Yesterday, one of our clients received an email alleging to be from the Federal Trade Commission. The email had the FTC logo, it said a fraud complaint had been filed against his company, and he should download a .pdf of the complaint from a link at the bottom of the email. The link as shown on the page and the sending email address as shown had ftc.gov in the address. There were no obvious signs that the email itself was a fraud.
This client clicked on the link, but instead of getting a .pdf document it wanted to install a screensaver. The client wisely chose not to run the program, but when he logged on to his bank this morning he got a pop up with the bank logo asking for basically all of his financial information. He called his bank and they confirmed it was a fraud.
It is our belief that the two events are related. When the client clicked on the link in the email it installed a Trojan virus even though he declined to install the screen saver, and the virus ran when he logged on to the website of his bank. Because the infection might have also captured his logon name and password for the bank, we advised him to change his password and call his bank to inform them that his account may have been compromised.
This is a classic phishing scheme. This kind of scam depends on presenting something to you that will make you act before you can question the authenticity of what you’re seeing. We’re alerting you to this threat specifically because of the effectiveness of the bait, and because of the potential for serious damage even if you don’t install the program it presents to you.
If you receive an email from the FTC saying a fraud complaint has been made against your business, do not click on the link in the email. Delete the email immediately.
The best defense against this kind of scam is skepticism. The email looked official, but it did have some signs that something wasn’t right. The body of the email didn’t include the recipient or his company by name. The salutation was “Dear business owner” and the complaint was against “your company”. Also, no legitimate government or law enforcement agency would notify you of an investigation by email. Finally, if you hover your cursor over any link to download a file or go to a webpage, a small box will appear showing the real address and file name in the link. In this case the link was to a website with a foreign domain, and the file was not a .pdf.
Also, and we can’t stress this enough, if any site asks you to enter personal information like your Social Security number or a credit card number, call them and confirm the site is legitimate before continuing. If they tell you it’s not, your computer has been infected and you should call us immediately.