Phishing Scams, Email Hacks, and Cybersecurity Must-Knows

[00:00:14] Welcome to another incredible edition of TechWatchRadio, NPITechGuys.com. We keep an eye on tech so you don't have to. Brought to you by NetworkProvidersInc.com. You've got a friend in the IT business. One of the great things that NetworkProvidersInc does is provide security updates, recommendations, cybersecurity tips, and more.

[00:00:42] If you want to sign up, NPITechGuys.com. Sign up and they'll fire you off some of these emails that we talk about. They're great details from the owner, founder, president of NetworkProviders. His name is Jay Hill, and he does a great job breaking some of these things down for us. And we'd like to cover them because what I like the most about these, Jay Harrison, is that he puts things on the kitchen table where it's easy to understand. Yeah, he's pretty prolific too.

[00:01:09] He gets a lot of tips and articles and things out there all the time on a regular basis, which is pretty good. It's often so that you get tips, but it doesn't overwhelm your inbox. So let's be clear, you're not just going to be bombarded and crazy, but you are going to get timely tips that make sense. Cybersecurity tip number one today, how to spot a phishing email. Jay? Yeah, that's pretty good.

[00:01:37] So there's a lot of phishing emails is very common. You know, we kind of thought we were going to get away from this. And I think they've been making some good progress with security email and DKIM and some of these things like that. But people have not got their servers set up to reject servers that aren't secure and don't have these things yet. But we're almost there, and I think we're going to see a decrease.

[00:02:01] But phishing email, as we've seen, these are bogus emails that are carefully designed to look like a legitimate request, often with an attached file. In fact, I got one actually just yesterday. And it was an invoice attached from the Geek Squad at Best Buy. It was like $400-something. I previewed it with Gmail on the web because you could do that easily and be pretty trustworthy that it's not going to launch anything.

[00:02:29] But I would never have downloaded that and run it, say, in Adobe or something where it would have been. But often these emails, they look 100% legitimate. I'm just surprised that that one got through, like the spam filters and stuff. But they're still out there, and they're still looking for you. Those are actually, a lot of times those don't even have malicious content. They are, in these phishing attempts, trying to get you to call to dispute it so they can get you on the phone. And then they're like, oh, you've got to do this, you've got to do that, or you've got to let me log into your computer or whatever.

[00:02:59] But they often look legitimate. And sometimes it's a PDF or it's a UPS tracking number or a bank letter or a Facebook alert. We've seen a lot of those lately. Yeah, a lot of times, ladies and gentlemen, it's things that, believe it or not, surprisingly enough, they control you pretty good. Oftentimes it's even things that you're actually working on, right? Yeah.

[00:03:16] Well, and just by nature of the scattershot shotgun kind of approach, you send out a thing that's like, hey, your shipping delay at the port, well, maybe 1% of people are actually expecting something to come in from overseas. So to them, this is perfectly salient and relevant to what they've been waiting on and looking for. And so that's how they catch a lot of people when they catch them. But if you or I get that out of the blue, we're just like, whatever, I'm not expecting anything. Come on. And so it's kind of harder to catch.

[00:03:46] But, you know, when you're just mass sending this out to everyone. So, for example, if they say, hey, you know what? Your boss is out of town. I tried to get a hold of them, but you need to do this, this, this, you know, or whatever they say. Or it is your boss, supposedly, and it says I'm out of town and your boss is really out of town. Yeah. Then it seems legitimate automatically. Right. And so they look and act legitimate.

[00:04:11] And they're very hard to be careful to not, you know, do damage regarding. But I understand fishing is spelled with P-H, right? Just so people understand, first of all. Yeah. Fishing with a P-H. But, you know, some of the tips is double check the email. You might discover that the email, you know, say your boss's name is Sam Bushman. You know, you might see an email and it's really sambushman at techwatchradio.com would be the email that you're looking for.

[00:04:41] But it's Sam Bushman at Yahoo or Sam Bushman at Gmail or something like that to where they kind of spoof it. Or sometimes it's even Sam Bushman at Tech Watch Radio, maybe without the A. Yeah, exactly. So that you don't see it. So it's Tech Watch RDO, if you will. But it looks so legitimate, but it's not me. So the way you do it is you hover over it to see what the email address really is that it's coming from. Don't click on it. Don't take action.

[00:05:09] But hover over it so that you can kind of see. That's one of the best ways you can do it and just say, hey, is this really the right email address? Or is it slightly different? And pay attention to the details. Training users is one of the great ways to prevent this, Jay. That's exactly right. So that's one thing you can do.

[00:05:32] Second, if you hover over the URL that you might be directed to on the email, don't click on it. But look at the URL. You can kind of say, hmm, is that weird? Is that just some kind of weird URL, something I don't recognize or something that's spelled slightly different or whatever else? And if you're unsure, what I always do, for example, if it's just, say, credit card or whatever it is or an account,

[00:05:56] I always just basically just bail from the email, log into what I know to be the legitimate site for whatever it is. Let's say that it's my car insurance. Right. I will just simply go to where I always go for my car insurance, whatever's in my password manager and whatever I know the original site. I won't use that email to go there at all. And if, hey, they're saying, oh, you got a problem with your thing, you got to correct this or you've got a warning or you've got a payment or you've got to.

[00:06:20] If I log in and I see nothing like that with a legitimate login, completely separate that I know and trust, or if it's a credit card dispute and I call the back of the – I don't call the number in the email. I call the number on the back of my actual physical credit card. Exactly. Or you always want to go to the source and say, hey, does this tick out with what they're saying? Don't take the lazy way out. Go ahead. I say don't take the lazy way out just because the phone number is in the email. Don't trust the email automatically. Use the number off the back of your card.

[00:06:48] Now, I even had somebody call me the other day, Jay. This is a real example. They sent me an email. And the email looked pretty legit. But I paid attention and I decided that it wasn't real. So I ignored it. But then they called me and they said, hey, did you get our email? We're following up. We are an Intuit. We're an Intuit. We're with Intuit. Anyway, I literally took the guy to pieces.

[00:07:17] And I said, if you're with Intuit, then I need you to send me an email from Intuit. And anyway, we went around the bar. You should have recorded the call for the air, Sam. I finally pinned this guy down. And it turns out that he works for a company that supposedly a certified Intuit, QuickBooks expert, whatever they call them, pro advisor person. It wasn't Intuit at all. Yeah, but they should not be masquerading as Intuit. And a lot of them will.

[00:07:47] 100%. Well, anyway, so they did. Then I said, okay. So I hunted down their website. And then I said, so your website's this and you guys are really just a partner with Intuit, right? And I drilled this guy down and he literally melted down right on the spot. What did he say? Well, he's just like, well, yeah, we're actually an Intuit pro advisor. And that's why you need to listen to us. He tried to start saying that. Then I said, but you told me you were with Intuit before.

[00:08:17] Sir, do you work for Intuit? Yeah, that's right. He just kind of sat there. And I said, so what I need you to do is I need you to email me your name and what department and your boss's phone number. And if I can verify that phone number to be a legitimate phone number from Intuit, then I'll call them. Can you email that to me?

[00:08:46] Well, I need your email address, sir. No, you don't. You already emailed me. Remember? You're calling me about the email that you just sent me, right? Anyway, he got so twisted. He got so twisted up in knots it wasn't even funny, Jay. I'm just telling you right now. Yeah, you got to be careful. There's a lot of people that are like that. And they even may be legitimate companies. They may not be scammers, but they're trying to ride on the laurels of these bigger companies, Intuit or Microsoft. And actually, almost everybody you get that says they're Microsoft.

[00:09:17] Yeah, they are, but they're not in a clear sense, right? They're not. I actually have seen this before with legitimate AT&T resellers and reps from companies where they try to act like and they do everything they can to say they're AT&T, but they're really not. They're just a reseller and somebody who's getting, you know, commission or whatever on new sales. But they act like they're AT&T, but they're, you know, they're really, you know, Northwest Communications or something else. They're not legitimately with them. So you got to be careful of that.

[00:09:46] That's not necessarily phishing, but it is a little bit scammy, you know. Well, it's kind of pretexting. It's deception. It's, you know, so the email was not from Intuit. Because I said, I said, well, I have this email and it's from this. And he was like, oh, yeah, that's just one of our sub websites. I said, OK, but if I go to who is, it doesn't say that it's an Intuit owned website of any kind. Right. Who's this person? You know, because there was somebody's name on there. What are these DNSs? And I started asking him all these questions. He just had no clue.

[00:10:15] Anyway, so the whole point that we want people to understand with this is you've got to take a step back. Don't get into this panic mill. I got to do something. Oh, my gosh, this is critical or whatever else. They always want to create the, quote, you know, emergency of the day to get you to not really process this, but to emotionally take action. Don't do it first. Yeah, that's when you'll make poor decisions. Amen.

[00:10:38] Secondly, step back and say, hey, if somebody that I'm doing business with is legitimately trying to get a hold of me, then I should be able to not use the channel of that email that I'm suspect. I can use my legitimate sources to get a hold of them. The number on the back of my credit card, the number on my account statement or that kind of stuff. Right. That's right. I can literally do those things.

[00:11:06] And I don't have to worry about all that stuff. I can just go to the legitimate channel and say, hey, is this happening? So let's say it's my bank. Go to my bank. Hey, are you saying there's some fraud on my account? They're like, no, sir. Your account's totally clear. Well, I already know now and I've gone through legitimate channels. So take the emotions out of it. Step back and analyze it. Hover over the email details, the URL, the address. Look for misspellings. Oftentimes these people don't have great grammar because, hey, they're from across the pond and they don't speak English or whatever.

[00:11:36] Unfortunately, AI is fixing that. But yeah. Yeah. But these are just ways that you can kind of tell and always go back to the source. If something looks weird or even if something seems legitimate, like your boss. Hey, your boss is one phone call away. Did you send that email or your finance department or your. And so a company that I consulted for somebody just said, hey, we need to change. I need this person said I need to change my deposit for my automatic deposit for my check from this to this.

[00:12:05] Well, we've trained our people pretty well at this company that I work with. And the accountants, the people that do the payroll and everything else went, I'm going to call them. So they called him and they're like, what? I didn't do that. Yeah. Oh, good catch. So I'm just telling you that always, even if it's something where you're like, it's completely legit. It looks great. Just verify because it takes an extra second. But oh, boy, does this. Oh, boy, does it save hours and days and dollars and all kinds of things of trouble if it goes wrong.

[00:12:34] You know, one thing I want to highlight that you touched on, which was a password manager. If you have a password manager and you go manually to the site that you're wanting to, or let's say you accidentally click a link or you did and your credentials don't work or they're not showing up in your password manager. That is a red flag that the domain may look legitimate, but it may have some weird ASCII characters or misspelling. And your password manager knows. It's like, hey, this isn't the right domain and it's not going to suggest your credentials for it. So that's another way to keep yourself safe and maybe avoid it.

[00:13:04] The password manager, so everybody understands, it just says, is this string an exact match, whatever you put in for the URL, right? Yeah, and that'll even help you with typos. You know, say you're trying to type PayPal and you type PayPoll or something and your password manager is not giving you the credentials that you're expecting for it to auto put in. That's a good red flag right there. Amen. So the next question becomes, hey, it's one thing to say I've got to avoid the phishing and I've got to avoid the pretexting and the scamming and all that kind of stuff. The next thing is, what about a cybersecurity tip coming from NetworkProvidersInc.com?

[00:13:34] Was your email hacked, Jay? Email account takeover, believe it or not, represents 38% of the fraud happening online. And how do you make sure you're not a victim is kind of the idea. 38% is a huge number, Jay. It is a very big number. I remember an article recently by a cybersecurity guy and that was the crux of the thing was his Gmail account. He had his whole life put into it. That was his main account.

[00:14:01] And anyway, some bad guys were able to get a hold of the Gmail account and all of a sudden they were just going through his system and changing his Apple ID and his passwords. Because everything used recovery to that account. So a lot of times your email account can be the keys to the kingdom for your whole cyber life. And if somebody gets a hold of that, you know, watch out because that can be really hard to fix. And it caused this guy days and weeks worth of grief to get everything squared away.

[00:14:28] Some people are wondering, how do I know if I'm already a victim or not? Well, there's five telltale signs that we can kind of highlight here. There's more, but these are just kind of some of the most obvious that are worth poking on. They call them weird emails. Boy, have you seen those? You know what we're talking about, right? Weird emails. Well, suddenly you start getting reply emails from people you know or you don't even know maybe, but you haven't sent things to them. You shouldn't get a reply.

[00:14:58] Oftentimes you'll also see emails in deleted items or your sent items or things like that that you go, wait a minute, I never saw that or I didn't send that or those kind of things. Big red flag. You see something in your sent message that you didn't send, that's a big red flag that somebody else has access to your account. Even if they're just running it through a relay or some pop server or something, somebody has access and they're sending mail on your behalf. And you don't realize it. And, you know, so there's levels of being hacked.

[00:15:28] One is sending on your behalf, which is not really a hack. It's a problem, but it depends on how, you know, it's a breach of security for sure, but it might be more of a server discussion that they just let an email through somebody pretending they're you or spoofing you, not really acting as you in your account. So that's one thing you got to watch for. You got to also watch for this. Oftentimes there'll be a new signature. Or maybe your phone number gets changed in your normal signature or sometimes.

[00:15:54] So they'll either one change or add another signature or two slightly change the signature so that it goes to them or so that they get the phone call or they get that. All it takes them is a couple of days, Jay, for this to happen, for them to do a lot of damage. That's sneaky because, you know, you're not often vetting your signature. You're so used to it being there. If they change the phone number by a couple of digits or something, you may not even catch that the change has been made. Anyway, that's really important. Also profile changes.

[00:16:24] Maybe a new method of authentication is activated. Maybe your phone number gets changed or anyway, you know, they can make some profile changes that and these subtle things, they can just make a change. You don't know about it for like weeks or maybe even months. And, you know, the whole time phone calls are going somewhere else or and that brings up the next two auto forwarding. Now, this one on one hand is obvious.

[00:16:48] If a new audio forwarding rule gets applied, then it can send messages, you know, somewhere else or pull them into the trash or whatever. And so you got to really watch for that. I mean, if you've literally auto forwarded something and you know you did, that's fine. But if it's something that you're like. The new auto forwards, a great, great flag. That's one of the biggest ones, by the way, Jay. Yeah, it is. And also that's another one you'll see if somebody is like snooping on your messages, somebody will set up and go.

[00:17:16] If they ever get access to your account, they'll auto forward it to another account just so they can see all email that's coming in and sometimes even going out, too. So watch for that. There's a lot of reasons why that could happen. Not any of them are really good. Auto forwards that you didn't set up are not good news. Right. And the reason they want to auto forward is because then they can look at it on the other account and you're not at all aware. They can just spend all the time in the world to look through things, play with things, do whatever, because they're now they're on a separate system.

[00:17:44] And the only thing you don't know is that it was forwarded. But it gives them complete ability to do, you know, take their time and, you know, casually hang out and do whatever. Number five is password changes. If you notice a number of password change requests coming into your mailbox from social media, cloud providers, other online tools. Hey, this is their way of trying to get to some of your other accounts. Right. That's right. So be really aware of that, too. I would add a number six or maybe a corollary to the number five.

[00:18:14] And that is if you're getting two factor requests constantly that you didn't set up, that means somebody has your credentials, but they're just not they don't have that last second factor or access to your text message or your authenticate or whatever you're using. If you're getting those and you're not starting that, it's time to change your password right away. Amen to that. All right. I want to get to this last one, too, another cybersecurity tip. But I really want people to if you want these tips, they're incredible. They're simple.

[00:18:44] Add them to their newsletters, to their own employees where they have an IT section. And it gives us the chance to pop in some education along the way. That's interesting. And people read the little blip. And, you know, the smarter your people get, I'm telling you right now, your people can be the weakest link or the greatest protection ever, no matter what all what all is going down. But this is a cybersecurity tip. It says if you installed it, you must update it. And that's something that I think people really don't understand. They think they can just install something and it's all good or update itself or whatever else.

[00:19:13] It says not so fast. There are thousands of hackers. Their goal is one thing in mind. To find a new vulnerability in commonly installed software, you know, and they get access to millions of their users if they get that done. That's why these companies frequently issue patches, updates for known security flaws, et cetera. And they oftentimes look for people who are lazy and don't really do the updates.

[00:19:41] That's why you got to update your Firefox and Chrome and whatever. It's important to update these programs as soon as possible. Now, I get it if you say I want to be one version behind so that, you know, if they release something and it's, you know, a problem right out of the gate, you can miss that. And they'll do a patch. Stay maybe one or two, you know. Unless there's a zero date on it. Versions behind. Yeah. I mean, it's not perfect, but. And understand that. And so I'm just saying, hey, you want to be up to date, but maybe not on the bleeding edge.

[00:20:10] So I always basically whenever they issue a new release of something. First off, I don't do the beta or the alpha or the this or that, whatever versions usually. What is a solid version? Then I let them release it. And then I wait about probably two weeks. And then I try to update to it because if they release it to two weeks or two or three weeks and a bunch of people try it. And usually if there's a howling bug or a glitch, then you'll know about it and they'll create a patch before you even go to it. So I leave a little bit of grace for that to happen.

[00:20:39] Other than that, I try to keep up on all of our stuff. But I'm telling you, if you install it, you must be responsible for it. That means update it. That's right. Keep track of it. Or you better not be installing it or else you're just going to create big howling holes. And that's what a partner, outsourced IT company does for people. You know, they provide these cybersecurity guidance and tips and protections. And they make sure that software is installed and updated and configured properly to prevent these kind of things.

[00:21:07] Their day-to-day lives are keeping up on this stuff, Jay. Yeah, 100%. You've got to keep that stuff up. Now, not to counter this, but also you've got to be aware of this sometimes. You can have supply chain issues where if somebody gets a hold of that through the provider, the people that are writing the software, staying up to date can actually infect your computer.

[00:21:32] So, again, this is sometimes where you need an outside cybersecurity consultant because they're the ones that are going to be paying attention to things like that in the news or even listening to the show, you know, where you get a problem in a supply chain of a software provider or a GitHub account gets hacked or something. They can inject malicious stuff. And especially you should have apps that are automatically updating. You know, look at, like, for example, FileZilla. Almost every other time you open it, there's an updater, Notepad++, always updating.

[00:22:01] That's great unless they get something on their end. And then you've got to have somebody that can come in and retroactively get that out of there or make sure you're cleaned up and fix those issues. So it's kind of a two-edged sword. And there's no – I still lean toward updating is your best option and keep everything up to date. But it's not foolproof. I say lean towards updating as often as you can, staying, like I say, the bleeding edge behind a little bit.

[00:22:29] Let them release it, wait two or three weeks or whatever else, and then upgrade to things. And that way, even if what Jay is saying is true, that they've been infected once a week, they're likely to catch it pretty quickly. And if they do, then you miss all that whole round of, oh, my heavens. Yeah, because that stuff gets caught fast usually. But yet you want to stay up to date and kind of be in that sweet spot. Like we say, and we're not just trying to sell services. We're trying to give you the best guidance we can for small and medium business, which is this.

[00:22:56] You know, it's better to have somebody that watches those bulletins and keeps track of all that all the time to tell you. So, for example, in the next show, I want to talk about this interesting thing that's been going on for more than a year. What to know about the latest Social Security number breach. And I know people are going, whoa, really? Yeah, really. I mean, your government's been hacked. Well, it wasn't really your government that got hacked. It was a third party that got hacked. And anyway, we'll get into it all.

[00:23:24] But the reason I want to tell you this is because sometimes there's nothing that we can do. I mean, you can do your very best. But, hey, if Social Security and a third party gets hacked and then they use your Social Security number to somehow then breach some payroll company that, you know, something else. And all I'm telling you is it's a complicated world. And so what we're talking about is risk mitigation, risk reward analysis to say, hey, if you have an IT company that knows what they're doing, that has a good track record and you work with them, that is really your sweet spot.

[00:23:53] And you say, well, Sam, I'm too small of a company. I don't have money for that. I understand. But what you really don't have money for is to have someone put some kind of, you know, problem on your system that can take you down, that can create ransomware and then you're over a barrel or your stuff is deleted. Or all I'm telling you is you think that IT companies, you know, protecting you is expensive. It's all a relative discussion. Identity theft is more expensive no matter how you slice it.

[00:24:22] Identity theft and ransomware. Oh, yeah. Anyway, thanks for being alongside for the ride. This was a little bit more techie in some ways, but I hope people take this and apply it to their businesses and personal lives. So I'm telling you right now, these cyber security tips are real. NetworkProvidersInc.com. I'm Sam Bushman with Jay Harrison. Make it a great tech day, will you? Hey, thanks.