New Twist in One Market in Account-Opening Scam

PLEASANTON, Calif.–Credit unions and financial institutions in this market are reporting what they are calling a “wave” of financial fraud in which criminals are paying victims to open accounts, then turn over the account information so they can commit fraud.


Fake Ticket Email Hoax - NY State Department of Motor Vehicles (DMV) Phishing Scam

The New York State DMV released an alert of an email phishing scam notifying users that they must pay a ticket within 48 hours or have their license revoked. While the notice appears to come from DMV, it is a hoax. The press release can be found here: https://dmv.ny.gov/press-release/press-release-06-01-2017. Or, to avoid clicking the link, go to dmv.ny.gov and search for press releases.
 
The phishing email lists a reference number and reads in part:
 
“Dear Driver:
 
We are writing to inform you that the state police department has notified us that you have several outstanding traffic violations. If you do not make restitution for these infractions within 48 hours, we will be forced to revoke your driver’s license.

To make payment arrangements online, click here.

To refute these tickets, click here.
Sincerely,

The NY DMV”

 
“The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV Deputy Executive Commissioner.

Tips for Avoiding Phishing Scams:

  1. Verify that you know the sender. When in doubt, double check with the sender before clicking links or opening attachments.
  2. Think twice before clicking on email links:
    1. Avoid clicking if you can. Launch a browser and go directly to the web site instead.
    2. Hover before clicking. If the actual URL that appears in the pop-up window looks suspicious, don’t click on it.
  3. Avoid opening attachments or enabling macros unless you know the sender and you’re confident of the authenticity.
  4. Confirm phone numbers in email messages before calling them.
  5. Legitimate organizations will not ask for sensitive information through unsecured communications such as email. Nor will they send threatening emails or make threatening phone calls.

Social Engineering Red Flags - What to look out for in an email
 

Accessing Secure Email

Empower uses ZixCorp’s encryption services to protect your sensitive financial information within email communications you receive from us. This message protection makes it easy for you to receive, read and reply to our encrypted communications.
 

Retrieving a Secure Email Message

If you have received a secure message, learn more about retrieving your secure email message from the SecureMessage Center. A link to these instructions also is included in your secure email message.

These are the latest scams and online threats you should understand and avoid to protect your sensitive personal and financial information.

WannaCrypt, WannaCry, WCry Ransomware

As many of you know, a worldwide ransomware attack, borrowed from leaked NSA exploits, was unleashed on Friday, May 12, 2017. It exploited a known vulnerability in Windows operating systems for which Microsoft released a patch on March 14, 2017. The malware is no longer in the wild; however, it's likely that will change and the next one will be more sophisticated.

Once the malware finds a computer missing the patch, it does two things:
  1. Encrypts all the files on the computer; and
  2. Looks for other computers on the network to infect.

Like other ransomware variants, files remain encrypted until a ransom in the form of Bitcoin is paid.

What it looks like

Below is an example of what the ransomware screen looks like.

Screenshot of what WannaCrypt, WannaCry, WCry ransomware looks like

What should you do?
  1. Keep your computers, tablets and smart phones up-to-date with patches.
  2. Run anti-virus software on all computers, tablets and smart phones and keep it up to date.
  3. Avoid clicking on email links especially from unknown sources.  Launch a browser and go directly to the web site instead.  At the very least, hover over links before clicking to see if they look legitimate.
  4. Legitimate organizations will not ask for sensitive information through unsecured communications such as email.  Nor will they make threatening phone calls.  
  5. Do not open attachments from unknown sources.
  6. Avoid calling phone numbers in suspicious emails.

IRS, States and Tax Industry Warn of Last-Minute Email Scams

IR-2017-64, March 17, 2017
WASHINGTON — The Internal Revenue Service, state tax agencies and the tax industry today warned both tax professionals and taxpayers of last-minute phishing email scams, especially those requesting last-minute deposit changes for refunds or account updates.

As the 2017 tax filing season winds down to the April 18 deadline, tax-related scams of various sorts are at their peak. The IRS urged both tax professionals and taxpayers to be on guard against suspicious activity.

The IRS, state tax agencies and the tax industry, acting as the Security Summit, enacted many safeguards against identity theft for 2017, but cybercriminals are ever evolving and make use of sophisticated scams to trick people into divulging sensitive data.

For example, one new scam poses as taxpayers asking their tax preparer to make a last-minute change to their refund destination, often to a prepaid debit card. The IRS urges tax preparers to verbally reconfirm information with the client should they receive a last-minute email request to change an address or direct deposit account for refunds.

The IRS also suggests that tax professionals change and strengthen their own email passwords to better protect their email accounts used to exchange sensitive data with clients.

This is also the time of year when taxpayers may see scam emails from their tax software provider or others asking them to update online accounts. Taxpayers should learn to recognize phishing emails, calls or texts that pose as familiar organizations such as banks, credit card companies, tax software providers or even the IRS. These ruses generally urge taxpayers to give up sensitive data such as passwords, Social Security numbers and bank account or credit card numbers.

Taxpayers who receive suspicious emails purporting to be from a tax software provider or from the IRS should forward them to phishing@irs.gov. Remember: never open an attachment or link from an unknown or suspicious source. It may infect your computer with malware or steal information. Also, the IRS does not send unsolicited emails or request sensitive data via email.

The Security Summit maintains a public awareness campaign for taxpayers – Taxes. Security. Together.  – and an awareness campaign for tax professionals – Protect Your Clients; Protect Yourself – as part of its effort to combat identity theft.

Source: https://www.irs.gov/uac/newsroom/irs-states-and-tax-industry-warn-of-last-minute-email-scams


Protect Your Security Online

Make your password difficult to guess: it should be at least 8 characters long. Longer is better. Use a complex combination of numbers, letters and punctuation marks when possible. Use a passphrase (two or more words), an acronym or a combination.

Don't share your login information with anyone for any reason. Scammers can create fake websites that look like the website you're trying to visit. They will ask you to log in to their fake website in order to get your information. As a rule (there are exceptions), don’t click on links or open attachments, especially office suite documents that can contain malicious macros. Rather, launch your browser and browse to the site using Favorites or Bookmarks. If you choose to click a link, hover over it first to see if it looks legitimate. Always check the website's URL before you enter your login information. When in doubt, type the web address into your browser to get to the correct page.

If you aren't sure of where a link will take you, don't click on it - even if it comes from a friend, family member, or a company you are familiar with. Be extremely skeptical of any link in a social network, even if it looks like it was sent by someone you know. Stick to reliable sources that you recognize and trust for your news gathering--especially when a story or event is sensational.

If you receive an email claiming to be from a friend, family member, or company you are familiar with, but something seems off, call your friend or family member to report it. When in doubt, don't click on links and don't respond to the email.

Report any suspicious activity. If you receive a strange email, see strange posts, or get a strange phone call from a company you are familiar with, such as Empower, contact that company and let them know.

Get more information about Avoiding Online Thieves and protecting yourself on social media.
 

YAHOO! Data Breach

Yahoo recently announced that 500 million of their accounts were hacked and are being sold by internet criminals. This is believed to be the largest ever publicly disclosed data breach by a company. Bad guys are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what you should do right away:
  • Open your browser and go to Yahoo.  Do not use a link in any email.  Reset your password and make it a strong, complex password or rather a pass-phrase. 
  • If you were using that same password on multiple websites, you need to stop that right now.  Doing so is an invitation to get hacked.  If you did use your Yahoo passwords on other sites, go to those sites and change the password there too. 
  • Change the security questions and make the answers something that is not obvious.  Security questions and answers were stolen too in this breach.
  • Use a free password manager that can generate hard-to-hack passwords, keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.  Do not click on links or open attachments in the messages.  The real Yahoo email does not ask you to click on links or contain attachments.

Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
 

Scam of the Week - Fake Security Emails

There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.

Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.

If you do, two things may happen:

1) You get to talk right away with a real internet criminal, usually with a foreign accent, who tries to scam you. They claim there is a problem with your computer, "fix" it, and ask for your credit card.

2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you and try the same scam.

Remember, if you get any emails that either promise something too good to be true, OR look like you need to prevent a negative consequence, Think Before You Click and in this case before you pick up the phone.

If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Don’t fall for it!  http://cdn2.hubspot.net/hubfs/241394/phone_phish.mp3

 

NCUA Warns of Text Phishing Scam

ALEXANDRIA, Va. (Aug. 23, 2016) – The National Credit Union Administration has received consumer calls about a suspicious text message claiming to come from the agency.

Learn more: https://www.ncua.gov/newsroom/Pages/NCUA-Warns-of-Text-Phishing-Scam.aspx

 

EMV (chip) Cards Phishing Scam

ALBANY, N.Y.—New York state officials here are warning consumers of a new phishing scam that involves EMV cards.

Scammers, pretending to be card issuers, are sending emails to individuals who haven't yet received their new chip cards, according to the New York State Division of Consumer Protection (DCP). The emails ask recipients to update their accounts by providing personal information in order to receive their new chip cards, or to click on a link to continue the process. By clicking on the link, malware can be installed on a computer or mobile device, CBS News reported.

Consumers who fall for such scams are also exposing themselves to identity theft. By compiling profiles on individual consumers, some scammers are able to open credit cards in their victims' names.

“The card issuer gets scammed into giving a new card with a line of credit in your name, and the criminal runs up the card by the time the issuer knows what's happening,” David Robertson, publisher of the Nilson Report, told CBS.

(Source: CUtoday.info)
 

National Credit Union Administration (NCUA) Telephone Scam

The NCUA has issued a warning to consumers about a telephone scam in which a caller claims to work for NCUA and asks for personal and financial information. This is a SCAM. Do not give the caller any information.

Robocall Scam Targets Older New Yorkers

The New York State Office for Aging has been made aware of a new robocall scam that attempts to lure older New Yorkers into providing their personal information over the phone. The voice on the robocall identifies itself as the New York State Office for the Aging and asks the individual answering the phone to press a button if someone in the home is over 65 and would be interested in receiving a free Medic Alert pin and $3000 in coupons for food or other items.
This is a SCAM. The New York State Office for the Aging does not give away items, money or coupons and will NEVER solicit personal information over the phone.
If you receive a similar call, you should HANG UP IMMEDIATELY. Financial scams should be reported to the Consumer Protection Division of the NYS Attorney General’s Office at 1-800-771-7755, the NYS Department of Financial Services at 1-800-697-1220 or the NYS Department of State at (518) 474-8583.

Did someone call or message you about a problem with your account or credit card?

Empower will NEVER initiate a call asking you to provide an account or card number. This type of scam often includes statements that make you believe immediate action is required or your account will be blocked. This is a tactic used to make the potential victim feel rushed and provide information they otherwise would not provide. NEVER provide information in response to such questions. ALWAYS call us directly at 315.477.2200 if you have any concerns about your account.

For your security, Empower does partner with a third-party vendor that monitors card transactions 24/7. They may call on our behalf to verify a transaction if it appears out of the ordinary, but they will provide all the information to you. They will NEVER ask you for account or card information.

Phishing

Phishing sites ask for personal information such as your credit card number and expiration date. The site appears to belong to a legitimate company, but thieves link you to a fraudulent site that is only interested in stealing your information. No legitimate company will ask for your personal information online.

Pharming

More online thieves are moving from phishing to pharming because it does not require a response from the customer. Experts warn that pharming may be more sinister than phishing because it's more difficult to detect.
Unlike phishing, which uses email spam to deliver fraudulent messages, pharming operates through phony websites. The user is automatically directed from a legitimate website to a copy of that website, with no warning signs. Once the victim is transferred to the bogus site, passwords, card numbers and other private information are collected by thieves to commit identity theft.
Online users are urged to watch for uncommon log-in processes that don't look the same as the legitimate site. Some pharming sites will ask users for information such as Social Security numbers, which are not typically required.

Identity Theft

The Federal Trade Commission has launched a nationwide identity theft education campaign to encourage consumers to keep close watch on their personal information and respond quickly when they think their data has been accessed without authorization. An education kit includes a victim recovery guide "Take Charge: Fighting Back Against Identity Theft", a training booklet "Talking About Identity Theft: A How-to Guide", and a 10-minute video on ID theft. The materials are available in English and Spanish. To talk to a counselor, or if you think your personal information has been stolen, call 1-877-IDTHEFT.

Digital Defense


Empower Federal Credit Union has partnered with Digital Defense, Inc. to help educate our members about how to protect themselves while online. The Digital Defense site covers a number of security topics. Plus, there's a quiz at the end to test your security knowledge!
 
  • ATM Security
  • Banking Myths
  • Home Computer Firewalls
  • Home Computer Tips
  • Secure Transactions
  • Online Fraud
  • Passwords
  • Viruses and Worms
  • Trojans and Spyware

Empower Federal Credit Union’s Online Banking now requires MFA for online banking users as a security measure to further protect your account. This extra layer of security will require you to complete some extra verification steps before the transaction will process. We will ask you to verify your identity by asking security questions or by responding to a message sent via email or text.

You may select the Multi-Factor Authentication (MFA) options that best meet your needs:

  • Sending an authentication code via email

  • Sending an authentication code via SMS/ Text (cell phone # must be confirmed for codes to be sent via text)

  • Answering Security Questions (default setting)


Where do I find the MFA Settings?

MFA options can be found on the Security tab (under settings) in Online Banking. At least one option must be enabled.

Screenshot of Multi-Factor Authentication (MFA) setup in the security tab in online banking

The Settings – Security tab is currently only available in the desktop/tablet environment. This set-up is not available on the mobile app.

Everywhere you look you see people of all ages utilizing personal smart phones, tablets, laptops and other devices to thrive in an online, connected world. Utilizing these devices for work and for pleasure can be extremely convenient and entertaining, but these benefits can come at a very high price if leveraged by a cyber-criminal to gain access to your financial accounts and other sensitive data.

Many people go to great lengths to protect their device, purchasing insurance in the event of breakage and high performance cases to defend against scratches, dents and dings. While protecting the device is important, the data held within the device is worth far more but is often not protected accordingly.

There are a number of best practices that you can follow to protect the data stored on the device and to improve mobile security to defend against a cyber-attack.

Learn how to protect yourself.