We let them in: The login scams

I've known about the various scams that exist within the internet and telecommunications realm for years.

You have the ransom scam, where you receive an email stating that they have some photographic evidence of you doing something dodgy and they want to be paid in bitcoin.

There are the phone scammers, who pretend that they are Microsoft or some other company, and want remote access to your computer. These scams are also known as malware scams. (I'll come back to malware scams in a future post, because unfortunately a friend of mine fell prey to this scam in 2021, and it cost her dearly.)

But you also get the txt/email login scams where you receive a txt message (or email... or some other notice) saying that there are some unusual transactions on your account, asking that you click the link to verify. (My own husband fell prey to one of these a few months ago.)

All of these scams are fishing for the person who is trusting and doesn't know any differently. We want to believe the best in people, and the scammers are out there to take advantage of that. And it seems like technology has given con artists new ways to be inventive with their scamming. And the scammers are smart.

Today, I want to discuss the login scams, mainly because it was this type of scam that my husband fell prey to a few months ago. It could have been easily avoided if he had been paying attention—which he wasn't—but there are other steps that you can take to protect your systems even if you are duped by the login scams.

The email login scams

Sometimes, I get an email that on the surface looks legit, telling me that there was a problem with my account, and that I need to log in to correct the issue. In these emails, there will often be a button or link to click, taking me to a website that also looks legit. The unsuspecting user would then enter their login details… and the annoying scammer now has their username and password for whatever system they wanted access to.

My husband fell prey to this exact scam all of a few months ago. It was an email that looked like it came from work, telling him that he needed to log in to the system to correct an issue. He clicked the link, logged in using his work credentials, did whatever the system wanted him to do, and didn't think anything else of it… until he got a phone call from the IT guys at his work, asking him if he just tried to log in from Germany. Yeah… He was the trusting idiot who actually fell prey to an email login scam.

The IT guys quickly reset his systems and forced him to create new passwords. And it was a lesson learnt the hard way: Don't click the random links in emails! Thankfully, no harm was done, other than my husband gaining a bruised ego.

(Shall we say that he was more than a little sheepish as he told me what had happened? "And no doubt, I'll be your next blog post," he said. And yes, he is, but I love him just the same.)

The login scams don't necessarily come via email

If the login scams came in via email only, it would be so easy to deal with them by using our spam filters, but I get login scams via social media too. They commonly come in via direct messages, which again is easy to manage by specifying who can and can't send direct messages. But it's the "tagging" posts that were new to me until I encountered my first one of these last month.

I have a public Facebook page. The settings for this page are such that people can send me direct messages and tag my page. I do this for marketing and connectivity reasons. I know the risks, and I accept those risks. The original intention for the tagging was to allow my readers to show off anything that they might get from me that they think is awesome, adding a link to their posts that automatically links back to my Facebook page. But I also have my system set up to send me a notification whenever anyone tags my public page in a post. This is so I know exactly what my name is being associated with. (There are settings within Facebook that will allow me to remove my page/profile from tagged posts... and I have had to use them.)

So, last month, when I got a notification saying that some random page that I had never heard of before had tagged me, I clicked on the notification. It took me to this post that said the following:

We need to re-verify the admin account's profile on all currently promoted pages
This may result in some features on your page being restricted. Click the link below to verify.
<<insert dodgy link>>
You will need to verify your account to get back to normal. If you do not verify, we may permanently disable your account and page
To ensure the rights of users, all users must comply with out policy
Thank you for reading this message

The above message was followed by an insane number of bullets and empty lines, then a list of 30+ tagged accounts, and my public page just happened to be one of them.

Okay... There are so many things wrong with this scenario that it screamed out "scam" from the word 'Go!'

  1. Facebook would never use a random third party to highlight issues with pages.
  2. Facebook would never send a public post tagging pages for something like this. They would send a notification that was for my eyes only.
  3. The link in question was an HTTP URL that was made up of a long series of numbers. HTTP protocols went out the window years ago, and my web browser gets super pissy whenever I visit any website that hasn't updated to HTTPS protocols. And any website URL that is made up of a series of random numbers... Um... Dude, not clicking! (And no, I didn't need to click the link to get that information. It was directly written in the post. I didn't include it above, because I didn't want someone clicking on a dodgy link by mistake.)
  4. Did you notice the lack of punctuation in the above quoted message? Because that is a sure-fire sign that it was written by someone who doesn't understand business English. Again, this is not something that would happen to this extent from an official Facebook message. (They still have grammatical issues, but not the blatant lack of punctuation.)
  5. I never signed up for any service that promotes my page. I don't even use Facebook ads. Does that tell you something?
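
Two of the red flags in point 3 (a plain HTTP link, and an address made of numbers instead of a name) can be checked without ever clicking. The Python below is an added example, not part of the original post; the sample message, the addresses in it and the "digit-heavy" threshold are constructed assumptions, and a link that raises no flags is not thereby proven safe.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: the first link uses a documentation-only IP address.
SAMPLE = (
    "Click the link below to verify.\n"
    "http://192.0.2.45/8812309945123377\n"
    "Official help page: https://www.example.com/help\n"
)

def host_is_numeric(host):
    """True when the host is an IP address rather than a domain name."""
    if not host:
        return False
    if host.isdigit():  # single-integer form of an IPv4 address
        return True
    try:
        ipaddress.ip_address(host)  # dotted IPv4 or IPv6
        return True
    except ValueError:
        return False

def link_red_flags(url):
    """Return the red flags a link raises, judged from its text alone."""
    parts = urlsplit(url)
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if host_is_numeric(parts.hostname or ""):
        flags.append("numeric-host")
    digits = sum(c.isdigit() for c in parts.path)
    # Assumed threshold: a path of 12+ characters that is mostly digits.
    if len(parts.path) >= 12 and digits / len(parts.path) > 0.6:
        flags.append("digit-heavy-path")
    return flags

def scan_message(text):
    """Map every link found in a message to its list of red flags."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return {u: link_red_flags(u) for u in urls}

if __name__ == "__main__":
    for url, flags in scan_message(SAMPLE).items():
        print(url, "->", flags or "no flags raised")
```
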

It was alarm bells from start to finish. But clearly, there was something within the message that triggered something else.

Because it's me, I took a screen capture of the original offending message and wrote a "public service announcement" post on my public Facebook page... and I suddenly got inundated by all these comments containing links to people who could "help me unlock my account." I lost track of how many of those comments there were. I responded to the first ones that came in, believing they were legit people trying to be helpful, but after the 15th or so comment of that nature within a span of two minutes, I turned off the comments on that post and started to delete them. Then I got bombarded by private messages with the links, stating that I needed to respond to them.

I think I generated in the order of 4 or 5 separate posts on my public FB feed with the nightmare that ensued. I was laughing at the hilarity of the situation as I was writing them, but OMG... what a headache to manage on a Saturday morning. But there were definitely lessons learned. When I come to finally update Hidden Traps, this tale will likely find its way into its pages, along with information on how to limit those comments to established followers only (i.e., accounts that have been following my page for more than 24 hours).

But for the moment, we're going to give you a list of active steps that you can take to protect yourself against the login scams.

Avoiding the login scams

1) Don't trust the links.

It might seem obvious, but no matter what, don't trust the links asking you to log in. Even if the email looks entirely legitimate, don't click the links in the email. Just don't.

Instead, go to the website yourself and log in that way. Always go back to the source.

Interesting fact: Whenever I get a message from my bank or from the IRD (the tax department in New Zealand), the notification will say that there is a message waiting for me and that I need to log in to find the message. But there is never a link to log in. It is always assumed that I know what the web address is for the login page. (And this is just one of the ways that I know that any emails that look like they come from my bank or from the IRD are frauds. Because the real emails never contain links.)

2) Use two-factor authentication

For every system possible, especially your banking system or anything else that is connected to your money, use what is known as two-factor authentication.

Two-factor authentication comes in a variety of different forms, ranging from txt messages with codes, to emails with codes (or special login links, as is the case with Medium), to the codes generated by authenticator apps on your phone. But the essence of how all the various two-factor authentication systems work is the same: you log in to the site and you'll be asked to take an additional login step.

It's surprising the number of hackers that could have been stopped in their tracks if people would just use two-factor authentication.

And where possible, turn on the notifications that tell you when someone has logged in to your account. Yeah, those notifications can be annoying if you log in and log out of your account a lot, but if you get that notification and you know that you didn't log in to your account…

Hello, hacker, whatever it is you're trying to do is not going to work—not today.

3) Blacklist the offending sender email

If the offending sender email gets annoying and constantly sends you "login" scam emails, then blacklist the email. Block them.

By blacklisting an email address, you're telling your spam filter that, no matter what, it's to send all emails from that address directly to the spam folder. Eventually, you'll need to clean out your spam folder, but at least they won't be taking up space in your inbox.

Blacklisting has another impact that people might not be aware of. If enough people blacklist an email address, then email servers like Gmail will flag the entire offending domain as spam and send those emails to the spam folder for ALL email users, including those who haven't blacklisted the offending email address. It doesn't stop the persistent scammer from getting a new email address, but it does stop them from effectively using that one email address.

Final thoughts

The internet is our world now. Every facet of our lives is now connected to the internet, so it's not surprising that these types of scams have become embedded into the fabric of our society.

But never be afraid of using the internet for fear of what the skilled hacker can do. If a hacker really wants into your systems, and if they have the skills to accompany that desire, they'll get in. There will be nothing you can do to stop them. They won't need to stoop to using login scams to get your username and passwords; they have other tricks up their sleeves. And even the two-factor authentication won't stop them.

But in reality, a skilled hacker is unlikely to be interested in you. You're a small fry.

All of this is not about avoiding the skilled hacker. This is about avoiding the opportunists, the ones willing to prey on your trusting nature, taking advantage of the innocent things we do.

Do you have any additional tips for avoiding the scams?

Copyright © 2023 Judy L Mohr. All rights reserved.

This article first appeared on judylmohr.com
