
We have recently seen an increase in fraudulent activity targeting our Members through phishing scams using text messages, email, and phone. To help combat this rise in illicit behavior, we ask you to never click on unsolicited links or respond to suspicious texts, emails, or calls. For more information, click here.


Fraud and Common Scams

Fake text messages are also known as smishing attempts. Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies. These messages are intended to trick you into providing personal information, such as passwords, Social Security numbers, or credit card numbers. The fraudsters then use this information to gain access to your bank account or email.

These text messages can be very convincing, as the criminals are trying to entice you to click on the link. Below are some examples of smishing attempts. Notice how legitimate these messages appear:

What to do if you receive a Smishing text:

  • Block the phone number. If you are unsure how, reach out to your wireless carrier for help.
  • If you are unsure about whether or not the text is a scam, it’s best to contact the sender directly using a company phone number that you know to be legitimate.

What NOT to do:

  • Do not click on the link within the text message.
  • Do not reply to the text message. Replies can be used by the criminals to validate your phone number.
  • Do not be tricked by a local phone number. Fraudsters have technology that makes the text look like it is coming from a local number.

The Federal Trade Commission provides more resources to learn about Smishing attempts here: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

A new smishing attack has recently surfaced that targets iPhone users and their Apple ID. This attack sends a text message to you stating that your Apple ID is locked and that you need to click on the link and type in your Apple ID and password. Apple is not sending these messages. A malicious attacker is, and wants to get your information.

Below is an example of how the text message looks:

Please be on the lookout for texts similar to the one above.

Signs That It’s A Scam

  1. Scammers PRETEND to be from an organization you know.

Scammers often pretend to be contacting you on behalf of the government. They might use a real name, like the Social Security Administration, the IRS, or Medicare, or make up a name that sounds official. Some pretend to be from a business you know, like a utility company, a tech company, or even a charity asking for donations.

They use technology to change the phone number that appears on your caller ID. So the name and number you see might not be real.

  2. Scammers say there’s a PROBLEM or a PRIZE.

They might say you’re in trouble with the government. Or you owe money. Or someone in your family had an emergency. Or that there’s a virus on your computer.

Some scammers say there’s a problem with one of your accounts and that you need to verify some information.

Others will lie and say you won money in a lottery or sweepstakes but have to pay a fee to get it.

  3. Scammers PRESSURE you to act immediately.

Scammers want you to act before you have time to think. If you’re on the phone, they might tell you not to hang up so you can’t check out their story.

They might threaten to arrest you, sue you, take away your driver’s or business license, or deport you. They might say your computer is about to be corrupted.

  4. Scammers tell you to PAY in a specific way.

They often insist that you pay by sending money through a money transfer company or by putting money on a gift card and then giving them the number on the back.

Some will send you a check (that will later turn out to be fake), tell you to deposit it, and then send them money.

Source: https://www.consumer.ftc.gov/articles/how-avoid-scam

Amazon Scams

There is no shortage of online shopping during normal times, and the pandemic has accelerated our usage of online shopping, resulting in even more scams taking place on the largest retail store, Amazon. These scams and frauds are threats to both the consumer and business owner.

Consumer Threats

  • Phishing scams: This is when someone contacts you and pretends to be a representative of Amazon, offering a discount or asking for more information. Their goal is to gather more information to take your money or your identity. These can be in the form of a text or email and include links with viruses that can retrieve passwords.
  • Email Scams: Remember, Amazon will never ask for your personal details and will not list a customer’s email address or shipping address. Don’t be fooled by an authentic-looking address. Also, Amazon doesn’t ever ask you to log in via an email. Even if the email looks legitimate, only logging in directly on Amazon will guarantee your account remains safe.

Seller Threats:

  • Failed Delivery Scam: When a customer says they didn’t receive a package when in fact they did. This can hurt the seller by depleting profits. A simple fix can be using track-and-trace postage.
  • The Replace and Refund Scam: When a customer asks for a refund and then returns the item, except the item is not the one ordered but a previously purchased or stolen one of the same kind, that has been broken or is old. This scam can be countered by performing a quality test, then attaching a tamper-proof sticker.

(Source: blog.edesk.com)

Elder Fraud

Elderly individuals tend to be more trusting and have more savings and assets. Because of this, some forms of fraud specifically target the elderly; these are categorized as Elder Fraud.

Types of Elder Fraud:

  • Romance scam: Criminals pose as interested romantic partners on social media or dating websites to capitalize on their elderly victims’ desire to find companions.
  • Tech support scam: Criminals pose as technology support representatives and offer to fix non-existent computer issues. The scammers gain remote access to victims’ devices and sensitive information.
  • Grandparent scam: Criminals pose as a relative—usually a child or grandchild—claiming to be in immediate financial need.
  • Government impersonation scam: Criminals pose as government employees and threaten to arrest or prosecute victims unless they agree to provide funds or other payments.
  • Sweepstakes/charity/lottery scam: Criminals claim to work for legitimate charitable organizations to gain victims’ trust. Or they claim their targets have won a foreign lottery or sweepstake, which they can collect for a “fee.”
  • Home repair scam: Criminals appear in person and charge homeowners in advance for home improvement services that they never provide.
  • TV/radio scam: Criminals target potential victims using illegitimate advertisements about legitimate services, such as reverse mortgages or credit repair.
  • Family/caregiver scam: Relatives or acquaintances of the elderly victims take advantage of them or otherwise get their money.

Source: FBI.gov

Holiday Scams To Look Out For

When shopping online during the holiday season—or any time of year—always be wary of deals that seem too good to be true.

The two most prevalent of the holiday scams are non-delivery and non-payment crimes. In a non-delivery scam, a buyer pays for goods or services they find online, but those items are never received. Conversely, a non-payment scam involves goods or services being shipped, but the seller is never paid.

Similar scams to beware of this time of year are auction fraud, where a product is misrepresented on an auction site, and gift card fraud, when a seller asks you to pay with a pre-paid card.

Source: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/holiday-scams

How To Avoid Holiday Scams

Practice good cybersecurity hygiene. 

  • Don’t click any suspicious links or attachments in emails, on websites, or on social media. Phishing scams and similar crimes get you to click on links and give up personal information like your name, password, and bank account number. In some cases, you may unknowingly download malware to your device.
  • Be especially wary if a company asks you to update your password or account information. Look up the company’s phone number on your own and call the company.

Know who you’re buying from or selling to.

  • Check each website’s URL to make sure it’s legitimate and secure. A site you’re buying from should have https in the web address. If it doesn’t, don’t enter your information on that site.
  • If you’re purchasing from a company for the first time, do your research and check reviews.
  • Verify the legitimacy of a buyer or seller before moving forward with a purchase. If you’re using an online marketplace or auction website, check their feedback rating. Be wary of buyers and sellers with mostly unfavorable feedback ratings or no ratings at all.
  • Avoid sellers who act as authorized dealers or factory representatives of popular items in countries where there would be no such deals.
  • Be wary of sellers who post an auction or advertisement as if they reside in the U.S., then respond to questions by stating they are out of the country on business, family emergency, or similar reasons.
  • Avoid buyers who request their purchase be shipped using a certain method to avoid customs or taxes inside another country.

Be careful how you pay.

  • Never wire money directly to a seller.
  • Avoid paying for items with pre-paid gift cards. In these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item.
  • Use a credit card when shopping online and check your statement regularly. If you see a suspicious transaction, contact your credit card company to dispute the charge.

Monitor the shipping process.

  • Always get tracking numbers for items you buy online, so you can make sure they have been shipped and can follow the delivery process.
  • When you are selling, be suspicious of any credit card purchase where the address of the cardholder does not match the shipping address. Always receive the cardholder’s authorization before shipping any products.

Source: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/holiday-scams

Other Ways To Avoid Holiday Scams

Online shopping? Pay by credit card. Credit cards give you extra protection for most online purchases.

Buy gift cards for gifts, not for payments. Anyone who contacts you and demands that you pay them with a gift card, for any reason, is always a scammer.

Research charities before you donate. With the generous spirit of the holidays, and with year-end fundraising, it’s the season for donations. Make sure your donation goes where you want it to, not into the hands of a scammer. If someone calls, asking you to give to a charity, don’t let them rush you into making a donation. Instead, research the charity to make sure your donation counts.

Source: https://www.consumer.ftc.gov/blog/2019/12/top-tips-avoiding-scams-holidays

Romance Fraud

Romance scams occur when a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.

The criminals who carry out romance scams are experts at what they do and will seem genuine, caring, and believable. Con artists are present on most dating and social media sites.

The scammer’s intention is to establish a relationship as quickly as possible, endear himself to the victim, and gain trust. Scammers may propose marriage and make plans to meet in person, but that will never happen. Eventually, they will ask for money.

Scam artists often say they are in the building and construction industry and are engaged in projects outside the U.S. That makes it easier to avoid meeting in person—and more plausible when they ask for money for a medical emergency or unexpected legal fee.

If someone you meet online needs your bank account information to deposit money, they are most likely using your account to carry out other theft and fraud schemes.

Source: FBI.gov

The ‘Zelle Fraud’ Scam: An example of a Smishing or SMS Scam

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

A recent story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”

The fraudster then uses the code to complete the password reset process, and then changes the victim’s online banking password. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.

“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.”

Otsuka said credit unions offering other peer-to-peer banking products have also been targeted, but that fraudsters prefer to target Zelle due to the speed of the payments.

“The fraud losses can escalate quickly due to the sheer number of members that can be targeted on a single day over the course of consecutive days,” Otsuka said.

To combat this scam, Zelle introduced out-of-band authentication with transaction details. This involves sending the member a text containing the details of a Zelle transfer – payee and dollar amount – that is initiated by the member. The member must authorize the transfer by replying to the text.

Unfortunately, Otsuka said, the scammers are defeating this layered security control as well.

“The fraudsters follow the same tactics except they may keep the members on the phone after getting their username and 2-step authentication passcode to login to the accounts,” he said. “The fraudster tells the member they will receive a text containing details of a Zelle transfer and the member must authorize the transaction under the guise that it is for reversing the fraudulent debit card transaction(s).”

In this scenario, the fraudster actually enters a Zelle transfer that triggers a text to the member, which the member is asked to authorize. For example:

“Send $200 Zelle payment to Boris Badenov? Reply YES to send, NO to cancel. ABC Credit Union. STOP to end all messages.”
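The sequence described above can be watched for on the institution's side. The following is an added example, not part of the original article or any vendor's code: it flags a completed password reset followed within an hour by a P2P transfer to a payee the member has never paid, and rates the alert higher when the member has no prior P2P history. The event names, fields, 60-minute window and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events. Event names and fields are assumptions made for
# this example, not the schema of any real online-banking or Zelle system.
SAMPLE_EVENTS = [
    # member-a: established P2P user, routine reset, pays a known payee
    ("2021-11-01T09:00:00", "member-a", "p2p_transfer",
     {"payee": "landlord", "amount": 900, "oob_reply": "YES"}),
    ("2021-11-20T10:00:00", "member-a", "password_reset_completed", {}),
    ("2021-11-20T10:20:00", "member-a", "p2p_transfer",
     {"payee": "landlord", "amount": 900, "oob_reply": "YES"}),
    # member-b: reset, then first-ever P2P transfer seven minutes later
    ("2021-11-20T14:02:00", "member-b", "password_reset_completed", {}),
    ("2021-11-20T14:09:00", "member-b", "p2p_transfer",
     {"payee": "payee-x", "amount": 200, "oob_reply": "YES"}),
    # member-c: has P2P history, but reset is followed by a brand-new payee
    ("2021-11-05T08:00:00", "member-c", "p2p_transfer",
     {"payee": "sibling", "amount": 50, "oob_reply": "YES"}),
    ("2021-11-21T11:00:00", "member-c", "password_reset_completed", {}),
    ("2021-11-21T11:15:00", "member-c", "p2p_transfer",
     {"payee": "payee-y", "amount": 500, "oob_reply": "YES"}),
    # member-d: new payee, but the reset happened two days earlier
    ("2021-11-10T12:00:00", "member-d", "password_reset_completed", {}),
    ("2021-11-12T12:00:00", "member-d", "p2p_transfer",
     {"payee": "friend", "amount": 40, "oob_reply": "YES"}),
]


@dataclass
class Alert:
    member: str
    payee: str
    amount: float
    minutes_after_reset: float
    first_p2p_use: bool
    severity: str


def detect_reset_then_transfer(events, window=timedelta(minutes=60)):
    """Flag P2P transfers to a new payee shortly after a password reset.

    The member's out-of-band reply ("oob_reply") is deliberately ignored:
    in the scam described above the member is coached to reply YES, so an
    approval does not show that the member originated the transfer.
    """
    last_reset = {}    # member -> time of the most recent completed reset
    known_payees = {}  # member -> payees paid without raising an alert
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ts_text, member, kind, detail in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_text)
        if kind == "password_reset_completed":
            last_reset[member] = ts
            continue
        if kind != "p2p_transfer":
            continue
        payees = known_payees.setdefault(member, set())
        reset_at = last_reset.get(member)
        recent_reset = reset_at is not None and ts - reset_at <= window
        new_payee = detail["payee"] not in payees
        if recent_reset and new_payee:
            first_use = not payees  # no earlier unflagged P2P activity
            alerts.append(Alert(
                member=member,
                payee=detail["payee"],
                amount=detail["amount"],
                minutes_after_reset=(ts - reset_at).total_seconds() / 60,
                first_p2p_use=first_use,
                severity="high" if first_use else "medium",
            ))
        else:
            # Only unflagged payees become "known", so repeated transfers
            # to the same suspicious payee keep alerting inside the window.
            payees.add(detail["payee"])
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_transfer(SAMPLE_EVENTS):
        print(alert)
```

An alert of this kind is a reason to hold the transfer and call the member back on a number already on file, which mirrors the "Hang up, Look Up, and Call Back" advice from the institution's side.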

“My team has consulted with several credit unions that rolled Zelle out or are planning to introduce Zelle,” Otsuka said. “We found that several credit unions were hit with the scam the same month they rolled it out.”

The upshot of all this is that many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. Bob Sullivan, a veteran journalist who writes about fraud and consumer issues, says in many cases banks are giving customers incorrect and self-serving opinions after the thefts.

“Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.”

Sullivan notes that the Consumer Financial Protection Bureau (CFPB) recently announced it was conducting a probe into companies operating payments systems in the United States, with a special focus on platforms that offer fast, person-to-person payments.

“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in its Oct. 21 notice. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection under law.”

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to BigTechPaymentsInquiry@cfpb.gov. Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

Source: https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/


The fraudster then uses the code to complete the password reset process, and then changes the victim’s online banking password. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.

“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.”

Otsuka said credit unions offering other peer-to-peer banking products have also been targeted, but that fraudsters prefer to target Zelle due to the speed of the payments.

“The fraud losses can escalate quickly due to the sheer number of members that can be targeted on a single day over the course of consecutive days,” Otsuka said.

To combat this scam, Zelle introduced out-of-band authentication with transaction details. This involves sending the member a text containing the details of a Zelle transfer (payee and dollar amount) that is initiated by the member. The member must authorize the transfer by replying to the text.

Unfortunately, Otsuka said, the scammers are defeating this layered security control as well.

“The fraudsters follow the same tactics except they may keep the members on the phone after getting their username and 2-step authentication passcode to login to the accounts,” he said. “The fraudster tells the member they will receive a text containing details of a Zelle transfer and the member must authorize the transaction under the guise that it is for reversing the fraudulent debit card transaction(s).”

In this scenario, the fraudster actually enters a Zelle transfer that triggers a text to the member, which the member is asked to authorize. For example:

“Send $200 Zelle payment to Boris Badenov? Reply YES to send, NO to cancel. ABC Credit Union. STOP to end all messages.”
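For fraud teams at institutions that offer Zelle, the sequence described above (a password reset completed with a one-time code, followed shortly by a transfer to a payee the member has never paid) can be flagged from account event logs even when the member replies YES to the confirmation text. The following is an added example, not part of the original article or any institution's system. The event names, fields, sample data and 60-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events using a hypothetical schema (not a real log format).
EVENTS = [
    {"ts": "2021-11-01T10:00:00", "member": "m1001", "type": "password_reset_completed"},
    {"ts": "2021-11-01T10:07:00", "member": "m1001", "type": "zelle_transfer",
     "payee": "p-new-1", "amount": 200},
    {"ts": "2021-11-01T09:00:00", "member": "m2002", "type": "zelle_transfer",
     "payee": "p-known", "amount": 50},
    {"ts": "2021-11-01T11:00:00", "member": "m2002", "type": "password_reset_completed"},
    {"ts": "2021-11-01T11:20:00", "member": "m2002", "type": "zelle_transfer",
     "payee": "p-known", "amount": 40},
    {"ts": "2021-11-01T12:00:00", "member": "m3003", "type": "password_reset_completed"},
    {"ts": "2021-11-03T12:00:00", "member": "m3003", "type": "zelle_transfer",
     "payee": "p-new-2", "amount": 75},
]

WINDOW = timedelta(minutes=60)  # assumed review window, tune per institution


def flag_reset_then_transfer(events, window=WINDOW):
    """Return transfers to a never-before-paid payee that occur within
    `window` of a completed password reset on the same member account."""
    last_reset = {}    # member -> time of most recent completed reset
    known_payees = {}  # member -> payees this member has already paid
    flagged = []
    # ISO-8601 timestamps of equal length sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        member = ev["member"]
        if ev["type"] == "password_reset_completed":
            last_reset[member] = ts
        elif ev["type"] == "zelle_transfer":
            payees = known_payees.setdefault(member, set())
            reset_ts = last_reset.get(member)
            is_new_payee = ev["payee"] not in payees
            if is_new_payee and reset_ts is not None and ts - reset_ts <= window:
                # The member's SMS "YES" does not clear this flag: the scam
                # works by coaching the member to approve the transfer.
                flagged.append({
                    "member": member,
                    "payee": ev["payee"],
                    "amount": ev["amount"],
                    "minutes_after_reset": int((ts - reset_ts).total_seconds() // 60),
                })
            payees.add(ev["payee"])
    return flagged


if __name__ == "__main__":
    for hit in flag_reset_then_transfer(EVENTS):
        print("HOLD FOR REVIEW:", hit)
```

A flagged transfer is a candidate for a hold and a call back to the member on a number already on file, in line with the "Hang up, Look Up, and Call Back" advice.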

“My team has consulted with several credit unions that rolled Zelle out or are planning to introduce Zelle,” Otsuka said. “We found that several credit unions were hit with the scam the same month they rolled it out.”

The upshot of all this is that many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. Bob Sullivan, a veteran journalist who writes about fraud and consumer issues, says in many cases banks are giving customers incorrect and self-serving opinions after the thefts.

“Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.”

Sullivan notes that the Consumer Financial Protection Bureau (CFPB) recently announced it was conducting a probe into companies operating payments systems in the United States, with a special focus on platforms that offer fast, person-to-person payments.

“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in its Oct. 21 notice. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection under law.”

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to BigTechPaymentsInquiry@cfpb.gov. Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

Source: https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/
