Credential scam with a clever twist

Online hackers are always on the prowl for new victims. Sometimes the attacks are large-scale, like the one on Colonial Pipeline, but most often scammers prey on individuals and small- to medium-size businesses. Awareness is the best defense. KnowBe4.com is a world leader in security awareness training. They recently highlighted an emerging cybersecurity scam with far-reaching implications:

If you try logging in to an account but get a “wrong password” error, what do you do? You’ll probably try typing the same password again. But if that doesn’t work, do you try another one of your passwords? Then another, and another? Cybercriminals have a clever new scam that takes advantage of this exact behavior.

You receive an email with a link to view an important document. If you click the link, the document looks blurred-out and is covered by a fake Adobe PDF login page. If you enter your email and password, you’ll get an error stating that your password is invalid. This page allows you to try a few more times before eventually blocking you from viewing the document. But the truth is, there was never a document to view. Instead, the cybercriminals saved your email address and every password you tried to use. They can use this information to try to log in as you on other websites.

Don’t be fooled! Remember these tips:

  • Remember that any site, brand, or service can be spoofed.
  • Never click a link in an email that you were not expecting. If you’re not sure, reach out to the sender by phone to confirm the legitimacy of the email.
  • Always use a password that is unique to that specific account. This way, if your credentials are stolen, the cybercriminals can’t access your accounts on other websites.

Mat Payne is the Technology Director with Antares Group, Inc. He can be reached at mrp@antarescpas.com.