Cybercriminals are creative in their efforts to deceive us, which results in inventive cyber risks. Even with layers of security tools in place, up to 95% of compromises are caused by human error.
Occasionally, deliberate, malicious actions cause compromises. Far more often, a lack of knowledge or simple carelessness leads to errors. Learn from these two real-life examples from our clients, along with a few other inventive cyber risks.
Online Search Yields Imposter Microsoft Support
What Happened
It all started with unexplained charges from Microsoft on a personal credit card. Our client called his bank to ask about it, and the bank referred him to Microsoft for clarification.
A Google search yielded a phone number for Microsoft billing. When the client called the number, the person on the other end told him his IP address had been hacked and the “tech” needed to connect to his machine to correct the problem. The “tech” connected to the computer and took an unknown action that demonstrated a text box with the word “hacked” in it.
From there the “tech” tried to sell a non-Microsoft anti-virus subscription. Our client became suspicious and hung up. When the client realized what had happened, he called us.
The Results
Since a hacker had connected to the computer and taken an unknown action, it became a risk to the organization’s network. Since it was an older computer, the client chose to replace it. The staff person was without a computer while a spare computer was repurposed for him.
Red Flags
- The credit card number in question is not on the work machine so it couldn’t have been stolen through an IP hack.
- Microsoft would not connect to an individual user’s machine for this reason.
- Microsoft would obviously not sell a competitor’s product.
Key Reminders
- Be careful with online searches. Depending on the search terms you use, the phone number or website the search engine finds could be fraudulent.
- In this case, the client was looking for a phone number. But false search engine results can also include links that gather the data you enter for future scams.
- If you’re looking for a vendor’s support number such as Microsoft, go to their legitimate website.
- NEVER give any unknown third-party remote access to your computer.
Fake Sales Order in Legitimate Microsoft Email
What Happened
A client received a licensing sales order from Microsoft with a phone number to call. The sales order looked real, but she wasn’t expecting it and became suspicious. She decided to check with us to see what was going on.
Red Flags
None, except that it was unexpected. The email came from the legitimate Microsoft domain and the formatting of the sales order was correct.
The Results
The email was a remarkably clever phish with a real sales order. Spam filters allowed the email to pass through because it really was sent from Microsoft.
Here’s how it works: the bad actor sets up a trial or tenant for Microsoft 365, completely separate from the legitimate client, and adds an “info@” email as the billing contact. They then purchase a license from Microsoft. In the only editable field allowed, they add wording about calling Microsoft along with a fake number to call and cancel the subscription if it’s unneeded. If you call, the bad guys ask you to download files that are malicious.
Key Reminders
- If a sales order or invoice is unexpected, even from a known vendor such as Microsoft, confirm its authenticity internally.
- Don’t call a phone number from an email. Use your own internal contact information.
- Be suspicious about downloading files except from confirmed and trusted sources.
Other Inventive Cyber Risks
Sophisticated tactics including fake reviews, false replies to complaints, and AI-generated phishing attempts are increasing.
Fake Reviews on Legitimate Sites
Scammers have figured out if they post product reviews that include a support number, people might call. After all, you’re probably frustrated already and want to get your issue fixed as quickly as possible. A positive support review that includes a phone number seems to make your life easier.
But remember, even if the website is real, comments and reviews could include information meant to deceive you into calling and unintentionally volunteering personal information to a cybercriminal.
False Replies to a Complaint on a Company Social Media Site
Ever get frustrated with a company and decide to take your complaint public? If you post your dissatisfaction on Facebook, X, or other platforms, consider the possibility that any reply you receive might not come from the legitimate company, but from a scammer. If an offer to remedy the issue sounds too good to be true, be skeptical.
Don’t give credit card or other personal information in comments or messages on social media sites.
Compelling AI-Powered Email Phishing
AI chatbots produce customized, convincing phishing emails that impersonate companies, colleagues and even family members with ease. AI-generated emails. don’t have misspellings or weird grammar, either. Since AI is efficient enough to capitalize on real-time information from corporate websites or news outlets, phishing attempts are even more believable.
Remind everyone in your organization to always be on the lookout for phishing attempts. Check for these common elements of a phishing attack:
- unknown sender
- unusual and urgent request
- link or attachment
- consequences if you don’t respond.
Next Steps
Where do we go from here? As cybercriminals intensify and refine their efforts to deceive, it’s essential for each of us to stay aware of the risks. Slow down and pay attention when you’re using online resources. While it sounds cliché at this point, cybersecurity really is everyone’s responsibility.
Contact us to learn more about how CRU Solutions can help keep your business safer.