SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 233: A Spate of Scams and Following Up on Venmo

Posted on June 4, 2021

This week on The Checklist, we’ll talk about:

Text scams hit the UK
New normal, new scams
How to hide your friends

Text scams hit the UK

Authorities in the United Kingdom are warning residents about a sudden surge in text scams. The scams come in two flavors: text messages that appear to come from delivery services, and texts that purport to come from customs officials.

These kinds of scams are typically seasonal — which is why we talked about package delivery and customs scams back around the holidays. But because of COVID-19, more people are shopping online than usual, opening the door to out-of-season delivery scams. In addition, governments are sometimes altering their normal procedures these days, which can make a fake “customs alert” seem more legitimate than it ordinarily would.

In an interesting twist, experts say that young people are more likely to fall victim to these scams, rather than the elderly — for the simple reason that younger folks are more likely to be taking care of business online and on their mobile devices.

So how do the scams actually work? It’s nothing fancy: scammers send out their fraudulent messages en masse, and hope that a small number of people will be fooled.

In the scam texts where the fraudsters are asking for money, the amount usually isn’t all that much — just a small delivery fee — because what they’re really after is credit card details. There are also variants of these text scams that try to get people to click on malicious links. The goal here is to infect mobile devices with data-stealing malware.

As for what you can do to avoid these scams, just follow these simple recommendations:

If you get a text, email, or call from some delivery company, remember that you can’t be sure if the sender is really who they say they are. The best thing to do is to find the company website yourself (or the customer service number) and reach out to them on your own. You should be able to look up any delivery issues in your account area, or by using a shipment or reference number.

When it comes to phishing emails, regular listeners of this podcast will already be aware of the basic best practices for dealing with them (If you’re a newer listener, Checklist 37: Gone Phishing is an excellent introduction to phishing awareness). As always, look for the telltale signs of a phishing email: messages that create a false sense of urgency using threats or deadlines, misspellings and grammatical errors, and sender addresses that come from strange-looking domains.

New normal, new scams

In the United States, more and more folks are headed back to work … at the actual, physical office! After working from home for so long, that can be a big readjustment, and will clearly require some communication between companies and their returning workers. Unfortunately, the scammers know this — and are taking advantage of the situation to send fake “welcome back to the office” emails.

People who have seen these emails in the wild say that they look pretty legitimate. They use the company’s actual branding and logo, and appear to be signed by the Chief Information Officer. The message itself includes information about new security precautions and new health and safety practices at the office. The emails provide a link to a Microsoft SharePoint page that promises further information … but that contains malicious documents instead. The documents themselves appear authentic — they use company branding as well — but they’re actually phishing tools designed to steal user credentials. 

If the user tries to click on one of the documents, they’ll see a login panel prompting them to provide their credentials in order to view the file. In other words, they’re not redirected to a separate login page (the usual tactic in scams like this), which in itself may be enough to fool some users into entering their login credentials. 

The attack also employs a sneaky tactic designed to make affected users think that everything is OK. The first few times that they enter their login details, they’re told that their login information is incorrect. But if they keep trying, they’re taken to a real Microsoft page with some documents, which makes the user believe that everything is in order.

So what can you do to protect yourself from these malicious welcome back emails?

Well, just being aware that it’s happening is a good first step. But beyond that, carefully inspect any email that appears to come from your workplace — especially if it has to do with returning to the office. If you’re not sure about an email, don’t open it or click on anything. Instead, ask someone in IT if the email is legitimate, and if it’s safe to open. Don’t worry, you won’t be “bothering” them. Your IT department would much rather spend a few minutes looking over an email than a few weeks dealing with a data breach or a ransomware attack!

How to hide your friends

Last week, we discussed the privacy and security issues with the mobile payment service Venmo (Checklist 232: Practice Safe Venmo and Update Your Stuff). In a nutshell, security analysts were calling the platform “a privacy nightmare” after reporters uncovered the personal Venmo accounts of President Joe Biden and First Lady Jill Biden. 

Well, Venmo heard the criticism, and they listened! At least, sort of …

By far the biggest privacy issue with Venmo was that it was impossible to hide your list of “Venmo friends”. That meant that anyone who could find your Venmo profile could also see a list of your Venmo contacts — which could reveal a ton of information about your private life.

In response, Venmo has now added a “hide friends” feature in the app’s account settings. If you want, you can now set your Venmo friends list to private. To do this, go to Settings > Privacy and scroll down to the Friends List setting. Tap on the Friends List setting, and then select Private so that no one else can see your Venmo contacts. In addition, you also need to toggle the “Appear in other users’ friends lists” setting from green (on) to gray (off).

This is a definite improvement over the way things were. But privacy observers at the Electronic Frontier Foundation and Mozilla say that there’s still work to be done. While both organizations commend Venmo for making it possible for users to hide their friends lists, they also stress that privacy should be the default setting for any app. Both EFF and Mozilla have urged Venmo to take the extra step of making all transactions and friends lists private by default.

Do you have a burning security or privacy question that you’d like to have answered on a future edition of The Checklist? Ask away! We always love hearing from our listeners.