Top & Tail - Warning: Two Close Calls with Cyber Scams

Two recent experiences I’ve had with sophisticated attacks – Be aware and protect your personal information.


Lucas Paulino

Investment Advisor - RBC Dominion Securities

April 28, 2026

Good Evening Readers,

Sharing a timely note on two encounters I’ve had with sophisticated phishing attacks. 

Not to worry - both were detected and reported, but these weren’t your everyday requests from a Nigerian prince or the “CRA”.

This is a timely update for two reasons. First, we recently added cyber security firms to the focus list after the March sell-off (PANW and CRWD). Second, RBC is hosting a webinar tomorrow evening with Andrew Kish, former CSIS Intelligence officer, on his experience with physical and cyber vulnerabilities. Details below.

 

Note - Due to a busier than normal schedule - Portfolio Reviews and Monthly Market update will be sent on May 2nd, a day later than normal.

Phishy email – but it’s coming from a legit email?

A few weeks ago, I woke up to a series of emails notifying me my Vimeo account had been restricted.

Red Flag #1: From 4:30 AM to 6:00 AM, I received 8 separate emails notifying me about the restriction… smells automated with a whiff of attempted urgency.

I proceeded with caution.

Here’s a snip of the email.

Vimeo email.jpg

Red Flag #2: Vimeo (or any legitimate company) is not going to forward me to an “advert-invoice” URL…

Here’s where I couldn’t put two and two together. 

Take a closer look at the email sender.

Vimeo zoom.jpg

Seems legit…

Did Vimeo get hacked? They have the blue checkmark… @vimeo.com seems legit?

And that’s just it.

To the naked eye, it looks like it’s from @vimeo.com and legitimate. Digitally, one of those letters is a symbol that looks very, very similar to a standard alpha-numeric character.

Maybe it’s the “i” in Vimeo…

Symbol.jpg

Thankfully, this smelt like a phishing email from the start.  I deleted the email, and blocked the sender.
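
A look-alike character in a sender domain can be caught by inspecting the code points instead of the rendered text. The Python below is an added example, not part of the original post; the sample addresses are constructed, and using Cyrillic U+0456 in place of the "i" is an assumption, since the post does not identify the character.

```python
import unicodedata

# Constructed samples: the second domain uses U+0456 (Cyrillic) instead of ASCII "i".
LEGIT = "Vimeo <no-reply@vimeo.com>"
SPOOFED = "Vimeo <no-reply@v\u0456meo.com>"

def script_of(ch):
    """Rough script label from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, dots, hyphens
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_sender(from_header):
    """Report non-ASCII characters and mixed scripts in a From: header's domain."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    domain = addr.rpartition("@")[2].lower()

    # Every character outside ASCII, with its code point and official name.
    non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                 for ch in domain if not ch.isascii()]
    scripts = sorted({script_of(ch) for ch in domain} - {"COMMON"})

    # The ASCII form actually used on the wire; look-alikes turn into "xn--" labels.
    try:
        wire_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        wire_form = None

    return {
        "domain": domain,
        "non_ascii": non_ascii,
        "scripts": scripts,
        "wire_form": wire_form,
        "suspicious": bool(non_ascii) or len(scripts) > 1,
    }

if __name__ == "__main__":
    for header in (LEGIT, SPOOFED):
        report = inspect_sender(header)
        print(report["wire_form"], report["scripts"], report["suspicious"])
        for ch, codepoint, name in report["non_ascii"]:
            print("   look-alike:", codepoint, name)
```

Many mail clients show the decoded Unicode form of the domain, which is why the two addresses look identical on screen while the wire form differs.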

I felt like I knew him - Social engineering call + email

This also occurred a few weeks ago. 

I received a normal looking email from an unknown source, offering and quoting me for marketing materials (Pens, golf balls, etc.)  Normal Gmail, regular appearance, and there was a PDF attached. 

Now - during the day, I typically ignore these and check them at the end of the day. I hadn’t even glanced at it until I received a phone call from “Tony”.

The individual was swift and charismatic, introduced himself and spoke to me like we knew each other for years. 

“We spoke in December just before Christmas remember. You mentioned you liked golf?”

Caught off guard, and whether it happened or not, I couldn’t remember if we did.  I receive promo offers on marketing materials.  He’s very confident we spoke in December. Everything seemed legitimate.

After a bit of back and forth, he asked me if I got his email and had a chance to look at it.  I said no, was in the middle of working on something but could look later.

He insisted it would only take a second, and to open the attached PDF to see the new offer.  Again, I said I could review later.  He insisted a second time “open the pdf”… Boom. Red Flag. As if the Cyber security light bulb in my head flickered on – I don’t know this guy, this isn’t what those promotional marketing emails look like…

I quickly just hung up. Tony tried calling back.  I reviewed deleted emails, and notes.  I’d never spoken to Tony or anyone at the phone number or email.

 

In all likelihood, without Tony calling, I would have seen the email had no reference to a legitimate website, nor had I previously spoken to Tony. With the social engineering of calling and speaking to me like I was his friend, he only needed me to believe him for a split second and open the PDF attachment.

Thanks to frequent mandatory training, I was able to detect these scams and prevent any incidents. I know not all readers have the same training, and I hope these experiences can help prevent you from falling victim to these phishing scams.

RBC DS is hosting an exclusive webinar on navigating today's evolving cybersecurity landscape, featuring expert-led insights on emerging online scams and practical mitigation approaches. Please contact me for registration details.


Personal Thoughts

When was the last time you heard about a Cyber Security breach at RBC?

The answer - you don't.

We, me included, overlook where the money goes from investment management costs. A portion of it goes to state of the art cyber security to keep client information confidential. Underrated if you ask me.

As always, if you have any questions or comments – let me know!

Much love to you and yours,

berta pic with polina.jpeg

Lucas Paulino

Investment Advisor

RBC Dominion Securities

200 Bay Street, 25th Floor, Royal Bank Plaza - South Tower

Toronto, ON M5J 2J2

Office: 416-842-4027 | Cell: 416-984-9865

About the Photo

We had the privilege of attending a friend's wedding this past weekend in Canmore, AB. Mountains are special, don't miss the chance to take a picture.