phone Real People in Fake Call Centers
The newest trend in cybercrime is the use of cybercriminal-controlled call centers to trick you into providing your bank or credit card information. Cybercriminals try to use real people in fake call centers to convince you that a scam is legitimate.
A recent call center scam starts with an email that appears to be an invoice for a very large purchase. It is not clear what company this invoice is from or what was purchased, but the payment amount is listed six times. The email also starts and ends with a line directing you to call their number if you did not authorize the transaction. If you call the number provided, a representative happily offers to refund you. But first, they’ll need your bank or credit card information. Unfortunately, the representative is actually a cybercriminal who plans to use your payment information for their own devious purposes.
Follow these tips to stay safe from this social engineering attack:
- The invoice in this attack is specifically designed to cause alarm and frustration. Cybercriminals target your emotions in hopes of tricking you into acting impulsively. Always think before you click.
- A valid phone number doesn’t mean that an email is legitimate. Cybercriminals are real people who can lie over the phone, just as they lie in phishing emails.
- Instead of calling the provided number, reach out to your bank or credit card company to verify the details of the transaction. If by chance there has been unauthorized usage, your bank or credit card company can help correct the issue.
Content provided by KnowBe4.com | 11.4.21
briefcase Phony LinkedIn Job Postings
It was recently discovered that job postings on LinkedIn aren’t as secure as you might expect. Anyone with a LinkedIn profile can anonymously create a job posting for nearly any small or medium-sized organization. The person creating the post does not have to prove whether or not they are associated with that organization. This means that a cybercriminal could post a job opening for a legitimate organization and then link applicants to a malicious website.
Worse still, cybercriminals could use LinkedIn’s “Easy Apply” option. This option allows applicants to send a resume to the email address associated with the job posting without leaving the LinkedIn platform. Since the email address is associated with the job posting and not necessarily the organization, cybercriminals can trick you into sending your resume directly to them. Resumes typically include both personal and professional information that you do not want to share with a cybercriminal.
Follow the tips below to stay safe from this unique threat:
- Watch out for grammatical errors, unusual language, and style inconsistencies in LinkedIn job postings. Be suspicious of job postings that look different compared to other job postings from the same organization.
- Avoid applying for a job within the LinkedIn platform. Instead, go to the organization’s official website to find their careers page or contact information.
- If you find a suspicious job posting on LinkedIn, report it. To report a job posting, go to the Job Details page, click the more icon, and then click Report this job.
Content provided by KnowBe4.com | 9.16.21
To kids, piggybacking is when someone jumps on your back and you carry them around for a while. In the business world, piggybacking is when you let someone that you do not know enter a door that you just opened. A lot of organizations rely on biometrics, key cards, or even regular keys to open locked doors. These could be doors to get into the building, parking garage, a particular office. Piggybacking is when someone you do not know, waits for you to open a locked door, and enters in behind you.
Many people allow this to happen because they want to be nice and courteous and open doors for people, you may even hold the door open for them. While this may be a nice gesture in public places, at the workplace, this could end up costing you. The bad guys, just like they would try and trick you with a fake email, are targeting your good nature, to gain access into a secured building.
If someone you do not know, is trying to enter the door behind you there are a couple of things you can do to still be courteous and follow the rules.
- Ask them where they are going and who they are there to see, then escort them to the office of the person they are going to see, and verify that they are supposed to be there.
- Kindly decline to let them in and explain that your organization has a strict no-piggybacking rule.
Once the bad guys have access to your offices, they can plug into any internet outlets, or sit down at any open and unlocked workstation, or place infected USB keys around the hallways and bathrooms. Remember, when it comes to piggybacking, kindly decline or insist on escorting them to the person they are there to see.
Content provided by KnowBe4.com | 7.20.21
email Phony FINRA Phishing
Once again, cybercriminals are impersonating the Financial Industry Regulatory Authority (FINRA), which is the largest brokerage regulation company in the US. Organizations strive to be compliant with regulations, which is why receiving an email that appears to be from FINRA can be quite startling.
In this FINRA-themed phishing email, the sender’s email address uses the domain gateway[dash]finra[dot]org. The email claims that your organization has received a compliance request and it directs you to click on a link for more information. To add a sense of urgency, the message also states “Late submission may attract penalties”. The email even includes a case number, request ID, and a footer with legal jargon to make it feel legitimate. But if you click the link, you will be redirected to a malicious website. Don’t fall for it!
Use the tips below to stay safe from similar attacks:
- Look for threats of urgency, such as the need to pay a penalty if you don’t act quickly enough. These scams rely on impulsive actions, so always think before you click.
- Check who sent the email. In this case, while the email address included the name FINRA, it did not use the official FINRA.org domain.
- If you are worried that the email could be legitimate, reach out to the company another way. Do not click any links or use the contact information provided in an email.
Content provided by KnowBe4.com | 6.17.21
lock World Password Day
Today, we're celebrating World Password Day! Every year on the first Thursday in May, World Password Day promotes better cybersecurity habits.
Take the #WorldPasswordDay Pledge
Take the World Password Day pledge by sharing and practicing the following cybersecurity tips:
- Change an old password to a long, strong one
- Turn on two-factor authentication for your important accounts
- Password protect your wireless router
- Don’t store passwords on your computer or phone
- Log off when you’re done with a program
- Periodically remove temporary internet files
Content provided by Infotech | 5.06.21
Cybercriminals not only use the internet and email to gain access to sensitive information, they use telephones to their unlawful advantage. Vishing is the term for criminal attempts to influence action or gain confidential information over the phone using social engineering.
How it Works
Criminals have the ability to call from a blocked, “spoofed,” or private number, making it easier to pose as a fellow employee, an authority figure, or any person or organization that you would commonly interact with.
Any information regarding the processes or technologies a company uses would assist in a breach of an organization. Information that you may not consider very sensitive, such as employee names, titles, or ID numbers, could certainly help these criminals.
Don’t Fall for These Phony Attempts
Think twice about giving out personal information to someone who claims to be from a different organization, or within your organization, unless you initiated the call yourself and you are certain the number called was valid. If someone contacts you requesting sensitive information, you can check the caller’s validity by asking to speak to their supervisor, or tell them you will call back, which will buy you time to investigate the request.
Vishing is not limited to gaining data from your organization, as vishers are also known to prey on your personal information. Remember to stop, look, and think before answering unfamiliar numbers, or before calling phone numbers you see in emails, internet ads, or pop-ups.
Content provided by KnowBe4.com | 3.29.21
email Phishing with Phony Loans
A year into the pandemic, bad guys continue to target struggling organizations. A recent example is a phishing email targeting those in the United States. Impersonating a bank, the sender offers loans through the Paycheck Protection Program (PPP). The PPP is a real relief fund that is backed by the United States Small Business Administration (SBA), but the email is nothing short of a scam.
The phishing email directs you to click a link to register for a PPP loan. When clicked, the link takes you to a form with an official-looking header that reads, “World Trade Finance PPP 2021 Data Collection”. The form requests a lot of personal information, such as your organization’s name, your business email, and your social security number. Any of the information submitted on this form goes straight to the cybercriminals.
Here’s how you can stay safe from scams like this:
• Think before you click! Desperate times call for diligent measures.
• If you or your organization need financial help, reach out to legitimate and well-known programs—don’t trust an unexpected email.
• Stay up-to-date on your country’s relief efforts by following local news and other trusted sources.
Content provided by KnowBe4.com
alert Stay Alert and Protect Your Personal Information
As scams continue to increase, we encourage you to do a quick check of your financial well-being and make sure not to let your guard down against scammers. UKFCU will not call, email or text you asking for any of your personal account information. If you suspect fraudulent activity, hang up the phone or don't click that link. When in doubt, call us directly at 859.264.4200 or 800.234.8528.
alert Scams Continue to be on the Rise
We continue to see an increase in scams and phishing attacks in the form of phone calls, texts and emails. We want to remind our members to be diligent when it comes to their account information. These fraudsters are very sophisticated, and it can appear as if they are calling or messaging from UKFCU.
Please remember, UKFCU employees will not call, text or email you asking for:
- Account number
- PIN number
- Full Debit or Credit Card number
- Online and Mobile Banking password
- Social Security Number*
- Security Codes
*When a member calls into our Call Center, we may ask for your social security number for identity verification purposes.
gift Cybersecurity Tips for Holiday Shopping
Streaming Services are being Spoofed in Phishing Attacks
Many streaming services such as Netflix, Spotify and Disney+ are reporting an increase in phishing attacks targeted towards their customers. These attacks range from phony email alerts accusing you of non-payment to offering you free streaming services during the pandemic. Both of these strategies include a link that takes you to a page designed to gather your information and deliver it to the fraudsters.
Remember the following tips to stay safe:
- Other streaming services may be spoofed as well. Remember that if something seems to good to be true, it probably is.
- Never click on a link you weren't expecting. Even if it appears to be from a company or service you recognize.
- When an email asks you to log into an account or service, log in to your account through your browser - not by clicking the link in the email. This way, you can ensure you're logging into the real website and not a phony look-alike.
Content provided by KnowBe4
alert Fraud Alert - Increasing Amount of Scams due to Coronavirus
Some of our members are being targeted with fraudulent text messages. Currently, the scammer indicates they are from our Fraud Department and asks the member if they authorized a certain debit card purchase. If the member replies in any way, they will receive a call which appears to come our call center, 859.264.4200. They will ask if the member made this transaction or not.
Please do not respond to these messages. If you do, and you share any account or sensitive information with the scammer, please contact us directly and cancel your debit card. Or you may need to close your account depending on which account information was given out.
Please remember, UKFCU employees will not text or call you asking for:
- Account number
- PIN number
- Full Debit or Credit Card number
- Online and Mobile Banking password
- Social Security Number
- Security Codes
Please also be on high alert to potential scams based around the government stimulus checks that could be coming in the future. The government will not ask you for your account number nor will they ask you to return a portion of your stimulus check via gift cards or wires.
If you receive a call that shows it's from UKFCU and they ask you for any of this information, hang up immediately and call us at 859.264.4200 or 800.234.8528. If you receive a text of email asking for you to verify this information, please call us.
Some of our members are being targeted with fraudulent text messages. The texts claim that the member's visa card has been "locked", and instructing members to contact an unknown phone number & email. If you receive this text message, or any sort of suspicious communication, do not attempt to contact the provided contact information or click any links that may be present in the communications.
Call us at 859.264.4200 or 800.234.8528 to verify any suspicious communications you may receive.
With the holiday season approaching, UKFCU wants to remind our members that we do everything possible to protect your information. There have been reports of fraudsters "spoofing" financial institution phone numbers so it will show up on your caller ID as UKFCU. We will never call you and ask for the following information:
- Online banking user name and password
- PIN number
- Security codes
- Account number
- Full Debit or Credit Card numbers
- Social Security number
If you receive a call that shows it's from UKFCU and they ask you for any of this information, hang up immediately and call us at 859.264.4200 or 800.234.8528. If you receive a text or email asking for you to verify this information, please call us.
Someone’s been naughty this year-and we’re not talking about you! Those awful scammers don’t take time out for the holidays, and if you don’t know what to expect you can be their next victim.
One of the oldest holiday scams, which is even more prevalent in the age of the internet, is the letter-from-Santa scam.
Here’s all you need to know about this Christmas-themed scheme.
How it plays out
In this ruse, scammers set up bogus websites where parents can order legitimate-looking letters from Santa for their children. The cost is less than $30. All they need to do is share some details about their child along with their credit card information, and the letter is supposedly as good as mailed.
Except that it’s not. Unfortunately, anyone who follows the instructions detailed on the site has just fallen prey to a scam. They’ll never see that promised letter, or the money they paid for the privilege of receiving a note from Santa. Worse, the ring of scammers now has the children’s information and their parent’s credit card details.
This set of circumstances can have all sorts of unhappy endings, from identity theft to emptied accounts. Sometimes, the scammers will go after the child’s credit, which will likely go unchecked for years. When the children are grown and try to open a credit card or take out a loan, they may find that their credit score has been destroyed by these scammers over the years, all without their knowledge.
Some sites will even offer to send the letter at no cost. All you need to do is share some details about your child, like their full legal name, date of birth and home address. Of course, this is also the work of scammers looking to steal your child’s identity.
How can I tell it’s a scam?
There are legitimate websites where you can order a letter from Santa for your child at no risk of identity theft or a ruined credit history. But how can you weed out the phony sites from the authentic services?
We’ve made it simple. Look for the following red flags, which should alert you to the fact that a site is created by scammers:
- The fruadster reaches out to you repeatedly. Promotional emails and ads are one thing; targeted marketing that is so aggressive it borders on harassment is another thing entirely. If a company doesn’t stop sending you emails or alerts about its services, you may be dealing with a scam.
- The site is not secure. As always, check for the lock icon and the ‘s’ after the ‘http’ in the URL; both indicate a site’s security. Also, look for security badges on the bottom of the webpage and click on them to see if they’re actual links to the security company they allegedly represent. Scammers often post static images of well-known security badges, which do fool people into thinking the site is safe.
- You need to answer too many questions. Yes, a service sending your child a letter from Santa will need to know your child’s name and mailing address. They may even ask your child’s age so they can send an age-appropriate letter. But there’s no need for them to be privy to your child’s exact date of birth, and certainly not their Social Security number. If the questions in an online form are making you uncomfortable, opt out.
- You can’t reach a representative by phone. Most websites will have the company’s toll-free contact number on the site’s homepage. If you suspect fraud, try the number. If the company is bogus, the number will likely be a fake.
- You can’t find any positive reviews about the company online. An online search on a legitimate service should bring up basic information and some positive reviews about the service. If a search turns up empty, and of course, if it turns up any reports of past scams, the “company” is run by crooks.
If you’ve recognized a company as a scam, be sure not to click on any links that are embedded in their emails. Flag their emails as spam, and delete every email, message and alert it sends you.
You can still send your child a letter from Santa. Try a legitimate site like Portable North Pole or or better yet, create and send one yourself!
smartphone Robocalls Claiming Your Social Security Number is Suspended
Be on the lookout for a popular robocall scam that is tricking people into believing their Social Security number (SSN) has been suspended. The robocall tells you to call the number provided to speak with a government agent about the issue. Some of the robocalls even threaten to issue an arrest warrant if the victim doesn’t respond.
When you call the number back, you are actually speaking with a fake government agent. This scammer will try to trick you into giving up sensitive personal information like your SSN, birth date, and bank account number.
Always remember the following to stay safe from tricks like this:
- Your Social Security number can never be suspended.
- The Social Security Administration will never threaten to arrest anyone.
- Do not share any type of personal information with anyone you don’t know over the phone.
- If you get this type of call, hang up the phone immediately and report the call to the appropriate agency.
alert Securing Your New Devices
During the holidays, internet-connected devices also known as Internet of Things (IoT) are often popular gifts—such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:
Use Strong Passwords:
Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don't provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.
Evaluate Your Security Settings:
Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.
Ensure You Have Up-to-Date Software:
When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.
Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.
lock Quick Tips on Protecting Your Security
Securing Your Account:
- UKFCU will never ask you to send us your personal information such as account numbers, card PINs, Social Security numbers, or Tax IDs over text or email.
- Enable biometric logins, like finger-print and facial recognition within your phone's settings, for added security within your mobile banking app.
- Frequently check your accounts, verifying your purchases and withdrawals.
Protecting Your Identity:
- Periodically check through your credit reports to make sure your accounts are secured.
- Do not carry sensitive information in your wallet like your Social Security card and Medicare card.
- Keep personal documents in a secure place, and shred sensitive documents when appropriate.
- Sign up for our text and email alerts through Online Banking.
- Stay ahead of the game by learning more about Consumer Protection with our free Smart Money Center Courses.
- Test your identity theft knowledge with this resource: Identity Theft IQ Test!
3/21/18 IMPORTANT INFORMATION: Debit Card Security Alert
Please be advised, if you have recently used an ATM in Lexington and surrounding areas, you need to be aware of a possible debit card compromise on your account. Please keep an eye on your account for any suspicious activity and if you see any fraudulent activity on your account, call 859.264.4200 or 800. 234.8528, immediately.
We will continue to work diligently to ensure your account is as secure as possible and update you on any possible data breaches.
To monitor your account thoroughly, sign up for Online Banking, or download our Mobile App. You may also sign up for Visa Purchase Alerts, which will notify you by email when transactions occur on your account. We apologize for any inconvenience this may cause.
While the internet and computers offer many opportunities and advancements for business and individuals, it also opens your door to predators and crooks. It is important to pay attention to who you are giving your confidential information to and make sure it is someone you know and trust.
You should NEVER be asked for your confidential information over e-mail. E-mail is not a secure method of transmitting information and the messages can be tapped into and information stolen. If you feel that you have received an e-mail or are suspicious of someone trying to commit Identity Theft, it is very important that you report the scam quickly so that law enforcement agencies can shut the fraudulent operations down.
Falcon Fraud Detection is provided to every UKFCU member with your debit and credit card. Falcon Fraud Detection reviews each suspicious transaction, reviews the cardholder account and calls the cardholder if necessary. The number for Falcon Fraud Center is 1.888.918.7313.
Take the Fraud Awareness Quiz- Are you protecting yourself against fraud?