Tag Archive for: phishing

You are here: / phishing

Posts

Stay Safe in 2026 with These New Year’s Resolutions

/in /by

We’re approaching the end of 2025, so we encourage you to consider your New Year’s resolutions. For many people, the new year offers an opportunity to reflect on habits we’d like to adopt or solidify. Although we support reducing social media use and making other positive lifestyle changes, we’d like to suggest a few additional resolutions to improve your digital security and reduce the risk of bad things happening to you online.

If you read through this list and think, “I’m already doing all that,” then you’re done. Keep up the good work!

Back Up All Your Devices Regularly

The most important thing you can do to avoid digital disasters is to back up your data regularly. Bad things happen to good devices, like a Mac’s SSD failing, an iPhone falling into a pool, or data being lost due to theft, fire, or flood. With a solid backup plan, you can recover from nearly any problem.

For the Mac, the easiest way to back up is to use an external drive with Time Machine, but an off-site or Internet backup is also essential. Backblaze is a good choice, but there are numerous online backup services. For iPhones and iPads, it’s simplest to back up to iCloud, which automatically happens every night if you turn it on in Settings > Your Name > iCloud > iCloud Backup. You can also back up iPhones and iPads to your Mac if you do not have enough iCloud storage space. Apple Watches automatically back up to their paired iPhones, and that Watch data is included in iPhone backups, making restores straightforward. Whatever your setup, restore a few files periodically as a test to make sure your backups are working.

Always Install Security Updates

An important step to enhance your security is to install new operating system updates and security updates promptly after Apple releases them. While the specifics rarely make headlines because they are highly technical and detailed, you can gauge the significance of security updates by noting that a typical update fixes 10–30 vulnerabilities identified by Apple or external researchers. Other security updates include only one or two fixes, as they’re aimed at addressing zero-day vulnerabilities currently being exploited in the wild.

It’s usually wise to wait a few days after an update appears before installing it, in case it causes any undesirable side effects. Although such problems are rare, when they do happen, Apple quickly pulls the update, resolves the issue, and releases a new version, typically within a few days.

Use a Password Manager

We’ll keep emphasizing the importance of a password manager until passkeys—the replacement for passwords—become widespread, which will take years. Until then, if you’re still typing passwords manually or copying and pasting from a list stored in a file, please start using a password manager like 1Password or Apple’s Passwords, which is now pretty good. A password manager provides six significant benefits:

  • It generates strong passwords for you. Password1234 can be hacked in seconds.
  • It stores your passwords securely. Anyone walking by your unlocked Mac can read an Excel file on your desktop.
  • It enters passwords for you. Wouldn’t that be easier than typing them in?
  • It audits existing accounts. How many of your accounts use the same weak password, which has likely been stolen in multiple breaches?
  • It lets you access passwords on all your devices. Logging in to websites is just as easy on the iPhone and iPad!
  • It can store and enter two-factor authentication codes. Whenever possible, protect important accounts with two-factor authentication so even a stolen password won’t provide access.

A bonus benefit for families is password sharing. It allows couples to share essential passwords or parents and teens to share specific passwords.

Using a password manager is quicker, simpler, and more secure. If you need assistance getting started, reach out.

Beware of Phishing Email

Individuals and businesses often experience security breaches due to phishing, which involves fake emails that trick someone into revealing login details, credit card numbers, or other sensitive data. While spam filters catch many of these attacks, you must stay alert. Here’s what to watch out for:

  • Any email that tries to get you to reveal information, follow a link, or sign a document
  • Messages from unfamiliar people, asking you to take an unusual action
  • Direct email from a large company for whom you’re an anonymous customer
  • Forged email from a trusted source requesting sensitive information
  • Urgent threats like “account locked,” “unauthorized charge,” or “action required”
  • All messages that contain numerous spelling and grammatical mistakes

When unsure, avoid clicking the link or replying to the email. Instead, reach out to the sender via another method to verify the message’s authenticity. Legitimate companies—especially Apple, financial institutions, and cellular carriers—will never ask for your password or two‑factor codes by email, text, or voice.

Never Respond to Unsolicited Calls or Texts

Phishing attacks increasingly take place via texts and phone calls—and even some via deepfake audio and video. Because of weaknesses in the telephone system, these messages and calls can appear to come from trusted companies like Apple and Amazon. Other common scams warn about unauthorized logins or payments to trick recipients into calling scammers, advertise fake deliveries with malicious tracking links, or send fake two-factor authentication messages that prompt recipients to click a link to “secure” their account.

Avoid clicking links in texts unless you recognize the sender and it makes sense for you to receive that link. (For example, Apple might send text messages with delivery details for a recently placed order.) Never enter login information on a website you reach through a link because you can’t be sure it’s legitimate. Instead, if you’re interested in more details, go directly to the company’s official website by typing its URL into your browser, then log in from there.

For calls from companies, unless you’re expecting a callback regarding a support ticket you opened, don’t answer—caller ID can be spoofed. Let the call go to voicemail, and if you believe it’s important to respond, look up the company’s phone number from a reliable source and contact someone at that number instead of using the one provided by voicemail.

Avoid Anything Associated with Sketchy Websites

We won’t dwell on this last point, but it’s worth noting that you’re much more likely to encounter malware on fringe websites or those that cater to societal vices. The more you can steer clear of sites that deal with pirated software, cryptocurrency, adult content, gambling, or the sale of illicit substances, the safer you’ll be. That’s not to say reputable sites haven’t been hacked and used to spread malware, but such cases are far less frequent.

Don’t call numbers from pop‑ups or ads, don’t grant remote access, and don’t pay for any service you didn’t seek out unprompted. Instead, go directly to the company’s official site (type the URL) or contact us for help. And never paste commands into Terminal from websites or “verification” pages—you could install malware without realizing it. If you are worried after spending time in the darker corners of the Web, download a free copy of Malwarebytes and manually scan for malware.

Let’s raise a glass to staying safe online in 2026!

(Featured image by iStock.com/Marut Khobtakhob)

Social Media: Kick off 2026 with smart security habits: back up every device, stay current on software updates, outsmart phishing attempts, avoid sketchy sites, and streamline your logins with a password manager.

Beware Domain Name Renewal Phishing Attacks

/in /by

Most phishing attacks are easy to identify, but we’ve just seen one that’s more likely to evade detection. Those who own personal or business Internet domain names—to personalize their email or provide an online presence for their website—may receive fake messages claiming that a domain has been deactivated due to a payment issue. Because scammers can determine when domain names are due to expire and the name of the company hosting the domain, the urgency triggered by a message that appears to be from the domain host and arriving near the renewal date may cause someone to click a link they shouldn’t. This particular one wasn’t even that well crafted and still caused the recipient brief concern until they manually went to DreamHost and verified that nothing was wrong with their domain payment. Stay alert out there!

(Featured image by iStock.com/weerapatkiatdumrong)

Social Media: Phishing scams are becoming more sophisticated. A message that seems to come from an Internet domain host and arrives around the time of a domain renewal could deceive even experienced users.

Website Owners: Identifying Copyright Infringement Link Insertion Scams

/in /by

We regularly warn Internet users about online scams and phishing attacks. Most of these are relatively easy to identify and avoid once you’re aware of telltale signs. Unfortunately, we’ve encountered a newer type of scam that’s more difficult to identify, partly because it plays on fears of legal action.

Website owners are the target of this scam email, which purports to come from a lawyer. The message states that an image on your site has been used without permission. Such a claim is all too believable for many, especially those who may not have been as careful about usage permissions in the distant past as they are today. The message includes a link to the image, a link to the purportedly infringing page, and a threat to initiate legal action if certain actions aren’t taken within five business days

Unusually, the email doesn’t ask you to take down the infringing image or pay a retroactive licensing fee. Instead, it says you must credit the image’s copyright holder and include a link. Such a simple request seems like a huge win—instead of paying a licensing fee or worrying about being sued, you can twiddle a little HTML and move on with your life.

Don’t do it! This is what’s called a “link insertion scam.” It exploits the search engine optimization principle that links on reputable sites provide legitimacy to linked sites, helping them move up in the search rankings. Unfortunately, the reverse is also true; linking to a scammer from your website will cause Google and other search engines to penalize your site in the search rankings.

Unfortunately, these copyright infringement scams look legitimate at first glance, as you can see in this example. The From and Subject lines don’t seem forged or malformed, and there are no obvious grammatical errors or indications that the writer doesn’t speak fluent English. And when you click the link in the signature, you end up at what appears to be the website of a real law firm. What should you do if you receive a message like this?

First, don’t panic. Just because the message looks legitimate doesn’t mean it comes from a real lawyer. Also, don’t call your lawyer unless they’re willing to work for free. You can save stress, time, and money by evaluating the message yourself.

A few details in the message suggest that it’s not real:

  • The domain in the From line’s email address—elitejusticeadvisors.biz—sounds sketchy and doesn’t match the company name.
  • The Subject line of “DMCA Copyright Infringement Notice” sounds official, but those familiar with the DMCA will know that it can be used only for a formal notice-and-takedown process, not to make demands for attribution or payment. But most people won’t know that.
  • The message is addressed to the generic “Dear owner of,” whereas legitimate messages from a lawyer would be addressed to a specific entity.
  • The required link URL points to a telecom news site in Sri Lanka, and it’s odd that an Arizona lawyer would be working for such a client.
  • The example of the purportedly infringing image is hosted at Imgur, a consumer image-hosting site known for funny pet pictures and cringeworthy GIFs. Legal firms would always use some sort of case management site.

Those details may feel wrong, but they’re insufficient to prove it’s a scam. You’ll need to dig deeper. Here are some ways you can do that:

  • Investigate the domain: Do a Web search on the domain in question: elitejusticeadvisors.biz. Because others have written about this scam, articles identifying it as a scam will appear on the first page of the results.
  • Search for the lawyer and firm: The lawyer’s name is too generic to yield revealing results, but if you do a Web search on “Dean Parker Commonwealth Legal Services,” you’ll once again see that others have identified it as a scam.
  • Check a state bar association directory: Most state bar associations or state courts have a searchable directory of licensed legal professionals. A quick search of the State Bar of Arizona’s member directory reveals that no “Dean Parker” is licensed in Arizona.
  • See if the headshot matches a real person: If the website provides a headshot, you can copy the image (Control-click it and choose Copy Image) and paste it into the TinEye reverse image search engine. Since all the results say “generated.photos,” it’s a good bet that the image was AI-generated.
  • Search for the company’s full name and address: As with the name of the lawyer, the generic-sounding name of the law firm will probably match other companies. However, if you search for the full name and address, you’ll likely turn up articles about it being fake.
  • Visit the address virtually: With Apple Maps and Google Maps, you can verify that a business is present at a location (or not) and often view the offices using Google Street View. Both mapping tools show no law firm at the provided address. Additionally, the building does not have a fourth floor, as specified in the address.
  • Ask ChatGPT: Now that ChatGPT has access to current Web information, it’s worth pasting the complete contents of the message into a ChatGPT conversation and asking it to tell you about the message. Start generally, but then ask if it thinks the message might be a scam, and if so, to suggest ways you could verify your suspicions.

Some of the above search suggestions identify the scam only because the scammer has reused the same company name, lawyer name, physical address, and website. If you were the first to be targeted by a new scam, the state bar association search and physical address check would be the most likely to expose it.

Let us leave you with an important caveat. You shouldn’t assume that all copyright infringement messages are scams. A legitimate DMCA takedown notice will ask you to remove the content, and a real copyright infringement message—probably from a company that specializes in such matters rather than a lawyer—will likely demand payment. In both cases, take down the offending image right away. If you really were using an image without permission, some payment may be required, and if the amount feels excessive, contact a lawyer specializing in copyright infringement cases. They may be able to negotiate a lower payment or point out issues that will make the claim go away.

(Featured image based on an original by iStock.com/Olivier Le Moal)

Social Media: If you receive what looks like a copyright infringement message complaining about an image on your website, don’t panic—it might be a scam. We help you identify such scams and explain what to do if the message turns out to be real.

Beware Fake “Sextortion” Scams

/in /by

All those data breaches are coming back to haunt us. Once our phone numbers and addresses began to be leaked, it was only a matter of time before scammers would personalize their attacks to make them seem more real. The latest “sextortion” scams purport to have compromising video of you taken from your computer’s webcam, backing it up with your phone number and a Google Street View-like image that matches your leaked address. They make a lot of claims and dire-sounding threats, but talk is cheap, and there’s nothing behind them. Do not pay the scammers!

(Featured image by iStock.com/Thapana Onphalai)

Social Media: Scams are starting to incorporate personal information stolen in data breaches, so you may get “sextortion” threats that purport to know your phone number, address, and more.

Stay Alert! Voice Phishing Used in Recent Ransomware Attacks

/in /by

All it took for MGM Resorts International to be compromised with ransomware was a quick phone call, which some now call “voice phishing” or “vishing.” An attacker using LinkedIn information to pose as an employee asked MGM’s help desk for a password change, after which they were able to install ransomware. MGM is now up to $52 million in lost revenues and counting. Two takeaways. First, if you call support for a manual password reset, expect to be asked for a lot of verification, such as a video call where you show your driver’s license. Second, if you receive a call at work from an unknown person asking you to do anything involving money or account credentials, hang up, verify their identity and authorization, and proceed accordingly only if they check out.

(Images by iStock.com/1550539 and HT Ganzo)

Social Media: Phishing isn’t limited to email and texts anymore—“voice phishing” or “vishing” was used recently in a major ransomware attack on MGM Resorts. The rise in such attacks means that requests over the phone will need much more verification.

5 New Year’s Resolutions That Will Improve Your Digital Security

/in /by

Happy New Year! For many of us, the start of a new year is an opportunity to reflect on fresh habits we’d like to adopt. Although we certainly support any resolutions you may have made to get enough sleep, eat healthy, and exercise, could we suggest a few more that will improve your digital security?

Keep Your Devices Updated

One of the most important things you can do to protect your security is to install new operating system updates and security updates soon after Apple releases them. Although the details seldom make the news because they’re both highly specific and highly technical, you can get a sense of how important security updates are by the fact that a typical update addresses 20–40 vulnerabilities that Apple or outside researchers have identified.

It’s usually a good idea to wait a week or so after an update appears before installing it, on the off chance that it has undesirable side effects. Although such problems are uncommon, when they do happen, Apple pulls the update quickly, fixes it, and releases it again, usually within a few days.

Use a Password Manager

We’ve been banging this drum for years. If you’re still typing passwords in by hand, or copying and pasting from a list you keep in a file, please switch to a password manager like 1Password or LastPass. Even Apple’s built-in iCloud Keychain is better than nothing. A password manager has five huge benefits:

  • It generates strong passwords for you. Password1234 can be hacked in seconds.
  • It stores your passwords securely. An Excel file on your Desktop is a recipe for disaster.
  • It enters passwords for you. Wouldn’t that be easier than typing them in manually?
  • It audits existing accounts. How many of your accounts use the same password?
  • It lets you access passwords on all your devices. Finally, easy login on your iPhone!

A bonus benefit for families is password sharing. It allows, for example, a married couple to share essential passwords or for parents and teens to share certain passwords.

In short, using a password manager is more secure, faster, easier, and just all-around better. If you need help getting started, get in touch.

Beware of Phishing Email

Individuals and businesses alike frequently suffer from security lapses caused by phishing, forged email that fools someone into revealing login credentials, credit card numbers, or other sensitive information. Although spam filters can catch many phishing attempts, it’s up to you to be on your guard at all times. Here’s what to watch for:

  • Any email that tries to get you to reveal information, follow a link, or sign a document
  • Messages from people you don’t know, asking you to take an unusual action
  • Direct email from a large company for whom you’re an anonymous customer
  • Forged email from a trusted source asking for sensitive information
  • All messages that contain numerous spelling and grammar mistakes

When in doubt, don’t follow the link or reply to the email. Instead, contact the sender in some other way to see if the message is legit.

Avoid Sketchy Websites

We won’t belabor this one, but suffice it to say that you’re much more likely to pick up malware from sites on the fringes of the Web or that cater to the vices of society. To the extent that you can avoid sites that provide pirated software, “adult” content, gambling opportunities, or sales of illicit substances, the safer you’ll be. That’s not to say that reputable sites haven’t been hacked and used to distribute malware too, but it’s far less common.

If you are concerned after spending time in the darker corners of the Web, download a free copy of Malwarebytes or DetectX Swift and scan for malware manually.

Never Respond to Unsolicited Calls or Texts

Although phishing happens mostly via email, scammers have also taken to using phone calls and texts. Thanks to weaknesses in the telephone system, such calls and texts can appear to come from well-known companies, including Apple and Amazon. Even worse, with so much online ordering happening, fake text messages pretending to help you track packages are becoming more common.

For phone calls from companies, unless you’re expecting a call back from a support ticket you opened, don’t answer. Let the call go to voicemail, and if you feel it’s important to respond, look up the company’s phone number elsewhere, and talk with someone at that number rather than one provided by the voicemail.

For texts, avoid following links unless you recognize the sender and it makes sense that you’d be receiving such a link. (For instance, Apple can text delivery details related to your orders.) Regardless, never enter login information at a site you’ve reached by following a link because there’s no way to know if it’s real. Instead, if you want to learn more, navigate manually to the company’s site by entering its URL yourself, then log in.

Let’s raise a glass to staying safe online in 2021!

(Featured image based on originals from Tim Mossholder and Jude Beck on Unsplash)

Social Media: Have a safer 2021 with New Year’s resolutions that will help you secure your devices, avoid email and text scams, and stay safe from malware, as well as benefit from the security and ease-of-use of password managers, which can even fill in passwords for iPhone apps.

Beware Microsoft Office 365 Phishing Attacks!

/in /by

We’re seeing an uptick in email phishing attacks purporting to come from Microsoft about Office 365. They’re quite convincing messages that tell users that their credit card payment has failed, that an account needs renewing, or that a password needs to be confirmed. Needless to say, they’re all complete scams, and clicking a link in them takes you to a malicious Web page that will try to steal your password or credit card details. As we noted in “Gone Phishing: Five Signs That Identify Scam Email Messages,” large companies never send email asking you to click a link in order to log in to your account, update your credit card information, or the like. Hover over links to see where they go before clicking anything, and stay safe out there!

Secret Link