In addition to new cybersecurity threats from Russia in conjunction with the war in Ukraine, the FBI is warning consumers and businesses to be on high alert after several new scams were reported over the past few months. The common thread: The tactics are becoming more sophisticated.
Recently, the FBI issued warnings around scammers using:
Fraudulent QR codes
Fake Google Voice Authentication
Cell phone SIM cards
Fraudulent QR codes
The pandemic made Quick Response (QR) codes fashionable again, as restaurants opted against printed menus and asked patrons to get out their mobile phones to access web-based versions. According to the FBI, criminals are intercepting legitimate QR codes used by businesses to redirect potential victims to malicious websites. The sites are designed to steal personal and financial information, prompt users to install malware on their devices, or divert payments to fraudulent accounts.
How to protect yourself:
Pay special attention to the URL you are sent to after scanning a QR code and make sure it matches the business URL.
Be cautious when being asked to input your data after scanning a QR code.
Check to make sure that a physical QR code has not been covered by a malicious one, including a sticker.
Avoid installing third-party QR code apps on your phone; instead, use the ones built into your phone, which provide more security.
Best practices for businesses:
Regularly check QR codes displayed on tables or in common areas to ensure they have not been tampered with.
Present your business logo alongside the QR code to provide more validity for patrons.
Make sure the URL includes your business name (instead of a bit.ly address, for example).
SIM card swaps
With this kind of scam, criminals impersonate their victims with the phone carrier.
"For example, the criminals call AT&T and tell them you got a new phone or lost your old phone and need to transfer your number over to their SIM card," Garrett said. At this point, the representative would ask for your PIN, and if it is easy to guess, they would be able to access your account and transfer your number to their new SIM card.
"The end game is not to gain access to your text messages or voicemail – it is to get your multi-factor authentication (MFA) for your accounts," he said. MFA is an authentication method that requires two or more verification factors (like username/password plus a code sent to your phone) and provides an extra layer of security for your accounts.
How to protect yourself:
According to Garrett, this scam is difficult to block, but one way is to add a PIN to your SIM card.
Make sure your PIN number or secret phrase is not something that is easily guessed (avoid combinations like 1234).
Make it harder for attackers to find information about you, such as names of family or friends, by locking down your social media profiles and monitoring what's available about you online.
Change your authentication methods. If your MFA is set up using SMS (a text message), attackers will have an easier time accessing your accounts. Consider using another authentication method, such as the Google Authentication app.
Google Voice Authentication
The FBI is also warning about fraudsters targeting people who list their phone numbers publicly on "for sale" sites or other websites with a Google Voice Authentication Scam. In this scheme, scammers reach out to the person who listed their number via text or email showing their interest in an item or service – such as those listed on Craigslist or Facebook Marketplace – and then ask the seller to authenticate themselves by sharing a code from Google.
The scammer sets up a Google Voice number in the person's name and can conduct other scams without getting traced. However, in this scenario, the scammer can also gain access to the person's Gmail account and potentially do even more damage.
How to protect yourself:
Avoid listing your phone number publicly, especially on social media.
Never disclose a Google verification code.
Avoid sharing your email with people doing business over the phone.
Only use valid payment methods, such as those with added security features, like PayPal, Venmo, Apple Pay, etc., to ensure there are security measures in place to protect your banking information.
Best practices for businesses:
If you are using Gmail-based workspaces, you should be especially cautious about this scam since the criminals may try to gain access to your main Gmail account to send phishing emails to your business contacts.
If your business uses a Google Voice account, make sure your Google account has MFA set up.
Do not share your Google codes for any reason.
Limit the number of people with access to your Google Voice account.