Contact tracing is an integral part of the fight against COVID-19. It speeds response, identifies potential hot spots, and focuses testing efforts. Unfortunately, it also creates an opportunity for scammers to deploy two of their most powerful tools, impersonating authority and a sense of urgency.
A North Carolina news station conducted an information test by calling a producer's friends and using a script based on CDC recommendations.
After the initial greeting and confirmation of the subject's name and birth date, the script abandoned the CDC guidelines and started asking for the subject's Social Security number, home address and other personal information. These questions are presented as necessary to 'confirm' the subject's identity. In fact, they are the basic elements of identity theft. Several of the attempts were successful in getting a complete picture of the subject's personal information.
In another part of the same segment, the station interviewed an IT Security professional who demonstrated how a simple, professionally-worded message (from a fictitious contact tracing company) could get recipients to click on a link that could install malware on their computer. The malware could be leveraged to give an attacker complete access to all information on the system.
Contact tracing gives scammers a chance to represent themselves as providing a legitimate and authoritative service in combating a pandemic, and to take advantage of the stress their victim may feel on being informed that they have been identified as at-risk for infection.
If you get a text message or email telling you that you will be called by a contact tracer, then just wait for the call. If you get a message telling you to click a link, DO NOT CLICK THE LINK!
If you live in Maryland, please visit https://coronavirus.maryland.gov/pages/contact-tracing . If you are called by a legitimate contact tracer, your caller ID will tag the call as MD COVID. If you do not have caller ID, the calling number should be (240) 466-4488. You can also call back on (240) 466-4488 if you receive voice mail. A legitimate contact tracer will not ask you for your Social Security number, bank account number or credit card information, nor will they ask for money.
References:
Rossen Reports: Feds warn of new contact tracing scam
https://www.wxii12.com/article/rossen-reports-scammers-posing-as-contract-tracers/33251285
Notification of Exposure: A Contact Tracer's Guide for COVID-19
https://www.cdc.gov/coronavirus/2019-ncov/php/notification-of-exposure.html
Welcome to covidLINK - Maryland,giv
https://coronavirus.maryland.gov/pages/contact-tracing
Maryland COVID Contact Tracing
https://www.norc.org/Research/Projects/Pages/maryland-covid-contact-tracing-.aspx
]]>Scammers are always inventing new ways to exploit people. However, some of the basic tactics don’t change much. The Cybercrime Support Network (CSN), in partnership with Google, has set up the ScamSpotter web site (https://scamspotter.org/) . Scam Spotter lists Three Golden Rules for spotting a scam.
Slow Down: If any organization is rushing you to act fast, this is a red flag. Take your time to get more information. Do not rush.
Spot check: Utilize the internet, search for that organization online. If you get unexpected calls, unhang up, then search to verify the phone number.
Stop, Don’t Send: Scammers are always demanding payment on the spot, A trustworthy organization would not ask you to send your credit card over texts, phone calls or emails. Scammers love gift cards. Do not send any gift cards to anyone, who you have not verified or know.
If you receive email and are not sure whether it’s a scam, please send the complete headers to security@umbc.edu. The UMBC guide to displaying complete email headers can be found at:
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
Source: https://scamspotter.org/scams
]]>Scammers are always inventing new ways to exploit people. However, some of the basic tactics don’t change much. The Cybercrime Support Network (CSN), in partnership with Google, has set up the ScamSpotter web site (https://scamspotter.org/) . Scam Spotter lists Three Golden Rules for spotting a scam.
Slow Down: If any organization is rushing you to act fast, this is a red flag. Take your time to get more information. Do not rush.
Spot check: Utilize the internet, search for that organization online. If you get unexpected calls, unhang up, then search to verify the phone number.
Stop, Don’t Send. Scammers are always demanding payment on the spot, A trustworthy organization would not ask you to send your credit card over texts, phone calls or emails. Scammers love gift cards. Do not send any gift cards to anyone, who you have not verified or know.
If you receive email and are not sure whether it’s a scam, please send the complete headers to security@umbc.edu. The UMBC guide to displaying complete email headers can be found at:
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
Source: https://scamspotter.org/scams
]]>With COVID-19 present in our day to day lives, malicious actors are taking this opportunity to scam people out of their personal and financial information. Recently the IRS Criminal Investigation Division (IRS-CI) has noticed various campaigns targeting Economic Impact Payments as well as other COVID-19 related scams.
The IRS-CI warns that some of these scams will offer more money from the government or even faster check delivery if the reader shares personal information and pays a small “processing fee.” The IRS warns that there are no shortcuts for stimulus checks. Malicious actors have also been trying to convince people to “apply” for a second stimulus check. According to a Forbes article, as of right now, there is currently no second stimulus check in the works.
Malicious actors are also setting up fake charities soliciting donations for individuals, groups and areas affected by COVID-19. Some malicious actors are even offering the chance to invest in companies working on a vaccine, promising that the “company” will dramatically increase in value as a result. Some are even selling fake products like at-home test kits, fake cures, vaccines, pills and giving advice on unproven treatments.
They also warn of phishing campaigns being sent out either through text or emails. These campaigns are using keywords like “Corona Virus,” “COVID-19,” and “Stimulus.” For these campaigns the IRS-CI says the malicious actors' targets are people's personal and financial information.
If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.
How do I forward full email headers?
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
For more information, please check out:
https://www.irs.gov/newsroom/irs-warns-against-covid-19-fraud-other-financial-schemes
]]>You are working from home, web browser open to whatever resources you need to write a paper, prepare a class, review a budget, or whatever else you need to get your job done. Suddenly a window you didn’t ask for appears on your screen. It may look sort of like a normal security product or perhaps it is flashing red and yellow. There may even be - no kidding - sirens. The message seared into your eyes tells you that your computer is infectedwith viruses, possibly hundreds of them. The message says your data may be stolen, or erased, or both. The message tells you that it is urgent that you click a link to buy and download an antivirus product and/or call a phone number where you will be able to buy a support contract (they just need your bank’s routing number and your account number and they will take care of the details). If you try to close this window, it wither won’t close or gets replaced by more such windows. In any case, the message is telling you that the most important thing for you to do immediately is to panic. The pop-up window is doing it’s very best to get you to act without asking any questions.
This type of malware has become quite common and falls into a class called ‘scareware’. The goal is to get you to act without thinking about what you’re doing. If the window won’t go away, turn your computer off and then back on. Some scareware is attached to your browser and will only reappear when you start whichever browser you were using before. Other scareware is installed as a program and may reappear when your computer restarts. It can be extremely annoying, but the real threat is the link and/or phone number that you are asked to use to fix the problem. DO NOT CLICK THE LINK AND/OR DO NOT CALL THE NUMBER.
General Rule: Anything, windows, email, articles, etc. that you see on your computer that seems to be trying to induce panic, is probably trying to do just that. Stay calm and think, don’t click!
Here are some references where you can find out more:
https://www.aarp.org/money/scams-fraud/info-2019/tech-support.html
https://www.consumer.ftc.gov/articles/how-spot-avoid-and-report-tech-support-scams
https://computing.which.co.uk/hc/en-gb/articles/207101035-How-to-spot-a-fake-virus-alert
With Covid-19 causing many Americans to file for unemployment, many people are looking for jobs. Some malicious actors are taking advantage of them by creating new job scams. Here is a list of tips from Forbes to help spot potential job scams.
Malicious actors will use keywords when describing a job such as “work-from-home”, “work-at-home”, “quick money”, or even “unlimited earning potential”. A legitimate job will usually use keywords along the lines of “remote work”, “virtual work” or “telecommute job”.
Descriptions and emails for scam jobs will usually have grammatical or spelling errors, while legitimate jobs will not have major errors.
A malicious actor will want to hire very quickly, they may include keywords like “immediate hire” in the description and any communication will feel urgent. A legitimate job will usually take some time as they want to hire the right people.
If the job description seems “too good to be true” then it probably is.
Scam jobs are known for asking for an upfront fee for things like applications, background checks, employee processing or even uniforms. They could also request personal information prior to completing the hiring process. A legitimate job will only request information like tax documents after agreeing to the terms of hire.
A malicious actor will request to communicate through email or even chat rooms like Google Hangout. Their emails might even try to mimic the real company’s emails. Even if a legitimate job will contact you through websites like LinkedIn. They will not hire someone without having a phone or video conference interview.
The key to quick scams is urgency. The scammer doesn’t want you to stop and think, and certainly not to ask questions. If you are urged to act immediately and told that you will lose a good opportunity or that something bad will happen if you delay, be suspicious.
Lack of business details is another warning flag. If someone offers you a job without giving you a phone number, street address, or a link to their business to check out, be suspicious.
If the message tells you that your name was provided by UMBC, but asks you to reply from your personal email, ask yourself why they don’t want to use the UMBC email address they just used to contact you. If you see something inconsistent, be suspicious.
If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu and delete the message.
How do I forward full email headers?
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
For more information, please check out:
]]>Many of us lived our lives, at least in part, through computers even before telework and distance learning became the norm. You may use your computer for writing reports, designing presentations, tracking budgets, email, banking, checking medical records, filing your taxes, and dozens of other necessary work and life-related chores. Now, suppose someone took your computer and demanded a hundred dollars for its return. Suppose someone took all the computers in your office or university away and demanded thousands of dollars for their return. This is what ransomware does.
Just to be clear, no one shows up, grabs the computer, and runs out the door. During a ransomware attack, the computer is still there. The data on the computer, however, all the email, documents, spreadsheets, bookmarks and whatever else you have stored on it is unusable. It has been encrypted, and you don’t know the password. The data is, for all intents and purposes, gone.
Ransomware will leave your computer just functional enough to pop a ransom note up on the screen. The note directs the victim to pay a specified amount in cryptocurrency in return for the password. The payment will be effectively untraceable. Like most ransom situations, you have no assurance beyond the word of obvious criminals that you will get that password, or even that they have it. Two departments at Michigan State University were struck with ransomware around last Memorial Day and have announced the ransom will not be paid.
Ransomware is delivered in the same way as other malware. It usually gets a foothold when a computer user opens infected email, clicks on a malicious link, or installs software from an untrusted source. It is just as likely to strike any computer as any other malicious program.
Updating your computer regularly with security patches and installing anti-virus protection is always a good idea. The absolute best defense against ransomware, is to make a backup. If you have recent copies of your files stored somewhere other than on your computer, you can restore all your data if ransomware hits. You don’t need to backup all the information on the computer, just the information that is important and irreproducible. Documents, pictures, address lists, etc. can all be backed up, either to removable media such as a USB thumb drive or an external drive, or to cloud storage. Microsoft and Apple have both tried to make automatic backup to cloud storage as easy as possible (see Resources below). There are other options such as Box storage with Box Sync.
IMPORTANT: If you are working from home using data belonging to UMBC, there may be restrictions on where that data can be stored. Check with the Division of Information Technology (security@umbc.edu) to find out what options are available. It is essential that backups of sensitive data be protected and not breached.
Windows Backup to Microsoft OneDrive
https://www.microsoft.com/en-us/microsoft-365/onedrive/pc-cloud-backup
Macintosh Backup to iCloud
https://support.apple.com/en-us/HT204025
For more information:
https://www.insidehighered.com/quicktakes/2020/06/04/michigan-state-refuses-pay-ransom-hackers
]]>The Federal Trade Commission warns of a phishing email scam aimed at college students. The malicious actor sends emails out claiming to be from the Financial Department of the student’s university. The email tells readers to click on the provided URL to get messages about their economic stimulus check. Once readers click on the URL it will require a university login to proceed.
These emails are phishing scams and once the URL is clicked on, the reader is either giving the malicious actors their personal information or even allowing malware to be installed onto their devices.
To help spot and avoid scams similar to the one above:
If you have concerns about an email, look up a phone number or website of the sender/department that the email is claiming to be from. This helps to confirm you are calling someone who is real and not a malicious actor. If there is no contact information, it very likely is a scam.
Look out for bad grammar and spelling as this can be a tip-off that the email might be from a malicious actor.
Look out for wrong department names. For example the article found that one version of this phishing email claimed to be from the Financial Dept instead of the Financial Aid Department.
If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu and delete the message.
How do I forward full email headers?
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
UMBC’s Office of Financial Aid and Scholarship:
https://financialaid.umbc.edu/
For more information, please check out:
https://www.consumer.ftc.gov/blog/2020/05/covid-19-scams-targeting-college-students
]]>The Federal Trade Commission warns of a phishing email scam aimed at college students. The malicious actor sends emails out claiming to be from the Financial Department of the student’s university. The email tells readers to click on the provided URL to get messages about their economic stimulus check. Once readers click on the URL it will require a university login to proceed.
These emails are phishing scams and once the URL is clicked on, the reader is either giving the malicious actors their personal information or even allowing malware to be installed onto their devices.
To help spot and avoid scams similar to the one above:
If you have concerns about an email, look up a phone number or website of the sender/department that the email is claiming to be from. This helps to confirm you are calling someone who is real and not a malicious actor. If there is no contact information, it very likely is a scam.
Look out for bad grammar and spelling as this can be a tip-off that the email might be from a malicious actor.
Look out for wrong department names. For example the article found that one version of this phishing email claimed to be from the Financial Dept instead of the Financial Aid Department.
If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu and delete the message.
How do I forward full email headers?
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
UMBC’s Office of Financial Aid and Scholarship:
https://financialaid.umbc.edu/
For more information, please check out:
https://www.consumer.ftc.gov/blog/2020/05/covid-19-scams-targeting-college-students
]]>As the global health crisis continues, many organizations are making the decision to continue remote work into the summer, and some are even hiring new employees remotely. Malicious actors are also still working and are capitalizing on uncertainty and preoccupation with other challenges. One of their most common goals is to obtain private information, such as passwords, personally identifiable information like social security numbers, or internal business decisions, all of which can be sold on the dark web or used in future scams targeting both individuals and organizations. Whether you are already teleworking or simply want to be prepared for any opportunities that may arise, familiarize yourself with these simple tips to keep you, your devices, and your organization safe in the virtual workspace.
Read and follow your organization’s policies on telecommunications and telework. Know what you are and are not allowed to access from your personal devices.
Secure your Internet connection. Use a unique password for your home Wi-Fi and avoid accessing private information over public connections.
Lock your devices. Use a unique password, facial recognition, etc. to ensure that others cannot access private information through your phone or computer.
Keep your devices up to date. Update regularly or enable automatic updates to get the latest security patches as quickly as possible.
Use any additional security tools your organization provides. For example, UMBC offers access to the GlobalProtect VPN for secure remote connection to the campus network, and Duo Two-Factor Authentication to help prevent unauthorized logins to your UMBC account.