Phishing Scams Target Some of the Biggest Online Brands

Amazon and PayPal are the best ways to make financial transactions online. WhatsApp is the secure messaging service with end-to-end encryption. Everyone uses Facebook and Gmail. What could go wrong?

If you think the best-known names on the internet are safe, it’s time to think again. Online criminals are getting smarter and sometimes the bigger the brand, the more worthwhile it is to invest in a scam that will actually fool people.

In the past, phishing emails were easy to spot, with bad grammar and spelling mistakes a native speaker wouldn’t make. Today, scammers not only use perfect English, they’ve often expertly matched the logo, style and URL, so it takes a careful comparison to see the difference. Meanwhile, legitimate sales platforms, such as Facebook Marketplace, are full of people trying to convince you to hand over money for nothing in return.

Don’t assume anyone online is telling the truth unless you have verification from an independent source. It takes only a few seconds for hackers to steal financial details or infect your computer with malware that will allow them to access personal information. Help protect your privacy and safeguard the entire family’s reputation with ReputationDefender’s online privacy services. We’ll tell you about system vulnerabilities before they become a problem and help you deal with leaks after the fact. We’ll also keep you up-to-date on some of the most recent scams.

Companies to Double Check

Here are 6 well-known companies that have recently been targeted by scammers.

  • Amazon – Hackers have been sending convincing receipts for products that were never purchased, complete with a link to follow if you want a refund. Don’t fall for it. Open a new browser window and sign into your real Amazon account to check your orders.
  • Apple – A group of scammers have been caught trying to convince people to pay off tax debt with iTunes gift cards. The message may come as a phone call, text or email claiming to be from the HMRC, but fraudsters ask for iTunes vouchers, which can be sold or traded anonymously, to pay off the overdue tax. The HMRC would never communicate in this manner and Apple doesn’t use iTunes as payment ‘outside of official stores’.
  • Facebook – Facebook Marketplace isn’t even a year old and it’s already full of scammers. Since there is no official payment method, it’s up to buyers and sellers to make an agreement. A number of fraudulent users have been insisting on payment via bank transfer, but once the money is turned over the product is never delivered and messages are blocked. Never agree to a bank transfer with someone you don’t know well; there are too many ways this can go wrong.
  • Google – A new Gmail scam has been scarily effective, even with tech-savvy people who don’t usually fall for phishing. The trap appears to be an attached file from a contact, but instead it’s an embedded image which will take you to a Google sign-in window when you click on it. The window also appears legitimate, complete with ‘One Account, All of Google’ at the top of the page. However, once you enter your login details, hackers have complete access to your account and start to target your contact list almost immediately. The only way to spot this scam is by noticing a subtle difference in the URL, which begins with ‘data:text’ rather than ‘https’.
  • PayPal – Look for a warning that claims there’s been ‘unusual activity on your PayPal account’. The scammers have cleverly copied enough identifying marks to make the email look legitimate, but clicking on the link will give them access to your account.
  • WhatsApp – WhatsApp users have reported messages claiming to offer free Sainsbury’s gift cards in celebration of new stores opening. Unfortunately, the message has nothing to do with Sainsbury’s and clicking on the link will install malware that allows hackers to steal information from your phone.
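
The address check described in the Google item, written out as an added example that is not part of the original article: it separates a genuine HTTPS address from a `data:` URI and from an HTTPS address on the wrong host. The function name, the verdict labels and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the original article). Sample URLs are constructed.
function classifyUrl(raw, expectedHost) {
  let url;
  try {
    // The URL parser normalises what browsers normalise: leading spaces,
    // embedded tabs or newlines, and upper-case scheme names.
    url = new URL(String(raw));
  } catch {
    return { verdict: "block", reason: "not an absolute URL" };
  }
  if (url.protocol === "data:") {
    // Everything after "data:" is page content, not a location, so an
    // "https://..." string inside it says nothing about who serves the page.
    const mediaType = url.pathname.split(/[;,]/)[0].toLowerCase() || "text/plain";
    return { verdict: "block", reason: `data: URI carrying ${mediaType}` };
  }
  if (url.protocol !== "https:") {
    return { verdict: "block", reason: `scheme is ${url.protocol}` };
  }
  const host = url.hostname;
  const matches = host === expectedHost || host.endsWith("." + expectedHost);
  return matches
    ? { verdict: "ok", reason: `https on ${host}` }
    : { verdict: "mismatch", reason: `https, but the host is ${host}` };
}

// Constructed samples: one genuine sign-in address and three look-alikes.
const SAMPLE_URLS = [
  "https://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
  "  DATA:text/html;base64,PGh0bWw+",
  "https://accounts.google.com.example.net/ServiceLogin",
];

function classifySamples(expectedHost) {
  return SAMPLE_URLS.map((u) => classifyUrl(u, expectedHost));
}

for (const [i, r] of classifySamples("accounts.google.com").entries()) {
  console.log(SAMPLE_URLS[i].trim().slice(0, 40), "->", r.verdict, `(${r.reason})`);
}
```

The second and third samples contain or imitate a real-looking address, yet both are rejected because the scheme, not the visible text, decides where the page comes from.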

New phishing scams appear all the time. Learning to recognise the signs will help protect your reputation and keep your information secure. For further questions or concerns about phishing scams, contact our experts at ReputationDefender.

Vulnerability Discovered – Why You Shouldn’t Use WhatsApp and Telegram on the Web

According to the Israeli security firm Check Point, even encrypted messenger apps like WhatsApp and Telegram can be penetrated by malware. Just this month, spokesperson Doros Hadjizenonos announced the firm had discovered a weakness in the web versions of these apps. The vulnerability allowed hackers to send a contaminated photo capable of infecting the entire account upon opening. Both companies have reacted immediately to patch the problem and users who have downloaded the latest version should be protected. However, security experts are still advising that high-risk individuals stick to the mobile version of WhatsApp and Telegram.

Encrypted Apps are the Secure Choice

Privacy and reputation go hand in hand. ReputationDefender clients include individuals and businesses working to build a positive web profile. A few personal details or a private message made public can quickly undo months of effort. With over 1 billion users, WhatsApp is the go-to messenger app and the announcement of ‘end-to-end encryption’ last year made it one of the more secure choices as well. A unique encryption key means no one but the intended receiver can unlock and read the message, not even WhatsApp itself. Meanwhile, the lesser known Telegram has been offering ‘Secret Chats’ that rely on a similar encryption key for several years.

What Went Wrong?

Unfortunately, in this case encryption created its own unique problem. Since the sender’s content was scrambled before upload, the app wasn’t always able to identify contaminated files. Hackers could conceal HTML code in a harmless-looking image and send it to an unsuspecting user. Opening the message in a web application would allow the malware to run immediately on the user’s browser, giving hackers access to the entire account: personal contacts, messages, images… everything.

Hadjizenonos has assured users that WhatsApp and Telegram both responded quickly and responsibly to Check Point’s warning. The input validation process has been improved to identify and block files containing malware on both web and mobile versions. As always, it’s important to download the latest updates immediately, since these often contain fixes for weaknesses and vulnerabilities that have just been discovered.
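
One form the input validation described above can take, shown as an added example that is not WhatsApp’s or Telegram’s actual fix: a file declared as an image is accepted only when its leading bytes carry that image format’s signature. The function name, the allowlist and the sample files are assumptions, and the check covers the start of the file only.

```javascript
// Added example (not WhatsApp's or Telegram's code). Sample files are constructed.
const IMAGE_SIGNATURES = new Map([
  ["image/png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["image/jpeg", [0xff, 0xd8, 0xff]],
  ["image/gif", [0x47, 0x49, 0x46, 0x38]],
]);
// Tags that mark a file as markup a browser could render and execute.
const HTML_MARKERS = /<\s*(!doctype|html|head|body|script|iframe|svg)\b/i;

function validateImageUpload(declaredType, bytes) {
  const signature = IMAGE_SIGNATURES.get(String(declaredType).toLowerCase());
  if (!signature) {
    return { accept: false, reason: "declared type is not an allowed image type" };
  }
  // Compare the file's first bytes with the signature of the declared type.
  if (signature.every((b, i) => bytes[i] === b)) {
    return { accept: true, reason: "signature matches declared type" };
  }
  // Mismatch: report separately when the content is really HTML.
  const head = String.fromCharCode(...bytes.slice(0, 512));
  return HTML_MARKERS.test(head)
    ? { accept: false, reason: "declared as image but content is HTML" }
    : { accept: false, reason: "signature does not match declared type" };
}

// Constructed samples: a PNG header and an HTML document.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_HTML = new TextEncoder().encode("<!DOCTYPE html><html><body>not an image</body></html>");

function runSamples() {
  return [
    validateImageUpload("image/png", SAMPLE_PNG),
    validateImageUpload("image/jpeg", SAMPLE_HTML),
    validateImageUpload("text/html", SAMPLE_HTML),
    validateImageUpload("image/gif", SAMPLE_PNG),
  ];
}

for (const r of runSamples()) console.log(r.accept ? "accept" : "reject", "-", r.reason);
```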

What’s Different with Web Apps?

The larger lesson is that the mobile versions of WhatsApp and Telegram are more secure than the web-based versions. Web apps run JavaScript, which can bring in new code and overwrite functionality immediately. Mobile apps don’t support this ‘just-in-time’ compiling; changes must be downloaded and configured before installation. This means users are better protected from the type of vulnerability spotted by Check Point.

Although this particular risk has been eliminated, it won’t prevent hackers from discovering a new access point in the future. If your WhatsApp account contains data that could hurt you if it were made public, it’s best to avoid messaging on the web. Stick to mobile, where there’s an extra layer of security.

WhatsApp’s Sharing Data – What Do the Changes Mean for Users?

WhatsApp recently updated its user agreement and the new policy is raising questions. Since it was created in 2010, the instant message app has maintained a strong commitment to user privacy, with ad-free messaging that doesn’t track users. The company continues to assure users that privacy is a cornerstone of its platform, but the new policy allows for closer integration with Facebook, and opens the way for more business related messaging on WhatsApp.

WhatsApp became a part of the Facebook family of companies in 2014, but this is the first time the connection will be reflected in the app’s privacy policy. WhatsApp has not updated its privacy settings since 2012, so it’s not surprising to see changes. Some elements of the new policy do even more to assure privacy for personal messaging; others indicate a move to increase revenue generation without adding direct advertising. We want to make sure all our clients at Reputation Defender fully understand what they are agreeing to when they accept the new terms of use agreement, so here is a breakdown of the major changes and how they could affect you.

4 Changes in the New Policy

      • Number Sharing With Facebook – This feature has caused the most concern, given that Facebook is known for collecting a lot of information about its users. However, WhatsApp claims it will only be sharing specific information such as phone numbers and the last time of use. Messages and photos should remain one hundred percent private. The purpose of this feature is to “fight spam and abuse” on WhatsApp, as well as to improve targeted advertising on Facebook. WhatsApp number sharing is expected to make Facebook’s friend suggestion lists more relevant and raise the chances that users see ads related to businesses they want to know about. For now, there is an opt-out control for existing users as described in a later section of this article.
      • Third-Party Messaging – This is likely to bring changes to the way WhatsApp is used, moving it from a personal messaging platform to one where users receive all kinds of business notifications. WhatsApp is looking at adding third party business communication over the next several months. This will mostly include automatic notifications you would likely receive anyway, such as appointment confirmations, updates on an online order status, or changes to a flight you’ve already booked. Companies now send these messages via a variety of different platforms, including email, text messages, or even a phone call. By contracting with these third parties, WhatsApp hopes to collect all these notifications in one place to make it easier and simpler for users to find them. Limited data sharing may also take place with third parties, such as a record of the articles you’ve shared amongst WhatsApp contacts. As WhatsApp admitted in a blog post, this is an effort to make the business model generate revenue without actually adding direct advertising.
      • End-to-End Encryption – This element of the new privacy policy is geared toward users who have relied on WhatsApp as one of the most secure, private, ad-free platforms to carry out private messaging. Adding encryption makes messages even more secure, since they won’t be decoded until they reach the recipient and won’t be stored on WhatsApp’s servers. This assures users that even though there will be some third party sharing, the company is still dedicated to delivering messages privately and securely. Messages that are not delivered will be deleted within thirty days; however, content that is shared multiple times, such as popular videos, photographs and articles, may be retained for longer.
      • Copyright Crackdown – WhatsApp’s new policy also includes a stricter approach to copyrighted material. This is aimed at preventing fake profiles. Using someone else’s name or profile picture will now be considered a copyright violation. This could also apply to videos and copyrighted images; however, the chances that this type of content would be reported are still low.

Opt out of Number Sharing With Facebook

There’s currently an option for existing users who want to opt out of having their phone number shared with Facebook. This can be done in one of two ways. When users receive notification of the new privacy policy, instead of just clicking “Agree,” they should click on “Read.” This will display a checked box next to an agreement allowing the new Facebook sharing policy. By unchecking the box, users can permanently disable this feature. According to WhatsApp, there is no option for users to go back and choose the sharing policy once they have unchecked this box.

Users who have already agreed to the new sharing policy still have thirty days to go back and uncheck the box. This can be done by clicking on “Settings,” then “Account,” and going to “Share my account info.” This will display the same checked box enabling number sharing and the same option to disable the feature by unchecking the box.

This opt-out choice is comforting for existing users who have relied on the security of WhatsApp. However, it will not be available to anyone who signs up after the new policy was put in place, or to users who agreed to the new policy more than thirty days ago.

Is WhatsApp Secure?

WhatsApp seems to have made changes that allow for limited data sharing in order to improve the business model and make the company more profitable. However, given that messages are encrypted and not stored, the app still remains one of the most secure platforms for sending private messages. Users should be prepared to see more advertising-like material in the coming months, but it’s still likely that the spam level will remain below that of most other social media companies.