March 31, 2022
Spilling the tea on the latest COVID-19 cure claim
Wouldn’t it be nice if all you had to do to get rid of COVID-19 was drink some tea? Well, selling people easy, feel-good products — without competent scientific evidence — is something scammers are good at — and the FTC is working aggressively to stop them.
In the FTC’s latest case targeting fake COVID-19 cure claims, the agency took action against B4B Earth Tea, LLC. The company claims drinking their beverage (which sells for $60 per 16-ounce bottle) will cure the disease. But the complaint, filed by the Department of Justice on the FTC’s behalf, says the company doesn’t have scientific evidence to back up their treatment or prevention claims.
There are no supplements proven to treat or prevent COVID-19.
When it comes to fighting COVID-19 and spotting unsupported treatment claims:
- Always talk with your doctor or healthcare professional before you try any product claiming to treat, prevent, or cure COVID-19.
- When there’s a medical breakthrough to treat, prevent, or cure a disease, you’re not going to hear about it for the first time through an ad or sales pitch on social media.
- Visit CDC.gov and FDA.gov for the most up-to-date information about COVID-19 and available vaccines.
Now, please share what you know, and ask others to do the same.
- Learn more about COVID-related scams at ftc.gov/coronavirus
- Sign up for consumer alerts at ftc.gov/consumeralerts
- Tell us about scams you’re seeing at ReportFraud.ftc.gov
Updated March 31, 2022
by Rob Herrington, Chief Technology Officer, Senior Vice President, Service One Credit Union
Phishing Attacks – Increased in Frequency
Phishing emails are seemingly legitimate emails created by criminals, typically using spoofed or imitated names, for the purpose of tricking people into giving up private, personal, or company information. As much as we wish for a cease & desist order, phishing attacks aren’t disappearing anytime soon. Phishing attacks have risen dramatically since the onset of the COVID-19 pandemic, with a further uptick more recently with the Eastern Europe unrest. Recent estimates suggest that up to 90% of modern data breaches now involve a phishing attack. Experts are predicting that phishing attacks will continue at an alarming rate since cybercriminals are finding it a simple, low-cost form of attack that yields high results.
One of the reasons these threats are realized is, unfortunately, us, i.e., human nature. The threat to freeze accounts, a bit of flattery, or the threat of jail time can distract us so that we stop thinking rationally and, at times, begin to panic. These are very real human vulnerabilities that cybercriminals prey upon to get us to abandon our better judgment and click what they want us to click.
Do you know what a phishing attack looks like? Are you prepared for such an attack?
We’ll identify the most common types of phishing attacks that might affect your company, personal emails, and more recently, smartphones. Popular email service providers employ tools that monitor inbound emails to root out phishing attacks, but the degree of detection & filtering success varies across providers. In addition, phishers are becoming more creative, with imitations so convincing that even the best detection tools cannot tell real from fake. Identifying the indicators that an email is a phishing attempt is the first and foremost defense against becoming a victim.
So, let’s look at the 3 most common types of phishing attacks that you’re likely to come across:
1. Deceptive phishing attacks. Have you ever received an email from a bank that claims your account has been frozen and will remain inaccessible unless you click on the link provided and enter your account information? This type of email is a perfect example of a deceptive phishing attack. It’s the most common type of phishing attack out there, and it occurs when the cybercriminal impersonates a legitimate company to steal your personal information or login credentials.
2. Spear phishing attacks. Customizing their emails with your name, company, position, or other personal information, spear phishers lull you into thinking that you’ve had previous contact with them to lure you into clicking on a malicious link or email attachment. These emails will often appear as part of your normal daily activities and ask you to perform actions that don’t appear to be out of the ordinary. For instance, the cybercriminal might masquerade as your HR department and ask you to verify your benefits policy information. Or they will impersonate a high-ranking company official, such as a CEO, and ask you to purchase gift cards and mail or text them the card codes.
3. Malware-based phishing attacks. Someone, presumably one of your retailers or a vendor, sends you an email asking you to download an invoice. As soon as you click that file, you’ve become a victim of malware-based phishing; malicious software embedded in that file exploits the security vulnerabilities of your computer or phone when triggered. Malware is intentionally designed to do several things:
- Corrupt the device to disrupt your operations
- Steal specific information from you and/or the company
- Spy on your network, i.e., spyware
- Lock you out of your computer system or encrypt your files forcing you to pay a ransom to regain access, i.e., ransomware
- Take control of your computers for illicit purposes, which could lead to blackmail, extortion, or siphoning off bank funds
What are ways to spot a phishing email or phishing text?
Here is a list of details to check before downloading any attachment, clicking on any URL link, or replying to any important email.
Poor Spelling or Grammar - Professionals ensure very serious emails never have major spelling mistakes or poor grammar. If these errors are present, it is most likely NOT from a company’s legal department.
Ask for Personal Information - Sometimes they will try to trick you into giving up crucial information. Legitimate companies know how important your information is and they are also fully aware of phishing attacks. Thus, they will never ask for any personal info through email. You should never have to give any information such as but not limited to:
- Usernames or passwords
- Credit card number or Bank account
- Social Security number
- PIN numbers
- Mother’s maiden name
- A request to sign in to your email again after opening a message in an account you are already signed into
One easy sign to detect is that the phishing attempt asks for money. Most phishing emails or texts, along with any subsequent interaction thereafter, will eventually ask for money one way or another, saying it’s for taxes, fees, or some other expense. If this happens, it is most likely a scam.
Regardless of who is emailing or texting you for credit card information, gift cards, checks, or other financial and/or personal information, you should ALWAYS question the legitimacy even if it appears legitimate. Err on the side of caution…NEVER give out this type of information WITHOUT questioning its legitimacy. Email your company support or email the person directly at their legitimate business or personal email address to seek confirmation OR call the person requesting the information.
- Misleading Domain - A lot of scammers will take advantage of people not knowing how a domain name is structured. Typically, a domain is identified as <company or organizational name>.com, .org, .net, etc. Examples of legitimate domains: coreelementsbiz.com; cnn.com; google.com; nytimes.com; wikipedia.org; amazon.com; facebook.com; godaddy.com; microsoft.com, etc.
So, for example:
http://accounts.amazon.com/ - this will go to the normal amazon.com
http://amazon.accounts.com/ - this will go to a possible scammer website on the domain “accounts.com”, which is NOT affiliated with Amazon but is designed to make you think it is.
- Mismatched Site Link/URL - Many times a phishing email will contain a link redirecting to a website outside of the email. For example, the email will state things like, “Click here to sign in and secure your account” -or- “Your password needs to be reset, go here to complete that now”. Many times, this Site Link/URL will NOT go to where you believe it should go. Rather it will redirect you to a website that will steal your information or install a virus-malware-spyware program on your computer. The easiest way to check this in Microsoft Outlook is to just hover (DO NOT CLICK) the mouse pointer over the URL/link to see where it is going to take you.
Phishing attacks become even more problematic on mobile devices due to the small and narrow screens, which typically do not display fake URLs/domains on mobile browsers, and because you can’t hover the mouse pointer over a link to show the actual location it represents. Additionally, attackers can attempt to trick you into thinking a certain link is legitimate by using different alphanumeric characters, such as Spanish letters with accents. Thus, be extra cautious when opening links through email on a mobile device. If you are unsure, wait until you can access the email from a laptop or desktop computer for a better analysis of the email.
- Action Wasn’t Initiated by You- Question all emails you weren’t expecting. Any random email can be an attempt to obtain your information. Don’t trust things such as winning $1,000 in a contest you never heard of or signed up for. The promise of instant riches is unrealistic and is an attempt to obtain your sensitive information.
There are some companies that will never contact you, especially for credentials. For example, someone from "Microsoft" calls because you have a virus on your computer. Or someone calls from your bank and wants to verify your account because of a “hack attempt”. Tell them you’ll call back using the 800# on the back of your card. Be vigilant of both email and phone threats. If anyone outside of Core Elements tries to get access to your computer, you should automatically suspect it as a threat.
- Urgent or Threatening Dialog - Any email stating things are very time-sensitive or threatening to do things like close your bank account is a trick to get you scared. Don’t give in to their scam! Be very careful when any email wants an immediate reply. They will attempt to trick you by saying they have control of your devices, or have your passwords, or saying they have adult material involving you. DO NOT BELIEVE WHAT THEY SAY…IT’S ALL A SCAM!
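The "Misleading Domain" and "Mismatched Site Link/URL" checks above, plus the accented-letter trick mentioned for mobile devices, can also be applied automatically by a mail filter. The following Python sketch is an added example, not part of the original article. Its assumptions: the small TWO_LABEL_SUFFIXES set stands in for the full Public Suffix List, the KNOWN_BRANDS table is hypothetical, and the sample email is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: tiny stand-in for the Public Suffix List; hypothetical brand table.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
KNOWN_BRANDS = {"amazon": "amazon.com", "microsoft": "microsoft.com"}

# Constructed sample message body (not a real email).
SAMPLE_EMAIL = """<p>Your account is frozen.
<a href="http://accounts.amazon.com/">Account settings</a>
<a href="http://amazon.accounts.com/login">Click here to sign in</a>
<a href="http://secure-login.example.net/reset">www.microsoft.com/reset</a>
<a href="http://amazón.com/verify">amazon.com</a></p>"""

def registrable_domain(host):
    """Return the part of a hostname that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def host_of(value):
    """Hostname of a URL or a bare 'www.site.com/path' string, else ''."""
    value = value.strip()
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname or ""
    except ValueError:  # malformed input such as an unclosed '['
        return ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Return the warnings raised by one link."""
    warnings, host = [], host_of(href)
    real = registrable_domain(host)
    # Misleading domain: a brand name used as a label under another domain.
    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in host.split(".") and real != brand_domain:
            warnings.append(f"'{brand}' is only a label under {real}")
    # Mismatched link: the visible text names one site, the href another.
    shown = host_of(text)
    if "." in shown and " " not in shown and registrable_domain(shown) != real:
        warnings.append(f"text shows {registrable_domain(shown)} but link goes to {real}")
    # Look-alike characters: accented/non-ASCII letters or punycode labels.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("host contains non-ASCII or punycode characters")
    return warnings

def scan_email(html):
    """Map each link target in an HTML body to its list of warnings."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling scan_email(SAMPLE_EMAIL) leaves the accounts.amazon.com link clean and flags the other three links.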
If you suspect that an email or text message you received is a phishing attempt:
- Report it. Help others and yourself to avoid this by marking these emails as phishing attempts.
- If you are still unsure then....
Updated July 20, 2021
In 2020, consumers reported losing more than $3.3 billion to fraud.
Keep your information safe!
With the ever-growing popularity of online shopping and online communications, you should always have your guard up in the cyberworld. Criminals will use any situation to their advantage–especially when it comes to annual holidays. Below you’ll find a few examples of commonly used seasonal and holiday scams, and what you can do to protect yourself.
Fake Shipping Notifications
End-of-the-year holidays invite a greater likelihood of this common phishing attack, but this is a scam you must be cautious of all year long. Scammers send fake notifications that appear to come from postal service companies. The emails include dangerous links that, if clicked, could install malware on your computer or take you to a fake login page where your credentials will be stolen.
To check the legitimacy of these types of claims, always log in to your online account or service through your browser—not through links in unexpected emails.
Travel Deals and Offers
Scammers know that their potential victims travel for holidays throughout the year. Cybercriminals send emails offering fake travel deals from well-known travel sites. They’re even known to create phony websites for cheap hotels and flights so they can rob you of your money.
When something seems too good to be true, it probably is. Never click on links in unexpected emails. Before booking through an unfamiliar service, do your research and ensure the company is legitimate.
Social Media Deals and Sales
All social media advertisements are not created equal. A “paid advertisement” may seem trustworthy, but be warned: Anyone can pay to put an ad on social media. During holidays and popular shopping seasons, fraudsters buy ads that offer deals for items that you’re more than likely interested in–considering social media ads target the buyer market. The ads typically contain phishing links that lead to fraudulent websites where they will steal your credit card data. Even if the malicious ad is reported and removed, the bad guys typically only need one victim to fall for their trick to make it worth their investment.
Always hover over links and URLs before clicking to check whether the URL will take you to a dangerous or unexpected site. If a social media ad appears to be from a company you’re familiar with, check the company’s website instead of clicking on links from the ad.
Updated March 16, 2021
COVID-19 Vaccine Scams Put Your Identity At Risk
As soon as the FDA approved the emergency use of the Pfizer vaccine, scammers were busy implementing their plans to use this opportunity to profit from the health crisis and medical breakthroughs. Preying on those waiting for a vaccine, scammers have been convincing people to give up personal details in exchange for being put on a "vaccine list", having the opportunity to jump the line, receiving alternative cures, or making a co-payment on a vaccine that isn't necessary. Scammers will also wait patiently as people unwittingly post images of their CDC COVID-19 vaccine card on social media, displaying personal information for the world to see! Some of these scams are so timely, delivered through phone calls, text messages, and emails, that it's often hard to tell a scam from the real thing. It's critical you share the real threat vaccine scams pose to people and the ways they can protect themselves from a scam.
- Make your vaccine appointment by calling or on one of the recommended vaccine sites.
- Do not give out personal information, bank account or social security numbers, or insurance information, when someone calls or messages you.
- Do not pay to put your name on a waiting list.
- Do not give a co-pay in advance of a vaccine. According to the CDC, vaccines are provided to Americans for free.
- Do not post pictures on social media sites of your vaccine card.
It will be quite some time until the general population has access to a vaccine. Whether you are in Phase 1 or the last phase of the vaccine rollout, it's important to always stay aware and prepared for scammers to reach out to you. If you feel like you've fallen victim to a COVID-19 related scam, we are here to help. As part of our Service One new Choice checking accounts, you have an Identity Theft Recovery Advocate on standby waiting to help you recover your good name.
Updated February 25, 2021
If you receive a Service One Credit Union cashier's check, please call 270-796-8500 to verify it. There are counterfeit Service One cashier’s checks in circulation.
Risk Alert from CUNA Mutual about the Zelle Fraud Scam
Updated January 19, 2021
Here is how it works:
The fraudster sends text alerts to members, appearing to come from the credit union, warning members of suspicious debit card transactions.
Fraudsters call those members who respond to the text, spoofing the credit union’s phone number, and claim to be from the credit union’s fraud department.
To verify the identity of the member, the fraudster asks for the member’s online banking username and tells them they will receive a passcode via text or email and the member must provide it to the fraudster. In reality, the fraudster initiates a transaction, such as the forgot password feature, that generates a 2-step authentication passcode which is delivered to the member.
The member provides the passcode to the fraudster who uses it to log in to the member’s account using a device not recognized by the host system.
Upon logging into the accounts, fraudsters change the online banking passwords.
It seems pretty convincing, especially to those who don’t deal with it every day. A seemingly legitimate alert from your credit union about a debit card issue, followed by a call from the “fraud department”. Please do not fall for this scam. Call us if you have any questions about your account.
10 tactics scammers use to trick credit union members
by David Ver Eecke, PSCU
Scammers are known for preying on victims’ vulnerabilities, such as financial hardship, fear, and confusion. Given the particularly challenging circumstances surrounding COVID-19, people who believe they are savvy enough to avoid scams may fall victim, nonetheless.
Proactive education is the best way to not only protect members but also help your credit union staff be prepared to assist members who have been targeted by scammers. In fact, a recent Javelin study found 80% of people in the U.S. who are informed about a scam will disengage from it.
Here are 10 common practices scammers keep in their arsenals to attempt to fool your members and commit fraud.
- Faking an emergency. Scammers pretend to represent an official organization (like the IRS) and call, text or email members to demand immediate money for bogus issues. They use threatening phrases such as, “Your 401k plan will be frozen,” “Your passport will be seized,” or “The maximum sentence for this crime is five years in prison and a $10,000 fine,” to catch victims off guard and create a sense of urgency.
- Expressing that resistance is ineffective. Once the scammer has created the emergency and instilled panic, they reinforce there is nothing the member can do to remedy the situation. In the case of an IRS scam, they often tell the member they must cooperate or face arrest or fines.
- Rewarding cooperation with encouraging comments. Scammers sometimes try to play the part of a trusted friend, offering help and a way out of the emergency that would provide relief to the member. They often tell the member they seem like a good person and offer to help them with the situation at hand.
- Not allowing victims to hang up until they pay up. Phone scammers say it is a one-time opportunity for the member to take action to avoid further consequences, and if the member hangs up the phone, he or she will not be offered another chance to resolve the problem.
- Using official-sounding titles and names for ordinary things. Scammers try to sound impressive to gain members’ trust. They use official-sounding titles and names for merchants and everyday items. Examples include referring to a gift card as an “electronic federal tax payment system,” or instead of using the name of a store, they call it a “government-affiliated payment processor.”
- Stating they are not asking for personal information upfront. Scammers know asking for personal information could raise alarm bells for the member. Instead, they may say they are not looking to obtain this information, or they are not looking for an exchange of funds over the phone, which may cause members to let down their guard. This is why scammers often use gift cards to extract payment.
- Signaling to members they are being recorded. In an attempt to sound legitimate, scammers say the call is being recorded and monitored by the IRS.
- Threatening to alert the media. Scammers go to great lengths to keep suspicious or wary members on the phone, and even go so far as to threaten to contact the media on behalf of the IRS if the member does not comply with what is being asked. This is used as a last resort to salvage a conversation that might not be going well.
- Exploiting member engagement. Once scammers have members hooked, they may transfer the call to another fake agent in an attempt to further legitimize the call. Often, these scamming “call centers” employ multiple scammers who work together to make the initial call and then close the scam. Scammers are highly organized: some are responsible for getting members hooked, while others focus on closing the deal by extracting payment. They may say, “Please hold on the line, I am transferring the call to my senior treasury specialist,” or “Thanks for waiting, this is senior officer Matthews from the accounting department. My badge ID is…”
- Insisting members keep quiet about special offers. If a scammer offers a special tax break, for instance, they will often demand the member not discuss it with anyone, as it would prevent them from getting the settlement.
Members should report scams as soon as they occur, and visit USA.gov for information on reporting scams and fraud.
Members have received text messages telling them that their debit cards have been suspended. The message lists an 800 number to call. This is not Service One. We do not text you stating your debit card has been suspended. Block the number texting you. It is a scammer trying to get access to your debit card.
Social Media Scams
With most of the US under orders to stay at home due to the COVID-19 pandemic, many people are turning to social media for a fun distraction. Taking a Facebook quiz may seem like a harmless way to pass the time while quarantined, but it could also give scammers your personal information.
How the Scam Works:
You see a fun quiz on Facebook or another social media platform. What’s the harm, you figure? You answer a few questions and prove how well you know a friend. Or you take a short personality test to match with a character from your favorite TV show.
These quizzes ask seemingly silly or meaningless questions, but scammers can use that information for nefarious purposes. For example, some quizzes collect personal information by asking questions like: “What is your mother's maiden name?” or “What is the name of the street you grew up on?” These are common security questions for banking and credit card accounts. Sharing this information can lead to your accounts being hacked, and your personal and financial information being stolen.
Not all social media quizzes are data collection scams, but BBB cautions users to be careful about what they share online. Social media data and quiz answers can be used to steal your identity or enable a scammer to impersonate you to your friends and family.
Tips to avoid social media scams:
- Be skeptical: Before you take a quiz, figure out who created it. Is it a brand you trust? Just because something appears to be fun and innocent, doesn’t mean there isn’t an inherent risk.
- Adjust privacy settings: Review your social media account’s privacy settings and be strict about what information you share - and be mindful of who you are sharing it with.
- Remove personal details from your profile: Don’t share information like your phone number or home address on social media accounts.
- Don't give answers to common security questions: Be cautious if the questions in a quiz ask for things like your mother's maiden name, street you grew up on, or the name of your high school.
- Monitor Friend Requests. Don't accept friend requests from people you don’t know. Also, be wary of a second friend request from someone you are already connected with; the second profile may be an imposter trying to access your data and your Friends list.