Fraud and Common Scams

What is Spoofing?

Spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Scammers often use neighbor spoofing so it appears that an incoming call is coming from a local number, or spoof a number from a company or a government agency that you may already know and trust. If you answer, they use scam scripts to try to steal your money or valuable personal information, which can be used in fraudulent activity. This video explains more.

How to Avoid Spoofing

You may not be able to tell right away if an incoming call is spoofed. Be extremely careful about responding to any request for personal identifying information.

• Don’t answer calls from unknown numbers and even be skeptical if the number shows up as Altura Credit Union.  The bad actor could be spoofing Altura’s number to trick you. If you answer such a call, hang up immediately.
• Always be suspicious of anyone calling you and asking for personal information about any accounts you have.  Even if they say they are from your financial institution.
• If you answer the phone and the caller – or a recording – asks you to hit a button to stop getting the calls, you should just hang up. Scammers often use this trick to identify potential targets.
• Do not respond to any questions, especially those that can be answered with “Yes” or “No.”
• Never give out personal information such as account numbers, Social Security numbers, mother’s maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.
• If you get an inquiry from someone who says they represent a company or a government agency, hang up and call the phone number on your account statement, in the phone book, or on the company’s or government agency’s website to verify the authenticity of the request. You will usually get a written statement in the mail before you get a phone call from a legitimate source, particularly if the caller is asking for a payment.
• Use caution if you are being pressured for information immediately.
• If you have a voice mail account with your phone service, be sure to set a password for it. Some voicemail services are preset to allow access if you call in from your own phone number. A hacker could spoof your home phone number and gain access to your voice mail if you do not set a password.
• Talk to your phone company about call blocking tools and check into apps that you can download to your mobile device. The FCC allows phone companies to block robocalls by default based on reasonable analytics. More information about robocall blocking is available at fcc.gov/robocalls.

Remember to check your voicemail periodically to make sure you aren’t missing important calls and to clear out any spam calls that might fill your voicemail box to capacity.

Fake text messages are also known as smishing attempts. Smishing is the fraudulent practice of sending text messages, purporting to be from reputable companies. These messages are intended to trick you into providing personal information, such as passwords, Social Security number or credit card numbers. The fraudsters then use this information to gain access to your bank account or email.

These text messages can be very convincing, as the criminals are trying to entice you to click on the link. Below are some examples of smishing attempts. Notice how convincing these messages appear to be legitimate:

What to do if you receive a Smishing text:

• Block the phone number. If you are unsure how, reach out to your wireless carrier for help.
• If you are unsure about whether or not the text is a scam, it’s best to contact the sender directly using a company phone number that you know to be legitimate.

What NOT to do:

• Do not click on the link within the text message.
• Do not reply to the text message. Replies can be used by the criminals to validate your phone number.
• Do not be tricked by a local phone number. Fraudsters have technology that makes the text look like it is coming from a local number.

The Federal Trade Commission provides more resources to learn about Smishing attempts here: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

There has been a recent increase in scam phone calls targeting our Members, including ones that originate from our inbound 888-883-7228 number, which we do not use to call OUT from. These calls are designed to trick you into giving out your personal information, such as your Social Security number, credit/debit card number, or account information.

It is important to remember that we will never call you and ask for your personal information. If you receive a call from someone claiming to be from Altura, hang up and call us back at the number on the back of your credit/debit card or at 888-883-7228.

We recommend that you follow these tips to protect yourself from scam phone calls:

• Don’t give out your personal information to anyone who calls you unsolicited
• Be suspicious of any call that asks for your personal information immediately
• Hang up if you feel uncomfortable or pressured
• Report any suspicious calls to the Federal Trade Commission at ftc.gov/complaint

Scam calls are designed to trick you into giving out sensitive information. Scammers may use a variety of tactics to try to get your information, such as:

• Pretending to be from a government agency, such as the IRS or Social Security Administration
• Pretending to be from Altura
• Using threats or intimidation to pressure you into giving out your information
• Telling you to pay in a specific way

Pay It Safe with Zelle®

Zelle® is a great way to send money to friends, family and others you trust, right from the Altura Credit Union app. With Zelle®, money moves directly from your bank account to another person’s bank account, typically arriving in minutes*.

We know getting money to friends and family quickly and safely is important, so we’ve provided some friendly reminders on how to “pay it safe” when you’re sending money with Zelle®. Additionally, you can watch the Zelle® Sending Money Safely video by clicking here.

1. Use Zelle® to pay friends, family and others you trust.

Fast and convenient, Zelle® is a great way to pay people you trust. Money is sent directly from your bank account to another person’s bank account, and can’t be canceled if the other person is already enrolled with Zelle®. Because of this, you should only send money to people you personally know and trust.

2. Know when Zelle® is a good payment option, and when another payment method is better.

Zelle® can be used to pay many important people in your life, for so many different reasons! Use Zelle® to pay your roommate back for takeout or split the cost of necessities with a neighbor. However, if you aren’t sure you will get what you paid for (for example, items bought from an online bidding or sales site), or you don’t know and trust the person you’re paying, we recommend you choose a different payment option. Neither Zelle® nor Altura Credit Union offers a protection program for authorized payments made with Zelle®.

3. Double check your recipient’s info.

One of the key benefits of using Zelle® is the ability to send money directly to another person’s bank account in minutes*. That said, it’s important you enter your recipient’s U.S. mobile number or email address correctly. Always double check your recipient’s contact info before you hit “send”!

4. Don’t share sensitive data with others.

As an added layer of protection, Zelle® will send you a Multi-Factor Authentication code to your mobile device to verify it’s you, but Zelle® and Altura Credit Union will never ask you to verbally share your code or online banking credentials. Your credentials should never be shared with others.

More Safety Tips

A new smishing attack has recently surfaced that targets iPhone users and their Apple ID. This attack sends a text message to you stating that your Apple ID is locked and that you need to click on the link and type in your Apple ID and password. Apple is not sending these. A malicious attacker is and wants to get your information.

Below is an example of how the text message looks:

Please be on the look out for texts similar to the one above.

Signs That It’s A Scam

1. Scammers PRETEND to be from an organization you know.

Scammers often pretend to be contacting you on behalf of the government. They might use a real name, like the Social Security Administration, the IRS, or Medicare, or make up a name that sounds official. Some pretend to be from a business you know, like a utility company, a tech company, or even a charity asking for donations.

They use technology to change the phone number that appears on your caller ID. So the name and number you see might not be real.

2. Scammers say there’s a PROBLEM or a PRIZE.

They might say you’re in trouble with the government. Or you owe money. Or someone in your family had an emergency. Or that there’s a virus on your computer.

Some scammers say there’s a problem with one of your accounts and that you need to verify some information.

Others will lie and say you won money in a lottery or sweepstakes but have to pay a fee to get it.

3. Scammers PRESSURE you to act immediately.

Scammers want you to act before you have time to think. If you’re on the phone, they might tell you not to hang up so you can’t check out their story.

They might threaten to arrest you, sue you, take away your driver’s or business license, or deport you. They might say your computer is about to be corrupted.

4. Scammers tell you to PAY in a specific way.

They often insist that you pay by sending money through a money transfer company or by putting money on a gift card and then giving them the number on the back.

Some will send you a check (that will later turn out to be fake), tell you to deposit it, and then send them money.

Source: https://www.consumer.ftc.gov/articles/how-avoid-scam

Amazon Scams

There is no shortage of online shopping during normal times, and the pandemic has accelerated our usage of online shopping, resulting in even more scams taking place on the largest retail store, Amazon. These scams and frauds are threats to both the consumer and business owner.

Consumer Threats

• Phishing scams: This is one someone contacts you and pretends to be a representative of Amazon, offering a discount or asking for more information. Their goal is to gather more information to take your money or your identity. These can be in the form of a text or email and include links with viruses that can retrieve passwords.
• Email Scams: Remember, Amazon will never ask for your personal details and will not list a customer’s email address or shipping address. Don’t be fooled by an authentic-looking address. Also, Amazon doesn’t ever ask you to login via an email. Even if the email looks legitimate, only logging in directly on Amazon will guarantee your account remains safe.

Seller Threats:

• Failed Delivery Scam: When a customer says they didn’t receive a package when in fact they did. This can hurt the seller by depleting profits. A simple fix can be using a track-and-trace postage.
• The Replace and Refund Scam: When a customer asks for a refund and then returns the item, except the item is not the one ordered but a previously purchased or stolen one of the same kind, that has been broken or is old. This scam can be countered by performing a quality test, then attaching a tamper-proof sticker.

(Source: blog.edesk.com)

Elder Fraud

Elder individuals tend to be more trusting and have more savings and assets. It is because of this that there are forms of fraud that specifically target the elderly, categorized as Elder Fraud.

Types of Elder Fraud:

• Romance scam: Criminals pose as interested romantic partners on social media or dating websites to capitalize on their elderly victims’ desire to find companions.
• Tech support scam: Criminals pose as technology support representatives and offer to fix non-existent computer issues. The scammers gain remote access to victims’ devices and sensitive information.
• Grandparent scam: Criminals pose as a relative—usually a child or grandchild—claiming to be in immediate financial need.
• Government impersonation scam: Criminals pose as government employees and threaten to arrest or prosecute victims unless they agree to provide funds or other payments.
• Sweepstakes/charity/lottery scam: Criminals claim to work for legitimate charitable organizations to gain victims’ trust. Or they claim their targets have won a foreign lottery or sweepstake, which they can collect for a “fee.”
• Home repair scam: Criminals appear in person and charge homeowners in advance for home improvement services that they never provide.
• TV/radio scam: Criminals target potential victims using illegitimate advertisements about legitimate services, such as reverse mortgages or credit repair.
• Family/caregiver scam: Relatives or acquaintances of the elderly victims take advantage of them or otherwise get their money.

Source: FBI.gov

Holiday Scams To Look Out For

Romance Fraud

Romance scams, occur when a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.

The criminals who carry out romance scams are experts at what they do and will seem genuine, caring, and believable. Con artists are present on most dating and social media sites.

The scammer’s intention is to establish a relationship as quickly as possible, endear himself to the victim, and gain trust. Scammers may propose marriage and make plans to meet in person, but that will never happen. Eventually, they will ask for money.

Scam artists often say they are in the building and construction industry and are engaged in projects outside the U.S. That makes it easier to avoid meeting in person—and more plausible when they ask for money for a medical emergency or unexpected legal fee.

If someone you meet online needs your bank account information to deposit money, they are most likely using your account to carry out other theft and fraud schemes.

Source: FBI.gov

The ‘Zelle Fraud’ Scam: An example of a Smishing or SMS Scam

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

A recent story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”

The fraudster then uses the code to complete the password reset process, and then changes the victim’s online banking password. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.

“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.”

Otsuka said credit unions offering other peer-to-peer banking products have also been targeted, but that fraudsters prefer to target Zelle due to the speed of the payments.

“The fraud losses can escalate quickly due to the sheer number of members that can be targeted on a single day over the course of consecutive days,” Otsuka said.

To combat this scam Zelle introduced out-of-band authentication with transaction details. This involves sending the member a text containing the details of a Zelle transfer – payee and dollar amount – that is initiated by the member. The member must authorize the transfer by replying to the text.

Unfortunately, Otsuka said, the scammers are defeating this layered security control as well.

“The fraudsters follow the same tactics except they may keep the members on the phone after getting their username and 2-step authentication passcode to login to the accounts,” he said. “The fraudster tells the member they will receive a text containing details of a Zelle transfer and the member must authorize the transaction under the guise that it is for reversing the fraudulent debit card transaction(s).”

In this scenario, the fraudster actually enters a Zelle transfer that triggers the following text to the member, which the member is asked to authorize: For example:

“Send $200 Zelle payment to Boris Badenov? Reply YES to send, NO to cancel. ABC Credit Union . STOP to end all messages.”

“My team has consulted with several credit unions that rolled Zelle out or are planning to introduce Zelle,” Otsuka said. “We found that several credit unions were hit with the scam the same month they rolled it out.”

The upshot of all this is that many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. Bob Sullivan, a veteran journalist who writes about fraud and consumer issues, says in many cases banks are giving customers incorrect and self-serving opinions after the thefts.

“Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.”

Sullivan notes that the Consumer Financial Protection Bureau (CFPB) recently announced it was conducting a probe into companies operating payments systems in the United States, with a special focus on platforms that offer fast, person-to-person payments.

“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in its Oct. 21 notice. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection under law.”

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to BigTechPaymentsInquiry@cfpb.gov. Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

Source: https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/