Fraud & Security Library
10 Tips to Work From Home Securely
- Phishing scams are rife. Be aware of phishing scams targeting remote workers with sensational or emotional messages. Without your colleagues around, you need to be extra vigilant of both email and phone scams. Report any suspicious messages to your IT Security team.
- Be extra careful of fake news and malicious websites taking advantage of newsworthy events, such as the COVID-19 pandemic.
- Your passwords are the key to the kingdom. Without the company network to protect you, the power now lies squarely in your hands, or your passwords. Make sure your password for each critical site is strong and unique. Check the policy on password managers and use one if allowed.
- Use Multi-Factor Authentication wherever possible. This combines your username and password with something that you own, such as a one-time password app on your phone.
- Don’t fall for “credential phishing” attacks, where scammers trick you into handing over your username and password. Don't click on links asking you to update account information.
- Apply all basic security features. Keep your operating system, plug-ins and anti-virus software up to date and apply security patches when necessary.
- Secure your home WiFi Network. Change your default router password. If you’re still using “admin/admin,” “admin/password” or something similar to log into your router itself, change that.
- Keep your work environment private. Keep your home environment safe and ensure nobody is allowed to access your work computer, including your family and kids. Others could unintentionally download malicious software or access files they shouldn’t see. Ensure that your work conversations remain private and check your policy on smart home devices like Alexa or Google Home. Avoid printing at home unless allowed by your company policy. Make sure you lock sensitive documents away and shred them before discarding them.
- Use a VPN. Using a virtual private network (or VPN) provides a secure tunnel for all your internet traffic, preventing criminals from intercepting your data. Ask your security team to set one up for you.
- Read your company policies. They are there to keep you, the company and your data safe. In turn, this allows you to work from home. You are your company's strongest line of defense so remember to remain super vigilant.
Fraud Prevention Tips:
- Never provide your confidential information, such as Social Security Number or Date of Birth, to someone unless you have initiated the contact.
- If you are contacted by phone or email and asked to confirm your confidential information, do not respond to the caller or the email. Contact the company back using the phone number found on your monthly statement or in the phone book. Do not use the phone number provided in the email correspondence or that the caller provides to you.
- Do not use your confidential information as a Personal Identification Number (PIN) or a password.
- When completing online applications or making purchases, ensure the website is utilizing encryption and the page shows as an “https” page.
- Do not record your Social Security number on a check, traveler's check, gift certificates, etc., unless required by law.
- Don't carry your Social Security card, and be cautious of your surroundings. Old-fashioned wallet stealing is still profitable and still used by criminals.
- Be mindful when using online social networking. Use a search engine to see how much information about you is listed online and could be pieced together to commit Identity Theft.
- Order your FREE Annual Credit Report.
- Reduce the amount of mail and paper with your personal information printed on it to reduce the chance of criminals stealing it.
- Sign up for electronic statements and stop receiving paper account statements.
- Sign up for direct deposit with your employer to have your funds put directly in your account without paper checks.
- Pay your bills with online bill payment to reduce the risk of sending your checks in the mail.
- Watch for the signs of identity theft such as receiving bills in the mail for things you didn’t authorize.
- Purchase a shredder and shred bills and statements.
- Anti-spyware and anti-virus protection detects and removes viruses and spyware, which can steal vital information.
- A firewall prevents unauthorized users from gaining access to a computer or monitoring transfers of information to and from the computer.
- Operating system and software updates, sometimes called "patches" or "service packs," should be installed as soon as possible.
- Web browser updates are deployed with your security in mind so keep them current.
- Your smartphone contains a host of personal information about you. Secure access to your applications by applying a strong password.
- Change your password regularly and never write it down or share it with anyone.
- Configure your phone to automatically lock and apply the password when your device is not in use.
- Do not allow the device to save your mobile banking passwords. Anyone else who uses your device can easily gain access to your account because the access information would already be stored.
- If your phone is lost or stolen, report it to us immediately.
- Links in emails, tweets, social networking postings and text messages are often ways cybercriminals disperse their malware. If it looks suspicious, even if you know the sender, it’s best to delete it or call the sender to validate the message.
- Be wary of any communications that require you to act immediately or ask for personal information. Remember, Orrstown Bank will never:
- Call, email or text you asking for your online banking password, wire pin or challenge question answers
- Email or text you about a problem with your account
- Consider adding anti-virus software to your smartphone.
- Mobile Banking does send confirmation messages to your device to alert you of transactions taking place. These messages do not contain private information about you or your account. Become familiar with content of these messages and contact us immediately if you receive a message you feel is suspicious.
- Jailbreaking is a method of “self-hacking” your smartphone. This makes your smartphone more susceptible to malware and other malicious programs. If you choose to use your mobile device for online banking we advise you not to jailbreak your smartphone.
- Review your account transactions regularly and immediately report any suspicious activity.
Criminals “phish” for your personal information. Phishing can take place via phone calls, emails, text messages, visiting your place of business or by directing you to a phony website that claims to be Orrstown Bank.
Stop and ask yourself, if you were to receive an email, text message or phone call from Orrstown Bank stating there was a problem with your account, would you question the validity of the message?
Criminals attempt to trick us into believing the communication we are seeing or hearing is from someone we trust. Remember, Orrstown Bank will never:
- Call, email or text you asking for your online banking password, wire pin or challenge question answers.
- Direct you to a website that asks you to update your personal account information.
- Email you computer software updates.
- Email or text you about a problem with your account.
- Visit your place of business and request to perform maintenance on your computer.
If you receive a phone call, email, text message or visit to your place of business that you question, please take the time to call and ask us to validate the communication before taking any action requested. Please do not use the contact information provided in the email or text message you receive. Use the number advertised on our website or on the back of your debit card so you know you’re reaching us.
Criminals may send you an email that looks like it has come from Orrstown Bank. These phony emails may contain an infected link or attachment. These emails will either ask you to reply and provide your confidential information or they will direct you to a website that asks you to enter your confidential information. Remember, Orrstown Bank will not ask you to email us your personal information nor will we ask you to enter it online to update our records. Do not take any action requested in the message. Report the message to us.
These messages are usually well-crafted to trick you into thinking that you must take immediate action. Be on the lookout for messages such as the following:
- Urgent appeals claim that your account may be closed if you fail to confirm, verify or authenticate your personal information.
- Messages about system and security updates claim that the bank needs you to confirm important information and states that you must update your information online.
- Offers that sound too good to be true often are. You may be asked to fill out a short customer service survey in exchange for money being credited to your account, and you are then asked to provide your account number for proper routing of the supposed credit.
- Typos and other errors are often the mark of fraudulent emails. Be on the lookout for typos or grammatical errors.
If you receive a suspicious email, do not click on any links or reply to it. Simply delete it. To report a suspicious email that is abusing Orrstown Bank’s brand, please contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 6:00 PM and Saturday, 8:00 AM to Noon.
Phone phishing, called “vishing,” uses Voice over Internet Protocol (VoIP) to generate automated phone calls. The calls are usually an automated recording that states your account has experienced unusual activity. The message instructs you to call a phone number to have the issue corrected.
Rather than return the phone call, contact us and report the incident. We do not use automated systems to contact you about your accounts. Please do not use the number in the message. Contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 6:00 PM and Saturday, 8:00 AM to Noon.
Text message phishing, called “SMShing,” is phishing that happens via SMS text messages. A criminal sends a text message tricking you into providing financial or personal information or clicking on links that will sneak viruses onto your mobile device.
Do not respond to these messages or click the links in the messages. Please contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 6:00 PM and Saturday, 8:00 AM to Noon, to report the incident.
Malware is a general term for software that is meant to cause harm. Computer viruses, spyware, adware, and Trojan horses are all examples of malware. The purpose of malware can be something as seemingly harmless (yet annoying) as popping up a window to show you unwanted advertising, or as dangerous as capturing the keystrokes as you type your internet banking password or internet banking challenge question answers.
Computers become infected with malware through a number of mechanisms: sharing files on USB thumb drives or DVDs, opening suspicious e-mail attachments, clicking on links in e-mails, or visiting websites that are themselves infected with malware. Malware can also arrive with downloaded files, such as music or videos from peer-to-peer file sharing networks (such as Kazaa or BitTorrent), or simply by visiting a website that has been hacked and infected. It is no longer just a matter of staying away from “bad” websites. Unfortunately, any website that is not properly secured can be hacked and infected with malware that could infect your PC, and you most likely will not receive any warning that malware is being downloaded onto your computer. In most cases, the website owners themselves do not know their sites have fallen victim to dispersing criminal malware.
How do you avoid getting malware? Taking these steps can help limit the chances of infection:
- Install and use well-known, reputable anti-virus software. Configure the software to update the virus definitions daily and to scan files and your system in real-time. Setting up an additional full system scan on a regular basis is a good practice as well. This software can help in providing a layer of protection when you visit a site that has been hacked and infected. Anti-virus is no longer enough though. If the only measure you employ is anti-virus, you don’t have enough layers of protection to protect you from attacks.
- Use a firewall. If you are using Windows XP or Vista, enable the Windows Firewall. If you have a Mac, enable the built-in firewall. If you have the means to install a corporate firewall that protects the PCs within your network, that is most certainly recommended as well.
- Avoid fake anti-malware. Don’t buy anti-malware software advertised in pop-up ads. Legitimate software isn’t sold this way.
- Don’t open suspicious e-mail attachments or click the links within emails. Infected e-mail attachments and HTML website links are among the most popular ways to spread malware. Even if you know the sender of the email, it’s better to verify why they sent you the message before clicking the attachment or links. They may not know they’ve sent you the message.
Cyber criminals disguise their emails to look as though they’re from a legitimate business. Often, they employ some type of scare tactic to entice you to open the email and/or provide account information. For example, emails may state they are from:
- UPS claiming there is a “problem with your shipment”
- A Financial Institution claiming there is a “problem with your banking account”
- The Better Business Bureau stating “A complaint has been filed against you.”
- Court system stating that “You have been served with a subpoena.”
Other popular emails are ones that claim to show photos or video of current events like natural disasters and major sporting events.
- Don’t respond to messages that try to scare you into providing an “Immediate Response”. E-mails stating your account is subject to being closed or stating that you’re required to install new software updates should be reported immediately. If either of these situations were true, we would have sent you previous correspondence letting you know of an upcoming change or issue with your account status.
- Patch your computer regularly. Ensure you’re applying vendor-distributed patches.
- Report suspicious behavior. If you cannot access our online banking site, contact us immediately to determine if the site is down for scheduled maintenance or if a fraudster is deliberately locking you out of viewing your account activity.
- Review your account activity on a regular basis and report suspicious activity.
Money mules are unsuspecting victims who become middlemen for criminals trying to launder stolen funds. Victims are lured by the promise of a new career opportunity making large sums of money for minimal work. Criminals recruit money mules, send them stolen money and then ask the money mules to wire or transfer the money unwittingly to the criminals. Using the money mule masks the criminal's identity.
The money mule may keep a commission for performing the transfer or wire. The victims of these scams may not only have their bank accounts closed and financial reputation ruined, but are often left financially responsible for returning the stolen funds.
Common signs of a money mule scam:
- Overseas companies requesting money transfer agents in the United States.
- Opening new bank accounts to receive money from someone you don't know.
- Accepting large sums of money into your personal bank account for a new job.
- Transferring or wiring funds out of your personal bank account to people you do not know.
Beware of these latest scams:
Last week, a rally held in the United States Capitol escalated when protestors stormed the Capitol building. This event was later linked to posts on the social media platform Parler. The controversial events at the Capitol and related use of Parler has led both Apple and Google to remove the app from their respective app stores.
Cybercriminals use high-profile news stories like this to catch your attention and manipulate your emotions. In the coming weeks, we expect to see cybercriminals referencing this event and the Parler app in their phishing attacks and social media disinformation campaigns.
Here are some tips to stay safe:
- Watch out for Parler-related emails—especially those that offer an alternative way to download or install the app.
- Be suspicious of emails, texts, and social media posts that contain shocking developments to the story. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
- No matter how shocking the news, always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
With stay-at-home orders in place across the globe, many people are buying new pets to help them feel more connected. Unfortunately, shoppers who are looking for a furry friend may be in for a big surprise. Cybercriminals are creating phony online pet shops that advertise unbelievable prices on purebred pups.
These malicious pet shop sites include poorly-written testimonials from alleged buyers that often don’t make sense. For example, one testimonial claimed that their “German Shepherd baby had hatched”. If you overlook these phony testimonials and click the “Buy Me!” button under the photo of an adorable puppy, you’ll be taken to a contact page to begin your email conversation with the supposed seller. Via email, the scammers will ask you to pay for your pup using Bitcoin or a service provider, such as PayPal. Of course, any money you send goes straight to the bad guys and you’ll never receive your pup.
Here are some tips to avoid this ruff scam:
- Always be wary of websites with poorly-written information, including testimonials and reviews from customers.
- Remember, if a price sounds too good to be true—it is! Purchasing a purebred dog is typically very expensive, so scammers are trying to use low prices to trick you into acting impulsively.
- If you are in the market for a new pet, be sure to research the rescue shelter, pet adoption agency, or licensed breeder before making a purchase.
It’s no secret that cybercriminals love social media. Bad guys use platforms like Facebook and Instagram to impersonate your real friends and followers. Using this disguise, the scammers try to trick you into sharing sensitive information.
Here’s a common scam that is regaining popularity: You receive a message from a friend or follower asking “Is this a video of you?”. The message includes a screenshot of a blacked-out or blurry video. If you click to watch the video, you will be taken to a social media look-alike login page that is designed to steal your account credentials. If you enter your credentials here, the information will be sent directly to the bad guys and they’ll be able to use your social media account to scam anyone on your friends list.
Keep yourself and your friends safe by following these tips:
- The simple message used in this scam sparks feelings of curiosity, concern, and urgency. Don’t let the bad guys toy with your emotions. Think before you click!
- Be cautious of messages that are off-topic, unusual, or outlandish. Especially if the message includes a link.
- Keep your social media accounts private and only accept friend or follow requests from people that you know and trust.
The holiday season is a time for love, joy, togetherness—and last-minute online orders! We’ve all been there: anxiously awaiting a package and hoping you didn’t forget anyone on your shopping list. The holidays have a way of creeping up on us, so expect scammers to be creeping into your inbox as well.
Fake shipping notifications are especially popular during the holiday season. These can come in the form of an email (Phishing) or a text message (Smishing). Typically, the message will offer an urgent update about your package, such as a shipping delay, and you will be directed to click a link for more information. If you click the included link, you’ll be taken to a malicious website that asks for login credentials or other sensitive information. Any information entered on this page will be a gift from you to the cybercriminals!
Here are some tips to keep you safe from shipping notification scams:
- This attack exploits the stress and excitement of the holiday season. Don’t let the bad guys play with your emotions. Think before you click!
- Legitimate shipping notifications will include specific order information, such as your shipping address, an item description, or the name of the sender.
- Stay up-to-date on your orders by visiting the retailer’s official website. If you receive an unexpected notification, be sure to visit their website using your browser—not by clicking the link in the email.
For many months, organizations across the globe have been working remotely due to the coronavirus pandemic. In a new phishing attack, the bad guys target your feelings of stress or excitement about returning to the office.
The phishing email resembles something that your human resources department might send about returning to the office. Attached to the email is an HTML file that includes your name in the file name. If you download and open this attachment, you’ll be taken to a file that is hosted on the file-sharing site Microsoft SharePoint. According to the document, you must acknowledge the return-to-office policy by providing your username and password. If you enter your credentials here, the information will be sent directly to the bad guys and they’ll have the same access to your organization as you do.
Don’t fall for this trick! Remember these tips:
- This attack tries to exploit the uncertainty of going back to work in the office. Don’t let the bad guys toy with your emotions. Think before you click!
- Never impulsively click on a link or download an attachment that you weren’t expecting, even if it appears to be from your own organization.
- When in doubt, reach out to the sender by phone to confirm the legitimacy of the email before clicking a link or downloading an attachment.
With so many organizations still working remotely, bad guys continue to target you by spoofing popular video conferencing software, such as Zoom and Microsoft Teams. Video-conference themed phishing attacks can come in all shapes and sizes. For example, you may receive a phony welcome email that asks you to set up your new account. Or, you could receive an email claiming that you need to reschedule a missed meeting. As a more alarming example, you may receive a fake notice that your account has been suspended and you cannot join a meeting without first clicking the link in the email.
No matter what tactic the bad guys use, stay safe from video-conference themed scams by following these tips:
- Never impulsively click on a link within an email that you weren’t expecting.
- Check the From and Reply-To email addresses. Watch out for domain misspellings such as “Zooom” or “Teans”, as this is a common trick used by scammers.
- When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
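The following Python script is an added example, not part of this page or anything Orrstown Bank publishes. It turns the cues from the phishing-email list earlier on the page (urgent appeals, account-closure and update threats) and the From/Reply-To domain check in the list just above into a small triage routine a help desk could run over a reported message. The TRUSTED_DOMAINS allowlist, the phrase list, the similarity threshold and the two sample messages are all assumptions constructed for the example; a real deployment would use its own allowlist.

```python
"""Triage heuristics for a reported email: From/Reply-To domain checks,
lookalike sender domains, urgency wording and links to untrusted hosts.
Standard library only. All lists and samples below are constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the reader legitimately expects mail from
# (an assumption for this example, not a list taken from the page).
TRUSTED_DOMAINS = {"zoom.us", "teams.microsoft.com"}

# Pressure and "update your details" wording of the kind described on the page.
URGENCY_PHRASES = (
    "immediate action", "account may be closed", "account has been suspended",
    "confirm your information", "verify your information",
    "update your information", "missed meeting",
)

# Captures the host part of http(s) links in the message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def sender_domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` closely resembles (for example
    'zooom.us' vs 'zoom.us'), or None if it is trusted itself or unrelated.
    The 0.85 similarity threshold is an assumption chosen for this example."""
    if domain in trusted:
        return None
    for good in trusted:
        if SequenceMatcher(None, domain, good).ratio() >= 0.85:
            return good
    return None


def triage(raw_message):
    """Score a raw RFC 5322 message. Returns (number_of_findings, findings)."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))

    look = lookalike_of(from_dom)
    if look:
        findings.append(f"From domain '{from_dom}' looks like trusted '{look}'")
    elif from_dom not in TRUSTED_DOMAINS:
        findings.append(f"From domain '{from_dom}' is not a trusted sender")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain")

    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()

    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"Urgency wording: '{phrase}'")
    for host in URL_RE.findall(body):
        host = host.lower()
        look = lookalike_of(host)
        if look:
            findings.append(f"Link host '{host}' looks like trusted '{look}'")
        elif host not in TRUSTED_DOMAINS:
            findings.append(f"Link host '{host}' is not a trusted site")
    return len(findings), findings


# Constructed sample messages (not real mail): one lookalike phish, one routine notice.
SAMPLE_PHISH = """\
From: Zoom Support <no-reply@zooom.us>
Reply-To: support@mail-recovery.example
Subject: Your account has been suspended
Content-Type: text/plain

Your account has been suspended and you cannot join your missed meeting.
Take immediate action: https://zooom.us/verify/account to restore access.
"""

SAMPLE_LEGIT = """\
From: Zoom <no-reply@zoom.us>
Subject: Meeting reminder
Content-Type: text/plain

Your meeting starts in 10 minutes. Join at https://zoom.us/j/000000000
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, notes = triage(sample)
        print(f"{name}: {score} finding(s)")
        for note in notes:
            print("  -", note)
```

Run it directly and the constructed phishing sample produces six findings (lookalike From domain, mismatched Reply-To, three urgency phrases and a lookalike link host) while the routine reminder produces none. The similarity check deliberately compares the whole domain string, so a one-letter swap such as “Teans” for “Teams” is caught while an unrelated domain is simply reported as untrusted rather than as a lookalike.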
Phishing emails are often designed to trick you into clicking a malicious link. Most email clients, such as Microsoft Outlook and Gmail, have filters that add warning messages to emails with suspicious-looking links. Unfortunately, the bad guys are always finding new ways to bypass these security filters.
The latest way that scammers sneak past your email security is by taking advantage of the collaboration tools available for the Google Drive platform. The platform allows you to tag any user in a file by using their Gmail address. Once tagged, the user will receive a notification directly from Google. This means that if a bad guy tags you in a Google document, you will receive a legitimate notification from Google that includes a link to the bad guy’s file. If you view the file, you’ll likely find that it directs you to click another link. This second link is actually a malicious attempt to steal your sensitive information.
Don’t fall for this trick! Remember:
- Always be suspicious of emails or notifications from someone you do not know.
- Never click on a link within an email that you weren’t expecting—even if it came from a legitimate website.
- If you receive a suspicious email or notification, contact your IT department or follow the specific procedure for your organization.
For most of us, the holiday season is about friends, family, food—and shopping! Black Friday and Cyber Monday fall just after Thanksgiving in the U.S., but they are now two of the busiest shopping days of the year internationally as well. Unfortunately, while you’re looking for holiday deals, the bad guys are looking for ways to scam you any way they can.
Follow these tips to stay safe this holiday season:
- Keep your smartphone, computer, and other devices updated. This helps ensure that your device has the latest security patches.
- Only use trusted Wi-Fi connections and be suspicious of any network that does not require a password to connect.
- Take the time to change any outdated or simple passwords. Use strong, unique passwords on all of your accounts.
- Be careful not to overshare on social media. Consider anything you post to be public information.
- Keep an eye on the activity in your banking and credit card accounts. Also, be sure to monitor your credit report on a regular basis.
- Be suspicious of emails you receive about online purchases. Check the status of your order directly on the website that you purchased from.
- If you receive a holiday greeting card in your inbox, verify the sender before clicking the link to view the card.
- If you’re traveling for the holidays, be sure to keep your devices stored safely at all times.
- Pay close attention to the websites that you order from. Only shop on websites that you know and trust.
- Watch out for giveaways and contests. Remember that if something seems too good to be true, it probably is.
Last week, pharmaceutical company Pfizer announced that long-term trials of their COVID-19 vaccine have been highly successful. This exciting development is a huge step towards ending the pandemic, but experts say we are still far from a publicly available vaccine.
Unfortunately, good news like this is often used by cybercriminals to catch your attention and manipulate your emotions. Expect to see mentions of a COVID-19 vaccine in phishing attacks and social media disinformation campaigns.
Here are some tips to stay safe:
- Be suspicious of emails, texts, and social media posts that contain exciting or alarming information about a vaccine. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
- Always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
- Stay informed by checking official government websites or following trusted news sources for information on vaccine developments.