Upcoming Auction Email Scam – What You Need To Know

Have you received an email recently from your employer inviting you to participate in an upcoming auction for used office items and assets? While this may sound like an exciting opportunity to score great deals on discounted equipment, furniture or electronics, caution is advised as this could very well be a phishing scam aimed at stealing your credentials.

In this article, we’ll break down exactly how the upcoming auction email phishing scam works, provide tips on how to spot and avoid it, explain what to do if you fell victim, and answer some frequently asked questions.

Scams

How the Upcoming Auction Email Pham Works

The upcoming auction phishing email usually arrives with a subject line stating something like “Upcoming Auction: Used Assets/Items for Employees”. The email claims to be from your employer and informs you that they will be holding an exclusive discounted auction for used items and equipment, open only to employees.

It will explain that interested employees can indicate their interest by clicking a button or link such as “Upcoming Auction: Interested”. If clicked, this button will redirect you to a phishing site designed to mimic your email login page. The scam email may include some brief details about requiring registration or notifications for the fake auction event to add legitimacy.

The goal is to trick recipients into entering their work email credentials on the phishing page, allowing the scammers to gain access and control of the account. From there, the criminals can leverage the compromised account to launch further attacks on the organization and contacts.

How to Spot This Scam

While this phishing scam email can look quite convincing on the surface, there are a few red flags to watch out for:

  • Generic greeting – The email is addressed with a generic greeting like “Dear employee” rather than your name. Real emails from your employer would normally address you directly.
  • Spelling and grammar issues – Phishing emails often contain typos, spelling mistakes and grammatical errors as they are not written by native English speakers. Look for awkward phrasing.
  • Suspicious sender address – The sender address may look legitimate but be slightly off, like using your company name with a different domain extension. Always check the actual email address it was sent from.
  • Requests sensitive information – Reputable organizations would never ask you to submit login credentials or sensitive information via an unsolicited email.
  • Sense of urgency – The email tries to create false urgency by implying you need to act now with terms like “limited time” or “interested employees must register by XX date”. This pressures recipients to click without thinking first.
  • Link hover reveal – Hover your mouse over any links in the email without clicking on them. The hover tooltip should reveal if the link will direct to a suspicious or misleading web address.
  • Poor image quality – Logos and graphics may look blurry, low resolution or obviously edited.
  • No customization – The email content remains generic with no personal details, company specifics or employee customization.

If an auction invitation sets off any red flags, it’s best to just delete it outright without taking further action. Notify your IT department as well.

What to Do If You Fell For This Scam

If you unfortunately already clicked the link or submitted information through the phishing site before realizing it was a scam, take the following steps right away:

  • Change your email password – Reset your work email password immediately to lock the scammers out. Use a new, strong password. Enable two-factor authentication if available.
  • Contact employer IT – Alert your IT department about the phishing attack so they can inform others and take action to limit damage. Provide details like the subject line, sender address, etc.
  • Scan for malware – Run a full system scan to check for any malware that may have been installed from clicking suspicious links. Delete anything harmful detected.
  • Review recent emails/activity – Check your outbox and sent items for any unusual emails. Scammers may have been able to access and use your email already. Look for any unknown online activity.
  • Reset other accounts – Change the passwords for any other online accounts that may have used the compromised password like social media profiles, retail sites, banks, etc.
  • Monitor credit – Keep an eye out for any suspicious credit activity just in case the scammers attempt identity theft. Consider a credit freeze if needed.
  • Learn from the experience – Think carefully in the future before clicking links or submitting data. Report all suspicious emails to your IT team moving forward.

Tips to Avoid Falling Victim

Here are some general tips to avoid becoming a victim of phishing scams like this using your work email:

  • Enable two-factor authentication – Adding an extra layer of authentication like OTP codes helps prevent unauthorized logins even if passwords are stolen.
  • Never click unvetted links/attachments – View links as untrustworthy by default, especially in unexpected emails. Hover over rather than clicking.
  • Watch for red flags – Take a few extra seconds to check for signs like odd senders, typos, generic greetings before interacting with any email.
  • Slow down – Avoid the urge to click in curiosity or urgency. Take your time to inspect emails thoroughly first.
  • Hover over hyperlinks – Before clicking, hover to preview the actual destination URL for anything suspicious.
  • Verify requests – Any odd or sensitive requests via email should be confirmed directly via phone before taking action.
  • Report scams – Alert IT security teams to any phishing attempts so they can warn others. Report scams to authorities like spam@uce.gov.
  • Keep software updated – Maintain updated operating systems, browsers, plugins and antivirus software to avoid vulnerabilities.
  • Use strong passwords – Create a unique, complex password for your work email that utilizes upper and lowercase letters, numbers and symbols.
  • Be wary of links/attachments – Never open an attachment or click a link from an untrusted source, no matter how enticing.

What to Do If Your Email Account is Compromised

If a phishing scam succeeds in compromising your work email account, it’s critical to take quick action:

  • Report the breach – Alert your IT/security team immediately and explain what occurred so they can start incident response. Provide details to help identify scope.
  • Reset password/MFA – Use account recovery options to regain access and lock out the attackers. Update to a new strong password and enable MFA.
  • Review settings/rules – Check for any unauthorized changes made to things like forwarding rules that could propagate threats. Remove anything suspicious.
  • Revoke sessions – End all currently active sessions which could still be linked to the attackers. Force reauthentication.
  • Check for data loss – See if any emails, attachments or information was exfiltrated outside the organization by the scammers.
  • Scan devices – Run antivirus scans on any PCs or devices you used to access the account to check for malware, spyware or keyloggers planted by the phishers.
  • Notify contacts – Let any users you communicate sensitive data with know about the breach in case of unintended impacts on them.
  • Strengthen defences – Work with IT administrators to implement updated filters, protections and controls to prevent repeated phishing.
  • Change other account passwords – Anywhere else you reused the same breached password should also be reset to revoking access from the attackers.

Prompt response can hugely limit the damage from a successful phishing attack. Make sure to report, reset and revoke as soon as an account compromise is discovered.

FAQ

Is it ever legitimate for an employer to contact you about an employee auction via email?

In most cases, no – genuine auctions or offers for employees would be announced officially through proper company channels and communications, not random emails. Proceed with extreme caution if asked to submit any sensitive information via email.

What should I do if I receive an upcoming auction phishing email at work?

Do not click any links or attachments within the phishing email. Report it to your IT security team immediately and delete it from your inbox to avoid accidental clicks in the future. Do not attempt to register interest or respond.

Are phishing emails illegal?

Yes, phishing scams are illegal. They fall under cybercrime laws and often involve fraud, identity theft, hacking, spamming and spreading malware. Authorities like the FBI, FTC and spam@uce.gov track and prosecute phishing networks.

What are some other examples of common work phishing scams?

Password expiration warnings, fake HR policy updates, urgent malware scans required, requests to re-verify credentials, IT account lockouts unless immediate action taken, fake requests for W2/tax forms, and requests to click and confirm safe receipt of attached documents.

Is it safe to click unsubscribe links in phishing emails?

No, unsubscribe links should also be considered extremely untrustworthy. They likely just lead to more phishing sites or possibly download malware. Never interact with phishing content. Just delete the email.

Can my personal email accounts also be targeted by phishing scams?

Yes, phishers cast a wide net and do not just target work emails. Gmail, Yahoo, MSN and other personal accounts are also vulnerable. Apply the same vigilance checking emails on those accounts as your work one.

Conclusion

Phishing emails disguised as upcoming employee auction invitations can seem convincing and tempting if you’re unaware of the scam. However, now that you know what red flags to watch for and have tips to avoid becoming a victim, you can identify and report these malicious emails to protect yourself, your employer and contacts.

Stay vigilant against all forms of phishing by checking email addresses, hovering over links, verifying requests and never providing login credentials via unsolicited emails. Protect your accounts with strong passwords and multi-factor authentication. Seek help immediately if you accidentally fall prey to limit damage. Share scam awareness with colleagues.

With great care taken to identify and avoid email phishing traps, we can reduce the effectiveness of these scams and make organizations more secure. Don’t become a victim to the upcoming auction phishing scam!

How to Stay Safe Online

Here are 10 basic security tips to help you avoid malware and protect your device:

  1. Use a good antivirus and keep it up-to-date.

    Shield Guide

    It's essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.

  2. Keep software and operating systems up-to-date.

    updates-guide

    Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.

  3. Be careful when installing programs and apps.

    install guide

    Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you're agreeing to before you click "Next."

  4. Install an ad blocker.

    Ad Blocker

    Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.

  5. Be careful what you download.

    Trojan Horse

    A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.

  6. Be alert for people trying to trick you.

    warning sign

    Whether it's your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it's easy to spoof phone numbers, so a familiar name or number doesn't make messages more trustworthy.

  7. Back up your data.

    backup sign

    Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.

  8. Choose strong passwords.

    lock sign

    Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.

  9. Be careful where you click.

    cursor sign

    Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.

  10. Don't use pirated software.

    Shady Guide

    Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

To avoid potential dangers on the internet, it's important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.