Phishing Fraud during COVID-19
Financial organizations have seen an increase in phishing events during the COVID-19 pandemic. It is important that you understand phishing events and educate your cardholders. A phishing event is an attempt by a fraudster to steal a person’s data, mainly login credentials and card information. The fraudster then uses this information to process fraudulent card transactions or ATM withdrawals. Fraudsters often utilize social media or information bought on the Dark Web to initiate scams.
An example of a recent phishing attack:
- The fraudster gathers information from social media to make the scam more believable.
- The cardholder receives a phone call from the fraudster posing as a financial institution employee.
- Fraudsters often spoof phone numbers from the financial institution when contacting the victim, making the call seem legitimate.
- The fraudster advises the cardholder that there have been fraud attempts on their card and that they will receive a text with a case number.
- While on the phone, the fraudster will perform a transaction they know will generate a fraud alert.
- When the cardholder receives the case number, the fraudster asks for the case number over the phone so the card can be permanently blocked.
- Instead, the fraudster uses the case number to call into the SecurLOCK IVR and mark the activity as valid, so they can continue to use the card fraudulently.
- The fraudster may suggest the cardholder transfer money into their checking account from savings to make it “safer,” thereby giving the fraudster access to more money.
- The cardholder thinks the fraud was caught and stopped, while the fraudster is busy committing more fraudulent transactions and stealing more money.
Educating cardholders is one of the best lines of defense in preventing phishing attacks. Advising cardholders on how your financial institution and FIS interact with them will mitigate losses due to this type of activity.
FIS will never contact the cardholder to ask for the following:
- Account Number/Card Number
- CVV
- PIN
- Passwords
- Social Security Number
- Online Banking Credentials
FIS will never advise a cardholder to transfer money or withdraw money. If any information concerning suspicious activity is texted to the cardholder, FIS does not call and ask the cardholder for the information. When cardholders call into SecurLOCK to validate suspicious transactions, FIS will request the case number to authenticate them. The cardholder should always reply NO to a text or email about transactions they do not recognize, no matter what direction has been given to them.
Tech Tips
Is ChatGPT Your Next Financial Advisor?
ChatGPT, an artificial intelligence (AI) chatbot created by OpenAI, has risen in popularity since its release last year. Now, cybercriminals are using ChatGPT’s popularity to lure you into phishing scams. In one of these scams, cybercriminals try to trick you with a fake new ChatGPT feature.
The scam starts with a phishing email informing you that ChatGPT has a new feature to help you invest in the stock market. If you click the link in the email, you’ll be taken to a spoofed ChatGPT website and prompted to enter your contact information. Then, a representative will call you and request that you submit a payment to open your investment account. Unfortunately, if you submit a payment, that money won't help you invest in the stock market. Instead, cybercriminals will steal it to invest in their own malicious pursuits.
Follow the tips below to stay safe from similar scams:
- Before you click a link, hover your mouse over it. Make sure that the link leads to a legitimate, safe website that corresponds with the content in the related email.
- Be cautious of unexpected investment opportunities. Remember, if something seems too good to be true, it probably is!
- Never submit payments to a bank account provided in an email, text message, or phone conversation. Instead, navigate to the organization’s official website to submit a secure payment.
IT or Cybercriminal?
Coinbase, a cryptocurrency platform, was the latest victim of a social engineering attack. Social engineering occurs when cybercriminals manipulate you to try to steal your sensitive information.
In this recent attack, a cybercriminal sent smishing (SMS phishing) messages to Coinbase employees. These messages contained a link directing employees to log in to their company accounts. Shortly after one employee clicked this link, Coinbase noticed the activity and prevented the cybercriminal from gaining internal access. Later, the cybercriminal called the same employee and claimed to be from Coinbase’s IT department. The employee thought the call was legitimate, and the cybercriminal stole some sensitive information over the phone.
Follow the tips below to stay safe from similar scams:
- Always be cautious of unexpected text messages.
- Think before you click! Cyberattacks are designed to catch you off guard and make you act impulsively.
- Before you share any sensitive information over the phone, verify that the caller is actually who they say they are.
r/Cybercriminals: Spear Phishing
Reddit, a popular online community, was the latest victim of a spear phishing attack. Spear phishing is a targeted email attack that looks like it’s from a trusted source, but it’s actually from cybercriminals in disguise.
In this recent attack, a cybercriminal set up a fake website designed to steal login credentials. Then, the cybercriminal sent phishing emails to Reddit employees. The emails prompted employees to visit the fake website and enter their credentials. Through this attack, the cybercriminal was able to access sensitive information from Reddit and steal internal company data.
Follow the tips below to stay safe from similar scams:
- Make sure that the sender is actually who they say they are. If the sender claims to be someone you know, reach out to them in person or by phone to verify.
- Remember that spear phishing attacks can happen to anyone. Think before you click, and never click a link in an email that you aren’t expecting.
- Be careful with the information you share about yourself online. Cybercriminals can use this information to target you in phishing attacks.
Scams Related to the Turkey-Syria Earthquake
Last week, two earthquakes occurred in Turkey and Syria. Unfortunately, cybercriminals often use crises to get your attention and manipulate your emotions. Cybercriminals have already begun exploiting this event to try to scam you and steal your sensitive information.
In the coming weeks, we expect to see an influx of phishing attacks referencing this recent event. Cybercriminals may send phishing emails with links asking you to donate money or view “exclusive” videos relating to this news. Clicking these links could allow cybercriminals to steal your sensitive information or install malware on your device.
Follow the tips below to stay safe from these types of scams:
- Avoid making donations to unknown users. If you would like to donate to support a cause, donate directly through a trusted organization's website.
- Think before you click. Cyberattacks are designed to catch you off guard and trigger you to click impulsively.
- Stay informed by following trusted news sources. If you see a sensational headline, research the news story to verify that it’s legitimate.
Watch Out for Scams This Tax Season
In most countries, it’s cybercriminals' favorite time of the year: tax season. Taxes are a sensitive topic that can easily be used to catch your attention or manipulate your emotions. Over the next few months, cybercriminals will likely mention taxes in phishing attacks and disinformation campaigns.
Tax season is also a vulnerable time for your sensitive information. Tax documents from employers, banks, and other organizations typically include personally identifiable information. If cybercriminals get their hands on this information, they can use it to steal your identity, your money, and more.
Follow the tips below to stay safe during tax season:
- Always think before you click. Cyberattacks are designed to catch you off guard and trick you into clicking impulsively.
- Use extra caution when handling tax documents. For digital documents, use password protection. For physical documents, keep paperwork in a secure location and shred anything that is no longer needed.
- Be suspicious of emails, text messages, and social media posts that contain shocking information about taxes in your country. These messages could be disinformation, which is false information designed to mislead you.