Phishing and Fraud Awareness

Effective Date: August 20, 2024

Last Updated: August 20, 2024

We’re committed to protecting our clients, partners, and candidates from online fraud. This page explains how to spot scams, verify real communications from us, and what to do if you think you’ve been targeted.

TL;DR — Quick Safety Rules

  • Pause before you click links or open attachments you weren’t expecting.

  • Verify requests for money, invoices, bank-detail changes, or credentials via a separate channel (call a known number).

  • We will never ask for your password, MFA codes, or crypto/gift-card payments.

  • Report suspicious messages to your IT/security team.

Common Red Flags

  • Urgent tone: “Your account will be closed in 1 hour.”

  • Misspellings or odd grammar; mismatched “From” name vs. email address.

  • Look-alike domains (e.g., proaIign.com, where an uppercase “I” stands in for the lowercase “l”).

  • Links that don’t match the display text (hover to preview).

  • Unexpected files (e.g., Invoice.pdf.exe) or requests to install remote tools.

  • Requests for MFA codes, recovery codes, or to “approve a login you didn’t make.”

  • QR codes in emails/messages that ask you to sign in or pay.

Scams We See Most

  • Fake invoices / vendor bank changes (BEC). Always verify account changes by phone with a known contact.

  • Account “security alerts.” Link leads to a fake sign-in page to steal passwords/MFA.

  • Recruiting & job-offer scams. Impersonators contact you through messaging apps and ask for personal data or “equipment fees.”

  • Tech-support popups. Fake warnings prompt you to call a number or install remote control software.

  • Crypto refunds / investment schemes. They promise quick returns and ask for wallet seed phrases.

  • MFA fatigue attacks. Repeated push prompts until you tap “Approve.” Deny and reset your password.

How to Verify It’s Really Us

Our official domains: yourdomain.com (add any others you control).

Official email pattern: firstname.lastname@yourdomain.com (or state the pattern you use).

Before you trust a message:

  1. Check the sender: the exact domain after @ must be one of ours.

  2. Hover the link: the URL should be on our official domains or a well-known provider we use.

  3. Call back: use a phone number from our website or your existing contact list—not the number in the message.
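The sender, look-alike-domain, link and attachment checks above can be turned into a small triage script. The example below is added here and is not ProAlign's own tooling; it assumes the official domains are yourdomain.com and proalign.com (the page uses a placeholder) and uses a constructed sample message. It generalises the page's single look-alike case to other common swaps (1 for l, 0 for o, rn for m, vv for w) and to one-character typosquats.

```python
"""Red-flag triage for inbound mail: sender domain, look-alike domains,
link text vs. real target, and executable attachments.
Added example; OFFICIAL_DOMAINS is assumed, not taken from a real config."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed official domains (the page itself uses the placeholder yourdomain.com).
OFFICIAL_DOMAINS = {"yourdomain.com", "proalign.com"}

# Characters attackers swap for visually similar ones. Applied BEFORE lowercasing
# so that an uppercase "I" posing as "l" (proaIign.com) is still caught.
CONFUSABLES = [("I", "l"), ("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")]

# File types that run code when opened; Invoice.pdf.exe ends in one of these.
EXEC_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "msi", "hta", "lnk"}


def skeleton(domain: str) -> str:
    """Collapse confusable characters so a look-alike maps onto the real name."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats like proalgn.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain after the last '@' of the real address; the display name is ignored."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def is_official(domain: str) -> bool:
    """Step 1 of the page: the exact domain must be one of ours."""
    return domain.lower() in OFFICIAL_DOMAINS


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but resembles one of our domains."""
    if is_official(domain):
        return False
    return any(skeleton(domain) == official or edit_distance(domain.lower(), official) <= 1
               for official in OFFICIAL_DOMAINS)


def link_mismatch(display_text: str, href: str) -> bool:
    """Step 2 of the page: the text shows one host while the real target is another."""
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text, re.I)
    if not shown:
        return False  # plain text like "Reset your password": nothing to compare
    return shown.group(1).lower() != (urlparse(href).hostname or "").lower()


def suspicious_attachment(filename: str) -> bool:
    """Executable (often double) extension, e.g. Invoice.pdf.exe."""
    parts = filename.lower().split(".")
    return len(parts) >= 2 and parts[-1] in EXEC_EXTENSIONS


def triage(message: dict) -> list[str]:
    """Return the red flags found in one message (the dict layout is this example's own)."""
    flags = []
    domain = sender_domain(message["from"])
    if not is_official(domain):
        flags.append(f"sender domain {domain!r} is not one of ours")
        if is_lookalike(domain):
            flags.append(f"sender domain {domain!r} looks like one of ours")
    for text, href in message.get("links", []):
        if link_mismatch(text, href):
            flags.append(f"link text {text!r} actually points to {href!r}")
    for name in message.get("attachments", []):
        if suspicious_attachment(name):
            flags.append(f"attachment {name!r} has an executable extension")
    return flags


# Constructed sample message combining three red flags from the page.
SAMPLE = {
    "from": '"ProAlign Accounts" <billing@proaIign.com>',
    "links": [("https://yourdomain.com/invoices", "https://proaIign.com/pay")],
    "attachments": ["Invoice.pdf.exe"],
}

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("RED FLAG:", flag)
```

A message with no flags still deserves step 3 (call back on a known number) when it asks for money or credentials; the script only automates the mechanical checks, not the judgement.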

We will never:

  • Ask for your password, MFA codes, or recovery codes.

  • Send attachments that install software or request remote control of your device.

  • Request payment via crypto, wire to a new account without prior contract updates, or gift cards.

  • Change bank details via email only—financial changes require verbal verification.

Protect Yourself (and Your Team)

  • Use a password manager and unique passwords; enable MFA (preferably security keys or passkeys) on important accounts.

  • Keep software updated (OS, browser, extensions).

  • Set up bank/credit alerts for unusual transactions.

  • Restrict admin tools and remote-access software; require approval logs.

  • Train regularly: practice spotting red flags with short simulations.

If You Clicked or Shared Info

  1. Disconnect from the network (if malware is suspected).

  2. Change passwords for any accounts you entered; rotate MFA factors; invalidate sessions.

  3. Run security scans / EDR; capture screenshots and save the email with full headers.

  4. Notify your IT/security team immediately.

  5. Contact your bank if money may be at risk; request a recall/fraud hold.

  6. Consider a credit freeze with major bureaus if personal data leaked.

For Business & IT Admins (Recommended Controls)

  • Email auth: Enforce SPF, DKIM, and DMARC (p=reject); monitor reports.

  • Transport security: Enable MTA-STS/TLS-RPT where supported.

  • Brand signals: Consider BIMI once DMARC is enforced.

  • Access: Prefer security keys/passkeys; disable legacy/basic auth; apply conditional access.

  • Payments: Require out-of-band verification for bank changes and wires.

  • Monitoring: Alert on look-alike domains and anomalous sign-ins; log and review email-rule changes.

  • Least privilege: Limit who can create forwarding rules or external sharing links.
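The "Email auth" control above is easy to state and easy to get subtly wrong. The example below is an added illustration, not ProAlign's own tooling: it checks SPF and DMARC TXT records for the weak settings an admin should tighten (p=none, partial pct, missing reports, +all or ?all, the deprecated ptr mechanism, and the 10-DNS-lookup limit of RFC 7208). The records it evaluates are constructed; in practice you would feed it the TXT records fetched for your own domain and _dmarc.<your domain>.

```python
"""Assess SPF and DMARC TXT records for weak settings.
Added example; the WEAK and HARDENED records below are constructed samples."""


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Findings that keep a DMARC record short of the 'p=reject; monitor reports' bar."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is delivered or only quarantined; move to p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    sub_policy = tags.get("sp")
    if sub_policy and sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains get a weaker policy than the organisational domain")
    return findings


def assess_spf(record: str) -> list[str]:
    """Findings for an SPF record: the 'all' qualifier, ptr, and the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # SPF default is '+' (pass)
        mechanism = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if mechanism in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1                                    # each costs a DNS lookup
        if mechanism == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208; replace it with ip4/ip6 or include")
        if mechanism == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the RFC 7208 limit of 10, receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are treated as neutral; end the record with -all")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet passes SPF; use -all")
    elif all_qualifier == "?":
        findings.append("?all: unlisted senders are neutral; use -all (or ~all while testing)")
    return findings


# Constructed records: a weak pair beside the hardened pair an admin should publish.
WEAK = {
    "spf": "v=spf1 include:_spf.mailer.invalid ptr +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailer.invalid -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
             "rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}] SPF:   {assess_spf(records['spf']) or 'ok'}")
        print(f"[{label}] DMARC: {assess_dmarc(records['dmarc']) or 'ok'}")
```

Move from p=none to p=quarantine to p=reject only after the rua reports show every legitimate sending service passing SPF or DKIM with alignment; otherwise the stricter policy rejects your own mail before it rejects the attacker's.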

Report Phishing or Fraud

If funds are involved, contact your bank and local authorities promptly (time matters).

ProAlign
