Once again, the ACBL has been notified of members being solicited by ‘phishing scams.’ We take all of these instances seriously and work hard to keep our sites safe. After any notification, we check our systems again.
FYI – just because a phishing email lands in your inbox, it doesn’t mean your computer is infected with a virus or malware. … Phishers might send emails to thousands of addresses every day, and if you reply to one of their messages, it confirms your email address is live. This makes you even more of a target. We appreciate you alerting us and helping to keep our network, and our people, safe from cyber threats.
“Phishing” is the most common type of cyber-attack that affects organizations like ours. Phishing attacks can take many forms, but they all share a common goal – getting you to share sensitive information such as login credentials, credit card information, or bank account details, or to simply send money or gift cards.
The particular email we were made aware of this time is a form of ‘spoofing’. Spoofing is when someone makes an email appear as though it was sent from somewhere it wasn’t, such as your own email address. This is often used in ‘whaling’ efforts. Whaling is a popular ploy aimed at getting you to transfer money or send sensitive information to an attacker via email by impersonating a real company executive or representative. Using a fake domain that appears similar to ours, the messages look like normal emails from a high-level official of the company, typically members of the Executive Team and/or Board Members.
Although we maintain controls to help protect our networks and computers from cyber threats, we rely on you to be our first line of defense. And you have done exactly what you should – notifying the people who may have received this and notifying us. We all must be on constant alert for scams.
Phishing and How You Can Help
“Phishing” is the most common type of cyber-attack that affects organizations like ours. Phishing attacks can take many forms, but they all share a common goal – getting you to share sensitive information such as login credentials, credit card information, or bank account details.
Outlined below are a few different types of phishing attacks to watch out for:
- Phishing: In this type of attack, hackers impersonate a real company to obtain your login credentials. You may receive an e-mail asking you to verify your account details with a link that takes you to an imposter login screen that delivers your information directly to the attackers.
- Spear Phishing: Spear phishing is a more sophisticated phishing attack that includes customized information that makes the attacker seem like a legitimate source. They may use your name and phone number and refer to ACBL in the e-mail to trick you into thinking they have a connection to you, making you more likely to click a link or attachment that they provide.
- Whaling: Whaling is a popular ploy aimed at getting you to transfer money or send sensitive information to an attacker via email by impersonating a real company executive. Using a fake domain that appears similar to ours, they look like normal emails from a high-level official of the company, typically members of the Executive Team, and ask you for sensitive information (including usernames and passwords).
- Shared Document Phishing: You may receive an e-mail that appears to come from file-sharing sites like Dropbox or Google Drive alerting you that a document has been shared with you. The link provided in these e-mails will take you to a fake login page that mimics the real login page and will steal your account credentials.
What You Can Do
To avoid these phishing schemes, please observe the following email best practices:
- Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip or other compressed or executable file types.
- Do not provide sensitive personal information (like usernames and passwords) over email.
- Watch for email senders that use suspicious or misleading domain names.
- Inspect URLs carefully to make sure they’re legitimate and not imposter sites.
- Do not try to open any shared document that you’re not expecting to receive.
- If you can’t tell whether an email is legitimate, please DO NOT RESPOND.
- Be especially cautious when opening attachments or clicking links if you receive an email containing a warning banner indicating that it originated from an external source.
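Several of the points above (misleading domain names, the “fake domain that appears similar to ours” used in whaling, the external-source warning banner) can be checked mechanically at the mail gateway before a message reaches a member. The following is an added example, not ACBL’s code: the trusted domain example.org, the two-edit lookalike threshold and the sample headers are assumptions constructed for illustration.

```python
"""Classify the sender domain of an e-mail From header.

Added example; not ACBL's code. The trusted domain 'example.org', the
two-edit threshold and the sample headers below are constructed values.
"""
from email.utils import parseaddr

# Constructed: the domains the organisation actually sends mail from.
TRUSTED_DOMAINS = {"example.org"}

# A non-trusted domain within this many single-character edits of a trusted
# one is treated as a lookalike (e.g. 'examp1e.org'). Assumed threshold.
LOOKALIKE_MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions
    needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_parts(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) from a From header, domain lowercased.
    The domain is '' when the header carries no usable address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, ""
    return name, addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike', 'external' or 'malformed'.

    'lookalike' covers the whaling pattern described in the notice: a domain
    that is not ours but is a few edits away from ours, embeds our domain's
    first label (e.g. 'example-org-mail.com'), or a display name that quotes
    one of our domains while the real address is elsewhere.
    """
    name, domain = sender_parts(from_header)
    if not domain:
        return "malformed"
    if domain in TRUSTED_DOMAINS:
        return "internal"
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if (levenshtein(domain, trusted) <= LOOKALIKE_MAX_EDITS
                or label in domain
                or trusted in name.lower()):
            return "lookalike"
    return "external"


def needs_external_banner(from_header: str) -> bool:
    """True when the message should carry the 'originated from an external
    source' warning banner, i.e. whenever the sender is not one of ours."""
    return classify_sender(from_header) != "internal"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Jane Doe <jane.doe@example.org>",
        "Jane Doe <jane.doe@examp1e.org>",
        "Treasurer <treasurer@example-org-mail.com>",
        "Club Newsletter <news@bridgeclubmail.net>",
    ]
    for header in samples:
        print(f"{classify_sender(header):10} banner={needs_external_banner(header)!s:5} {header}")
```

A gateway rule built on this would quarantine or loudly label the ‘lookalike’ class rather than merely adding the external banner, since that is the class the whaling e-mails described above fall into; the edit-distance threshold and the label-substring check are deliberately crude so the logic stays readable.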
Be Aware of Potential Scams
Efforts to take your money are more sophisticated than ever before. The ACBL works hard to protect your privacy and security, but there are still opportunities for thieves to target you.
Below are examples of some of the scams we’ve seen.
COVID-19 Pandemic Information: Posing as legitimate organizations, cybercriminals send emails claiming to have the latest information regarding COVID-19 (novel coronavirus). The email messages might ask you to open an attachment to see the latest statistics. If you click on the attachment or embedded link, you’re likely to download malicious software onto your device.
The malicious software — malware, for short — could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data, which could lead to identity theft.
Unit/District Officer Needing Urgent Financial Support: Usually this comes in the guise of a unit or district president sending an email asking for urgent help with a bill payment or bank transfer. Unit/district treasurers are often the target of this kind of attack. If in doubt, call the person to confirm the request is legitimate.
Prospective Student Sends Big Check: In this scam, an interested student reaches out to a teacher about setting up lessons and tries to make a deposit or pay for all lessons upfront with a check for more than the amount you quoted. The scammer then asks you to refund the extra amount, and the check bounces. Not only will you lose the amount you refunded to the “student”, but you’ll often also be on the hook for the bounced check fee at your bank.
Attachment or Link You Aren’t Expecting: Another typical scam involves a scammer sending you an email with a link or file attached. These emails often look like they are coming from a person or company you know. The scammer is counting on you trusting the source of the email so that you’ll open the file or click on the link, potentially exposing your computer to malware or viruses.
Request to Purchase Gift Card: This scam is often directed at unit/district officers, but anyone could be targeted. In this scam, a request appears to come from someone you trust, like a fellow officer. The scammer asks you to purchase a gift card (often for the benefit of a charity) and then transmit the card number and PIN over the phone or via email. Do not share any payment information, including gift cards, over the phone or internet.
There are measures you can take to protect yourself:
- Never respond to the email with your personal information, including social security numbers and bank or credit card information.
- Never provide bank or credit card information via email.
- Don’t accept payment for more than the costs of lessons.
- Don’t download files (especially .exe files) that you aren’t expecting.
- Don’t click on links or attachments in an email that you aren’t expecting.
- Watch for spelling and grammatical mistakes, which are a likely sign of a phishing email.
- Look for generic greetings; phishing emails are unlikely to use your name.
- Be mindful of emails that insist you act immediately. Phishing emails often try to create a sense of urgency or demand immediate action.
Trust your instincts, and if you recognize a scam, report it at the FTC Complaint Assistant website. Fraud victims should always contact the local authorities immediately.
The FTC also has a helpful list of “10 Things You Can Do to Avoid Fraud”.
You also can find more examples of scams and ways to protect yourself at the AARP Fraud Watch Network website, including The Perfect Scam℠, a podcast featuring leading fraud expert Frank Abagnale (of Catch Me if You Can).