News

With a ring or a ping, scammers come calling and texting. 

It probably happens often enough. You get a call from an unknown number, and you wonder if you should even bother answering it. It’s probably a scammer. Or is it? What if it’s something important? You answer. Sure enough, it’s a robocall. But the voice says it’s your bank and that there’s a problem with your account. Now what do you do? 

Same things with texts. Maybe you get a message that goes something like: 

“We have detected unusual activity on your account. Please call this number to speak to a customer service representative.”  

Enter the world of vishing and smishing.  

The term vishing stems from a combination of “voice” and “phishing.” Likewise, smishing comes from a combination of “SMS” (text) and “phishing.” Taken all together, they’re two ways that scammers will try and reach you on your phone. 

The con is the same as it always is with any form of phishing. The scammers want things like credit card numbers, account logins, and other personal information so that they can rip you off or steal your identity altogether. 

Yet you have ways you can protect yourself. And you have tools that might help you reduce the number of scam calls and texts you get in the first place. 

How do vishers and smishers get your phone number? 

The scammers behind these attacks often cast a wide net. They send calls and messages to thousands and thousands of phones in one fell swoop. Even if they catch a tiny percentage of victims, the attack can still return a decent profit.  

The secret is volume, and scammers can get phone numbers in bulk in several ways: 

• Data breaches: While some data breaches involve the loss of credit card and government ID numbers, others involve names, email addresses, and phone numbers. That’s still damaging, because these breaches provide hackers and scammers with the basic information they need to launch all kinds of phishing, vishing, and smishing attacks. 
• Data brokers: Scammers can also buy entire lists of numbers for a few dollars with a few clicks. Online data brokers collect and sell highly detailed information about millions of people. The records vary from broker to broker, yet they can include dozens or even hundreds of entries gathered from public sources and from third parties. Data brokers will often sell such lists to advertisers for targeted campaigns—but they’ll sell them to scammers too. Data brokers will sell to anyone. 
• The dark web: Plenty of personal information ends up in dark web marketplaces. Scammers will often share lists of potential victims with other scammers for free. In other cases, they’ll sell them for a profit. Either way, the dark web provides scammers with several resources for obtaining phone numbers. 
• Dumpster Diving: And old-school “hack” involves digging through a bank or business’ dumpster and salvaging any lists of client phone numbers. With that list, scammers can program the numbers into their dialers for a more targeted attack. 
• Auto-dialers: As the name suggests, this piece of gear calls random phone numbers with a recorded message. Sometimes, scammers will make calls to specific area codes with a message that involves a regional bank or credit union. This way, the scammer takes aim at potential members in the targeted area. 

What are some examples of smishing? 

There’s a good chance you’ve seen several examples of smishing yourself. Maybe you’ve come across something like these: 

• “Hi! We noticed that you’re a recent customer of ours. To finish setting up your account, please tap this link and enter your personal information.”  
• “Urgent! Your bank account has been compromised. Please tap this link to reset your password and prevent any further fraud.”  
• “We have a package for you, but we were unable to deliver it. Please tap this link to update your information so that we can get your package to you.” 
• “Hi! It’s me, Mandy. Are we still on for lunch today?” 
• “You owe back taxes. Pay using this link within three days or we will turn your case over to law enforcement.” 

Messages like these can seem plausible at first, until you look at them more closely.  

First off, they usually include a link. The link might include unusual strings of characters and a web address that doesn’t match who the message says it’s coming from. Like a bogus notice from the post office that doesn’t use the official post office URL. Or, the link might look almost like a legitimate address, but changes the name in a way that indicates it’s bogus.  

Another indicator might be that you don’t know “Mandy” at all. This is by design. In fact, the scammer hopes you don’t recognize the name. They want you to respond with a “sorry, wrong number” text. From there, the scammer will try to strike up a conversation and launch the first steps of a romance scam or a similar con game. 

Lastly, the message might employ a scare tactic or threat. Scammers love this approach because it successfully plays on people’s emotions and gets them to act quickly without much thinking. The bank and tax scares offer a couple prime examples of this approach. As do messages that appear to come from family members who say they’re in trouble. Like their car has broken down in the middle of nowhere or that they’re off to urgent care with a sudden illness.  

In all, the scammers behind these texts are after the same thing—your personal information, money, or a combination of both. 

How to protect yourself from vishing and smishing attacks 

1. Don’t trust caller ID: Scammers can tamper with caller ID. Scammers have several tools available that can help them populate the caller ID with a specific bank or credit union, or with the words “Bank” or “Credit Union.” 
2. Follow up directly: If you receive a phone call from a person or a recording requesting personal information, hang up. If the call appears like it came from a trusted organization, call them directly to confirm their request. Do the same for any texts that ask you to select a link to provide information. 
3. Report any fraud attempts immediately: Document the call, note what was said, what was asked for, and the number the caller or texter used. Report this to the company in question. Many organizations have dedicated fraud pages that have email addresses to report fraud committed in their name. Netflix offers a good example, and so does the Internal Revenue Service (IRS) in the U.S. McAfee has a page dedicated to fraud as well. 
4. Look for errors in spelling or grammar. Legitimate businesses and organizations go to great lengths to ensure their messages are free from mistakes. Scammers, less so. Misspellings and awkward sentences often find their way into smishing attacks. 
5. Contact the sender: Did you get an urgent text message from someone who appears to be a friend or family member? Follow up with them in some way other than responding to the text message you just received, particularly if it came from a new or unknown number. 
6. Don’t tap on links in text messages: If you follow one piece of advice, it’s this. As mentioned above, if you have concerns, follow up directly. 

Another way to cut down on scam calls and texts: online protection software 

With comprehensive online protection software like McAfee+ on your smartphone, you can stay safer in several ways. 

It offers web protection that warns you of sketchy links in texts, search, and while you browse, which can steer you clear of websites that steal information. It can also monitor dozens of pieces of personal information and alert you if any of it appears on the dark web—and offer guidance for what to do next. 

Further, it can help you remove your personal information from data broker sites with our Personal Data Cleanup. You’ve seen how scammers use data brokers to create their call and text lists. Telemarketers turn to data brokers for the same reason too. Removing your information can lower your exposure to data brokers and telemarketers alike and help reduce scam and spam calls as a result. 

When it comes to vishing and smishing, you have several tips, tactics, and tools at your disposal. When in place, they can help prevent scammers from ringing and pinging—or fooling you if they still somehow do. 

The post Those Annoying Scam Calls and Texts: How to Fight Back Against Vishing and Smishing appeared first on McAfee Blog.

Cybercrime has a price. One that more and more business owners find themselves paying. 

The costs push well into the six figures, according to the U.S. Federal Bureau of Investigation’s (FBI) 2022 cybercrime report. On average, a business email compromise (a form of usually through targeted phishing or other account hacking) siphons $125,611 in funds. Ransomware attacks hold company data hostage for an average of $14,403. And data breaches level businesses for an average loss of $164,336. 

Cybercriminals increasingly wage these attacks against businesses with revenues of $500,000 or less, which makes the thought of a six-figure loss for them even more sobering. Retailers, professional service providers, real estate companies, medical practices, and other businesses like them now find themselves the preferred targets for a growing body of cybercriminals. 

Yet you can help prevent your business from getting hit.  

To counter this rise in attacks, we created McAfee Business Protection in partnership with Dell. It offers an all-in-one solution, with automated protection features that helps secure a company’s employees, along with their data, devices, and online connections. Intuitive setup and guidance for each employee strengthens their personal security posture and fortifies the overall security of your business as a result. 

And today, there’s an absolute need for that kind of protection. 

Why would a cybercriminal target my business? There are bigger fish out there. 

Cybercriminals have good reasons for targeting businesses with revenues of $500,000 and less: 

1. These businesses often lack online protection tools and support, making them more vulnerable to attacks than larger organizations with stricter security measures in place. 
2. Attacking these businesses often requires lower degrees technical expertise. Cybercriminals can buy or rent hacking tools and services on the dark web that can take advantage of poor security. 
3. They are prime for ransomware attacks, because many of these businesses don’t have data backed up or data recovery plans in place. 
4. Their employees aren’t always trained in good security habits, unlike larger businesses that may have such training in place. They may not recognize a phishing email when faced with one. 
5. Attacks on businesses of this size attract less attention. While cyberattacks on big businesses make big headlines, they often draw significant attention from law enforcement whereas smaller attacks may not.  

Cybercriminals may take in smaller hauls from these businesses, yet they make up for that in volume. They will attack several smaller businesses for smaller dollar amounts, which can rival the funds they’d reap by attacking one large target for one large amount—and with less relative risk. 

Another factor that makes these businesses so attractive to cybercriminals is that one hack can lead to another.  

Case in point, you might recall the massive data breach at Target during the holiday shopping season in 2013. It exposed some 41 million customer records, which cost Target nearly $300 million in settlements and losses. How did the hackers get in? By hacking a local HVAC contractor that used Target’s systems for billing, contracts, and project management.  

This shows how a breach in even the smallest of links in the supply chain can lead to yet another breach that impacts millions of people.  

As always, hackers look for easy, low-risk targets that offer the highest reward. In the case of businesses that make $500,000 a year or less, they’ve found exactly that. 

Two roadblocks to a more secure business: time and remote workers. 

Even as cybercriminals increase their attacks, both time and remote work only increase the risk to businesses.  

Time is an issue business owners know well already. There’s never enough of it, which means some aspects of the business get prioritized over others. In this mix, cybersecurity suffers. 

Our own research in the U.S. and Europe found that 63% of small business owners spend an hour or less on protecting their business a week. Moreover, 45% manage security in an ad-hoc way. It’s understandable, given that business owners would rather invest time in growing their business rather than managing their security. However, this low prioritization puts the business at risk, which could result in those six-figure losses mentioned above. 

The advent of remote work introduces further security issues as well. In the wake of the pandemic, many employees continue to work remotely or remotely part of the time.  

The implications for security can be significant. Whether working from home or some other location like a café, these employees may not have proper cybersecurity protection in place. Further, they may be using unsecure networks or Wi-Fi that can put company data at risk—not to mention their data as well. In all, remote workers can find themselves quite vulnerable. 

Protection from breaches and attacks with security that’s built for your business. 

As we created McAfee Small Business protection, we kept these issues in mind. We created protection that’s strong, and we made it straightforward as well. Business owners can set it up for their employees quickly and put controls in place to ensure they’re secure. Meanwhile our Protection Score measures the overall security of the business and offers guidance that can make it even more secure. 

By design, it offers:  

• All-in-one protection: It helps secure your employees, plus their data, devices, and online connections from hackers, malware, viruses, and more with a single solution. 
• A solution that grows with your business: Employers can extend protection to each employee, protecting their data, devices, and online connections with custom guidance that strengthens their security posture. 
• Simple and guided management: Automated protection and timely alerts let employers know when something needs attention, even when on-the-go, all from the Security Console. 
• Support when you need it: Our team of experts are available by phone or chat to help with setup or guidance when something needs attention.  
• The performance you demand: McAfee’s next-generation threat protection helps secure data and devices from threats both known and unknown and keeps devices running safely and smoothly.    
• A trusted expert in security: McAfee has more than 35 years of experience protecting millions of people and their devices around the globe with award-winning security that’s recognized by SE Labs, AV-TEST, and AV-Comparatives. 

Further features secure your business in breadth and depth: 

• Device protection ensures that operating systems are up to date, devices have password protection, and that files get encrypted when and where possible. 
• Web Protection sidesteps phishing attacks and malware downloads with clear warnings of risky websites, links, and files.  
• A secure VPN can automatically help keep your data private and secure anywhere your employees go with bank-grade encryption.  
• A File Shredder deletes sensitive company files completely to ensure no traces are left behind on your devices.  
• Identity Monitoring alerts employees if their personal information is found on the dark web. 

These are just a few of the security features offered, and you can see a full list on our partnership page with Dell here. 

By protecting your business, you protect your customers, clients, and partners too. 

Cybercrime indeed has a price. Beyond the dollars involved, the costs can run yet deeper from there. Downtime in the wake of an attack hits the bottom line. The recovery efforts that follow do as well. Additionally, businesses can suffer reputational damage if an attack also affects its customers, clients, and partners.  

Now, a shift has taken place. Cybercriminals still go after big businesses and major organizations, yet an increasing number of them go after businesses with revenues in the seven or even six figures. Poor security posture is one reason. Another is that even relatively amateur operations can wage attacks with “off-the-shelf” hacking tools found on the dark web.  

In short, every business faces the risk of cybercrime today. 

Yet with the right protection in place, you can avoid paying the price of cybercrime. And the introduction of our new McAfee Business Protection makes it easy in a time when it’s needed most. 

The post The Price of Cybercrime: Protecting the Business You’ve Built from Hacks and Attacks appeared first on McAfee Blog.

The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.

In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”

The written notice goes on to say UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”

As early as April 2022, KrebsOnSecurity began receiving tips from Canadian readers who were puzzling over why they’d just received one of these SMS phishing messages that referenced information from a recent order they’d legitimately placed at an online retailer.

In March, 2023, a reader named Dylan from British Columbia wrote in to say he’d received one of these shipping fee scam messages not long after placing an order to buy gobs of building blocks directly from Lego.com. The message included his full name, phone number, and postal code, and urged him to click a link to mydeliveryfee-ups[.]info and pay a $1.55 delivery fee that was supposedly required to deliver his Legos.

“From searching the text of this phishing message, I can see that a lot of people have experienced this scam, which is more convincing because of the information the phishing text contains,” Dylan wrote. “It seems likely to me that UPS is leaking information somehow about upcoming deliveries.”

Josh is a reader who works for a company that ships products to Canada, and in early January 2023 he inquired whether there was any information about a breach at UPS Canada.

“We’ve seen many of our customers targeted with a fraudulent UPS text message scheme after placing an order,” Josh said. “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”

Pivoting on the domain in the smishing message sent to Dylan shows the phishing domain shared an Internet host in Russia [91.215.85-166] with nearly two dozen other smishing related domains, including upsdelivery[.]info, legodelivery[.]info, adidascanadaltd[.]com, crocscanadafee[.]info, refw0234apple[.]info, vista-printcanada[.]info and telus-ca[.]info.

The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.

Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox) revealed the first stage of this smishing attack. As Josh mentioned, what first popped up was a CAPTCHA; after the visitor solved the CAPTCHA, they were taken through several more pages that requested the user’s full name, date of birth, credit card number, address, email and phone number.

In April 2022, KrebsOnSecurity heard from Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story. Alex reached out when he began receiving the smishing messages almost immediately after ordering two sets of Airpods directly from Apple’s website.

What puzzled Alex most was that he’d instructed Apple to send the Airpods as a gift to two different people, and less than 24 hours later the phone number he uses for his Apple account received two of the phishing messages, both of which contained salutations that included the names of the people for whom he’d bought Airpods.

“I’d put the recipient as different people on my team, but because it was my phone number on both orders I was the one getting the texts,” Alex explained. “That same day, I got text messages referring to me as two different people, neither of whom were me.”

Alex said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. He said the wording of UPS’s response misleadingly suggests the smishing attacks were somehow the result of hackers randomly looking up package information via the company’s tracking website.

Alex said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of application programming interface (API) that UPS Canada makes or made available to its biggest retail partners.

“It wasn’t like I put the order through [on Apple.ca] and some days or weeks later I got a targeted smishing attack,” he said. “It was more or less the same day. And it was as if [the phishers] were being notified the order existed.”

The letter to UPS Canada customers does not mention whether any other customers in North America were affected, and it remains unclear whether any UPS customers outside of Canada may have been targeted.

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.

“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from Brian Hughes, director of financial and strategy communications at UPS.

“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said. “We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”

Infosecurity Europe inducts Becky Pinkard, Managing Director of Global Cyber Operations at Barclays, into the Hall of Fame

Rising salaries, the cost of living and changing expectations makes hiring cybersecurity specialists hard

Findings indicate that 89% of CISOs are grappling with risks arising from the rapid deployment of digital services

Kaspersky report that the implant specifically targets iOS devices via a malicious iMessage attachment

Organizations told to move away from tick-box approaches

Organizations are still failing to consider cyber risk from the start, experts say

Security teams need to reframe their role, argue experts