BEC scams are well-known for their timeliness. Scammers across the globe cook up impressive stories based on current events to lure in unsuspecting victims. The latest to join the list is a new online fraud scheme that uses the pretext of offering compensation for personal data leaks.
A website called ‘Personal Data Protection Fund’ created by the ‘US Trading Commission’ - both bogus names - says the fund awards compensation for leaks of personal data, for which citizens of any country in the world can apply.
The site offers to check whether your data has ever leaked and asks for your details such as surname, first name, phone number, and social media accounts, with a warning that entering other people’s data will result in a severe penalty.
"However, it turns out that the website accepts any information, even complete gobbledegook," wrote Tatyana Sidorina, security expert at Kaspersky.
"Our fictional character with an unpronounceable name had indeed had their data leaked. Moreover, it turned out that someone had already used their photos, videos, and contact information, and so fghfgh was entitled to compensation in excess of US$2,500 (£1,900)."
The catch is that you need a US Social Security Number (SSN) and the website offers to sell a temporary one for US$9 (£7).
"The scammers themselves are most likely Russian speakers, as suggested by the ruble payment form, plus the suspicious similarity of the scheme to other easy money offers that regularly tempt residents of Russia and the CIS," wrote Sidorina.
Unlike the previous easy-money scams, this compensation scam has a wider attack geography, with victims located not only in Russia and neighbouring countries, but also in Algeria, Egypt, the UAE, and elsewhere.
While this scheme takes pains to appear timely, others still con users with tried-and-tested phishing methods, says a KnowBe4 study.
Its Q4 2019 top-clicked phishing report found that simulated phishing tests with an urgent message to change a password immediately were most effective, with 26 percent of users falling for it.
"Given that password reuse is one of the biggest security problems companies face today, organisations must build a culture of zero trust when it comes to opening emails with attachments or links, especially those from outside the organisation. This requires regular training and awareness that ensures individuals think twice before opening attachments," commented Kayla Gesek, product manager at OneLogin.
KnowBe4 also analysed subject lines of fraudulent emails that users received and reported to their IT departments as suspicious. The top 10 phishing email subject lines were:

1. Change of Password Required Immediately: 26 percent
2. Microsoft/Office 365: De-activation of Email in Process: 14 percent
3. Password Check Required Immediately: 13 percent
4. HR: Employees Raises: 8 percent
5. Dropbox: Document Shared With You: 8 percent
6. IT: Scheduled Server Maintenance – No Internet Access: 7 percent
7. Office 365: Change Your Password Immediately: 6 percent
8. Avertissement des RH au sujet de l’usage des ordinateurs personnels (HR warning about the use of personal computers): 6 percent
9. Airbnb: New device login: 6 percent
10. Slack: Password Reset for Account: 6 percent
"Organisations and individuals should remember the vital role that MFA can play in protecting against phishing attacks — you’re always better off having MFA in place than relying on passwords alone," said Gesek.
"However, it’s great news that more users are becoming more security minded than in previous years. With the threat landscape evolving so fast, companies should invest in partnerships with folks that keep on top of these new scams to stay vigilant."