Friday, November 2, 2007

Fake Email Alert

I have become aware of a recent email scam that is circulating. The email purports to come from the EEOC or FTC. It claims that a customer has lodged a complaint against the recipient and asks the recipient to click a link to review or respond to the complaint. In actuality, clicking the link will unleash a virus on your network or computer.

According to the FTC:

A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations.

Simply opening the email does not appear to cause harm. However, it is likely that anyone who has opened the email’s attachment or clicked on the links has downloaded the virus on their computer, and should run an anti-virus program. The virus appears to install a “key logger” that could potentially grab passwords and account numbers. More information about bogus emails, phishing, and virus protection is available at www.OnGuardOnline.gov.
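Because the From, Return-Path and Reply-To fields are all chosen by the sender, comparing them with each other cannot expose a message like the one the FTC describes. The following is an added example, not part of the original post or of either agency's notice: it triages a message using the indicators mentioned on this page, assuming the receiving mail server records a DMARC result in an `Authentication-Results` header. The sample message, the `mx.example.com` server name and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

GOV = ("ftc.gov", "eeoc.gov")  # agencies named in the post
# Constructed sample: From, Return-Path and Reply-To agree, so comparing them proves nothing.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ftc.gov; dmarc=fail header.from=ftc.gov
Return-Path: <frauddep@ftc.gov>
From: "Federal Trade Commission" <frauddep@ftc.gov>
Reply-To: frauddep@ftc.gov
Subject: Complaint (constructed subject)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>See <a href="http://203.0.113.7/view">www.ftc.gov/complaint</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="complaint.zip"

placeholder
--b1--
"""

def in_domains(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in GOV)

def triage(raw):
    msg, findings = message_from_string(raw), []
    claimed = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    # Assumption: the first Authentication-Results header is the one your own server added.
    auth = (msg["Authentication-Results"] or "").lower()
    if in_domains(claimed) and not re.search(r"\bdmarc=pass\b", auth):
        findings.append("sender claims %s without dmarc=pass" % claimed)
    if "harassment complaint update for" in (msg["Subject"] or "").lower():
        findings.append("subject reported by the EEOC as phishing")
    for part in msg.walk():
        if part.get_filename():
            findings.append("attachment: " + part.get_filename())
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            for href in re.findall(r'<a\s[^>]*href="([^"]+)"', html, re.I):
                if in_domains(claimed) and not in_domains(urlsplit(href).hostname):
                    findings.append("link leaves claimed domain: " + href)
    return findings
```

An empty list means none of these indicators fired, not that the message is safe.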

The EEOC version of this scam is slightly different, but has the same effect (a virus). According to the EEOC:

The U.S. Equal Employment Opportunity Commission (EEOC) late today notified the business community and general public to a "phishing" e-mail circulating to companies that purports to be from the federal agency regarding a harassment complaint. The bogus e-mail contains a Trojan Horse Virus that is likely to harm a recipient's computer if the user clicks on the referenced web link and/or downloads the attached file.

The phony e-mail to employers -- being circulated under the subject "Harassment Complaint Update For" -- contains links where the respondent can allegedly access details of a fake discrimination claim. The EEOC has reported the issue to appropriate authorities.

The EEOC's policy is to notify an employer of the filing of a charge of employment discrimination using the U.S. Postal System. Because of security concerns, the EEOC does not notify employers of the filing of a charge of discrimination via e-mail. Consequently, if a company receives an e-mail notification which purports to advise the respondent of the filing of a charge of employment discrimination with the EEOC, the federal agency urges users to delete it immediately.

The contents of the phishing e-mail include an EEOC logo under the subject line and contain purported language from the EEOC under a subject heading, "Employer Liability for Harassment." Excerpts of the phishing e-mail are highlighted below:


FROM: Equal Employment Opportunity Commission
SUBJECT: "Harassment Complaint Update For"
This is an automated email that confirms the registration of harassment complaint #number...this harassment complaint can lead to law enforcement action. You can download and print a copy of this complaint to keep for your personal records here...Our staff will keep you updated regarding the status of our investigation...To check the status of your complaint access:


Be advised that it is not common for a Federal agency to contact a company with regard to a complaint via email. A formal letter is usually sent by mail. Further, most government communications will include a telephone number to contact the field office or investigator.

Rule of thumb: don't click on attachments if you don't know the sender. If it appears that you received an email from the government, your bank or credit card company, never provide personal or sensitive information. Ask yourself: wouldn't my bank or credit card company have all of my contact information? Why would they need me to verify it?

Finally, you should have an anti-spyware program and an antivirus program installed on your computer. I don't know if there has been a fix or virus definitions update for this virus, but why take a chance?
