Beware of Coronavirus-related scams and phishing attempts

 During times of turbulence or tragedy there are always those who attempt to turn events to their advantage, such as by stockpiling critical supplies or price-gouging on desperately needed medical equipment.  Unfortunately, the online scammers and fraudsters are no different.  As the disease COVID-19 sweeps across the world we must also remain diligent about online threats that come with it.

Money-launderers are always looking for “mules” to transfer money between accounts for them, often under the guise of charitable assistance in the pandemic relief effort.

  • NEVER be pressured into taking quick action with your money.  Hang up or walk away, take a big breath, and call Empower directly if you are ever asked to do something that makes you uncomfortable.
  • NEVER accept funds to or from people or companies you do not know and trust fully.  Even totally unwitting accomplices can find themselves legally and financially liable for assisting criminals in their actions.
  • Be very suspicious of sales on hard-to-find supplies like masks or hand sanitizer.
  • If you sell something, never accept a check for greater than the amount you asked for.  It is a scam.
  • Do not wire money without being absolutely certain of who it is going to and why.
  • Donating to charities is great, but use the website or phone number of an organization you know and trust.  Don’t respond to donation requests by email or text message.
Online crooks are also using the coronavirus outbreak to great effect to get people to click on links that infect their devices with malware such as computer viruses or ransomware.  Fake COVID-19 tracking websites are popping up, false news articles with sensationalist headlines are tempting people to click and so on.
  • NEVER trust Caller ID.  An incoming call can be made to look like it is coming from any number when it is not.
  • ALWAYS think critically about what you are about to click on.  A retweet or recommendation from a friend does not necessarily make something trustworthy.
  • Remember that social media is a great way to stay in touch but also a really effective way to spread false information and malicious links.
  • Keep your device fully up to date with the latest patches in case you do accidentally navigate to something malicious.

Finally, NEVER respond to an alert or email using the contact information or instructions in the alert itself.  Always go to the company’s trusted website or phone number.  You can always call Empower directly at 315.477.2200 or 800.462.5000 or use the Message Center through the Empower mobile app.  We are always delighted to speak to you and to have the opportunity to serve you better.

Opening a Secure Email from Empower

A regular email is just like a postcard. You can write whatever you want, but anyone who gets access to it between you and the recipient can read the whole thing.

In contrast, a secure email is like a private and confidential envelope with an address window, only even better. Everyone can see who it is addressed to, but only the recipient can open it to see what it contains.


Because the message is secured, you may need to take a few easy steps to prove that you are the intended recipient. Two scenarios are possible:

Decryption (opening the envelope) happens automatically for you because your system uses the same email encryption system that we do. Success! It was sent securely, yet you can read it just like any other email.

You get a message that looks like this:

Screenshot: Office 365 Message Waiting

This is not the email that the sender sent. This is a message telling you that a secure message is waiting for you.

Here are the steps you need to follow:

1. Click on the blue “Read the message” button. You will be sent to a website asking you to sign in using a Microsoft account (if you have one), or a one-time password. If you have a Microsoft account associated with the email address this message went to, simply sign in and you’ll see the secure email.

Screenshot: Sign in with Microsoft

If you do not, or if you’re not sure, or if you have any difficulties, pick the one-time password option instead.

2. After you click on “Or, sign in with a one-time passcode” you will get to a page asking for a passcode. The passcode is sent to the same email account that the secure email was sent to, so check your inbox.

Screenshot: Enter your one-time passcode

It will look something like this.

Screenshot: One-time passcode example

3. Type in the code and click “Continue.”

Screenshot: Passcode entered

4. That is it. The email and any attached documents that were sent to you can now be accessed. Nicely done!


  1. Isn’t there a simpler way? Actually once you try this you’ll probably find that it’s very easy. Click the button to see the mail, click for a one-time passcode, type it in and you’re done. And if you have problems you can always call Empower and we’ll help you through it.

  2. Does this work on a mobile phone? Absolutely. In fact, most of these screenshots are from a cell phone.

  3. Can I reply securely? Great question! Yes you can, from the same webpage where you opened the secure email that was sent to you.

These are the latest scams and online threats you should understand and avoid to protect your sensitive personal and financial information.

WannaCrypt, WannaCry, WCry Ransomware

As many of you know, a worldwide ransomware attack, borrowed from leaked NSA exploits, was unleashed Friday, May 12, 2017.  It exploited a known vulnerability in Windows operating systems that Microsoft released a patch for on March 14, 2017.  The malware is no longer in the wild; however, it's likely that will change and the next one will be more sophisticated.

Once the malware finds a computer missing the patch, it does two things:
  1. Encrypts all the files on the computer; and
  2. Looks for other computers on the network to infect.

Like other ransomware variants, files remain encrypted until a ransom in the form of Bitcoin is paid.

What it looks like

Below is an example of what the ransomware screen looks like.

Screenshot of what WannaCrypt, WannaCry, WCry ransomware looks like

What should you do?
  1. Keep your computers, tablets and smart phones up-to-date with patches.
  2. Run anti-virus software on all computers, tablets and smart phones and keep it up to date.
  3. Avoid clicking on email links, especially from unknown sources.  Launch a browser and go directly to the web site instead.  At the very least, hover over links before clicking to see if they look legitimate.
  4. Legitimate organizations will not ask for sensitive information through unsecured communications such as email.  Nor will they make threatening phone calls.  
  5. Do not open attachments from unknown sources.
  6. Avoid calling phone numbers in suspicious emails.

IRS, States and Tax Industry Warn of Last-Minute Email Scams

IR-2017-64, March 17, 2017
WASHINGTON — The Internal Revenue Service, state tax agencies and the tax industry today warned both tax professionals and taxpayers of last-minute phishing email scams, especially those requesting last-minute deposit changes for refunds or account updates.

As the 2017 tax filing season winds down to the April 18 deadline, tax-related scams of various sorts are at their peak. The IRS urged both tax professionals and taxpayers to be on guard against suspicious activity.

The IRS, state tax agencies and the tax industry, acting as the Security Summit, enacted many safeguards against identity theft for 2017, but cybercriminals are ever evolving and make use of sophisticated scams to trick people into divulging sensitive data.

For example, one new scam poses as taxpayers asking their tax preparer to make a last-minute change to their refund destination, often to a prepaid debit card. The IRS urges tax preparers to verbally reconfirm information with the client should they receive a last-minute email request to change an address or direct deposit account for refunds.

The IRS also suggests that tax professionals change and strengthen their own email passwords to better protect their email accounts used to exchange sensitive data with clients.

This is also the time of year when taxpayers may see scam emails from their tax software provider or others asking them to update online accounts. Taxpayers should learn to recognize phishing emails, calls or texts that pose as familiar organizations such as banks, credit card companies, tax software providers or even the IRS. These ruses generally urge taxpayers to give up sensitive data such as passwords, Social Security numbers and bank account or credit card numbers.

Taxpayers who receive suspicious emails purporting to be from a tax software provider or from the IRS should forward them to Remember: never open an attachment or link from an unknown or suspicious source. It may infect your computer with malware or steal information. Also, the IRS does not send unsolicited emails or request sensitive data via email.

The Security Summit maintains a public awareness campaign for taxpayers – Taxes. Security. Together.  – and an awareness campaign for tax professionals – Protect Your Clients; Protect Yourself – as part of its effort to combat identity theft.



Protect Your Security Online

Make your password difficult to guess: it should be at least 8 characters long. Longer is better. Use a complex combination of numbers, letters and punctuation marks when possible. Use a passphrase (two or more words), an acronym or a combination.

Don't share your login information with anyone for any reason. Scammers can create fake websites that look like the website you're trying to visit. They will ask you to log in to their fake website in order to get your information. As a rule (there are exceptions), don’t click on links or open attachments, especially office suite documents that can contain malicious macros.  Rather, launch your browser and browse to the site using Favorites or Bookmarks. If you choose to click a link, hover over it first to see if it looks legitimate. Always check the website's URL before you enter your login information. When in doubt, type the web address into your browser to get to the correct page.

If you aren't sure of where a link will take you, don't click on it - even if it comes from a friend, family member, or a company you are familiar with. Be extremely skeptical of any link in a social network, even if it looks like it was sent by someone you know. Stick to reliable sources that you recognize and trust for your news gathering--especially when a story or event is sensational.

If you receive an email claiming to be from a friend, family member, or company you are familiar with, but something seems off, call your friend or family member to report it. When in doubt, don't click on links and don't respond to the email.

Report any suspicious activity. If you receive a strange email, see strange posts, or get a strange phone call from a company you are familiar with, such as Empower, contact that company and let them know.

Get more information about Avoiding Online Thieves and protecting yourself on social media.

YAHOO! Data Breach

Yahoo recently announced that 500 million of their accounts were hacked and are being sold by internet criminals.  This is believed to be the largest ever publicly disclosed data breach by a company.  Bad guys are going to use this information in a variety of ways.  For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones.  Here is what you should do right away:
  • Open your browser and go to Yahoo.  Do not use a link in any email.  Reset your password and make it a strong, complex password or rather a pass-phrase. 
  • If you were using that same password on multiple websites, you need to stop that right now.  Doing so is an invitation to get hacked.  If you did use your Yahoo passwords on other sites, go to those sites and change the password there too. 
  • Change the security questions and make the answers something that is not obvious.  Security questions and answers were stolen too in this breach.
  • Use a free password manager that can generate hard-to-hack passwords, keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.  Do not click on links or open attachments in the messages.  The real Yahoo email does not ask you to click on links or contain attachments.
Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.

Scam of the Week - Fake Security Emails

There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.

Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.

If you do, two things may happen:

1) You get to talk right away with a real internet criminal, usually with a foreign accent, that tries to scam you. They claim there is a problem with your computer, "fix" it, and ask for your credit card.

2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you and try the


Phishing sites ask for personal information such as your credit card number and expiration date. The site appears to belong to a legitimate company, but thieves have linked to a fraudulent site whose only purpose is to steal your information. No legitimate company will ask for your personal information online.


More online thieves are moving from phishing to pharming because it does not require a response from the customer. Experts warn that pharming may be more sinister than phishing because it's more difficult to detect.
Unlike phishing, which uses email spam to deliver fraudulent messages, pharming operates through phony websites. The user is automatically directed from a legitimate website to a copy of that website, with no warning signs. Once the victim is transferred to the bogus site, passwords, card numbers and other private information are collected by thieves to commit identity theft.
Online users are urged to watch for uncommon log-in processes that don't look the same as the legitimate site. Some pharming sites will ask users for information such as Social Security numbers, which are not typically required.

Identity Theft

The Federal Trade Commission has launched a nationwide identity theft education campaign to encourage consumers to keep close watch on their personal information and respond quickly when they think their data has been accessed without authorization. An education kit includes a victim recovery guide "Take Charge: Fighting Back Against Identity Theft", a training booklet "Talking About Identity Theft: A How-to Guide", and a 10-minute video on ID theft. The materials are available in English and Spanish. To talk to a counselor, or if you think your personal information has been stolen, call 1-877-IDTHEFT.

Digital Defense

Empower Federal Credit Union has partnered with Digital Defense, Inc. to help educate our members about how to protect themselves while online. The Digital Defense site covers a number of security topics. Plus, there's a quiz at the end to test your security knowledge!
  • ATM Security
  • Banking Myths
  • Home Computer Firewalls
  • Home Computer Tips
  • Secure Transactions
  • Online Fraud
  • Passwords
  • Viruses and Worms
  • Trojans and Spyware

Empower Federal Credit Union’s Online Banking now requires MFA for online banking users as a security measure to further protect your account. This extra layer of security will require you to complete some extra verification steps before the transaction will process. We will ask you to verify your identity by asking security questions or by responding to a message sent via email or text.

You may select the Multi-Factor Authentication (MFA) options that best meet your needs:

  • Sending an authentication code via email

  • Sending an authentication code via SMS/ Text (cell phone # must be confirmed for codes to be sent via text)

  • Answering Security Questions (default setting)

Where do I find the MFA Settings?

MFA options can be found on the Security tab (under settings) in Online Banking. At least one option must be enabled.

Screenshot of Multi-Factor Authentication (MFA) setup in the security tab in online banking

The Settings – Security tab is currently only available in the desktop/tablet environment. This set-up is not available on the mobile app.

Everywhere you look you see people of all ages utilizing personal smart phones, tablets, laptops and other devices to thrive in an online, connected world. Utilizing these devices for work and for pleasure can be extremely convenient and entertaining, but these benefits can come at a very high price if leveraged by a cyber-criminal to gain access to your financial accounts and other sensitive data.

Many people go to great lengths to protect their device, purchasing insurance in the event of breakage and high performance cases to defend against scratches, dents and dings. While protecting the device is important, the data held within the device is worth far more but is often not protected accordingly.

There are a number of best practices that you can follow to protect the data stored on the device and to improve mobile security to defend against a cyber-attack.

Learn how to protect yourself.


Security Summit warns of new IRS impersonation email scam; reminds taxpayers the IRS does not send unsolicited emails


IR-2019-145, August 22, 2019

WASHINGTON — The Internal Revenue Service and its Security Summit partners today warned taxpayers and tax professionals about a new IRS impersonation scam campaign spreading nationally on email. Remember: the IRS does not send unsolicited emails and never emails taxpayers about the status of refunds.

The IRS this week detected this new scam as taxpayers began notifying about unsolicited emails from IRS imposters. The email subject line may vary, but recent examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder."

The emails have links that show a website with details pretending to be about the taxpayer's refund, electronic return or tax account. The emails contain a "temporary password" or "one-time password" to "access" the files to submit the refund. But when taxpayers try to access these, it turns out to be a malicious file.

"The IRS does not send emails about your tax refund or sensitive financial information," said IRS Commissioner Chuck Rettig. "This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on-guard at all times."

This new scam uses dozens of compromised websites and web addresses that pose as, making it a challenge to shut down. By infecting computers with malware, these imposters may gain control of the taxpayer's computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.

The IRS, state tax agencies and the tax industry, which work together in the Security Summit effort, have made progress in their efforts to fight stolen identity refund fraud. But people remain vulnerable to scams by IRS imposters sending fake emails or harassing phone calls.

The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

The IRS also doesn't call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes. See Report Phishing and Online Scams for more details.

scam alert

If you can answer “YES” to any of these questions, you could be SCAMMED or involved in FRAUD!

√  Did you receive an EMAIL/TEXT/CALL from someone you don’t know? 
√  Did you respond to an email or phone call asking you to confirm, update or
    provide your ACCOUNT INFORMATION?
√  Have you been asked for your PERSONAL INFORMATION?
√  Have you been asked to provide your ONLINE BANKING login information?
√  Have you been informed that you were the winner of a SWEEPSTAKES or      
    LOTTERY or CONTEST that you did not enter?
√  Did you respond to an email regarding a work from HOME JOB such as a mystery  
    shopper?   Vehicle wrap?  
√  Have you been instructed to WIRE money as soon as possible?
√  Have you been told you would receive funds via WIRE?  
√  Have you been instructed to purchase and mail multiple GIFT CARDS? 
√  Did you receive a check that you were NOT EXPECTING?
√  Did you receive a CHECK for an item you sold on the Internet?
√  Did you receive the CHECK via an overnight delivery service?
√  Is the CHECK drawn on a business or individual account that is different from the
    person who bought the item?
√  Is the amount of the CHECK more than the item’s selling price and you’ve been told  
    the extra is for shipping costs or to send it back?

Meltdown and Spectre Logos

On January 3, 2018, researchers announced critical security vulnerabilities in all the major microprocessors (CPUs) worldwide found in computers, tablet computers, smart phones and Internet of Things (IoT) devices such as consumer electronics, home appliances and vehicles.  The bugs are actually hardware-based flaws that have been designed into CPUs for the past 15 to 20 years.  They are most commonly known as Meltdown and Spectre.  The risk is that a virus or malicious software could infect a computer and result in a compromise of sensitive information.

What is being done about it?

All of the major operating system and application development companies are working on fixes and have, or are in the process of, providing software updates.  Empower is following developments, continuously monitoring systems to detect these and other vulnerabilities, working with software vendors and installing updates as they become available.

What should you do?

For the average user, this is just another attack method among many.  All the normal security advice still applies:

  • Be on guard for scams related to the vulnerabilities;
  • Be suspicious of unexpected email messages;
  • Avoid clicking on suspicious email links;
  • Hover over links to reveal the true destination;
  • Use caution when opening attachments and avoid enabling macros;
  • When in doubt, don’t call phone numbers in email or text messages – use numbers you know are legitimate;
  • Install/enable firewall software on your computers;
  • Apply patches immediately;
  • Run anti-virus software and keep it up-to-date; and
  • In general, be careful on the Internet.

More Information

In addition to many media outlets and vendors that are reporting on Meltdown and Spectre, additional information can be found at these locations:


Text Message Scams

Phishing (pronounced "fishing") is a type of criminal activity in which email messages use deception, pressure or flattery to gain something that should not be given, such as passwords, payment card information or financial information.

Short Message Service (SMS) phishing or smishing is the same but uses text messaging instead of email to trick people.

The message might appear to be from a reputable company you do business with, such as your credit union.  It might say your credit or debit card has been locked or put on hold.

If you receive a suspicious email or text message and suspect it may be from us, DON’T REPLY OR CALL THE NUMBER LISTED.  Rather, call a number you know is legitimate, such as the one on the back of your credit/debit card or the number on your statement.

Don't reply to an email, phone call or text message that does these things:

  • Prompts you to give personal or account information either directly in the email or on a website the email sends you to;
  • Threatens to close or suspend your account if you don't take immediate action;
  • Invites you to answer a survey that asks you to enter personal or account information;
  • Tells you your account has been compromised, then asks you to give or confirm your personal or account information;
  • Tells you there are unauthorized charges on your account, then asks you to give your personal or account information;
  • Asks you to confirm, verify or update your account, credit card or billing information.

For more information see

Example of scam text message:


Spoofing and Caller ID

What is spoofing and how does it work?

"Spoofing" occurs when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Spoofing is often used as part of an attempt to trick someone into giving away valuable personal information so it can be used in fraudulent activity or sold illegally. U.S. law and FCC rules prohibit most types of spoofing.

Caller ID lets consumers avoid unwanted phone calls by displaying caller names and phone numbers, but the caller ID feature is sometimes manipulated by spoofers who masquerade as representatives of banks, creditors, insurance companies, or even the government.


Equifax Data Breach Information

Equifax announced on September 7, 2017 that they suffered a massive data breach from May to July 2017 resulting in unauthorized access to electronic information impacting approximately 143 million customers in the United States.  That’s about 50% of the US population.

Empower World, Platinum and Business Mastercard holders have additional Identity Theft Protection benefits available, including optional alert notifications. To enroll for alerts, go to Learn more about additional benefits.  

For information being provided by Equifax go to:  

This public interest information is brought to you by Empower Federal Credit Union. Empower is not making recommendations of action or inaction. It is important for you to consider what may be the best option for you. 

Empower Federal Credit Union
Syracuse, NY 13212


Scams in the Name of Charity

Scammers are creative, cunning and cruel — and they often mix in a little truth to spice up their big lies. This scheme shows just how low they can go.

Government imposters claiming to be with the FTC, or another agency like the fictitious “Consumer Protection Agency,” are calling to inform people they have won a huge sweepstakes from the Make-a-Wish Foundation, a well-known charity for very sick children. Learn More.

New Twist in One Market in Account-Opening Scam

PLEASANTON, Calif.–Credit unions and financial institutions in this market are reporting what they are calling a “wave” of financial fraud in which criminals are paying victims to open accounts, then turn over the account information so they can commit fraud. Learn More.

Fake Ticket Email Hoax - NY State Department of Motor Vehicles (DMV) Phishing Scam

The New York State DMV released an alert of an email phishing scam notifying users that they must pay a ticket within 48 hours or have their license revoked. While the notice appears to come from DMV, it is a hoax. The press release can be found here: Or, to avoid clicking the link, go to and search for press releases.
The phishing email lists a reference number and reads in part:
