Fraudsters targeting your phone, college prep and paycheck
Katie Franklin recently received a telephone call that didn’t seem unusual at first. Her caller ID indicated that it was her bank, and the caller knew some of her personally identifiable information (PII), including the last four digits of her debit card and Social Security number. However, Katie became suspicious when the caller asked her to verify both of these important pieces of information. She was smart enough to hang up because she suspected that the call was a scam. Katie was correct. It’s called caller ID spoofing.
Don’t trust your caller ID
On Oct. 31, 2018, Lisa Lake, a consumer education specialist for the Federal Trade Commission (FTC), wrote an alert on its website about these types of relatively new telephone scams. (See Spear phishing scammers want more from you.) They’re similar in motive but differ in other respects.
The motive of any type of telephone or email spearphishing or spoofing scam is to attempt to get potential victims to reveal PII, which the fraudsters will use for identity theft purposes. Also, the scams give the impression that they’re from a legitimate organization. But the scams differ in that the name of the organization making the call is listed on the caller ID only in the caller ID phishing scam. According to the article, here’s an example of what the caller says:
“I’m calling from (pick any bank]. Someone’s been using your debit card ending in 2345 at (pick any retailer]. I’ll need to verify your Social Security number — which ends in 8190, right? — and full debit card information so we can stop this unauthorized activity. ...”
The FTC recommends these steps to deal with these scams so that you aren’t a victim:
Don’t assume what’s on your caller ID is really who’s calling. Scammers can make it look like they’re calling from any trusted company.
If you get a phone call, email or text from anyone asking for PII, don’t respond. Confirm the source through other means.
Scammers can get all of kinds of PII about you, so don’t trust someone just because they have that information.
If you’ve given out your PII, visit IdentityTheft.gov to find out what to do.
Even if you didn’t reveal any PII, report the scam to the FTC. Your information will help with investigations.
Always report these schemes to your local law enforcement agency and media outlets so they can alert the public to minimize the damage. Spearphishing and spoofing scams using emails have been active for years, but fraudsters are now preferring the telephone to target victims So, keep alert!
SAT test prep? Maybe, maybe not
You think you’re helping your child get admitted to their dream college, but you could be a victim instead. (See College test prep scams are happening, by FTC consumer education specialist Ari Lazarus, Oct. 23, 2018.)
Fraudsters are using email or telephones to pose as employees from The College Board, the company that administers the PSAT and SAT tests that institutions of higher education use to admit students. These crooks do their homework beforehand to obtain student names and PII. They then use a similar script and ask parents for credit card numbers to pay for PSAT or SAT prep materials that no one actually ever ordered.
The FTC offers this advice to avoid becoming a victim from this scam:
The College Board will never ask you to give payment or password information over the phone or via email. (See their security tips.)
Make sure the company offering test prep materials is legitimate by researching the company. Search for their name plus the word “scam” or “complaint.” Also, talk to someone you trust before you pay.
Consider using a credit card if you decide to pay because it has significant fraud protection built into it. If anyone asks you to pay by wiring money or by using a reloadable card or gift card, it’s always a scam.
Diverting your paychecks
You work hard for your money, but so do fraudsters. The FBI reported that cybercriminals are using a new scam to rob employees’ payroll checks. (See Cybercriminals utilize social engineering techniques to obtain employee credentials to conduct payroll diversion, Sept. 18, 2018.) They’re targeting online payroll accounts in a myriad of industries, including education, health care and commercial airway transportation. No doubt, other industry sectors will be compromised in the future.
To pull off this scam, the cybercriminals first capture an employee’s login credentials via a phishing scam. Then they gain access to the employee’s payroll account to change their account information and add rules that prevent the employee from receiving alerts pertaining to direct deposit changes. When an employer uses the direct deposit system for that employee’s pay, it’s redirected to an account controlled by a cybercriminal — often a prepaid card — who then converts the card into cash.
The FBI recommends these steps to help avoid this scam:
Alert your workforce about this scheme and prepare preventative strategies and reactive measures should a breach occur.
Tell employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. It might show that the URL isn’t from the company that the email says it is.
Tell employees to never supply login credentials or PII in response to any email.
Have employees forward suspicious requests to the IT or HR departments.
Make sure that employees have unique login credentials for their payroll.
Increase security measures for any requests to update or change direct deposit credentials. Monitor employee logins that aren’t during normal business hours.
Restrict access to the internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
The FBI, on its website, encourages victims to report information concerning suspicious or criminal activity to their local FBI field office and file a complaint with the IC3. Find a list of its field offices here. The list includes a website address for each office that contains a wealth of important information for all viewers.
Consumers and organizations should contact their local FBI office to report any type of suspected fraud problem to seek help, which will help the FBI to accumulate the frequency of a scam and issue an alert to the public.
Please share this information with your business associates, family, friends and clients and include it in your outreach programs. An important takeaway from this column is that newer versions of old scams continue to emerge as well as new ones. You’ve been forewarned, so tread with care!
Please contact me if you have any identity theft or cyber-related issues you’d like me to research and possibly include in future columns or if you have any questions about this column or any other cybersecurity and identity theft issues. I don’t have all the answers, but I’ll do my best to help. Stay tuned!