Fraud Information Center

Scam Alert: QR Code on an Unexpected Package

An unexpected package from an unknown sender arrives in your name. You open it and find a note that says it’s a gift, but it doesn't say who sent it. The note also says to scan a QR code to find out who sent it — or to get instructions on how to return it. Did someone really send you a gift? Or is it an attempt to steal your personal information?

If you know it’s really a gift, you can keep it. But know that the unexpected package could be a new twist on a brushing scam that could steal your personal information. If you scan the QR code, it could take you to a phishing website that steals your personal information, like credit card numbers or usernames and passwords. It could also download malware onto your phone and give hackers access to your device. If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away. Create a strong password that is hard to guess, and turn on two-factor authentication. If you’re concerned someone has your personal information, get your free credit report at AnnualCreditReport.com. Look for signs that someone is using your information, like accounts in your name you don’t recognize. 

Also review your credit card bills and bank account statements and look for transactions you didn’t make. And consider taking other steps to protect your identity, like freezing your credit or putting a fraud alert on your credit report. If you think someone stole your identity, report it, and get a personal recovery plan at IdentityTheft.gov.

--Information provided by BankOnIT Information Security Brief

Beware: Mobile Phishing Mimicking the USPS Is On the Rise

Researchers at Zimperium warn that a large phishing campaign is impersonating the US Postal Service (USPS) to target mobile devices with malicious PDF files.

The goal of the campaign is to direct users to a spoofed USPS website designed to harvest personal information.

“The investigation into this campaign uncovered over 20 malicious PDF files and 630 phishing pages, indicating a large-scale operation,” the researchers write.

“Further analysis revealed a malicious infrastructure, starting with landing pages designed to steal data, that could potentially impact organizations across 50+ countries.

“As in our previous Black Friday scam trends analysis, scammers leaned heavily on impersonating trusted brands and leveraging psychological tactics such as urgency and exclusivity,” Bitdefender says.

“Fraudulent emails promised exclusive or early access to Black Friday deals and rewards in exchange for survey participation or irresistible discounts on mystery boxes for submitting payment details. Counterfeit Rolex watches, Louis Vuitton bags, and Ray-Ban sunglasses are among the recurring themes and usual suspects in this year’s Black Friday scam agenda, with scammers luring shoppers with realistic websites and too-good-to-be-true prices.”

This campaign employs a complex and previously unseen technique to hide clickable elements, making it difficult for most endpoint security solutions to properly analyze the hidden links.”

Notably, the phishing campaign used a new obfuscation technique that allowed the malicious links to evade detection by security products.

“The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, making it more challenging to extract URLs during analysis,” Zimperium explains. “Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used. This highlights the effectiveness of this technique in obscuring malicious URLs.”

The researchers note that PDFs are commonly used in business settings, so employees need to be wary of attackers using these files to deliver phishing links.

“The widespread use of PDFs is introducing significant security risks to the enterprise, particularly when targeted to mobile devices,” the researchers write. “PDFs have become a common vector for phishing attacks, malware, and exploits due to their ability to embed malicious links, scripts, or payloads. On mobile platforms, where users often have limited visibility into file contents before opening, these threats can easily bypass traditional security measures.”

--Information from KnowBe4 Security Awareness Training Blog

Give to a charity, not a scam

There’s no shortage of good causes to donate to. But before you give somewhere new, make sure you’re not donating to a scam.

Scammers are pros at tricking people into donating. They’ll often even use names that sound a lot like other charities you’ve heard of to get your money. Here’s how to make sure your money is going to support the cause you care about:

• Don’t be rushed or pressured into giving, especially over the phone. If it’s a request to donate on social media, take the time to make sure the person who shared it with you knows the organization or person fundraising.
• Research the charity before you give. Search the name plus “complaint,” “review,” “rating,” or “scam.” Organizations like the Better Business Bureau's (BBB) Wise Giving Alliance, Charity Watch, or Candid also let you research charities.
• Don’t trust your caller ID. Technology makes it easy for scammers to fake caller ID information. Calls can look like they come from your local area code, or from a specific organization, even if they don’t. In reality, the caller could be anywhere in the world.
• Check out the charity’s website. Does it give you details about the programs you want to support or how it uses donations? How much of your donation will go directly to support the programs you care about? If you can’t find detailed information about a charity’s mission and programs, be suspicious.
• Pay attention to how you pay. If a charity asks you to pay with cryptocurrency, by wiring money through Western Union or MoneyGram, with a payment app, or with a gift card, it’s likely a scam. Donating by credit card or check is safer.

--Information from Federal Trade Commision Consumer Advice

If you have been the victim of identify theft, here are some steps to help you get your life back on track:

1. Place a fraud alert on your credit report.
   • When you place an alert on your credit, this will prevent any other account from being opened.
   • You can request a report to see if any charges seem suspicious.
2. Close the accounts you think could be affected.
   • Contact someone in the fraud or security department of your financial institution.
   • Follow up in writing with copies of any supporting documents.
   • If any debits exist on your accounts, or a new account has been opened, ask the financial institution for the correct paperwork to dispute them.
3. File a complaint with the Federal Trade Commission (FTC)
   • When you file with the FTC, you are providing information to help law enforcement officials track down thieves.
4. File a report with the local police department
   • Filing a report, along with a complaint to the FTC, can give you certain protections to ensure your identity can be protected and restored.