During the COVID-19 pandemic, cybercriminals used health concerns as easy and effective phishing bait. Now, they're using the recent monkeypox outbreak to continue to prey on your emotions and steal your personal information.
In one such attack, employees received an email with the subject line, “Attention all [Company] Employees - Please Read and Comply.” The email includes information about the recent monkeypox outbreak and cites authorities such as the Centers for Disease Control and World Health Organization. The email also provides a link for “mandatory” monkeypox safety awareness training which requires users to log in.
Unfortunately, if you were to click the link and log in, you would not be met with helpful information about how to stay safe from monkeypox. Instead, you would provide cybercriminals with the entry point they need to steal sensitive information from your organization.
To prevent yourself and your organization from falling victim to similar scams, follow the tips below:
- Be wary of emails with alarming or urgent titles, especially emails that ask you to perform an action such as clicking a link or opening an attachment.
- Verify any unexpected or suspicious “mandatory” training with a trusted source, such as your organization’s learning team or your manager.
- Before you click on a link, hover your mouse over it. Make sure that the link leads to a legitimate, safe website that corresponds with the content in the email.
Learning how to handle suspicious emails is essential to keep your organization safe from cybercriminals. If you don’t correctly handle a suspicious email, you could fall victim to a phishing attack.
Follow the tips below to make sure you correctly handle suspicious emails:
Don't Reply to the Email
If you receive a suspicious email that appears to come from someone you know, you may be tempted to reply to the email to learn more. However, if you reply to the email, you may increase the security risk. If an email account has been compromised, the person who replies back to you probably won’t be who you expect. You could actually be communicating with a cybercriminal.
Don't Forward the Email
The best practice is to never click a link or open an attachment that you were not expecting. However, if you are fooled by a phishing email and you click a malicious link or open a malicious attachment, you may find that the link or attachment will not behave as expected. For example, if you open a suspicious image attachment, the file may actually open an installation window. Or, if you click a malicious link, the link may redirect you to a fake login page.
If the link or attachment is suspicious, you may think about forwarding the email to a coworker for help. However, forwarding the email to a coworker could increase the risk. If you click on a link or open an attachment, consider any unusual behavior as a red flag. Never forward unusual or suspicious emails to other users. If you forward a phishing email, you increase the risk of a security breach because your coworker may click the phishing link as well.
Don't Mark the Email as Spam
Spam emails are typically unwanted advertisements. While spam emails may be annoying, they are usually harmless. However, a phishing attack is a malicious email designed to look like a legitimate message. Phishing emails typically include a call to action, such as clicking a link, opening an attachment, or even transferring money.
If you mark a suspicious email as spam, the email will be moved to a different folder along with any other emails from the same sender. So, if you move the suspicious email to a spam folder, the email will be hidden. However, the problem will not be resolved.
Tips to Stay Safe
The best way to handle a suspicious email is to report the email to your organization. If you report the email, your IT team can assess and mitigate the threat.
When you receive a suspicious email, follow the tips below to stay safe:
- Be sure to follow your organization's process for reporting suspicious emails. Following cybersecurity protocols will help keep everyone’s information safe.
- If you don’t know how to report the email, leave the email in your inbox and ask a manager or supervisor for help.
- If you’re not sure whether an email is spam or a phishing attack, report the email and your IT team handle the situation.
The KnowBe4 Security Team
KnowBe4.com
In a new scam, cybercriminals have been using compromised Facebook accounts to send links to fake login pages. This scam is gaining popularity, with over eight million people viewing just one of the phishing pages so far this year.
In this scam, cybercriminals hack users’ Facebook accounts and then use these accounts to send messages to the users’ Facebook friends. When a user clicks on a link from one of these messages, they are directed to a fake Facebook login page. On this page, the user is asked to enter their email and password to verify their credentials.
If you fall for this scam, any credentials that you share will be delivered directly to the cybercriminals. The cybercriminals could then log in to your Facebook account and send similar links to your Facebook friends. It's important to remember that cybercriminals can also use ad tracking tools to receive money from visits to these pages. They profit from every click!
Follow these tips to stay safe from phishy messages:
- Hover your mouse over links before you click. Watch out for links that are suspiciously long or show a domain for a different website than the website you want to visit.
- If you receive a suspicious Facebook message, reach out to your Facebook friend by email, text message, phone call, or another app. If they didn’t send you the message, let them know that their account has been hacked and they should change their password immediately. Do not reply to the suspicious message.
Stay informed about the latest scams and how you can stay safe. Information is one of our most powerful tools against cybercriminals.
Search Engine Optimization (SEO) is a technique that helps websites appear more often in search engine results, and rank higher than other websites. Legitimate websites use SEO such as easy-to-remember URLs and relevant keywords. Unfortunately, cybercriminals can also use SEO for their malicious websites.
Some of the ways cybercriminals use SEO is by adding tons of popular keywords to their website and creating multiple links that redirect you to their website. Cybercriminals can also pay third parties to visit their website, which makes the website appear more reputable and popular to search engines. If you visit one of these malicious websites, you may be tricked into downloading a malicious file or providing your personal information.
Follow these tips to keep yourself safe from malicious search results:
- Always hover your cursor over a link before you click, even when using a search engine. Look for spelling mistakes and overly long URLs that can hide a website's true domain.
- Avoid search results that include a long list of random or repeated words and phrases. That website could be using excessive keywords to draw in traffic.
- Visit trusted websites directly by entering the URL in your browser's address bar, instead of using a search engine to find the website.