Fraudsters and criminals are always thinking of new ways to steal your money or your identity.
Back to school also means “back to fraud” for some cybercriminals looking to spoof domains and pull off spear phishing attacks. However, credit unions can take steps to protect their brands and members from these threats, which often begin as malicious emails. Email scams coerce people into providing sensitive data, which leads to identity theft and other crimes. Phishing victims often blame the companies or financial institutions they think were behind the fake emails, so ultimately, these attacks can erode trust between organizations and their customers.
According to John Wilson, field chief technology officer for the San Mateo, Calif.-based email security solutions provider Agari, there are several types of back-to-school scams.
First, there’s phishing, to which education credit unions are especially susceptible at the start of a new school year. Cybercriminals who obtain teachers’ union email lists can hit members with spear phishing attacks, which request that a union member update his or her information and lure him or her to a fake page designed to capture usernames, passwords and personal credentials.
Second, a tuition wire scam coaxes money out of victims by convincing them they have an unpaid tuition bill. The scammers may even pose as the school and solicit bank transfer information to cover the “tuition.”
Finally, during the back-to-school months, criminals are likely to instigate a common email fraud scheme that involves sending a message that promises a reward, such as a gift card from a major retailer. Criminals ask their victims to complete a survey, which includes personal information such as home addresses, Social Security numbers and birthdays. Once the fraudsters have enough details, they use the survey applicant’s data to apply for credit cards.
More sophisticated criminals use a similar tactic to install malware on the victim’s computer. This typically involves the use of an undetected key logger that captures information typed by the victim – including URLs, user names and passwords – and sends it off to the criminal. (cutimes.com)
Fraudsters have now come up with a new scam involving social media and remote deposit capture. The scam, posted on social media sites, appears to be a legitimate work-at-home job or other opportunity that functions as a “money transfer agent.” The member is told they will receive deposits into their accounts, with instructions on withdrawing the funds and forwarding the money to a contact person. The member is told they will receive a percentage of the funds as commission.
Next, the member is instructed to provide the contact person with their online/mobile banking username and passwords. This action allows the fraudsters to log into the member’s accounts to access remote deposit capture and deposit checks. The checks are subsequently returned, after the holds have expired and the member has already withdrawn the funds and sent them to the contact person.
Please do not EVER provide anyone with your online/mobile banking username and/or password. (facebook.com/EagleOneFCU)
The FTC warns consumers that it’s a mistake to assume that all toll-free numbers that pop up in a search are legitimate customer service lines. Some are run by scammers out to hijack your credit card number or install malware on your computer. Using company names and URLs that look confusingly similar to national shopping outlets and big box stores, scammers hope that consumers will see the look-alike sites at the top of search engine results and assume they’re legitimate. Once they have you on the line with your defenses down, scammers try to get you to reveal your credit card number.
Want to stay away from these scams? Here are four tips to help keep you safe:
Even if it involves some digging on a company’s website to find reliable contact information, search carefully and you’ll be more likely to stay safe online and strike gold with your search. (consumer.ftc.gov)
Recent storms and flooding plaguing the Midwest and Southeast could impact car buyers across the country. Vehicles damaged by floods in those areas can be cleaned up and taken out of state for sale. You might not know a vehicle is damaged until you take a closer look or have a mechanic check it out.
Here’s what to do:
Let’s be honest: I spend more time playing games on my smart phone than talking on it. Our phones have become our family photo albums, personal gaming systems, calendars, encyclopedias, navigators, and instant messengers. If you can think of an activity, there’s probably an app for it.
Unfortunately, some apps might not be what they claim, and downloading the wrong app could put your phone on the fritz. According to the FTC, that’s what happened to thousands of people who downloaded the Prized app before it was removed from the app store.
Prized claimed that users could earn prizes by completing tasks like playing games and taking surveys. Instead, the app contained malware that hijacked the phone’s computing power. As a result, phones ran slower, had less battery life, and used up people’s data plans. The company was using the hijacked computing power to mine virtual currencies – like Dogecoin and Litecoin – for its own profit, without the authorization or knowledge of the phone owners.
The FTC has released information to assist current or former federal employees whose personal information may have been exposed in the recent data breach at the Office of Personnel Management and the Interior Department. Steps to help protect consumer identities include checking credit reports, taking advantage of offers for free credit monitoring, and placing fraud alerts on credit reports, among others.
If your credit union has members who may have been affected by this data breach, please share this link with them: OPM data breach – what should you do? (consumer.ftc.gov)
You get an email from a friend, with a link and a message: “Hi! Oprah says it’s excellent!” But did your friend really send this message? And what’s so excellent?
Millions of people get emails like this one, but not from their friends. Instead, according to the FTC, marketers hired by Sale Slash sent spam emails from hacked email and social media accounts. Why? To trick people into thinking the messages came from a friend. And, of course, to sell stuff.
The links in the messages led to fake news sites promoting Sale Slash’s weight loss products. Everything about the news sites was fake. Endorsements from Oprah and The Doctors’ TV show? Fictitious. Reviews from news reporters? Phony. Testimonials from people with dramatic weight loss stories from using diet pills? Bogus.
Also false, according to the FTC? Claims that Sale Slash’s products would help people “melt away” extensive amounts of belly fat without diet or exercise. Just not true.
So here’s the skinny:
According to the NCUA, the perpetrators are able to mimic a telephone number to generate text messages. The messages may warn of a debit card reaching its limit or use some other trick to persuade individuals to provide personal information or go to a malicious website.
Consumers should not click on links in the message, provide information to any websites referenced in the message, or attempt to conduct any financial transactions through those websites.
This attempted fraud is classified as “spoofing” by the Federal Communications Commission.