Fraud & Security Library
Can you spot a phishing scam?
These top 3 phishing scams are full of red flags:
• Text Message: If you receive a text message from someone claiming to be your bank asking you to sign in or to offer up your personal information, it’s a scam. Banks never ask that.
• Email: Watch out for emails that ask you to click a suspicious link or provide personal information. The sender may claim to be someone from your bank, but it’s a scam. Banks never ask that.
• Phone Call: Would your bank ever call you to verify your account number? No! Banks never ask that. If you’re ever in doubt that the caller is legitimate, just hang up and call the bank directly at a number you trust.
You’ve probably seen some of these scams before. But that doesn’t stop a scammer from trying. For more tips on how to keep phishing criminals at bay, including videos, an interactive quiz and more, visit www.BanksNeverAskThat.com. And be sure to share the webpage with your friends and family.
What’s Your Scam Score? Take five minutes to become a scamspotter pro by taking the #BanksNeverAskThat quiz at BanksNeverAskThat.com. Share your score on Twitter to encourage your friends and family to test their scam savviness, too. The more scamspotters out there, the harder it is for phishing criminals to catch their next victim!
Fraud Prevention Tips:
- Never provide your confidential information, such as Social Security Number or Date of Birth, to someone unless you have initiated the contact.
- If you are contacted by phone or email and asked to confirm your confidential information, do not respond to the caller or the email. Contact the company back using the phone number found on your monthly statement or in the phone book. Do not use the phone number provided in the email correspondence or that the caller provides to you.
- Do not use your confidential information as a Personal Identification Number (PIN) or a password.
- When completing online applications or making purchases, make sure the address begins with “https://” and the browser shows no certificate warning. Keep in mind that https only means the connection is encrypted; phishing sites use https too, so it is not proof that the site is legitimate.
- Do not record your Social Security number on a check, traveler's check, gift certificates, etc., unless required by law.
- Don't carry your Social Security card, and be cautious of your surroundings. Old-fashioned wallet stealing is still profitable and still used by criminals.
- Be mindful when using online social networking. Use a search engine to see how much information about you is listed online and could be pieced together to commit Identity Theft.
- Order your FREE Annual Credit Report.
- Reduce the amount of mail and paper with your personal information printed on it to reduce the chance of criminals stealing it.
- Sign up for electronic statements and stop receiving paper account statements.
- Sign up for direct deposit with your employer to have your funds put directly in your account without paper checks.
- Pay your bills with online bill payment to reduce the risk of sending your checks in the mail.
- Watch for the signs of identity theft such as receiving bills in the mail for things you didn’t authorize.
- Purchase a shredder and shred bills and statements.
- Anti-spyware and anti-virus protection detects and removes viruses and spyware, which can steal vital information.
- A firewall prevents unauthorized users from gaining access to a computer or monitoring transfers of information to and from the computer.
- Operating system and software updates, sometimes called "patches" or "service packs," should be installed as soon as possible.
- Web browser updates are deployed with your security in mind so keep them current.
- Your smartphone contains a host of personal information about you. Secure access to the device with a strong passcode.
- Change your password regularly and never write it down or share it with anyone.
- Configure your phone to automatically lock and apply the password when your device is not in use.
- Do not allow the device to save your mobile banking passwords. Anyone else who uses your device can easily gain access to your account because the access information would already be stored.
- If your phone is lost or stolen, report it to us immediately.
- Links in emails, tweets, social networking postings and text messages are often ways cybercriminals disperse their malware. If it looks suspicious, even if you know the sender, it’s best to delete it or call the sender to validate the message.
- Be wary of any communications that require you to act immediately or ask for personal information. Remember, Orrstown Bank will never:
  - Call, email or text you asking for your online banking password, wire PIN or challenge question answers.
  - Email or text you about a problem with your account.
- Consider adding anti-virus software to your smartphone.
- Mobile Banking does send confirmation messages to your device to alert you of transactions taking place. These messages do not contain private information about you or your account. Become familiar with the content of these messages and contact us immediately if you receive a message you feel is suspicious.
- Jailbreaking (or “rooting” on Android) is a method of “self-hacking” your smartphone. It removes the operating system’s built-in protections and makes the device more susceptible to malware and other malicious programs. If you choose to use your mobile device for online banking, we advise you not to jailbreak it.
- Review your account transactions regularly and immediately report any suspicious activity.
Criminals “phish” for your personal information. Phishing can take place via phone calls, emails, text messages, visiting your place of business or by directing you to a phony website that claims to be Orrstown Bank.
Stop and ask yourself, if you were to receive an email, text message or phone call from Orrstown Bank stating there was a problem with your account, would you question the validity of the message?
Criminals attempt to trick us into believing the communication we are seeing or hearing is from someone we trust. Remember, Orrstown Bank will never:
- Call, email or text you asking for your online banking password, wire PIN or challenge question answers.
- Direct you to a website that asks you to update your personal account information.
- Email you computer software updates.
- Email or text you about a problem with your account.
- Visit your place of business and request to perform maintenance on your computer.
If you receive a phone call, email, text message or visit to your place of business that you question, please take the time to call and ask us to validate the communication before taking any action requested. Please do not use the contact information provided in the email or text message you receive. Use the number advertised on our website or on the back of your debit card so you know you’re reaching us.
Criminals may send you an email that looks like it has come from Orrstown Bank. These phony emails may contain an infected link or attachment. These emails will either ask you to reply and provide your confidential information or they will direct you to a website that asks you to enter your confidential information. Remember, Orrstown Bank will not ask you to email us your personal information nor will we ask you to enter it online to update our records. Do not take any action requested in the message. Report the message to us.
These messages are usually well-crafted to trick you into thinking that you must take immediate action. Be on the lookout for messages such as the following:
- Urgent appeals claim that your account may be closed if you fail to confirm, verify or authenticate your personal information.
- Messages about system and security updates claim that the bank needs you to confirm important information and states that you must update your information online.
- Offers that sound too good to be true often are. You may be asked to fill out a short customer service survey in exchange for money being credited to your account, and you are then asked to provide your account number for proper routing of the supposed credit.
- Typos and other errors are often the mark of fraudulent emails. Be on the lookout for typos or grammatical errors.
If you receive a suspicious email, do not click on any links or reply to it. Simply delete it. To report a suspicious email that is abusing Orrstown Bank’s brand, please contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 5:00 PM and Saturday, 8:00 AM to Noon.
Phone phishing, called “vishing,” typically uses Voice over Internet Protocol (VoIP) to generate automated phone calls. The calls are usually an automated recording that states your account has experienced unusual activity. The message instructs you to call a phone number to have the issue corrected.
Rather than return the phone call, contact us and report the incident. We do not utilize automated systems to contact you about your accounts. Please do not use the number in the message. Contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 5:00 PM and Saturday, 8:00 AM to Noon.
Text message phishing, called “smishing,” is phishing that happens via SMS text messages. A criminal sends a text message tricking you into providing financial or personal information or clicking on links that will sneak malware onto your mobile device.
Do not respond to these messages or click the links in the messages. Please contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 5:00 PM and Saturday, 8:00 AM to Noon, to report the incident.
Malware is a general term for software that is meant to cause harm. Computer viruses, spyware, adware, and Trojan horses are all examples of malware. The purpose of malware can be something as seemingly harmless (yet annoying) as popping up a window to show you unwanted advertising, or as dangerous as capturing the keystrokes as you type your internet banking password or internet banking challenge question answers.
Computers become infected with malware through a number of mechanisms – sharing files on USB thumb drives or DVDs, opening suspicious e-mail attachments, clicking on links in e-mails or visiting websites that are themselves infected with malware. Malware can also arrive with downloaded files, such as music or videos from peer-to-peer file sharing networks (such as Kazaa or BitTorrent), or simply by visiting a website that has been hacked and infected. No longer is it a matter of staying away from “bad” websites. Unfortunately, any website that is not properly secured can be hacked and infected with malware that could infect your PC, and you most likely will not receive any warning that malware is being downloaded onto your computer. In most cases, the website owners themselves do not know their sites have fallen victim to dispersing criminal malware.
How do you avoid getting malware? Taking these steps can help limit the chances of infection:
- Install and use well-known, reputable anti-virus software. Configure the software to update the virus definitions daily and to scan files and your system in real-time. Setting up an additional full system scan on a regular basis is a good practice as well. This software can help in providing a layer of protection when you visit a site that has been hacked and infected. Anti-virus is no longer enough though. If the only measure you employ is anti-virus, you don’t have enough layers of protection to protect you from attacks.
- Use a firewall. If you are using Windows, enable the built-in Windows Firewall (called Windows Defender Firewall on current versions). If you have a Mac, enable the built-in firewall. If you have the means to install a network firewall that protects all the PCs within your network, that is most certainly recommended as well.
- Avoid fake anti-malware. Don’t buy anti-malware software advertised in pop-up ads. Legitimate software isn’t sold this way.
- Don’t open suspicious e-mail attachments or click the links within emails. Infected e-mail attachments and web links are among the most popular ways to spread malware. Even if you know the sender of the email, it’s better to verify why they sent you the message before clicking the attachment or links. Their account may have been compromised, and they may not know the message was sent.
Cyber criminals disguise their emails to look as though they’re from a legitimate business. Often, they employ some type of scare tactic to entice you to open the email and/or provide account information. For example, emails may state they are from:
- UPS claiming there is a “problem with your shipment”
- A Financial Institution claiming there is a “problem with your banking account”
- The Better Business Bureau stating “A complaint has been filed against you.”
- Court system stating that “You have been served with a subpoena.”
Other popular emails are ones that claim to show photos or video of current events like natural disasters and major sporting events.
- Don’t respond to messages that try to scare you into providing an “Immediate Response”. E-mails stating your account is subject to being closed or stating that you’re required to install new software updates should be reported immediately. If either of these situations were true, we would have sent you prior correspondence letting you know of an upcoming change or issue with your account status.
- Patch your computer regularly. Ensure you’re applying vendor-distributed patches.
- Report suspicious behavior. If you cannot access our online banking site, contact us immediately to determine if the site is down for scheduled maintenance or if a fraudster is deliberately locking you out of viewing your account activity.
- Review your account activity on a regular basis and report suspicious activity.
Money mules are unsuspecting victims who become middlemen for criminals trying to launder stolen funds. Victims are lured by the promise of a new career opportunity making large sums of money for minimal work. Criminals recruit money mules, send them stolen money and then ask the money mules to wire or transfer the money unwittingly to the criminals. Using the money mule masks the criminal's identity.
The money mule may keep a commission for performing the transfer or wire. The victims of these scams may not only have their bank accounts closed and financial reputation ruined, but are often left financially responsible for returning the stolen funds.
Common signs of a money mule scam:
- Overseas companies requesting money transfer agents in the United States.
- Opening new bank accounts to receive money from someone you don't know.
- Accepting large sums of money into your personal bank account for a new job.
- Transferring or wiring funds out of your personal bank account to people you do not know.
Beware of these latest scams:
Scammers recently used their own third-party Android applications (apps) to hijack over 10,000 Facebook accounts. If you were to download and open one of these malicious apps, you’d see a familiar feature: the “Continue with Facebook” button. Legitimate apps often integrate with websites like Facebook to make account creation quick and easy. In malicious apps, this type of link often leads to a phony login page designed to steal your login credentials.
This scam is unique because clicking the “Continue with Facebook” button actually opens the official Facebook login page. If you log in to your Facebook account, you’ll give the bad guys far more than your username and password. The malicious apps include an extra bit of code that gathers your account details, location, IP address, and more. Once they hijack your account, the bad guys can use it to generate ad revenue, spread disinformation, or even scam your friends and family.
Follow these tips to stay safe from malicious applications:
- Though this attack targets Android users, the technique could be used on any kind of device, even desktop computers. Always be careful when downloading apps or software, regardless of the device that you are using.
- Before downloading an app, read the reviews and ratings. Look for critical reviews with three stars or less, as these reviews are more likely to be real.
- Only download apps from trusted publishers. Remember, anyone can publish an app on official app stores, including cybercriminals.
To help protect you against malicious links, most email clients have filters that flag suspicious-looking emails. To bypass these filters, cybercriminals often create malicious content using well-known platforms such as Google Drive, and then use the platform’s share feature to distribute their content. Since these platforms are so widely used, your built-in email filters typically do not recognize that this content is malicious.
In a recent phishing attack, scammers are using a phony notification from DocuSign (a popular electronic agreement service) that actually includes a link to a malicious Google Doc. The fake notification states that you have an invoice to review and sign. If you click on the included View Document button, you’ll be taken to what appears to be a DocuSign login page that asks for your password. In reality, the button leads you to a Google Doc disguised as a DocuSign page, and any information entered on the document is sent directly to the bad guys.
Don’t fall for this trick! Remember:
- Never click on a link or download an attachment in an email that you were not expecting.
- If you think the email could be legitimate, be sure to hover over the link (or button) to preview the destination. Look for discrepancies, such as a DocuSign email using a Google Drive link.
- When an email claims to include an invoice, try to find evidence of the transaction elsewhere, like on your bank or credit card statements.
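The “hover over the link” advice above can be done programmatically for an HTML email. The following is an added example, not code from Orrstown Bank or from DocuSign: it pulls every link out of a message body, flags links whose host is outside the domains the claimed sender would use, and flags links whose visible text shows one address while the href goes somewhere else. The list of DocuSign domains and the sample email are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a DocuSign notification is expected to link to. Illustrative
# assumption for this example, not an authoritative list from DocuSign.
EXPECTED_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def check_links(html, claimed_brand):
    """Return (kind, href) findings: "foreign-domain" when a link's host is outside
    the brand's domains, "text-mismatch" when the visible text shows a different
    host than the href (what a hover preview would reveal)."""
    expected = EXPECTED_DOMAINS[claimed_brand.lower()]
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not any(belongs_to(host, d) for d in expected):
            findings.append(("foreign-domain", href))
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(("text-mismatch", href))
    return findings


# Constructed sample modelled on the DocuSign-themed lure described above.
SAMPLE_EMAIL = """<html><body>
<p>DocuSign: You have an invoice to review and sign.</p>
<p><a href="https://docs.google.com/document/d/CONSTRUCTED-ID/edit">View Document</a></p>
<p>Questions? Visit <a href="https://www.docusign.com/">www.docusign.com</a></p>
<p><a href="https://docs.google.com/forms/d/CONSTRUCTED-ID/viewform">https://app.docusign.com/sign</a></p>
</body></html>"""

if __name__ == "__main__":
    for kind, href in check_links(SAMPLE_EMAIL, "DocuSign"):
        print(f"{kind}: {href}")
```

The “View Document” button is caught purely on its host: a DocuSign notice has no business sending you to docs.google.com, which is exactly the discrepancy the tip above tells you to look for. The third link shows how a visible URL can lie; only the href matters.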
Say the new browser extension that you want to download has a lot of positive reviews. These reviews may make the extension seem legitimate, but not necessarily. Cybercriminals often use fake reviews to trick users into downloading malicious browser extensions.
For example, a malicious Microsoft Authenticator extension with fake reviews was recently found in the Chrome Web Store. The extension had five reviews: three one-star reviews and two five-star reviews. The real one-star reviews warned others that the extension was malware, while the fake five-star reviews praised the extension. This is just one example of how bad guys use fake reviews to gain your trust.
So, how do you know if the cool new extension is safe to download? Follow these tips to stay safe:
- Only download extensions from trusted publishers. Cybercriminals can easily publish extensions or apps to app stores, so make sure you know who developed the extension before you download it.
- Be suspicious of extensions that ask you to enter sensitive information. Legitimate extension downloads may request special permissions from you, but they won’t ask you to give up sensitive information.
- Look for negative reviews. Don’t just focus on the positive reviews. Negative or critical reviews are less likely to be fake.
A recent social engineering scam uses real people in a call center to trick you into downloading malware onto your computer. Here’s how the scam works:
You receive an email claiming that your trial subscription to a publishing company will expire soon. The email states that you will be charged if the subscription is not canceled, and it directs you to call a phone number for assistance. If you call this number, a representative happily walks you through how to unsubscribe. The representative directs you to a generic-sounding web address, asks you to enter the account number provided in the original email, and tells you to click a button labeled “Unsubscribe”. If you click, an Excel file is downloaded onto your computer. The representative tells you to open that file and enable macros so you can read a confirmation number to them. If you enable macros, a malicious file is installed that allows cybercriminals backdoor access to your system. The bad guys can use this access to install more dangerous malware, such as ransomware.
Follow these tips to stay safe from this social engineering attack:
- This attack tries to spark feelings of alarm and frustration by claiming that you will be charged for something you didn’t sign up for. Don’t let the bad guys toy with your emotions.
- Remember that cyber attacks come from real people and real people can lie over the phone, just as they do in phishing emails.
- If you’re concerned that a warning could be legitimate, look up the company and try contacting them another way—not by using the phone number that they provided in an email.
An easy way for cybercriminals to get your attention is to claim that you owe a large amount of money. Pair this claim with a QuickBooks-themed phishing email and a malware attachment, and you have a dangerous cybersecurity threat.
The cybercriminals send a well-made spoof of a QuickBooks email that even includes an invoice number. The email message states that you owe over one-thousand dollars for the order but it gives no further details. Attached to the email is what appears to be an Excel file with the invoice number as the filename. The bad guys are hoping you’ll open the attachment looking for more information. If you do open it, you’ll actually be opening a dangerous piece of malware specially designed to target your financial and banking information. This malware can lead to unauthorized charges, wire transfers, and even data breaches.
Here’s how you can stay safe from scams like this:
- Never click a link or download an attachment in an email that you were not expecting.
- Remember that bad guys can disguise anything, even file types.
- If you think the notification could be legitimate, navigate to the official QuickBooks website and log in to your account to confirm.
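Both the “unsubscribe” scam and the QuickBooks invoice scam above rely on an Excel-looking attachment that is either macro-enabled or not a spreadsheet at all. The following added example (not code from Orrstown Bank, QuickBooks or Microsoft) shows the two checks a practitioner runs before anyone opens such a file: identify the real container from its leading bytes regardless of the extension, and, for modern zip-based Office files, look for the VBA project part that means “this file has macros”. The sample files are constructed in memory; the macro placeholder contains no real code.

```python
import io
import zipfile

# Leading bytes that identify the real container, whatever the extension says.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-legacy-office"),
    (b"PK\x03\x04", "zip-ooxml"),
]

# Extensions whose format can carry macros at all.
MACRO_EXTENSIONS = {"xlsm", "xlsb", "docm", "pptm", "xls", "doc", "ppt"}


def sniff_type(data):
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return "unknown"


def has_vba_project(data):
    """True when an OOXML (zip-based) Office file carries a VBA project part.
    Legacy OLE2 files store macros in OLE streams and are not inspected here."""
    if sniff_type(data) != "zip-ooxml":
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def assess_attachment(filename, data):
    """Return a list of reasons not to open this attachment (empty means none found)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    reasons = []
    if kind == "pe-executable":
        reasons.append(f"{filename}: content is a Windows executable, not a .{ext} document")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"{filename}: macro-capable format; never click 'Enable Content'")
    if has_vba_project(data):
        reasons.append(f"{filename}: contains a VBA project (macros)")
    return reasons


def make_ooxml(with_macros):
    """Constructed stand-in for a workbook: a zip holding only the parts that matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            z.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not real VBA\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.xlsm", make_ooxml(with_macros=True)),
        ("invoice.xlsx", make_ooxml(with_macros=False)),
        # an executable renamed to look like a workbook (constructed header only)
        ("invoice.xlsx", b"MZ\x90\x00" + b"\x00" * 60),
    ]
    for name, data in samples:
        print(name, sniff_type(data), assess_attachment(name, data) or ["no findings"])
```

The magic-byte check is what defeats the “even file types” disguise: Windows hides known extensions by default, so a file named invoice.xlsx.exe displays as invoice.xlsx, but its first two bytes still say MZ. Legacy .xls and .doc files need an OLE parser for a reliable macro check; the extension rule above at least flags them as macro-capable.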
If you try logging in to an account, but get a “wrong password” error what do you do? You’ll probably try typing the same password again. But if that doesn’t work do you try another one of your passwords? Then another, and another? Cybercriminals have a clever new scam that takes advantage of this exact behavior.
You receive an email with a link to view an important document. If you click the link, the document looks blurred-out and is covered by a fake Adobe PDF login page. If you enter your email and password, you’ll get an error stating that your password is invalid. This page allows you to try a few more times before eventually blocking you from viewing the document. But the truth is, there was never a document to view. Instead, the cybercriminals saved your email address and every password you tried to use. They can use this information to try to log in as you on other websites.
Don’t be fooled! Remember these tips:
- Remember that any site, brand, or service can be spoofed.
- Never click a link in an email that you were not expecting. If you’re not sure, reach out to the sender by phone to confirm the legitimacy of the email.
- Always use a password that is unique to that specific account. This way, if your credentials are stolen, the cybercriminals can’t access your accounts on other websites.
Smishing (text message phishing) continues to grow in popularity. Smishing attacks can be difficult to catch, especially because both legitimate and phishy text messages tend to use shortened URLs. A URL is the web address of a page. Typically, the URL shows you where a link will take you. For example, a URL like https://blog[dot]knowbe4[dot]com/why-should-we-care-about-personal-smishing-attacks will take you to a KnowBe4 blog post about personal smishing attacks.
Because text messages have character limits, including a full URL is not practical. Instead, URL shortening programs are used to create a redirect link. For example, this shortened URL https://bit[dot]ly/3gUpTk1 will redirect you to the blog post mentioned above—or will it? There is no way for you to know where that shortened URL will send you. Cybercriminals often use this technique to redirect you to a malicious website or to a download page for malware. Don’t be fooled!
Follow these tips to spot a potential Smishing attack:
- Think before you click. Were you expecting this message? When did you give this company your phone number? Did you sign up for text notifications?
- Be cautious of a sense of urgency. The bad guys often use words like “urgent” or “ATTENTION” to try and trick you into impulsively clicking a malicious link.
- If you think the text message could be legitimate, try typing the shortened URL into a URL expander tool, such as GetLinkInfo or ExpandURL. These tools will reveal where the shortened URL will direct you, without taking you to the redirected site.
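The expander-tool advice above works because a shortener answers a request with an HTTP redirect (a 3xx status and a Location header) rather than content; the tool reads that header and stops instead of following it. The following added example (not code from Orrstown Bank or from any expander service) does the same with the Python standard library, one hop at a time and without ever loading the final page. The shortener host list is illustrative, and the redirect table used for the offline run is constructed; pass fetch=head_no_follow to check a real link.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# A few well-known shortener hosts. Illustrative, not exhaustive.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_shortened(url):
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; urllib then raises HTTPError for the 3xx


def head_no_follow(url, timeout=5):
    """One real HEAD request. Returns (status, Location header or None) without following it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_no_follow, max_hops=5):
    """Resolve a short link hop by hop. Returns the chain of URLs seen; the last
    entry is where a click would land (or where we gave up at max_hops)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


# Constructed redirect table so the example runs offline; none of these hosts are real.
CONSTRUCTED_HOPS = {
    "https://bit.ly/CONSTRUCTED": (301, "https://tracker.example.test/r?id=1"),
    "https://tracker.example.test/r?id=1": (302, "/landing"),
    "https://tracker.example.test/landing": (200, None),
}


def fake_fetch(url):
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    start = "https://bit.ly/CONSTRUCTED"
    print("shortener:", is_shortened(start))
    chain = expand(start, fetch=fake_fetch)  # use fetch=head_no_follow for a live check
    print(" -> ".join(chain))
    print("final host:", urlparse(chain[-1]).hostname)
```

Two things the chain shows that a single expansion does not: shorteners frequently bounce through a tracking host before the real destination, and the final host is the only one that matters when deciding whether the text message is legitimate. A HEAD request to a criminal's tracker still tells them the link was opened, so do this from a machine you don't care about, not from the phone that received the message.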
In a recent phishing attack that targets single men, cybercriminals show us how they use modern technology to trick their victims. The scam starts with the cybercriminal posing as a single woman and befriending their target on social media. Then, they start building rapport with the target through various interactions. Eventually, the cybercriminal sends audio messages with a woman’s voice to convince their target that they are who they claim to be.
The target doesn’t know it, but the cybercriminal is actually using voice-changing software to disguise their true identity. If the target falls for the fake audio messages, they receive a video file of their newfound love interest. Except the file is actually a dangerous piece of malware designed to grant the cybercriminals access to the victim’s entire system.
This tactic isn’t exclusive to romantic scams, so be sure to remember these tips:
- Keep your social media accounts private and only accept friend requests from people that you know and trust.
- If you meet someone online, be sure to verify their identity. You could use a search engine to find their other social media profiles or simply ask to have a video call to make a face-to-face connection.
- Remember that cybercriminals can use more than just links within emails to phish for your information. Always think before you click!
Cybercriminals have a new favorite phishing lure: PDF files. A PDF is a standard file type that presents text and images in their original format regardless of which program you use to open the file. Unfortunately, this makes the use of PDFs a great way for cybercriminals to get creative and trick victims into clicking on malicious links.
One common tactic for phishing with PDF files is to include an image that looks like something that you should interact with. The PDF may include a fake captcha image with the “I am not a robot” checkbox. Or the PDF may include an image of a paused video with a play button over the display. If you try to click the captcha checkbox or play the phony video, you’ll actually be clicking a link to a malicious website.
Don’t fall for these tricks! Remember the following tips:
- Never open or download an attachment in an email that you were not expecting.
- Remember that cybercriminals can use more than just links within emails to phish for your information. Always think before you click!
- If you receive a suspicious email, be sure to contact your IT department or follow the specific procedure for your organization.
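A PDF “play button” or “I am not a robot” image is clickable only because a Link annotation with a URI action sits on top of it, and the annotation records exactly where it will send you. The following added example (not code from Orrstown Bank or from Adobe) lists every such link in a PDF, the host it points to, and how much of the page its clickable rectangle covers, since a link stretched over the whole page or over the fake captcha is the tell. The PDF bytes are a constructed minimal skeleton, not taken from any real lure; the scanner only sees objects stored uncompressed, so for real files use a tool that also unpacks object streams.

```python
import re
from urllib.parse import urlparse

# Constructed, minimal PDF skeleton: one page with two Link annotations.
# Not a complete valid PDF (no xref table) and not taken from any real lure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 400 412 440]
   /A << /S /URI /URI (https://captcha-check.example.test/verify?ref=CONSTRUCTED) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI <68747470733a2f2f706c61792d6e6f772e6578616d706c652e746573742f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

OBJ_RE = re.compile(rb"\bobj\b(.*?)\bendobj\b", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[([^\]]*)\]")
URI_LITERAL_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # /URI (https://...)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")  # /URI <68747470...>, the same thing hex-encoded


def _numbers(blob):
    return [float(x) for x in blob.split()]


def _uri(body):
    """Decode the URI string of an action, whether written literally or as hex."""
    m = URI_LITERAL_RE.search(body)
    if m:
        return m.group(1).decode("latin-1")
    m = URI_HEX_RE.search(body)
    if m:
        hexdigits = re.sub(rb"\s+", b"", m.group(1)).decode("ascii")
        return bytes.fromhex(hexdigits).decode("latin-1")
    return None


def extract_link_annotations(pdf_bytes):
    """Every /Link annotation with a URI action: url, host, and the fraction of
    the page its clickable rectangle covers (None if no MediaBox/Rect found)."""
    page_area = None
    box = MEDIABOX_RE.search(pdf_bytes)
    if box:
        x0, y0, x1, y1 = _numbers(box.group(1))
        page_area = abs(x1 - x0) * abs(y1 - y0)
    links = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(1)
        if not LINK_RE.search(body):
            continue
        url = _uri(body)
        if url is None:
            continue
        coverage = None
        rect = RECT_RE.search(body)
        if rect and page_area:
            x0, y0, x1, y1 = _numbers(rect.group(1))
            coverage = abs(x1 - x0) * abs(y1 - y0) / page_area
        links.append({"url": url, "host": urlparse(url).hostname, "coverage": coverage})
    return links


if __name__ == "__main__":
    for link in extract_link_annotations(SAMPLE_PDF):
        cov = link["coverage"] or 0.0
        flag = "  <-- clickable area covers most of the page" if cov > 0.9 else ""
        print(f"{str(link['host']):30} coverage={cov:.3f}  {link['url']}{flag}")
```

The second annotation is the one a fake paused-video lure uses: a full-page link, so it does not matter whether you click the play button or anywhere near it. The hex-string form of the URI is included because authors of these documents use it to keep the address out of a casual text search.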