Scams and Scammers

1. GoFundMe reminds users to beware of scams - Click Here

2. US banks investigated over Zelle scams - Click Here

3. Scammers targeting home sellers, buyers alike - Click Here

4. FTC warns of airline customer service scam - Click Here

5. Postal workers conned by cyber scam are irate - Click Here

6. Real estate scams on rise - Click Here

7. Scammers target tax agencies for your information - Click Here

8. Amazon warns of new online shopping scams - Click Here

9. QR code scams can prove very costly to victims - Click Here

10. Postal workers conned by cyber scam are irate - Click Here

11. Fraud, scam cases increasing on Zelle, Senate report finds - Click Here

12. 'Geek Squad' email scam targets seniors - Click Here

13. Amazon warns of new online shopping scams - Click Here

14. Spot latest 'deepfake' investment scams - Click Here

15. Watch out for romance scams online - Click Here

16.

Advanced Fee Loan Scam
Threat actors can use phone numbers obtained from past data breaches and public records to randomly call or send messages, claiming to be members of a loan processing team and offering a loan that appears too good to be true. They may provide vague details, impose urgent demands, or require fees in advance for the purported loan, with the intent of stealing personally identifiable information (PII) and financial information, including Social Security numbers and bank account numbers.
The NJCCIC received reports of an advanced fee loan scam in which threat actors posed as lenders, guaranteed the loan approval without official credit checks, offered low rates or fees, and asked for money upfront. The victims submitted a supposed loan application and paid a deposit via peer-to-peer money transfer platforms typically used with these scams. The deposits were nominal due to a false claim of a low credit score or based on a percentage of the fake loan amount. In one scam, the victim applied for a loan and paid a $1,350 deposit via Zelle. In another scam, the victim was offered a several million-dollar loan with a reasonable rate and a four percent deposit. Once the victims paid the deposits, the so-called lenders stole their information and funds and never responded to the victims’ subsequent inquiries. Threat actors can use this stolen information to impersonate victims, apply for loans or lines of credit, access bank accounts, and steal additional funds.
Recommendations
  • Refrain from responding to communications, opening attachments, and clicking links from unknown senders, and exercise caution when communicating with known senders.
  • Research lenders thoroughly and check reviews to ensure the lender is legitimate before providing sensitive information.
  • If funds are unintentionally wired to a fraudulent account, immediately notify the financial institution, the FBI, and the US Secret Service so that attempts can be made to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.
  • Report these types of scams to the FTC, FBI’s IC3, and the NJCCIC.
  • If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

17.

Direct Deposit Scams Continue
In direct deposit or payroll diversion scams, threat actors research the targeted organization and identify an employee to impersonate. They typically register a free email address using the employee’s name and use display name spoofing in the messages. In some cases, they compromise the employee’s email account to avoid suspicion. Then the threat actors email payroll, finance, or human resources departments to request direct deposit changes and the applicable forms. Sometimes, the threat actors locate direct deposit change forms online and include the filled-out forms in the email. Their goal is to redirect the employee’s direct deposit to an account under the threat actor’s control.
The NJCCIC continues to receive multiple reports of direct deposit scams, primarily targeting educational institutions. However, all organizations, regardless of sector, are at risk. In one incident, threat actors created a Google Gmail account, impersonated an employee, and attempted to change the direct deposit account information. They sent an email with a blank subject line and content containing “Good Morning, Hope you’re having a great day. Before the next payroll will be issued, I need to replace the account where my most recent deposit was made due to a bank change. What information is required?”
In another incident, threat actors impersonated an employee and emailed the finance department with a subject line of “New Account Info.” The email contained, “I am currently experiencing issues logging into the [redacted] portal, as I am being redirected to the homepage with a blank page. Therefore, I can provide my new banking information for the update. Here is the voided check with my new bank details for the change. Please cancel the previous account and use the new details provided below [redacted bank information].”
In the examples above, the requests to change direct deposit information were easily identified as scams. However, in another direct deposit scam, threat actors intended to compromise an employee’s account to impersonate them and avoid suspicion. They contacted the organization’s help desk to request a password and multi-factor authentication (MFA) reset in a successful social engineering attack. The threat actors gained unauthorized access to the employee’s account and emailed a direct deposit change request to the payroll department. The payroll employee initiated the change based solely on the email request, deviating from the organization’s established policy. Additionally, to evade detection, the threat actors created an inbox rule to delete emails containing “direct deposit” automatically. However, the organization’s security monitoring solution detected the rule promptly, and the account was locked.
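The inbox rule described above, which silently deleted mail containing “direct deposit”, is the kind of artifact mailbox audit logging can surface. The following is an added example, not NJCCIC or vendor code: it scans constructed audit records shaped like Exchange Online New-InboxRule/Set-InboxRule entries (the field names are an assumption; adapt them to your mail platform) and flags rules that hide payroll-related mail.

```python
"""Flag newly created mailbox rules that silently hide payroll-related mail.

Added example, not NJCCIC or vendor tooling. The records are constructed and
follow the general shape of Exchange Online unified audit log entries for
New-InboxRule / Set-InboxRule (an assumption: adapt the field names to your
mail platform's audit format).
"""
import json

# Words a payroll-diversion actor would want hidden from the mailbox owner.
PAYROLL_TERMS = ("direct deposit", "payroll", "bank change", "new account")

# Rule actions that make matching mail disappear or go unnoticed.
HIDING_PARAMS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")

# Rule conditions whose values are the text the rule matches on.
TEXT_MATCH_PARAMS = ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords")


def rule_parameters(record):
    """Return {ParameterName: Value} for the rule parameters in one audit record."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_suspicious_rule(record):
    """True when a new or changed inbox rule hides mail mentioning payroll terms."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_parameters(record)
    hides_mail = any(params.get(p) not in (None, False, "", "False") for p in HIDING_PARAMS)
    matched_text = " ".join(str(params.get(p, "")) for p in TEXT_MATCH_PARAMS).lower()
    mentions_payroll = any(term in matched_text for term in PAYROLL_TERMS)
    return hides_mail and mentions_payroll


def scan_audit_log(lines):
    """Return (user, rule name, operation) for every suspicious rule in JSON-lines input."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if is_suspicious_rule(record):
            params = rule_parameters(record)
            hits.append((record.get("UserId"), params.get("Name"), record["Operation"]))
    return hits


# Constructed sample: one deletion rule keyed on "direct deposit", one benign
# newsletter rule, and one rule that only marks payroll mail as read.
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "jdoe@example.org", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;payroll"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "asmith@example.org", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "Set-InboxRule", "UserId": "jdoe@example.org", "Parameters": [{"Name": "Name", "Value": "Payroll"}, {"Name": "SubjectContainsWords", "Value": "Direct Deposit"}, {"Name": "MarkAsRead", "Value": "True"}]}
"""

if __name__ == "__main__":
    for user, rule_name, operation in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f"ALERT {operation} by {user}: rule {rule_name!r} hides payroll-related mail")
```

Alerting on rule creation rather than on the deleted mail matters here because, once the rule exists, the victim never sees the payroll department's confirmation.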
Organizations, especially employees in payroll, finance, or human resources departments, are advised to watch for several red flags in direct deposit scams. First, the request’s authenticity is questionable when the sender’s display name does not match the email address. Threat actors may also create urgency to speed up the process and use phrases such as “This is urgent” or “Please make the change immediately.” Additionally, if the request includes a form attachment, it may contain errors, the Social Security number may be incorrect, or the signature may be suspicious. Furthermore, the request may not include the voided check that is typically recommended.
Recommendations
  • Refrain from responding to messages, opening attachments, and clicking links from unknown senders, and exercise caution with emails from known senders.
  • If correspondence contains changes to bank information or is otherwise urgent or suspicious, contact the sender via a separate means of communication—by phone using contact info obtained from official sources or in person—before taking action. 
  • Implement security controls that help prevent account compromise, including establishing strong passwords and enabling multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. 
  • Organizations are advised to implement strict verification processes and procedures to prevent unauthorized direct deposit changes, such as requiring direct deposit forms accompanied by a voided check or bank encoding form, verbal or in-person agreement from the requesting employee, and multiple approvals for the change request.
  • Organizations are advised to educate their helpdesk and IT personnel on the tactics used by cyber threat actors to gain unauthorized access to accounts. Review and secure email and payroll systems for vulnerabilities and keep them up to date.


18.

Social Security Administration Phishing Emails
The NJCCIC received reports of Social Security Administration (SSA) phishing emails, consistent with the SSA’s scam alert earlier this month. The emails contain SSA branding to appear legitimate and claim to be from the SSA. However, upon further inspection, they were sent from non-.gov top-level domains (TLDs) with the sender’s display name as “Social Security administration.” The subject line displays, “Your benefits statement is now available for download.” The emails create urgency to convince potential victims to download and review their Social Security statements immediately to ensure uninterrupted access to their benefits and prevent processing delays. The emails also instruct potential victims to click the “Download Statement” button and install the required file specifically on PC/Windows systems. If clicked and installed, sensitive information and devices may be at risk.
These communications are not legitimate, as the SSA will not ask for personally identifiable information (PII), including Social Security numbers or dates of birth, or financial information via email, phone, or text message. Also, the SSA will not threaten to suspend your Social Security number, demand immediate payment, warn of legal action, download “secure” software, or request permission to access your device.
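The display-name red flag from the direct deposit section above (an employee’s name on a free-mail address) and the SSA pattern here (an agency name on a non-.gov domain) are the same check. The following added example, not NJCCIC or vendor tooling, scores a message against a constructed trusted-identity directory and the urgency and bank-change phrases quoted on this page; the employee name, domains, and sample messages are assumptions.

```python
"""Score inbound mail for display-name impersonation and bank-change pretexts.

Added example, not NJCCIC or vendor tooling. It covers two patterns from this
page with one check: an employee's name on a free-mail address asking payroll
for a bank change, and a government agency's name on a non-.gov domain. The
directory, domains and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed trusted-identity directory: normalised display name -> domains
# that may legitimately carry it. "*.gov" stands for any .gov domain.
TRUSTED_IDENTITIES = {
    "jane doe": {"example.org"},                    # hypothetical employee
    "social security administration": {"*.gov"},    # agency named on this page
}

FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "icloud.com", "yahoo.com"}

# Phrases quoted or paraphrased from the scam messages described on this page.
URGENCY_PHRASES = ("this is urgent", "immediately", "before the next payroll",
                   "uninterrupted access")
BANK_CHANGE_PHRASES = ("direct deposit", "bank change", "new banking information",
                       "voided check")


def domain_allowed(domain, allowed):
    """True if domain matches an allowed entry; '*.gov' matches any .gov domain."""
    for pattern in allowed:
        if pattern.startswith("*."):
            if domain == pattern[2:] or domain.endswith(pattern[1:]):
                return True
        elif domain == pattern:
            return True
    return False


def analyse_message(raw):
    """Return the red flags found in one RFC 822 message (single-part text assumed)."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name = re.sub(r"\s+", " ", display).strip().lower()
    subject = (msg.get("Subject") or "").strip()
    body = str(msg.get_payload()).lower()
    flags = []
    allowed = TRUSTED_IDENTITIES.get(name)
    if allowed is not None and not domain_allowed(domain, allowed):
        flags.append(f"display name '{display}' sent from unexpected domain '{domain}'")
    if domain in FREE_MAIL_DOMAINS and any(p in body for p in BANK_CHANGE_PHRASES):
        flags.append("bank-change request from a free-mail domain")
    if not subject:
        flags.append("blank subject line")
    if any(p in body for p in URGENCY_PHRASES):
        flags.append("urgency language")
    return flags


# Constructed sample messages modelled on the ones quoted on this page.
DIRECT_DEPOSIT_SAMPLE = """From: Jane Doe <jane.doe.work@gmail.com>
To: payroll@example.org

Good Morning, Hope you're having a great day. Before the next payroll will be issued, I need to replace the account where my most recent deposit was made due to a bank change. What information is required?
"""

SSA_SAMPLE = """From: Social Security administration <statements@ssa-benefits-portal.example>
To: user@example.org
Subject: Your benefits statement is now available for download

Download and review your Social Security statement immediately to ensure uninterrupted access to your benefits.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.org>
To: payroll@example.org
Subject: Timesheet question

Hi, could you confirm the cutoff date for this month's timesheets? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("direct deposit", DIRECT_DEPOSIT_SAMPLE),
                          ("SSA", SSA_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, "->", analyse_message(sample) or ["no red flags"])
```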
Recommendations
  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Exercise caution with communications from known senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Navigate to official websites, such as the SSA, by typing official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Confirm the legitimacy of the requests by contacting the SSA directly through their official website.
  • Report these fraudulent scams to the SSA, the FBI’s IC3, and the NJCCIC.


19.

Uptick in Employment Scams
The NJCCIC observed an uptick in employment scams that target and exploit individuals seeking employment. Threat actors first perform reconnaissance on their targets, gathering information from various sources, such as past data breaches, publicly disclosed data, social media profiles, and data purchased on the dark web. They communicate with their targets via emails, text messages, WhatsApp, or Telegram to initiate conversations about purported job opportunities created from legitimate job postings. They may also create and post fraudulent job postings or profiles through trusted professional online employment boards and websites, such as LinkedIn, CareerBuilder, Indeed, and Monster, or via social media platforms like Facebook. They typically impersonate legitimate employers and recruiters and spoof legitimate domains. The threat actors express interest in the target’s compatibility for a vacant position and attempt to ascertain the target’s willingness to explore the opportunity further.
The NJCCIC’s email security solution detected an employment scam in which threat actors use the legitimate Xero platform to create a trial organization to quickly send large amounts of spam emails before they are detected and shut down. In the above campaign, the threat actors impersonate Coca-Cola and incorporate their branding. The email contains a link with the Coca-Cola name in the URL, but it does not direct to Coca-Cola’s official website. Instead, it directs the target to a malicious website that prompts them to update their browser. If clicked and installed, sensitive information and devices may be at risk.  
Threat actors also impersonate legitimate employers and recruiters through multiple random text messages in the hope that their target is an interested job seeker. In the above campaign, the text message outlines the position's benefits, including remote work, flexible hours, and a potential average daily pay ranging from $300 to $900 or more. To avoid detection, they often request to continue the conversation on a chat platform like WhatsApp or Telegram. Legitimate employers do not typically request that applicants communicate or send information through instant messaging platforms.
The NJCCIC also received multiple reports of threat actors creating fake profiles on LinkedIn, impersonating employers and recruiters, and sending direct messages to potential victims regarding fraudulent job postings. The messages ask interested targets to provide their email addresses and resumes. If there is no response, the threat actors sometimes attempt to contact their targets via email and phone.
Once contact with a target in these employment scams is established, the threat actors often request information as part of the application process or job offer. They intend to steal personally identifiable information (PII) or monetary funds, potentially committing identity theft and launching other cyberattacks. They may conduct fake online interviews to inquire about work experience, salary expectations, and other typical employment concerns. Threat actors may ask for personal information or request their target to pay processing or application fees, training, or background checks. They may also send fraudulent invoices for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement. In some instances, they also partake in fraudulent check scams via mail to cover all or a portion of the job-related fees or expenses. Until the fraudulent check supposedly clears, threat actors pressure their targets to start the job immediately and insist they front the money, resulting in monetary losses.
Key suspicious indicators of employment scams include vagueness from the purported employer or recruiter about the position, the job sounding “too good to be true,” and upfront requests for personal and financial information, such as a Social Security number, a driver’s license number, or banking information for direct deposits. Threat actors may also create urgency to respond or accept a job offer. The use of unofficial communication methods, including personal email accounts, non-company email domains, teleconferencing applications, and apps like WhatsApp, Telegram, Signal, or Wire, is also a red flag.
Besides targeting job seekers, threat actors also target corporate human resources departments and recruiters to steal account credentials and funds. They abuse legitimate message services and job platforms to apply for real jobs. Researchers discovered the financially motivated Venom Spider threat group sending spearphishing emails to the hiring manager or recruiter. These emails contain links directing them to download the purported resume from an external website. The threat actors insert a CAPTCHA box to create legitimacy and bypass security controls. They then drop a backdoor called More_eggs and use server polymorphism to deliver the payloads and evade detection and analysis.
Recommendations
  • Refrain from clicking links and opening attachments from unknown senders, and exercise caution with communications from known senders.
  • Examine potential offers by contacting the company’s human resources department directly via official contact information and researching potential employers online to determine if others have reported a scam.
  • Navigate to websites directly for authentic job postings by manually typing the URL into a browser instead of clicking on links delivered in communications to ensure the visited websites are legitimate.
  • Refrain from contacting or clicking on unknown telephone numbers found in unsolicited messages or pop-up notifications.
  • Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds.
  • Review additional information on job scams on the FTC’s website.
  • Report malicious cyber activity to the FTC, the FBI's IC3, and the NJCCIC.
  • If victimized, report the scam directly to the respective employer or employment listing service.
  • If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.

20.

Threat Actors Continue to Exploit and Capitalize on the Travel Industry
As the unofficial summer travel season is underway, many people will be busy with upcoming travel plans. Threat actors will also be busy performing reconnaissance, exploiting vulnerabilities, and capitalizing on travel websites and accounts. They continue to create spoofed travel website domains or attempt to exploit and compromise legitimate travel websites or accounts. Threat actors deceive potential victims using social engineering tactics, such as impersonation, phishing, pretexting, or creating urgency. Travel fraud can appear as manipulated destination photos, fake confirmation links, irresistible offers, or discounted travel.
The NJCCIC’s email security solution detected multiple spam campaigns sent to New Jersey State employees. The above campaign appears to be from a travel and expense management website that claims to find the lowest prices on flights, hotels, and car rentals. These unsolicited communications typically push unwanted advertising, collect personally identifiable information (PII), steal funds, or distribute malware.
In a separate campaign, threat actors compromised a travel savings card website and emailed potential victims to book their next getaway using their travel savings balance. The subject line specifies that their travel savings balance is available. Other subject lines in this campaign reference “summer is calling,” “beach vacations booking fast,” “deals you don’t want to miss,” and “new month, new deals!” The threat actors attempt to convince their targets to click the “Login Now” button, which directs users to a landing page that prompts them to log in using their Google account credentials. Further analysis indicates this campaign includes stealer malware to exfiltrate credentials and data.

Additionally, the proliferation of artificial intelligence (AI) threatens the travel industry. In 2024, travel was the most attacked industry by advanced bots, accounting for 27 percent of all bot attacks, up from 21 percent in 2023. Threat actors can create and deploy malicious bots, create spoofed websites, generate fake reviews and articles, craft sophisticated phishing emails, exploit vulnerabilities, hijack accounts, and exfiltrate data. They have increasingly created fraudulent websites that impersonate official government pages for passports, visas, and TSA PreCheck. Travelers are at risk of fraud, misinformation, and malicious intent when planning or managing trips and itineraries; therefore, they should remain vigilant and employ cybersecurity best practices to help protect themselves from identity theft, financial loss, and disrupted travel.

Recommendations
  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Exercise caution when searching for or visiting travel websites, as threat actors strategically use SEO poisoning to cause malicious websites to appear at the top of search engine result pages.
  • Research travel websites thoroughly and check reviews to ensure they are legitimate before providing sensitive information.
  • Type official website URLs into browsers manually and only submit account credentials or sensitive information on official websites.
  • Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint so threat actors cannot easily target you.
  • Keep systems up to date and apply patches after appropriate testing.
  • Review the Cyber Safe Travel Tips NJCCIC product for more information about devices, accounts, networks, vehicles, and international travel security.
  • Report phishing emails and other malicious cyber activity to the FBI's IC3 and the NJCCIC.


21.

Vishing Scams: Who is Really Calling You?
The NJCCIC continues to receive reports of fraudulent phone calls in vishing scams. Typically, threat actors acquire publicly available information found online and impersonate specific organizations or individuals. They contact the recipient to extort money or convince their targets to divulge sensitive information, grant access to their accounts or devices, or purchase fraudulent goods or services. In one report, an educational institution received repeated suspicious phone calls from different phone numbers, including spoofed official ones, to appear legitimate. The threat actors claimed to be “Online IT Training” and asked for the head of the information technology department. When questioned, the threat actors could not respond “off script.”

Threat actors are increasingly leveraging voice cloning and artificial intelligence (AI) technologies to carry out impersonation and extortion scams. They can find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, such as family emergencies, kidnappings, robberies, or car accidents. In one reported vishing scam, the threat actors impersonated the target’s daughter, claiming to be involved in a car accident. A male voice was also on the line, claiming to be a local law enforcement officer and reporting that the daughter supposedly admitted to using her cell phone while driving. He indicated that she was being held for charges of injuring the other driver, who was pregnant. The purported officer stated that a bail bond agent would contact them to post bail. Minutes later, a male caller posing as a bail bond agent contacted the target to indicate bail was set at $15,000 cash only and threatened not to tell anyone because it would go on the daughter’s permanent record. After hanging up with the threat actors, the target called their daughter to confirm the call’s legitimacy before going to the bank. The daughter revealed she was not on the call or involved in a car accident.

Recommendations
  • Refrain from answering unexpected calls from unknown contacts.
  • When receiving unsolicited phone calls, do not respond to any requests for sensitive information, access, or money.
  • If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, hang up and call the organization back using the official phone number found on their website.
  • Block and delete unsolicited or suspicious phone numbers received on cell phones or other devices, if possible.
  • Establish a password with important contacts, such as loved ones, employers, and coworkers, and request it if suspicious inquiries are made by individuals claiming to represent them.
  • Report vishing scams and other malicious cyber activity to the FBI's IC3 and the NJCCIC.
  • If you or someone you know is being physically threatened, contact your local police department or dial 9-1-1 immediately.


22.

Uptick in Job SMiShing Campaigns
The NJCCIC recently reported an uptick in employment scams in which threat actors initiated contact through emails, text messages, WhatsApp, Telegram, reputable online employment boards and websites, and social media platforms. Since this reporting, the NJCCIC observed an uptick in job SMS text phishing (SMiShing) campaigns that exploit potential victims seeking employment. In this latest wave, threat actors pose as legitimate recruiters from trusted employers or professional online employment boards and websites. They send multiple random direct text messages from various non-company email domains, such as free email accounts like Gmail, Hotmail, and iCloud.
The various campaigns highlight the position's description and benefits, such as remote location, flexible hours, paid time off, health insurance, retirement plans, free training, and compensation, including potential daily pay, base pay, and bonuses. Threat actors create urgency to respond to a job opportunity that sounds “too good to be true,” such as “we’re opening just 5 spots,” as indicated in the above campaign. They advise interested potential victims to learn more about the job opportunity by texting a specified phone number in the chat platform. In some campaigns, they advise moving to another chat platform like WhatsApp or Telegram. Legitimate employers and recruiters do not typically request that applicants communicate or send information through chat platforms.
Recommendations
  • Refrain from clicking links and opening attachments from unknown senders, and exercise caution with text messages from known senders.
  • Examine potential offers by contacting the company’s human resources department directly via official contact information and researching potential employers online to determine if others have reported a scam.
  • Navigate to websites directly for authentic job postings by manually typing the URL into a browser instead of clicking on links delivered in text messages to ensure the visited websites are legitimate.
  • Review additional information on job scams on the FTC’s website.
  • Report these scams and malicious cyber activity to the NJCCIC, the FBI's IC3, and the FTC.
  • If victimized, report the scam directly to the respective employer or employment listing service.
  • If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.

23.

Imposters Among Us: Charity Scams After Disasters Strike
In light of several recent natural disasters, the NJCCIC reminds users to exercise caution and conduct due diligence before donating funds. Cybercriminals often exploit the compassion and generosity of the public by conducting fraudulent schemes to steal funds and credentials in the aftermath of tragic events. Individuals seeking to donate to relief efforts are targeted in charity scams initiated by threat actors using social engineering tactics through emails, SMS text messaging, phone calls, and direct messages via social media. They often create a sense of urgency and may impersonate reputable organizations. For example, display name spoofing may be used in phishing emails to appear as though they are sent from a known or trusted charity in an attempt to convince the potential donor to open an attachment or a link that directs them to a spoofed website impersonating the legitimate charity.
Although many legitimate organizations call to solicit donations, potential donors are advised to take the time to research the charity properly, understand who they are and their cause, and where the funds are directed before donating. Also, search the name of the charity to determine if there are any bad reviews, complaints, scams, or fraud associated with the charity. Credit card payments offer more consumer protections and are easier to track than payments of gift cards, wire transfers, cash, or cryptocurrency. Additionally, donations are not recommended through payment apps, such as Venmo, CashApp, or Zelle, as funds through these apps should only be sent to known and familiar individuals, such as family and friends.
Recommendations
  • Refrain from clicking links, opening attachments, providing monetary funds, or sharing sensitive information with unverified channels.
  • Navigate directly to URLs and verify the legitimacy of the charity before donating.
  • Use a resource, such as Charity Navigator, that profiles legitimate charities. Charity Navigator provides charity details under the following categories: impact and measurement, accountability and finance, culture and community, and leadership and accountability.
  • For additional information and guidance, visit the following resources: the Federal Trade Commission (FTC)’s Before Giving to a Charity and How to Donate Wisely and Avoid Charity Scams articles.
  • Report charity scams and other malicious cyber activity to the NJCCIC, the FBI's IC3, and the FTC.


24.

Wayne Urgent Message

Wayne Township Urgent Message: We are aware that scammers are using "Wayne Township" caller ID to target residents. Wayne Township will not call you regarding solar energy. Hang up on these callers and do not give out personal information.


Wayne Police Department
475 Valley Road, Wayne, NJ 07470
waynetownship.com
973-694-0600

A Bee Note: If you get a call about solar energy with "Your Municipality" on your caller ID, just hang up. See the above information, which references "Wayne Township" in New Jersey.

25. Scammers using fake phone numbers - Click Here

26. BBB warning of new passport renewal scams - Click Here

27.

Uptick in Fraudulent Unemployment Insurance Claims
The NJCCIC received reports of an uptick in fraudulent New Jersey Department of Labor and Workforce Development Unemployment Insurance (UI) claims, primarily targeting public sector education employees who are still employed. The availability of employee information posted on official websites or social media platforms, combined with personally identifiable information (PII) exposed in past data breaches or sold on the dark web, enables threat actors to apply for and collect UI benefits illegally.
Victims may not be aware that fraudulent UI benefits applications are being attempted under their name until they try to apply for UI benefits and are denied or rejected because a claim has already been filed under their name, or they receive a determination letter indicating that an application has been received under their name, but they did not apply for UI benefits. Additionally, a current or former employer may notify the victim that a claim has been submitted with their PII.
Recommendations
  • Reduce your digital footprint so threat actors cannot easily target you.
  • If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.
  • Suspected unemployment insurance fraud can be reported to the New Jersey Department of Labor and Workforce Development via their Report Fraud online form or by phone at 609-777-4304.
  • Report malicious cyber activity to the NJCCIC, the FBI's IC3, and the FTC.

28.

Phishing Campaign Impersonates Social Security Administration
The NJCCIC identified a phishing campaign impersonating the Social Security Administration. The email notifies the user that their "Social Security Statement" is available online and instructs them to click the included link to access the statement. 
This link leads to a webpage, hxxp://getssafile[.]help/sxa/, that displays stolen Social Security Administration branding and instructs users to download an executable file to view instructions. 
The executable attempts to download a remote monitoring and management tool, which cyber threat actors can use to gain unauthorized access and take control over systems to install additional malware, access sensitive information, deploy ransomware, and more. Known, trusted organizations are often impersonated by cyber threat actors in social engineering schemes to convince users to take actions that enable the threat actor's ultimate goals. 
Recommendations
  • Verify communications before clicking links delivered in emails. Government communications will be sent from official email accounts, and the included links will direct users to government websites. 
  • Log in to official account websites or apps to access documents or statements.
  • Do not download files from unofficial or unverified sources.
  • Run an updated, reputable anti-malware program on all devices.
  • Report suspected phishing communications to the impersonated agency, the NJCCIC, and the FBI's IC3.

29. State attorney general warns of SNAP benefit scams - Click Here

30.

Calendar Invites Increasingly Used in Social Engineering Schemes
The NJCCIC is aware of a social engineering scheme in which threat actors are contacting individuals by phone and impersonating representatives of the NJ Division of Pensions and Benefits. In addition to contacting individuals by phone, they send calendar invites via email using the Calendly scheduling tool. A similar scheme was reported in which a user’s email account had been compromised, and threat actors were using the account to send calendar invites to their contacts.
Threat actors use calendar invites in phishing campaigns as they are more likely to bypass email security filters and be delivered to end-user inboxes. The contents of the calendar invite may include phishing links to malicious websites that request sensitive information or account login credentials, or attachments used to install malware. The motivations behind these schemes may vary and include gathering personal information for identity theft purposes, stealing funds through financial scams, obtaining remote access to the individual’s system, downloading malware, and more.
Recommendations
  • Refrain from opening unexpected meeting invites without verifying their legitimacy with the sender via a separate means of communication.
  • Avoid opening attachments or clicking links delivered in meeting invites, even those from known contacts, unless they are expected and in line with an established relationship.
  • Notify your organization’s IT department if you believe you received a suspicious calendar invite or if you clicked on a link or opened an attachment and suspect the communications may be malicious.
  • Review the Rapid7 blog post, When Your Calendar Becomes the Compromise, for more information on this attack vector.

31.

Remotely in Debt
The NJCCIC has observed an uptick in the use of debt collection lures that trick users into downloading potentially malicious software. In a recent phishing campaign, users received an email claiming they owed a debt. If a user clicks the link in the email, they are redirected to an intermediate PDF hosted on Google Drive. This PDF directs them to download Syncro MSP, a legitimate remote monitoring and management (RMM) software. However, it can also function as a remote access trojan (RAT), allowing threat actors to gain remote access. Threat actors continue to leverage these legitimate programs as they are less likely to trigger security alerts.
A similar campaign downloads and installs LogMeIn Resolve, a Unified Endpoint Management (UEM) and RMM tool that is designed for IT administration. These campaigns claim to originate from well-known companies and feature urgent-sounding subjects to persuade unsuspecting users to follow their instructions. 
  • Item shared with you: "Urgеnt Rеmindеr Postеd -- Rеsolvе Instаntly"
  • Item shared with you: ">> Criticаl! Finаl Notice >> Аct Immеdiаtely - Notification_1DM5500JEFSLN4ILA0"
  • Item shared with you: ">> Attention! Pаyment Demаnd >> Cleаr Bаlаnce - Notification_ZAO2I54UI3MM6TSKB5U3K7"
  • Item shared with you: "Collеction Lеttеr Sеnt -- Аddrеss Promptly"
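The subject lines above substitute Cyrillic look-alike letters for Latin ones in words such as "Urgent" and "Act", which defeats naive keyword filtering. As an added example (not NJCCIC code), the following Python flags subjects that mix scripts within a single word and maps the look-alikes back to Latin for matching; the sample subjects are constructed to mirror those above, and the confusables table is a hand-picked subset, not the full Unicode list.

```python
"""Flag email subject lines that mix Cyrillic look-alike letters into Latin words.

Added example, not NJCCIC code. The sample subjects below are constructed to
mirror the lures above; Cyrillic letters are written as escapes so the
substitution is visible in the source.
"""
import re
import unicodedata

# Cyrillic letters visually confusable with Latin letters.
# Assumption: a hand-picked subset sufficient for the lures discussed here,
# not an exhaustive mapping.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

WORD_RE = re.compile(r"\w+")


def script_of(ch):
    """Return the script name ('LATIN', 'CYRILLIC', ...) for a letter, else None."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None


def mixed_script_words(text):
    """Return the words whose letters come from more than one script."""
    flagged = []
    for word in WORD_RE.findall(text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def normalize_confusables(text):
    """Map confusable Cyrillic letters to their Latin look-alikes so keyword rules match."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_subject(subject):
    """Return the flagged words, the normalized subject and a verdict."""
    words = mixed_script_words(subject)
    return {
        "mixed_script_words": words,
        "normalized": normalize_confusables(subject),
        "suspicious": bool(words),
    }


# Constructed samples modeled on the lures above (not copied from real emails).
SAMPLE_SUBJECTS = [
    'Item shared with you: "Urg\u0435nt R\u0435mind\u0435r Post\u0435d -- R\u0435solv\u0435 Inst\u0430ntly"',
    'Item shared with you: ">> Critic\u0430l! Fin\u0430l Notice >> \u0410ct Imm\u0435di\u0430tely"',
    'Item shared with you: "Quarterly report Q3 draft"',
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        r = analyze_subject(s)
        print(r["suspicious"], r["mixed_script_words"], "->", r["normalized"])
```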
Recommendations
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Block remote access tools except those used by the organization for legitimate uses.
  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Keep systems up to date and apply patches after appropriate testing.
  • Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Report phishing and other malicious cyber activity to the NJCCIC and the FBI's IC3.


32.

Beware of Fraudulent Digital Asset Purchases
The NJCCIC observed multiple Telephone-Oriented Attack Delivery (TOAD) campaigns targeting New Jersey State employees that purported to be legitimate notifications for purchases of digital assets or currencies. In one campaign, the email content lacks relevant context to the subject line phrases, such as “new log needs confirmation” or “update waiting for review.” The emails come from suspicious domains or out-of-country top-level domains (TLDs) and may contain an Adobe PDF attachment detailing the PayPal purchase. Another red flag is a purchase notification that is not personalized but sent to multiple recipients. Threat actors may add recipients in the “Bcc” field to appear more legitimate or circumvent some security filters that might identify emails sent to an extensive list in the “To” or “Cc” fields. In this campaign, threat actors create urgency by including a phone number if the target requires immediate assistance within the next 24 hours to dispute the “590.99$ USD” PayPal transaction. If the target calls the phone number, the threat actors impersonating a security team representative convince them to divulge sensitive information, such as account credentials or financial details, or download malicious software or a supposed remote support tool, which enables the threat actors to gain access to the device.
In a similar TOAD campaign, the subject line displays “your digital shield is now operational” and lacks relevant context to the email, which claims to be a Bitcoin purchase of “348.87 USD” via PayPal. The fraudulent transaction is part of an automated recurring purchase program or a monthly subscription. Threat actors provide a phone number for the target to cancel future automatic purchases or make changes within 24 hours.
In a separate campaign, the emails claim to be a Bitcoin purchase awaiting approval due to a previous transaction of “USD 767.69” reaching the maximum approved limit for a 24-hour period. They also include a billing support phone number for the target to call if they require assistance or wish to review the transaction details. Additionally, the fraudulent emails are disguised as WordPress notifications from the legitimate “comment-reply[@]wordpress[.]com” email address that facilitates blog comment notification and reply features. The threat actors abuse this service, hoping that their target will respond to the “posted” fraudulent purchase, either by calling the phone number or replying as a comment.
Recommendations
  • Refrain from clicking links, opening attachments, responding to, or acting on communications from unknown senders.
  • Exercise caution with unsolicited communications from known senders or legitimate platforms.
  • Scrutinize messages, especially those with urgent language or confirmation of updates, changes, or requests.
  • Confirm messages from senders by verifying their contact information obtained from trusted and official sources before taking action, such as clicking on links or opening attachments.
  • Type official website URLs into browsers manually and only submit account credentials, personal information, or financial details on official websites.
  • Refrain from downloading or installing software from unknown sources.
  • Keep systems and browsers up to date.
  • Monitor accounts and statements for any unauthorized activity.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

33.

Don’t Evilginx Yourself
The NJCCIC has recently identified a campaign using Adversary-in-the-Middle (AiTM) techniques to harvest user credentials for account compromise. Threat actors behind this campaign employ various lures to persuade targets to open the supplied file or click the provided link. Some messages claim to be a final document to review or a proposal based on a recent conversation, while others claim to be a link for a pending voicemail.
Following the PDF or link leads users to a proxied Microsoft login page. After entering an email address, the webpage displays the organization's Azure Active Directory (AAD) branding. Credentials, along with 2FA tokens and session cookies, are captured in real time through the Evilginx framework, which was originally designed as a legitimate software tool for stress-testing a company’s security against phishing attacks.
Recommendations
  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Users should only submit account credentials on official websites.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • If you suspect an account has been compromised, change the account's password immediately and add a secondary authentication method.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

33.

Action Not Required: The IT Help Desk Scam
Threat actors often impersonate IT support to deceive their targets into disclosing account credentials and installing malware. They usually lure with urgent emails related to account issues, such as expired passwords, full mailboxes, and security alerts. Threat actors send emails containing fraudulent links, malicious attachments, or fake phone numbers to initiate data theft or gain remote access to compromise systems and networks. Key red flags include urgent threats, generic greetings, mismatched senders, and requests for sensitive information.
The NJCCIC observed an IT help desk scam targeting New Jersey public sector organizations, including New Jersey State employees and educational institutions. The phishing email’s display name shows “INFORMATION_SERVICES,” implying an internal communication. However, the email is marked with an external tag and comes from a generic Gmail email address that references Steve Jobs and tech. The subject line invites the target to open a file attachment supposedly from the IT (help) desk, and the email contains a misspelled “[impersonated organization name] Mictosoft Office365.pdf” attachment.
If the attachment is opened, the content displays urgent messaging from the impersonated organization’s IT Help Desk, claiming that the target’s password will expire in 24 hours, and they will lose access to their email if they do not follow the instructions. The threat actors instruct the target to update their password immediately by copying the link to their web browser, signing in, and verifying their identity.
If the target copies the link to their browser, a WordPress phishing page is displayed, prompting them to enter their name, email address, password, and phone number. If submitted, the threat actors capture and steal the account credentials in the background. To bypass multi-factor authentication (MFA) and compromise the account, the threat actors initiate the “verification process” by calling the target and claiming they need to verify their identity. In the background, the threat actors submit the stolen credentials on the official organization’s website or application, which then prompts the MFA code to be sent via phone call or a message to the target’s registered device, or an MFA push notification to be sent for approval. Once the target reveals the code or approves the notification, the threat actors can access the account. This “verification process” is not initiated by the target and is considered a red flag. Legitimate IT help desks will never initiate contact with users via email or over the phone to request or demand sensitive information, passwords, MFA codes, or MFA push notification approvals.
Additionally, impersonation and branding are utilized throughout this campaign, but may not be consistent, possibly due to an error by the threat actors. For some emails, the spoofed organization is not associated with the target’s own organization, logos, IT help desk, or domain name. For example, threat actors spoofed one organization in the attachment, but a different organization appeared on the phishing page.
Recommendations
  • Exercise caution with unsolicited communications from known senders.
  • Confirm requests from senders by verifying their contact information obtained from trusted and official sources before taking action, such as opening attachments or clicking on links.
  • Hover over links in emails or attachments to view the actual destination URL before clicking.
  • Type official website URLs into browsers manually and only submit sensitive information on official websites.
  • If you receive password resets, MFA codes, or MFA push notifications without initiating the request, ignore the code or deny the request and change the account password immediately via the official organization’s website or application to prevent further login attempts and MFA push notification requests.
  • For organizations, implement monitoring and warning mechanisms to detect suspicious MFA prompt activity. Limit the number of MFA authentication requests per user within a specified time period, if this option is available. If thresholds are exceeded, temporarily lock the account and alert the domain administrator.
  • Keep systems and browsers up to date.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.
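The monitoring and threshold control recommended above can be prototyped against authentication logs. As an added example (not NJCCIC code or any vendor's feature), the following Python counts MFA challenges per user over a sliding window and emits a lock-and-alert action when the threshold is exceeded; the log format, the threshold of three prompts per ten minutes, and the log lines are all constructed assumptions.

```python
"""Detect bursts of MFA challenges per user over a sliding time window.

Added example illustrating the rate-limiting recommendation above; it is not
NJCCIC code. The log format (ISO timestamp, user, event, source IP), the
threshold and the sample lines are assumptions constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy assumption: more than 3 MFA challenges for one user within 10 minutes
# is treated as suspicious prompt activity.
MAX_PROMPTS = 3
WINDOW = timedelta(minutes=10)

# Constructed sample log: timestamp, user, event, source IP (chronological order).
SAMPLE_LOG = """\
2025-01-15T09:00:05Z alice@example.gov MFA_CHALLENGE_SENT 203.0.113.7
2025-01-15T09:00:41Z alice@example.gov MFA_CHALLENGE_SENT 203.0.113.7
2025-01-15T09:01:12Z bob@example.gov MFA_CHALLENGE_SENT 198.51.100.20
2025-01-15T09:01:30Z alice@example.gov MFA_CHALLENGE_SENT 203.0.113.7
2025-01-15T09:02:02Z alice@example.gov MFA_CHALLENGE_SENT 203.0.113.7
2025-01-15T09:02:40Z alice@example.gov MFA_CHALLENGE_SENT 203.0.113.7
2025-01-15T09:30:00Z bob@example.gov MFA_CHALLENGE_SENT 198.51.100.20
2025-01-15T09:55:00Z bob@example.gov MFA_CHALLENGE_SENT 198.51.100.20
2025-01-15T10:10:00Z bob@example.gov MFA_CHALLENGE_SENT 198.51.100.20
"""


def parse_line(line):
    """Split one log line into (datetime, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_bursts(log_text, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Return one alert per user the first time the windowed prompt count exceeds max_prompts.

    Each alert is (user, timestamp of the triggering prompt, prompt count, sorted source IPs).
    """
    recent = defaultdict(deque)   # user -> timestamps of prompts still inside the window
    ips = defaultdict(set)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        if event != "MFA_CHALLENGE_SENT":
            continue
        q = recent[user]
        q.append(ts)
        ips[user].add(ip)
        # Drop prompts that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_prompts and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, len(q), sorted(ips[user])))
    return alerts


def response_actions(alerts):
    """Map alerts to the response recommended above: temporary lock plus admin notification."""
    minutes = int(WINDOW.total_seconds() // 60)
    return [
        {"user": user, "action": "temporary_lock", "notify": "domain_admin",
         "reason": f"{count} MFA prompts within {minutes} min"}
        for user, _ts, count, _ips in alerts
    ]


if __name__ == "__main__":
    for action in response_actions(detect_mfa_bursts(SAMPLE_LOG)):
        print(action)
```

In the constructed log, alice receives four prompts within two minutes and is flagged, while bob's three prompts are spread beyond the window and are not.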

34.

Threat Actors Want You to Hop on a Call
The NJCCIC detected a new telephone-oriented attack delivery (TOAD) campaign. Unlike most phishing attempts, TOAD attacks do not include malicious attachments or URLs in their initial messages. The aim of the message is to trick an unwary user into calling the provided number. Upon receiving a call, threat actors employ further social engineering tactics to convince a target to install malware, grant full remote control, or enter credentials on a malicious webpage.
The threat actors behind this campaign impersonate PayPal order receipts for Bitcoin, using the PayPal logo and transaction details to make the email appear legitimate. Currently, they make no attempts to obfuscate the sender's email address, which is a red flag for malicious emails. Finally, the email includes a contact phone number and a 24-hour deadline to dispute the transaction, creating a sense of urgency to prevent victims from realizing that something is amiss.
Recommendations
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Ensure multi-factor authentication (MFA) is enabled for all online accounts.
  • If you suspect an account has been compromised, change the account's password immediately and add a secondary authentication method.
  • Report other malicious cyber activity to the NJCCIC and the FBI's IC3.

35.

Gift Card Scams: From Holiday Cheer to Total Loss
During this holiday season, the NJCCIC has continued to receive multiple reports of gift card scams targeting New Jersey State employees and residents. In the above campaign, threat actors create free PenTeleData (ptd[.]net) email accounts to lure their targets in social engineering schemes. They use direct questions or phrases related to Amazon Prime to engage their targets in further conversation. The subject line displays “RE ; Check In [heart emojis]” to indicate a sense of trust and a reply to a previous conversation thread. If the target replies, the threat actors make an urgent request to convince them to purchase gift cards and then provide them with the gift card numbers and PINs on the back of them.
Threat actors exploit organizations that reward employees with gift cards by impersonating positions of leadership or authority within an organization. For example, threat actors impersonated a CEO to persuade the target to purchase gift cards from Apple, Target, and Sephora as employee appreciation gifts. In another campaign, they convinced the target to purchase ten $500 Apple gift cards for purported employee gifts.
They often spoof or impersonate trusted contacts, such as religious leaders. In one report, threat actors claimed to be a priest to convince their target to buy six $25 Amazon gift cards for parish staff. Once the gift card numbers and PINs were sent to the threat actors, they requested an additional three $50 gift cards. However, the target realized it was a scam after noticing there were not that many staff members in the parish and the sender's email address was not the priest’s legitimate email address. In another report, threat actors attempted to impersonate a pastor to help two women battling cancer. They requested the target to purchase Apple and Visa gift cards.
Threat actors also compromise accounts, such as Amazon, to purchase gift cards and then steal the funds. Several reports indicated losses of approximately $350 due to fraudulent purchases of Amazon and game play gift cards. They may also compromise social media accounts to convince the victim’s contacts or connections to purchase gift cards, such as $200 Sephora gift cards supposedly for a “friend in need.”
Threat actors also build trust in romance scams through social media platforms, such as Facebook, to scam their targets into purchasing Apple or Sephora gift cards, resulting in losses ranging from $200 to $2,500. They may threaten to make up stories or release screenshots in extortion or sextortion cases if the targets do not make payment in gift cards. Several reports indicated losses ranging from $600 to $3,000.
Requests or demands to purchase gift cards are unusual and typically portray a sense of urgency; therefore, they should be handled with increased suspicion. Gift cards allow threat actors to use the gift card's funds as easily as cash without having the physical card. They are considered a payment method not linked to a specific person or entity and do not have the same protection as credit or debit cards. Therefore, victims typically cannot recover the money used for purchasing gift cards and subsequently suffer significant monetary losses.
Recommendations
  • Refrain from complying with requests to purchase gift cards and sending the gift card numbers and PINs to someone without verifying the request first via a separate means of communication.
  • If gift card information is sent, immediately contact the company that issued the gift card to inquire if the funds are still on the gift card and can be frozen.
  • Review the FTC’s Avoiding and Reporting Gift Card Scams, Amazon’s Common Gift Card Scams, and Apple’s Gift Card Scams for further information and resources.
  • Report users who send unsolicited emails or messages to the sender’s email provider or associated online platform for violating account policies or terms of use.
  • Report gift card scams and other malicious cyber activity to the NJCCIC, the FBI's IC3, and the FTC.

36.

Hopefully You Won’t Need to Exterminate These RATs
The NJCCIC observed a campaign that uses an AI Trading Bot lure. The message makes several claims about the use of machine learning and real-time market analysis to gain a trading advantage. Instead, this phishing attempt installs two remote access trojans (RATs), Dark Crystal RAT (DCRat) and zgRAT. RATs provide threat actors with full remote access to a victim's computer, enabling them to capture sensitive information, including passwords, screenshots, clipboard content, cookies, and other personal data.
The message includes URLs that direct users to a landing page promising a credit-cardless experience. If a user clicks the “Get started for free” button, an overlay using the ClickFix technique appears. If the user copies and pastes as instructed, a PowerShell command executes. The script disables real-time monitoring services such as Windows Defender, silences error messages to hide malicious activity, establishes persistence by creating a shortcut in a user’s Startup folder, and downloads and installs DCRat and zgRAT.
Recommendations
  • Exercise caution while online, verifying any unusual requests or instructions.
  • Facilitate user awareness training to include these types of social engineering-based techniques.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Report social engineering and other malicious cyber activity to the NJCCIC and the FBI's IC3.

37.

The Great Remote Job Rip-Off
Threat actors continue to impersonate recruiters and employers to target potential job seekers with fake or unrealistic remote job offers. They often send unsolicited emails or text messages that promise high pay for little work, require payment to get a job or training, lure targets with bad checks to buy fake work equipment or supplies, involve repackaging or shipping items often purchased with stolen credit cards, or request personal data, leading to financial loss and identity theft. Over the past month, the NJCCIC has observed an increase in remote job scams targeting New Jersey State employees and residents.
Threat actors are targeting New Jersey State employees in this latest job scam. They claim to represent Human Resources for an organization that is not the same as the sender’s domain. Another red flag is that the reply-to email address is in the body of the email and does not match the sender’s email address. They offer an unrealistic part-time remote job opportunity targeting US and Canadian residents and use a generic “Dear Applicant” greeting.
In another campaign, threat actors impersonate an educational institution to encourage their targets to apply for a remote job. Instead of using the official educational institution’s domain, the emails are sent from a Gmail account to multiple New Jersey State employees in the BCC field and use a generic “Dear Students” greeting. Threat actors claim a quick turnaround to convince their targets to act quickly and apply by stating that applications will be reviewed within two to 24 hours. If the “CLICK HERE TO APPLY” link is clicked, targets are directed to a Microsoft Forms page to capture sensitive information. Additionally, the copyright symbol at the bottom of the email is hyperlinked to a Microsoft phishing page to steal account credentials.
In the above campaign, threat actors claim to be recruiters expressing interest in the target’s resume for an interview for the purported remote position. The email is sent to multiple recipients and claims to be an Indeed interview invitation. Legitimate Indeed communications are more customized and formal and are sent directly through the Indeed account. The threat actors request that the target contact Human Resources for more information about the interview process via Signal by clicking on the link. Legitimate companies or recruiters typically do not conduct interviews through such instant messaging platforms.
Threat actors continue to target unsuspecting job seekers via text messages, initiating unsolicited conversations about potential job opportunities. The message outlines the position’s benefits, including flexible hours, competitive earnings, remote work opportunities, training, and requirements. If the target responds with “Yes,” the threat actors send a phishing link or attempt to persuade them to continue the conversation on a different platform to disclose their personal information, such as a Social Security number (SSN), a photo of their driver’s license, and banking information, supposedly to set up direct deposit.
The NJCCIC also received reports of threat actors impersonating a recruiter from hire-desk[.]com. The malicious email contains a Calendly scheduling link and a Google Meet invitation link. Calendly links are used in phishing campaigns to direct targets to malicious websites that request sensitive information or account credentials. Google Meet users can join meetings on mobile phones or tablets via the Google Meet app, or they can connect from their computer browser, as the software does not require installation. The red flag in this campaign is the Google Meet link that prompts the target to install a “GoogleMeetSetup[.]exe” file, disguised as a remote monitoring and management (RMM) tool. This trojanized installer is used for initial access and persistence to commit further malicious activity.
Recommendations
  • Exercise caution with unsolicited communications from unknown senders or legitimate organizations and platforms.
  • Confirm requests from senders using contact information obtained from verified and official sources before taking action, such as clicking links or opening attachments or files. Consider contacting the company’s human resources department to verify if the job offer is legitimate and if the person is indeed employed there.
  • Type official website URLs into browsers manually and only submit sensitive information on official websites.
  • Be careful when posting your resume publicly, as this information can be misused to exploit you.
  • Refrain from job offers that do not involve a phone or video interview, lack specific duties and company information, and create a sense of urgency and pressure to provide personal information quickly.
  • Keep systems and browsers up to date.
  • Ignore and block suspicious emails and phone numbers.
  • Report malicious cyber activity to the NJCCIC, the FBI's IC3, and the FTC.

38.

Survey Says…Scam!
The NJCCIC observed a phishing campaign that impersonates several brands, claiming to be invitations to a feedback survey with an exclusive prize for completing it. These phishing emails contain links that use URL shorteners to obfuscate the true malicious destinations, and have subjects such as:
  • Marriott Luxury Pillows 2-piece set from Marriott
  • Car emergency kit Winner Announcement!
  • Claim Your Free Stanley Tool Set from Harbor Freight
  • Claim Your Free Nespresso Vertuo Next Deluxe with Aeroccino 3 and 32 Capsules
Upon clicking the provided link, users are redirected to a feedback survey. If completed, they are given the option to claim a reward for their time. The site alleges that a prize is available for free, provided shipping costs are paid. The page also includes comments that appear to be from others who have already claimed this deal. The campaign asks for address information and payment details to complete the order. It also states that there is limited stock available and that only a few minutes remain before the offer is gone, creating a sense of urgency to act.
Recommendations
  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Users should only submit payment and personal information on official websites.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Users who submitted payment information to these webpages are advised to contact their banking institutions to report the fraudulent purchases.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

39. Telephone scammers posing as NJ health staff - Click Here

40. Passaic County [NJ] sheriff warns of phone scam - Click Here

41.

Iran Cyber Update
The US-Israel military operations against Iran that commenced this past weekend represent a significant escalation in hostilities that carries substantial cyber risk for US public and private sector organizations. Iran has a demonstrated capability and willingness to employ cyber operations as a tool of asymmetric retaliation. Since Saturday, the NJCCIC has been monitoring the activity of various state-sponsored and hacktivist threat actor groups aligned with Iran and its proxies. Based on well-established patterns observed during the June 2025 Israel-Iran war and the Israel-Hamas conflict in October 2023, the NJCCIC assesses that US public and private sector cyber assets, including those in New Jersey, face a heightened risk of cyberattacks from Iranian state-sponsored threat actors, Iranian-aligned hacktivist groups, and other adversarial threat actors who may exploit the current crisis.
While no specific or credible threat to New Jersey’s public and private sector cyber assets has been identified at this time, constant monitoring and heightened vigilance are required. The NJCCIC will continue to monitor the situation and will produce subsequent situational reports as warranted if changes in attack vectors, targets, or impacts occur, especially those related to New Jersey or the United States.

42.

Phishing Campaign Embeds Files With Malicious QR Codes
The NJCCIC observed a QR code phishing campaign targeting New Jersey State employees. Threat actors sent urgent messages claiming that the target’s mailbox would be deleted, without providing further instructions and leaving users with only the option to click the attachment. To bypass traditional email security filters, threat actors can hide malicious links within an image rather than as a clickable text link. In this campaign, they attached an EML file containing a PNG file with an embedded malicious QR code.
If the user scans the QR code with their mobile device, they are directed to a fake Microsoft authentication page whose domain (hxxps://parameterstore[.]fechuvu[.]com) is not associated with the target’s organization. The phishing page impersonates the target organization by including their logo and branding and embedding a Google Maps image of the organization's specific work location in the background, creating a false sense of trust and increasing the scam's effectiveness. It also prepopulates the user’s email address to trick them into providing their password, multi-factor authentication (MFA) code, associated session cookies, and sensitive information.
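The nesting described above (an .eml attachment that carries a PNG with the QR code) is a structural pattern a mail gateway can surface even without decoding the QR image. As an added example (not NJCCIC tooling), the following Python uses only the standard library to build a constructed message with that structure and to walk the MIME tree, flagging image parts found inside an attached message/rfc822 so the message can be routed to a QR scanner; the addresses, filenames and the placeholder PNG bytes are constructed.

```python
"""Flag emails whose attached .eml contains an image part (the EML -> PNG QR-code pattern).

Added example, not NJCCIC tooling. It does not decode QR codes; it surfaces the
nesting so such messages can be quarantined and sent to an image scanner.
The sample messages, addresses and PNG placeholder are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# PNG signature followed by filler bytes: recognisably an image, not a real QR code.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def _png_part_message(subject, body):
    """Build a message that carries FAKE_PNG as an attachment (helper for the samples)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "it-desk@example-phish.invalid"   # constructed sender
    msg["To"] = "employee@example.gov"               # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="notice.png")
    return msg


def build_sample_email():
    """Outer message with an empty body and an attached .eml that itself holds the PNG."""
    inner = _png_part_message("Mailbox deletion notice", "Scan the code to keep your mailbox.")
    outer = EmailMessage(policy=policy.default)
    outer["From"] = "it-desk@example-phish.invalid"
    outer["To"] = "employee@example.gov"
    outer["Subject"] = "URGENT: your mailbox will be deleted"
    outer.set_content("")   # no instructions in the body, as in the campaign described
    # Passing an EmailMessage attaches it as message/rfc822.
    outer.add_attachment(inner, filename="notice.eml")
    return outer.as_bytes()


def build_benign_email():
    """A message with a PNG attached directly (no nested .eml), for contrast."""
    return _png_part_message("Team photo", "Picture from the offsite.").as_bytes()


def find_nested_images(raw_bytes):
    """Return (depth, filename, content_type) for image parts inside attached .eml files."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    def walk(part, depth, inside_rfc822):
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # An attached message: its payload is a list holding the embedded message.
            for sub in part.get_payload():
                walk(sub, depth + 1, True)
            return
        if part.is_multipart():
            for sub in part.iter_parts():
                walk(sub, depth, inside_rfc822)
            return
        if inside_rfc822 and part.get_content_maintype() == "image":
            findings.append((depth, part.get_filename(), ctype))

    walk(msg, 0, False)
    return findings


def should_quarantine(raw_bytes):
    """Policy hook: hold the message for QR scanning when an attached .eml hides an image."""
    return bool(find_nested_images(raw_bytes))


if __name__ == "__main__":
    print(find_nested_images(build_sample_email()))   # the nested PNG is reported
    print(should_quarantine(build_benign_email()))    # a directly attached PNG is not
```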
Recommendations
  • Exercise caution with unexpected or unsolicited communications.
  • Confirm requests from senders using contact information obtained from verified, official sources before taking action, such as clicking links, scanning QR codes, or opening attachments.
  • Use email security tools that can scan embedded images for malicious QR codes. 
  • Enter official website URLs manually into your browser and submit sensitive information only on official websites.
  • Keep systems and browsers up to date.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

43.

These HR Lures Don’t Include Benefits
The NJCCIC observed an increase in phishing emails with human resources (HR)-related lures. These messages claim to distribute revised employee handbooks and ask recipients to confirm receipt by completing the acknowledgment form that is included in the attachment. In one campaign, the emails include links, attachments, or QR codes that direct to sites promoting "low-cost" advertising. Under specific circumstances, these sites redirect to pages that either attempt to install potentially unwanted programs (PUPs) or display tech support scam pages.
A second campaign with a similar HR theme contains an Adobe PDF attachment with a QR code that directs users to a CAPTCHA page. Completing the CAPTCHA redirects users to a counterfeit Microsoft login page designed to steal credentials, MFA codes, and the associated session cookies. The page operates as an Adversary-in-the-Middle (AiTM) proxy built on the EvilProxy phishing kit: it relays the victim's input to the real Microsoft login in real time, so the session cookie it captures has already satisfied MFA.
Recommendations
  • Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
  • Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
  • Enable multi-factor authentication (MFA) and keep systems and browsers up to date.
  • If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
  • Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

44.

Iran Cyber Update
The US-Israel military operations against Iran that commenced on February 28 represent a significant escalation in hostilities that carries substantial cyber risk for US public and private sector organizations. Iran has demonstrated the capability and willingness to employ cyber operations as a tool of asymmetric retaliation. The NJCCIC is monitoring the activity of various state-sponsored and hacktivist threat actor groups aligned with Iran and its proxies.
Cyber threat activity has increased over the past week. On March 11, Iran-linked cyber threat group Handala claimed responsibility for a cyberattack against Stryker, a US-based global medical technology company. The cyberattack disrupted the company's network, forcing Stryker offices in 79 countries to shut down. Handala claims 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data were extracted, though these specific claims have not been confirmed by Stryker. Handala stated that the cyberattack was in retaliation for a February 28 missile strike that hit an Iranian school and killed at least 175 people, mostly children. The group has made claims against additional organizations; however, these have not yet been verified.
Iran-affiliated threat groups may engage in distributed denial-of-service (DDoS) attacks, website defacements, wiper malware, ransomware, and others in support of Iran and/or against the US and Israel. Historically, Iran-affiliated cyber threat actors have targeted organizations via phishing campaigns and exploited vulnerabilities in edge devices, such as firewalls. While no specific or credible threat to New Jersey’s public and private sector cyber assets has been identified at this time, constant monitoring and heightened vigilance are required. The NJCCIC will continue to monitor the situation and produce subsequent situational reports as warranted if changes in attack vectors, targets, or impacts occur, especially those related to New Jersey.

45.

Anthem Blue Cross Phishing Campaign Deploys Ransomware
The NJCCIC observed an Anthem Blue Cross phishing campaign targeting New Jersey State employees. The sender’s display name includes Anthem Blue Cross, the target organization’s domain name, and “Eft Settlement.” However, the sender’s email address does not reference Anthem Blue Cross. The email signature purports to be from “Account Payable,” and the email contains other grammatical errors and is not personalized. The email claims that the target received an encrypted message for an EFT settlement that can be viewed in Adobe PDF format by clicking the “REVIEW Payment” link.
If the link is clicked, the target is directed to a malicious website, hxxps://_wildcard_[.]experiencetouhdecument[.]com/a/AdQ/a/adobelanding/index[.]php. To view the document, the website prompts the target to first install the latest version of “Adobe Acrobat Viewer,” a name that does not match the real product, Adobe Acrobat Reader. The fake installer, labeled “AdobeReader.msi,” downloads automatically after 10 seconds.
If the fake Adobe installer file is clicked and installed, it loads a malicious executable. As the Adobe update page is displayed, several tasks and processes run in the background, unbeknownst to the target. In this campaign, threat actors use the trusted Adobe brand to evade detection and lure their target with a fake update. This fake update downloads the payload containing the ScreenConnect or UltraVNC remote monitoring and management (RMM) tools to gain initial access to user devices.
Threat actors may leverage multiple legitimate RMM tools, either simultaneously or in sequence, as a strategic move to improve resilience, avoid detection, and ensure redundancy. The commercial ScreenConnect tool is typically used for initial access and persistence, especially in deploying ransomware, whereas the open-source UltraVNC tool is utilized as a secondary backdoor if the primary ScreenConnect tool is blocked.
This campaign also performs other stealthy tasks and processes, such as dropping or overwriting files in the Windows and Program Files directories, running PowerShell scripts and executing commands, gathering information (e.g., system, browser, and BIOS), escalating privileges, and accessing and modifying the registry and other data. Threat actors also target the Windows Volume Shadow Copy Service (VSS), which creates consistent snapshots (shadow copies) of files for backups while applications are running. Threat actors delete these backup snapshots before encrypting files in ransomware attacks, hindering recovery.
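The sequence described above (an MSI fetched by the browser, an RMM client started by the installer, a second RMM tool as backup, then shadow copies deleted) is visible in ordinary process-creation telemetry. The detection below is an added example, not NJCCIC tooling; the events are constructed for the example and use Sysmon Event ID 1 field names, so mapping your EDR's schema onto those names is assumed.

```python
"""Flag the post-installer behaviour the text describes in process-creation
telemetry: an MSI run from a user's Downloads folder, an RMM client started
by the installer, shadow-copy deletion, and two different RMM tools on one host.

Added example, not NJCCIC tooling. Events are plain dicts with the Sysmon
Event ID 1 field names (Image, ParentImage, CommandLine); mapping your EDR's
schema onto those names is assumed. The RMM binary names are the usual
client executables for ScreenConnect and UltraVNC.
"""
import re

SHADOW_DELETE = [                       # MITRE ATT&CK T1490, Inhibit System Recovery
    re.compile(r"vssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),      # PowerShell/WMI variant
    re.compile(r"wbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
]
RMM_IMAGES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "winvnc.exe": "UltraVNC",
}
INSTALLER_OR_BROWSER = {"msiexec.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
MSI_FROM_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\downloads\\[^\s\"]*\.msi\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matching event, plus a host-level alert when
    more than one RMM tool appears (the redundancy pattern described above)."""
    alerts = []
    tools_seen = set()
    for i, ev in enumerate(events):
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image == "msiexec.exe" and MSI_FROM_DOWNLOADS.search(cmd):
            alerts.append({"index": i, "rule": "msi_from_downloads", "detail": cmd})
        if image in RMM_IMAGES:
            tools_seen.add(RMM_IMAGES[image])
            if parent in INSTALLER_OR_BROWSER:
                alerts.append({"index": i, "rule": "rmm_spawned_by_installer",
                               "detail": f"{RMM_IMAGES[image]} started by {parent}"})
        if any(rx.search(cmd) for rx in SHADOW_DELETE):
            alerts.append({"index": i, "rule": "shadow_copy_deletion", "detail": cmd})
    if len(tools_seen) > 1:
        alerts.append({"index": None, "rule": "multiple_rmm_tools",
                       "detail": ", ".join(sorted(tools_seen))})
    return alerts


# Constructed telemetry for one host, in the order the campaign would produce it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\AdobeReader.msi" /qn'},
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "ScreenConnect.ClientService.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "CommandLine": "powershell.exe -nop -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "CommandLine": "winvnc.exe -service"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},          # benign: listing, not deleting
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Shadow-copy deletion is the highest-confidence signal here and belongs on a blocking rule, not just an alert, because it is the last step before encryption; the RMM and installer rules are noisier and are better treated as context that raises the priority of the host.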
Recommendations
  • Exercise caution with unexpected or unsolicited communications.
  • Confirm requests from senders via contact information obtained from verified and official sources before taking any action, such as clicking links or opening attachments.
  • Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages.
  • Keep systems and browsers up to date and apply patches after appropriate testing.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware.
  • Enforce the Principle of Least Privilege, disable unused ports and services, and use web application firewalls (WAFs).
  • Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly.
  • Report ransomware and other malicious cyber activity to the NJCCIC and the FBI's IC3.

46.

Please Don’t Hop on This Payment Lure
The NJCCIC observed a phishing campaign that uses legitimate Microsoft Entra ID tenant branding to deliver Telephone-Oriented Attack Delivery (TOAD) messages within Microsoft system notifications. This campaign involves a message claiming to include Microsoft email verification codes, sent from a legitimate Microsoft sender, msonlineservicesteam[@]microsoftonline[.]com, creating a sense of trust. TOAD attacks differ from most phishing attempts by trying to persuade their target to call, rather than including links or attachments in the initial email.
The message's signature matches the subject and is part of the TOAD lure, claiming to confirm a recent payment and providing a phone number for help. The provided number allows the threat actor to communicate directly with their target and attempt to socially engineer them into downloading and executing malicious software, sharing credentials, or granting the threat actor remote access to their computer.
Recommendations
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Ensure multi-factor authentication (MFA) is enabled for all online accounts.
  • If you suspect an account has been compromised, change the account's password immediately and add a secondary authentication method.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

47.

Threat Actors Aim to Do a Little Spring Cleaning on Your Finances
The NJCCIC observed multiple phishing campaigns aimed at financial gain. In one campaign, users receive a phishing email impersonating American Express that claims a large amount of earned reward points is about to expire. The messages include a URL that directs to a fake American Express authentication page designed to steal user credentials. Any credentials entered are forwarded to the threat actors behind the campaign through the “CoAceV” phishing kit.
This kit was first observed near the end of April 2025 and has primarily targeted users in Japan. It also shares similarities with the “CoGUI” and “Darcula” phishing kits. The CoAceV kit employs advanced evasion techniques, such as geofencing, header fencing, and fingerprinting, to bypass automated defenses and analysis. These methods let the kit confine its phishing page to clients in the targeted regions while evading automated security tooling, making it a significant threat to users in targeted countries.
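The evasion techniques named above all work the same way: the server looks at who is asking and serves the credential form only to a client that resembles a real victim, while scanners and analysts get a harmless page. The block below is an added example, not CoAceV code: kit_gate() is an illustrative model of that gating behaviour, and probe_for_cloaking() is the check an analyst runs against a suspect URL. The country field (standing in for a GeoIP lookup), the X-FP header (standing in for the result of a fingerprinting script), and the client profiles are all constructed for the example.

```python
"""Why geofencing, header fencing and fingerprinting defeat automated scanners,
and the check an analyst runs against a suspect URL: fetch it under more than
one client profile and compare what comes back.

Added example, not CoAceV code. kit_gate() is an illustrative model of the
gating behaviour the text describes; the X-FP header standing in for the
result of the kit's browser fingerprinting script and the country field
standing in for a GeoIP lookup are assumptions of this example.
"""
import hashlib
import re

DECOY = "<html><body><h1>404 Not Found</h1></body></html>"
PHISH = ("<html><body><form action='/login' method='post'>"
         "<input name='card'><input name='password' type='password'></form></body></html>")
SCANNER_UA = re.compile(r"bot|crawler|spider|curl|wget|python-requests|headless|phantomjs", re.I)
FORM = re.compile(r"<form|type=['\"]?password", re.I)


def kit_gate(req: dict) -> str:
    """Serve the credential form only to a client that looks like a real
    victim in the targeted region; everyone else gets a harmless decoy."""
    h = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req.get("country") != "JP":                                  # geofencing
        return DECOY
    ua = h.get("user-agent", "")
    if not ua or SCANNER_UA.search(ua):                             # header fencing: user agent
        return DECOY
    if not h.get("accept-language", "").lower().startswith("ja"):   # header fencing: language
        return DECOY
    if h.get("x-fp", "") in ("", "headless"):                       # fingerprint result (assumed header)
        return DECOY
    return PHISH


PROFILES = {   # constructed client profiles
    "scanner": {"country": "US", "headers": {"User-Agent": "python-requests/2.31",
                                             "Accept-Language": "en-US"}},
    "analyst_vpn": {"country": "JP", "headers": {"User-Agent": "curl/8.4.0",
                                                 "Accept-Language": "ja"}},
    "victim_mobile": {"country": "JP", "headers": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15",
        "Accept-Language": "ja-JP,ja;q=0.9", "X-FP": "real"}},
}


def probe_for_cloaking(fetch, profiles=PROFILES) -> dict:
    """Fetch the same URL under several profiles; divergent bodies mean the
    site is deciding what to show based on who is asking."""
    bodies = {name: fetch(req) for name, req in profiles.items()}
    digests = {n: hashlib.sha256(b.encode()).hexdigest()[:12] for n, b in bodies.items()}
    return {
        "cloaked": len(set(digests.values())) > 1,
        "digests": digests,
        "serves_form": {n: bool(FORM.search(b)) for n, b in bodies.items()},
    }


if __name__ == "__main__":
    print(probe_for_cloaking(kit_gate))
```

The practical lesson is in the "analyst_vpn" profile: a Japanese exit node is not enough, because the user agent and language headers still give the analyst away. When a reported phishing URL "only shows a 404," re-fetch it with a mobile browser profile and the victim's locale before closing the ticket.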
A second campaign was observed that mimics an out-of-storage notice. To imply urgency, messages contain the subject line "Access Denied: Account Locked." If the user clicks the link in the email, they are directed to a site that claims their files are at risk and requests payment for additional storage. A countdown timer labeled “Time until deletion” is displayed to convince users to act quickly.
Recommendations
  • Exercise caution with unexpected or unsolicited communications, even those that appear to come from known senders or legitimate platforms.
  • Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
  • Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
  • Enable multi-factor authentication (MFA) and keep systems and browsers up to date.
  • If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
  • Users who submitted credit card information to these webpages are advised to contact their banking institutions to cancel their credit cards and identify fraudulent purchases.
  • Report malicious cyber activity to the NJCCIC and the FBI's IC3.

48.

Uptick in Fraudulent Wire Transfers Resulting From Account Compromises
The NJCCIC continues to receive reports of compromised accounts of public and private sector New Jersey organizations resulting from compromised credentials and phishing emails. Consequently, the NJCCIC also observed an uptick in fraudulent wire transfers from these compromised accounts. Account compromises enable threat actors to access sensitive data and conduct further malicious activity, including financial fraud.
Once threat actors compromise an account, they create forwarding rules keyed on certain words and perform reconnaissance by searching the inbox and sent folder for previous wire transfer instructions that they can alter. By impersonating legitimate users, threat actors identify and target existing customers or clients who may not question the email’s legitimacy. To appear authentic, they reply on previous email threads to notify their targets of changes to the wire transfer instructions. The threat actors send modified invoices and updated wire instructions to trick targets into paying for goods or services. If payment is made, funds are redirected to threat actor-controlled accounts, causing significant financial losses.
The reported losses ranged from approximately $10,000 to $150,000. In one report, an email from the compromised vendor account was sent to a customer with updated wire instructions containing the vendor’s letterhead. The customer did not verify the request and later discovered that their payment had not been received by the vendor. In another report, a vendor discovered that one of its accounts had been compromised after several clients reported receiving suspicious emails. The threat actors set up rules in the compromised vendor’s account to forward all new emails to a hidden folder. They then sent various phishing emails with attachments to the vendor's contacts, including updated wire instructions.
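The inbox rules in both reports (keyword-triggered forwarding, and a rule that shunts every new message into a folder the owner never looks at) leave a record in the mailbox audit log, which makes rule creation the earliest practical detection point for this playbook. The hunt below is an added example, not NJCCIC tooling; the records are constructed for the example and are shaped like Exchange Online audit entries for New-InboxRule/Set-InboxRule, using the cmdlet parameter names. That record shape and the organization's own domains (ORG_DOMAINS) are assumptions to adjust for your tenant.

```python
"""Hunt mailbox rules that match the account-compromise playbook described
above: forwarding to an outside address, auto-moving or deleting mail so the
owner never sees replies, finance keywords, and rules that fire on everything.

Added example, not NJCCIC tooling. Records are dicts shaped like Exchange
Online unified audit log entries for New-InboxRule/Set-InboxRule, with the
cmdlet parameter names in a Parameters list of {"Name","Value"} pairs; that
shape and the org's own domains (ORG_DOMAINS) are assumptions to adjust.
"""
import re

ORG_DOMAINS = {"example.invalid"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
CONDITION_PARAMS = KEYWORD_PARAMS + ("From", "FromAddressContainsWords", "SentTo", "HasAttachment")
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}
FINANCE = re.compile(r"\b(invoice|wire|ach|payment|remit\w*|bank\w*|routing|swift|iban)\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def params(record) -> dict:
    """Flatten the audit record's Parameters list into {name: value}."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyze(record, org_domains=ORG_DOMAINS) -> list:
    """Return human-readable findings for one rule creation/modification record."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = params(record)
    findings = []
    for name in FORWARD_PARAMS:
        for addr in EMAIL.findall(p.get(name, "")):
            if addr.rsplit("@", 1)[1].lower() not in org_domains:
                findings.append(f"{name} sends mail to external address {addr}")
    folder = p.get("MoveToFolder", "").strip().lower()
    if folder in HIDE_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder {p['MoveToFolder']!r}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true" and (folder or findings):
        findings.append("marks mail read so no unread count gives it away")
    keywords = " ".join(p.get(k, "") for k in KEYWORD_PARAMS).strip()
    if FINANCE.search(keywords):
        findings.append(f"filters on finance keywords: {keywords}")
    if folder and not any(k in p for k in CONDITION_PARAMS):
        findings.append("applies to every incoming message (no condition)")
    if re.fullmatch(r"[\W_]{0,3}", p.get("Name", "unnamed")):
        findings.append(f"rule name is blank or punctuation only ({p.get('Name')!r})")
    return findings


def suspicious_rules(records, org_domains=ORG_DOMAINS) -> list:
    """Keep only the records with findings, with the who/where needed to act."""
    out = []
    for rec in records:
        f = analyze(rec, org_domains)
        if f:
            out.append({"UserId": rec.get("UserId"), "ClientIP": rec.get("ClientIP"),
                        "Operation": rec["Operation"], "findings": f})
    return out


# Constructed audit records: two modelled on the reports above, two benign.
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.invalid", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment;ACH"},
         {"Name": "ForwardTo", "Value": "\"AP Team\" [SMTP:ap.updates@mail.external-example.net]"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "vendor.sales@example.invalid", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "Archive"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.invalid", "ClientIP": "192.0.2.10",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor-example.com"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "jdoe@example.invalid", "ClientIP": "192.0.2.10",
     "Parameters": [
         {"Name": "Identity", "Value": "Cover"},
         {"Name": "ForwardTo", "Value": "colleague@example.invalid"}]},
]

if __name__ == "__main__":
    for hit in suspicious_rules(RECORDS):
        print(hit)
```

The ClientIP on a hit is worth keeping: when a rule is created from an address the user has never signed in from, the rule and the sign-in together are the compromise, and the response is to revoke sessions and reset the credential, not only to delete the rule.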
Recommendations
  • Confirm the source and instructions of any monetary transaction received via email through a separate means of communication, such as a phone call. Email replies are not an effective verification method, as they could be sent to the threat actors.
  • While an email may appear to come from a known and trusted account, that account may have been compromised. Verify all requests for money transfers.
  • Navigate directly to legitimate websites and verify them before providing sensitive information or wiring funds.
  • If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, the banking institution, the FBI, and the US Secret Service to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.
  • If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.
  • Report phishing emails and other malicious cyber activity to the NJCCIC and the FBI's IC3.