Scams to watch out for not just this Mother’s Day – 10 minute mail

As you rush to buy something for your mom, con artists will be trying to make a dent in your wallet. Here are some common types of fraud to look out for not only this Mother’s Day.

As it is with every special occasion, large or small, in the run-up to Mother’s Day retailers are promoting special offers to honor all mothers around the world. That provides ample opportunity for cybercriminals to pull out all the stops in their mission to make money off of everything, even a kind occasion like this. Scammers won’t just be focusing on masquerading as vendors; they will probably stoop as low as possible and try to woo single mothers in search of romance and swindle them out of their money.

Let’s have a look at the scams that you may be confronted with this Mother’s Day, and beyond.

Scam ads

A classic favorite with fraudsters. These are ever-present and repurposed for every occasion, be it Christmas or Black Friday; chances are that you might just see one with a Mother’s Day theme. So, what can you expect? Scam ads usually proliferate through social media and chat applications, and usually are spread using hacked accounts. Clicking on a fake ad will redirect you to a fraudulent website, which will probably be advertising fake or non-existent products.

If worst comes to worst, you will end up with malware making its way to your device, which can wreak all kinds of havoc – from stealing your sensitive data to locking up your device and holding it for ransom. Scammers tend to be careless and are looking for a fast turnover, so always keep your eyes peeled for anything suspicious, such as prices that make no sense (you’re probably not getting that Gucci bag for US$99), grammar mistakes or suspicious surveys.

Fake shopping websites

Cybercriminals try to leverage anything and everything that can be used to entice potential victims. Fake shopping websites are ideal for their scamming purposes. Quite often they take on the guise of reputable e-shops that have launched a separate website to house their latest promotion; Mother’s Day, being celebrated around the world, is a prime candidate. Such faux e-shops will probably overwhelmingly advertise gifts especially geared towards mothers. These products will be offered at ludicrous discounts to convince potential victims to press the buy button.


Unfortunately, if you go with it, more likely than not your payment credentials will be stolen. What exactly is stolen may differ depending on the payment method, but sooner rather than later the con artists will start racking up charges against your account. So, you should definitely do your due diligence: first, check out the shop properly, search for reviews on the vendor, see how long the site has been operating and maybe even try to contact their support. N.B.: If the vendor added face masks to a totally unrelated inventory in light of the pandemic, there is a high probability it’s a fake shop you should avoid.

Bogus gift cards and coupons

We’ve covered scam ads and fake webshops; now let’s move on to another popular way to reel in victims: bogus gift cards and coupons. These are fairly widespread and sometimes are even dispersed using the unwitting victim’s device. Once a bogus coupon tickles your fancy and you click on it, a malware installer can be downloaded on to your device; in some cases, it can turn out to be a banking trojan or even a keylogger. An additional functionality that may be included is that it will send out the coupon to your whole contact list, thus increasing the chance of striking gold for the scammers.

Fake McDonald’s coupons were at the center of one such attack, not too long ago. Be it coupons or gift cards, always make sure to verify that they were distributed through the official channels of the company like its official app, so it’s usually recommended to stick to those. If you’re suspicious, check out the company’s official site or social media to see if the offer you received is real. In case you get any unsolicited coupons, it’s best to steer clear or contact the company that supposedly issued them.

Romance scams

Amid the COVID-19 pandemic, dating apps and websites are experiencing an increase in usage, which may also translate into increased exposure to scammers. If you think it can’t happen to you or your loved ones, you’d be sorely mistaken. Romance and confidence fraud is the second costliest scam, according to the FBI’s 2019 Internet Crime Report. To put that into more quantifiable terms, one woman was duped out of US$546,000 while another one ended up becoming an unwitting drug mule and was arrested.

Usually, there are telltale signs that your mom may be talking to a scammer. A quick Google image search might reveal that their profile photo belongs to someone else, or they try within a few messages to persuade your mom to leave the dating platform (to avoid the platform screening for suspicious behavior). Whatever the case may be, it doesn’t hurt to be extra vigilant and verify the suitor; nobody wants to end up with their heart (and their bank account) broken.

Final thoughts

While most of us are often looking for the perfect bargain, we should always be vigilant and scrutinize any offer that looks too good to be true, because – often – it is. Be wary of unsolicited offers and emails; if they look interesting, read through them thoroughly and be on the lookout for irregularities and inconsistencies. If anything concerns you, either try to double- or triple-check the veracity of the offer through the official sites or consider purchasing directly from the vendor, or not using the coupon altogether. Last but certainly not least, have a reputable endpoint security solution installed, since that will go a long way towards staying protected from these types of attacks.



Amer Owaida


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Hackers Exploit Ad Networks to Launch Phishing Attacks against Android Users – Disposable mail news


Hackers are exploiting mobile ad networks to take Android users to malicious websites. From there, they can either steal personal user information or flood the victim’s Android device with spam.

The Google Play store has more than 400 apps that come with ads as a means to generate money for app developers. But recently, hackers have been exploiting these ad networks with the help of an SDK (Software Development Kit). The SDKs help app developers earn money, and the hackers are inserting code to attack the ad network.

According to research done by Wandera, a mobile security firm, the hackers send domains and URLs to users via the ads. The distribution system is called StartApp, and it allows the hackers to swamp the Android device with spam and malicious websites. StartApp isn’t responsible for any of the malicious content distributed. However, it is funded by a few agencies that distribute its malicious content. StartApp hasn’t responded to questions about its involvement in this cyberattack. “Our researchers wanted to explore a service that wasn’t associated with a single well-known advertiser, such as Google or Facebook, so they took a closer look at the framework from StartApp, which would presumably provide app developers with ads from a wider variety of advertising networks,” says Wandera’s research report.

It also says that more than 90% of the distributed through the StartApp framework originate from a single ad provider. Wandera, however, didn’t identify the provider’s name, but Cyberscoop has identified it as “AdSalsa.” AdSalsa is a digital marketing firm that operates from Spain and is responsible for ads that direct users to these malicious websites.

“We help app publishers and developers turn their apps into successful businesses by using advanced data insights to identify relevant campaigns across direct and programmatic channels for each publisher’s unique users. Over 400,000 apps have already integrated our lightweight, easy to incorporate advertising SDK. When combined with our mediation options, you can begin earning revenue from your apps in minutes,” says StartApp on its website. Experts at Wandera found 700 apps on the Google Play store using StartApp’s SDK feature. Google, however, has removed 47% of these SDKs, according to Wandera.

The exploitation of this advertising, which has now become malvertising, is making it harder for app developers to secure their apps.



Sextortion scammers still shilling with stolen passwords – 10 minute mail

The email includes the potential victim’s password as evidence of a hack, but there is more than meets the eye

Earlier in April, a new sextortion scam campaign was detected making the rounds in countries on both sides of the Atlantic. The spam emails that were detected by ESET’s research laboratory have been trying to dupe unwitting victims by referring to old passwords that have been part of old data breaches.

The campaign is not altogether new, since it repurposes old scams. The first time that scammers made waves with these tactics was in 2018 with a campaign that also included the victim’s password in the subject line. The email itself claimed that the password was obtained by compromising one of the recipient’s devices using malware.

However frightening this may seem at first glance, these are just social engineering and scare tactics, employed by cybercriminals to generate panic in the recipients of these emails. To put it simply, it is highly unlikely that your computer has either been accessed or compromised, at least not by the method suggested in the email, so there is no need to panic.

In fact, a similar campaign has been spotted recently by ESET researchers: it rehashed the content to reflect the current pandemic situation and includes a threat to infect the victim’s whole family with coronavirus.

The new extortion campaign borrows, or rather builds upon, the previous versions. The scammers start with an alarming message right off the bat to get the victim’s attention, usually by including one of the victim’s old passwords that was probably stolen as part of a previous data breach. Moving on, the fraudsters claim that the victim’s device was infected by some form of malware when visiting a porn website, and that allowed them to obtain both the victim’s password and access to their device. The scammers then purport to have made a video of the victim and the alleged “not safe for work” content.

Once the cybercriminals have scared their potential victims enough, they demand a sum to be paid within 24 hours or the embarrassing video will be released. They usually want the payment to be made in bitcoin.

After analyzing some of the cases stemming from this new sextortion scam campaign, ESET researchers found that it probably started sometime around the 8th or 9th of April. They checked the bitcoin wallet addresses shared by the attackers and found that they weren’t faring very well, to put it mildly. By contrast, during the 2018 campaign the scammers were able to trick victims out of almost half a million dollars.

To reiterate, it is important to note that the password did not come from the potential victim’s compromised machine. All of the breadcrumbs indicate that the campaign leverages credentials taken from large data leaks and older breaches, which, unfortunately, aren’t a rare occurrence. ESET researchers entered some of the victims’ email addresses into the Have I Been Pwned? website, and indeed found that their passwords and emails were gathered from services that suffered data breaches such as LinkedIn, Taringa, MyFitnessPal or Canva, among others.

What can I do?

Before you fly into a frenzy, you should take a step back and think about the whole scam. Have you ever visited a porn site? If the answer is no, well, you know the email is fake and you have nothing to worry about. And even if you did (and it’s safe to say you weren’t alone), at best it could be embarrassing to you if the secret were revealed. But to reiterate, the cybercriminals have no evidence whatsoever, video or otherwise, of a potential victim’s intended activities.

Another thing you can do is use Google or whatever search engine you prefer and enter the word scam, in quotes, along with an interesting phrase from the scam email. You can then scroll through the results, of which there may be a few thousand, and see if anything seems vaguely familiar. Quite often you will find examples of similar scams that have been floating about and have already been scrutinized by a number of researchers and experts in the field.

If you’re still not sure what you’re dealing with you can check out a list of other steps compiled by ESET researcher Bruce P. Burrell.



Luis Lubeck



Google Is All Set To Fight The Coronavirus Themed Phishing Attacks and Scams – Disposable mail news

These days of lock-down have left cyber-criminals feeling pretty antsy about “working from home”. Not that it has slowed them down: apparently the number of cyber-crime cases, phishing attacks especially, has only gone up.

This has gotten Google working on its machine-learning models to bolster the security of Gmail to create a stronger security front against cyber-criminals.

Given the current conditions, the attackers seem to have settled on a morbid theme for their phishing attacks: COVID-19. Reportedly, 18 million such attacks were blocked in a single week, which amounts to 2.5% of the 100 million phishing attacks it allegedly dodges every day.

Google, per sources, is also busy blocking around 240 million spam messages on a daily basis. These phishing attacks and spam at such a worrisome time have impelled Google and Microsoft to modify their products’ mechanisms to create a better security structure.

Reportedly, the overall number of phishing attacks hasn’t risen, but among the existing attacks, COVID-19 or coronavirus themes are being used a lot.

Malware and phishing attacks, especially the ones related to COVID-19, are being pre-emptively monitored, because, resourceful as cyber-criminals are, existing campaigns are now being reused with small changes to fit the current situation.

Among the annoying phishing emails are ones pretending to be from the World Health Organization (WHO), meant to fool recipients into making donations for victims to a falsified account.

Per the intelligence teams of Microsoft, the Coronavirus themed phishing attacks and scams are just the remodeled versions of the previous attacks.

The attackers are extremely adaptive to the things and issues that their victims might easily be drawn to. Hence a wide variety of baits can be noticed from time to time.

During the lock-down period of the pandemic, health-related and humanitarian organizations have been extensively mentioned in the scams and phishing emails.

Per sources, the Advanced Protection Program (APP) lately acquired new malware protections by enabling Google Play Protect on Android devices for specifically enrolled accounts.

Allegedly, users trying to join the program with default security keys were suspended, while the ones with physical security keys were still allowed to be enrolled.

All of Google’s improved security provisions will be turned on by default so that users can continue to live a safe and secure life amidst the pandemic.



Fraud Prevention Month: How to protect yourself from scams – 10 minute mail

ESET Chief Security Evangelist Tony Anscombe sat down with us to share his insights on how to avoid falling prey to online fraud

Are you aware of some of the most common tactics that con artists can use to steal your data, identity and money? The digital era has opened new ways for scammers to take aim at potential victims; in many cases, fraudsters can gather a range of details about unsuspecting netizens before hitting them with targeted attacks.

Online scams take various forms and become increasingly sophisticated, but being vigilant and knowledgeable about the threats will go a long way towards staying safe. To mark Fraud Prevention Month, which began in Canada this week, we talked to Tony about what people and businesses across the world can do to avoid falling victim to fraud.

Hi Tony, thank you for joining us. This week marks the start of Fraud Prevention Month, reminding both citizens and businesses of the importance of protecting themselves against fraud. The first question imposes itself: how important is individual action to prevent fraud?

Businesses and citizens lead busy lives and it is very easy to keep items that may not immediately affect us towards the bottom of the to-do list. Fraud is potentially one of those items; we may appreciate it can happen, but unless it’s happening to us at this moment in time then we can often be guilty of delaying preventative action. While this is understandable, it should not be the case. If fraud makes an appearance as an issue it will dominate time and effort at the expense of everything else we should be doing.

Preventative measures may not be as onerous to implement as you first think, and the benefits of keeping yourself out of the fraud victim statistics will for certain keep a very stressful issue at bay. For example, preventative measures against identity theft may take 3-5 hours, but recovering from identity theft can take anywhere between 100-200 hours over a six-month period.

And for businesses the risk is compounded; fraud may affect the daily operations of the business and if it requires public disclosure can lead to loss of reputation and potentially create an atmosphere of distrust with customers.

Having an action plan to prevent fraud either as a business or a citizen should be a priority on the to-do list; it’s time well spent. Don’t wait to be a victim.

According to ESET Cybersecurity Barometer 2018 for Canada, banking fraud and identity theft are Canadians’ top concerns when it comes to cybersecurity. What steps should we take to protect ourselves against these crimes?

Banking fraud and identity theft are intrinsically linked, as you would expect. Here are some tips on what should be the beginning of your plan to protect your identity.

  • When asked for personal information, either online or offline, always consider whether the requester actually needs the information.
  • Don’t overshare personal information on social media.
  • Register with credit agencies and create alerts warning you when someone is accessing your credit file.
  • Consider locking or freezing your credit file to stop access by any third party, it’s relatively simple to do and to unlock when you may need it.
  • And do all of the above for your kids too, don’t let someone steal their identity before they even start using it themselves.
  • Check bank and financial statements on a frequent basis and be on the lookout for any strange or unknown transactions.
  • Open physical mail in a timely fashion, banks and authorities use the regular mail system to alert you to changes or access to some online activities to ensure they were carried out by you.
  • Protect your mobile phone account against SIM swapping, make sure your phone account requires a PIN code or password to issue a new SIM card.
  • Use strong passwords or passphrases to secure your accounts, and keep each account secured with a unique password or passphrase.
  • When possible switch on multi factor authentication to secure your accounts, either using SMS or a dedicated app to authenticate logins and transactions. A dedicated app is recommended as it provides greater protection if you become a victim of SIM swapping.
  • Register for online social security and tax filing, even if you don’t intend using the online systems. Securing your account will stop someone registering as you.
  • Secure devices with security software and make sure it’s kept up to date.

The same study also revealed that three quarters of respondents were targeted by phishing attacks, through email or via phone (voice phishing, aka vishing). What advice would you give to users who want to protect themselves against falling for these scams?

Many of the above apply to businesses as well, securing a company bank account requires the same identifiers of the person as accessing a personal account. Businesses should adopt frequent awareness education with employees to ensure they understand what to look for to avoid fraud and scams that may affect the company. For example, protecting against phishing for login credentials and business email compromise attacks can be thwarted through education and awareness of how these social engineering attacks take place. Some core tips are:

  • Check the spelling of the web address/URL in email links before you click on them. Most email clients allow you to see the address by hovering the mouse over the clickable area, without clicking. If the address does not look right, then don’t click on it.
  • If you have clicked a link then be vigilant when you get to the website, if it does not look right or seems different to normal then don’t enter any information.
  • Don’t click links in emails that take you to login pages, for example I never click links in messages from my bank, I always type the address manually into the browser and access my bank directly.
  • If you don’t recognize the email or find the attachment suspicious, don’t open or download it.

And criminals do not only utilize electronic means. A recent example of a deepfake audio attack against a UK company shows how criminals are using sophisticated AI technology to attack businesses. Always validate the request using communication mechanisms that are trusted.

The FBI’s 2018 Internet Crime Report demonstrated the growing threat of Business Email Compromise (BEC) attacks, commonly known as CEO fraud, with losses almost doubling between 2017 and 2018. Do you think awareness trainings are efficient measures for organizations to protect themselves from these scams?

Yes, as mentioned previously, I believe employee awareness and education is important. Awareness trainings are an excellent engagement and education tool that gives employees advice not only how to recognize these attacks in the workplace but also offline. The Verizon 2019 Data Breach Investigations Report shows a decline in clicking a phishing test email by employees from 4% to 3% year on year. While this is a controlled test phishing email, it demonstrates that the education on identifying fake emails is working.


What is your forecast for future fraud trends and, more importantly, for steps to take in order to prevent fraud?

As the example above demonstrates, criminals will adopt sophisticated technology and techniques to carry out their malicious activities. As more personal data becomes available through breaches or other means then phishing email will become more targeted taking on the form of spear-phishing emails with enhanced personalization. The language and mistakes made in these malicious campaigns will become harder to spot as the technology available to create them improves.

Identity theft is a growing issue which I don’t expect to decrease anytime soon; taking the steps highlighted earlier is essential in proactively protecting against it.

And review your protection plan frequently, this is not a do-once-and-forget task!

Would you have a final piece of advice for our readers who are worried about fraud, but may not be sure what their next step(s) should be?

Firstly, don’t worry. There are numerous organizations that can help proactively, such as the advice we give here. Fraud costs financial institutions millions of dollars every year and they have expert teams on hand to both help you prevent it happening and to help you recover from it. Governments around the world also provide excellent guidance on staying safe online and avoiding fraud. The most important advice I can give is: don’t think it will not happen to me; make a plan today and act on it. 



Gabrielle Ladouceur Despins



4:15 p.m.: An urgent message from the CEO – 10 minute mail

What is CEO fraud, why is it so prevalent, and how can organizations recognize and defend themselves against these scams?

A little role-playing. You’re in the office, it’s 4:15 p.m., and you receive a message from your company’s VP of Finance. An urgent transfer of funds is required to finalize an agreement with a major partner, and the transfer must be sent by the end of the day. How do you respond?

In this second article, as part of Fraud Prevention Month (#FPM2020) we look at a very specific type of scam, which is growing in popularity at an alarming rate: CEO scams.

What is CEO fraud?

CEO fraud is a form of spearphishing attack that targets members of the company’s finance or accounting team. While in a whaling type attack criminals target senior management, in the case of the CEO fraud, they try to impersonate executives to convince the email recipients to quickly transfer money for a supposedly critical operation for the organization. However, the money is transferred to an account under the control of cybercriminals.

As you read this, you may be thinking that you would never fall for it. After all, you know your superiors well and would easily recognize their email addresses or phone numbers. Yet, the FBI estimates that, between 2016 and 2019, Business Email Compromise (BEC) generated losses of US$26 billion.

The Canadian city of Ottawa was among the victims in 2018. The city treasurer, Marian Simulik, received a scam email and wired over CA$100,000 to fraudsters. A few days later, she received another fraudulent email, asking to wire another CA$150,000. Luckily, Simulik received the second email while in the same room as City Manager Steve Kanellakos, who the fraudsters were impersonating. She asked him if the request was legitimate, which blew the lid off the scam.

In order to convince their targets, scammers use various schemes. As in many scams, criminals use social engineering. They evoke a sense of urgency in their target in order to incite the employee to act quickly and to ask a minimum number of questions. In addition, taking the identity of an executive to address a specific employee for an essential and urgent request can generate a sense of pride. Who wants to take the risk of disappointing an executive who trusts us?

Criminals also work upstream to steal the required identity. Finding the names of the company’s senior executives usually requires only a simple online search, probably on the company’s own website. Name theft thus adds credibility to their attempt.

The next step involves imitating or spoofing the email address. The easy method is to create a fake email address that looks like the legitimate one. For example, [email protected] could become [email protected] (note the missing ‘r’ in ‘your’). They can also use email spoofing, or email address spoofing. In this case, the sender’s address would appear in the message as [email protected]. In both cases, clicking ‘Reply’ would send the email directly to the scammer, rather than the legitimate recipient (or the similar email).
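The two tricks described above (a lookalike sender domain, and a spoofed sender whose replies are routed elsewhere) can be checked mechanically on inbound mail. The following is an added example, not part of the original article; the domain `yourcompany.example`, the addresses and the sample messages are constructed for illustration, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's real mail domain(s); constructed for this example.
TRUSTED_DOMAINS = {"yourcompany.example"}


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of findings for one raw RFC 5322 message.

    Only header text is inspected; SPF, DKIM and DMARC results are not
    evaluated here and should be checked separately by the mail gateway.
    """
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []

    # Lookalike check: a domain that is close to, but not equal to, a trusted one.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if not dom or dom in trusted:
            continue
        for t in sorted(trusted):
            if 0 < edit_distance(dom, t) <= max_distance:
                findings.append(f"{label} domain '{dom}' is a lookalike of '{t}'")

    # Spoofing check: From shows a trusted domain, but 'Reply' goes elsewhere.
    if from_dom in trusted and reply_dom and reply_dom not in trusted:
        findings.append(
            f"From shows trusted '{from_dom}' but replies go to '{reply_dom}'")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = """From: VP Finance <vp.finance@youcompany.example>
To: accounting@yourcompany.example
Subject: Urgent transfer before end of day

Please wire the funds today.
"""

SPOOFED = """From: VP Finance <vp.finance@yourcompany.example>
Reply-To: vp.finance@mailbox.example
To: accounting@yourcompany.example
Subject: Urgent transfer before end of day

Please wire the funds today.
"""

LEGIT = """From: VP Finance <vp.finance@yourcompany.example>
To: accounting@yourcompany.example
Subject: Quarterly numbers

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_message(raw))
```

A clean result only means the headers are consistent; a transfer request still needs confirmation through a separate trusted channel.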

How to protect your organization

The first step an organization can take to protect itself from this type of fraud is a clear and robust financial transaction protocol. For example, requiring the approval of at least two authorized persons for any transfer can be part of the rules. Rules on the types of transfers can also be implemented.

As is usually the case with fraud prevention, awareness training and vigilance are once again your allies. Since this type of fraud targets specific corporate departments, special emphasis should be placed on the members of these teams, particularly with respect to the protocols in place and the means of detecting these scams. The basic measures for recognizing phishing attempts remain just as valid here: not succumbing to pressure and a sense of urgency, and carefully checking details such as names, source addresses and signatures.

Inviting employees not to reply directly to a suspicious e-mail, but rather to contact the purported sender directly by phone – using the official number, rather than the one in the message signature – can also prevent damage. In the above example, Ms. Brown could confirm in a quick phone call from her associates that it was an attempt to defraud and not a request on her part.

Whether it’s 9:10 a.m. or 4:15 p.m., there are no bad times to remind the entire team of fraud prevention measures; and there are no bad times to implement them. As the saying goes, “an ounce of prevention is worth a pound of cure.”

As a continuation of our Fraud Prevention Month special series, our next two weekly articles will focus on one of the most popular tactics used by scammers: social engineering.

In the meantime, we encourage you to read our interview with ESET Chief Security Evangelist Tony Anscombe, who spoke about what people and businesses can do to avoid falling prey to various types of online fraud.



Gabrielle Ladouceur Despins



Meghan Markle and Prince Harry’s Names Used for Fake Celebrity Endorsement of Bitcoins? – Disposable mail news

While the Coronavirus pandemic has practically driven people to stay locked up in their homes and spend a lot more (in some cases almost all) of their time online, the possibilities for cyber-criminals have only flourished.

Cyber-security experts have realized this and made a point of ensuring that everyone knows the kind of danger lurking in their cyber-world.

From elaborate scams to phishing attacks that target the victim’s personal information, there is a lot that people need to be cautious about.

The cryptocurrency industry is going through a lot due to the current crisis the world is in. The “crypto-partakers” are particularly on the hit list, with something as attention-grabbing as a purported “celebrity endorsement”. The latest bait names for this attempt happen to be those of charming Meghan Markle and Prince Harry.

Well-known personalities’ names like Bill Gates, Lord Sugar and even Richard Branson have been misused to lure people in as a part of similar scams. It is not necessary for the people mentioned to belong to a particular industry. They could be anyone famous for that matter.

The scams are so elaborate that once fooled the victims can’t even trace the mal-agent and. The latest scam, per sources, employs a fake report from the “BBC” mentioning how Prince Harry and Meghan Markle found themselves a “wealth loophole”.
Per sources, they also assure their targets that in a matter of three to four months they could convert them into millionaires. Further on, allegedly, it is also mentioned that the royals think of the cryptocurrency auto-trading as the “Bitcoin Evolution”. It reportedly also includes a fake statement purportedly made by Prince Harry.

The overconfident scammers also declare that no other application performs the trading with accuracy like theirs. Reportedly, on their website, there are banners with “countdowns” that push people to think the offers are available for a limited period only.

According to researchers this is one of the many schemes desperate cyber-criminals resort to. People not as used to the Cryptocurrency industry and the trading area, in particular, are more vulnerable to such highly bogus scams and tricks that the cyber-criminals usually have up their sleeves.



Beware scams exploiting coronavirus fears – 10 minute mail

From malware-laden emails to fake donations, these are some of the most common cons you should watch out for amid the public health crisis

We are currently experiencing an unprecedented global event. The outbreak of Coronavirus Disease 2019 (COVID-19) – now officially a pandemic – has caused apprehension globally, ultimately resulting in lockdowns, travel bans, panic buying, and financial market turmoil.

Scammers, too, have taken notice. Emergencies offer golden opportunities for con artists to launch fraudulent campaigns that feed off, and cash in on, the climate of concern. Against the backdrop of a disease that has so far caused more than 4,000 deaths and continues to spread, scammers have wasted no time in playing on people’s fears or evoking feelings of compassion.

Some cybercriminals clearly think that all their Christmases have come at once: an anxious population, vulnerable people at the highest risk, excessive demand for goods no longer in stock, and masses of disinformation sloshing around on social media – all this equates to a massive opportunity to prey on people and attempt to defraud them while they are at their most susceptible.

The scams can take various forms, and the ESET research team has shared a few examples of the despicable tactics seen in use recently.

Malicious news

As a major source of information on the outbreak, the World Health Organization (WHO) is among the most-impersonated authorities in the ongoing scam campaigns. In the example below, fraudsters pretend to offer important information about the virus in an attempt to get potential victims to click on malicious links. Typically, such links can install malware, steal personal information, or attempt to capture login and password credentials.

Figure 1. An email purporting to be from the World Health Organization

The WHO is aware that its brand is being used by scammers, so it provides advice on its website on how it communicates, and provides details of what it will or will not do in official emails. One of the most important points to note reads:

“Make sure the sender has an email address such as ‘[email protected]’. If there is anything other than ‘who.int’ after the ‘@’ symbol, this sender is not from WHO. WHO does not send email from addresses ending in ‘@who.com’, ‘@who.org’ or ‘@who-safety.org’ for example.”

The organization also advises checking the URL of any link in an email: all of its web content starts with https://www.who.int/ and no other domain is used. If there’s any doubt, type the address directly into your browser.

Importantly, the WHO has not randomly started to email people who are not subscribed to a service. Consider navigating to the dedicated WHO site or to the sites of your respective national health care institutions, such as the Centers for Disease Control and Prevention (CDC) in the United States or the National Health Service in the United Kingdom.
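The two WHO rules quoted above (the sender's domain is exactly ‘who.int’, and links start with https://www.who.int/) can be expressed as an exact-match check. This is an added example, not code from the WHO or from the original article; the sample message is constructed and its look-alike hosts use the reserved .example TLD.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SENDER_DOMAIN = "who.int"    # from the WHO guidance quoted above
LINK_HOST = "www.who.int"    # from "https://www.who.int/"

# Constructed sample message (not a real email).
SAMPLE = """\
From: "World Health Organization" <alerts@who-safety.org>
To: reader@example.net
Subject: COVID-19 safety measures

Read the guidance: https://www.who.int.updates.example/covid
Official page: https://www.who.int/emergencies
Mirror: https://www.who.int@login.example/secure
"""


def sender_is_who(from_header):
    """True only if the address part (not the display name) is at who.int."""
    _display, addr = parseaddr(from_header or "")
    if addr.count("@") != 1:
        return False
    # Compare the whole domain: 'who.int.example.net' must not pass.
    return addr.rsplit("@", 1)[1].lower().rstrip(".") == SENDER_DOMAIN


def link_is_who(url):
    """True only for https links whose host is exactly www.who.int."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and parts.hostname == LINK_HOST   # rejects www.who.int.<anything>
        and parts.username is None        # rejects https://www.who.int@other-host/
        and port in (None, 443)
    )


def check_message(raw):
    """Return (sender_ok, list_of_links_that_fail_the_rule)."""
    msg = message_from_string(raw)
    body = msg.get_payload()   # the sample is a single-part text message
    links = re.findall(r"https?://[^\s<>\"']+", body)
    return sender_is_who(msg["From"]), [u for u in links if not link_is_who(u)]


if __name__ == "__main__":
    sender_ok, bad_links = check_message(SAMPLE)
    print("sender passes WHO rule:", sender_ok)
    for link in bad_links:
        print("link fails WHO rule:", link)
```

The comparison is on the parsed host, not on the start of the string, because a prefix test would accept both failing links in the sample.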

The real news can also be found on the trusted sources you normally visit to get your daily intake. Links in unsolicited emails do not have unique or breaking news stories.

In another example, the phishing website below is attempting to impersonate the Wall Street Journal (WSJ) and is supposedly reporting the latest COVID-19 news. We have redacted some of the URL for obvious reasons, but notice that it starts with ‘worldstreet’ and the wording on the webpage states ‘world street’.

Nevertheless, some visual consistency with WSJ branding is there in a clear attempt to subtly trick the visitor into thinking that this is the Wall Street Journal. The delivery of advertising on the site is generating revenue for the bad actors, even if no personal details are gleaned from the user.

Figure 2. Hardly the real thing

Exploiting the charitable spirit

Another common type of scam doing the rounds is a tug on the heart strings that attempts to get the recipient to help fund the vaccine for children in China. There is, at the time of writing, no vaccine available and it is not expected to be ready for public use until next year.

Figure 3. The fake charity

The interesting background to this example is that the bad actor has repurposed an existing campaign infrastructure and process with COVID-19 content. In 2019 we published details of a sextortion scam campaign attempting to scare victims in an attempt to extort money from them.

People who receive the coronavirus-themed emails are asked to send bitcoins to the attackers’ wallets. Despite this technique being only effective for a fraction of the users, when done on a global scale it can be financially attractive for the criminals.

Unmasked

In another type of fraud, scammers send spam emails in a bid to dupe the victims into thinking they can order face masks that will keep them safe from the novel coronavirus. What happens instead is that the victims will unwittingly reveal their sensitive personal and financial information to the fraudsters.

Figure 4. Fake offers for face masks

As you would expect, Google Trends shows that search volumes for terms such as ‘hand sanitizer’ and ‘face masks’ are reaching unprecedented levels. With demand for these products outstripping supply, con artists have been increasingly targeting people who are looking to take protective measures. According to Sky News, fraudulent face mask sellers swindled people in the UK out of £800,000 (US$1 million) in February alone.

Face masks are in very limited supply, so be savvy about product claims and only purchase from a trusted vendor that you would normally trust with your order (and credit card details!).

Final thoughts

These are just a few of the examples of how cybercriminals are attempting to capitalize on the current climate surrounding the virus outbreak. This is an apt time for individuals and businesses to learn, or be reminded of, some of the most common ways criminals capitalize on people’s emotions (not only) during major events and emergencies.

Remaining vigilant, identifying and ignoring the product of cybercriminals and cyber-nuisances involved in scams or fake news is essential. Here are some of the basics that will help you stay safe:

  • Avoid clicking on any links or downloading any attachments in unsolicited emails or texts from unknown sources, or even in trusted sources unless you’re absolutely sure that the message is authentic.
  • Ignore communications that ask for your personal information. If necessary, verify the contents of the message with the apparent sender or the organization that they (seemingly) represent, and do so via a different medium than the received message.
  • Be especially wary of emails that add to the sense of alarm and urge you to take immediate action or offer COVID-19 vaccines or cures.
  • Look out for fraudulent charities or crowdfunding campaigns.
  • Use reputable multi-layered security software that includes protection against phishing.



Tony Anscombe



4:15 p.m.: An urgent message from the CEO – 10 minute mail

What is CEO fraud, why is it so prevalent, and how can organizations recognize and defend themselves against these attacks?

A little role-playing. You’re in the office, it’s 4:15 p.m., and you receive a message from your company’s VP of Finance. An urgent transfer of funds is required to finalize an agreement with a major partner, and the transfer must be sent by the end of the day. How do you respond?

In this second article, as part of Fraud Prevention Month (#FPM2020) we look at a very specific type of scam, which is growing in popularity at an alarming rate: CEO scams.

What is CEO fraud?

CEO fraud is a form of spearphishing attack that targets members of the company’s finance or accounting team. While in a whaling type attack criminals target senior management, in the case of the CEO fraud, they try to impersonate executives to convince the email recipients to quickly transfer money for a supposedly critical operation for the organization. However, the money is transferred to an account under the control of cybercriminals.

As you read this, you may be thinking that you would never fall for it. After all, you know your superiors well and would easily recognize their email addresses or phone numbers. Yet, the FBI estimates that, between 2016 and 2019, Business Email Compromise (BEC) generated losses of US$26 billion.

The Canadian city of Ottawa was among the victims in 2018. The city treasurer, Marian Simulik, received a scam email and wired over CA$100,000 to fraudsters. A few days later, she received another fraudulent email, asking to wire another CA$150,000. Luckily, Simulik received the second email while in the same room as City Manager Steve Kanellakos, who the fraudsters were impersonating. She asked him if the request was legitimate, which blew the lid off the scam.

In order to convince their targets, scammers use various schemes. As in many scams, criminals use social engineering. They evoke a sense of urgency in their target in order to incite the employee to act quickly and ask a minimum number of questions. In addition, taking the identity of an executive to address a specific employee for an essential and urgent request can generate a sense of pride. Who wants to take the risk of disappointing an executive who trusts us?

Criminals also work upstream to steal the required identity. Finding the names of the company’s senior executives usually requires only a simple online search, probably on the company’s own website. Name theft thus adds credibility to their attempt.

The next step involves imitating or spoofing the email address. The easy method is to create a fake email address that looks like the legitimate one. For example, [email protected] could become [email protected] (note the missing ‘r’ in ‘your’). They can also use email spoofing, or email address spoofing. In this case, the sender’s address would appear in the message as [email protected]. In both cases, clicking ‘Reply’ would send the email directly to the scammer, rather than the legitimate recipient (or the similar email).
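Both tricks described above leave traces in the message headers: a From domain that is one or two characters away from the real one, or a genuine-looking From with a Reply-To that points elsewhere. The following detection sketch is an added example, not code from the original article; the organization domain `yourcompany.example`, the sender name and the three messages are constructed assumptions, not the addresses redacted above.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "yourcompany.example"   # assumption: the organization's real domain

# Constructed sample messages.
LOOKALIKE = """\
From: "M. Brown" <m.brown@youcompany.example>
Subject: Urgent transfer before end of day

Please wire the funds today.
"""
SPOOFED = """\
From: "M. Brown" <m.brown@yourcompany.example>
Reply-To: m.brown@mail-relay.example
Subject: Urgent transfer before end of day

Please wire the funds today.
"""
LEGIT = """\
From: "M. Brown" <m.brown@yourcompany.example>
Subject: Quarterly report

Attached as discussed.
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(raw, max_distance=2):
    """Return a list of findings for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom   # no Reply-To: replies go to From
    findings = []
    # A near-miss of the real domain is more suspicious than an unrelated one.
    if from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= max_distance:
        findings.append("lookalike-from-domain")
    # A reply that would leave the From domain is the second trick.
    if reply_dom != from_dom:
        findings.append("reply-to-diverges")
    return findings


if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, classify(raw))
```

Header checks like this only triage; a forged From that also omits Reply-To is caught by sender authentication at the mail gateway and by the phone verification described below, not by this comparison.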

How to protect your organization

The first step an organization can take to protect itself from this type of fraud is a clear and robust financial transaction protocol. For example, requiring the approval of at least two authorized persons for any transfer can be part of the rules. Rules on the types of transfers can also be implemented.

As is usually the case with fraud prevention, awareness training and vigilance are once again your allies. Since this type of fraud targets specific corporate departments, special emphasis should be placed on the members of these teams, particularly with respect to the protocols in place and the means of detecting these scams. The basic measures for recognizing phishing attempts remain just as valid here: not succumbing to pressure and a sense of urgency, and carefully checking details such as names, source addresses and signatures.

Encouraging employees not to reply directly to a suspicious e-mail, but rather to contact the apparent sender by phone – using the official number, rather than the one in the message signature – can also prevent damage. In the above example, Ms. Brown could confirm in a quick phone call from her associates that the message was an attempt to defraud and not a request on her part.

Whether it’s 9:10 a.m. or 4:15 p.m., there are no bad times to remind the entire team of fraud prevention measures; and there are no bad times to implement them. As the saying goes, “an ounce of prevention is worth a pound of cure.”

As a continuation of our Fraud Prevention Month special series, our next two weekly articles will focus on one of the most popular tactics used by scammers: social engineering.

In the meantime, we encourage you to read our interview with ESET Chief Security Evangelist Tony Anscombe, who spoke about what people and businesses can do to avoid falling prey to various types of online fraud.



Gabrielle Ladouceur Despins



Fraud Prevention Month: How to protect yourself from scams – 10 minute mail

ESET Chief Security Evangelist Tony Anscombe sat down with us to share his insights on how to avoid falling prey to online fraud

Are you aware of some of the most common tactics that con artists can use to steal your data, identity and money? The digital era has opened new ways for scammers to take aim at potential victims; in many cases, fraudsters can gather a range of details about unsuspecting netizens before hitting them with targeted attacks.

Online scams take various forms and become increasingly sophisticated, but being vigilant and knowledgeable about the threats will go a long way towards staying safe. To mark Fraud Prevention Month, which began in Canada this week, we talked to Tony about what people and businesses across the world can do to avoid falling victim to fraud.

Hi Tony, thank you for joining us. This week marks the start of Fraud Prevention Month, reminding both citizens and businesses of the importance of protecting themselves against fraud. The first question imposes itself: how important is individual action to prevent fraud?

Businesses and citizens lead busy lives and it is very easy to keep items that may not immediately affect us towards the bottom of the to-do list. Fraud is potentially one of those items, we may appreciate it can happen but unless it’s happening to us at this moment in time then we can often be guilty of delaying preventative action. While this is understandable, it should not be the case. If fraud makes an appearance as an issue it will dominate time and effort at the expense of everything else we should be doing.

Preventative measures may not be as onerous to implement as you first think, and the benefits of keeping yourself out of the fraud victim statistics will for certain keep a very stressful issue at bay. For example, preventative measures against identity theft may take 3-5 hours, but recovering from identity theft can take anywhere between 100-200 hours over a six-month period.

And for businesses the risk is compounded; fraud may affect the daily operations of the business and if it requires public disclosure can lead to loss of reputation and potentially create a distrust atmosphere with customers.

Having an action plan to prevent fraud either as a business or a citizen should be a priority on the to-do list; it’s time well spent. Don’t wait to be a victim.

According to ESET Cybersecurity Barometer 2018 for Canada, banking fraud and identity theft are Canadians’ top concerns when it comes to cybersecurity. What steps should we take to protect ourselves against these crimes?

Banking fraud and identity theft are intrinsically linked, as you would expect. Here are some tips on what should be the beginning of your plan to protect your identity.

  • When asked for personal information, either online or offline, always consider whether the requester actually needs the information.
  • Don’t overshare personal information on social media.
  • Register with credit agencies and create alerts warning you when someone is accessing your credit file.
  • Consider locking or freezing your credit file to stop access by any third party, it’s relatively simple to do and to unlock when you may need it.
  • And do all of the above for your kids too, don’t let someone steal their identity before they even start using it themselves.
  • Check bank and financial statements on a frequent basis and be on the lookout for any strange or unknown transactions.
  • Open physical mail in a timely fashion, banks and authorities use the regular mail system to alert you to changes or access to some online activities to ensure they were carried out by you.
  • Protect your mobile phone account against SIM swapping, make sure your phone account requires a PIN code or password to issue a new SIM card.
  • Use strong passwords or passphrases to secure your accounts, and keep each account secured with a unique password or passphrase.
  • When possible switch on multi factor authentication to secure your accounts, either using SMS or a dedicated app to authenticate logins and transactions. A dedicated app is recommended as it provides greater protection if you become a victim of SIM swapping.
  • Register for online social security and tax filing, even if you don’t intend using the online systems. Securing your account will stop someone registering as you.
  • Secure devices with security software and make sure it’s kept up to date.

The same study also revealed that three quarters of respondents were targeted by phishing attacks, through email or via phone (voice phishing, aka vishing). What advice would you give to users who want to protect themselves against falling for these scams?

Many of the above apply to businesses as well, securing a company bank account requires the same identifiers of the person as accessing a personal account. Businesses should adopt frequent awareness education with employees to ensure they understand what to look for to avoid fraud and scams that may affect the company. For example, protecting against phishing for login credentials and business email compromise attacks can be thwarted through education and awareness of how these social engineering attacks take place. Some core tips are:

  • Check the spelling of the web address/URL in email links before you click on them. Most email clients allow you to see the address by hovering the mouse over the clickable area, without clicking. If the address does not look right, then don’t click on it.
  • If you have clicked a link then be vigilant when you get to the website, if it does not look right or seems different to normal then don’t enter any information.
  • Don’t click links in emails that take you to login pages, for example I never click links in messages from my bank, I always type the address manually into the browser and access my bank directly.
  • If you don’t recognize the email or find the attachment suspicious, don’t open or download it.

And criminals do not only utilize electronic means. A recent example of a deepfake audio attack against a UK company shows how criminals are using sophisticated AI technology to attack businesses. Always validate the request using communication mechanisms that are trusted.

The FBI’s 2018 Internet Crime Report demonstrated the growing threat of Business Email Compromise (BEC) attacks, commonly known as CEO fraud, with losses almost doubling between 2017 and 2018. Do you think awareness trainings are efficient measures for organizations to protect themselves from these scams?

Yes, as mentioned previously, I believe employee awareness and education is important. Awareness trainings are an excellent engagement and education tool that gives employees advice not only on how to recognize these attacks in the workplace but also offline. The Verizon 2019 Data Breach Investigations Report shows a decline in clicking a phishing test email by employees from 4% to 3% year on year. While this is a controlled test phishing email, it demonstrates that the education on identifying fake emails is working.

What is your forecast for future fraud trends and, more importantly, for steps to take in order to prevent fraud?

As the example above demonstrates, criminals will adopt sophisticated technology and techniques to carry out their malicious activities. As more personal data becomes available through breaches or other means then phishing email will become more targeted taking on the form of spear-phishing emails with enhanced personalization. The language and mistakes made in these malicious campaigns will become harder to spot as the technology available to create them improves.

Identity theft is a growing issue which I don’t expect to decrease anytime soon; taking the steps highlighted earlier is essential in proactively protecting against it.

And review your protection plan frequently, this is not a do-once-and-forget task!

Would you have a final piece of advice for our readers who are worried about fraud, but may not be sure what their next step(s) should be?

Firstly, don’t worry. There are numerous organizations that can help proactively, such as the advice we give here. Fraud costs financial institutions millions of dollars every year and they have expert teams on hand to both help you prevent it happening and to help you recover from it. Governments around the world also provide excellent guidance on staying safe online and avoiding fraud. The most important advice I can give is: don’t think it will not happen to me; make a plan today and act on it. 



Gabrielle Ladouceur Despins

