Delete and ask later: Phishing scams on the rise

We have recently noticed a large number of phishing emails targeting businesses and individuals. These fraudulent emails come across as an unknown vendor or service sending an invoice, or contain a warning of some kind containing either a link to an infected site or an infected file they want you to download. These emails can contain any sort of malicious software. One that is increasingly common is the “CyrptoWall” ransomware, which once it infects your system begins to encrypt any files it can reach, including your “C” drive, and any network drives you may have. Once encrypted, your only way of recovering the data is to restore from backups if you have them, or pay the ransom, which can be hundreds of dollars via “Bitcoin” with no promise of your files being restored.
There are some very basic investigative steps you need to take when receiving a questionable email:

  1. Is this from someone you know and are you expecting an email and/or attachment from him or her?
  2. Is the email the same as other correspondence you have had with this vendor or individual. A simple Google search (thisdomain.com) can tell you the domains from which a vendor will send you mail.
  3. Mouse over any links WITHOUT CLICKING and you will see where the link goes. If the site is unfamiliar, NEVER click it.
  4. Use common sense: Have you heard of this supposed company before? Google them to see if they exist, and check their .com to see if it lines up with their email address.

These emails can come from any email address or even “spoof” known email addresses.
Some examples of phishing scams received at our office or by some clients:

    1. “Your USAA card has been limited”
      This is a scare email suggesting that you download the attachment and fill out all of your personal information so that your card access will be restored. The attachment would be a form that looks like the official site.
    2. “Postmaster reported a failed delivery”
      This email suggests that you had an important email from American Express that could not be delivered to you. It invites you to click on a link to go directly to the site in order to retrieve it. However, the link is likely to an infected website.
    3. “American Express detected suspicious activity on your card”
      This is the same tactic as the first example. Oddly enough, one client reported receiving failed delivery and suspicious activity on American Express emails one after the other. These guys are tricky.
    4. “Dropbox files for you: James has sent you a document.”
      This is probably the more complicated and risky phishing email since we sometimes receive emails from our clients and vendors via Dropbox. If you receive one of these, go through the investigative steps outlined above:

      • Do you know a James and would he be using Dropbox to send you a file? NO
      • Check the real email address. Note that mail.d-box.com is not dropbox.com.
      • Finally, hover VERY carefully over the link in the email and see where the actual link is taking you.
    5. “Invoice #12345678”
      This email claimed to be from “[insert name] Courier Service” sending you an invoice. It contained a .zip file, which is one of the easiest ways to infect a system and is how several people we are aware of have been infected with the Crypto-viruses. Our office has received several of these and they come from a different domain and a different sender. The body of the email is changed to match the sender’s name. This type of attack is becoming far more common and we all need to be far more alert to what we are receiving.

Please delete first and ask questions later! Do not hesitate to let us know if you have any questions.