ChatGPT, the artificial intelligence (AI) agent rocking all news channels will be a threat factor very soon. A recent SonicWall webinar stressed IT Security Providers must be aware of, and repel, phishing attacks. The presenters gave examples of several forms of emails that would get by most office administrators and even some high-level employees.

I was curious about how easy it is to create a phishing email from the two available versions of ChatGPT (versions 3 and 4).

My prompt in both cases was:

Write a false pretext phishing email for educational purposes

Here are the two responses the AI software generated:

Subject: Urgent Account Verification Required – Prevent Data Loss!

Dear Valued User,

We regret to inform you that our system has detected some unusual activity on your account. In order to ensure the security of your personal information and prevent any potential data loss, we require your immediate assistance to verify and update your account details.

As part of our ongoing commitment to protect our users from cyber threats, we have implemented a new security protocol that requires all users to verify their account information periodically. Failure to comply with this request may result in a temporary suspension of your account and the loss of important data.
To initiate the verification process, kindly click on the link provided below:

[Malicious Link: example.com/verify-account]

Once you click on the link, you will be redirected to our secure server where you will be prompted to enter your login credentials, including your username and password. Rest assured that this process is completely secure, and your information will be protected.

This step is necessary to verify the authenticity of your account and ensure its ongoing protection.
Please note that this verification is mandatory and must be completed within the next 24 hours. We kindly ask for your cooperation to prevent any potential security breaches and protect the integrity of our system.

If you have any questions or concerns, please do not hesitate to contact our support team at support@example.com. Our dedicated professionals are available 24/7 to assist you.

Thank you for your prompt attention to this matter. We value your partnership and remain committed to providing you with a secure and reliable service.

Sincerely,

[Phishing Sender] Customer Support Representative

The second version, from ChatGPT 4, reads as follows:

Subject: Urgent Action Required: Account Security Update

Dear Valued User,

We hope this message finds you well. We are reaching out to you regarding a critical security update that needs your immediate attention. Our system has detected unusual activity on your account, which puts your personal information at risk. To ensure the safety and integrity of your account, we kindly request your cooperation in updating your security details.

To complete this mandatory security update, we need you to follow the steps below:

Step 1: Click on the following link to access the account security portal: [Insert Malicious Link Here]

Step 2: Once you are on the account security portal, you will be prompted to enter your current login credentials. Please provide your username and password to proceed with the security update.

Step 3: After entering your login credentials, you will be asked to update your account information, including your full name, address, phone number, and credit card details. This information is essential to safeguard your account from any potential threats.

We understand the importance of protecting your privacy and are committed to maintaining the highest security standards. Therefore, we assure you that your personal information will be handled with the utmost confidentiality and will not be shared with any third parties.

Please be aware that failure to complete this security update within the next 48 hours will result in temporary suspension of your account. We strongly advise you to take immediate action to prevent any disruptions to your account access.

If you encounter any difficulties during the process or have any questions, please do not hesitate to contact our customer support team at [Fake Customer Support Number].

Thank you for your prompt attention to this matter. We appreciate your cooperation in maintaining the security of your account.

Best regards,

[Phishing Sender] Account Security Department

As you can see, the AI engine provided actionable email templates that are completely believable. Threat actors can use these to send to unsuspecting recipients. In a “spray and pray” effort, tens of thousands of emails could yield dozens of responses. You must always be on alert when you receive emails with links.

Thanks, and safe computing!

In 2017, there was a security breach at the credit reporting firm, Equifax. This breach was significant news at the time, and by 2019 the company agreed to a $425 million settlement of several class action lawsuits. They offered credit monitoring or a cash award of up to $125. At the time, I recommended the former.

In the closing days of December 2022, Equifax began to issue those cash awards. Many people found the amount they received laughable (e.g., most claimed to receive less than $10). However, scammers immediately went on the alert and into action. The website DomainTools.com reported several new domain names, which closely resembled the legitimate one, had been registered in just a few days. The valid website name is equifaxbreachsettlement.com. Fake versions include equifaxbreechsettlement.com, equifaxbreachsettlementbreach.com, and equifaxsettlements.co.

If you get an email notification about payment, do not click on the link in the email. It would be best if you went directly to the legitimate website and manually entered the keycode shown in your email. These instructions also apply if you get a letter in the mail.

Of course, because everyone’s information was made publicly available, scammers know who you are. If you get an email that seems slightly off and want to learn if it is “real,” please forward it to me for verification. Doing so is not an intrusion on my time. I would much rather spend a minute or two to review the contents of an email, than spend several hours — or days — working to restore your stolen identity.

Thanks, and safe computing!

There is little doubt that cybercrime is becoming more complex, and ransomware and data breach events are becoming more frequent. As a result, many small business owners have become concerned that they will soon be victims. Some have looked to IT solutions providers, like Heliotropic Systems, to help deal with these evolving threats. That is why it is vital for me to understand the current state and emerging trends of that threat landscape and what tools I can use to combat them.

Let’s look at the cybersecurity landscape and analyze the threats, trends, and opportunities.

Protecting Small Businesses from Ransomware Attacks

Cybercriminals are increasingly targeting small- to medium-sized businesses (SMBs). In 2021, more than 40% of all cyberattacks were against small businesses. Digging deeper into that statistic, researchers have found that of those attacked, approximately 60% will go out of business six months following an attack. The primary reason is that so many SMBs don’t have the resources to support an internal IT and data security operation.

In almost all of my security vendor recent annual reports, the most common threat was ransomware. The second tier threat was data breach. To combat these insidious hazards, I must be proficient in three areas.

Prevention

The primary goal is to eliminate the threat of an attack in the first place. While I fully acknowledge there is no “right” way to do this, there are measures I take to help keep my clients from becoming ransomware victims. I recently added Huntress (a threat detection tool) to my portfolio. You subscribe to SPF+ (for consumers) and SHADE (for small businesses), which enables automated patch management to fix potential vulnerabilities as soon as they are discovered.

Another significant measure is to constantly remind clients that rather than click on a link or respond to a suspicious email, you should call me for confirmation. The other day, someone said they received an invoice for three years of Norton Lifelock. No, they didn’t — they received a scam email. It was de-
signed to obtain sufficient information to make fraudulent charges on their credit card.

Detection

I’d be remiss if I didn’t acknowledge that ransomware can still get through the protection layer despite my best efforts. That’s why I have measures in place to identify when ransomware is present, rather than assuming an attack will never be successful. The earlier I can detect it, the sooner I can take action to eliminate it.

Response

When ransomware is detected, responding to the attack, and eliminating it must be done with the utmost efficiency. Some of the steps I must take include:

  • Scan the network for confirmation of an attack unfolding.
  • Identify the infected computers and isolate them from the rest of the network.
  • Secure all backup data or backup systems immediately.

I feel good knowing I have a significantly positive affect on my clients’ businesses by optimizing ransomware prevention and detecting and quickly responding to attacks. Ransomware attacks were estimated to cost roughly $20 billion in 2021. My aim is to save my clients from suffering any financial damages that would hurt their business.

Finding the Right Tools to Combat Ransomware

All my small business clients trust me with access to critical systems and data. They feel protected because they know I will act swiftly and effectively when a threat arises. To accomplish this, I have – over the years – sought to obtain the necessary tools that will facilitate quick and decisive action.

For example, remote monitoring and management (RMM) provides me with access to your computers so I can keep them secure, patched, and operational. I can proactively fix any vulnerabilities before you are attacked with automated patching, whether it is from Microsoft or third-party vendors, which helps optimize ransomware prevention efforts.

But, again, the idea is always to be prepared if ransomware attacks are successful. SentinelOne takes the next step of ransomware defense by including native ransomware detection. It constantly monitors for crypto-ransomware and attempts to kill the malicious software, thus reducing the impact of an attack. You (and I) get alerts at the first detection of crypto-ransomware, and I can automatically isolate any infected computer.

The ability to detect ransomware immediately enables me to execute an action plan sooner rather than later. And I know ransomware infections can cause extensive damage, which may prove too costly for many small businesses to overcome.

Of course, no ransomware response plan is complete without a system to protect the most vital company resource – its data. Regularly backing up data can reduce the risk of downtime when a ransomware attack is successful, but the backup system must be secure and reliable. The Datto Vaults I deploy at client sites are designed to protect physical, virtual, and cloud infrastructures and data. The data is well protected and easily accessible, so I can recover it rapidly when needed. The Vaults also have software that detects ransomware within backups, saving me (and my clients) time locating the last clean system restore point.

Leveraging Security Services to Help You Grow Your Business

Most of my colleagues will tell you that they are all focused on security on many levels, whether securing computers and networks, protecting data, or understanding how to be better against the threat of ransomware. Security threats will never go away – we can only keep them at bay. I believe I can effectively protect my clients and ensure their businesses thrive with the multi-layered security tools I have deployed.

Thanks, and safe computing!

In this particular “scammers” edition of Sun Spots, I will share a few recent emails from clients asking about the validity of the contents. I also want to direct your attention to a feature-length article from Wired magazine’s March 2022 issue that contains a third-party discussion of what happens when someone is an unwitting victim of a phone call.

One client forwarded me an email about urgent warning about his Norton anti-virus license.

He uses AOL, which doesn’t let you see “behind” the email address unless you explicitly look for it; fortunately, Outlook does. But this is such a piss poor example of fraud it isn’t even funny.

The email return address is justforconsumers.com, which doesn’t resemble Norton at all! The links in the email route to http://aoolldearbox.bond, which is not a secure website. Worse yet, if you click any link, you are re-directed to a website hosted by aquaticbees.com (definitely not Norton). That page has a warning about an increase in “Malware and Viruses.” Click on any of the links on that page, and I’m certain your computer would be flooded by tons of the stuff they “warn” you about.

And, of course, he has SentinelOne with his SPF+ subscription, not Norton!

This email is fraudulent; it should be marked as “spam” and then deleted.

Another client returned from a recent vacation to find an email with the subject, “Your order has been confirmed.”

Attached was a PDF file that resembled an Amazon invoice indicating that a payment of $769.99 had been received for a “SAMSUNG 55-Inch Class QLED 4K UHD Dual LED Smart TV with Alexa built-in.”

It also included the following information:

If you want to cancel or modify this purchase and want to claim your money back. Please call us Immediately to our Billing Department : +1- 877-542-2099

Let’s forget, for a moment, the atrocious grammar and punctuation. Let’s ignore the email address that isn’t from Amazon.com. This email and invoice features one of the more insidious scamming aspects. It requires you to call them to ask for assistance. The moment you do that, you are an active (unwitting) participant, and — if you are not careful — will be providing con artists and thieves with your personal information. I cannot stress how important it is to DELETE garbage like this immediately!

This leads me to the Wired article: They Were ‘Calling to Help.’ Then They Stole Thousands. Take the time to read this, and if you have any questions afterward, please let me know.

Thanks, and safe computing!

Imagine receiving an email, delivered to your business email address, offering a “Partnership Affiliate Offer.” Would you open it? Oh, come on, of course you would! Your curiosity invariably gets the better of you all the time. But when you read this email, you pause and then shudder. What the heck? Here’s the offer:

If you can install and launch our Demonware Ransomware in any computer, company main Windows Server, physically or remotely, (there’s) 40 percent for you, a million dollars for you in Bitcoin.

A researcher at Abnormal Security engaged with the bad actor behind this poorly written email offer for several days. The researcher documented how he tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he was building.

Funny, right? Unfortunately, Business Email Compromise (BEC) or CEO Scams in which crooks, mainly based in Africa and Southeast Asia, spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers are bigger business than the blitz of ransomware attacks that have made headlines recently.

The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams increased to more than $1.8 billion in 2020. These extortion attempts have proven to be highly profitable for cybercriminals.

And, of course, it is incredibly humorous that this latest cyber scam is authored by a Nigerian because the classic email scams began decades ago. Referred to as the “419 scam” (because of the area code), the “Nigerian prince” emails requested your assistance because of a will or lottery win. If you were willing to engage in helping the email author obtain the funds, you’d be rewarded with a percentage of the total amount.

What I found amazing while researching this article is that these 419 emails continue in only slightly modified formats to this very day. That someone has taken the initiative (albeit warped) to reboot this for the Bitcoin era is not surprising — but enterprising.

Bottom line: Be extremely careful of unsolicited email offers!

The Federal Bureau of Investigation (FBI) recently released the annual report from their Internet Crime Complaint Center (IC3). The 2019 Internet Crime Report contains some rather remarkable and sobering statistics recorded on the IC3 website during 2019.

One of the techniques I’ve learned about making a presentation to an audience is to engage with them physically. For example: “Please raise your hand if you’ve been a victim of some form of internet-based scam or fraud in the past 12 months.” Invariably some people in the audience will raise their hand. I’d continue by asking, “Now keep it raised if you went to the IC3 website to report it.” I would be very hard-pressed to convince you that any hands remained in the air. And with that little bit of background, let’s take a look at the numbers. I hope that after you read this newsletter you would contact the IC3 if you inadvertently fall victim to one of these scams.

In 2019, the IC3 received over 467,000 complaints with reported losses that exceeded $3.5 billion. That is approximately 1,300 reports per day and represents a 33% increase in the number of complaints from 2018 with a corresponding increase of 30% in losses. Those numbers reflect both the sheer volume of threats that are taking place and an enhanced effort by the FBI to let people know they should report scams to the IC3.

What accounted for the most substantial loss last year? 23,775 victims reported Business Email Compromise (BEC) attacks, which cost them over $1.7 billion in damages. BEC occurs when a bad actor compromises a legitimate business email account and requests a form of funds transfer. The FBI reports that a new variant of this scam appeared in 2019: diverting payroll funds. In this scheme, a human resources or payroll department would receive an email looking like it came from an employee with a request to update their direct deposit account information. The new account would generally route to a pre-paid card account. The likelihood of recovering those lost assets is extremely low.

Another high yielding scam from 2019 was Tech Support Fraud. The IC3 received over 13,000 complaints that amounted to more than $54 million in lost funds — a 40% increase from 2018. What is missing from this report is the number of victims who fell for the scam but who did not know to contact the IC3 to report their loss. Also missing is the total number of victims who didn’t succumb to the fraud in the first place. (I’d like to give a “shout out” to Rhea Hess for having received and faithfully ignored more of these fake tech support phone calls than anyone I know.)

Also on the list was the Ransomware category, comprised of 2,047 victims who lost $8.9 million. Now I have to admit, that is quite surprising given the high profile ransomware cases involving several cities, government agencies, and the health care industry last year. Again, that goes towards the question of who reports their victimhood to the IC3.

The final category is one that is significant yet frequently overlooked: Elder Fraud. Overall, the majority of losses and incidents occurred to victims who indicated their age was 60 years or over. That amounted to more than 68,000 individuals for a total of over $835 million in losses. Targeting this group is widespread because cybercriminals will invariably go to where they think the money exists.

The most treacherous scams for the over 60 age group involved Romance Fraud, Grandparent scams, and Family/Caregiver scams. The bad actor deceives the victim into believing there is a trusting relationship. The victim is persuaded to send money, or provide personal and financial information, to the bad actor. This situation frequently leads to Identify Theft or Account Takeover, where the criminal has sufficient personal identifying information that they can commit fraud against the victim’s financial accounts.

Steps You Can Take to Avoid Falling Prey — And What to Do If You Are a Victim

One of the best ways to avoid a lot of grief and heartache from these scams is to exercise a moment’s caution every time you encounter someone who is calling you for any personal information.

Similarly, if you need to contact any company for support, DO NOT search for their phone number! Scammers have already rigged the search results list on Google so that their fake phone numbers appear before the real ones. Those links go to fraudulent websites that will try to obtain personal or credit card information. If you need to contact any company, go directly to their website and look up the phone number.

If you think you’ve fallen victim to a scam, the first thing you should do is call me so that I can assess what has occurred. As appropriate, I will help you file a report with the local police, and work with you to contact your financial institutions.

I am going to insist that you log the case with the IC3 (https://www.ic3.gov). Your complaint must contain all of the required data, including banking information.

In terms of BEC fraud, there are more specific actions to take. These include:

  • Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless letter or Letter of Indemnity.
  • Never make any payment changes without first checking in with the intended recipient. Verify that email addresses are accurate when checking email on a cell phone or other mobile device.
  • And for heaven’s sake, call someone if there’s a significant amount of money involved, or if the request differs from your usual business process or procedures.

Thanks and safe computing!

I have written about this before (and will undoubtedly do so again), but those phone calls you get from someone with a heavy accent, claiming they are from “Microsoft” or “Tech Support,” saying they have received information from your computer about problems that need to be fixed are nothing but pure crap!

I’ll keep this simple: If you get one of these calls, just hang up. You can’t tell them to put you on a “do not call” list, they don’t / won’t listen to that. They don’t care. All they are interested in is scamming people. They get money from spreading FUD (fear, uncertainty, and doubt) to anyone who doesn’t know enough about computers to know better.

These are incredibly vile profiteers, because after they have falsely convinced a suspect that something is wrong with their computer, and while purporting to help, they install malicious software on the computer and then charge — in most cases as much as $150 — to do this.

So, save your breath, and especially your money. Just hang up the phone. Oh, and you really don’t have to call me to tell me you got one of these calls; my phone line would be busy all day.