All posts by FPU

By the way, you didn’t win the lottery

Here’s a good rule of thumb when deciding how to respond to a potentially fraudulent email message, letter, telephone call or other type of communication: if a stranger walked up to you on the street and said the exact same thing, would you believe them?

For example, you’re walking down the street when a random guy in a shabby gray suit approaches you. He says, “Greetings, I am a foreign dignitary currently in exile and would like to ask for your assistance in transferring my fortune into the United States, totaling 250 million USD. If you help, I will let you keep 25% of that amount. I will need your checking account number to complete this process.”

You’d tell the clown to get lost.

Or perhaps he says, “Congratulations! You have been selected in the Canadian lottery as the top prizewinner! In order to claim your prize of 2.5 million USD, please give me a cashier’s check for $2,945.23 to cover taxes and other fees.”

Unless you’re very gullible, your reaction would be the same.

I know that the economy isn’t good at the moment. You might be facing layoffs, reduction in pay, or worse. Your employer might be going out of business completely. You get an email that promises instant riches and it seems like all your prayers have been answered.

These thieves know that. That’s why they’re in the fraud business to begin with. They’re counting on your sleepless nights of worrying about where you’re going to get the money to make it. And they’re only going to make your situation worse.

You have to keep your guard up. Imagine that offer coming from a stranger on the street, and you will instantly see through it.

New Identity Theft Laws in Indiana

The video is available here.

It looks like Indiana has been taking some proactive steps in the fight against identity crime, including stiffer penalties for violations (including child identity theft and businesses who don’t properly dispose of sensitive information).

It’s good that they’re trying to make it easier to block access to credit if your identity is stolen, but don’t be misled: identity theft is still a major hassle to go through.

They also don’t mention anything about whether or not the system would help in cases of medical or other types of identity theft. Since it’s mostly dealing with credit, I’m guessing not. Still, these new laws are a giant step in the right direction.

Gone Vishin’

It’s 9:30 at night when the phone rings.

The Caller ID displays “Card Services” and a toll-free number.

You pick up the phone, and an automated voice informs you that “your card has been compromised.” It gives you a phone number to call to take care of the issue. The phone number is the same number on the Caller ID display.

Now…what should you do?

If you answered, “hang up and ignore the call,” you’re right.

Currently, there is a move towards integrating older technologies with the Internet. Eventually, I believe these technologies will be fully integrated; your television signal, Internet connection and telephone service will all be traveling along the exact same lines as part of the same service. These different technologies will also become more “seamless” over time—there will be less of a distinct divide between how you use your TV and your computer, and between the content you will receive from both. Okay, you’ll probably still use your phone to call Mom, but the signal will be digital, and it will be traveling through the Internet.

However, there is a downside, at least for the time being: vishing. Using Internet telephone services (Voice over Internet Protocol, or VoIP), criminals are able to spoof Caller ID information, to make a phone call appear to be from a trusted entity such as a financial institution or credit card issuer.

Let’s face it, you’re more likely to believe a call from “Card Services” than you are a “Blocked Call” or “Unknown Caller.” And that’s the basis of how Vishing works.

What happens if you call the number as instructed? You will be instructed to enter your credit or debit card number, expiration date, PIN and other security information. This is pretty much everything a crook needs to use your card for fraudulent purposes. They might also attempt to get your personal information, such as date of birth or Social Security number—basically, everything they would need to commit identity theft.

Phishing Alert: 07/06/09

Emails and text messages that claim to come from Allegius Credit Union are rampant in Northwest Indiana right now. In fact, several REGIONAL employees have received these over the past two weeks.

Of course, not everyone who gets one of these messages is a member of Allegius, in which case it’s easy to see through the phishing attempt, like a few years ago when I received a phishing message that claimed to be from a credit union in Hawaii. However, Allegius does have a lot of members, and that’s what the criminals are counting on.

For example, let’s say they sent 100,000 emails, and 5,000 of those people are members. If only 1% of those people fall for it, they’ve got 50 account numbers, PINs, and probably some other information as well. That’s more than enough to do some serious damage and drain a lot of money from victims’ accounts.

I’m pasting the text of these email messages below. I don’t have an example of the text message version of this scam, but it essentially said the same thing: “your account has been suspended, please go to this site and log in.”

Your financial institution will never contact you in this way regarding account security. If you receive such messages, delete them immediately. Never click a link inside an email message of this nature, as it will take you to a website designed to appear legitimate, but set up for the sole purpose of stealing your information.

Example #1:

Subject: You have 1 new ALERT message

You have 1 new ALERT message
Please login into your Allegius Credit Union
account !
To Login, please click the link below:

Click Here

Copyright © 1998-2009 Allegius Credit Union All Rights Reserved.

Example #2:

Subject: Important Security Information

Dear Member,

Your It’s Me 247 Online Banking account has been locked temporarily due to many unsuccessful login attempts.

You are kindly advised to Login to It’s Me 247 Online Banking and follow the instructions on your screen.

The data submitted will be transmitted over an SSL encrypted connection (128 bit Secure Socket Layer).

The line about SSL encryption in the second message is a cute touch. Yet another attempt to make the message seem realistic. You might also think the phrase “You are kindly advised” seems a little off. It doesn’t seem like a phrase a financial institution would use, does it? It has a weird, “translated” aroma to it. Since a lot of these scams originate overseas, that’s probably not far from the truth.

Mystery Shopper Scam Variations

Lately I’ve been getting a ton of emails with offers for…you guessed it: mystery shopper jobs.

Naturally, I know these are a scam, but I did open one of them (after running a quick virus scan on it, just to be sure!). They are from a company called WA Surveys, allegedly based in Seattle. Run a Google search on that phrase and you’ll get all kinds of results confirming that it is indeed a scam. Better yet, Google “WA Surveys” and the word “scam.” This company has quite a colorful history.

I couldn’t help but notice the “from” line in these email messages, though; they were all apparently coming from…me. My email address was in both the “from” and “to” fields.

Odd, you might think, and you’d be correct. It’s also an excellent clue that you shouldn’t trust anything about that message. If they’re already trying to spoof the sending address, you know they’re up to something.

Of course, sometimes you’ll get messages that appear to be from people who are in your address book. I’ve had a couple of these same messages appear to be coming from other people right here at REGIONAL. I don’t know how the senders are able to do this (is it a hack, or are they just skimming email addresses from the Internet?), but it should still raise red flags—why would your supervisor be sending you a message about mystery shopper jobs?

If you’re truly unsure, contact the person directly and ask them. However, the text of the message should give you all the clues you need. In this case, it said “mystery shopper,” promised a lot of money, asked for personal information outright, and came from WA Surveys, signed by a Michael McDowell or Michael Friedman (both are aliases used by the same person).

Then again, if it turns out your supervisor actually is suggesting a new line of work for you, it might be time to start looking for a new job on your own. Just don’t fall for one of these bogus offers.
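As an added illustration (not part of the original post), here is how a mail filter could check for the two header clues described above: a message whose "from" and "to" addresses match, and a message that claims to come from a coworker. The Return-Path comparison goes beyond what the post describes; the function names and all addresses are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def _addr(value):
    """Bare, lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()


def _domain(addr):
    return addr.rpartition("@")[2]


def sender_red_flags(raw_message):
    """Return sorted header clues that the From line may be forged."""
    msg = message_from_string(raw_message)
    sender = _addr(msg.get("From"))
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    # Return-Path is stamped by the receiving mail server from the envelope
    # sender, not copied from the From line the reader sees.
    bounce = _addr(msg.get("Return-Path"))

    flags = set()
    if sender and sender in recipients:
        flags.add("from-equals-to")
    claims_our_domain = _domain(sender) in {_domain(r) for r in recipients}
    if sender and bounce and claims_our_domain and _domain(bounce) != _domain(sender):
        flags.add("own-domain-from-external-return-path")
    return sorted(flags)


def _sample(from_, return_path):
    # Constructed sample message; all addresses are placeholders.
    return (
        f"Return-Path: <{return_path}>\n"
        f"From: {from_}\n"
        "To: member@example.org\n"
        "Subject: Mystery shopper jobs available\n"
        "\n"
        "Earn money as a mystery shopper.\n"
    )


SELF_ADDRESSED = _sample("member@example.org", "bounce@bulk-mailer.example")
FAKE_COWORKER = _sample('"Your Supervisor" <boss@example.org>', "bounce@bulk-mailer.example")
REAL_COWORKER = _sample('"Your Supervisor" <boss@example.org>', "boss@example.org")

if __name__ == "__main__":
    for name in ("SELF_ADDRESSED", "FAKE_COWORKER", "REAL_COWORKER"):
        print(name, sender_red_flags(globals()[name]))
```

Neither flag proves fraud on its own (people do email themselves, and some legitimate services send on a company's behalf), so treat a hit as a reason to look closer at the message.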

Stay Vigilant

Nobody is ever 100% safe from fraud, scams or identity theft. Even if you’ve done everything possible to prevent becoming a victim, it can still happen.

Take, for example, the data breach at Heartland Payment Systems a few months ago. Through no fault of their own, thousands of people experienced unauthorized use of their credit or debit cards. It wasn’t that they fell for a phishing email or a fake phone call. They simply made a purchase or two at a store or restaurant that used Heartland as their card processor.

However, there is no reason to panic. By taking simple steps to stay safe on your end, you can drastically reduce your chances of becoming a victim of fraud.

The key is to be informed and vigilant. Know what the threats are, know how to spot a scam and keep a close watch on your financial statements, and you’ll be miles ahead of where the crooks would like you to be.

That’s why REGIONAL Federal Credit Union is bringing you this new website. We believe that education is key to achieving financial security and independence.

It’s not all doom and gloom, though. In fact, it is my aim to make this site as entertaining as possible (despite the admittedly bone-dry seriousness of this first post). I’ll be posting some Video Dispatches from the FPU very soon. Be sure to check those out. There’ll be enough weird props, strange pop culture references, silly music and bad acting for everyone, and you’ll learn something, too.

I’ll be learning, too. After all, there are new variations on these scams popping up all the time. It will be a chore to keep up, but I will do my best. In the meantime, questions, comments and suggestions are always welcome! Use the comment function below, or email me directly at cturpen@regionalfcu.org. Also be sure to follow the FPU on Twitter (@fraudprevunit). I’ll be posting tips and updates there as well.

And always remember: stay vigilant.