Gather Federal Credit Union Cares About Your Financial Security
Scam of The Week: Sophisticated Spear Phishing
Last month, researchers at Fortinet observed a sophisticated phishing email sent to a Hungarian diplomat. In the email, cybercriminals disguised themselves by using the first and last name of an employee in the diplomat’s IT department. In this case, the diplomat believed that the email was suspicious and forwarded it to the actual employee in the IT department for investigation.
This case is a perfect example of a popular attack called spear phishing. Spear phishing attacks are targeted at a single person or department that has information that cybercriminals want. In these attacks, cybercriminals conduct research on the specific person or department and figure out who they talk to frequently. Then, the cybercriminals send a message to the person or department, pretending to be someone they know and trust. It’s important to watch out for these attacks because they can happen to anyone, not just diplomats or executives.
Follow these tips to stay safe from spear phishing attacks:
- Don’t open attachments or click on links in emails that you were not expecting.
- Check email headers to make sure you recognize the sender and any other recipients.
- Reach out to the person who allegedly sent the email by phone or in person. By reaching out to the alleged sender directly, you could save yourself and your organization from a potential spear phishing attack!
Stop, Look, and Think. Don't be fooled.
Take Extra Precautions Against ID Theft and Fraud
- Please beware of suspicious "phishing" eMails or telemarketing phone calls asking you to verify your identification or account information.
- Be on the alert for bogus charities asking for donations.
- Never respond to eMails requesting verification of account information.
- Watch out for fake invoices that might appear to be from a legitimate company, such as FedEx, UPS, or US Customs asking for credit card information in order to complete the delivery of a package.
- Never give out your personal information (account number, driver's license, or social security number), unless you initiated the phone call and you are absolutely sure you are dealing with a trusted institution, company or organization.
Report Fraud or Suspicious Activity
How Does Identity Theft Occur?
- They may steal your wallet or purse.
- They may steal your personal information through eMail or the phone. This is done by pretending they represent a legitimate company and claiming that you have a problem with your account. This practice is known as online "phishing", or "pretexting" by phone.
- They may steal your credit or debit card numbers by capturing the information in a data storage device in a practice known as "skimming."
- They may swipe your card for an actual purchase or attach a device to an ATM machine where they may enter or swipe your card.
- They may retrieve your credit reports by abusing authorized access or by posing as a landlord, employer or someone else who may have a legal right to your report.
- They may rummage through your trash, the trash of businesses or public trash dumps in a practice known as "dumpster diving."
- They may steal personal information they find in your home.
- They may steal your mail from your mailbox, including bank and credit card statements, credit card offers, new checks and tax information.
- They may complete a "change of address form" to divert your mail to another location.
- They may steal credit card files from other companies, such as department stores, vendors, suppliers, etc.
What Do Thieves Do with Your Personal Information?
- They may call your credit card issuer to change the billing address on your account. The impostor then runs up charges on your account. Because the bills are being sent to a different address, it may be some time before you realize there's a problem.
- They may open new credit card accounts in your name. When they use the credit cards and don't pay the bills, the delinquent accounts are reported on your credit report.
- They may establish phone or wireless service in your name.
- They may open a bank account in your name and write bad checks on the account.
- They may counterfeit checks, credit cards or debit cards, or authorize electronic transfers in your name and drain your account.
- They may get identification such as a driver's license issued with their picture in your name.
- They may get a job or file fraudulent tax returns in your name.
How Can You Tell If You Are a Victim of Identity Theft?
- Failing to receive bills or other mail. This could mean an identity thief has submitted a change of address.
- Receiving credit cards for which you did not apply.
- Denial of credit for no apparent reason.
- Receiving calls from debt collectors or companies about merchandise or services you didn't buy.
Ways to Protect Yourself from Identity Theft
- DETER identity thieves by safeguarding your information.
- DETECT suspicious activity by routinely monitoring your financial accounts and billing statements.
- DEFEND against ID theft as soon as you suspect a problem.
What To Do If Your Identity Is Ever Stolen
Mobile Device Protection
- Theft of personal data, such as account info, phone numbers, contact lists, call logs, etc.
- Propagation of malware to your contacts, either through posting to social media, sending phishing eMails, etc.
- Surveillance through audio, video (camera), location, text messages, phone calls and other means.
- Disabling of monitoring software on the mobile device.
- Collection of data – such as GPS readings to track a user.
What Can I Do to Secure My Mobile Device?
For More Information
- What is a computer virus?
- When Malware Goes Mobile
- 10 Years of Mobile Malware: How Secure Are You?
- Fake Android Apps
What Does a Phishy eMail Look Like?
- "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
- "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
- "You're credit card will be cancelled if we are unable to verify your personal information today."
Ways to Protect Yourself Against Phishing
- If you get an eMail or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message either. Legitimate companies don't ask for this information via eMail. If you are concerned about your account, contact the organization mentioned in the eMail using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. In any case, don't cut and paste the link from the message into your Internet browser: phishers can create a link that looks like it goes to one place, but actually sends you to a different site.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. Some phishing eMails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files.
- Forward spam that is phishing for information to email@example.com and to the company, bank or organization impersonated in the phishing eMail.
How and Where Does Skimming Occur?
- Skimming at restaurants. Many skimming incidents occur at a restaurant where a server is carrying a skimming device in his or her apron or somewhere close by. Your card is scanned twice, once for the transaction that you expected and another in the skimming device to capture your credit card information for further use.
- Skimming devices hidden in ATM machines. It is not uncommon for a thief to be bold enough to tamper with an ATM machine. Typically, a "card trapping" device is inserted into the ATM card slot. This trap scans the card and stores its information or traps the card and doesn't return it to the owner. There is no cash dispensed in either case and the crooks retrieve the cards and information at a later time.
- Skimming by store clerks. A very common form of skimming involves store clerks skimming your credit card when you make a purchase. The clerk scans your card twice, once for your expected transaction and another in a skimmer for later retrieval.
- Skimming devices hidden in card payment terminals. Skimming is becoming more sophisticated and thieves are rigging card payment terminals with electronic equipment to capture the card information. The recorded card numbers are stored in an additional implanted chip and thieves return later to retrieve it.
Ways to Protect Yourself Against Skimming
- Closely monitor anyone who handles your card. Watch anyone you give your card to for processing, such as a waiter, clerk, attendant, etc. If at all possible, do not let them out of your sight. If a clerk makes a hard copy, retrieve the carbons.
- Keep low-limit credit cards. Keeping a low credit limit on your credit cards restricts the amount of money thieves can steal. Although not exactly a prevention tactic, it will help if you fall victim.
- Be aware of your surroundings. The first step to prevent skimming is understanding what is going on around you. Prior to inserting your ATM card, check the ATM card reader to make sure it looks appropriate and is not altered.
Check Fraud and Phony Lotteries
Check Fraud Overpayment
Foreign Lottery Winnings
Managing and Protecting Your Personal Information
Tips to Safeguard Your Home Computer
- Update your software. Regular software updates can be crucial to keeping your home computer as secure as possible.
- Install, run and keep anti-virus software updated. Commercially available virus protection software helps reduce the risk of contracting computer viruses that can compromise your security. These programs offer continuous upgrades in response to the latest threats. Two of the most popular programs are:
- McAfee® - http://us.mcafee.com
- Symantec® - http://www.norton.com
- Be careful with eMail and instant messages (IM). Even if a message appears to come from someone you know, a file attached to an eMail message or IM could contain a virus, so be sure to contact the sender by some other means to gain added assurance that the attachment is valid. Also, never reveal personal or financial information in a response to an eMail request, no matter who appears to have sent it; your home computer may be the target of a phishing scam.
- Use strong passwords and change them often. Strong passwords give you better security against intrusion by hackers and thieves.
- Disconnect from the Internet when not in use. Dedicated services such as DSL or high-speed cable provide a constant connection between your computer and the Internet. Even if you have a firewall installed, as an additional step to help protect yourself, disconnect from the Internet when not in use to avoid unwanted access to your computer's data.
- Use secure websites for transactions and shopping. Make sure the web page you are viewing offers encryption of your data. Often you will see a lock symbol in the lower right hand corner of your browser window, or the web address of the page you are viewing will begin with "https://...". The "s" indicates "secured" and means the web page uses encryption.
- Be aware that there are risks involved when logging in to personal accounts using shared computers accessible to the general public, such as those available in hotels and libraries. Public access computers may be infected with viruses and/or malicious software, such as Trojans and keyloggers.
"Low-Tech" Ways of Protecting Your Personal Information
- Know your billing and statement cycles. Contact the company's customer service department if you stop receiving your regular bill or statement.
- Shred confidential papers, including offers of credit, before discarding them.
- Never carry your SSN or birth certificate in your wallet.
- Carry as few cards with personal information as possible.
- Don't print your SSN, birth date or credit card number on your personal checks and don't allow store clerks to do so.
- Memorize your PIN and passwords. Shield your hand when using an ATM to prevent "shoulder surfers" from obtaining your codes.
- Don't leave your wallet unattended. Vehicle glove compartments and health club locker rooms are spots that thieves go to first.
- Choose hard-to-guess PINs and passwords. When choosing passwords for your accounts, don't use your mother's maiden name, family members' birth dates, your pet's name or other easily guessed word or number.
- Do not place outgoing mail in your mailbox. Deposit mail in a U.S. Postal Service mailbox or at the post office to reduce the chance of mail theft.
- Promptly retrieve incoming mail. Collect your mail as soon as possible every day to limit the opportunity for theft.
Just to Be on the Safe Side...
- Write a list of your credit card account numbers, including expiration dates and contact information, and safely store this information in case you need to report lost or stolen cards.
- Review your Social Security Earnings and Benefits statement annually to check for fraud.
- Review your credit report. Look over your credit report regularly, at least yearly, for any inaccuracies. You can get a free credit report once a year from each of the three major credit bureaus at www.annualcreditreport.com. For a small fee you can obtain a copy at any time directly from:
- Equifax: 1-800-685-1111 or www.equifax.com
- Experian: 1-888-397-3742 or www.experian.com
- TransUnion: 1-800-916-8800 or www.transunion.com
- Limit the credit offers you receive. To reduce the credit offers you receive and the information companies share about you, contact the National Consumer Credit Reporting Agencies at 1-888-5-OPTOUT (1-888-567-8688).
- Remove your name from marketing lists. The Direct Marketing Association (DMA) notifies its members that they must remove your name from the lists they sell. Their members include the agencies and companies that compile mailing and telemarketing lists. Your name and address remain in the DMA's consumer exclusion files for five years. Contact the DMA at www.dmaconsumers.org.