Skip to Content
© Dennizn |

Don’t be fooled by this new phishing attack hidden in online surveys

Phishing scams are growing more prevalent by the day and are becoming much more difficult to spot. It’s bad enough if you get tricked into clicking on a malicious link that leads to having account credentials stolen, but some crooks aren’t satisfied with just that.

A recent phishing attack played on COVID-19 fears and resulted in the victims’ device being infected with ransomware. Tap or click here to see this nasty scam in action and steps to prevent your device from being infected.

Now, there is a new phishing email making the rounds that you need to know about. Keep reading to find out how the thieves are pulling it off and one critical precautionary step you need to take to stop it.

Survey says: Do not click on that link

When we talk about sophisticated phishing attacks, that typically means thieves are spoofing emails and websites to look exactly like legitimate companies. By using authentic logos and setting up URLs that are almost identical to the real deal, it’s hard to distinguish between genuine and fake.

RELATED: Why are there so many phishing scams during COVID-19?

Welp, get ready for some next-level deception. Scammers have found a way to bypass spoofing legitimate emails and are sending their scams through actual emails from a legitimate survey company and are targeting Microsoft Office 365 clients.

According to researchers at Abnormal Security, cybercriminals are sending phishing emails through legitimate survey company SurveyMonkey. If not familiar, SurveyMonkey has around for over 20 years and hosts real surveys for anyone who signs up for an account.

Here’s how the scam works: thieves send potential victims an email through a real SurveyMonkey domain, However, the reply-to domain isn’t legitimate. Instead, it’s a malicious link that is supposedly needed to “take the survey.”

The malicious link is labeled, “Navigate to access statement.” If you click the link, you’re actually sent to a malicious web page that asks for your Microsoft Office 365 credentials. If you type your credentials on that site, you’re handing them over to thieves.

The trickery doesn’t stop there. The email also includes this clever line: “Please do not forward this email as its survey link is unique to you.” This makes the idea of signing in to your Microsoft Office 365 account necessary to confirm that it’s actually the person intended to take the survey. Pretty genius, wouldn’t you say?

You may also like: Fast-spreading malware steals credentials and browser history

Thankfully, there is one simple precaution that you can take to avoid falling victim to this scam.

How to outsmart SurveyMonkey phishermen

As with many scams, this clever phishing attack can be defeated if you take the right precautions. The best way to avoid falling victim to this scam is by setting up two-factor authentication (2FA) for your Microsoft Office 365 account.

The good news is Microsoft does offer 2FA for Office 365, you be sure to enable the feature before it’s too late. If the company you work for is in charge of your Office 365 account, the network administrator will need to enable 2FA and it’s a good idea to ask them to do so if they haven’t already.

If you’re not familiar with 2FA, it works like this: anytime you log in to an account with 2FA enabled, you’re required to have a second way of verifying it’s you beyond username and password. You can have a code sent to you via text or use an authenticator app instead, which is even more secure.

Using 2FA with Office 365 pretty much stops these thieves in their tracks. Even if you were to fall for the phishing email and log in to the spoofed site, the scammer couldn’t take over your account without the device in hand that you use to get the 2FA code. Tap or click here for more details on 2FA and how to set it up.

Another thing you should be doing is avoiding links found inside unsolicited emails. That’s just solid advice these days because you never know when the next scam is going to hit your inbox. All links and attachments found in emails or texts are potentially malicious and could infect your device with malware or trick you into handing over sensitive information. Just don’t!

Follow these simple precautions and you’ll be able to outsmart phishermen before they can do any real damage. Stay informed of the latest attacks by keeping up with and don’t forget to share this article with family and friends so they know what’s happening, too. Knowing what to watch for is the first line of defense.

Stop robocalls once and for all

Robocalls are not only annoying, but they scam Americans out of millions every year. Learn Kim's tricks for stopping them for good in this handy guide.

Get the eBook