Annual Report Deadline Dilemma:

A Laramie business reported receiving a suspicious email from an address using the domain “@ar.wy-annualreport,” claiming the Wyoming annual report filing window was open. The message warned that failure to file could result in administrative dissolution and included business-specific details such as the filing date, formation state, principal address, and annual report due date, making it appear legitimate. However, the formatting and language differed from official Wyoming Secretary of State communications. After contacting the Wyoming Secretary of State’s office, the business owner confirmed the email was not associated with the agency, indicating it was likely a scam or misleading solicitation designed to resemble an official government notice. CyberWyoming Note: Some of these messages may come from private third-party companies using aggressive or misleading tactics to pressure businesses into paying them to file annual reports. In reality, businesses can usually file directly with the state for a much lower cost. Treat unexpected “urgent government filing” emails as suspicious, especially if they create urgency or threaten penalties. Avoid clicking links or replying. Instead, verify independently by visiting the official Secretary of State website or contacting the agency using known contact information.

Seminar Sharks:

A Wyoming business reported a suspected phishing or advance-fee style scam email from someone identifying himself as “Christopher Ward” using the domain “@1on1events[dot]net.” The sender claimed to represent a business coaching organization called “1 on 1” and attempted to recruit the recipient as the exclusive local financial advisor for a supposed event hosting 75–100 prequalified business owners. The email used high-pressure sales tactics, references to affluent clients, and promises of access to wealthy business owners to encourage participation. The reporting party became suspicious after researching the sender and organization. Their LinkedIn profile appeared minimal and lacked credibility, showing only one connection, no activity, and limited employment history. The reporter also discovered inconsistencies between the email domain (“1on1events[dot]net”) and the listed website (“1on1event[dot]com”). Additionally, the website was reviewed on Scam Detector and flagged as “Medium Risk.” CyberWyoming Note: This email was likely fraudulent and intended to deceive financial professionals into participating in or paying for a questionable event or lead-generation scheme. Businesses should independently verify unsolicited partnership or investment opportunities by researching company domains, confirming event details through trusted sources, and avoiding engagement with senders using inconsistent or suspicious online identities.

PayPal, The Usual Suspect:

A Sheridan County resident reported receiving a scam email from an unknown sender using a regular Gmail address. The email had the subject line “LEVY” and contained only the sender’s own email address in the message body. It also included an attachment that appeared to be a PayPal invoice. CyberWyoming Note: Even though this is a relatively conspicuous scam, it is still commonly received, which shows how frequently these mass phishing attempts are circulated. Be sure to avoid opening unexpected attachments, especially invoices or payment requests, and verify any suspicious messages directly through the official service rather than the email itself.

The Rise of ‘Subscription-Bombing’:

IT professionals are seeing a rise in “subscription-bombing,” a tactic where attackers flood a victim’s inbox with thousands of legitimate newsletters and service emails to bury important messages, creating an opening for fraudulent invoices. In the construction sector, adversaries often compromise an email, monitor invoice discussions, then send fake bills from deceptively similar addresses while legitimate messages are lost in the clutter. With construction breaches rising steadily, experts recommend safeguards such as two-factor authentication, single sign-on, segregated payment duties, verified communication channels, and email-forwarding rules to approved vendors. While enterprise systems may detect these floods, smaller companies remain particularly vulnerable.
– Brought to you by IT Brew & CISA Region 8
‍www.itbrew.com/stories/2026/03/20/attacking-the-inbox-it-pros-seeing-rise-in-subscription-bombing

Scammers are Using Fake Claude AI Site to Install Malware:

Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on macOS devices. ClickFix is a social engineering method that tricks users into infecting their own device with malware. Users are instructed to run specific commands that will download malware, usually an infostealer. The researchers found that when users search for terms like “Claude Mac download,” they may see sponsored Google results that appear to go to the legitimate claude.ai domain. In reality, the ads resolve to real Claude shared chats, set up to look like official “Claude Code on Mac” or Apple Support guides. Independent research by BleepingComputer found another chat serving the same purpose. The chat instructs victims to open Terminal and paste a base64-encoded command, which pulls a loader shell script from attacker-controlled infrastructure and runs it in memory.
– Brought to you by Malwarebytes
‍www.malwarebytes.com/blog/news/2026/05/fake-claude-search-results-lure-mac-users-into-clickfix-attack

Interested in cybersecurity business training?

The Made Safe™ Cybersecurity Training Program is a one-on-one program designed specifically for micro-businesses to reduce cyber risk and relieve anxiety around cybersecurity. Thanks to CyberWyoming’s members and sponsors, scholarships are available for Wyoming companies. Learn more at cyberwyoming.org/cyber-training/ or email info@cyberwyoming.org.

MS-ISAC and CISA Patch Now Alert:

The Multi-State Information Sharing and Analysis Center (MS-ISAC) or the Cybersecurity & Infrastructure Security Agency (CISA) has published a patch now (update your software) alert for Microsoft Exchange Server, NGINX, and Mozilla products. If you use any of these products, make sure the software (or firmware) is updated.

Data Breaches in the News:

Best Western, American Lending Center, 7-Eleven, Grafana, and GitHub. Note: If you have an account with these companies, be sure to change your password and consider placing a credit freeze on your accounts through the three credit reporting agencies: TransUnion, Experian, and Equifax.

Please report scams you may experience to phishing@cyberwyoming.org to alert your friends and neighbors.

‍Other ways to report a scam:

• Better Business Bureau Scam Tracker: bbb.org/scamtracker/us/reportscam
• Wyoming Attorney General’s Office, Consumer Protection
  • Email ag.consumer@wyo.gov
  • Complaint form attorneygeneral.wyo.gov/law-office-division/consumer-protection-and-antitrust-unit/consumer-complaints

• File a complaint with the Federal Trade Commission at reportfraud.ftc.gov
• Get steps to help at www.IdentityTheft.gov
• Report your scam to the FBI at www.ic3.gov/complaint
• Reported unwanted calls to the Federal Trade Commission’s Do Not Call Registration. Online at donotcall.gov/report.html or call 1-888-382-1222, option 3
• Office of the Inspector General: oig.ssa.gov
• If you believe someone is using your Social Security number, contact the Social Security Administration’s (SSA) fraud hotline at 1-800-269-0271.
• AARP Fraud Watch Network (any age welcome) Helpline 877-908-3360
• IRS: report email scams impersonating the IRS to phishing@irs.gov
• Call the Wyoming Senior Medicare Patrol (SMP) for assistance with potential Medicare fraud, abuse, or errors at 1 800 856-4398
• Victim Support: The AARP Fraud Watch Network and Volunteers of America (VOA) created a new, free program to provide emotional support for people impacted by a scam or fraud, called ReST. Visit www.aarp.org/fraudsupport to learn more about the free program and register