Woke this morning with an email from #Scotia bank about my account. I don't have a Scotia account.

Usually, I ignore these as phishing, but I have a #Thunderbird add-on that tells me when SPF and DKIM pass. And the "from" domain was truly scotia bank. So, yes, it did come from them.

Spent 30 minutes on the phone bouncing around, queuing and waiting while they checked. Their conclusion is that their customer carelessly entered my email address instead of their own, and they will contact the customer.

Two things.

Email addresses should always be validated with an OTP. When will banks learn this?

Second: Some people are a pain in the ass.

#banking #phishing #cybersecurity

Well, this is a new type of #phishing to me!

Wonder how well it works?

How much would you pay for your personal phishing awareness training (simulation, e. g. 10 test mails a year)?

Talking about hypothetical service where you would subscribe your personal email to receive, from time to time, email phishing lure based on your customised demography. You know, something your employer usually does for your corporate email, but this time for you (or even your family).

#phishing #awareness #poll #boostswelcome #security

• 6 EUR / year (5%, 1 vote)
• 12 EUR / year (0%, 0 votes)
• Even more? Elaborate (5%, 1 vote)
• Less? Elaborate (5%, 1 vote)
• Would never subscribe for such service (82%, 14 votes)

Important reminder, if you own a domain name and don't use it for sending email.

There is nothing to stop scammers from sending email claiming to be coming from your domain. And the older it gets, the more valuable it is for spoofing. It could eventually damage your domain's reputation and maybe get it blacklisted, unless you take the steps to notify email servers that any email received claiming to come from your domain should be trashed.

Just add these two TXT records to the DNS for your domain:
TXT v=spf1 -all
TXT v=DMARC1; p=reject;

The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed.

If you do use your domain for sending email, be sure to add 3 records:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.

You cannot stop scammers from sending email claiming to be from your domain, any more than you can prevent people from using your home address as a return address on a mailed letter. But, you can protect both your domain and intended scam victims by adding appropriate DNS records.

UPDATE: The spf and the dmarc records need to be appropriately named. The spf record should be named "@", and the dmarc record name should be "_dmarc".

Here's what I have for one domain.

One difference that I have is that I'm requesting that email providers email me a weekly aggregated report when they encounter a spoof. gmail and Microsoft send them, but most providers won't, but since most email goes to Gmail, it's enlightening when they come.

#cybersecurity #email #DomainSpoofing #EmailSecurity #phishing

Na klar, na? Da soll ich also schnellstens mein Online-Banking unter "klarna-verfahren.com" über den Link in der SMS "aktualisieren". Als ob ich freiwillig einen solchen Service überhaupt nutzen würde. Alles Klar, na?

(PS: Hab solche SMS bislang nie bekommen, sehe so etwas also zum ersten Mal aus erster Hand)

🗑️

#scam #sms #phishing

#Office is now #Microsoft365.
the urls are still office.com, but you might also end up on live.com. if you’re clever microsoft365.com also works.

the login is obviously through microsoftonline.com, sometimes device.login.microsoftonline.com.

if you create a link you might also visit sharepoint.com, which is different but quite the same.

if you want your emails, that would be outlook.office.com, even though office is now microsoft 365.

and now explain a user to detect a #phishing website. 👀

Did you know that advanced phishing attacks have significantly increased since the release of ChatGPT?

Here's how you can prevent email phishing attacks: tuta.com/blog/how-to-prevent-p…

#phishing #emailphishing #preventphishing #phishingtips

Seems to me that a new role has emerged for those who want a career in cybersecurity: Cybercriminal Troll.

Police around the world are making videos to scare the bejeezus out of scammers and hackers, revealing in a jaunty way how they are about to be busted.

Nice one Met Police.

#LabHost #cybersecurity #cybercrime #scam #phishing

This is so f***** up!! O_O

Be aware when you receive HTML emails (who doesn't?)!

gruene.social/@weddige/1121903…

#HTML #HTMLmail #CSS
#Phishing #SCAM
#SocialEngineering
#Thunderbird #Outlook
#KoboldLetters

Konstantin Weddige (@weddige@gruene.social)

Attached: 1 image Welcome to another edition of "Is this phishing?" Assume the email is in principle plausible and the transaction ID exists. What is the worst that can happen if you press send? #phishing

^{gruene.social}

And it's not only google drive, it now also started on #GPhotos 😒
I already reported the completely same #phishing message three times, but a new one from another account appears again...

Conclusion: it does not matter whether you use centralized or decentralized services, spam is always there...

With news of the latest AT&T #databreach affecting over 70 million people, it is important to stay vigilant against #phishing & suspicious #SMS messages claiming to be from #ATT. 📣

Learn more about protecting yourself here: tuta.com/blog/what-is-credenti…

Stay safe out there! 🔒

RT @HalisCz@twitter.com

Je fajn že aspoň podvodné weby dodržují nařízení vlády o #IPv6, když už to ty pravé nezvládají🙄 #phishing #mpsv

🐦🔗: twitter.com/HalisCz/status/160…

Looks like there’s a new phish in town. Keep an eye out, folks

#phishing #github #security