Smishing Attacks
Smishing is a type of cyber-attack that happens via text message, or SMS message. One of the more common ways that criminals engage in Smishing attacks is by impersonating banks and credit unions. It typically starts with a text message claiming to be from your bank. This message is designed to alarm you, perhaps telling you that your security has been breached, that there has been a large transfer, or that a new payment recipient has been added to your account. It will then encourage you to click on a link, call a phone number, or reply with your PIN or login details. Links are often obscured with link shortening services such as bit.ly or t.co, or will use addresses that look similar to, but are ultimately very different from, the real institution's. Under no circumstances should you follow any of these instructions or prompts. Instead, ignore the message and contact your bank to verify your account status.
Spoofing Scam
Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, and websites.
Please always remember that:
- Technology makes it very easy for scammers to fake caller ID information, so the name and number you see aren't always real. If someone calls asking for money or personal information, hang up. If you think the caller might be telling the truth, call back to a number you know is genuine. In the case of spoofing our phone number, if a call recipient tries to call back, they will reach us since it's our number being spoofed.
- The Bank does NOT call or text to ask any personal questions or request information we would have on file. This includes, but is not limited to, social security number, account number, PIN number, or debit card number.
- If you receive any phone call or text to that effect, do not give out any personal information. Report it to the Bank immediately.
- Criminals have also been using scam texts pretending to be from a bank, online retailer, or payment service that ask for only a yes/no response. In these cases, regardless of what the customer chooses, the criminal will then immediately call the victim, knowing they have successfully engaged a potential target. If this occurs, hang up immediately and contact the Bank or spoofed party.
- Legitimate Shore United Bank Fraud Center messages will come from the 96923 short code and will contain the last 4 digits of the debit card in question.
- Don't send money or give out personal information in response to an unexpected request - whether it comes as a text, phone call, or an email.
Money Mule Scam
If someone sends you money and asks you to send it to someone else, STOP. You could be what some people call a money mule - someone scammers use to transfer and launder stolen money. Scammers often ask you to buy gift cards or wire money. They might recruit you through online job ads, prize offers, or dating websites.
How to avoid money mule scams:
- Don't accept a job that asks you to transfer money. They may tell you to send money to a "client" or "supplier". Say no. You may be helping a scammer move stolen money.
- Never send money to collect a prize. That's always a scam, and they might be trying to get you to move stolen money.
- Don't send money back to an online love interest who's sent you money. Also always a scam - and another way to get you to move stolen money.
Protect Your Identity
- Select passwords that are difficult for others to uncover
- Consider using a reputable password manager
- Use multi-factor authentication whenever possible (sometimes called two-factor authentication or additional authentication)
- Do not share your passwords
- Keep personal documents in a safe at home or a safe deposit box
- Shred personal documents before throwing them away
- Monitor your credit
- Review your bank accounts monthly
- Protect your purse or wallet at all times
- Protect your computer with up-to-date anti-spyware and anti-virus software
- Don’t reveal personal information to unverified sources on the phone or the internet
- If you think you provided personal information to a perpetrator, change your password immediately, monitor your account activity and contact us.
- Additional resources to take action against Identity Theft can be found at the Maryland Attorney General website.
- Identity theft protection services and cyber-insurance are available to help protect you. These services can offer protection for your personal information, credit monitoring, alerts and can also cover losses up to a specific dollar amount. Search online for services that may be right for you.
Online Account Security
- Closely monitor your accounts for unauthorized transactions
- Always use the log out button to end a browser session
- Always ensure that your computer has up-to-date virus protection. Microsoft offers one of the best anti-virus programs for free, and it's included as part of Windows.
- Be wary of emails as well as their attachments and links
- Always contact us at the number on your account statement
- Be cautious of clicking on pop-up windows
- Be sure that your computer has the latest security updates available
- Monitor your account activity by setting up alerts
- Optional Visa Purchase Alerts - Anytime a qualified Visa transaction takes place that meets our defined parameters, you will receive an alert in seconds via e-mail and/or text message. You can set alerts for amount thresholds, online orders, international transactions and more here: Visa Purchase Alerts.
Beware of Scams and Fraud Attempts
- The bank will NEVER call or email you asking for account numbers, personal information, debit or credit card information
- Never give out your account information, PIN or debit or credit card information
- Know and trust with whom you are doing business
- Beware of bogus credit report solicitations
- Typographical errors in emails are often signs of fraud
- Beware of Scams - if it is too good to be true, it probably is and you should be aware of potential problems
Fraud Prevention Tips for Seniors
Pass It On is the Federal Trade Commission's consumer education campaign designed to encourage older adults to talk to their friends, neighbors, and relatives about scams. Chances are good that someone you know has been scammed. They may not talk about it, but the statistics do. The truth is that sharing what you know can help protect someone who you know from a scam. The FTC has several articles that you can use to start a conversation. Click on the link below and pass on some information that could help someone you know.
Email Security Tips
- Be suspicious of any unexpected email, even if it appears to be from someone you know. It is very easy for a criminal to forge any aspect of an email.
- Never click on a link in an email without first hovering over the link and looking to see where it leads. If it doesn’t match the text of the link, do not click!
- Whenever you have any questions about an email, contact the sender by phone or another means to verify whether they meant to send it to you.
- If a link takes you to a sign in page, be certain you are at the correct place. Better yet, open a new browser window or tab and go to the website directly to log into your account.
- Be especially wary of replies and forwards, especially replies to messages you never sent.
- Watch out for messages that you are CC’d on, especially when it’s a large group or you don’t know any of the other people that the message was sent to.
- If the message urges you to act immediately to avoid a negative consequence or offers to reward you with something of value, be skeptical. This is one of the most common tactics used by criminals.
Understanding ATM Attacks
In response to media reports concerning cyber attacks leveraging Automated Teller Machines (ATMs), Financial Services Information Sharing and Analysis Center (FS-ISAC), American Bankers Association (ABA), Credit Union National Association (CUNA) and Independent Community Bankers of America (ICBA) developed this paper to explain how cyber criminals conduct attacks and actions financial institutions may take to protect consumers.
Attacks Against ATMs
Cyber criminals target ATMs through both physical and computer-based means to steal funds for a cyber crime gang or a nation-state. These attacks often occur around holidays in an attempt to circumvent or delay detection. This may involve the creation of fraudulent payment cards at one or more financial institutions.
Four Types of ATM Attacks
- Skimming attacks – Skimmers are devices that may sit on top of the ATM PIN pad and/or card slot or they may be inserted deeply into the card slot. Sometimes, criminals use a camera to capture a consumer’s PIN as it is entered. Usually, the information captured from the skimmer and camera is used to create cloned cards.
- Shimming attacks – These are similar to skimming attacks, except that criminals use special mechanisms inserted deeply within the ATM to capture the chip information on newer chip-enabled cards. Again, this information is used to create cloned cards.
- Cash-out schemes – Criminals use ATMs either locally or globally to drain funds from multiple accounts held at one financial institution. These attacks use legitimate card numbers that were stolen in another campaign and involve the manipulation of the account balances and withdrawal limits to perform the theft. This attack is also referred to as an “unlimited operation”.
- Jackpotting attacks – Like it sounds, in this attack criminals use physical and/or logical methods to force one ATM to dispense all the cash, just like a slot machine.
Common Misunderstandings About ATM Attacks
In many cases, the news media assumes that attacks against ATMs, no matter the type, result in the loss of funds to customers. However, most ATM attacks do not result in the loss of funds to customers as a result of consumer protection laws and business practices. The primary target of cash-out schemes and jackpotting, for example, is the financial institution, not consumers’ accounts. That said, if criminals have used legitimate payment card information (e.g., numbers, PINs), then the financial institution will replace the funds and may reissue cards for its customers. This is protection for both the institution and the consumers whose accounts were affected.
How Institutions Protect Consumers’ Accounts
Financial institutions around the globe are experienced at information security and leveraging industry best practices. Your financial institution’s customer protections likely include the following:
- Encryption of confidential information;
- Restrictions on who can access systems where confidential information is stored;
- Requirements for more than one person to approve high-risk procedures;
- Systems that will detect and prevent network intrusions;
- Settings and rules to prevent the loss of sensitive data;
- Anti-virus and anti-malware applications to prevent malicious files from infecting the systems;
- Programs that will prevent unauthorized applications or files from running on workstations;
- Monitoring for anomalous behavior or activities on networks and ATM systems;
- A regular cycle to manage patching or updating systems;
- Alerts that will notify institution staff of abnormal activity, such as an ATM being disarmed or disabled; and
- Implementation of chip and PIN procedures for debit cards.
It is part of an institution’s cyber security program to keep the specific protections and programs they use confidential. However, FS-ISAC works with a large number of financial institutions domestically and around the world, helping them determine the best security practices to put in place and connecting them with their peers for further recommendations and insights.
Shore United Bank along with our industry peers are constantly engaged with various Federal agencies as well as security professionals to stay on top of the latest intelligence and threats from both foreign and domestic sources. Further, all financial institutions including Shore United Bank are required to have business continuity programs as well as incident response programs in place to ensure continuation of service in the event of either natural or intentional disruptions of service. As a final layer of protection, deposits are insured by the FDIC up to $250,000 per individual depositor.
Steps Consumers Can Take
- Customers are not responsible for unauthorized charges; however, there are steps consumers can take to help protect their accounts. Protect your debit and/or credit cards at all times; don’t share cards or PINs with others.
- When using ATMs, be aware of your surroundings. Before using the ATM, look closely at the card slot and PIN pad for any abnormalities and glance up and around to see if you notice any cameras. If anything looks strange or unusual, do not use the ATM.
- If you notice odd or peculiar behavior by others at an ATM (inserting a cable or using multiple cards to withdraw funds at one time), contact local law enforcement and the institution; do not use that ATM.
- Be aware that institutions usually won’t contact you via text message or email about your debit or credit card, unless you have previously agreed to this method of communication; if you receive a suspicious text or email message claiming to come from your financial institution, contact your institution to check the legitimacy using the number on the back of the card.
- Be aware that phone calls you receive may not actually be from your bank or credit union. You should not provide the full card number, PIN or CVV code over the phone. When in doubt, call the number on the back of your card to verify contact.
- Be on guard against phishing attacks and do not open attachments or click links in emails you were not expecting. Use two-factor authentication and other security features offered by your financial institution to protect your accounts.
- Sign up for text or email alerts from your financial institution for certain types of transactions, such as online purchases or transactions of more than $500.
- Notify your FI as soon as possible if you suspect that your card PIN or electronic banking credentials have been compromised.
- Review account statements for any transactions you do not recognize; promptly notify your FI if you notice any unauthorized account activity. A small transaction (e.g. $0.01 or other small amounts) may be indicative of a criminal “checking” the card information to see if it is legitimate. A larger fraudulent charge typically follows.
Article Provided By: Financial Services | Information Sharing and Analysis Center Understanding ATM Attacks | © 2018 FS-ISAC, Inc. | All rights reserved. | fsisac.com | TLP WHITE