“’Twas the night before Christmas, when all through the house, not a creature was stirring, not even a mouse...” But you can bet your Inbox received at least one lump of coal in the form of a phishing email. That’s right, the bad actors have been very naughty in 2016, delivering millions of fraudulent messages trying to entice trustworthy people to move money from their wallet to the bad guys’ wallets. And they’ve gotten really good at fooling us – painfully good. We have to defend ourselves correctly every time one of these rotten eggs arrives in our Inbox. After all, the crooks only need to get it right a few times to make a tidy sum and ruin our holiday. Here are four examples of phishing campaigns that caused, or can cause, major problems.
1. John Podesta’s Email Hacked
On March 19th, 2016, John Podesta (Hillary Clinton’s Campaign Chairman) received an email from “Google.” The email said someone in Ukraine had his password and tried to sign into his account. The IT team at the campaign confirmed the email was “real” and provided a Google-specific link to change the password (and suggested he set up two-factor authentication). Apparently, rather than using the Google link, the password change was initiated from the original phishing email, and Mr. Podesta’s account was compromised. That phishing attack set up a major email release by WikiLeaks… something that may have contributed to Hillary Clinton’s loss to Donald Trump in the U.S. Presidential election.
2. The Fake Invoice
As this August 2016 article from thisismoney.co.uk explains, people are being duped into handing over their bank details upon receipt of a fake invoice like the one below. There are often telltale signs of fraudulent activity in these messages, including:
- Hovering over the “Manage your refunds!” hyperlink unveils the suspicious website.
- The email originates from a suspicious email address, and a “something just doesn’t seem right” type of feeling comes over you.
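The two telltale signs above (a link whose visible text hides a different destination, and a sender address that doesn’t add up) can be checked mechanically before anyone hovers a mouse. The script below is an added example written for this article, not code from the original post. It parses a constructed sample message (hypothetical addresses and domains only) and reports the same mismatches a careful reader would look for: link text that names one domain while the `href` leads to another, links that leave the sender’s claimed domain, and a `Return-Path` that doesn’t match the `From` header. The “registrable domain” helper simply keeps the last two labels of a hostname; that is an assumption made to keep the example self-contained, and a real mail filter would consult the Public Suffix List instead.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical addresses and domains, not a real message).
# The "Manage your refunds!" link points away from the bank's domain, a second
# link shows one domain in its text but links to another, and the envelope
# sender (Return-Path) does not match the From header.
SAMPLE_EMAIL = b"""From: "Refunds Team" <refunds@example-bank.com>
Return-Path: <bounce@mail-relay.example.net>
To: customer@example.org
Subject: Your refund is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://example-bank.com.refund-portal.example.net/claim">Manage your refunds!</a></p>
<p>Or go to <a href="http://example.net/help">example-bank.com/help</a></p>
</body></html>
"""

# Link text that "looks like" a URL or domain, e.g. example-bank.com/help
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption:
    a production check would use the Public Suffix List, e.g. for co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, tolerating bare 'domain/path' text with no scheme."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return urlparse(candidate).hostname or ""


def analyze(raw):
    """Return human-readable findings for one raw RFC 822 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path:
        rp_domain = registrable_domain(return_path.split("@")[-1])
        if rp_domain != from_domain:
            findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        target = registrable_domain(host_of(href))
        # Visible text naming one site while the href goes elsewhere is the
        # classic "hover over the link" giveaway.
        if DOMAIN_LIKE.match(text) and registrable_domain(host_of(text)) != target:
            findings.append(f"link text '{text}' actually points to {target}")
        # In a message asking you to act, any link off the sender's own domain
        # deserves a second look.
        if target != from_domain:
            findings.append(f"link '{text}' leads to {target}, not the sender's domain {from_domain}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Run as a script, it prints one warning per mismatch found in the sample. The "link leaves the sender's domain" rule is deliberately noisy (legitimate mail links to third-party services all the time); it is meant to surface links for a human to look at, not to block mail on its own.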
3. Fake IRS Email Scams
This is nasty stuff. It’s been so effective that the IRS saw an approximately 400% increase in phishing and malware incidents in the 2016 tax season, resulting in millions of dollars in losses. These scam emails trick people into thinking they are official communications from the IRS. Emails can seek information related to refunds, filing status, confirming personal information, ordering transcripts, and verifying PIN information. When people click on these email links, they are taken to sites designed to imitate an official-looking website, such as IRS.gov. The sites ask for Social Security numbers and other personal information, which could be used to help file false tax returns. You may know someone who fell victim to this scam. I do, and it cost her months of time and legal fees to undo the damage. Here is an example from the University of Delaware’s threat alert site.
4. Fake Shipping Status Notifications
With so many online orders being shipped during the holiday season, people are more likely to click something they wouldn’t normally click. If you just placed an order that shipped via UPS, and then you get an email about your recent order being delayed, you may be likely to click it. Look for subject lines such as "USPS Delivery Failure Notification." Scammers are very good at making these emails look almost identical to official notifications from the real shippers. Trust your gut. If it feels a bit wrong, it probably is. Clicking on the link in the message can cause a variety of problems – like activating a virus and allowing the scammers to steal any personal information stored on your device, including usernames, passwords and other sensitive information tied to your financial accounts. Here’s an example from Westfield Bank’s security update webpage, where clicking on the “Print a Shipping Label” button downloads a zip file with a Trojan virus that causes all sorts of problems.
Friends, let’s keep visions of sugar-plums dancing in our heads while being vigilant against unwelcome phishing attacks. Make St. Nicholas proud.