Fraud & Security Library
Can You Spot a Phishing Scam?
It’s time to put scammers in their place.
We want every client to become a pro at spotting a phishing scam—and stop bank impostors in their tracks. It starts with these four words: Banks Never Ask That. Because when you know what sounds suspicious, you’ll be less likely to be fooled.
These top 3 phishing scams are full of red flags:
- Text Message: If you receive a text message from someone claiming to be your bank asking you to sign in, or offer up your personal information, it’s a scam. Banks never ask that.
- Email: Watch out for emails that ask you to click a suspicious link or provide personal information. The sender may claim to be someone from your bank, but it’s a scam. Banks never ask that.
- Phone Call: Would your bank ever call you to verify your account number? No! Banks never ask that. If you’re ever in doubt that the caller is legitimate, just hang up and call the bank directly at a number you trust.
What’s Your Scam Score? Take five minutes to become a scamspotter pro by taking the #BanksNeverAskThat quiz at BanksNeverAskThat.com. Share your score on Twitter to encourage your friends and family to test their scam savviness, too. The more scamspotters out there, the harder it is for phishing criminals to catch their next victim!
Fraud Prevention Tips:
- Never provide your confidential information, such as Social Security Number or Date of Birth, to someone unless you have initiated the contact.
- If you are contacted by phone or email and asked to confirm your confidential information, do not respond to the caller or the email. Contact the company back using the phone number found on your monthly statement or in the phone book. Do not use the phone number provided in the email correspondence or that the caller provides to you.
- Do not use your confidential information as a Personal Identification Number (PIN) or a password.
- When completing online applications or making purchases, ensure the website uses encryption: the address should begin with “https” rather than “http”.
- Do not record your Social Security number on a check, traveler's check, gift certificates, etc., unless required by law.
- Don't carry your Social Security card, and be cautious of your surroundings. Old-fashioned wallet stealing is still profitable and still used by criminals.
- Be mindful when using online social networking. Use a search engine to see how much information about you is listed online and could be pieced together to commit Identity Theft.
- Order your FREE Annual Credit Report.
- Reduce the amount of mail and paper with your personal information printed on it to reduce the chance of criminals stealing it.
- Sign up for electronic statements and stop receiving paper account statements.
- Sign up for direct deposit with your employer to have your funds put directly in your account without paper checks.
- Pay your bills with online bill payment to reduce the risk of sending your checks in the mail.
- Watch for the signs of identity theft such as receiving bills in the mail for things you didn’t authorize.
- Purchase a shredder and shred bills and statements.
- Anti-spyware and anti-virus protection detects and removes viruses and spyware, which can steal vital information.
- A firewall prevents unauthorized users from gaining access to a computer or monitoring transfers of information to and from the computer.
- Operating system and software updates, sometimes called "patches" or "service packs," should be installed as soon as possible.
- Web browser updates are deployed with your security in mind so keep them current.
- Your smartphone contains a host of personal information about you. Secure access to your application by applying a strong password.
- Change your password regularly and never write it down or share it with anyone.
- Configure your phone to automatically lock and apply the password when your device is not in use.
- Do not allow the device to save your mobile banking passwords. Anyone else who uses your device can easily gain access to your account because the access information would already be stored.
- If your phone is lost or stolen, report it to us immediately.
- Links in emails, tweets, social networking postings and text messages are often ways cybercriminals disperse their malware. If it looks suspicious, even if you know the sender, it’s best to delete it or call the sender to validate the message.
- Be wary of any communications that require you to act immediately or ask for personal information. Remember, Orrstown Bank will never:
  - Call, email or text you asking for your online banking password, wire pin or challenge question answers
  - Email or text you about a problem with your account
- Consider adding anti-virus software to your smartphone.
- Mobile Banking does send confirmation messages to your device to alert you of transactions taking place. These messages do not contain private information about you or your account. Become familiar with the content of these messages and contact us immediately if you receive a message you feel is suspicious.
- Jailbreaking is a method of “self-hacking” your smartphone. This makes your smartphone more susceptible to malware and other malicious programs. If you choose to use your mobile device for online banking we advise you not to jailbreak your smartphone.
- Review your account transactions regularly and immediately report any suspicious activity.
Criminals “phish” for your personal information. Phishing can take place via phone calls, emails, text messages, visiting your place of business or by directing you to a phony website that claims to be Orrstown Bank.
Stop and ask yourself, if you were to receive an email, text message or phone call from Orrstown Bank stating there was a problem with your account, would you question the validity of the message?
Criminals attempt to trick us into believing the communication we are seeing or hearing is from someone we trust. Remember, Orrstown Bank will never:
- Call, email or text you asking for your online banking password, wire pin or challenge question answers.
- Direct you to a website that asks you to update your personal account information.
- Email you computer software updates.
- Email or text you about a problem with your account.
- Visit your place of business and request to perform maintenance on your computer.
If you receive a phone call, email, text message or visit to your place of business that you question, please take the time to call and ask us to validate the communication before taking any action requested. Please do not use the contact information provided in the email or text message you receive. Use the number advertised on our website or on the back of your debit card so you know you’re reaching us.
Criminals may send you an email that looks like it has come from Orrstown Bank. These phony emails may contain an infected link or attachment. These emails will either ask you to reply and provide your confidential information or they will direct you to a website that asks you to enter your confidential information. Remember, Orrstown Bank will not ask you to email us your personal information nor will we ask you to enter it online to update our records. Do not take any action requested in the message. Report the message to us.
These messages are usually well-crafted to trick you into thinking that you must take immediate action. Be on the lookout for messages such as the following:
- Urgent appeals claim that your account may be closed if you fail to confirm, verify or authenticate your personal information.
- Messages about system and security updates claim that the bank needs you to confirm important information and states that you must update your information online.
- Offers that sound too good to be true often are. You may be asked to fill out a short customer service survey in exchange for money being credited to your account, and you are then asked to provide your account number for proper routing of the supposed credit.
- Typos and other errors are often the mark of fraudulent emails. Be on the lookout for typos or grammatical errors.
If you receive a suspicious email, do not click on any links or reply to it. Simply delete it. To report a suspicious email that is abusing Orrstown Bank’s brand, please contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 6:00 PM and Saturday, 8:00 AM to Noon.
Phone phishing, called “vishing,” uses Voice over Internet Protocol (VoIP) to generate automated phone calls. The calls are usually an automated recording that states your account has experienced unusual activity. The message instructs you to call a phone number to have the issue corrected.
Rather than return the phone call, contact us and report the incident. We do not use automated systems to contact you about your accounts. Please do not use the number in the message. Contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 6:00 PM and Saturday, 8:00 AM to Noon.
Text message phishing, called “SMShing,” is phishing that happens via SMS text messages. A criminal sends a text message tricking you into providing financial or personal information or clicking on links that will sneak viruses onto your mobile device.
Do not respond to these messages or click the links in the messages. Please contact our Customer Service Center at 1.888.677.7869 or locally in the Shippensburg area at 717.530.3530, Monday - Friday, 8:00 AM to 6:00 PM and Saturday, 8:00 AM to Noon to report the incident.
Malware is a general term for software that is meant to cause harm. Computer viruses, spyware, adware, and Trojan horses are all examples of malware. The purpose of malware can be something as seemingly harmless (yet annoying) as popping up a window to show you unwanted advertising, or as dangerous as capturing the keystrokes as you type your internet banking password or internet banking challenge question answers.
Computers become infected with malware through a number of mechanisms – sharing files on USB thumb drives or DVDs, opening suspicious e-mail attachments, clicking on links in e-mails, or visiting websites that are themselves infected with malware. Malware can also arrive with downloaded files, such as music or videos from peer-to-peer file sharing networks (such as Kazaa or BitTorrent), or simply by visiting a website that has been hacked and infected. It is no longer a matter of staying away from “bad” websites. Unfortunately, any website that is not properly secured can be hacked and infected with malware that could infect your PC, and you most likely will not receive any warning that malware is being downloaded onto your computer. In most cases, the website owners themselves do not know their sites have fallen victim to dispersing criminal malware.
How do you avoid getting malware? Taking these steps can help limit the chances of infection:
- Install and use well-known, reputable anti-virus software. Configure the software to update the virus definitions daily and to scan files and your system in real-time. Setting up an additional full system scan on a regular basis is a good practice as well. This software can help in providing a layer of protection when you visit a site that has been hacked and infected. Anti-virus is no longer enough though. If the only measure you employ is anti-virus, you don’t have enough layers of protection to protect you from attacks.
- Use a firewall. If you are using Windows XP or Vista, enable the Windows Firewall. If you have a Mac, enable the built-in firewall. If you have the means to install a corporate firewall that protects the PCs within your network, that is most certainly recommended as well.
- Avoid fake anti-malware. Don’t buy anti-malware software advertised in pop-up ads. Legitimate software isn’t sold this way.
- Don’t open suspicious e-mail attachments or click the links within emails. Infected e-mail attachments and HTML website links are among the most popular ways to spread malware. Even if you know the sender of the email, it’s better to verify why they sent you the message before clicking the attachment or links. They may not know they’ve sent you the message.
Cyber criminals disguise their emails to look as though they’re from a legitimate business. Often, they employ some type of scare tactic to entice you to open the email and/or provide account information. For example, emails may state they are from:
- UPS claiming there is a “problem with your shipment”
- A Financial Institution claiming there is a “problem with your banking account”
- The Better Business Bureau stating “A complaint has been filed against you.”
- Court system stating that “You have been served with a subpoena.”
Other popular emails are ones that claim to show photos or video of current events like natural disasters and major sporting events.
- Don’t respond to messages that try to scare you into providing an “Immediate Response”. E-mails stating your account is subject to being closed or stating that you’re required to install new software updates should be reported immediately. If either of these situations were true, we would have sent you prior correspondence letting you know of an upcoming change or issue with your account status.
- Patch your computer regularly. Ensure you are applying vendor-distributed patches.
- Report suspicious behavior. If you cannot access our online banking site, contact us immediately to determine if the site is down for scheduled maintenance or if a fraudster is deliberately locking you out of viewing your account activity.
- Review your account activity on a regular basis and report suspicious activity.
Money mules are unsuspecting victims who become middlemen for criminals trying to launder stolen funds. Victims are lured by the promise of a new career opportunity making large sums of money for minimal work. Criminals recruit money mules, send them stolen money and then ask the money mules to wire or transfer the money unwittingly to the criminals. Using the money mule masks the criminal's identity.
The money mule may keep a commission for performing the transfer or wire. The victims of these scams may not only have their bank accounts closed and financial reputation ruined, but are often left financially responsible for returning the stolen funds.
Common signs of a money mule scam:
- Overseas companies requesting money transfer agents in the United States.
- Opening new bank accounts to receive money from someone you don't know.
- Accepting large sums of money into your personal bank account for a new job.
- Transferring or wiring funds out of your personal bank account to people you do not know.
Beware of these latest scams:
Many services, from grocery pickup to credit score updates, offer notifications via text messages or short message service (SMS). Typically, these notifications are short, vague, and include a link—which makes them great for spoofing! Bad guys use fake notification messages for SMS Phishing, or Smishing attacks.
In a recent smishing attack, the bad guys spoof shipping companies and send multiple fake text message notifications. The text messages state that you have an urgent notification regarding the delivery of a package. Each notification includes a link for more information. Clicking this link takes you to a phony Google login page that is designed to steal any information you enter.
It can be tricky to spot smishing attacks, but like a traditional phishing attack, there are steps you can take to keep your information safe. Follow these tips:
- Think before you click. Were you expecting this message? When did you give this company your phone number? Did you sign up for text notifications?
- Be cautious of a sense of urgency. The bad guys send multiple texts and use words like “urgent” to try and trick you into impulsively clicking a malicious link.
- Never trust a link in a text message that you were not expecting. If you think the notification could be legitimate, contact the company another way, such as by visiting their official website.
The U.S. Small Business Administration (SBA) has discovered an email scam originating from sba-attorneys.com that seeks to create alarm among Paycheck Protection Program (PPP) loan borrowers. The email falsely warns that PPP funds were issued to the recipient in error, and that immediate action must be taken to avoid "potential criminal liability."
A sample of the scam appears below. If you receive such an email, consider marking the item as SPAM and deleting it from your inbox. Under no circumstances should you reply to the sender or click on any of the message's embedded links (all of which have been removed here for your protection).
* * *
From: Sba-attorneys <info @ Sba-attorneys.com>
Subject: Refund of your loan
As a representative attorney of the SBA, personal guarantors and Federal debtors for the Treasury department’s bureau of Fiscal service, now mandated to contact and bring to your attention The SBA and the Treasury Department new guidance clarifying that the loans you took were not intended for you and companies with access to the equity market.
The SBA and the Treasury Department clarified that the loans were not intended for you or a company with access to the equity market and other funding. Currently you are on the list of those who received SBA PPP Loans under the CARES Act which were not intended for you.
We now warned you of impending consequences of an audit, and potential criminal liability as we did not receive the return of the funds "in good faith" from you, since the deadline of May 7th. Please note, Over $436 million of the over $1.3 billion received for SBA PPP Loans under the CARES Act has been returned to us. Awaiting your prompt response and more details will be provided to you on the way forward.
Brandon Alcott, Principal Partner Sba-attorneys
Last week, the President of the United States, Donald Trump, announced that he and the first lady tested positive for coronavirus. This announcement and the status of President Trump’s health is currently dominating the media—both in the US and around the world.
Cybercriminals use high-profile news stories like this to catch your attention and manipulate your emotions. In the coming weeks, we expect to see cybercriminals referencing President Trump's health in their phishing attacks and in their social media disinformation campaigns.
Here are some tips to stay safe:
- Be suspicious of emails, texts, and social media posts that contain shocking developments to the story. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
- No matter how shocking the news, always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
- Stay informed by following trusted news sources and do some research to check the accuracy of sensational headlines.
This past July, Twitter fell victim to an infamous social engineering attack. The attack gave hackers control of over one hundred high-profile accounts—from politicians to celebrities. The hackers used these accounts to scam Twitter followers out of money. Now, cybercriminals are using this event as bait for a convincing phishing scam.
The phishing email uses text that is very similar to the official statement that Twitter made in response to the July attack. The email claims that due to a security breach, you must confirm your identity by clicking on a link in the email. If you click the link, you are redirected to a site that looks very similar to the real Twitter login page. The site is actually a look-alike designed to steal your login credentials. Any information that you enter on this page is delivered straight to the bad guys.
Don’t be fooled! Follow these tips:
- Never click on a link within an email that you weren’t expecting.
- When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
- Email security filters can only do so much to protect you from malicious emails. Stay alert and help create a human firewall for your organization.
Working with a third-party organization can be a great help, but what happens if that third party falls victim to a cybersecurity attack? Not only could your organization’s shared data be exposed, but you may become the target of a unique phishing attack.
Once a scammer has access to a third party’s email account, they can use it to send phishing emails from a legitimate and familiar email address. Some cybercriminals take this attack a step further by forwarding or replying to real emails that were already in the third party’s inbox. Posing as the original sender, the bad guy sends a simple message such as “Here’s that document you needed.” and includes their own malicious link or attachment. Typically, the phishing email is completely unrelated to the original email but the attack can still be convincing because it appears to be part of a previous conversation.
Don’t be fooled! Here’s how to stay safe from third-party phishing attacks:
- Never click a link or download an attachment from an email that you weren’t expecting—even if it appears to be from someone you know.
- Read the prior conversation and compare it to the newest email. If you find that the information is unrelated or if the sender never mentioned a link or an attachment previously, this could be a phishing attack.
- If you’re unsure whether or not an email is legitimate, reach out to the sender by phone. One quick call could save your organization from a potential data breach.
In early September, a phishing attack surfaced that imitates one of our security awareness training email notifications. The phishing email comes from our evil twin (the cybercriminals behind this attack) and claims that your training assignment will expire within 24 hours. You are directed to click a link to complete your training.
The link in the email shows the name of your training platform, but if you hover over this link with your mouse, you'll see that the destination domain is actually “msk.turbolider.ru”. Clicking on this disguised phishing link takes you to a phony Microsoft Outlook login page. If you enter information on this page, it will be sent directly to the bad guys.
How do you tell if an email came from the good twin or the evil twin? Follow these tips:
- Remember that any site, brand, or service can be spoofed. Always think before you click, especially if you were not expecting the email.
- Before you click, always hover over a link to preview the destination—even if you think the email is legitimate. Pay close attention to URL misspellings or unusual domain names.
- If you are suspicious of an email that claims to be a training notification, reach out to your manager or training coordinator for help. They can find out if the notification is legitimate.
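The “hover over the link” advice above boils down to one comparison: does the text you see name the same place the link actually goes? The following is an added example, not code from the original page or from Orrstown Bank, showing how a mail filter or help-desk tool can automate that check. It parses the HTML body of a message, extracts every link, and flags any link whose visible text names a different domain than its real destination, or whose destination is not on a list of expected domains. The sample message and the domain “training.example.com” are constructed for the example; “msk.turbolider.ru” is the destination domain the text above describes.

```python
"""Flag links whose visible text does not match their real destination.

Added example (not part of the original page). Parses an HTML email body,
collects every <a href> with its displayed text, and reports links where the
displayed text looks like a different host than the href, or where the href
host is not an expected domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake training notification. The visible link text names
# the (hypothetical) training platform, but the href goes elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your training assignment expires in 24 hours.</p>
<p>Complete it here:
<a href="https://msk.turbolider.ru/login">https://training.example.com/courses</a></p>
<p>Questions? <a href="https://training.example.com/help">training.example.com/help</a></p>
"""

# Assumption: the real platform's domain(s); subdomains of these are accepted.
EXPECTED_DOMAINS = {"training.example.com"}

# Finds something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_expected(host, expected_domains):
    """True if host equals, or is a subdomain of, an expected domain."""
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def audit_links(html, expected_domains):
    """Return one finding per link: href, visible text, and why it is suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest_host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = HOST_RE.search(text)
        # Visible text names a host, but the href resolves to a different one.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(dest_host):
            reasons.append(f"text says {shown.group(1)} but href goes to {dest_host}")
        # Destination is not one of the domains we expect this sender to use.
        if dest_host and not is_expected(dest_host, expected_domains):
            reasons.append(f"{dest_host} is not an expected domain")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, EXPECTED_DOMAINS):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{status}] {f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, the first link is flagged for both reasons (its text names training.example.com while the href goes to msk.turbolider.ru, which is not an expected domain) and the second link passes. The registrable-domain helper is deliberately simple; a production filter would use the public suffix list so that hosts like “example.co.uk” are handled correctly.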
The COVID-19 pandemic has led to many creative phishing attacks such as phony offers for free testing, claims that you have come in contact with an infected person, and even accusations that you have violated health and safety protocols. Scammers have come up with yet another Coronavirus-themed attack. This time, they are taking advantage of the worldwide race to develop a vaccine.
The phishing email uses the subject line “URGENT INFORMATION LETTER: COVID-19 NEW APPROVED VACCINES”. Within the email, you are directed to download an attachment to view this letter. The attachment itself is named “Download_Covid 19 New approved vaccines.23.07.2020.exe”. If you were to download and open this file, you would find that it is actually a piece of malicious software designed to gather data such as usernames, passwords, and other sensitive information.
Don’t be fooled! Remember these tips:
- Watch for sensational words like “URGENT”. Remember, the bad guys want you to panic and click without thinking.
- Never download an attachment from an email you weren’t expecting.
- Don’t trust an email. Instead, visit an official government website or a trusted news source for information on vaccine developments.
Voice phishing, or “Vishing”, is a phishing attack conducted by phone. This is a classic tactic that bad guys typically use to collect your credit card or financial data, along with other personal information. Here’s an example: You receive a call from someone claiming to be a customer service representative for a specific retailer. They say your order could not be processed because your credit card was declined. But not to worry! They are happy to help correct the issue. The caller claims that they need your credit card number, expiration date, and code on the back.
While this scheme is simple, it is also surprisingly effective. The bad guys catch victims off-guard with a pressing issue, like a declined payment. The victim is then relieved when the scammers offer an easy and immediate solution. If you don't take the time to stop and think about the situation, you could give away your personal data before you realize what is really happening.
Remember to stop, think, and follow these tips:
- Don’t trust the caller ID. Phone numbers can be spoofed to look like a familiar or safe caller.
- Never provide personal information over the phone, unless you are the one who initiated the call.
- If you receive a suspicious phone call, hang up, and use the company's official phone number to call them directly.
Have you ever found yourself staring at a wobbly letter trying to decide if it is an X or a Y, just to prove to a website that you’re not a robot? This funny little test is called a CAPTCHA and it is used to help prevent automated malicious software, known as “bots”, from accessing sensitive information. Unfortunately, cybercriminals are now using CAPTCHAs as a way to make their phishing scams seem more legitimate.
In a recent Netflix-themed attack, scammers are sending a phishing email that claims "your payment did not go through and your account will be suspended in the next 24 hours". To resolve the issue, you're instructed to click on a link in the email to update your information. If you click the link, you’re taken to a CAPTCHA page. Once you pass the CAPTCHA, you’re redirected to an unrelated webpage that looks like a Netflix login page. Here you’re asked to enter your username and password, your billing address, and your credit card information. Don’t be fooled! Anything entered here is sent directly to the cybercriminals.
Remember these tips:
- Phishing emails are often designed to create a sense of urgency. In this case, “your account will be suspended in the next 24 hours”! Think before you click; the bad guys rely on impulsive clicks.
- When an email asks you to log in to an account or online service, log in to your account through your browser and not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.
- Remember, anyone can create a CAPTCHA webpage, so don't fall for this false sense of security.