Scam email alert: Convincing phishing attack coming for your passwords

Scam email alert: Convincing phishing attack coming for your passwords
© Nopparat Khokthong - Dreamstime.com

Fraud tactics in the digital age are a lot like computers themselves: They get more sophisticated every year. The phishing scams of the previous decade are nothing like the complex attacks of today — which feature far more competent web design, faster data-harvesting, and more convincing English-language text.

Not only are scam sites better than before, but they’re also keeping up to speed with current events and news. Over the past few months, multiple phishing sites have been found hosting phony COVID-19 cures and treatments. Tap or click here to see how to avoid these scams.

Coronavirus treatments aren’t the only kind of bait out there, either. A new Skype-targeted phishing campaign is tricking people using one of the most convincing emails and websites we’ve seen. By using genuine-looking Skype web design, this site tricks you into sharing your login so hackers can steal it. Here’s how you can tell it’s fake.

Fooled by this new Skype scam? We don’t blame you

A convincing new phishing scam targeting Skype users is just the latest entry in an uptick of cybercrime reports following the start of the COVID-19 pandemic. With so many workers now telecommuting from home, video chats and remote-access programs are among the highest priority targets for cybercriminals.

This new scam, reported by security researchers at Cofense.com, might be a bigger problem than some of the others we’ve seen. Not only is the scam more realistic looking than its contemporaries, but the criminals behind the operation also put a painstaking amount of work into making all parts of their operation look legit — right down to the URL.

Here’s how the scam works: Skype users will receive an email from the hackers with an alert that you have multiple missed notifications. You’ll be able to click a “review” button to access them, and upon doing so, will be taken to an ordinary Skype login screen.

And that’s where the hackers strike. The moment you enter your information into the webpage, your password and username are hijacked. If you share the email address and password with other accounts, you can bet they’ll now have access to those too. Tap or click to see how to make stronger passwords for your various accounts.

This might sound like the same lame-brained phishing scheme of yesteryear, but we honestly can’t blame people for falling for this one. If you look at the images provided by Cofense, you’ll see that the email template is well designed and the sender field obscured to hide the message’s true intentions.

What’s more, when you visit the login screen, you’ll see what appears to be a legitimate URL in the address bar. This URL is very real and is from what should be a trusted top-level domain (.app). This domain is owned by Google and is used by app developers to host downloads and exchange information.

But anyone who develops software can buy one of these domains, and that’s exactly what these hackers did to ensnare people. They even went as far as encrypting their malicious webpage with HTTPS so it looks even more legitimate!

How can I protect myself from this email scam

It should go without saying, but avoiding clicking external links from emails altogether is the safest thing you could do right now. As we mentioned above, phishing scammers are only going to get better and more convincing over time. But the fatal flaw in their plot is that you still have to “open the door” and let them in. Don’t give them the chance!

In addition to email links, always keep an eye on the URLs of the websites you visit. Just because a website is HTTPS encrypted doesn’t make it safe. Top-level domains like .app can only be trusted as much as the program’s developer, and well-known software developers probably won’t use it for their products (Skype, for the record, uses .Com).

To protect yourself and your accounts, always be skeptical of links you’re sent via email, text, or social media. Only log into an account of yours if you visit the website yourself, and avoid logging in after clicking a link if you can help it.

You may also want to set up two-factor authentication to prevent unauthorized logins into your online accounts. Even if your data got phished somehow, the hackers would still need access to your phone to log in. This can save your personal data and more whether the hacker has your password or not. Tap or click here to find out how to set it up.

Threats like phishing aren’t something that can be wished or handwaved away. Because it’s us being tricked, we are the only ones who can put a stop to these scams.

If no one bites when they go phishing, maybe they’ll rethink their life and pick up a better line of work. There are plenty of jobs hiring at-home workers, after all. Tap or click to see who’s hiring now.

Tags: cybercrime, cybercriminals, Google, phishing, scam, security, two-factor authentication