The CEO Forum – July 2019

CryptoChameleon is a phishing-as-a-service kit that makes it easier than ever for cybercriminals to create convincing phishing campaigns. Criminals often use it to impersonate reputable companies to steal passwords, account information, and other sensitive data.

A recent scam using CryptoChameleon targets LastPass, a popular password manager. Scammers pretend to be from LastPass, starting with seemingly authentic support calls. They later send follow-up emails with links to fake login pages, designed to look like legitimate LastPass sites. Once victims enter their master passwords on these fraudulent pages, scammers can access their password vaults and potentially lock them out of their accounts.

Reputable companies will never ask for your master passwords through phone calls, emails, or text messages. To protect yourself from these scams, remember to:

• Hang up immediately if you receive a suspicious call claiming to be from LastPass or another reputable company.
• Do not press any options in automated messages or clicking on links in emails from unfamiliar sources.
• Report suspicious activity to the reputable company, including screenshots of suspect text messages and forwarded emails.

Scammers are pretending to be bank customer service representatives reaching out regarding fraud prevention. Their goal is to get you to reset your login credentials and gain access to your account.

How it works

1. Scammers, posing as customer service representatives, will call and keep the victim on the phone for multiple hours to “resolve” a fraud issue.
2. The scammer urges quick action to prevent alleged hackers from draining the victim’s account.
3. The victim is asked for sensitive information like login credentials and verification answers.
4. The scammer logs in to the victim’s account to initiate unauthorized payments, bypassing security restrictions via a direct call to the real Fraud Support, all while the true customer is on hold.

Quick Tips

• Check your account activity frequently and monitor for suspicious transactions.
• When asked for information that seems unusual, hang up and call the phone number on the back of your bank card or account statement.
• Read text and email communications fully and pause before responding.
• Remember that banks and credit card companies will never ask you for your password or your card/account number over the phone.