REPORT ALL SUSPICIOUS OR CRIMINAL ACTIVITY TO 911

Monday, November 22, 2021

BANK TEXT MESSAGE SCAM – A Different Trick to Take Over Your Account

Last week, I published a warning about a text message scam impersonating BECU:

TEXT MESSAGE SCAM – Fraudsters Impersonate BECU- https://ssnoccrimewatch.blogspot.com/2021/11/text-message-scam-fraudsters.html.

Krebs on Security has published articles about a twist to this theme.

Like the BECU scam, the scammers send out text messages, claiming to be from a financial institution, with a warning about a suspicious transaction. Here is an example of a scam message:

“Free Msg- J.P Morgan Chase Bank Alert-Did You Attempt A Zelle Payment For The Amount of $5,000.00? Reply YES or NO Or 1 To Decline Fraud Alerts.”

Zelle is a peer-to-peer payment service that advertises fast payments that you can make to your friends or associates. Zelle is offered as a service by many banks and credit unions.

In this case, the supposed J.P. Morgan Chase Bank is asking you about a specific transaction. Instead of asking you to click on a link, it asks you to reply Yes or No. After you respond (with a Yes or No), you will receive a phone call from a scammer pretending to be from the fraud department. The scammer will want to “verify” your identity. What they request as verification is your account username. Then, the scammer asks you to read the passcode that was just sent to you via text or email.

This tactic takes advantage of the “forgotten password” feature that most websites with accounts have. With this feature, if you have forgotten the password to your account, you enter your username and the site sends you a temporary password. You can then sign in to your account and change your password to one that only you know. In the scam, after you give the scammer your username, he enters it and the site sends you the temporary password. When you read the temporary password to the scammer, he enters it and takes control of your account.

The scammer uses Zelle to transfer funds to other people.

You may think that since you gave the scammer information allowing him to enter your account that you do not have any protection. However, according to the Consumer Financial Protection Bureau, this amounts to an unauthorized transaction since the scammer received the username and password through fraud.

Legitimate financial institutions do send out text messages notifying or querying their customers about suspicious transactions. So, if your bank or credit card company uses text messages as an anti-fraud technique, it could be difficult to distinguish the fraudulent texts from the genuine texts.

Krebs on Security has a simple mantra to follow: Hang Up, Look Up, and Call Back.

Hang Up- If you receive a call warning about fraud, hang up. Likewise, if you receive a text or an email warning about fraud, do not click on any links or respond.

Look Up- If you think the call or text might be legitimate, look up the number for customer service on the back of your credit card, on a copy of the account monthly statement, or with a web search. DO NOT USE ANY PHONE NUMBERS OR LINKS PROVIDED BY THE SUSPICIOUS PHONE CALL, TEXT, OR EMAIL!

Call Back- Call the institution and ask if they were trying to contact you.

 

 

Krebs on Security:

https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/

https://krebsonsecurity.com/2021/11/sms-about-bank-fraud-as-a-pretext-for-voice-phishing/

 

Consumer Financial Protection Bureau:

https://www.consumerfinance.gov/compliance/compliance-resources/deposit-accounts-resources/electronic-fund-transfers/electronic-fund-transfers-faqs/

 

Zelle:

https://www.zellepay.com/

 

 

Thursday, November 18, 2021

SNOHOMISH COUNTY SHERIFF’S OFFICE – Holiday Crime Prevention Newsletter

The latest issue of the Snohomish County Sheriff’s Office’s crime prevention newsletter, “Partners in Crime Prevention,” is now available. This issue has tips on safe online shopping, protecting yourself from online scams, preventing package theft, and how to protect your presents at home.

 

 

 

Snohomish County Sheriff’s Office:

https://www.snohomishcountywa.gov/ArchiveCenter/ViewFile/Item/6744

Sunday, November 14, 2021

TEXT MESSAGE SCAM – Fraudsters Impersonate BECU

This morning, I received the following text message on my phone purportedly from the Boeing Employees Credit Union (BECU):

 

“FRM:BECU-BANK MSG:We discovered unusual updates on your Account that we believe may be unauthorized, secure account below:…”

 

It included a link to go to. Before clicking the link, I checked the BECU website (which I found with a web search) and found a posting, dated April 2021, about just this type of text message scam. It points out that SMS text messages like the one above continue to be sent out by scammers. BECU says that the scammers’ goal is to access your BECU account.

BECU emphasizes that they will not ask for your Online Banking User ID or Online Banking Password, and that they will not include a link in any text messages that they might send you. They say that the purpose of the link in a scam message is to direct you to enter your User ID and password. This is a classic example of a phishing text message.

BECU does say that it monitors members’ accounts for suspicious activity and may send a text message, email, or automated phone call if they suspect suspicious activity on your account. They explain that a text message may ask for a simple YES or NO for a response, or it may ask you to call the BECU servicing number on the back of your credit/debit card to verify account usage.

It also warns that some scammers are using the names and locations of actual BECU employees.

If you are victimized by a scammer on your BECU account, BECU wants to know. You can call them at (800) 233-2328 or visit any BECU location.

As for the text message, I did not click the link and I blocked the number on my smartphone.

 

 

Boeing Employees Credit Union:

https://www.becu.org/news/2021/Apr/fraud-alert-phishing-scams

 

Monday, November 8, 2021

WASHINGTON STATE – Attorney General Issues Data Breach Report

The Washington State Attorney General’s Office (AGO) recently released its latest annual Data Breach Report showing that data breaches affecting Washington State residents skyrocketed to 280 breaches in 2021, a 500% increase over last year’s 60 breaches.

We often hear about scams and frauds that target individuals through robocalls, email, and text messages. The goal of the scammers is to steal your money and to get your personal information that they can use in fraud schemes or sell on the dark web to other scammers.

Data breaches often have similar goals, but target personal information held by organizations such as businesses, educational organizations, health organizations, financial institutions, and governments. The hackers target organization databases that hold client, customer, or patient personal information to use in their own fraud schemes or to sell on the dark web. Since this is information about you that is held by someone else, we all have to rely on the organization to secure the privacy of our information.

The Attorney General’s Office defines a data breach as “…the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by a person, business, or agency.” The Attorney General’s report defines personal information as an individual’s first name or first initial and last name with a Social Security number; driver’s license number or Washington ID card number; account number or credit card or debit card number; student, military, or passport ID numbers; health insurance policy or ID numbers; full date of birth; private keys for an electronic signature; medical information, including medical history, mental or physical condition, diagnoses, or treatments; biometric data; or username/email address with a password or security questions and answers.

The AGO looks at three sources of a data breach:

· Cyberattack is where a hacker accesses secure data on a computer system. Cyberattacks constituted 87.5% of all reported data breaches in 2021, up from 63% in 2020. Of the methods of cyberattack, ransomware amounted to more than half of the cyberattacks in 2021: 150 of the total of 245 cyberattacks. Other methods of cyberattack include skimmers, spyware, and phishing email.

· Unauthorized access is where an unauthorized person accesses secure data through an unsecured network or sifts through sensitive documents on a desk. This method amounted to 7.5% of all cyberattacks.

· Theft or mistake is where a clerical error mistakenly sends sensitive data to the wrong recipient or a laptop with sensitive data is stolen. Theft or mistake made up 5% of all cyberattacks.

Three entities bear responsibility for protecting personal information, holding cyber criminals accountable for their crimes, or blocking cybercriminals from successfully using personal information.

A business, government, financial organization, etc. needs to take actions to protect the data. Protecting personal information can be challenging as cybercriminals become more sophisticated in their attacks. But not assembling an effective cybersecurity team to plug security holes in a computer system and to keep up to date on the latest cybercriminal trends is inexcusable.

Governments are the best organizations to hold cybercriminals accountable for their crimes. But cybercrime is in the wild west of law enforcement. The federal government is probably the best governmental level to handle cybercrime cases since cybercriminals operate across state boundaries and country boundaries. However, since many cybercriminals operate beyond U.S. borders, the federal government needs the cooperation of other countries to suppress cybercriminal activity. The federal government is making efforts to protect personal data held in the U.S., as shown in this Associated Press article- https://apnews.com/article/technology-russia-crime-arrests-hacking-f0adf6f0765b0f079a20a95cf85c5334, but there remain many challenges to holding cybercriminals accountable.

As individuals there are actions that we can take to protect ourselves.

Some general things include:

· Use strong passwords and store them in a password manager/vault such as LastPass or 1Password. Also, be sure NOT to use the same password for multiple accounts.

· Use multifactor authentication (also known as two-factor authentication) whenever you can. Here is a good explanation of multifactor authentication- https://askleo.com/two-factor-authentication/.

· Use security software to keep malware off of your devices. Also, keep the software on your devices up to date with the latest security updates.

· Watch out for phishing emails or texts. Phishing is a leading technique by cybercriminals to insert malware and steal data in computer systems.

If you are notified that your personal information may have been compromised in a data breach, you should be proactive. Some actions that the AGO recommends include:

· Check your credit report, which you can obtain from one of the three credit bureaus (Experian, TransUnion, and Equifax).

· Report the identity theft to the Federal Trade Commission (FTC) at https://www.identitytheft.gov/#/. This web site will take your report and will help you develop a plan to recover from the theft.

· File a report with your local police department.

· Send a copy of the police report to each of the three credit bureaus.

· Ask the business that sent you the data breach notice to give you information about transactions made in your name. The AGO has a template for a letter that you can use at this link- https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fagportal-s3bucket.s3.amazonaws.com%2Fuploadedfiles%2FHome%2FSafeguarding_Consumers%2FConsumer_Issues_A-Z%2FIdentity_Theft_(Privacy)%2FSample-Letter-for-ID-Theft-Victims-to-Request-Records.doc&wdOrigin=BROWSELINK

Depending on what information was compromised in the data breach, you may need to take additional steps. The Identity Theft Resource Center has recommendations at this link- https://helpcenter.idtheftcenter.org/s/article/What-to-do-If-You-Receive-a-Data-Breach-Notification

 

 

 

Washington State Attorney General’s Office:

https://www.atg.wa.gov/news/news-releases/ag-data-breach-report-2021-sets-new-record-number-data-breaches-and-ransomware

https://agportal-s3bucket.s3.amazonaws.com/2021%20Data%20Breach%20Report.pdf

 

The Seattle Times:

https://www.seattletimes.com/seattle-news/washington-sets-record-for-data-breaches-and-ransomware-attacks-says-ag-ferguson/

 

KIRO TV:

https://www.kiro7.com/news/jesse-jones/2021-data-breaches-just-keep-coming/LABPLG5GS5AOHJHJ4HDK6TWA5Q/

 

 

Friday, November 5, 2021

AMAZON SCAM – Scammers Trick You into Giving Them Money

You receive a phone call, email, or text message from someone, claiming to be from Amazon, about suspicious activity or unauthorized purchases made against your account. If you call the number given, the phony Amazon representative will trick you into giving them control over your computer or device so that they can give you a refund.

From here they pull an old trick. They “accidentally” add some extra zeros, overpaying you. Then they ask you to return the difference.

To make this ruse more convincing, while they are in your computer, they may access your online banking account and move the amount from your savings account to your checking account. When you look at your checking account, you see the “deposit” and you assume you got your refund.

The Federal Trade Commission (FTC), which reported this scam, says that about 35% of people who report a business impersonator scam, reported that the impersonator claimed to be from Amazon. And, over the past year, Amazon impersonators seem to be harming older people over 60. According to the FTC, older people are four times more likely than younger people to report losing money to an Amazon impersonator.

Most of us realize that a vendor has a way to refund or credit our credit card accounts without going into our computers. But depending on the stress we are under at any moment, we might feel compelled to comply with a stranger. Remember, do not let anyone who has unexpectedly contacted you control your computer.

Some other tips include:

· Never call phone numbers included in unsolicited phone calls, emails, or text messages. If you want to check your account or ask a company representative about your account, look up the company’s web address and/or phone number with a web search.

· DO NOT PAY FOR FEES OR OTHER CHARGES WITH A GIFT CARD! Especially when a stranger contacts you out of the blue.

· If you receive a phone call, text, or email from an Amazon impersonator, tell your family and friends. The more people who know about the scam, the more people will be on guard against it.

· And, if you receive a call from an Amazon impersonator, tell the FTC at https://reportfraud.ftc.gov/#/?pid=A

 

 

Federal Trade Commission:

https://www.ftc.gov/news-events/blogs/data-spotlight/2021/10/amazon-tops-list-impersonated-businesses

 

Amazon- Here is a search result on the Amazon website about scams:

https://www.amazon.com/gp/help/customer/display.html?help_keywords=scams&search=true&nodeId=G508510&kwHidden=true&sprefix=scams%2Cscams%2C0&locale=en_US&ref_=hp_search_rd_gw