Category Archives: Phishing

App Store Scam targets iPhone and iPad users

If you’re an Apple iPhone or iPad user, be on the lookout for a recently discovered phishing scam, reported by security firm F-Secure.

It seems users of these devices are receiving emails informing them that their recent App Store purchase has been successfully cancelled. There is a link for order information, but it actually takes users to one of those pharmacy websites where they try to mine personal information.

The above linked article tells you more about it, and they make an excellent point: while the emails currently direct you to a drugstore site, which most savvy Internet users will reject right away, what if they decide to build an App Store lookalike page? Lots more people will be tricked.

There was one part of that made me laugh, though:

[T]he phony Apple AppStore message appears in email inboxes immediately after you purchase an app from Apple’s legitimate App Store. F-Secure is not sure how the scammers know you just bought something from the App Store.

Oh, I can tell you right now how they know you just made an App Store purchase: people who have iPhones and iPad always just made an App Store purchase. Do you have one of these devices? You’ve been to the App Store today, haven’t you? Come on, admit it!

Maybe I’m just jealous of your neat-o phone. Or maybe I’m not. I’ll never tell. Welcome to the Fraud Prevention Unit: your source for ambiguous digs at vast swathes of popular culture.

Email links: perhaps I’ve been too alarmist

I have mixed feeling about something I heard about at the credit union recently. It seems that some of our members have taken my advice about links in email messages deeply to heart, to the point that they’re afraid to click a link in any message (even an expected, monthly newsletter from us!).

On one hand, I’m thrilled that some people are listening and learning. The vast majority of the traffic for this site comes from search engines (an unintended result; the original idea was to specifically reach people in our geographic area), so it’s good to know that local folks are getting hip to the fraud prevention tip as well.

On the other hand, perhaps I’m fomenting paranoia and fear with all the dire warnings.

Here’s the deal: if you’re getting a regular email communiqué, such as a monthly electronic newsletter, from a trusted source, it’s okay to use the links contained therein. No scammer is going to go through the trouble of creating a monthly newsletter, with constantly-changing articles about the latest promotions and happenings at a financial institution, and place low-pressure, soft-sell links at the bottom of the page (which is exactly what REGIONAL sends out during the first week of each month).

What you want to be wary of is those unexpected messages that try to jolt you into acting without thinking; “YOUR ACCOUNT HAS BEEN SUSPENDED!” screams the message. “CLICK HERE TO VERIFY YOUR ACCOUNT!”

That’s the stuff you need to avoid—the unexpected, urgent-sounding message that addresses you as “Dear Customer” or “Dead Cardholder” or that contains poor spelling and/or grammar, and that instructs you to verify your personal information. If you’ve got an account at a bank, credit union or creditor, they already have your personal information. If they didn’t, you wouldn’t have an account.

NACHA Phishing Email

History sure is repeating itself an awful lot lately. In a similar vein to the FDIC Phishing Emails I wrote about the other day, now there are malicious messages that claim to be from NACHA, which contain links to what is very likely some form of virus or spyware.

NACHA is the National Automated Clearing House Association (not to be confused with NACHO, a tasty corn chip-based snack). The organization is involved in networks that handle ACH transactions for financial institutions across the country. Much of what NACHA does is regulatory rather than operational in nature.

Here’s a sample of the email:

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

Naturally, the link is fake. In this case it probably executes malicious code on your computer.

Add NACHA to the list with the FDIC and NCUA—none of these organizations ever contacts consumers directly. NACHA doesn’t even handle actual ACH transactions; they’re involved in the setup of the networks that handle them.

It’s important to get in the habit of ignoring email. Even when it’s not phishing or scams, ignoring email is a great way to save time (for example, I almost never open anything with “FW:” in the subject line, because they’re almost always dumb).

But when messages like this arrive, you must make sure to never click on the links, even “just to see.” While many phishing messages take you to pages designed to steal personal information, many (if not most) phishing websites now give you a one-two phishing/malware punch; if they can’t get you to enter your account numbers, at least they can hit your computer with some spyware, which will be loaded and executed before you can even blink.

Coca-Cola Scam on Facebook: what the heck is a ‘Coca-Cola Scam’?

Here’s the latest scam to make its home on Facebook.

A link shows up in one of your friends’ status that says, “I am part of the 98.3% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video.”

When you click the link, you are given the runaround (the video doesn’t exist at all) until finally you are taken to a poll that asks you to reveal personal information.

It’s almost as if the crooks have figured out how to make money off Facebook before Facebook did (Facebook has attracted billions from venture capitalists, but from what I’ve heard, they’ve yet to actually stumble upon a working business model).

When you’re on Facebook, you simply cannot implicitly trust links, even when posted by a friend. That goes double for links to ‘scandalous’ videos or images, such as the example here. Your friend’s account may have been compromised, or they might be posting links in an attempt to receive some form of payout or reward.

If you’re looking at a shortened URL (such as bit.ly), use a site like LongURL to preview it before you go. However, the URL might not necessarily be shortened (as in this case), although you can still use LongURL to preview most sites.

Another way to check is to google a phrase from the link, to see if news of a scam or phishing attack pops up. Again, though, if it’s brand new, the word might not have gotten out yet (and it takes time for things to appear in a Google search anyway).

Whatever you do, exercise caution at all times, and never enter personal information or passwords on any site that you arrived at via Facebook or Twitter. Once you’re logged in, there is no reason to log in again, and there is exactly zero reason to reveal nonpublic personal information.

FDIC Phishing Emails

This has happened before, and it’s happening once again now.

People are getting email messages that claim to be from the FDIC (Federal Deposit Insurance Corporation). This is the entity that watches over banks and makes sure you don’t lose your money if your bank would fold. The credit union version is called the NCUA (National Credit Union Administration). They both provide nearly identical services.

These emails inform the potential victim that their bank has failed, and that they need to “check [their] Deposit Insurance coverage” by clicking on a link within the message. Naturally, what happens next is that the scammers obtain your account number, password, and other personal information.

You can only use typography to convey emphasis to a certain extent without getting silly, so in lieu of typing the following in 72-point text, I’ll let bold italics do the job:

The FDIC (or NCUA) is never going to contact you via email for any reason, nor will they ever ask you for personal information, account numbers or passwords.

Got it? As Tom Hulce’s Mozart, on his deathbed, pressed F. Murray Abraham’s Salieri in Amadeus, “Do you have it? Do you have it?!

Good. If you get one of these messages, delete it immediately.

Social network phishing

I read an article the other day about Tweets promising free Twitter followers being a phishing scam.

I’d go into details, but it’s the same old story: you click on a link, which takes you to a website that asks for your Twitter username and password. Once the phishermen have this information, they lock you out of your own account and use it to perpetuate the phishing attack or to drive people to other scam websites. The same thing happens on Facebook. When one of your friends suddenly can’t seem to write in coherent language and starts shouting about some iffy product or cheap prescription drugs, that’s a sure sign of a phishing victim.

The thing that bothers me is how well it seems to be working. Why so much emphasis on increasing your Twitter followers?

If you’re a celebrity, I can understand why you’d end up with over a million followers just on the basis of  who you are. If you have a proactive sort of agent, you might even be encouraged to look at your number of followers as a metric of how much “star power” you’ve got.

If you work in the marketing department of a company and have spent six months convincing management that the company really needs a Twitter account, I can understand the desire to get as many followers as possible in a short amount of time.

However, if you’re just somebody who uses Twitter as a communication tool, what reason is there (beyond your ego) for thinking you need to add a hundred random followers (and subsequently falling for this scam)? Unless you’re doing something interesting on the site (telling us what your cat is doing is not one of them), I can’t think of any. For the 99% of us who are “just sorta there,” is there really any advantage to having scads of followers?

You might think this is going to lead into, “What’s the whole point of Twitter, and why don’t you just go outside for once?” but I’ll resist the temptation. Twitter’s neat, and I see the appeal. However, AOL was pretty neat at one time, too.

So have at it—use Twitter. Complain about the cruddy customer service at a store and see how scary-quick they respond to you. See what Pee-Wee Herman and LeVar Burton are up to. But never click on those “add more followers” links, and never, never, ever enter your username and password on a website other than the real Twitter page.

And go outside now and then.

Couldn’t resist.

Fraud Prevention Templates: how financial institutions will and will not contact you.

Financial institutions (FIs) and the Internet: two things that seem to work together so beautifully. How simple is it to check your balance or pay a bill online these days?

At the same time, phishers (phishermen?) have used this fact to commit millions of dollars worth of fraud and identity theft over the past decade. Is there a general rule to be derived here?

You can’t just say “never trust an email or a text from a financial institution,” because credit unions, banks and credit card companies definitely use email. There’s no arguing that point; I personally get most of my bills through email, and I stopped receiving paper statements years ago. It’s safer than postal mail as long as you use strong passwords, keep them to yourself, and change them up now and then.

Many FIs also offer services for mobile phones, from “your account is getting low on funds” text message alerts to mobile banking applications for “smart phones.”

So how do you tell the difference between a real email and a phishing attack? That brings us to today’s Fraud Prevention Template:

If an email or text message from a financial institution asks you to click a link to login and “verify” or “reactivate your account,” it is a phishing attack. Delete the message immediately.

FIs just don’t send these types of messages out.

When you open an account, your FI is required to get your personal information. They check this information against national databases to verify it. Once an account is open, they’ve got your information. There is no need to have you verify it online. Any verification is already complete.

Sometimes credit card companies may contact you regarding unusual activity on your card. This is a security feature. However, they also never ask you to verify personal information.

I got a call a while back, after a trip to Florida. An automated message gave the name of the card and said there had been some unusual activity. If I knew where the card was, it said to press “1.” Since the card was right there in my wallet, I pressed “1.” That was the end of the call. At no point did I have to verify personal information.

Of course, this also illustrates how important it is to keep your phone number, mailing address and other contact information current with any FI you have a relationship with.

If you sign up for text message alerts from an FI, you’ll also never be asked to verify or reactivate anything.

In all honesty, if there’s fraud on your account, you will probably be the first to notice it. If someone has your account number and password, your bank or credit union probably won’t know the difference, since they can’t see who is sitting behind that computer. Someone with stolen credentials siphoning a few hundred dollars out of an account won’t even register as suspicious. They won’t contact you—you’ll be the one calling them, asking where your money went.

Finally, if you’re unsure whether or not an email message might be genuine, the way to find out is not to click on that link. Call your FI directly, using either a number from their actual website or by looking in an old fashioned phone book.

However, I think you can skip that step. When it says “verify” or “reactivate,” it’s phony.

Fraud Alert: CUNA does not contact credit union members.

Reports of a phishing attack using the Credit Union National Association (CUNA) have come in from the Park Hills, Missouri area.

In this scam, victims were contacted on the telephone by an automated message claiming to represent CUNA and telling them their ATM cards had been deactivated. Victims were instructed to enter card numbers and PINs. It’s not known whether anyone fell for it.

CUNA is a trade organization for credit unions. They do not have your account details, or even know your name. They are not a financial institution; there is no such thing as a “CUNA account,” unless you’re a credit union and you’re buying Credit Union Youth Week marketing materials from them.

Never give out card numbers, PINs or other account information to anyone who requests it online or by phone. It doesn’t matter who they claim to be, what the caller ID says, or if it “sounds” like it could be legitimate. It never is. If you’re unsure, hang up and use a verified phone number to contact your financial institution directly.

Valentine’s Day scams: phishing, malware and identity theft.

It doesn’t matter what it is, there’s always a scam based on it.

As February 14th approaches, in addition to the usual horrible rom-com movies and terrible greeting card poetry, there are some specific types of fraud you’ll want to avoid.

Phishing

If you get an email that says your online floral purchase didn’t process and that you need to re-enter your credit card information, it’s a safe bet you’re looking at a phishing message.

The link embedded in this email will take you to a site that might look legitimate, but is really only designed to steal your card information and possibly install malware on your computer. Delete the message with extreme prejudice. If you think it might be legit, contact the company directly, but most likely you’ll find out it was a scam.

It’s another example of how crooks adapt to the situation. 99% of the time, if you received this message, you’d know it was a scam. However, around the middle of February, there are hundreds of thousands of people to whom the phrase “just bought flowers online” applies. When this message goes out, it’s probably going to find a lot of potential victims.

Malware

I dislike e-cards. I really do. I don’t think I’ve opened one since around 1998, actually. To me, they’re either a waste of time (when they’re out of the blue) or a way to say “wanted to technically contact you, but didn’t want to spend $2 on a card and the sound of your voice is like nails on a chalkboard to me” (when they’re sent for holidays and birthdays). In any case, they’re never entertaining or sincere.

They’re also a source of malware infections. When you get an email that says you’ve got an e-card, proceed with caution. If you want to read it, the best thing you can do is contact the supposed sender directly to find out if they actually sent it to you. However, even the e-card sites that aren’t trying to nuke your computer with viruses can still annoy by installing adware. In any case, make sure your virus and spyware protection are up-to-date.

What I do is just delete them outright. If somebody asks, “Hey, ‘ja get that e-card I sentcha?” just reply, “Yeah—it was really great, thanks!” and leave it at that. Most of the time, you’ll be fine.

Identity Theft

People are looking for dates around this time of year, too. If you’re really desperate to have a date on 2/14, I guess my first piece of advice would be to ask yourself some tough questions, but if you can’t get past the idea of being single on V-Day, watch out when it comes to online dating sites.

First, there are fake dating sites designed to harvest credit card and personal information, putting you at risk of fraud. There are also people who post fake profiles, in an attempt to lure you into revealing personal information that can be used for identity crimes. Stick with the larger, more well-known sites, use a screen name instead of your real name, and set up a new email account with one of the free web-based providers. That way, you’re covered if they sell your address to spammers, and no weirdoes end up with your “real” email address. It makes it easier to disappear.

Don’t trust links to any dating sites that come in the form of unsolicited emails or via Twitter or Facebook. Those are almost always going to not be what is promised.

If it were me, I’d probably skip the online avenue altogether and consider attending a social event. Everywhere from churches to bowling alleys have singles events this time of year. Maybe try that; at least you won’t have to give up your credit card numbers.

Phishing Alert: “An unauthorized transaction billed from your bank card.”

Full text:

From: American Bankers Association
Date: Tuesday, January 26, 2010 7:41 AM
To: [incorrect address]
Subject: An unauthorized transaction billed from your bank card

An unauthorized transaction billed from your bank card.

Amount of transaction: $4939.02
Transaction ID: 398-0919604

Please review the transaction report by clicking the link below:

get the transaction report

———
Letter ID 5220-3934725346-65909286289-61670943682-28564758046-54608776360-66971173579

As usual, the way to respond to this message (assuming you’re not a fraud blogger) is to just delete it after you read the subject line. It’s a fairly obvious phishing attempt, from the disguised link to the large amount of the alleged transaction (which is supposed to make you panic and react without thinking).

The words “get the transaction report” contain a link to a site hosted at “getreport.aba.com.gertfdv.am” (as usual, don’t you even dare visit the site!). Now, I don’t know everything about the ABA, but I know this: their website is not hosted in Armenia (“.am”).

I also know another thing about the American Bankers Association: they don’t issue fraud alerts or unauthorized transaction reports to individual bank customers. Notice how it just says “bank card,” without specifying exactly which bank’s card has supposedly been compromised. That’s one of the top five warning signs of phishing.

If you receive the above message or anything similar, it is a phishing attack and you should delete it right away. And keep your cursor away from that link!