SCAM OF THE WEEK: Phishing Starts Earlier and Earlier
It’s only early November, but you have probably already seen Christmas trees sold in stores. This is a trend known as “seasonal creep” in which retailers start selling seasonal items in advance of the actual season. Did you know that cybercriminals also follow this trend?
For example, Black Friday and Cyber Monday traditionally fell after Thanksgiving in the United States. However, these international shopping events now start as early as November 1. Cybercriminals take advantage of this trend by sending phishing emails disguised as advertisements and phony purchase receipts long before the holiday season begins.
Follow the tips below to shop safely this holiday season:
- Never click a link from an email or text message that you weren't expecting, even if the link appears to be for a store you recognize. Instead, use your browser to navigate directly to the retailer’s official website.
- Watch out for malvertising. Malvertising is when cybercriminals try to phish shoppers through ads on social media and other websites. Always think before you click!
- Be cautious of advertisements that promise outrageous deals. Remember that if something seems too good to be true, it probably is!
Consumer Alert: IRS Reporting Mandates
A recent proposal in Washington would require banks to report to the IRS on the inflows and outflows of all accounts worth over $600. Under the proposal, Farmers and Merchants Bank would be required by the government to report your account information to the IRS.
We care about you and your privacy and want you to know about this potential change proposed by Washington policymakers. If you want to learn more about these issues or share your opinion with Congress, visit banklocally.org/privacy.
Let Congress know your privacy matters by filling out the form linked below.
Don't let your guard down just because you're on a mobile device. Be just as careful as you would on a desktop! Hackers have multiple ways of getting personal information: through Wi-Fi, apps, browsers, Bluetooth, smishing (phishing via SMS), and vishing (voice phishing).
In a recent scam, cybercriminals impersonated the telecommunications provider, Verizon. The logo for Verizon is the company name, followed by a red asymmetrical “V” that resembles a check mark. Cybercriminals imitated this logo by using mathematical symbols, such as the square root symbol (√).
Using their fake logo, cybercriminals sent a phishing email that was disguised as a Verizon voicemail notification. The email directs you to click the “Play” button to listen to the voicemail. If you click the button, you are taken to a phony look-alike Verizon webpage. Before you can listen to the voicemail, you are directed to log in to your Microsoft Office 365 account for authentication. Unfortunately, if you enter your credentials, you’ll give the cybercriminals full access to your Microsoft Office 365 account.
Use the tips below to stay safe from similar scams:
- This type of attack isn’t exclusive to Verizon. Cybercriminals could easily use this technique for other brands. Always think before you click.
- Watch out for anything out of the ordinary. A Verizon webpage asking you to log in using your Microsoft Office 365 account is quite unusual.
- If you receive an unexpected notification, open your browser and navigate to the provider’s website. Then, you can log in to your account knowing that you are on the real website and not a phony look-alike website.
FinCEN has issued an advisory regarding Imposter Scams and Money Mule Schemes in relation to the Coronavirus. Please check the links below for more information on these scams to keep up to date on how to protect yourself:
In a new Smishing (SMS Phishing) attack aimed at Android users, cybercriminals send a text message that claims you have a delivery that needs to be paid for. If you tap on the link provided in the text, you are taken to a page that asks you to update your Google Chrome app. If you tap the Install Now button on the page, a download begins and you are redirected to a payment screen. On this screen, you are asked to pay a small fee so that your package can be delivered. If you provide any payment information on this page, it is sent directly to the bad guys.
Unfortunately, this scam gets worse. If you tapped the Install Now button mentioned above, you actually downloaded malware that uses the icon and name of Google Chrome to disguise itself. This “app” then uses your mobile number to send thousands of smishing texts to random, unsuspecting victims.
Don’t become a part of their scam! Follow the tips below to stay safe from attacks like this:
- Only download and update apps through your device’s official app store.
- Though this attack targets Android users, this technique could be used on any kind of mobile device, so always be suspicious of unexpected text messages.
- If you are expecting a package, stay up-to-date on your order by visiting the retailer’s official website and not by tapping a link in a text message.
Stop, Look, and Think. Don't be fooled.
A romance scam is when a new love interest says they love you, but they really just love your money—and may not be who they say they are.
Be on the lookout for these romance scams:
- A new love who lives far away asks you to wire them money or share your credit card number with them—even if they say they’ll pay you back.
- Your new romantic interest asks you to sign a document that would give them control of your finances or your house.
- Your new sweetheart asks you to open a new joint account or co-sign a loan with them.
- Your new darling asks for access to your bank or credit card accounts.
Report in-person romance scams to local law enforcement. Report online romance scams to ftc.gov/complaint.
An easy way for cybercriminals to get your attention is to claim that you owe a large amount of money. Pair this claim with a QuickBooks-themed phishing email and malware, and you get a dangerous cybersecurity threat.
The cybercriminals send a well-made spoof of a QuickBooks email that even includes an invoice number. The email message states that you owe over one thousand dollars for the order, but it gives no further details. Attached to the email is what appears to be an Excel file with the invoice number as the filename. The bad guys are hoping you’ll open the attachment looking for more information. If you do open it, you’ll actually be opening a dangerous piece of malware specially designed to target your financial and banking information. This malware can lead to unauthorized charges, wire transfers, and even data breaches.
Here’s how you can stay safe from scams like this:
- Never click a link or download an attachment in an email that you were not expecting.
- Remember that bad guys can disguise anything, even file types.
- If you think the notification could be legitimate, navigate to the official QuickBooks website and log in to your account to confirm.
A new Smishing (SMS Phishing) attack uses an urgent text message to trick you into clicking a malicious link. The message states “PayPal: We've permanently limited your account, please click link below to verify.” If you click on the link provided, you are taken to a PayPal look-alike page and asked to log in.
Bad actors take this scam one step further. If you enter your login credentials on their phony page, you’ll be taken to a second page that asks for your name, address, and bank account details. Everything entered on these pages will be sent directly to the bad guys.
While this is an advanced attack, you can still stay safe by practicing the tips below:
- Check for poor grammar in supposedly official messages. Did you catch the grammatical error in the example above? It asks you to “click link below” instead of “click the link below”.
- Question the situation. For example, did you give PayPal your mobile number? And did you ever sign up to receive text notifications?
- Never trust a link in a text message that you were not expecting. If you think the notification could be legitimate, navigate to the official website and log in there.
We have recently seen an increase in COVID-19 themed phishing emails sent to customers. The most recent attempt is a phishing campaign impersonating the Small Business Administration (SBA).
This is a malicious attempt to lure business owners to apply for the Paycheck Protection Program (PPP) by clicking on the provided link.
In this example, the sender posed as the President of World Trade Finance and directed the recipient to click on the embedded URL in the body of the email to fill out a registration form.
If you receive an email resembling the one shown above, DO NOT click any of the links or attachments, and DELETE it immediately.
As always, FMB strongly recommends opening email and attachments from trusted sources only.
The FTC is getting reports about people pretending to be from the Social Security Administration (SSA) who are trying to get your Social Security number and even your money. In one version of the scam, the caller says your Social Security number has been linked to a crime (often, he says it happened in Texas) involving drugs or sending money out of the country illegally. He then says your Social is blocked – but he might ask you for a fee to reactivate it, or to get a new number. And he will ask you to confirm your Social Security number.
In other variations, he says that somebody used your Social Security number to apply for credit cards, and you could lose your benefits. Or he might warn you that your bank account is about to be seized, that you need to withdraw your money, and that he’ll tell you how to keep it safe.
But all of these are scams. Here’s what you need to know:
- The SSA will never (ever) call and ask for your Social Security number. It won’t ask you to pay anything. And it won’t call to threaten your benefits.
- Your caller ID might show the SSA’s real phone number (1-800-772-1213), but that’s not the real SSA calling. Computers make it easy to show any number on caller ID. You can’t trust what you see there.
- Never give your Social Security number to anyone who contacts you. Don’t confirm the last 4 digits. And don’t give a bank account or credit card number – ever – to anybody who contacts you asking for it.
- Remember that anyone who tells you to wire money, pay with a gift card, or send cash is a scammer. Always. No matter who they say they are.
If you’re worried about a call from someone who claims to be from the Social Security Administration, get off the phone. Then call the real SSA at 1-800-772-1213 (TTY 1-800-325-0778). If you’ve spotted a scam, then tell the FTC at ftc.gov/complaint.
Coronavirus: Scammers follow the headlines
Scammers are taking advantage of fears surrounding the Coronavirus. They’re setting up websites to sell bogus products, and using fake emails, texts, and social media posts as a ruse to take your money and get your personal information.
The emails and posts may promote awareness and prevention tips, or fake information about cases in your neighborhood. They may also ask you to donate to victims, offer advice on unproven treatments, or contain malicious email attachments.
Here are some tips to help you keep the scammers at bay:
- Don’t click on links from sources you don’t know. It could download a virus onto your computer or device. Make sure the anti-malware and anti-virus software on your computer is up to date.
- Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying that they have information about the virus. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
- Ignore online offers for vaccinations. If you see ads touting prevention, treatment, or cure claims for the Coronavirus, ask yourself: if there’s been a medical breakthrough, would you be hearing about it for the first time through an ad or sales pitch?
- Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.
- Be alert to “investment opportunities.” The U.S. Securities and Exchange Commission (SEC) is warning people about online promotions, including on social media, claiming that the products or services of publicly-traded companies can prevent, detect, or cure coronavirus and that the stock of these companies will dramatically increase in value as a result.
Want more information on the latest scams we’re seeing? Sign up for our consumer alerts from the Federal Trade Commission. If you come across any suspicious claims, report them to the FTC at ftc.gov/complaint.
Caller ID Spoofing
Caller ID spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Spoofing is often used as part of an attempt to trick someone into giving away valuable personal information so it can be used in fraudulent activity or sold illegally, but also can be used legitimately, for example, to display the toll-free number for a business.
Scammers want more from you....
“I’m calling from [pick any bank]. Someone’s been using your debit card ending in 2345 at [pick any retailer]. I’ll need to verify your Social Security number — which ends in 1234, right? — and full debit card information so we can stop this unauthorized activity...”
So the caller ID shows the name of your bank. And the caller knows some of your personal details. Does that mean it’s legit? No. It’s a scam — and scammers are counting on the call being so unsettling that you might not stop to check your bank statement.
We’ve started hearing about phone scams like this, which combine two scammer tricks: spear phishing and caller ID spoofing. In a phishing attempt, scammers may make it look like they’re from a legitimate company. And when they call or email with specific details about you — asking you to verify the information in full (things like your Social Security number or address) — that’s called spear phishing.
The other nasty wrinkle in this scam is caller ID spoofing. That’s when scammers fake their caller ID to trick you into thinking the call is from someone you trust. They can also send you text messages that may seem legitimate, such as one reporting that your debit card has been frozen. They may ask you to call them, click on a link in the message, or give them your full credit card number. Never respond to these texts. Do not call the numbers they provide or click on the links they send to you via text message or email. FMB will only send you text messages if you have signed up for FMB Alerts.
How to KNOW it's FMB calling
We will always leave a specific message as to what we are calling about if we get your voicemail. We will always leave our name so you will know who to ask for when you call back. When calling back, call the number of your branch and ask to speak to the person who left you the message.
Tips to avoid spoofing scams
You may not be able to tell right away if an incoming call is spoofed. Be extremely careful about responding to any request for personal identifying information.
- Don't answer calls from unknown numbers. If you answer such a call, hang up immediately.
- Don’t assume your caller ID is proof of whom you’re dealing with. Scammers can make it look like they’re calling from a company or number you trust.
- If you answer the phone and the caller - or a recording - asks you to hit a button to stop getting the calls, you should just hang up. Scammers often use this trick to identify potential targets.
- Do not respond to any questions, especially those that can be answered with "Yes" or "No."
- Never give out personal information such as account numbers, Social Security numbers, mother's maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.
- Don’t trust someone just because they have personal information about you. Scammers have ways of getting that information.
- If you get an inquiry from someone who says they represent a company or a government agency, hang up and call the phone number on your account statement, in the phone book, or on the company's or government agency's website to verify the authenticity of the request. You will usually get a written statement in the mail before you get a phone call from a legitimate source, particularly if the caller is asking for a payment.
- Use caution if you are being pressured for information immediately.
- If you gave a scammer your personal or banking information, contact us immediately for assistance or go to IdentityTheft.gov.
- If you have a voice mail account with your phone service, be sure to set a password for it. Some voicemail services are preset to allow access if you call in from your own phone number. A hacker could spoof your home phone number and gain access to your voice mail if you do not set a password.
- Talk to your phone company about call blocking tools they may have and check into apps that you can download to your mobile device to block unwanted calls. Information on available robocall blocking tools is available at fcc.gov/robocalls.
Even if you didn’t give personal information to the scammer, you can report the scam to the Federal Trade Commission. Your reports help them understand what’s happening and can lead to investigations and legal action to shut scammers down.
ALERT: There have been media reports of skimmers on ATMs, gas pumps, and self-check-out terminals in the area.
Here are ways you can protect yourself:
- When paying at gas pumps, use the pump that is in closest view of the clerks inside. These are less likely to have a skimmer.
- You often have the option to use the card as a credit or a debit card. If you choose the credit option, you’ll likely be able to avoid entering your PIN.
- Always inspect any ATM that you use. Give the card bezel a tug, look for sticky residue, oddly placed stickers, or holes in the exterior.
- If you have the ability, turn your debit/credit card “off” when not in use. This is coming to FMB in 2020!
- Keep an eye on your accounts. Set up