This Scam Starts With an Email, Then a Phone Call—What to Do If You're Targeted
Hackers and fraudsters are using a new tactic to lure in potential victims.
Even though technology has made our lives easier in many ways, it's also exposed us to new vulnerabilities. Scammers are now quick to take advantage of any new ways to lure in victims and commit fraud or take your money. Many modern ploys can use messages or texts to trick people into giving up their information, while others can involve getting contacted by a surprising or unexpected number. But now, a new scam making the rounds uses both an email and then a phone call to take advantage of unsuspecting people. Read on to see what you should do if you're targeted.
The latest type of scam is known as "callback phishing."
By now, the non-stop SPAM calls that bombard our phones can make the occasional scam emails we receive seem like a trickle by comparison. But according to experts, there's one new type of scam that combines both forms of communication known as "callback phishing."
According to a report published by cybersecurity firm Unit 42 on Nov. 21, hacker groups known as Luna Moth and Silent Ransom Group have begun targeting victims with the double-tiered tactic. The firm says that it has so far "cost victims hundreds of thousands of dollars and is expanding in scope."
Instances of the latest scam also appear to be skyrocketing. According to data from email security company Agari, there was a 625 percent increase in callback phishing activity from the start of 2021 to the second quarter of this year, The Washington Post reports.
The latest scam starts with an email that's followed by a phone call.
Even though it may be new, callback phishing actually starts off relatively similar to other scams. Targets first receive an email with an attached invoice claiming they're about to be charged for a new subscription or service for an amount usually under $1,000, according to Unit 42. Most have an attached invoice in PDF format, making it harder for email security software to detect and intercept. And since the amount is lower, victims are less likely to question the charge or become suspicious.
The email or invoice also contains a phone number formatted to evade inbox security, which targets will then call to dispute or question the charge. In reality, the number leads to a call center staffed by scammers. The live agents direct the unsuspecting victims to download a remote support tool that will give the criminals access to their computers and all of their files.
Hackers use the victim's personal information to make a seriously costly threat.
At this point, hackers can go through the computer to locate important files and sensitive information. They'll quietly download the information while still on the phone with the victim.
After the scammer has scooped what they need, they'll send the victim an extortion email demanding that they pay a hefty ransom to keep the hackers from releasing the files. Usually, ignoring these emails brings about an escalation where the hackers will demand more money or threaten to expose the information to the victim's known associates.
Unfortunately, complying with the crooks isn't always a viable solution, either. "Paying the attacker did not guarantee they would follow through with their promises. At times they stopped responding after confirming they had received payment and did not follow through with negotiated commitments to provide proof of deletion," Kristopher Russo, a senior threat researcher at Palo Alto Networks Unit 42, wrote in the report.
Here's how you can avoid falling victim to a callback phishing scam.
One of the most significant challenges in detecting a callback phishing scam is that it has been designed to skirt most standard safety measures. By using both a human actor and downloading legitimate remote access software instead of malware, it can be harder for security systems to pick up on the ploy, Unit 42 explains. But there are still a few red flags that might tip you off when something fishy is happening.
"People should always be cautious of messages that invoke fear or a sense of urgency," Russo advises. "Do not respond directly to suspicious invoices."
If you're unsure whether or not a charge is legitimate, it's best to look up the company in question's website on your own. Then, contact them directly through a customer service number posted on their legitimate website instead of using the contact provided to you in the email, Russo writes.
Anyone concerned that they've been targeted or compromised can also contact Unit 42's incident response team at the toll-free number listed on the firm's report.