Scam of the Month: MFA Prompt Bombing
Multi-factor authentication (MFA) provides an extra layer of security for your accounts, but it’s important to think before you click. Cybercriminals can use an attack method called MFA prompt bombing to get around MFA protections and overwhelm you with prompts via email, text message, or phone call.
For example, cybercriminals may attempt to log in to an account using your credentials. Then, they’ll request a phone call MFA verification, which is sent to the phone number you use for MFA. Cybercriminals will often request these verifications late at night when you’re asleep and unprepared. If you accept the phone call and press the button to verify your identity, you may grant the cybercriminals access to your account. Once the cybercriminals bypass your MFA, they can use your account to achieve their malicious goals.
Don’t let MFA give you a false sense of security. Follow the tips below to stay safe from MFA prompt bombing scams:
- Never approve an MFA notification you didn’t request. If you have a shared account, verify the MFA request with the other account holder before taking action.
- If you receive an MFA notification you didn’t request, immediately change your password for the associated account. You should also consider updating your passwords for any accounts that use the same credentials.
- Create unique, strong passwords for each of your accounts. Without your password, it’s difficult for cybercriminals to reach the MFA step of the login process.
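The description above is what the attack looks like from the user's side; on the identity-provider side it leaves a characteristic trace: a burst of push or call prompts for one account, mostly denied or timed out, often at night, sometimes ending in a single approval. The following is an added example (not code from this page or from any bank or vendor) of detection logic run over a constructed list of MFA events. The event format, the 10-minute window, the three-prompt threshold and the "night" band of midnight to 5 a.m. local time are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push/call events (not real logs): user, local
# timestamp, outcome as recorded by the identity provider.
SAMPLE_EVENTS = [
    ("alice", "2024-03-02T02:14:05", "denied"),
    ("alice", "2024-03-02T02:14:40", "denied"),
    ("alice", "2024-03-02T02:15:12", "timeout"),
    ("alice", "2024-03-02T02:15:50", "denied"),
    ("alice", "2024-03-02T02:16:30", "denied"),
    ("alice", "2024-03-02T02:17:02", "approved"),
    ("bob",   "2024-03-02T09:00:01", "approved"),
    ("carol", "2024-03-02T11:30:00", "denied"),
    ("carol", "2024-03-02T11:31:00", "approved"),
]

NIGHT_HOURS = range(0, 5)  # assumed "late at night" band in the user's local time


def find_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received >= `threshold` MFA prompts inside any `window`.

    Returns {user: {"prompts", "first", "last", "fatigue_approval", "night"}}.
    `fatigue_approval` is True when an approval follows earlier denials or
    timeouts inside the burst, the pattern of a user giving in to the prompts.
    """
    by_user = defaultdict(list)
    for user, ts, outcome in events:
        by_user[user].append((datetime.fromisoformat(ts), outcome))

    findings = {}
    for user, items in by_user.items():
        items.sort()
        best = None
        start = 0
        for end in range(len(items)):
            # Advance the window start until items[start:end+1] all fit in `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = items[start:end + 1]
            if len(burst) < threshold:
                continue
            rejected_before = any(o != "approved" for _, o in burst[:-1])
            approved_last = burst[-1][1] == "approved"
            if best is None:
                best = {"prompts": 0, "first": burst[0][0].isoformat(),
                        "last": None, "fatigue_approval": False, "night": False}
            best["prompts"] = max(best["prompts"], len(burst))
            best["last"] = burst[-1][0].isoformat()
            best["fatigue_approval"] |= rejected_before and approved_last
            best["night"] |= any(t.hour in NIGHT_HOURS for t, _ in burst)
        if best is not None:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, finding in find_prompt_bombing(SAMPLE_EVENTS).items():
        print(user, finding)
```

With the sample data only "alice" is flagged: six prompts in under three minutes at about 2 a.m., with an approval after five rejections, which is exactly the case the tips above tell users to avoid. Lowering the threshold to two would also surface "carol" (one denial, then an approval), so the threshold is a trade-off between catching short bursts and paging on ordinary mis-taps.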
UK residents are targets of a recent smishing (SMS phishing) scam. In this scam, cybercriminals impersonate the home delivery company through fake failed-delivery text messages that include a link to reschedule the delivery.
The link included in these fake delivery notifications leads to a phony look-alike website. On the website, you're asked to provide your personal and financial information to reschedule the delivery. Unfortunately, if you fill out and submit this form, you won't be receiving any packages. Instead, you'll be delivering your sensitive information right to the cybercriminals.
Follow these tips to protect yourself from similar smishing attacks:
- Think before you tap. Are you expecting a package? Have you signed up for text notifications? Is this like notifications you’ve received before from this company?
- Never tap on a link in an email or text message that you were not expecting. Instead, open your browser and enter the official URL for the website you wish to visit.
- To verify the legitimacy of a delivery notification, contact the company by phone, email, or their official mobile app. Do not use the phone number or link sent in the text to contact the company.
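The tips above boil down to one question: does the link in the message actually point at the company's real domain? As an added example (not code from this page or from any delivery company or bank), the script below extracts the URLs from a text message and sorts each host into "trusted", "look-alike" or "unknown". The allowlist of brand domains, the constructed sample messages, the naive "last two labels" domain rule and the two-edit distance cutoff are all assumptions for illustration; a production checker would use the Public Suffix List instead of the naive rule.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of a brand's real registrable domains (constructed for
# this example; a bank or retailer would maintain its own list).
TRUSTED_DOMAINS = {"netflix.com", "paypal.com", "amazon.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive 'last two labels' rule (assumption). Real code should use the
    Public Suffix List so that hosts such as 'example.co.uk' are handled."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for one hostname."""
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted-domain", reg
    # Brand name used as a subdomain of some other registrable domain.
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host.lower():
            return "lookalike", f"'{brand}' appears in hostname but domain is {reg}"
    # Registrable domain within two edits of a trusted one (digit-for-letter swaps etc.).
    for t in trusted:
        if levenshtein(reg, t) <= 2:
            return "lookalike", f"{reg} is within 2 edits of {t}"
    return "unknown-domain", reg


def triage_links(text):
    """Extract every URL in an SMS or e-mail body and classify its host."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        host = urlsplit(url).hostname or ""
        verdict, reason = classify_host(host)
        results.append({"url": url, "host": host, "verdict": verdict, "reason": reason})
    return results


# Constructed sample messages (not real scam texts).
SAMPLE_MESSAGES = [
    "Your parcel could not be delivered. Reschedule: https://track-redelivery.example/pay",
    "Your Netflix membership is on hold. Update payment at https://netflix.com.billing-update.example/login",
    "PayPal: account limited, verify now https://paypa1.com/verify.",
    "Reminder: manage your plan at https://www.netflix.com/account",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for r in triage_links(msg):
            print(f"{r['verdict']:15} {r['host']:40} {r['reason']}")
```

Note that "unknown-domain" is not a clean bill of health: a delivery company you never gave your number to has no reason to text you at all, which is why the tips say to go to the official site rather than tap the link. The check only makes the "look-alike" cases explicit, where a brand name is hidden in a subdomain or a digit stands in for a letter.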
What could be safer than sending money to yourself through your own bank?
A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge.
The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. "In addition to knowing the victim's financial institution, the actors often had further information such as the victim's past addresses, social security number, and the last four digits of their bank accounts," the IC3 said.
The con starts off as many that target individuals do nowadays: with a text message. In this case it's not a phishing attempt; it's an attempt to ascertain whether the person receiving the message is susceptible to further manipulation. Posing as the target's bank, the message asks whether a large charge ($5,000 in the example the FBI gives) was legitimate and asks for a reply of YES or NO. Replying no leads to a follow-up text: "Our fraud specialist will be contacting you shortly."
This is where social engineering comes in, and the FBI is painting a picture of a sophisticated operation.
The "fraud specialists" contacting users reportedly "speak English without a discernible accent," and once they establish credibility with the victim they move on to "helping" them "reverse" the fake transaction.
It gets even more insidious here: the charges being disputed aren't bank charges directly; they are payments made through an instant payment app like Venmo or CashApp. The fraudster never asks for a password or any information that might clue someone in that they're being strung along.
Instead, the caller asks the victim to use their bank website or app to remove their email address from the digital payment app (thereby unlinking the app and bank account), which the fraudster then asks for. Next, the victim is asked to send the same amount as the fake payment to themselves using their own email address, which has already been added to an account the criminal controls.
"Victims often only realized they had been scammed after they checked their financial account's balance," the FBI said.
The FBI says that the normal tips for avoiding phishing apply here: don't respond to unsolicited requests to verify information; if you receive one, contact your financial institution directly; keep MFA enabled on all accounts; and be wary of anyone providing personally identifiable information as proof of their legitimacy. Also, the FBI said, "financial institutions will not ask customers to transfer funds between accounts in order to help prevent fraud."
Social engineering has been a problem on the internet dating back almost to its inception, and it treats digital crime in the same way that crimes in the physical world are planned: What's the path of least risk with greatest reward?
Online, it's less about brute force or technical skill, both of which require knowledge, training and time, and more about con artistry, which is made simpler in the digital world where personal charisma is less essential.
Those who've yet to come in contact with a social engineering attack are a rapidly shrinking pool: According to one statistic, 98 percent of cyber attacks involve social engineering in some capacity.
Recruitment websites are a great way to find new job opportunities. Unfortunately, very few of these recruitment websites properly validate the people posting jobs, which makes it surprisingly easy to create fake job posts.
Cybercriminals have been creating fake job posts that appear to be listed by a legitimate organization. These fake posts direct you to contact a malicious email address, phone number, or website that appears to belong to the spoofed organization. Cybercriminals use this scam to try to steal your personally identifiable information. This type of information is often provided when applying for a job, which makes this scam simple, yet effective.
Follow the tips below to stay safe from these types of scams:
- Watch out for grammatical errors, unusual language, and style inconsistencies in job posts. Be suspicious of job posts that look different compared to other job posts from the same organization.
- Avoid applying for a job within a recruitment website’s platform. Instead, look up the organization’s official website and find their careers page.
- Cybercriminals could also use this scam to target people within a specific organization. Be sure to follow your organization’s specific guidelines when applying for internal positions.
It’s that time of year – love is in the air and Valentine’s Day is approaching!
Many Americans dream of finding their one true love and, in the world of technology, many are turning to online platforms to find that special someone. Common online platforms include (but are not limited to) email, social media, dating apps and dating websites. While one person’s intentions may be to find love, unfortunately scammers often prey on hopeless romantics for financial gain.
Romance scammers typically create fictitious profiles with attractive pictures and personal information lifted from internet searches or the social media profiles of real people. Within a short period of communication, the scammer is likely to claim they need money for one reason or another.
These scams happen to everyday people, including your friends, family, and clients.
The Lies Romance Scammers Tell
Scammers often say they’re living or traveling outside of the United States. They commonly say they are:
- Working on an oil rig
- In the military
- A doctor working for an international organization
Romance scammers often ask their targets for money to:
- Pay for a plane ticket or other travel expenses
- Pay for surgery or other medical expenses
- Pay customs fees to retrieve something
- Pay off gambling debts
- Pay for a visa or other official travel documents
Scammers ask people to pay by:
- Wiring money
- Using reloadable cards like MoneyPak
- Purchasing gift cards from vendors like Amazon, Google Play, iTunes or Steam
Scammers prefer these payment methods because they can get cash quickly and remain anonymous. They also know the transactions are almost impossible to reverse.
How To Avoid Losing Money to a Romance Scammer
Here’s the bottom line: you should never send money or gifts to a sweetheart you haven’t met in person.
If someone you care about suspects they are involved in a romance scam, here are a few tips to pass along:
- Stop communicating with the person immediately.
- Encourage them to talk to someone they trust and pay attention if their friends or family say they’re concerned about their new love interest.
- Suggest they search for the type of job the person has to see if other people have heard similar stories. For example, they could search for “oil rig scammer” or “U.S. Army scammer.” They can also browse the comments on the Federal Trade Commission’s blog posts about romance scams to hear other people’s stories:
  - Faking it – scammers’ tricks to steal your heart and money
  - Has an online love interest asked you for money?
  - Romance scams will cost you
- Suggest they conduct a reverse image search of the person’s profile picture to see if it’s associated with another name or with details that don’t match up – those are signs of a scam.
Reporting a Romance Scam
- Contact your financial institution right away if your account information or online banking credentials have been compromised or have been involved in a scam.
- If you paid a romance scammer with a gift card, contact the company that issued the card right away. Let the company know you paid a scammer with the gift card and ask if they can refund the money.
- If you believe they’ve been a victim of a scam, report it to the FTC at ReportFraud.ftc.gov. Also notify the website or app where they met the scammer.
Being the victim of a romance scam is a sad reality for so many and is heartbreaking both emotionally and financially.
Netflix is both the world’s largest streaming platform and one of the most impersonated brands among cybercriminals. There have been many Netflix-themed scams over the years, but most of these scams target one of two groups: current Netflix subscribers or potential Netflix subscribers.
To target current Netflix subscribers, cybercriminals send phony email notifications claiming there is a problem with your billing information. To target potential Netflix subscribers, cybercriminals send emails that advertise a deal for new accounts. Both phishing emails include links that lead to Netflix look-alike webpages where you’re asked to provide your personal and payment information. Any information you enter on these fake webpages is delivered straight to the cybercriminals.
Remember the tips below to stay safe from streaming scams:
- Never click on a link within an email that you weren’t expecting, even if the email appears to come from a company or service you recognize.
- These types of scams aren’t limited to Netflix. Cybercriminals also spoof other streaming services, such as Disney+ and Spotify. Remember that if a deal seems too good to be true, it probably is.
- If you receive an unexpected notification, open your browser and navigate to the platform’s website. Then, you can log in to your account knowing that you’re on the platform’s real website and not a phony look-alike website.
A recent proposal in Washington would require banks to report to the IRS on the inflows and outflows of all accounts worth over $600. Under the proposal, Farmers and Merchants Bank would be required by the government to report your account information to the IRS.
We care about you and your privacy and want you to know about this potential change proposed by Washington policymakers. If you want to learn more about these issues or share your opinion with Congress, visit banklocally.org/privacy.
Let Congress know your privacy matters by filling out the form linked below.
If you’ve started your holiday shopping, you may have received purchase confirmation emails from Amazon, one of the world’s most popular retailers. Unfortunately, cybercriminals have also been sending their own version of these emails. In a new scam, cybercriminals impersonate Amazon to send fake purchase confirmation emails in hopes of receiving a special holiday gift: your credit card information.
In this scam, cybercriminals send you a fake purchase confirmation email that appears to come from Amazon. In the email, you can review details about the phony purchase, such as the payment amount and your mailing address. To review the purchase further, you can click a “View or manage order” button in the email. If you click this button, you’ll be taken to Amazon’s real website, but you won’t be able to find information about the purchase. As a last resort, you can call the customer service phone number in the email. If you call, you’ll be asked to provide your credit card number and CVV number to cancel the purchase. Instead of canceling the purchase, you’ll grant cybercriminals access to your credit card.
Don’t fall for this scam! Follow the tips below to stay safe:
- Watch out for fake customer service phone numbers. If you need assistance, check the vendor’s website to find their customer service phone number or email address.
- Don’t click links in emails you weren’t expecting. If you click a malicious link, malware or other malicious software may be downloaded onto your device.
- Don’t share sensitive information, such as credit card numbers or social security numbers, over the phone.
It’s only early November, but you have probably already seen Christmas trees sold in stores. This is a trend known as “seasonal creep” in which retailers start selling seasonal items in advance of the actual season. Did you know that cybercriminals also follow this trend?
For example, Black Friday and Cyber Monday traditionally fell after Thanksgiving in the United States. However, these international shopping events now start as early as November 1. Cybercriminals take advantage of this trend by sending phishing emails disguised as advertisements and phony purchase receipts long before the holiday season begins.
Follow the tips below to shop safely this holiday season:
- Never click a link from an email or text message that you weren't expecting, even if the link appears to be for a store you recognize. Instead, use your browser to navigate directly to the retailer’s official website.
- Watch out for malvertising. Malvertising is when cybercriminals try to phish shoppers through ads on social media and other websites. Always think before you click!
- Be cautious of advertisements that promise outrageous deals. Remember that if something seems too good to be true, it probably is!
Don't let your guard down just because you're on a mobile device. Be just as careful as you would be on a desktop! Hackers have multiple ways of getting personal information through Wi-Fi, apps, browsers, Bluetooth, smishing (phishing via SMS), and vishing (voice phishing).
In a recent scam, cybercriminals impersonated the telecommunications provider Verizon. The Verizon logo is the company name followed by a red asymmetrical “V” that resembles a check mark. Cybercriminals imitated this logo using mathematical symbols, such as the square root symbol (√).
Using their fake logo, cybercriminals sent a phishing email that was disguised as a Verizon voicemail notification. The email directs you to click the “Play” button to listen to the voicemail. If you click the button, you are taken to a phony look-alike Verizon webpage. Before you can listen to the voicemail, you are directed to log in to your Microsoft Office 365 account for authentication. Unfortunately, if you enter your credentials, you’ll give the cybercriminals full access to your Microsoft Office 365 account.
Use the tips below to stay safe from similar scams:
- This type of attack isn’t exclusive to Verizon. Cybercriminals could easily use this technique for other brands. Always think before you click.
- Watch out for anything out of the ordinary. A Verizon webpage asking you to log in using your Microsoft Office 365 account is quite unusual.
- If you receive an unexpected notification, open your browser and navigate to the provider’s website. Then, you can log in to your account knowing that you are on the real website and not a phony look-alike website.
FinCEN has issued an advisory regarding Imposter Scams and Money Mule Schemes in relation to the Coronavirus. Please check the links below for more information on these scams to keep up to date on how to protect yourself:
In a new Smishing (SMS Phishing) attack aimed at Android users, cybercriminals send a text message that claims you have a delivery that needs to be paid for. If you tap on the link provided in the text, you are taken to a page that asks you to update your Google Chrome app. If you tap the Install Now button on the page, a download begins and you are redirected to a payment screen. On this screen, you are asked to pay a small fee so that your package can be delivered. If you provide any payment information on this page, it is sent directly to the bad guys.
Unfortunately, this scam gets worse. If you tapped the Install Now button mentioned above, you actually downloaded malware that uses the icon and name of Google Chrome to disguise itself. This “app” then uses your mobile number to send thousands of smishing texts to random, unsuspecting victims.
Don’t become a part of their scam! Follow the tips below to stay safe from attacks like this:
- Only download and update apps through your device’s official app store.
- Though this attack targets Android users, this technique could be used on any kind of mobile device, so always be suspicious of unexpected text messages.
- If you are expecting a package, stay up-to-date on your order by visiting the retailer’s official website and not by tapping a link in a text message.
Stop, Look, and Think. Don't be fooled.
A romance scam is when a new love interest says they love you, but they really just love your money—and may not be who they say they are.
Be on the lookout for these romance scams:
- A new love who lives far away asks you to wire them money or share your credit card number with them—even if they say they’ll pay you back.
- Your new romantic interest asks you to sign a document that would give them control of your finances or your house.
- Your new sweetheart asks you to open a new joint account or co-sign a loan with them.
- Your new darling asks for access to your bank or credit card accounts.
Report in-person romance scams to local law enforcement. Report online romance scams to ftc.gov/complaint.
An easy way for cybercriminals to get your attention is to claim that you owe a large amount of money. Pair this claim with a QuickBooks-themed phishing email and a malware attachment, and you get a dangerous cybersecurity threat.
The cybercriminals send a well-made spoof of a QuickBooks email that even includes an invoice number. The email message states that you owe over one-thousand dollars for the order but it gives no further details. Attached to the email is what appears to be an Excel file with the invoice number as the filename. The bad guys are hoping you’ll open the attachment looking for more information. If you do open it, you’ll actually be opening a dangerous piece of malware specially designed to target your financial and banking information. This malware can lead to unauthorized charges, wire transfers, and even data breaches.
Here’s how you can stay safe from scams like this:
- Never click a link or download an attachment in an email that you were not expecting.
- Remember that bad guys can disguise anything, even file types.
- If you think the notification could be legitimate, navigate to the official QuickBooks website and log in to your account to confirm.
A new Smishing (SMS Phishing) attack uses an urgent text message to trick you into clicking a malicious link. The message states “PayPal: We've permanently limited your account, please click link below to verify.” If you click on the link provided, you are taken to a PayPal look-alike page and asked to log in.
Bad actors take this scam one step further. If you enter your login credentials on their phony page, you’ll be taken to a second page that asks for your name, address, and bank account details. Everything entered on these pages will be sent directly to the bad guys.
While this is an advanced attack, you can still stay safe by practicing the tips below:
- Check for poor grammar in supposedly-official messages. Did you catch the grammatical error in the example above? It asks you to “click link below” instead of “click the link below”.
- Question the situation. For example, did you give PayPal your mobile number? And did you ever sign up to receive text notifications?
- Never trust a link in a text message that you were not expecting. If you think the notification could be legitimate, navigate to the official website and log in there.
We have recently seen an increase in COVID-19 themed phishing emails sent to customers. The most recent attempt is a phishing campaign impersonating the Small Business Administration (SBA).
This is a malicious attempt to lure business owners to apply for the Paycheck Protection Program (PPP) by clicking on the provided link.
In this example, the sender posed as the President of World Trade Finance and directed the recipient to click on the embedded URL in the body of the email to fill out a registration form.
If you receive an email resembling the one shown above, DO NOT click any of the links or attachments, and DELETE it immediately.
As always, FMB strongly recommends opening email and attachments from trusted sources only.
The FTC is getting reports about people pretending to be from the Social Security Administration (SSA) who are trying to get your Social Security number and even your money. In one version of the scam, the caller says your Social Security number has been linked to a crime (often, he says it happened in Texas) involving drugs or sending money out of the country illegally. He then says your Social is blocked – but he might ask you for a fee to reactivate it, or to get a new number. And he will ask you to confirm your Social Security number.
In other variations, he says that somebody used your Social Security number to apply for credit cards, and you could lose your benefits. Or he might warn you that your bank account is about to be seized, that you need to withdraw your money, and that he’ll tell you how to keep it safe.
But all of these are scams. Here’s what you need to know:
- The SSA will never (ever) call and ask for your Social Security number. It won’t ask you to pay anything. And it won’t call to threaten your benefits.
- Your caller ID might show the SSA’s real phone number (1-800-772-1213), but that’s not the real SSA calling. Computers make it easy to show any number on caller ID. You can’t trust what you see there.
- Never give your Social Security number to anyone who contacts you. Don’t confirm the last 4 digits. And don’t give a bank account or credit card number – ever – to anybody who contacts you asking for it.
- Remember that anyone who tells you to wire money, pay with a gift card, or send cash is a scammer. Always. No matter who they say they are.
If you’re worried about a call from someone who claims to be from the Social Security Administration, get off the phone. Then call the real SSA at 1-800-772-1213 (TTY 1-800-325-0778). If you’ve spotted a scam, then tell the FTC at ftc.gov/complaint.
Coronavirus: Scammers follow the headlines
Scammers are taking advantage of fears surrounding the Coronavirus. They’re setting up websites to sell bogus products, and using fake emails, texts, and social media posts as a ruse to take your money and get your personal information.
The emails and posts may be promoting awareness and prevention tips, and fake information about cases in your neighborhood. They also may be asking you to donate to victims, offering advice on unproven treatments, or contain malicious email attachments.
Here are some tips to help you keep the scammers at bay:
- Don’t click on links from sources you don’t know. It could download a virus onto your computer or device. Make sure the anti-malware and anti-virus software on your computer is up to date.
- Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or from experts saying that they have information about the virus. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
- Ignore online offers for vaccinations. If you see ads touting prevention, treatment, or cure claims for the Coronavirus, ask yourself: if there’s been a medical breakthrough, would you be hearing about it for the first time through an ad or sales pitch?
- Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.
- Be alert to “investment opportunities.” The U.S. Securities and Exchange Commission (SEC) is warning people about online promotions, including on social media, claiming that the products or services of publicly traded companies can prevent, detect, or cure coronavirus and that the stock of these companies will dramatically increase in value as a result.
Want more information on the latest scams we’re seeing? Sign up for our consumer alerts from the Federal Trade Commission. If you come across any suspicious claims, report them to the FTC at ftc.gov/complaint.
Caller ID Spoofing
Caller ID spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Spoofing is often used as part of an attempt to trick someone into giving away valuable personal information so it can be used in fraudulent activity or sold illegally, but also can be used legitimately, for example, to display the toll-free number for a business.
Scammers want more from you...
“I’m calling from [pick any bank]. Someone’s been using your debit card ending in 2345 at [pick any retailer]. I’ll need to verify your Social Security number — which ends in 1234, right? — and full debit card information so we can stop this unauthorized activity...”
So the caller ID shows the name of your bank. And the caller knows some of your personal details. Does that mean it’s legit? No. It’s a scam — and scammers are counting on the call being so unsettling that you might not stop to check your bank statement.
We’ve started hearing about phone scams like this, which combine two scammer tricks: spear phishing and caller ID spoofing. In a phishing attempt, scammers may make it look like they’re from a legitimate company. And when they call or email with specific details about you — asking you to verify the information in full (things like your Social Security number or address) — that’s called spear phishing.
The other nasty wrinkle in this scam is caller ID spoofing. That’s when scammers fake their caller ID to trick you into thinking the call is from someone you trust. They can also send you text messages that may seem legitimate, e.g. reporting that your debit card has been frozen. They may ask you to call them, click on a link in the message, or give them your full credit card number. Never respond to these texts. Do not call the numbers they provide or click on the links they send to you via text message or email. FMB will only send you text messages if you have signed up for FMB Alerts.
How to KNOW it's FMB calling
We will always leave a specific message as to what we are calling about if we get your voicemail. We will always leave our name so you will know who to ask for when you call back. When calling back, call the number of your branch and ask to speak to the person who left you the message.
Tips to avoid spoofing scams
You may not be able to tell right away if an incoming call is spoofed. Be extremely careful about responding to any request for personal identifying information.
- Don't answer calls from unknown numbers. If you answer such a call, hang up immediately.
- Don’t assume your caller ID is proof of whom you’re dealing with. Scammers can make it look like they’re calling from a company or number you trust.
- If you answer the phone and the caller - or a recording - asks you to hit a button to stop getting the calls, you should just hang up. Scammers often use this trick to identify potential targets.
- Do not respond to any questions, especially those that can be answered with "Yes" or "No."
- Never give out personal information such as account numbers, Social Security numbers, mother's maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.
- Don’t trust someone just because they have personal information about you. Scammers have ways of getting that information.
- If you get an inquiry from someone who says they represent a company or a government agency, hang up and call the phone number on your account statement, in the phone book, or on the company's or government agency's website to verify the authenticity of the request. You will usually get a written statement in the mail before you get a phone call from a legitimate source, particularly if the caller is asking for a payment.
- Use caution if you are being pressured for information immediately.
- If you gave a scammer your personal or banking information, contact us immediately for assistance or go to IdentityTheft.gov.
- If you have a voice mail account with your phone service, be sure to set a password for it. Some voicemail services are preset to allow access if you call in from your own phone number. A hacker could spoof your home phone number and gain access to your voice mail if you do not set a password.
- Talk to your phone company about call blocking tools they may have and check into apps that you can download to your mobile device to block unwanted calls. Information on available robocall blocking tools is available at fcc.gov/robocalls.
Even if you didn’t give personal information to the scammer, you can report the scam to the Federal Trade Commission. Your reports help them understand what’s happening and can lead to investigations and legal action to shut scammers down.
ALERT: There have been media reports of skimmers on ATMs, gas pumps, and self-checkout terminals in the area.
Here are ways you can protect yourself:
- When paying at gas pumps use the pump that has the closest view to the clerks inside. These are less likely to have a skimmer.
- You often have the option to use the card as a credit or a debit card. If you choose the credit option, you’ll likely be able to avoid entering your PIN.
- Always inspect any ATM that you use. Give the card bezel a tug, look for sticky residue, oddly placed stickers, or holes in the exterior.
- If you have the ability, turn your debit/credit card “off” when not in use. This is coming to FMB in 2020!
- Keep an eye on your accounts. Set up