🚨 “It looks like it’s from Google… but it isn’t.”

This morning I spoke about a Gmail phishing scam on Newsmax Media, Inc. that’s making headlines — but here’s what you need to know:

✅ This tactic is not new — it’s social engineering.
✅ But it is getting harder to spot, even for trained eyes.

Cybercriminals are now repurposing real Google content and hosting malicious links on legitimate Google Sites, so the email and the links look authentic. But make no mistake — it’s still the same old scam: trick you into clicking, steal your data, and/or infect your device.

Here’s what I recommend:

🛑 Stop. Think. Don’t click. If you didn’t expect the email, don’t trust it.
🔍 Inspect the sender’s full email address. Phishing emails almost always have subtle mistakes in the sender domain or headers.
🌐 Verify the website yourself. Don’t click links — type the URL into your browser, and double-check what’s in the address bar before entering credentials.
🔒 Enable Two-Factor Authentication (2FA). On Google and every critical account you have:
– SMS is better than nothing.
– Authenticator app is more secure.
– But if you’re serious, invest in a hardware key like YubiKey.

If you suspect a scam, contact the company directly — don’t reply to the email.

➡️ Here’s the hard truth: Technology is getting better, but so are the criminals. Many of us in cybersecurity already know this — but our kids, our parents, and even our colleagues may not.

📣 Take 5 minutes today to show someone you care about how to spot these scams and turn on 2FA.

If you need help or want a cheat sheet you can share with your family or coworkers, send me a message. I’m on a mission to keep 1 million people safer from cybercrime — and it starts with a CyberSecure Mindset.

#Cybersecurity #GoogleScam #Phishing #SocialEngineering #2FA #BEC #FBI

Kevin D. Jeff Taylor Mark Bruns Ronnie Manning Yubico Corey Munson Marc E.
How to Avoid Clicking Malicious Links
Summary
Protect yourself from malicious links by staying cautious online and verifying the authenticity of emails, websites, and messages before clicking or providing sensitive information.
- Verify email authenticity: Always check the sender’s full email address and domain for errors or inconsistencies before trusting any message.
- Avoid clicking on links: Hover over a link to see where it actually points and read the whole domain, not just the brand name that appears in it; better still, type the site’s URL into your browser yourself instead of clicking the link in the email.
- Enable extra security: Use two-factor authentication (2FA) or hardware security keys to add an additional layer of protection to your accounts.
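The checks listed in the summary (sender address versus display name, link text versus the real target, misspelled or lookalike domains) can be scripted. The following is an added example written for this page, not code from any of the posts below: it parses a constructed sample e-mail, pulls every link out of the HTML body and reports why each link or the sender looks wrong. The allowlist TRUSTED_DOMAINS, the digit-for-letter substitution table and the two-label "registrable domain" rule are simplifying assumptions of the example (there is no public-suffix list, so co.uk-style domains are not handled).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a short allowlist of the brands we expect mail from.
TRUSTED_DOMAINS = {"google.com", "linkedin.com"}
# Digit-for-letter swaps attackers use to fake a brand name (g00gle, 1inkedin).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_LIKE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample: display name says Google but the address does not; the first link's
# text shows the real Google URL while its href goes elsewhere; the second link is real Google.
SAMPLE_EMAIL = """From: "Google Security" <alerts@mail-google-secure.example>
To: victim@example.org
Subject: Unusual sign-in attempt
Content-Type: text/html

<html><body>
<p>We detected a new sign-in. Review it now:</p>
<a href="https://accounts.g00gle.com.login-check.example/verify">https://accounts.google.com</a>
<p>Or open your dashboard: <a href="https://sites.google.com/view/secure-alerts">Dashboard</a></p>
</body></html>
"""


def registrable(host):
    """Last two labels as the registrable domain (approximation: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(host):
    """Reasons a host is suspicious; an empty list means it really is a trusted domain."""
    host = host.lower().rstrip(".")
    if registrable(host) in TRUSTED_DOMAINS:
        return []
    labels = host.translate(CONFUSABLES).split(".")
    findings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        tl = trusted.split(".")
        brand = tl[0]
        # trusted domain used as a subdomain prefix of somebody else's domain
        if any(labels[i:i + len(tl)] == tl for i in range(len(labels))):
            findings.append(f"{trusted} appears inside untrusted host {host}")
            continue
        for label in labels:  # brand name inside a label, or one typo away from it
            if brand in label or levenshtein(label, brand) == 1:
                findings.append(f"label '{label}' in {host} resembles {brand}")
                break
    return findings


def check_sender(from_header):
    """Compare the display name's brand claim with the domain of the actual address."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = domain_findings(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in name.lower() and registrable(domain) != trusted:
            findings.append(f"display name '{name}' claims {brand} but address domain is {domain}")
    return {"name": name, "address": addr, "findings": findings}


def check_link(href, text):
    """Flag a suspicious target host, and link text that shows a different host than the href."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return {"href": href, "text": text, "findings": [f"non-web link scheme '{parsed.scheme}'"]}
    findings = domain_findings(host)
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but target is {host}")
    return {"href": href, "text": text, "findings": findings}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_email):
    msg = message_from_string(raw_email)
    sender = check_sender(msg.get("From", ""))
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    links = [check_link(href, text) for href, text in extractor.links]
    suspicious = bool(sender["findings"]) or any(link["findings"] for link in links)
    return {"sender": sender, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, value)
```

Two caveats the output makes visible: the second link (a real sites.google.com page) produces no finding at all, which is exactly the case the first post describes, where the malicious page is hosted on legitimate Google infrastructure, so a clean domain is necessary but not sufficient. And a sender domain that passes this eyeball test says nothing about whether the message was actually sent by that domain; that is what the SPF, DKIM and DMARC results in the received headers are for.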
Scammers see tax season as open hunting season. Don't be their easy prey.

7 things nobody tells you about staying safe from phishing during tax season:

1. Be Skeptical of Unexpected Emails
→ Even if it looks like it’s from your CPA, trust your gut.
→ Unexpected emails? Delete them immediately.

2. Generic Senders Are Risky
→ Addresses like donotreply@domain.com are a scammer’s favorite disguise.
→ Always verify directly with your provider’s online portal.

3. Never Click Unverified Links
→ Don’t shortcut security by clicking links in emails.
→ Log in directly via your browser to avoid phishing traps.

4. Upgrade Your Email Security
→ Free email services lack robust phishing protection.
→ Consider upgrading to paid plans with built-in security features.

5. Don’t Ignore Email Settings
→ Even premium platforms like Google Workspace need periodic reviews.
→ Verify your settings to ensure optimal protection.

6. Scammers Target E-Signature Platforms
→ The rise of e-signatures has made them prime phishing targets.
→ Authenticate every document before signing or opening.

7. Think Before You Open Emails
→ Got an unexpected tax document? Call your provider directly.
→ No shortcuts, no stress, no scams.

PS) Scammers are clever, but they’re also lazy. Make them work harder than it’s worth.
Gmail and Outlook 2FA Codes Hacked—Critical Security Warning

A new and highly sophisticated cyberattack is targeting users of major email platforms, including Gmail, Outlook, AOL, and Yahoo, compromising even two-factor authentication (2FA) protections. The Astaroth phishing kit, first observed in December, deploys a man-in-the-middle attack to intercept login credentials, session cookies, and 2FA tokens in real time—effectively bypassing security measures users rely on to protect their accounts.

How the Attack Works
Cybersecurity firm SlashNext has revealed that Astaroth uses reverse proxy mechanisms to act as a middleman between users and legitimate sign-in pages. Here’s how it unfolds:
• Phishing Link: The attack starts with a malicious link, often disguised as a login request or urgent security update.
• Fake Login Page: Users are redirected to a nearly identical copy of their email provider’s login portal.
• Real-Time Credential Theft: When a user enters their email and password, Astaroth captures this data in real time.
• 2FA Interception: The phishing kit instantly intercepts one-time passcodes (OTP) sent via SMS or authentication apps.
• Session Hijacking: Attackers gain full access to the victim’s account without needing additional login approvals.

Why This is Dangerous
• 2FA Bypass: Unlike traditional phishing attacks, Astaroth allows criminals to break into accounts even if users have strong two-factor authentication enabled.
• Speed & Precision: The attack occurs in real time, meaning users unknowingly provide attackers with everything needed for immediate unauthorized access.
• No Warning Signs: Since the victim technically logs into the real website, the attack leaves no visible trace.

How to Protect Yourself
1. Avoid Clicking on Suspicious Links
• Do not click on email links prompting you to log in urgently or verify your credentials.
• Always go directly to the official website instead of using links in emails or messages.
2. Use Hardware Security Keys
• Physical security keys like YubiKey or Google Titan provide an extra layer of protection against phishing.
3. Enable Advanced Account Protection
• Gmail users should activate Google Advanced Protection, which requires security keys for login.
• Microsoft users can enable Windows Hello or Authenticator app-based security.

Final Thoughts
The Astaroth phishing kit represents a major evolution in cybercrime, making traditional 2FA less effective against targeted attacks. Education, vigilance, and enhanced security measures are crucial to staying ahead of these threats. If you receive an unexpected sign-in request, avoid using links in emails and instead go directly to your account provider’s official website. Cybercriminals are getting smarter—make sure your security strategy evolves with them.
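The post above describes a reverse proxy relaying a password and a one-time code, and recommends hardware security keys as the fix. The simulation below, an added example written for this page and not code from the post, from SlashNext or from the Astaroth kit, shows why the two behave differently. It implements RFC 6238 TOTP and a cut-down model of a WebAuthn assertion; the origins, rp_id, password and secrets are made up, HMAC stands in for the authenticator's ECDSA signature (the standard library has no ECDSA), and the browser's rp_id rule is reduced to "the page host must equal the rp_id or end with it".

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed values for the simulation, not real credentials.
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"victim-authenticator-app-seed"
REAL_ORIGIN, REAL_RP_ID = "https://accounts.example", "accounts.example"
PHISH_ORIGIN = "https://accounts-example.login-check.test"  # the reverse proxy's own domain
CRED_KEY = secrets.token_bytes(32)  # stands in for the security key's private key


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class PasswordTotpSite:
    """Real login page: password + TOTP. Both are typed by the user, so both can be forwarded."""
    def __init__(self):
        self.sessions = set()

    def login(self, password, code, now):
        if password == PASSWORD and hmac.compare_digest(code, totp(TOTP_SECRET, now)):
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return token
        return None


def scenario_totp_relayed(now=1_700_000_000):
    """Victim types password and code into the proxy; the proxy replays them to the real
    site inside the same 30 s window and keeps the session token."""
    site = PasswordTotpSite()
    typed_code = totp(TOTP_SECRET, now)                 # read off the victim's app
    attacker_token = site.login(PASSWORD, typed_code, now)  # proxy -> real site
    return attacker_token in site.sessions


class Authenticator:
    """One credential per rp_id; signs rpIdHash || SHA-256(clientDataJSON) (HMAC stands in for ECDSA)."""
    def __init__(self, creds):
        self._creds = creds

    def get_assertion(self, rp_id, client_data_json):
        key = self._creds[rp_id]  # KeyError: no credential registered for this rp_id
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
        return {"clientDataJSON": client_data_json, "authenticatorData": auth_data,
                "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def browser_get_assertion(authenticator, page_origin, rp_id, challenge):
    """The browser, not the page, writes the origin into clientDataJSON, and refuses an
    rp_id that is neither the page's host nor a suffix of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rp_id {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True)
    return authenticator.get_assertion(rp_id, client_data)


class WebAuthnSite:
    def __init__(self, rp_id, origin, cred_key):
        self.rp_id, self.origin, self._key = rp_id, origin, cred_key
        self._pending = set()

    def new_challenge(self):
        c = secrets.token_urlsafe(32)
        self._pending.add(c)
        return c

    def verify(self, a):
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._pending:
            return False
        if cd.get("origin") != self.origin:  # origin binding: a relayed assertion fails here
            return False
        if a["authenticatorData"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"].encode()).digest()
        if not hmac.compare_digest(hmac.new(self._key, signed, hashlib.sha256).digest(), a["signature"]):
            return False
        self._pending.discard(cd["challenge"])
        return True


def scenario_webauthn(page_origin):
    """Same proxy, but the site uses a security key. Returns what the attacker ends up with."""
    site = WebAuthnSite(REAL_RP_ID, REAL_ORIGIN, CRED_KEY)
    key = Authenticator({REAL_RP_ID: CRED_KEY})
    challenge = site.new_challenge()  # the proxy fetched a genuine challenge from the real site
    try:
        assertion = browser_get_assertion(key, page_origin, REAL_RP_ID, challenge)
    except ValueError:
        return "browser refused: rp_id does not belong to the page origin"
    return "logged in" if site.verify(assertion) else "rejected: signed origin is not the site's"


def scenario_origin_rewritten():
    """A client that signed at the phishing origin anyway, and a proxy that then edits the
    origin field: the first fails the origin check, the second no longer matches the signature."""
    site = WebAuthnSite(REAL_RP_ID, REAL_ORIGIN, CRED_KEY)
    key = Authenticator({REAL_RP_ID: CRED_KEY})
    cd = json.dumps({"type": "webauthn.get", "challenge": site.new_challenge(),
                     "origin": PHISH_ORIGIN}, sort_keys=True)
    signed_at_phish = key.get_assertion(REAL_RP_ID, cd)
    forged = dict(signed_at_phish, clientDataJSON=cd.replace(PHISH_ORIGIN, REAL_ORIGIN))
    return site.verify(signed_at_phish), site.verify(forged)
```

The point the simulation makes concrete: a TOTP code is just a short string the user hands over, so a proxy sitting between the user and the real site can use it as long as it is replayed inside the validity window, which a live relay always is. A security key never hands over a reusable secret; it signs a challenge together with the origin the browser observed, so an assertion produced on the phishing domain is either not produced at all (the browser rejects the rp_id) or is rejected by the real site, and editing the origin afterwards invalidates the signature. The same origin-binding argument applies to passkeys, which use the same WebAuthn protocol.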
We all love a good compliment, especially when it comes to our professional achievements. But that glowing message about your "outstanding work" might be a hacker trying to phish you.

They stalk your LinkedIn profile, picking up details to craft emails that play on your ego and make you more likely to click a bad link. They might mention a specific skill you listed, a project you worked on, or even an award you won. When it all feels a little too good to be true, that's your gut feeling trying to warn you.

Here are some simple things you can do to protect yourself:

1. Always double-check the sender's email address – not just the name displayed. A fancy-looking name with a random email domain (like "[email address removed]") is a giant red flag.
2. Hover over any links in the message before clicking. See where they actually lead. Don't touch it if it's not a legit LinkedIn URL (ending in LinkedIn dot com)!
3. If the message mentions an opportunity or seems important, don't reply directly. Head to LinkedIn and check your messages or search for the supposed contact person. That way, you'll be sure you're communicating through the secure platform.

A little healthy skepticism can save you a big headache (and potentially a compromised account!). Stay vigilant, and you'll keep your presence on LinkedIn safe.
Online shoppers get ready... October 2023 saw a 13% increase in the number of malicious files related to orders and delivery/shipping compared to October 2022.

How To Identify URL Phishing

> Ignore Display Names: Phishing emails are configured to show anything in the display name. Check the sender’s email address to verify that it comes from a trusted source.
> Verify the Domain: Phishers will commonly use domains with minor misspellings or that seem plausible. Look for these misspellings; they are a good indicator.
> Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, don’t click on a link at all; visit the company’s site directly and navigate to the indicated page.

https://lnkd.in/gxXHnVEa