Spring Spamapalooza

Spring Spamapalooza:  is your inbox feeling like a spam festival? You’re not alone. Everyone has been getting more spam this spring.

Spring Spamapalooza

A phish is a malicious email whose purpose is to either obtain login information and/or infect the recipient’s computer. Hackers are definitely having a spring spamlooza with lots of phishes for small business.

What do the phishes look like? Definitely seeing an increase in fake invoices. Usually the invoice is a poisoned PDF attachment though sometimes it’s an URL (web link) to a malicious web site.

Also seeing a lot of fake delivery notification emails with URLs leading to web site that a) try to infect your computer or b) capture login information. A lot of these purport to be from Canada Post. The fake Canada Post emails are usually easy to spot: all Canada Post emails are in both in English and then French.

Canada Post Phish
Note the sender email address, definitely not Canada Post. Also no French text below English text. Running a mouse carefully over the web link shows the real destination is not the Canada Post web site

Text Scams or Smishing

Text scams tend to be more topical: fake Ukraine relief appeals, something  that has been in the news recently, tax refunds and delivery notifications. The example below is a fake tax refund link.

Area code shows it’s not from Ottawa or Canada Revenue. Replying would most likely get you a link to a malicious web site where the smisher would capture your Canada Revenue login or try to get your banking informaiton

What are the goals?

Hackers want your banking information, credit information and logins to other web sites. Hackers really want your administrator access to Microsoft 365 or G-Suite accounts. With the Microsoft 365 or G-Suite access, hackers can buy themselves products licenses, harvest company email addresses and then use your email addresses to scam your clients.

Best Defense

Educate your staff regularly. Advise how to deal with invoices from unknown parties. Enable multifactor authentication (MFA) on administrator accounts.

While antivirus products might protect your from some of the malicious attachments and web links, your best defense is being vigilant and suspicious of unexpected emails and text messages.