April 2025
Don't Book This Phishing Trip
This week, scammers are sending out phishing emails that target employees in the hospitality industry. In this scam, you receive an email with a link that appears to be from the travel website Booking[dot]com. The email may claim you need to verify a guest's reservation, confirm details about a customer’s recent stay at your property, or check the status of your travel organization’s account. If you click the link, you are taken to what looks like a legitimate CAPTCHA webpage. A CAPTCHA is a security measure requiring you to click photographs or type text in order to access certain websites.
The CAPTCHA page appears to be legitimate, but it provides you with unusual instructions. It directs you to run a command on your computer. But if you follow these steps, you won’t be able to access the travel website. The CAPTCHA webpage is actually fake. Instead, the command that you run will install malware on your computer. The malware then steals your user credentials and financial information!
Follow these tips to avoid falling victim to a malware scam:
Contact online service providers directly if you have questions about travel reservations or your account’s status. Be sure to use the website’s official customer service portal or phone number.
Remember to hover your mouse over links to check if they are legitimate. Be wary of anything unusual, such as suspicious URLs or strange instructions.
While this scam is directed toward hospitality employees, remember that scammers can use similar tactics to trick anyone into acting impulsively. Always stop and think before taking action!
The KnowBe4 Security Team
__________________________________________________________________________________________________________________
February 2025
Don’t Pay This PayPal Invoice
|
|
|
Millions of people use PayPal to make secure payments online, but cybercriminals have figured out a way to use it maliciously. In this week’s scam, you receive a legitimate email from PayPal requesting that you make a payment. The email is actually from PayPal and even contains a real PayPal link. Even though the email is real, it’s part of a clever trick by cybercriminals.
The email that is sent to your email address is also sent to an email address you do not recognize. This unrecognized email address actually belongs to the cybercriminals. If you click the link in the email, their email address will be connected to your PayPal account. Once their email address is linked to your account, the cybercriminals will have full access to your PayPal account. They will be able to view all your account details, including your user credentials and financial information!
Follow these tips to avoid falling victim to a phishing scam:
- While this scam targets PayPal users, never submit payments after receiving an unexpected email. Instead, navigate directly to an organization’s official website or app to submit a secure payment.
- Check the email recipients carefully. Be suspicious of emails sent to multiple addresses, especially ones you don't recognize.
- Remember that emails can be malicious even if the sender’s email address is from a trusted domain. Cybercriminals can gain access to trusted domains to make their scams more believable.
|
|
|
The KnowBe4 Security Team
|
____________________________________________________________________________________________________________
January 3, 2025
Hovering over Links
How can you tell if an email is safe? Even if you catch red flags in an email, such as typos or poor grammar, an urgent demeanor, or even a spoofed domain, how can you truly decipher the safety of an email? An immediate step you can take is to watch out for one of the most critical tell-tale signs of a phishing email—a mismatched or fake URL.
Why is hovering important? What can it do for you?
Hovering not only allows you a moment to think before proceeding, it allows you the opportunity to see where a link is going to redirect you. This is especially important because not all links lead to where they appear, or insinuate they'll go. When you hover, check for the following to ensure you're staying safe and secure:
• If the email appears to be coming from a company, does the hover link match the website of the sender?
• Does the link have a misspelling of a well-known website (Such as Micorsoft.com)?
• Does the link redirect to a suspicious external domain appearing to look like the sender’s domain(i.e., micorsoft-support.com rather than microsoft.com)?
• Does the hover link show a URL that does not match where the context of the email claims it will take you?
• Do you recognize the link’s address or did you even expect to receive the link?
• Did you receive a blank email with long hyperlinks and no further information or context?
If you notice anything about the email that alarms you, do not click links, open attachments, or even reply. If everything seems okay, but you're still not sure–verify! Ask your IT team or leadership if the email is legitimate before proceeding. Remember, you are the last line of defense to prevent cyber criminals from succeeding and making you or your company susceptible to an attack.
The KnowBe4 Security Team
____________________________________________________________________________________________________________
November 19, 2024
5 tips to avoid holiday scams
As the holiday season approaches, it’s essential to be extra vigilant, as scams tend to increase during this time. Protect yourself by staying alert and cautious. Here are some key tips to help you avoid holiday scams and keep your personal and financial information safe:
1. Review online purchases carefully: Purchase goods and services from familiar vendors and verify all URLs before completing an online transaction. Be aware of the common methods scammers use in the online holiday marketplace, including:
- Gift card scams: Avoid purchasing gift cards from websites claiming to sell them for a discount.
- Phishing emails and text scams: Pause before clicking links in unrecognized emails or texts promising holiday discounts or deals.
- Fake contests and giveaways: Verify the offer’s legitimacy by using a separate browser to go directly to the company’s website.
- Lookalike online shops: Review URLs before opening to ensure they’re the official websites of trusted vendors. They should always begin with https:// and include a padlock icon.
- Too good to be true offers: Be cautious of offers that seem too good to be true.
- Monitor transactions closely: Regularly monitor banking and credit card transactions to quickly catch and report any fraudulent activity.
2. Choose secure payment methods: Always use traceable credit or debit cards with fraud protection for online purchases, and avoid payment apps like Venmo, CashApp, and other peer-to-peer payments.
3. Be on the lookout for skimming devices: They may be installed on card readers and are used to collect card numbers. You can help prevent these devices from stealing your card information by:
- Tapping or inserting the card’s chip versus swiping
- Covering the pad when typing in your PIN
- Comparing the card reader you’re using with nearby card readers to confirm that they’re the same
- Checking the security seals if you’re at a gas station
4. Avoid public wifi while online shopping: To prevent hackers from gaining access to your information:
- Avoid shopping online when using public wifi
- Use a reputable password manager or change your password regularly. Passwords should include numbers, capital letters and special characters
- Never share your credit card number over the phone if you’re in a public space
5. Verify donation requests: Research charities before donating, use secure payment methods, and avoid donating via text or email links to prevent phishing scams.
We have a partnership with Capital Group. They have a free security checklist you can download for more tips.
____________________________________________________________________________________________________________
Google Yourself
Another great article from our friends on KnowBe4's Security Team
With the internet and social media as a part of our everyday lives, it can be difficult to avoid sharing personal information online. Having an online presence can be valuable, but sometimes sharing personal information is risky. If you want to know what information about you is online, Google yourself.
Your Search Results
If you Google your name, you may find public information about yourself that you didn’t expect to see, such as your phone number, email address, or home address. Some information is available online through government agencies, while other information is posted by data brokers. Data brokers are organizations that collect and sell information.
Cybercriminals’ Scams
Cybercriminals can use your public information in phishing attacks to try and scam you. They often use specific details to make their phishing attacks appear more legitimate. For example, if your home address is publicly available online, cybercriminals can use it in delivery scams. For these scams, cybercriminals will send you a phishing email about a package delivery. This email will prompt you to click a link that appears legitimate but is actually malicious.
What Can I Do to Stay Safe?
Follow the tips below to stay safe online:
• Be careful about what you post online. Cybercriminals could use this information in a phishing attack.
• Analyze your online presence often and remove information that you don’t want cybercriminals to know.
• Many websites have security options that can easily be overlooked. Review and edit your privacy settings to protect your information.
______________________________________________________________________________________________________________________________________________________________________________________________
Be on Patrol for These Fake Calls
Another great article from our friends on KnowBe4's Security Team
In this week’s scam, cybercriminals are impersonating U.S. Customs and Border Protection (CBP) agents. The scammers call you and claim that CBP has intercepted drugs or money shipments that are addressed to you. They insist that you must confirm personal details to help them resolve the case. If you refuse to cooperate, the scammers threaten to send police to arrest you.
To seem more credible, the scammers may provide actual CBP employee names and numbers that they find online, as well as fake case and badge numbers. In some cases, there is a recorded message that says to press a number to speak to a "CBP officer" about an intercepted shipment. The real CBP stresses that these calls are complete scams, and that the agency never requests money or personal information like Social Security numbers over the phone.
Follow these tips to avoid falling victim to a Border Patrol phone scam:
- The CBP will not call you to request money or financial information. If you receive a call asking you to share personal information, it's best to hang up and contact the government agency directly at a verified number.
- This particular phone scam impersonates the CBP, but remember that scammers could call you and impersonate any government entity.
- Scammers rely on scaring you into making an impulsive decision. if you receive an unexpected phone call urging you to take action, be extra cautious. It could be a scam.
-
Keeping Your Passwords Squeaky Clean
Another great article from our friends on KnowBe4's Security Team
Did you know that the average person uses the same three to seven passwords to log in to over 170 online accounts? In addition to being reused, these passwords are often weak and can be easily guessed by cybercriminals. If cybercriminals guess these passwords, they could access the majority of their victim’s online accounts. Even worse, the victim may not know that their password has been compromised for several months or years. To keep your passwords squeaky clean and safe from cybercriminals, follow the tips below:
Create Strong Passwords
Creating strong passwords helps prevent cybercriminals from gaining access to your online accounts. Your passwords should be as long, complex, and random as possible. While many websites only require passwords to be eight characters long, we recommend making your password at least 12 characters long. You should also include a combination of lowercase and uppercase letters, numbers, and symbols in your password. To keep your accounts extra safe, you can use password phrases, or passphrases. However, when you create your password or passphrase, make sure that you don’t use any personal information that a cybercriminal could guess.
Don't Reuse Passwords
Reusing passwords for your online accounts may be convenient, but it’s also risky. If you reuse passwords, you could be at risk of having multiple accounts compromised at once. If a cybercriminal guesses your password, they could access multiple accounts instead of just one account. Cybercriminals can also sell passwords or make them available online. Creating a unique password for each online account reduces the risk if one of your passwords is compromised.
Use a Password Manager
You’re probably wondering how you are supposed to remember long, complex passwords for all of your online accounts. The answer is a password manager. You can use password managers to securely store all of your passwords. Instead of having to remember passwords for every online account, you only have to remember one password for your password manager. In addition to storing your passwords, many password managers can also generate passwords for you based on specific criteria.
Use Multi-Factor Authentication
You can also use multi-factor authentication (MFA) to secure your online accounts, if available. MFA requires multiple forms of authentication, such as a password and a code from your smartphone or a USB smart key. By requiring you to use multiple forms of authentication, cybercriminals will have a harder time gaining access to your account, even if your password is compromised.
Nobody wants cybercriminals to guess their passwords. To keep your passwords squeaky clean and safe, remember to create strong passwords, avoid reusing passwords, and use a password manager or MFA, if possible.
The KnowBe4 Security Team