Beware of phishing and scams with the holidays approaching

As we enter the holiday season during the second year of the COVID-19 pandemic, you can be sure scammers are counting down the days to send their holiday-timed scam and phishing emails.

The pandemic encouraged a huge increase in online shopping. According to the U.S. Census Bureau, Americans spent $791.7 billion in 2020, an increase of 32.4% from the estimated amount in 2019. Scammers have pretended to be legitimate businesses for years, but their tactics have matured, making it harder for consumers to spot scams. This article will help you take your phish-and scam-spotting skills to the next level by highlighting scam indicators to watch out for.

Check the Sender’s Email Address Carefully

In email, if the display name looks legitimate but the sender address is off, it could be fake. The display name is usually to the left of the sender email which is in < > brackets. Scammers often put a legitimate email address in the display name but use another one to actually send the email.

For example: confirmation@amazon.com <thisisfake@annazon.com>  

The email address on the left side is the display name only. The actual sender’s email address is on the right and this is the one you need to look at carefully. Also, Amazon is misspelled but it’s very close with “nn” replacing the “m.” Remember, similar but not exact is a sign to look out for.

URL Shortener - Double check the actual link

Organizations often use URL Shorteners so they don’t send a 20-character link to their customers, but scammers use it to hide their fake web pages that ask for credentials or other personal information.

For example, if a scammer is using annazon.com/resetpassword as their fake website to trick you in entering your credentials, hover your mouse over the link and you’ll be able to see that it is not the legitimate amazon.com site. However, if they hide their link behind a URL shortener service like bit.ly, hovering over the link will show something like bit.ly/sdk25hn. There are websites that will unshorten the URL to show you the true destination. Review the real URL to make sure it’s going to a legitimate site.

Fake Cloud Service Web Pages

An extremely popular tactic against businesses is hiding a fake web page by using a cloud service like Microsoft Office 365 and Google. Last year, the email security company Proofpoint reported over 59 million malicious messages from Microsoft 365 and over 90 million from Google’s platform were sent to their customers and these numbers are expected to be even higher this year.

How does this work? A scammer will prepare a link to a fake website on a service like Microsoft OneNote or Google Docs. This phish is trickier because the notification and link are directly from Microsoft or Google. It is only after you click on the second link that you’ll go to the fake site. This type of attack is more common with businesses and can allow a criminal to gain access to a company’s email and its internal network. If you do not usually receive content like this, your scam spidey senses should perk up.  

A few additional cybersecurity tips:

• Use multi-factor authentication as much as possible.
• Use a unique password for all your accounts. A password manager will help with that.
• Be careful about scams on social media like cloned business accounts. If you’re unsure, look up the official page and contact them directly.
• Do not call numbers listed on shady emails or ad postings. When in doubt, close the window.
• Report accounts to the platform owners for it to be taken down. Here are some other reporting sites: https://www.ic3.gov/Home/ComplaintChoice, https://reportfraud.ftc.gov/, https://www.bbb.org/file-a-complaint.

To summarize, always check the sender’s email address to be sure it is the legitimate sender. Be extra cautious if you receive a shortened URL or invitations to access cloud content because the other end could be a fake credential-stealing page or malware downloader. Always check the links and address bar to make sure you’re interacting with a legitimate site.

Finally, here’s a holiday jingle (in the tune of Jingle Bells) to remind you to stay safe online. Happy Holidays!

There’s a misspelling,

To reset my password,

Asking for my info,

Act now for half off!

Email smells,

Email smells,

Email smells like a scam,

Oh, what fun, it is to say,

I’m not getting fooled today!

Marc Masuno is Director of Business Services, Professional Services & Cloud Architecture at Hawaiian Telcom. Reach him at marc.masuno@hawaiiantel.com.