Online financial scams have become increasingly sophisticated, targeting unsuspecting individuals through various deceptive techniques. Cybercriminals exploit trust and create convincing scenarios to steal personal and financial information, often using well-known platforms like PayPal as their hunting ground.

Take Paul from Massachusetts, for example. He recently wrote to us about his disturbing experience. It serves as a cautionary tale about the dangers of online financial transactions. Here’s his account in his own words.

“I wanted to sign up for PayPal and used Google to get the website. After the ‘website’ popped up, it asked me for the usual name, address, etc. and my credit card number with the expiration and 3-digit code. Almost immediately, I received a flash message from my credit card company asking if I made a purchase at a company in OKLA. I live in MA and had the card in my lap. The information was stolen, and a purchase was made almost immediately.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

“The credit card company tried to contact where the purchase was made but the telephone number was a fake. The thieves tried a second purchase which was declined as the credit card company closed my account. This all happened in a 10-minute span.”

Paul, we’re sorry to hear that this happened to you. Unfortunately, your experience is not uncommon, but by sharing your story, you’re helping others learn how to avoid similar scams.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

Key takeaways from Paul’s experience

Paul’s unfortunate encounter with online fraud offers several important lessons. First, scammers have become adept at creating highly convincing fake websites that can easily fool unsuspecting users. These sites often mimic legitimate platforms down to the smallest details, making it crucial to verify the authenticity of any site requesting personal information.

Second, fraudulent transactions can occur with alarming speed once scammers obtain sensitive data. In Paul’s case, the thieves attempted to make purchases within minutes of acquiring his credit card information.

Third, credit card companies have developed sophisticated systems to detect suspicious activity rapidly, which can help mitigate potential losses. Paul’s credit card company quickly alerted him to the unauthorized transaction and took swift action to prevent further fraud.

Lastly, this incident underscores the critical importance of digital vigilance and careful online navigation. Always take the time to verify the authenticity of websites before entering any personal or financial information, especially when dealing with financial services or online payments.

A man typing on his laptop (Kurt “CyberGuy” Knutsson)

BEWARE OF THIS LATEST PHISHING ATTACK DISGUISED AS AN OFFICIAL EMAIL SENT BY GOOGLE

How to protect yourself from online financial scams

Protecting your financial information online is crucial. Here are some important steps you can take to safeguard yourself against cyber threats:

Verify the website’s authenticity: Before entering any personal information online, always double-check the URL of the website you’re visiting. Look for “https://” at the beginning of the address and a padlock icon in the address bar, which indicates a secure connection. To ensure you’re on the correct site, type the web address directly into your browser instead of relying on search engine results or clicking on links from emails.

Be wary of unsolicited communications: Legitimate companies will never send unsolicited emails asking for sensitive information. Avoid clicking on links in emails claiming to be from financial institutions, as these could be phishing attempts. Hover over the links to see the actual URL before clicking, as this can help you identify suspicious or misleading addresses. If you’re unsure about a communication, log in to your account directly through the official website or app to check for any notifications or requests.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

Use strong authentication methods: Enable two-factor authentication on all your financial accounts to add an extra layer of security. Create unique, complex passwords for each of your accounts, avoiding the temptation to reuse passwords across multiple sites. Consider using a reputable password manager to help you generate and store strong passwords securely.

Monitor your accounts regularly: Make it a habit to check your financial accounts frequently for any unauthorized activities or suspicious transactions. Set up alerts for transactions on your credit cards and online payment accounts so you can be immediately notified of any activity on your accounts.

Be cautious with personal information: Never share your passwords or answers to security questions with anyone, no matter how trustworthy they may seem. Be skeptical of any requests for personal information, especially those that create a sense of urgency. Legitimate organizations will not pressure you to provide sensitive data immediately.

Use secure payment methods: When making purchases from unknown sellers, use protected payment options that offer buyer protection. Consider using credit cards for online purchases, as they often provide better fraud protection than debit cards. If a website offers multiple payment options, choose the most secure method available.

Use caution with public Wi-Fi: Avoid using public Wi-Fi networks for financial transactions, as these can be easily compromised. If you must access financial accounts while away from home, use a secure VPN connection to protect against being tracked and to identify your potential location on websites that you visit. Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices.

A man typing on his laptop (Kurt “CyberGuy” Knutsson)

SCAMMERS EXPLOIT GRIEF WITH FAKE FUNERAL STREAMING ON FACEBOOK

What to do if you suspect a scam

1. Act quickly: If you suspect your information has been compromised, change your passwords immediately.

2. Contact the company: Report any suspicious activity to the security team of the affected platform.

3. Alert your bank: Notify your bank or credit card company about potential fraudulent activities.

4. Use an identity theft protection service: Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

One of the best parts of my No. 1 pick is that they have identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft.

5. Report the incident: Forward suspicious emails to the appropriate authorities and delete them from your inbox.

6. Monitor your credit: Keep a close eye on your credit reports for any unauthorized activities.

HOW SCAMMERS USE YOUR PERSONAL DATA FOR FINANCIAL SCAMS AND HOW TO STOP THEM

Kurt’s key takeaways

Protecting your financial information online is more crucial than ever. Paul’s experience serves as a stark reminder of how quickly things can go wrong when we let our guard down. By following the guidelines outlined above and remaining vigilant, you can significantly reduce the risk of falling victim to online financial scams. Remember, when it comes to your financial information, it’s always better to err on the side of caution. Take the extra time to verify websites, and be skeptical of unsolicited requests for information. Your financial security is worth the effort.

How do you think the responsibility for online security should be shared between individuals, companies and governments? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.

The US Senate has passed the National Defense Authorization Act (NDAA), the annual defense spending bill, and it may have major consequences for the world’s largest drone company — though not necessarily the immediate ban that China’s DJI feared.

While it did not contain the full “Countering CCP Drones Act” provisions that would have quickly blocked imports of DJI products into the United States, it instead kicks off a one-year countdown until its products (and those of rival dronemaker Autel Robotics) are automatically banned.

If DJI cannot convince “an appropriate national security agency” to publicly declare that its products do not “pose an unacceptable risk to the national security of the United States,” the act instructs the FCC to add DJI’s gear to its “covered list” under the Secure and Trusted Communication Networks Act. Not only does that list keep that gear from running on US networks, it bars the FCC from authorizing their internal radios for use in the US, effectively blocking all imports.

While none of that would keep US citizens from continuing to use their existing DJI gadgets, it wouldn’t just ban new DJI drones from import into the United States. Every DJI product with a radio or camera, like the Verge favorite DJI Osmo Pocket 3, would technically be banned. (The NDAA doesn’t specify just drones, but rather communications and video surveillance equipment.)

The text of the bill (PDF, see page 1084-1088) should theoretically prevent DJI from exploiting the loophole of whitelabeling its drones under other brand names or licensing its technology, too, as it seemed to be doing with the Anzu Robotics Raptor and Cogito Specta. The bill explicitly tells the FCC to add “any subsidiary, affiliate, or partner” and “any entity to which the named entity has a technology sharing or licensing agreement” to the covered list, too.

The bill had already passed the House of Representatives and is headed to President Biden’s desk, where it’s considered a must-sign: it would trigger a partial government shutdown if not signed, and it already passed both houses of Congress with strong bipartisan support.

So it’ll really be up to the Trump administration as to whether it wants to rescue the Chinese drone company, in the year after he takes office. Trump may not need to lift a finger if he’d prefer to see fewer DJI products in the country, so the ball’s in DJI’s court. It wouldn’t be surprising if DJI tries to get face time with Trump in the near future — like TikTok, which is more imminently facing a ban.

In a blog post, DJI calls it “good news” that the NDAA doesn’t explicitly ban DJI products, but says the US government is singling out Chinese drones for scrutiny, and worries about the fact that the law doesn’t specify a government agency to actually carry out the task of determining whether it poses a risk.

“This means that DJI would be prevented from launching new products in the US market through no fault of its own, but simply because no agency chose to take on the work of studying our products,” the company writes. It’s asking Congress to pick a “technically focused agency to assure the assessment is evidence-based,” and to give the company the opportunity to reply.

When you visit a webpage, you might see a CAPTCHA to make sure you’re a real person and not a bot. These usually involve jumbled words, some recognizable images or just a box that says, “I am not a robot.” 

CAPTCHAs are harmless, but hackers are now using them to infect your PC with malware.

Security researchers have found a huge fake CAPTCHA campaign spreading the dangerous Lumma info-stealer malware, which can bypass security measures like Safe Browsing.

This campaign shows how malvertising works, with more than a million ad impressions every day and thousands of victims losing their accounts and money through a network of more than 3,000 sites. I’ll break down how this scam works, who’s responsible and how you can protect yourself.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

How does the scam work?

As reported by Guardio, the fake CAPTCHA scam is a sophisticated malvertising campaign that lures you into unknowingly installing malware under the guise of routine CAPTCHA verification. The cyberattack starts when you’re browsing websites, often those offering free streaming, downloads or pirated content. These sites are used by hackers to present you with what appears to be a legitimate CAPTCHA verification page.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

The page mimics a real CAPTCHA, asking you to confirm you are human. However, the instructions are designed to trick you into initiating harmful actions, like triggering the Windows “Run” dialog. Users unknowingly paste and execute a crafted PowerShell command, which silently installs the Lumma info-stealer malware onto their system.

The malware targets sensitive data, including social media accounts, banking credentials, saved passwords and personal files, potentially leading to financial and identity theft.

Illustration of fake CAPTCHA (Guardio)

HERE’S WHAT RUTHLESS HACKERS STOLE FROM 110 MILLION AT&T CUSTOMERS

Who’s to blame for this?

The fake CAPTCHA scam shows how messy the internet’s ad system has become, with everyone involved passing the buck. Guardio Labs points to ad networks like Monetag as a big part of the problem. They distribute malicious ads that are disguised during moderation using tricks like cloaking. Publishers, especially those offering free or pirated content, add to the issue by running these shady ads on their sites, often without checking what they’re actually showing users.

Then there are services like BeMob, which lets scammers hide their bad links behind harmless-looking URLs. These companies call themselves analytics tools, but they’re helping the scams stay hidden. Hosting providers don’t escape blame either. They’re where these fake CAPTCHA pages live, and they often don’t bother to check what’s being hosted.

Of course, the scammers themselves are the ones pulling the strings. But because they spread their operations across so many platforms, they’re almost impossible to track down. Guardio’s research shows how all these moving parts work together, creating a system where no one takes responsibility, and the scams keep running.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

BEWARE OF ENCRYPTED PDFs AS LATEST TRICK TO DELIVER MALWARE TO YOU

6 ways to stay safe from fake CAPTCHAs

1. Use reliable security software: Keeping your antivirus and anti-malware software up to date is one of the most effective ways to protect yourself from fake CAPTCHA scams. A strong antivirus software will detect and block malware like the Lumma info-stealer before it can infect your device. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Enable browser protection features: Modern browsers offer built-in security features, such as Safe Browsing and phishing protection, which warn you about potentially dangerous sites. Make sure these features are enabled in your browser settings. These tools can alert you to malicious links or fake CAPTCHAs trying to trick you into downloading malware.

3. Be cautious with “free” content: There’s a saying that goes, “If something is free, you’re what they are selling.” Websites that offer free downloads, streaming services or pirated content are often associated with malvertising campaigns. Fake CAPTCHA scams are commonly spread through these types of sites, where users are tricked into clicking on malicious ads or links. Even if a site seems tempting, it’s important to be cautious. Avoid clicking on suspicious links or using “free” services, as they could be traps designed to infect your device with malware.

4. Avoid clicking on suspicious ads: Always be wary of ads that appear out of nowhere or seem too good to be true. Fake CAPTCHA scams often disguise themselves as legitimate ads, asking you to click to verify you’re human. Never interact with pop-up ads or unfamiliar banners, especially those that claim to give you something for free, as they may lead to malicious pages or trigger malware downloads. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

5. Check for HTTPS and look for signs of a legitimate site: Before entering any personal information or interacting with a CAPTCHA, ensure that the website is secure. Look for “https://” in the website’s URL, which indicates the connection is encrypted. Legitimate websites also tend to have a professional appearance, so if something feels off or the design looks poor, trust your instincts and leave the site.

6. Enable two-factor authentication: Two-factor authentication adds an extra layer of security, making it harder for attackers to access your accounts. 

WHAT TO DO IF YOUR BANK ACCOUNT IS HACKED

Kurt’s key takeaway

There’s no question that fake CAPTCHA scams are a growing threat, putting millions of us at risk of malware infections and financial loss. What’s even more concerning is that ad networks, publishers and hosting services continue to allow malicious campaigns to spread through their platforms despite the widespread awareness of the problem. The companies involved must take immediate action to improve content moderation, tighten security measures and prevent these scams from thriving. We are seeing a dangerous loophole in the digital advertising ecosystem that could have serious consequences for internet users.

Do you think ad networks and publishers should be held accountable for the spread of malware through their platforms? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.