Posts

Gift Cards: The Newest Scam that You Should Be Aware of

Hackers are making a lot of money thanks to phishing attacks these days, and now they are also focusing on gift card scams. One of the most notorious scam groups, Scarlet Widow, which is out of Nigeria, has been boosting its efforts to scam people with gift cards since 2015. This group generally focuses on people in the UK and US and also is known for tax scams, romance scams, and rental cons.

Are you at risk of getting scammed by Scarlet Widow? The group generally focuses on medium to large US businesses and nonprofits including the United Way, Boy Scouts of American, and YMCA chapter. The scammers send emails to employees of these organizations, and though most people understand that the emails are, indeed, scams, it only takes one person to put your organization at risk.

The Targets

From November 2017 to the present, Scarlet Widow has targeted thousands of nonprofits and individuals. It also targets the education industry and tax industry. Scarlet Widow only succeeds by getting access to these organizations’ email accounts. They might put malware in the emails or use malicious phishing links. Either way, eventually, these people are going to be able to scam the organizations.

The Scam

Though traditional phishing scams work for Scarlet Widow, it is really focusing on the gift card scam these days. In October 2018, more than a quarter of people who have been scammed during the year said that they were victims of a gift card scam. Scammers love these because they can get the cash quickly, they can be anonymous, and it’s very difficult to reverse. All the scammers have to do is convince someone to buy a gift card, then send them a photo, and they can take the money that is on there.

Scarlet Widow generally focuses on Google Play and iTunes gift cards, but other scammers will ask for cards from places like Target, Walgreens, or CVS. You might think it sounds strange that these people could con others into paying for business services with gift cards but remember…these scammers are experts at manipulation. They will certainly come up with some story with a sense of urgency, and people fall for it all of the time. For instance, there was an administrator in Australia who sent a scammer $1,800 in iTunes gift cards. The email she got seemed as if it was from the head of the finance department, so she believed it was legitimate. However, it was just a scammer.

A security awareness training financial advisor client of mine was conned too. Actually it was his assistant. She received an email that looked like it was coming from him requesting 5 $500.00 Apple gift cards to send to their top 5 clients. She went right out to Walgreens, bought 5 cards and the instructions were to scratch off back to reveal the codes and email pictures of the cards and codes back to him. Which she did. And then the scammers disappeared.

Though there are limitations to scammers using gift cards, these nefarious groups will use any method they can think of to get more money funneling in. So, if you ever get a request from a contractor or organization leader asking for a gift card, use an extreme amount of caution.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Beautiful Buxom Brunette Lures Boxer to His Death

Eddie Leal, 23, was an up-and-coming professional boxer who gave free boxing lessons in his garage to down-and-out neighborhood teens. He was a good guy. And like most young men, was looking for a girlfriend.

Phishing is Getting FishierOne day he saw that a young woman, Rebecca Santhiago, was asking for a friend request on his Facebook page.

The brunette bombshell with fashion model looks said she was 21, liked to party and was attending college.

What Eddie did: He accepted the friend request.

What Eddie should have done: right-clicked on the profile image and then selected off the drop-down menu, “Search Google for image.” He would have discovered that the results were suspicious for a stolen image, and that Rebecca Santhiago – at a minimum – did not look like her profile image.

The next move would have been for Eddie to ask Rebecca to post a picture of herself holding up a sign with her name or his name – or a recent newspaper – because “I googled your profile image and it’s on other sites.”

Few young men would have the nerve to do this, fearing it would end the correspondence. But if it ends it, this likely means that the woman was fraudulent. Better to learn this early on, right?

A correspondence – only via Facebook, ensued. Rebecca said she had no phone.

WARNING! A 21-year-old college student with no phone?

What Eddie should have done: Requested she borrow a phone so he could communicate by voice or use Skype to see her as well. This request would have ended the correspondence. And saved Eddie’s life.

One evening he agreed to meet Rebecca at 2:00 in the morning at a nearby park – her idea.

WARNING! What woman in her right mind agrees to meet a man, whom she’s never seen nor heard speaking, at 2 AM at a park? Okay, a few oddballs out there might, but Rebecca’s request should have set off sirens.

What Eddie did: Drove to the park to meet her near a dark street corner, per the plan.

What he should have done: Insist that they meet in the middle of the day for lunch at a café. This request would have ended the correspondence. And kept Eddie breathing.

The meeting took place a few weeks after the Facebook correspondence began. When Eddie arrived and waited in his car, a young man appeared and shot him point-blank in the head.

Who was Rebecca?

She was Manuel Edmundo Guzman, Jr., 19, one of the teens who had once shown up to check out the free boxing lessons.

Extensive forensic investigating revealed that the Facebook messages had come from Manuel’s computer, and that the image belonged to a model unrelated to him. He murdered Eddie for the thrill of it.

Impersonating someone else via cyber communication is called catphishing. Manuel’s fake FB page included friends whom he may have acquired simply by inserting himself into cyber conversations and then making friend requests. Anyone can build a fake Facebook page. Usually it’s done for non-homicidal reasons, but you now know the warning signs of a homicidal catphisher.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Bitcoin Scams Up the Ying Yang

If you are thinking of jumping onto the Bitcoin bandwagon, or any type of cryptocurrency, you have to make sure that you are watching out for scams. There are a ton of them out there, including the following:

Fake Bitcoin Exchanges

You have to use a Bitcoin exchange if you want to buy or sell Bitcoins, but not all of them are legitimate. Instead, many of them are created for the sole purpose of taking people’s money. Only use well-known exchanges.

Ponzi Schemes

Bitcoins are not exempt from Ponzi schemes, and you have to look out for these. These are like pyramid schemes, and you definitely don’t want to get caught up with this, as you will certainly lose your money.

Fake Currency

You have certainly heard of Bitcoin, but there are other cryptocurrencies on the market, too, as alternatives to Bitcoin. However, there are also fake ones. For instance, one of these, My Big Coin, was fake, yet the people behind it managed to take more than $6 million from customers.

Well-Known Scams

Bitcoin scammers also rely on old school, well-known scams to trick people. They might, for instance, send emails pretending to be the IRS or even having some type of Bitcoin sale. People fall for these scams every day. If it seems weird, like the IRS emailing about Bitcoin, it is most definitely a scam.

Malware

Malware is another associated scam with Bitcoin. Most, or all wallets are connected online, scammers can use malware to access the account and take your money. Malware can get on your computer in a number of ways, including from websites, social media sites, and even through email.

Fake News

We live in an era where online news is the most popular method to get news, but it’s also very easy to create news stories that seem totally legitimate, yet they are absolutely fake. Basically, scammers create these stories to bait victims, so always think before you start clicking.

Phishing

These Bitcoin scammers also use phishing scams to try to get money from people who are trying to buy and sell Bitcoin. These scams are often done by clicking malicious links.

It doesn’t matter if you join the Bitcoin craze or not, you can also use these tips to keep yourself safe from other scams. Here’s some final tips:

  • Always do a security scan on your laptops, computers, phones, and tablets on a regular basis.
  • Do your research before investing in any cryptocurrency website. Make sure it is trustworthy and secure.
  • Store all of your cryptocurrency in a wallet offline, which keeps it protected from scammers.
  • Always monitor all of your banking, credit card, and cryptocurrency accounts.
  • Always insist the crypto site has two step or two factor authentication.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Phishing is Getting Fishier

If you are like most people, you have undoubtedly received an email that has asked you to click on a link. Did you click it?

If you did, no worries, you are just like 99% of internet users – everyone has clicked a link before, it is pretty normal. But, in some situations, you may have found that the link took you to a new or maybe spoofed website where you might be asked to do “something”, i.e. enter some information or even login to an account. Once you entered your username and password, they have it…

If you have ever done so, you were likely a victim of what is known as a phishing attack, and these attacks are getting fishier all of the time.

A What? Phish? Fish?

It’s called a phishing attack, and yes, it’s a play on words. When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.

Except, their hook and worm, in this case, is an carefully crafted email – designed to look like something you should get – which hackers hope you are going open…its then, that they can reel you in.

There are a few different types of phishing:

  • Spoofed websites – Hackers phish by using social engineering. Basically, they will send a scam email that leads to a website that looks very familiar. However, it’s actually a spoof, or imitation, that is designed to collect credit card data, usernames and passwords.
  • Phishing “in the middle” – With this type of phishing, a cybercriminal will create a place on the internet that will essentially collect, or capture, the information you are sending to a legitimate website.
  • Phishing by Pharming – With phishing by pharming, the bad guys set up a spoof website, and redirect traffic from other legitimate sites to the spoof site.
  • Phishing leading to a virus – This is probably the worst phish as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link to infect your device.

Can You Protect Yourself from Phishing?

Yes, the standard rule is “don’t click links in the body of emails”. That being said, there are emails you can click the link and others you shouldn’t. For example, if I’ve just just signed up for a new website and a confirmation email is then sent to me, I’ll click that link. Or if I’m in ongoing dialog with a trusted colleague who needs me to click a link, I will. Otherwise, I don’t click links in email promotions, ads or even e-statements. I’ll go directly to the website via my password manager or a Google search.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Is Your Small Business Staff Trained in Security Awareness?

The Ponemon Institute released a shocking statistic: about 80% of all corporate data leaks is due to human error. In other words, it only takes a single staff member to cause a huge issue. Here’s a scenario: Let’s say that you have an employee, Betty. Betty is lovely. We love Betty. But when Betty is checking her personal email during her lunch break and sees she has an offer that promises a 10-pound weight loss in only a week, she clicks the link. She wants to learn more about it, so she clicks the link in the email. What she doesn’t realize is that by clicking that link, she just installed a virus onto the computer. In addition, the virus now has access to your company’s network.

This was a very simple act, one that most of us do every day. However, this is why it is so important that your staff is up to date on security awareness. How can you do this? Here are some tips:

  • Present your staff with information about being aware of security, and then come up with a set up where you send them a link they want to click on. This is a process known as “phishing simulation.” If your staff members click on the links, and they probably will, it will take them to a safe page. However, on the page is a message telling them that they fell for a scam, and though they are safe this time, there could be great repercussions.
  • The staff members who click the link should be tested again. This way, you will know if the message got through.
  • Make sure when you give these tests that it isn’t predictable. Send the emails at different times of day and make sure they look different and have a different message. For instance, don’t send the “lose 10 pounds” email twice.
  • Think about hiring someone, a stranger, who will try to get your staff to give them sensitive information about your company over the phone, through email, or even in person. This is a valuable test, as it helps you to determine who the “weak links” are in your company.
  • Give your staff quizzes throughout the year to see who is paying attention to security.
  • You should focus on education, not discipline, when you are doing this. Don’t make them feel bad or punish them. Instead, make sure they know what they did wrong and work on not doing it again.
  • Ensure that your team knows that a data breach can also result in financial, legal, and criminal problems.
  • Schedule checks of workstations to see if any employee is doing something that might compromise your company’s sensitive data. This includes leaving information on a screen and walking away.
  • Explain the importance of security to your staff, and encourage them to report any activity that seems suspicious.
  • After training and testing your staff, make a list of all concepts that you want them to understand. Look at this list often, and then evaluate it time and time again to see if anything needs changed.
  • Don’t forget company officers. When company officers are omitted from this kind of training it poorly reflects on the organization. Some security personnel are afraid to put their Executives on the spot. That is a huge mistake. Security starts from the top.

Remember, there is nothing wrong with sharing tips with your staff. Post them around the office and keep reminding them to stay vigilant. This helps the information to remain fresh in their minds, and helps you to recognize those who are taking security, seriously.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data

Do you have employees who bring mobile phones to work and use those devices on the corporate network? Do they store company data on these “Bring Your Own Devices (BYOD)”?? Does your company have a policy in place for this?

First, the moment a person brings in their personal phone to work, there is a fusion of personal and business tasks that occur. And, equally as bad, company issued devices are used for personal use as much, if not more than the employees own devices. Not sure you believe this? Here are some stats:

A recent survey asked 2,000 office workers about their habit of using their personal mobile devices at work. Here’s what it found:

  • 73% of people admit to downloading personal apps to tablets they got from their company.
  • 62% of people admit to downloading personal apps to mobile phones they got from their company.
  • 45% of people admit to downloading personal apps to notebooks they got from their company.
  • The people who were most likely to do this were in the 25 to 38-year-old age group.
  • 90% of people use their personal mobile devices to conduct business for work.

As you can see, a lot of people are using their mobile devices on the job, and this could not only put your company data at risk, but also the data associated with your clients. Do you have a plan to minimize or even totally prevent how much sensitive company data is wide open to hackers?

Solutions to Keep Sensitive Business Information Safe

Decision makers and business owners should always consider their personal devices as equal to any business device. You definitely don’t want your sensitive company information out there, and this information is often contained on your personal mobile or laptop device. Here are some things that you can do to keep this information safe:

Give Your Staff Information About Phishing Scams

Phishing is a method that cybercriminals use to steal data from companies. Studies show that it is extremely easy for even the smartest employees to fall for these tricks. Here’s how they work: a staff member gets an email with a sense of urgency. Inside the email is a link. The body of the email encourages the reader to click the link. When they do, they are taken to a website that either installs a virus onto the network or tricks the employee into giving out important company information.

Inform Your Staff that the Bad Guys Might Pose as Someone They Know

Even if you tell your staff about phishing, they can still get tricked into clicking an email link. How? Because the bad guys make these emails really convincing. Hackers do their research, and they are often skilled in the principles of influence and the psychology of persuasion. So, they can easily create fake emails that look like they come from your CEO or a vendor, someone your staff trusts. With this in mind, it might be best to create a policy where employees are no longer allowed to click email links. Pick up the phone to confirm that whatever an email is requesting, that the person who sent it is legitimate.

Teach Employees that Freebies aren’t Always Goodies

A lot of hackers use the promise of something free to get clicks. Make sure your staff knows to never click on an email link promising a freebie of any kind.

Don’t Buy Apps from Third-Party Sources

Apps are quite popular, and there are many that can help to boost productivity in a business setting. However, Apple devices that are “jailbroken” or Android devices that are “rooted” are outside of the walled garden of their respective stores and susceptible to malicious viruses. Make sure your employees know that they should never buy an app from a third-party source. Only use the official Apple App Store or the Google Play Store.

Always Protect Devices

It’s also important that you advise your employees to keep their devices protected with a password. These devices are easy to steal since they are so small. If there is no password, there is nothing stopping a bad guy from getting into them and accessing all of the accounts that are currently logged into the device.

Install a Wipe Function on All Mobile Devices Used for Business

You should also require all employees to have a “wipe” function on their phones. Even if they are only doing something simple, like checking their work email on their personal mobile device, it could get into the wrong hands. With the “wipe” function, the entire phone can be cleared remotely. You should also require employees to use the setting that erases the phone after a set number of password attempts.

Require that All Mobile Devices on the Company Network Use Anti-Virus Software

It’s also important, especially in the case of Android devices, that all mobile devices on the network have some type of anti-virus software.

Do Not Allow Any Jailbroken Devices on Your Company’s Network

Jailbroken devices are much more vulnerable to viruses and other malware. So, never allow an employee with a jailbroken phone to connect to your network.

All Employees Should Activate Update Alerts

One of the easiest ways to keep mobile devices safe is to keep them updated. So, make sure that all employees have update alerts enabled, and make sure that they are updating their devices when prompted or automatically.

Teach Employees About the Dangers of Public Wi-Fi

Finally, make sure your staff knows the dangers of using public Wi-Fi. Public Wi-Fi connections are not secure, so when connected, your devices are pretty open. That means, if you are doing things that are sensitive, such as logging into company accounting records, a hacker can easily follow. Instead, urge employees to use a VPN. These services are inexpensive and they encrypt data so hackers can’t access it.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

The Best Gmail Phishing Scam Ever!

If you use Gmail, pay attention! Security experts have announced that there is a very effective phishing scam out there, and you are a target. This scam, which has only been growing over the past couple of months, is also hitting other email providers, too. However, it’s quite difficult to detect.

According to researchers at WordFence, who make a security tool for WordPress, this is a pretty serious attack and can have quite an impact, even for those who are up on security.

Here’s how it works:

You get an email from someone you trust…like a friend or family member or Google. The email, however, is actually not from them. It just looks like it is. Attached to the email is an attachment, which, when opened, links to a fake Google sign-in page. Everything about this Google sign-in page looks legit…but the address in the address bar is not…and here’s where it gets tricky. The address bar actually has a URL that looks real: https://accounts.google.com. However, before that address is whats called a “data URI”. Google it. This is NOT a URL. Instead, it allows the hackers to get your username and password as soon as you enter them into the fake login screen. To make things even worse, once they sign into your actual inbox, they use your information, including attachments and emails, to target your contacts.

Protecting Yourself From This Scam

If you are a Google Chrome user, you can protect yourself by taking a look at the address bar before clicking anything. A green lock symbol is your indicator that it is safe to browse. However, there are some scammers out there who have created their own site that are HTTPS-protected…which also means they will have a green lock. So, also take a look at the address.

Another thing that you can do is add in two-step authentication, which is an extra layer of security. Ultimately, it will help to lower the odds that your account will be compromised. You also might want to consider a security token, as well. If you don’t use two-step authentication with every account that offers it (Facebook, Twitter, iCloud etc), you’re a bit foolish my friend.

Google is aware of the issue, and they are working on improving security for their users. In the meantime, remain vigilant as you browse.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 3 Social Engineering Scams

Think about hackers breaking into accounts. If you think they need top-notch computer skills, you would be wrong. These days, instead of requiring skills behind a keyboard, hackers generally rely on strategy…specifically a strategy called social engineering. This means that hackers don’t have to be technical, but they DO have to be clever and crafty because they are essentially taking advantage of people and “tricking” them into giving information.

There are four main ways that hackers use social engineering:

  • Phishing – where hackers use email tricks to get account information
  • Vishing – similar to phishing, but through voice over the phone
  • Impersonation – the act of getting information in person
  • Smishing – getting account info through text messages

Phishing accounts for 77 percent of all social engineering incidents, according to Social Engineer, but in vishing attacks, alone, businesses lose, on average, $43,000 per account.

Here are the top scams that all consumers and businesses should know about as we move into 2017:

Scam Using the IRS

Starting from the holiday season stretching through the end of tax season, there are scams involving the IRS. One such scam uses caller ID to change the true number of the caller and replaces it with a number from Washington, D.C., making it look like the number is from the IRS. Usually, the hacker already knows a lot about the victim, as they got information illegally, so it really sounds legit.

In this scam, the hacker tells the victim that they owe a couple of thousands of dollars to the IRS. If the victim falls for it, the hacker explains that due to the tardiness, it must be paid via a money transfer, which is non-traceable and nonrefundable.

BEC or Business Email Compromise Scam

In the business email compromise, or BEC scam, a hacker’s goal is to get into a business email account and get access to any financial data that is stored within. This might be login information, back statements, or verifications of payments or wire transfers.

Sometimes a hacker will access the email by using an email file that contains malware. If an employee opens the file, the malware will infect the computer and the hacker has an open door to come right in.

Another way that hackers use the BEC scan is to access the email of a CEO. In this case, they will impersonate the CEO and tell the financial powers that be that he or she requires a wire transfer to a bank account. This account, of course, belongs to the hacker not the business. When most people get an email from their boss asking them to do something, they do it.

Ransomware

Finally, hackers are also commonly using ransomware to hack their victims. In this case, the hackers are working towards convincing targets to install dangerous software onto their computer. Then, the computer locks out the data and the victim cannot access it…until he or she pays a ransom.

At this point, they are informed that they can get access back when they pay a ransom. This might range from a couple of hundred to several thousands. Usually, the hackers demand payment by bank transfer, credit card, bitcoin, PayPal, or money transfer services. Victims are usually encouraged to go to a certain website or call a certain number Unfortunately, too often, once the victim pays the ransom, the hacker never opens up the system. So now, the hacker has access to the victim’s computer and their credit card or financial information.

The way social engineering works in this scam is varied:

One way is this…imagine you are browsing the internet, and then you get a popup warning that looks quite official, such as from the FBI. It might say something like “Our programs have found child pornography on your computer. You are immediately being reported to the FBI unless you pay a fine.” When you click the popup to pay, the program actually downloads a program called spyware to your computer that will allow the hacker to access your system.

Another way that social engineering works with ransomware is through voice. In this case, you might get a phone call from someone saying they are from Microsoft and the representative tells you that they have scanned your computer and have found files that are malicious. Fortunately, they can remotely access the machine and fix the problem, but you have to install a program to allow this. When you install it, you give them access to everything, including personal and financial information, and they can do what they want with it.

Finally, you might get an email offering a free screen saver or coupon, but when you open it, the software encrypts your drive and takes over your computer.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Oh No, iOS Hacked by NSO

Recently, says a report at wired.com, it’s been unveiled that the obscure Israel-based NSO Group has been selling spyware delivered to smartphones through vulnerabilities in Apple’s iOS operating system.

“Pegasus” spyware can put a surveillance out on nearly everything including keystrokes, e-mails, video feeds and phone calls. Apple says that the three vulnerabilities with this spyware (“Trident”) have been patched.

In short, NSO Group’s spyware has been reverse engineered for the first time—achieved by the security research firm Lookout, which discovered Pegasus. Also getting credit for the discovery is Citizen Lab.

  • Ahmed Mansoor, a well-known human rights activist with a history of being targeted by surveillance spyware, sent the security firms the suspicious SMS text messages he had received.
  • Mansoor’s mobile device was running iOS’s latest version when two phishing texts came in with links. He had refused to click them.
  • Instead he sent screenshots to Citizen Lab. The links led to a blank Safari browser page. The analysis then began.
  • The spyware was intended to jailbreak the phone.

Jailbreaking an iPhone means the user can bypass Apple’s plan and customize the experience. However, in the Pegasus case, remote hackers wanted this control.

Citizen Lab and Lookout took their analysis to Apple, who made the patches within 10 days. The recommendation is to regularly download the latest iOS versions to help protect the device from attacks. The latest iOS version will stop Pegasus. However, it’s possible for NSO to infiltrate other phone operating systems like Android with the spyware, says Citizen Lab and Lookout.

NSO Group has no website, and supposedly, earns $75 million a year, with governments as the typical clients, and may have up to 500 employees. It won’t be any surprise if a new and similar threat follows soon, as the NSO Group is quite advanced, with a solid software development organization.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Phishing attacks Two-Factor Authentication

Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.

13DHow a hacker circumvents two-factor authentication:

  • First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.
  • Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.
  • The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).
  • This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.
  • The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.
  • Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.
  • The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.
  • The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!

So in short, the crook somehow gets your password (easy with brute force software if you have a weak password) and username or retrieved in a data dump of some hacked site. They spoof their text message to you to make it look like it came from the company of your account.

Red flags/scams/behaviors/requests  to look out for:

Pay Attention!

  • You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).
  • If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?
  • Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.