Weekly SEA

It Begins with: ‘I Know You Cheated on Your Wife’
Comment: Some phishing campaigns include emails with salacious and sensational subject lines designed to elicit emotional reactions from recipients and convince them to click on an embedded link, open an attachment, or pay an extortion fee. In this particular scheme, hackers claim to have evidence that the recipient has had a marital affair and threaten to release the information to the recipient’s spouse, family, and friends if specific financial demands are not met. However, there is no evidence to suggest that there is any validity to their claims and recipients of these types of emails are encouraged to delete them without taking any further action.

Study Shows which Phishing Attacks Most Successful 
Comment: A study conducted by KnowBe4 found that some of the most successful phishing campaigns included subject lines referencing delivery attempts, UPS tracking numbers, required password updates, and notifications related to unusual sign-in activity. Users must be especially wary of messages that include any of these topics in the subject line and should refrain from using links provided in unsolicited emails to visit websites requiring the input of personal information or account credentials. 

Four Common Email Scams and How to Stay Safe Online
Comment: Email-based phishing attacks are one of the most prevalent cyber threats today because they can be an effective way for hackers to manipulate victims into divulging sensitive information. Anyone can be duped by a phishing scheme, which is why education and awareness are key to reducing one’s risk. This article highlights four common phishing scams and provides information on how to spot them and avoid falling victim. When handling email, a good rule of thumb is to remain skeptical of any links or attachments contained within unexpected or unsolicited emails.

IRS Scams Ramping Up in Morris County, Police Say
Comment: Morris County officials are warning residents of an increase in IRS scam calls in which the callers accuse victims of owing back taxes and then threaten them with jail time if they don’t pay immediately. Although these phone calls may initially seem legitimate, especially if the caller uses spoofing techniques to make the caller ID display the real number of the IRS, it is important to remember that this type of call will always be a scam. Recipients of these types of calls are urged to immediately hang up and file a report with their local police department. Never divulge any personal or financial information during unsolicited calls and remember that no legitimate company or agency will ever require payment in the form of gift cards, prepaid debit cards, or money transfers. 

Scotch Plains Family Loses Thousands to Phone Scammers
Comment: Before acting on any request for money or personal information, whether the request was made over the phone or via email, do your due diligence and research the person or organization making the request, especially if the requestor tries to create a sense of urgency or the requested payment method is unusual. Search phone numbers and organization names online to see if there are any posted complaints from other victims and avoid sending money to people you don’t know via gift cards, prepaid debit cards, or wire transfers. If you are a victim of a phone scam, contact your local police department immediately.

Hackers Are Con Artists: The Perils of Social Engineering
Comment: Hackers often rely on the trusting nature of their victims combined with the element of surprise in order to circumvent security controls and gain access to valuable and sensitive data. This is why phishing schemes remain so prevalent and phone scams such as the Windows Tech Support scam have worked so well against so many people. Sophisticated social engineering schemes can fool anybody – even security professionals – so we always advise using available security tools such as multi-factor authentication to prevent unauthorized access to accounts and reputable antivirus software on all systems and devices.

Phishing Remains Top Cyberattack Method
Comment: No organization can fully protect itself against the threat of phishing; however, organizations can reduce their risk by educating their employees about the different tactics social engineers use to obtain sensitive information and gain unauthorized access into networks. In addition to education, organizations should also have an incident response plan in place, as well as a comprehensive data backup and recovery plan to fully guard against this and other cyber threats.

Old Phone Scam Takes New Twist In Essex County: Sheriff
Comment: Essex County officials are warning residents of a phone scam in which the perpetrators claim they are from the Sheriff’s Office and accuse victims of failing to appear for jury duty, threatening them with an arrest warrant if they do not pay a fine. If victims agree to pay, they are instructed to purchase a prepaid debit card with an amount specified by the perpetrators and then provide them with the card information. Please remember that no government or law enforcement agency will ever demand payment over the phone in the form of a prepaid debit card or gift card and official communications of a serious nature will always arrive via the US Postal Service. Victims of this or other phone scams are encouraged to report it to their local police department, the NJCCIC, and the FBI Internet Crime Complaint Center.

Watch Out for Phishing Emails Linking to Fake Meltdown and Spectre Patches
Comment: Social engineers know that using well-publicized events and topical news items can lure even the most educated and tech-savvy individuals to dangerous, malware-laden websites. This is why it is very important to run reputable and up-to-date antivirus software at all times and scan every executable you download for malware, even if it initially appears to be a legitimate file. For a vetted list of vendors providing patches for Meltdown and Spectre, please see the NJCCIC Meltdown and Spectre Product Vulnerability and Update List.

Fake Meltdown/Spectre Patch Installs Malware 
Comment: Social engineers are using recent news regarding Meltdown and Spectre to trick unsuspecting victims into downloading malware. A recent email campaign was observed attempting to lure victims to a malicious website masquerading as a resource for Meltdown and Spectre information and patches. The website hosts a ZIP file claiming to contain a security patch but, in reality, it contains Smoke Loader, a trojan that creates backdoors in systems. To protect yourself from falling victim to this and similar scams, never click on links included in the body of unsolicited emails. For the latest information on Meltdown and Spectre, visit the NJCCIC’s product vulnerability and update list.

Real Life Examples of Phishing at Its “Phinest”
Comment: Phishing continues to be so prevalent because of its effectiveness, and sophisticated social engineering campaigns put all of us at risk of account and credential compromise. The best way to protect against this threat is to enable multi-factor authentication on every account that offers it and refrain from using the same password across multiple accounts. 

Ridgewood Residents Are Victims of Credit Card Fraud, PSE&G Scam 
Comment: One Ridgewood, New Jersey resident lost approximately $1,500 to a caller who claimed to be a PSE&G employee and threatened to cut her power service unless she submitted payment via MoneyPak prepaid debit cards. Unfortunately, the only way to prevent victimization is through education and awareness. Please inform friends and neighbors – especially senior citizens – about these types of scams and remind them that no legitimate company or agency will ever require payment in the form of gift cards, prepaid debit cards, or money transfers. Recipients of these scam calls are urged to hang up immediately and report them to their local police department.

Bamboozled: Netflix and Fraud? How Scammers Are Targeting Users 
Comment: Social engineers use popular online services such as Netflix to indiscriminately target a large number of users in phishing campaigns with the assumption that many of them have associated accounts. Well-crafted spam emails and landing pages that are nearly identical to the legitimate websites can easily trick users into entering their credentials and other sensitive information into phishing sites. Targets of these types of phishing campaigns are highly encouraged to visit associated sites by typing the legitimate URL into their web browsers rather than clicking on links included in the body of these emails. 

Electric Company Phone Scam Reported in Ocean City: Police
Comment: Social engineers are attempting to take advantage of the recent bout of extremely cold weather by calling Ocean City residents and identifying themselves as Atlantic City Electric representatives. During the call, they try to scare victims into believing that they have an unpaid or overdue bill and threaten to cut their power if they do not immediately submit payment using a prepaid Green Dot MoneyPak card. Anyone who receives a phone call associated with this or any other scam is urged to immediately hang up and file a report with their local police department. Never divulge any personal or financial information during unsolicited calls and remember that no legitimate company or agency will ever require payment in the form of gift cards, prepaid debit cards, or money transfers.

Somerset County Residents Targeted in Phone Scam
Comment: Somerset County authorities are warning residents of a phone scam in which the perpetrator fraudulently identifies himself as either Lt. Dan O'Brien or Sgt. Dan O'Brien and attempts to convince victims that there is an active warrant out for their arrest. The caller then asks the victims to meet with him and purchase vouchers at a CVS store to pay off the warrant. The calls reportedly originate from phone number (908) 505-8872. Anyone who receives this type of phone call is urged to report it to their local police department.

Please Do Not Feed the Phish
Comment: Because advanced persistent threat (APT) groups know that humans are the weakest link in cybersecurity, they often choose phishing as the initial attack vector. Just one well-crafted email could be all it takes to trick a target into clicking on a malicious link or opening a malware-laden attachment, thus allowing an APT to bypass filters and security appliances and access the victim’s network undetected. As no organizations or individuals are immune to this type of threat, providing social engineering awareness training and limiting user account privileges are essential components of a comprehensive security strategy.

Bamboozled: Top Scams to Watch for in 2018
Comment: If the scamming activity that occurred throughout 2017 was any indication, we will likely see as much, if not more, in 2018, especially as we approach tax season. As we begin this new year, stay ahead of the scammers by remembering to never share sensitive personal information over the phone or through unsecured email. Also, keep in mind that no legitimate company, organization, or government agency will ever initiate a phone call to demand immediate payment and they will certainly not require payment in the form of gift cards.