Holiday Phishing: It’s All About the Money

By Krista Lockhart
Cybersecurity
Don't fall for holiday phishing scams.

By Smart City Operations 

As we prepare for the holidays, many of us comb through our loved ones’ Wishlists. Some of us contribute to charitable organizations. Cybercriminals typically get to work creating scams to undermine holiday-related generosity. 

For example, an individual may receive an email with vague wording meant to intrigue the recipient. The subject line could include terms like “Remittance Summary.” The body of the email contains a simple message, “Find attached payment advice for remittance. Kindly revert,” and includes a malicious attachment named Payment Advice. It gets worse: the sender’s email address may appear legitimate but be spoofed, meaning the message is not from the actual sender. If the recipient gets through the entire message and downloads the file, malware begins installing itself. The malware is designed to gather sensitive information. It can find personal data stored in a web browser, such as login credentials. It can also install a keylogger, which records every key pressed on a keyboard. This is destructive because it records what is typed and sends it directly to cybercriminals.

According to the FBI 2022 Internet Crime report, the top holiday-related scams are: 

  • Fake Online Stores or “Lookalike Stores”  
  • Missed Delivery/Non-Delivery Notification 
  • Gift Card Scams 
  • Fake Charities 
  • Phishing Emails or Texts 
  • Fraudulent Seasonal Jobs 

We can all enjoy the holidays and protect ourselves by following these tips: 

  1. Be extra careful reviewing emails that request financial information. If an email looks suspicious or contains unusual grammatical errors, immediately report it to your organization. 
  2. Check the email address because cybercriminals often use emails similar to legitimate senders.
  3. Hover, but don’t click. Hovering over links in an email allows you to see their destination. Avoid clicking if it looks suspicious. 
  4. Before clicking any links or downloading attachments, verify the legitimacy of the sender and the content. 
  5. If you receive an email from someone you don’t know, don’t open it. 

Enjoy the holiday season, and share these tips with your friends and family. 

Teamwork During Hurricane Season

By Krista Lockhart
Planning
Storms
Hurricane Milton Damage

Tropical Storm Helene and Hurricane Milton challenged Central Florida. In both cases, Smart City activated its Natural Disaster Support Plan. With Hurricane Milton in particular, state and local officials raised a higher degree of caution for Central Florida. As a result, Smart City’s cross-functional emergency team met daily to ensure operational continuity for residential and business customers across our service areas in Orange, Osceola, Seminole, Brevard, Lake, and Polk counties.

Smart City field, customer operations, and network teams responded to customer service inquiries as they came in. While power outages caused delays in select service areas, our teams worked quickly to address customer inquiries. It’s worth noting that Smart City does not deploy field crews during storms, but as soon as weather conditions allow, our ride-out teams are dispatched.

While many at Smart City and the community stepped up to help, scammers are now working to capitalize on Hurricane Milton. Cyber scammers are preying on individuals that want to help. Many use AI to create fake photos of damage caused by Hurricane Milton. These images are designed to evoke emotional responses and help line their pockets through faux disaster relief campaigns. To avoid this, the Smart City Security team recommends donating through the official websites of well-known charitable organizations.

Thanks for your continued support. We still have a few more weeks left in Hurricane season, so here are some Hurricane Season resources:

Smart City Storm Center

Hurricane Preparation Checklist

Don’t Trust, Verify – Smart City Telecom

 

 

Leave A Message: Phone Scams

By Krista Lockhart
Cybersecurity
Phone scams - Vishing

By Smart City Operations 

It’s no secret that cybercriminals use artificial intelligence (AI) technology to craft phishing emails. However, did you know AI can also help them with phone scams or voice phishing, commonly called vishing? It is easy to teach AI software to sound like a specific person. A short audio clip from a recorded phone call or a video posted to social media can be used. Once the cybercriminals have this voice file, they can easily target friends, family members, and coworkers with AI-powered vishing. 

According to Hiya’s 2023 State of the Call Summit report, the top 5 phone scams were: 

  1. Amazon customer service impersonators will state that an unauthorized purchase was made or that the credit card linked to the account needs to be updated.  
  2. Insurance scams involve auto, life, and health insurance. Fraudsters try to sell a bogus policy or claim that the victim needs to pay an outstanding bill.    
  3. Medicare scams have existed for years. Fraudsters try to obtain a person’s Medicare number to bill the government for medical services falsely.  
  4. Loved-one scams involve fraudsters calling and pretending to be a grandchild, daughter, son, or other relative. The distraught loved one insists they are in trouble and begs the relative to wire money.
  5. Payment app scams target peer-to-peer apps such as Venmo, PayPal, Zelle, and CashApp. These apps don’t have the same consumer protections as credit cards, and when fraudsters steal money from them, it’s like stealing cash. 

Cybercriminals also use vishing to impersonate managers and executives of an organization. In this scam, an employee receives an unexpected call that appears to come from upper management, asking for help with an urgent request. The voice will direct the recipient to wire money to a vendor to meet a looming deadline. Of course, if the recipient follows the directions, they are wiring money to the cybercriminals. Vishing scams are prevalent; however, here are some tips designed to mitigate vishing scams: 

  • If you receive an unexpected message from a loved one, contact the person before you take action.  
  • Use a verified communication channel. For example, log into your account, call the customer service phone number, or use an official email address associated with the company. 
  • When speaking to the caller directly, ask questions. For example, what was the last transaction? Can you confirm who typically manages this request from your records? 
  • If the request is urgent or time-sensitive, ask yourself: Do I typically handle this at work? What procedure should be followed? 

 

Is that really you Sunpass? Toll Way Scams 

By Krista Lockhart
Cybersecurity
Text Scam

By Smart City Operations 

Memorial Day is commonly described as the unofficial start to summer. In fact, according to AAA, over 43 million Americans hit the road for a long weekend. Just a few weeks later, over 70 million Americans headed out for the 4th of July holiday. Clearly, travel spikes due to “summer holidays,” but so do toll-related cyber scams. Here are some scams to be aware of. 

First, scams that occur over text messaging are commonly referred to as smishing scams. Smishing scams target motorists by sending text messages claiming that the recipient has an outstanding toll due for driving on the highway. The toll amount is often not substantial. However, late payment fees will be charged if the toll isn’t paid immediately. The text message typically includes a link instructing recipients to tap it to settle their balance. However, this seemingly innocent action is a trap. If the recipient takes the bait by clicking a link, it will direct them to a fake payment website. Cybercriminals have three goals in mind: 

  • Steal your current login information. 
  • Raid financial accounts linked to your toll account. 
  • Install malware on your device for wider spread destruction. 

Here are a few proactive actions that anyone can take against toll-related smishing scams.

  1. The first rule of smishing prevention is not to engage. Replying to a smishing text confirms that your number is active and may lead to further attacks. 
  2. Verify the source. If you receive this text, visit the official toll-collection website. 
  3. If you haven’t recently driven on the tollway or weren’t expecting a payment-related message, treat it with suspicion. 

Toll-related scams spike during major holidays, but we can all take proactive measures to protect ourselves from scammers. Equally important, spread the word, tell friends and colleagues about toll-related scams, and share our proactive tips. 

Cyber Scams and Microsoft 365

By Krista Lockhart
Cybersecurity
Security
Microsoft Office scams

By Smart City Operations 

Microsoft 365 is a digital software application package that supports word processing, analysis, information storage, and more. According to Statista, the worldwide market share of office suite technologies is split between Google’s G Suite and Microsoft’s Office 365. Google’s G Suite holds a market share of 59 percent, and Office 365 has 40 percent in the United States. In the United States, there are over one million Microsoft 365 customers. Said another way, Microsoft 365 supports many freelancers and small, medium, and large businesses. Unfortunately, cybercriminals know this, too. They spend a lot of time developing scams and threats against various 365 applications. Here are two common and destructive scams to be aware of. 

First, one of the most common scams is a completely “free” version of Microsoft Office. This is an effective scam because it appeals to price-sensitive or unsuspecting users. This too-good-to-be-true offer is malware. Once a user downloads and installs it, the malware can begin harvesting their data. The installation process appears to be legitimate and professional. It allows users to select the version of Microsoft Office they would like to install. This malware is designed to avoid detection by most antivirus systems. So even if antivirus software scans and removes it, this malware can re-install itself afterward. Ultimately, this “free” version of Microsoft Office costs users their valuable personal data! 

Another common yet destructive Microsoft 365 threat starts with an email claiming unusual activity has been detected on the recipient’s Microsoft account. The email warns that several features have been locked. To review this activity, users are instructed to click a link provided in the email. When a user clicks the link in the email, they are taken to what appears to be an official Microsoft login page. However, this page is fake. But it gets worse fast. Once a user enters their login credentials, cybercriminals can access the account. Once logged in, they can steal personal information and review emails and Teams messages.

In both instances, these scams are destructive. However, there are proactive steps to stop these threats in their tracks. Here are a few tips: 

  • Analyze the URL of the login page. If you are attempting to log in to Microsoft, the legitimate URL should be login.microsoftonline.com; any other variances could be malicious. 
  • Download software from the official source. In this case, go to Microsoft.com and search for the application and offer. If something is too good to be true, it probably is.  
  • Be sure to follow instructions regarding antivirus software and data backups. Having updated anti-virus software and periodic backups are good practices. 
  • Scammers often try to influence users to act impulsively. Therefore, taking a few steps to verify the offer is critical. 
  • Sometimes, phishing emails contain spelling and/or grammatical errors, or the wording may seem unusual. Keep a watchful eye out for this. 
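
The first tip above, written out as a small check a help desk or mail-filter script could run on a link. This is an added example, not code from Smart City or Microsoft; the function name `check_login_url` and the sample links are constructed for illustration, and it assumes the only accepted host is the one the tip names.

```python
from urllib.parse import urlsplit

# Sign-in host named in the tip above; any other host is treated as suspect.
EXPECTED_HOST = "login.microsoftonline.com"

def check_login_url(url, expected_host=EXPECTED_HOST):
    """Return (ok, reason) for a link that claims to be the sign-in page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return False, "URL could not be parsed"
    if parts.scheme != "https":
        return False, "not an https link"
    if has_userinfo:
        # In https://name@host/ the browser connects to host, not name.
        return False, f"text before '@' is a decoy, real host is {host}"
    if not host.isascii() or "xn--" in host:
        return False, f"internationalized lookalike host: {host}"
    if host == expected_host:
        return True, "host matches exactly"
    if host.startswith(expected_host + "."):
        return False, f"expected name is only a prefix of {host}"
    return False, f"different host: {host}"

# Constructed sample links (the .example domains are placeholders).
SAMPLES = [
    "https://login.microsoftonline.com/",
    "https://login.microsoftonline.com.account-review.example/signin",
    "https://login.microsoftonline.com@account-review.example/",
    "https://login.micr\u043esoftonline.com/",  # Cyrillic letter in place of 'o'
    "http://login.microsoftonline.com/",
    "https://login-microsoftonline.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_login_url(link)
        shown = link.encode("ascii", "backslashreplace").decode()
        print("OK     " if ok else "SUSPECT", shown, "->", reason)
```

The comparison is on the parsed host name, not on whether the expected text appears somewhere in the link, which is why the second and third samples are flagged even though they contain the full legitimate name.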

In closing, Microsoft 365 cyber scams are widespread. Scammers create new ones daily and use generative artificial intelligence to deploy professional offers.  Use all the information and tips referenced in this blog post to make good decisions at work and at home.