It has long been obvious – or should be – that phishing criminals are like looters: they are good at spotting crimes of opportunity.
And there has been considerable high-profile opportunity lately, in the form of a natural disaster and a big-money lottery win. The seemingly endless rains (maybe not 40 days and 40 nights, but 40-plus inches) in Texas from Hurricane Harvey have, predictably, opened the hearts and wallets of people throughout the country and beyond, hoping to help offset some of the damage and suffering from catastrophic flooding.
So that, also predictably, has drawn the cyber underbelly – scammers – looking to exploit that generosity. US-CERT (the United States Computer Emergency Readiness Team) issued a “Potential Hurricane Harvey Phishing Scams” notice this week, warning people to
… remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey … even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites.
Indeed, the risk is much more than “potential”. The scams are up, spreading like kudzu. Fortune reported “several suspicious online profiles and personas that, although their legitimacy couldn’t be determined, raised several red flags: a small number of followers, unverified accounts, no apparent links to accredited charities, and no means to track where proceeds go”.
Security researcher Perry Carpenter warned about Facebook pages supposedly dedicated to victim relief that contain links to scam websites; tweets with links that claim to lead to charitable websites that are actually spam links or lead to a malware infection; and phishing emails asking for donations to a “#HurricaneHarvey Relief Fund”.
One might think such scams would be obvious. But they sprout overnight online because, says Carpenter:
… they still work. With a circumstance like Hurricane Harvey, so many people truly want to help others in need. Scammers use that vulnerability and empathy to prey upon the human spirit.
But it is not just disasters that bring scammers out of the woodwork. Mavis Wanczyk’s good fortune has done it as well. The 53-year-old Chicopee, Mass. resident and (former) hospital worker recently won one of the biggest Powerball jackpots in history, at $758m.
And now there are dozens of “Mavises” on social media, offering people some of that cash in exchange for some of their personal information – you know, “she” would need to know your bank info so she can deposit the money in your account.
These are apparently more credible than the emails from the Nigerian princess who addresses you as “Dear One” and then offers a few million bucks if you send her some info: credible enough that, the Boston Globe reported this week, police in Chicopee had issued a warning on Facebook:
PLEASE do not fall for these scams. DO NOT give out any personal information to these accounts. Do not fall victim to a scammer by releasing ANY of your information.
The Globe reported that a quick social media scan produced more than a dozen Facebook accounts using Wanczyk’s name and photo – one with 3,000 likes and purported messages from her – plus another 13 Twitter accounts, “using photos of Wanczyk, or the giant lottery check she received, claiming to be her”.
None of this is new, of course, nor is the fairly foolproof advice on how to avoid becoming a victim. The most important rule: NEVER click on a link in an email or social media post unless you are absolutely sure it is from someone you know and trust – and bear in mind that a sender’s name and address are easily forged, which is exactly why the US-CERT notice warns about messages that merely appear to come from a trusted source. Do not click on “click to donate” unless you’re sure it’s a reputable site.
It is laudable, and possible, to donate safely to worthy causes: the way to do that is to go to the website of a credible charity yourself, by typing its address or using a bookmark you already trust, rather than by following a link that arrived in a message.
Along with that, the recent US-CERT notice has a list of recommendations with links (they’re good ones – we checked) to other helpful information, some of it specifically aimed at hurricane relief. They include:
- Review the Federal Trade Commission’s information on Wise Giving in the Wake of Hurricane Harvey.
- Be cautious opening email attachments. Refer to the US-CERT Tip Using Caution With Email Attachments for more information.
- Keep antivirus and other computer software up-to-date.
- Refer to the US-CERT Tip Avoiding Social Engineering and Phishing Attacks.
- Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. Trusted contact information for many charities is on the BBB National Charity Report Index.
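The link-hygiene advice above can be partly automated. What follows is an added example, not code from this article, from US-CERT or from any organization named here: a small standard-library Python script that pulls every link out of an HTML email body and flags the usual tells of a fraudulent “click to donate” link (a displayed address whose domain differs from the real destination, credentials before an “@” that hide the real host, a bare IP address as the host, a plain-http link, or a trusted charity’s domain buried inside some other domain). The email body, the TRUSTED_DOMAINS set and every domain in it are constructed for the demo using reserved example names, and the registrable-domain helper is a deliberate approximation.

```python
"""Triage the links in a charity-solicitation email for common phishing tells.

Added example, not code from the article or from US-CERT. Standard library only;
every input below is constructed for the demo.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for domains you have verified yourself (e.g. by typing the
# charity's address into the browser or checking a charity index). Not a real list.
TRUSTED_DOMAINS = {"relief-charity.example"}

# Matches visible link text that looks like a URL or bare domain; captures the host.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Crude registrable-domain guess: the last two labels. A real tool should
    consult the Public Suffix List (co.uk and friends); good enough for the demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_link(text, href):
    """Return the reasons this link deserves suspicion (empty list = none found)."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if "@" in parts.netloc:  # https://trusted.example@evil.test/ really goes to evil.test
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a bare IP address")
    except ValueError:
        pass

    shown = URL_LIKE.match(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("displayed domain %s differs from destination %s" % (shown.group(1), host))

    for trusted in TRUSTED_DOMAINS:
        # trusted.example.attacker.test contains the trusted name but is not under it
        if trusted in host and host != trusted and not host.endswith("." + trusted):
            reasons.append("lookalike of trusted domain %s" % trusted)
    return reasons


def triage(html):
    """Classify every link in an email body as trusted, unverified or suspicious."""
    results = []
    for text, href in extract_links(html):
        reasons = assess_link(text, href)
        host = (urlsplit(href.strip()).hostname or "").lower()
        if reasons:
            verdict = "suspicious"
        elif registrable(host) in TRUSTED_DOMAINS:
            verdict = "trusted"
        else:
            verdict = "unverified"  # not flagged, but not a site you have verified either
        results.append({"text": text, "href": href, "verdict": verdict, "reasons": reasons})
    return results


# Constructed email body: one honest link, two classic lures, one unknown site.
SAMPLE_EMAIL = """
<p>Help the victims of Hurricane Harvey today.</p>
<a href="https://www.relief-charity.example/donate">https://www.relief-charity.example/donate</a>
<a href="http://relief-charity.example.donate-now.test/donate">https://www.relief-charity.example/donate</a>
<a href="https://relief-charity.example@203.0.113.5/donate">Click to donate</a>
<a href="https://harvey-fund.invalid/give">Click to donate</a>
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_EMAIL):
        print(r["verdict"].upper().ljust(11), r["href"], "; ".join(r["reasons"]))
```

Run it and the four links come back trusted, suspicious, suspicious and unverified respectively. The “unverified” verdict is the point of the exercise: a link that trips none of the checks is still not a reason to donate through it, which is why the verdict vocabulary has no “safe”.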
“You don’t have to sacrifice your humanity and sympathy for the sake of security,” Carpenter said. “Act. Give. Help. But do so in a wise and informed manner.”