Tell Scams To Scram.

What it is:
When someone makes accessible an electronic device such as a USB drive that is preloaded with malware with the intent that you will use the device and allow them access into your computer.

How to protect yourself:
Do not leave your computer unattended and do not use preloaded devices unless you know they are from a trusted source.

What it is:
Botnets are groups of computers (robot networks) that work together without your knowledge to scan computers for vulnerable software holes and access important information. Each computer added to the robot network increases its overall strength.

What it does:
If your computer is vulnerable and becomes part of the botnet, it may attack through keylogging; spam or phishing scams; click fraud (activates viruses through clicking other sites); denial of service (using numerous infected devices to access a single website causing it to become unresponsive); and stealing, storing, or propagating wares (Illegally obtained or pirated software).

 How to protect yourself:
Protect yourself by using updated anti-virus and anti-spyware programs. Disconnect online when you are not using your computer to avoid activity while you’re away. It’s also best not to click on sites you don’t trust, monitor your ‘Sent’ and ‘Outgoing’ email boxes for messages you didn’t send, and be cautious about opening email attachments regardless of who they are from.

What it is:
Credential stuffing is an attempt by a fraudster to use previously exposed credentials to attempt to log into your digital banking accounts. These previously exposed credentials are often from other breaches that you may or may not have heard about. Fraudsters collect the lists and create an attack using these credentials in hopes that users have re-used their credentials on multiple platforms.

How to protect yourself:
To help reduce the risk of credential stuffing take the following precautions:

• Don’t re-use credentials: The attacks are specifically targeted at people who re-use login credentials (username and passwords) across multiple platforms so having different logins helps lower your risk of being a target.
• Create a complex username: Simple usernames are easier to determine and may be targeted more frequently in stuffing attacks. Consider using a combination of special characters (@, #, $, etc.), numbers, and capitalizations to create a longer (preferably more than 8 characters) and more unique username.
• Change your password frequently: Creating a new password every 3-4 months helps make your account credentials more secure.

What it is:
Keylogging uses a device (hardware) or program (software) to track and record what you type. If it’s in a software program, a file is created and sent to a specified recipient. If it’s in hardware, the person who installed the hardware must retrieve it in order to access the information gathered.

What it does:
Keyloggers are typically used maliciously to gain account numbers, PINs, usernames and passwords. A keylogger can be installed undetected via a virus or spyware, which then uses trojans to execute. The program also can use email to direct you to respond or click on an attachment and enter personal information. Keyloggers sit on various websites waiting to install themselves on unpatched or unsecured machines that hit their site.

How to protect yourself:
In addition to the tips found on the Computers & Laptops section on our Electronic Device Security page, you can protect yourself by doing the following:

• Make sure all the programs running on your computer are ones you recognize. If you do not recognize a program, get advice immediately to determine if it should be uninstalled.
• Be wary of emails from banking or financial institutions (whether it is one you use or not), and Pay Pal. Do not respond if you believe the email is fraudulent – remember never send personal or financial information via email.
• Visually inspect the back of the computer. Look specifically for a small connector device between the keyboard wire and the computer.

A word of note:
Keylogging also has constructive purposes including software development. The examination of keystrokes will indicate any errors, which developers can easily correct. Some employers use keylogging to determine the productivity of employees, or to ensure work computers are used for business purposes. Law enforcement officials may use keyloggers to circumvent applied security measures and obtain passwords or encryption keys. Concerned parents might use them to monitor their children’s online activity.

What it is:
An email phishing scam is a fraudulent email message that appears to be from a person or company you know.  It attempts to illegally gather personal and/or financial information from you.

A phishing email typically includes at least one link to a fake website, which may be designed to mimic the site of a legitimate business. The email is designed to entice you into providing information that could be used for identity theft or online financial theft. These scams will often try to scare you into action by threatening to close your accounts if you don’t respond.

How to protect yourself:
If you are suspicious of phishing based on the sender or subject details, don’t open the email. If you do open it, do not open attachments or click links and don’t respond if prompted to verify your information. Remain vigilant, phishers have been known to use real company logos to make their communications appear legitimate and also have used spoofed email addresses, which may be similar to the actual company’s address.

To learn more about phishing and other ways to recognize and avoid phishing scams, please visit Norton Security Center.

Common phishing scams:
The Federal Trade Commission (FTC) gives these examples of phishing messages:

• “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
• “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
• “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

Click here to read more about what the FTC advises to avoid phishing.

Also be aware:
There is a second type of phishing known as “spear phishing” where a user receives a fake email from a hacker posing as a colleague or friend. The email contains a dirty link or file corrupt with malware. If you receive an email from someone you know that seems out of the ordinary (misspellings when there typically aren’t any, they are not making sense, they make an unusual request, etc.) or an email containing only a link, do not open it or respond. In this type of scam, the fake email may even appear as the exact email you typically receive from this person.

What it is:
While phishing requires victims to voluntarily visit a fraudulent site, pharming simply redirects victims to fraudulent websites without assistance.

How to protect yourself:
Pharming is only successful when software or server vulnerabilities exist; otherwise, the criminal needs an insider to make unauthorized changes in order to redirect site visitors. To prevent these scams, we work diligently to manage and update our server software while maintaining a high standard of security.

What it is:
Smishing uses phishing tactics through SMS (text message) communication and attempts to obtain sensitive information by impersonating a trustworthy source. It is especially dangerous because, on rare occasion, these scams can infect your phone with a virus, too.

How to protect yourself:
If you are suspicious of smishing based on the sender or subject details alone, don’t open the message. If you do open it, do not open attachments, click links or call phone numbers and don’t respond if prompted to verify your information. Use your usual log in processes to check your account and call the company directly.

What it does:
Caller ID spoofing is the process of changing the caller ID to any number other than the calling number. This is done through an online service that, for a fee, creates a conference-type phone call connecting the user with the number they provide. This tactic is often used to impersonate a trusted person or organization in order to gain sensitive information.

How to protect yourself:
If you experience this situation, remember the following:

• TruStone will not call you and request personal information – if someone does it’s probably a scam. If you receive a suspect call from someone posing as a credit union employee, hang up and call the credit union directly (phone numbers can be found on this website, our digital banking app, or on your statement).
• It’s usually a good practice to never give out any personal information over the telephone.
• When giving out any information, it’s a good practice to verify the person on the other end of the phone before doing so.

What it does:
Trojans attempt to gain information from your computer by disguising as a trusted program. Spyware attempts to gather information about you and your browsing habits in order to send you targeted ads via spam email. Both are often hidden inside other programs (e.g., screen savers, time and date updaters, weather updaters) and infect your computer when the program runs.

How to protect yourself:
Avoid these by being aware of what you install on or download to your computer. If you are unsure of its legitimacy, search for reliable information regarding the program before adding it to your system. Updated anti-virus and spyware detection programs also are helpful in protecting your computer.

If you think you’ve been infected, update all virus definitions and run a full scan with your anti-virus software. If your system still appears compromised, fix it and change your password again. Also, check your online accounts (email, bank accounts) and change those passwords in case they have been compromised.

What it is:
Vishing is the voice version of email phishing and may be paired with VoIP (Voice over IP, i.e., phone calls through web) to gather personal information.

The scammer contacting you is attempting to trick or scare you into handing over sensitive financial or personal information, which may end up being used for identity theft or online financial theft. The scammer may be impersonating a legitimate entity employee (i.e., a TruStone employee) and/or use a local area code when asking you to provide sensitive information.

How to protect yourself:
Be skeptical of anyone contacting you and attempting to obtain your private banking details or any sensitive information about you. Never provide personal information over the phone. If in doubt, hang up, look for the number of the company on their website and call the company directly to ensure it was a legitimate call and request. Never use the phone number the caller provides. When researching this information on the company website, make sure the website is legitimate.

TruStone will never contact you asking for your card number or online banking information.  Contact us immediately if you receive such a request.

What it is:
Wire fraud is when a fraudster poses as a trusted source, this can be a family member, company, or vendor that requests an immediate transfer of funds. The fraudster will play up the urgent need for the funds, often claiming an emergency to emotionally manipulate their victim. Wire transfers are an immediate form of payment and typically irreversible. This is why scammers find wire transfers so attractive.

How to protect yourself:
Never send money to someone you do not know or have not met.

Common Wire Fraud Scams:

• Wire transfer phishing: Also called “wire transfer fraud,” wire transfer phishing is a type of “social engineering attack” that uses impersonation to trick the victim into transferring money to the attacker.
• Advance-fee loans: After submitting a loan application, the victim is asked to wire processing payments to a lender. Once the victim wires the money, they never receive the loan. In addition, the crooks have the victims’ bank account information.
• Classified ad purchases – fake sellers: con artist posts a bogus advertisement for a vehicle (car, motorcycle, etc..) or other high-ticket items then asks for payment via wire transfer. Other times, scammers may suggest the use of a phony escrow company.
• Classified ad purchases – fake buyers: Swindlers browse online classifieds, auto sales journals and newspapers for potential victims. They contact those advertising cars, electronics or just about anything of value, pretending to be an interested buyer. Payment arrives as a counterfeit check – often for more than the sale price. The Seller is instructed to wire the extra amount to a third party or reimburse the difference. Typically, con artist claims the wired money is payment for an intermediary to ship the item. Other times, scammer(s) may send a check for the correct amount, then back out of the deal and ask for a refund.
• Cryptocurrency scams: Be extremely wary of anyone offering to deal with payments in cryptocurrency. In many cases, there are no safeguards in place when these products are used for payment.
• Fake lotteries and sweepstakes: Our member may receive a certificate indicating that they have won a big prize with a check. The victim is told to keep some of the money and send a wire transfer to cover a “processing fee” or vague taxes. Once the money is wired, the victim never sees their prize. You cannot legally play a foreign lottery in the United States, so those pitches are always scams.
• Foreign business or investment scam: Our member is approached with an offer to fund a lucrative investment or business opportunity, usually in another country. They are then directed to act quickly and keep the deal a secret, especially if questioned by their bank or credit union when sending the wire.
• Investment Scams – Scammers use email or phone calls to offer fraudulent investment opportunities. These often promise high returns or guaranteed profits that in high insight are to good to be true.
• Online Shopping Scams can be difficult to spot because the scammers often create realistic websites and social media ads with great deals, fake assurances, and bogus warranties for their products. Tricking our member(s) into believing the legitimacy of the products offered. Typically, the scammer requests payment through a wire transfer (or mobile payment app) because they are usually irreversible.
• Real Estate Wire Scams occur when a member who is buying or refinancing a home wires money to a scammer’s account based on false wiring instructions received in a phishing email. If the member has received a last-minute change or urgent request to wire money to avoid losing the property, ask them to contact their mortgage consultant. Advise the member not to call a new number or respond to an email with new instructions.
• Relatives in need of help – Family emergency (Grandparent scam): The victim receives a desperate phone call, email or even an instant message from someone posing as a grandchild, family member, or a friend. He was arrested overseas. She was mugged. They were in a car accident or got a DUI, etc. Please send money right away. Except it’s not who they think it is – it’s a con artist.
• Romance Scam: Our member meets a “special” someone, typically through an online app or social media site, and begins a relationship. Immediately, the online interest starts professing their love for the victim and then begins to ask for money to help with costs such as medical bills, children, or travel expenses (to visit) etc.
• Secret Shopper Jobs: After responding to a “help wanted” ad to work as secret shopper, the victims first assignment is to wire money. They are sent a phony check with instructions to keep some for payment for work and wire the rest.
• Tech Support Scams: Tech support scams happen when someone contacts our member claiming to be from a well-known technology company and requests remote access to their computer. Sometimes the caller says they have identified a problem and offers to fix their computer for a fee. If our member gives them access, the scammers [may] install malicious software to steal personal or financial information. Other times, the scammer offers a “refund” for a discontinued service or an accidental overcharge. If the member gives them access to their online banking, the fraudster will make it appear as if they’re sending a refund, but they’re transferring money from your own accounts. Often, the refund is for much more than promised (e.g., $60,000 instead of $600), so the scammer makes a plea for our member to send the extra money back, so they don’t lose their job. They may ask our member(s) to wire money to a foreign country, purchase gift cards, or mail cash.
• Work at Home Schemes: Consumers are offered a part-time job–that’s too good to be true. Their task is to deposit checks into their personal bank accounts, keep a small percentage as a commission, and send the rest by wire transfer to their new employer. The checks are worthless.

With many people in difficult financial situations due to COVID-19, fraudsters are taking advantage of this in a variety of ways for their gain. Here are some common signs of COVID-19 scams and how to avoid them:

Someone claims their unemployment benefits were sent to you by mistake
With the extended unemployment benefits being offered, fraudsters are applying for these benefits by using people that have not previously applied. Then, once the money is placed into your account, they will contact you claiming it was sent by mistake and request that you send the funds to their account. Don’t send them the money. In general, you should never send money to someone you don’t know. Instead, document the incident and report the fraud to your employer and your state’s unemployment agency.

A work-from-home opportunity seems too good to be true
In these times, many companies are hiring for remote positions, but be aware of opportunities that seem too good to be true as they may be a scam. Fraudsters can use these opportunities to scam people into unknowingly transferring money that was illegally obtained. Red flags for this include:

• Requesting to send money to your personal banking account that is to be transferred later.
• Requiring you to open a bank account in your name for the business.
• Telling you to keep a portion of the money you transferred.
• Hiring you on the spot without interviewing.
• Offering high pay for short hours or very minimal job experience.

A “government agency” contacts you asking for bank account information
Government agencies such as the IRS will never unexpectedly call or email to ask for your bank account or other personal information. In general, you should never provide sensitive information over the phone or email, especially when you didn’t initiate the conversation.

Other fraud protection tips:

• Hang up on robocalls.
• Don’t wire money to someone you don’t know.
• Don’t click on any links in emails or texts that you weren’t expecting or seem out of character from the sender.
• Don’t re-use your login credentials across multiple platforms.
• Create a complex password that includes a combination special characters, numbers, and capitalizations.

The Federal Trade Commission (FTC) frequently updates their list of scams that consumers may fall victim to. To view this list to better protect yourself, visit the FTC’s site here.