Microsoft is warning users about a new phishing scam that has risen in popularity over the past few weeks. This scam uses redirect links in order to trick people into giving away sensitive data, like their email usernames and passwords.
This scam is the next evolution of phishing scams, as many users are trained to hover over links and assess the URL before clicking on it. However, by using sneaky redirects, these scammers are able to disguise the links themselves as seemingly valid links.
Microsoft hasn't publicized a firm number of victims, but if it is issuing a statement about the campaign, it's likely that a fair number of users have encountered or fallen victim to this scam.
How Does This Scam Work?
Like most phishing scams, this one starts with an email. According to advice from Microsoft, this email will look fairly professional, and will ask the user to click a link. At this point, more experienced users might be apprehensive and check the link for any signs of phishing. However, these links are well-crafted, and may fool even the most diligent eye.
Upon clicking this link, the user will be led to a page that, again, will look very professional, even asking for a reCAPTCHA verification. This page will then ask for the user's password.
“If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again.”
“Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.” – Microsoft Blog
While it's a quick process, it's all the scammers need in order to fool some people into giving away their login credentials. And with the believability of these emails, it's likely that a lot of people are falling victim to it.
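As an added example (not Microsoft's detection logic or the article's own code), the following Python flags the redirect pattern described above: a link whose visible host looks legitimate on hover but whose query string or fragment carries a second URL pointing at a different host. The domains and the trusted-host list are constructed placeholders.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample links (not real domains); the visible host is the
# organisation's own link-tracking domain, so hovering looks harmless.
TRUSTED_HOSTS = {"links.example-corp.test", "login.example-corp.test",
                 "mail.example-corp.test"}
SAMPLE_LINKS = [
    "https://mail.example-corp.test/release?msg=123",
    "https://links.example-corp.test/go?url=https%3A%2F%2Flogin.example-corp.test%2Fsignin",
    "https://links.example-corp.test/go?url=https%3A%2F%2Fexample-corp.test-login.invalid%2Fverify",
    "https://links.example-corp.test/r?to=https%253A%252F%252Fexample-corp.test-login.invalid%252F",
    "https://links.example-corp.test/r#//example-corp.test-login.invalid/verify",
]


def redirect_targets(url: str) -> list[str]:
    """Return hosts embedded in the link's query values or fragment that differ
    from the host the user sees on hover (the open-redirect signature)."""
    outer = urlsplit(url)
    visible_host = (outer.hostname or "").lower()
    candidates = [v for _, v in parse_qsl(outer.query, keep_blank_values=True)]
    if outer.fragment:
        candidates.append(outer.fragment)
    found = []
    for value in candidates:
        # Redirect parameters are frequently percent-encoded more than once;
        # decoding twice also covers the double-encoded variant.
        decoded = unquote(unquote(value))
        inner = urlsplit(decoded)
        inner_host = (inner.hostname or "").lower()
        # Accept absolute http(s) URLs and scheme-relative "//host/..." forms.
        if inner.scheme in ("", "http", "https") and inner_host and inner_host != visible_host:
            found.append(inner_host)
    return found


def flag_suspicious_links(links, trusted_hosts) -> dict[str, list[str]]:
    """Map each link to the untrusted hosts it forwards to; clean links are
    omitted. Forwarding to another trusted host is treated as benign."""
    flagged = {}
    for link in links:
        bad = [h for h in redirect_targets(link) if h not in trusted_hosts]
        if bad:
            flagged[link] = bad
    return flagged


if __name__ == "__main__":
    for link, hosts in flag_suspicious_links(SAMPLE_LINKS, TRUSTED_HOSTS).items():
        print(f"SUSPICIOUS {link}\n  -> forwards to {', '.join(hosts)}")
```

Run against the constructed list, the first two links pass (no redirect, or a redirect to a trusted host) and the last three are flagged.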
What About This Scam Is Dangerous?
Like most scams, this one can only spell bad things for its victims. The specifics of this campaign aren't widely known yet, but the fact that it's harvesting users' usernames and passwords is a bad omen.
By using this information, scammers can access the victim's accounts and view/send emails. The emails they're viewing might hold even more sensitive data, like banking information or addresses.
If you think you've fallen victim to this scam or something similar, the best thing you can do to protect yourself is to change your password immediately, so the stolen one no longer works. It would also pay to keep an eye on your accounts over the coming weeks to make sure no unusual activity is going on.
How to Protect Yourself Online
This scam is one of many, as phishing scams have seen a massive increase over the past couple of years. Outside of general caution and attention to detail, what can the everyday person do to avoid falling victim to such a scam?
One of the best ways to avoid such a trap is to install anti-virus software. When given access to your email account, anti-virus software can give every incoming email a quick scan and warn you of any suspicious links. Here are some of the best anti-virus software options on the market.
In a more general online security sense, it's always a good idea to install a VPN. Using a VPN while browsing online is like wearing a mask in a public area. It will help you avoid detection, as well as any harmful third parties, like phishing scams or hackers. Here are some of the most secure VPNs on the market.
Another thing you can do is use a password manager. Password managers allow you to stay on top of your various accounts and login information, meaning you won't have to rely on your memory, or storing them somewhere where they might be compromised. Here is a list of our favorite password managers.