Be aware of phishing through text messages
Posted: April 22, 2008
A type of fraud that scammers are using called "smishing" is gaining prominence as a way to fraudulently obtain consumers' personal information.
Smishing is text-message fraud that occurs when criminals, posing as financial institutions, attempt to dupe mobile-phone users into sending personal information through text messages.
Financial institutions should restrict text-based messages to information such as balance updates or overdraft alerts, and should not send account numbers and transaction details through text messages, said industry expert Lisa Stanton (ATM & Debit News).
Oregon Community CU (OCCU), and a $388 million asset, Eugene, Ore.-based institution, is under attack from fraudsters sending cell phone text messages that state "Your Oregon Community CU account is closed due to unusual activity." The message then requests that recipients call a phone number in Florida.
If you see a message like this on your cell phone, for this credit union or any other, you should not reply by texting, nor respond to the phone number listed. Contact the credit union directly.
Reprinted from CUNA News
Beware of crooks filing phony tax returns
Posted: March 31, 2008
One of the most serious problems facing taxpayers has nothing to do with calculations or complicated forms. An increasing number of complaints involves a form of identity theft, and it's throwing taxpayer victims for a loop (ABC News March 17).
Although the Internal Revenue Service (IRS) and Federal Trade Commission (FTC) received 20,782 complaints about tax refund fraud in 2007, the IRS is sure those numbers significantly understate the size of the problem because it's difficult to track (The Wall Street Journal March 12).
This form of ID theft occurs when a scam artist files a phony tax return--in your name, with your Social Security number and other personal information--in an attempt to collect a fraudulent refund.
In one case reported by The Wall Street Journal (March 12), a woman was notified by her bank that she had been rejected for a refund anticipation loan--yet she hadn't applied for one and hadn't even filed her tax returns yet. Another woman was asked by H&R Block Inc. to bring in some paperwork that she'd accidentally taken with her from its office two days earlier. After informing the agent that she hadn't been to the office and hadn't filed her taxes, she discovered that a crook had filed a tax return in her name and already pocketed a $4,005 instant loan.
In other cases, phony returns have been filed using children's Social Security numbers.
Take precautions to guard against tax refund ID theft:
- Check out tax preparers. Make sure you hand over sensitive information only to people you trust after checking credentials carefully.
- Choose passwords carefully. Don't use your birthday--it's on your tax form and easily can be lifted by crooks--or the word "password." Make sure all forms you print are password-protected.
- Download forms with caution. If you download tax forms from the IRS website or tax documents from your employer, create a strong password--a combination of numbers, symbols, and upper and lower case letters.
- Use caution with photocopiers. Some copiers store images of copies in memory. If so, personal information that's been copied may be compromised.
- Ensure e-mails are encrypted. If you send tax documents to your accountant, make sure the information you send is scrambled--or encrypted--to prevent others from gaining access to sensitive information.
- Use a secure mailbox. Mail your tax return from a secure location like a post office or a U.S. Postal Service collection box.
- Beware fake calls. Phony calls or e-mails have one goal: to get you to hand over personal information or financial data. Remember that the IRS will never call you or send unsolicited e-mail asking for personal information.
- Check your child's credit report. Go to idtheftcenter.org and type "Letter Form 120" in the search box. Scroll down to Letter Form 120 Requesting a Child's Credit Report. If the child has no credit report, breathe a sigh of relief, because that means a crook hasn't set up fraudulent accounts in the child's name.
Report suspicious activity to the IRS at irs.gov (click Taxpayer Advocate at the bottom of the page) and to the FTC at ftc.gov/bcp/edu/microsites/idtheft/.
Reprinted with permission from CUNA Mutual
New card-activation phishing attempt
Posted: October 31, 2007
CUNA is being used as the subject of a phishing message targeting credit union members to collect personal account information, plastic card numbers, and passwords. CUNA is warning people who receive the e-mail not to click on the link to the fake web page, just delete the message.
This new phishing-scam attempt using the Credit Union National Association's name, informs recipients about "irregular check card activity" and advises them to call a toll-free number to get any restrictions removed. Calling the toll-free number is a "bad idea," says Dorothy Steffens, CUNA's vice president of web services. The call is a ploy to get personal account information, possibly for identity theft purposes.
Recipients received a message as a:
"CUNA Alert: Irregular Check Card Activity"
"We detected irregular activity on check card on Oct. 25, 2007. For your protection, you must reactivate your card. Call us immediately at 1.866.XXX.XXXX. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.
Please disregard this notice if you have already accessed the Web site or spoken with one of our representatives."
"CUNA does not maintain any type of customer/member financial information," emphasized Steffens, adding that "your financial institution would never request personal identification information over the phone. Anyone responding to any e-mails of this type should contact their financial institution directly using the phone number provided by it," she said.
Reprinted with permission from CUNA Mutual
Did You Receive a Foreign Lottery Check?
Counterfeit Checks look real -- don't accept free money
Posted: October 2, 2007
Did you receive e-mails or letters from legitimate sounding lottery organizations that assure that you are a winner in lottery drawings recently held in distant countries? This is an old scam. The prize money varies from lottery e-mail/letter to e-mail/letter. They may even have an “official check” to deposit. The official check is counterfeit or drawn on a non-existent financial institution.
Each lottery e-mail or letter is rich in detail about when and where the drawing was held, the lucky ticket numbers, how the fortunate person or company name was included in the drawing, who was to pay out the funds, the payer's phone and fax numbers plus his web site information, and how much money is supposed to be coming. Most often, all the "supporting" information is fictitious. However, in other cases, names of real lotteries and banks are involved, and look-alike web sites accessed through URLs similar to those of the real corporations or institutions are used by the con artists as proof that the scheme is legitimate.
So far we've seen versions of this fraud come in from "De Lotto Netherlands," "Delotto Netherlands Sweepstakes Lottery," "Diamond Lotto South Africa," "Alpha Lottery International," "Weltlotto-Firma WorldLotto/International Programs," "Publishers Digest LOTTO Sweepstakes Inc.",Uniser Clear House of North America", and "International Lotto Commission in collaboration with El Gordo de la Primitiva."
They are all the same scam. The scam artist changes the names of the lottery handing out the winnings, and some of the stories about why the lucky ones are suddenly in line to receive large amounts of money for a lottery they don't remember entering is just part of the scam. Those who try to collect their "winnings" soon find themselves receiving e-mails or letters informing them that they have to pay facilitation fees before the big payouts will come to them. There are no lottery winnings waiting, but rather scam artists ready to trick people into wiring "handling fees" directly into their accounts. The "lucky" winners scramble to pay the fees while the clock is ticking, but they never receive any winnings.
The victim receives repeated cautions to keep matters confidential until final payout is made, "as part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants." The thieves don't want news of false winnings being told, because if the information reaches the real lottery people, who will inform the victims about the scheme. The official cashiers type checks issued for payment are counterfeit. Many of the counterfeit checks appear to be issued by credit unions. Credit unions do not issue checks for lotteries.
Reprinted with permission from CUNA Mutual
Phishers utilize VoIP to resurrect old telephone scams
Posted: April 5, 2007
Crooks are bringing back old scams, but doing it utilizing newer technology. Consumers are receiving VoIP (Voice Over Internet) scam calls that are automated and insistent that the cardholder call a toll free number to update important financial information. Once the toll free number is dialed an automated phone system asks for the card number, PIN and expiration date.
VoIP lines are telephone systems that utilize the internet instead of traditional telephone land lines to deliver communication services. The low cost of VoIP lines and relative ease with which they are obtained have led phishers to quickly adopt this evolving technology to attack consumers on an entirely new level.
The bottom line is don't divulge any personal information or numbers, any credit card or ATM card numbers or any of your Personal Identification Numbers (PIN) to anyone that contacts you in an unsolicited manner.
Things to remember when receiving call asking for personal information:
If you get a call that asks for this type of information and/or you are not sure about it, hang up and call the company on the phone number you know (Customer Service number).
A company you do business with already has some of your information. Be very suspicious if an caller asks to "verify" information.
Please report VoIP attacks to your local federal law enforcement agency. Most agencies now have cyber threat units that are well-versed in investigating these claims.
Never give up your credit card information or other personal information (such as a Social Security Number) just because a caller tells you to do so.
Excerpts reprinted from CUNA News Now
Phishers try to get info claiming increased security
Posted: December 4, 2006
Clever phishers are taking advantage of new legislative guidelines requiring financial institutions to strengthen and verify their online banking users. Called "dual authentication," additional security measures will be enacted to protect members' online banking activities from fraud.
The latest phishing scam directs the e-mail user, via an e-mail, to enter their account number and personal identification number (PIN) so they can register for the new "dual authentication code and phrase."
University Credit Union will be implementing it own home-banking security, due in 2007, however, it is not e-mailing any credit union member to enter information.
Things to remember when e-mails ask for personal information:
A company you do business with already has some of your information. Be very suspicious if an e-mail or caller asks to "verify" information.
If you get an e-mail that asks for this type of information and/or you are not sure about it, call the company.
Always go to a company's Web site by typing in the address. Avoid clicking a link in an e-mail.
Never enter your credit card information or other personal information (such as a Social Security Number) just because an e-mail tells you to do so.
Excerpts reprinted from CUNA News Now
Social Security Phishing Scam
Posted: November 14, 2006
The Social Security Administration issued a warning about a new email scam being circulated with the subject, "Cost-of-Living for 2007 Update." The message appears to be from the Social Security Administration and provides information about the benefit increase for 2007.
It contains the following, "NOTE: We now need you to update your personal information. If this is not completed by November 11, 2006, we will be forced to suspend your account indefinitely." The reader is then directed to a Web site designed to look like Social Security’s Internet Web site. Once directed to the phony Web site, the individual is asked to register for a password and to confirm their identity by providing personal information such as the individual’s Social Security number, bank account information, and credit card information.
Inspector General O’Carroll recommends people always take precautions when giving out personal information. “You should never provide your Social Security number or other personal information over the Internet or by telephone unless you are extremely confident of the source to whom you are providing the information,” O’Carroll said.
To report receipt of this e-mail message or other suspicious activity to Social Security’s Office of Inspector General, please call the OIG Hotline at 1-800-269-0271. A Public Fraud Reporting form is also available online at OIG’s Web site, www.socialsecurity.gov/oig.
Callers Claiming to be from the IRS
Posted: November 1, 2006
You can be sure of one thing if you get a call from the Internal Revenue Service (IRS): It probably isn't the IRS.
In an attempt to catch people off guard, crooks are posing as IRS agents and hoping callers will hand over enough personal information—Social Security number, date of birth, and so on--so the crook can commit identity theft.
It's an effective scam, especially for people who fear an audit. And older people are particularly susceptible because they're more trusting.
What should you do if you get a call from someone who claims to be from the IRS?
- Be suspicious from the get-go. Remember that the IRS almost never calls taxpayers and never asks for credit card numbers, financial account numbers, or personal identification numbers over the phone.
- Ask for the agent's name. Then hang up and call the IRS at 800-829-1040 to confirm that the caller is an IRS employee. Don't use any other phone number that the caller gives you--it's probably a fake.
- Report the call to the Treasury inspector general's fraud-referral hot line at 800-366-4484.
Reprinted from CUNA News Now
Are You Ready for "Vishing"?
Vishing Scams Use Phones Instead of Fake Websites
Posted: July 26, 2006
In a new twist, identity thieves are sending spam that warns victims that their credit union/bank account or PayPal accounts were supposedly compromised. However, unlike typical phishing emails, there is no website address in these phishing messages. Instead, the victim is urged to call a phone number to verify account details.
The automated voice message says: "Welcome to account verification. Please type your 16-digit card number." The goal is to get the victim to enter their credit card number. In these reported scams, no mention of the credit union, bank or PayPal is made.
Security experts tracking this scam and other instances of "vishing" , short for "voice phishing", say the frauds are particularly despicable because they imitate the legitimate ways people interact with financial institutions. In fact, some vishing attacks don't begin with an e-mail. Some come as calls out of the blue, in which the caller already knows the recipient's credit card number. This increases the perception of legitimacy, the caller ask for the valuable three-digit security code on the back of the card.
Vishing appears to be prospering with the help of Voice over Internet Protocol, or VoIP, the technology that enables cheap and anonymous Internet calling, as well as the ease with which caller ID boxes can be tricked into displaying erroneous information.
Reprinted with permission from CUNA Mutual
Clever Customer Survey Phishing Scam
Posted: July 26, 2006
The spam e-mail starts with: "The Online department kindly asks you to take part in our quick and easy 5 question survey. In return we will credit $50.00 to your account - Just for your time!" The e-mail goes on to describe how it only takes two minutes, your answers will help them. It is well done and looks authentic. Of course, the spam doesn't really take you to the credit union or bank website. Instead, it takes you to a scammer's site in China, Russia, Romania or elsewhere. The web page itself and the initial questions they ask look quite authentic.
The catch, of course, is that they say that in order to credit your $50 reward, they need your credit union or bank User ID and password, as well as your credit card number, expiration date, three digit security number, Social Security number, ATM PIN Number, zip code, mother's maiden name and email address.
The ploy of using a $50 reward for a customer service survey can be an effective phishing lure.
Reprinted with permission from CUNA Mutual
FBI warns of new scams targeting cell phone and MySpace users
Posted: July 7, 2006
Social butterflies beware: You could be lured by two new e-scams that could wreak havoc with your computer and your personal finances (Federal Bureau of Investigation June 28).
One scam uses cell phone bait. The fraudster sends a bogus text message thanking the recipient for subscribing to a dating service--which is fictitious. The victim is told that a subscription fee of $2 a day will be automatically charged to the person's cell phone bills until the subscription is canceled at the online site.
However, the site contains malware—software designed to infiltrate or damage the computer system without the owner's knowledge or consent. If recipients visit the infected site (irrealhost.com) to cancel the subscription, they're redirected to a screen that prompts them to enter their cell phone number, and they're asked whether they want to run a program that supposedly removes their subscription from the dating service. Don't bite. Victims' computers become infected and are remotely controlled by hackers.
Another scheme involves phishing attacks directed at MySpace.com users--many of whom are teens and young adults. It may start with a bulletin that reads "CHECK OUT these old school pictures," but clicking on the link directs you to a screen that's an exact reproduction of the MySpace login screen.
The intent of the bogus site is to steal financial information from unsuspecting visitors. Investigators warn that phishers may be gambling that login information for users' MySpace accounts is the same for other accounts at financial institutions or online payment systems.
Be extremely cautious when providing login information to websites you don't directly visit. The FBI advises that you don't use the same user names and passwords for your various online accounts.
If you think you've been a victim of either of these crimes, file a complaint with the Internet Crime Complaint Center at ic3.gov/fbi.gov.
Reprinted with permission from CUNA Mutual
Protect yourself from pretexting scams
Posted: June 21, 2006
If you get a call from a survey firm and the caller asks for any personal information--even simply where you conduct your financial business--you may be a victim of a scam known as pretexting. Pretexting is a con game, and it's illegal.
It's designed to get just enough information from you so the pretexters can call your credit union or other financial institution and pretend to be you to gain access to your Social Security number, account numbers, or credit report.
Protect yourself. The Federal Trade Commission offers this advice:
- Be suspicious. Pretexters may pose as representatives of survey firms, financial institutions, Internet service providers, or the government. Remember that legitimate organizations you already do business with have the required information about you on file.
- Hang up. Unless you initiate the conversation and you know whom you're dealing with, never give personal information over the phone or over the Internet.
Reprinted with permission from CUNA Mutual
