Governer David Ige and the department of commerce and consumer affairs issued an urgent alert to local businesses last week regarding criminals targeting Hawaii businesses with a dangerous phishing scam that could potentially capture and hold a business hostage with ransomware. The Office of Consumer Protection (OCP) has received numerous reports of local businesses receiving emails purportedly coming from the Department of Commerce and Consumer Affairs (DCCA) and OCP. These emails commonly referred to as “email phishing scams” are fraudulent and are an attempt to illegally obtain private information and to place malware on the businesses’ computers.
The fraudulent email attempts to deceive consumers through the inclusion of a DCCA letterhead and uses a spoofed sender email of “email@example.com.” The phishing correspondence is as follows:
Dear Business Owner:
We are formally notifying you of a claim submitted against your company with the Office of Consumer Protection.
Your company has a rebuttal period of 7 business days from the receipt of this notice, to respond to the claim. The response must contain a final rebuttal and be no more than 5 pages in totality.
The full compliant [sic] filed as well as the response form and instructions for submitting your response have been attached to this email. Due to the privacy of the claim the file is password protected.
The password is located below. You can download the file at the link below.
Complaint Notification: Click to Download
Your reply must be sent to us as instructed within the reply form. If we have not received notification from you within the allotted time the claim will awarded to the party filing the claim and they may take further action if they choose to do so, depending on the severity of the claim.
Waiting for your reply,
Office of Consumer Protection
Anyone receiving this email should not click any links associated with it nor download any attachments. Neither the Department of Commerce and Consumer Affairs nor the Office of Consumer Protection has anything to do with this email. The Office of Consumer Protection never requests a business to download a password protected file through a link, like the one referenced in the email.
Scammers use email or text messages to trick you into giving them your personal information. They may try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could gain access to your email, bank, or other accounts. Scammers launch thousands of phishing attacks like these every day—and they’re often successful.
Do not click on any links listed in the email message, and do not open any attachments contained in a suspicious email.
Do not enter personal information in a pop-up screen. Legitimate companies, agencies, and organizations don’t ask for personal information via pop-up screens.
Install a phishing filter on your email application and also on your web browser. These filters will not keep out all phishing messages, but they will reduce the number of phishing attempts.
If you aren’t 100 percent certain of the sender’s authenticity, don’t click on attachments or embedded links; both are likely to result in malware being installed. Instead, open a new browser window and type the URL directly into the address bar. Often a phishing website will look identical to the original, so check the address bar to confirm the address.
Similarly, never submit confidential information via forms embedded in or attached to email messages. Senders are often able to track all of the information you enter.
Be wary of emails asking for financial information. Emails reminding you to update your account, requesting you to send a wire transfer, or alerting you about a failed transaction are compelling. However, scammers count on the urgency of the message to blind you to the potential for fraud.
Don’t fall for scare tactics. Phishers often try to pressure you into providing sensitive information by threatening to disable an account or delay services until you update certain information. Contact the merchant directly to confirm the authenticity of the request.
Be suspicious of social media invitations from people you don’t know. Phishers rely on your natural curiosity to click on the person’s profile “just to find out who it is.” However, in a phishing email, every link can trigger malware, including links that appear to be images or even legal boilerplate; scammers use your hijacked account to send spam to your friends, because spam from real accounts is more believable than spam from a fake account.
Watch out for generic-looking requests for information. Many phishing emails begin with “Dear Sir/Madam.” Some come from a bank with which you don’t even have an account.
Ignore emails with typos and misspellings. Recent real examples targeting TurboTax include ”Your Change Request is Completeed” and “User Peofile Updates!!!”
Update and maintain effective software to combat phishing. Reliable anti-virus software should also automatically detect and block fake websites, as well as authenticating the major legitimate banking and shopping sites.
Stay safe out there.