Security Tips

• The candidate applies for a "lucrative work-from home job" online
• A "hiring manager" reaches out, usually via Messenger, Telegram, Skype, or a text message
• The "hiring manager" extends an offer to the candidate, but there's a catch.. The candidate is asked to front money or deposit a check, usually in the guise of purchasing work equipment.
• It always ends the same way- with the candidates still out of work, and no means to get their stolen money back.

• Be wary of any job for which the entire interview process takes place through text messages. Legitimate jobs usually require at least one phone call or in-person interview.
• Legitimate jobs don't require you to pay for your own equipment.
• Never give your Zelle account information- including your phone number or email- to unknown individuals.

• If you suspect you're on the phone with a scammer, hang up.
• Never share your bank or Zelle account authentication codes with anyone.
• Don't send money to yourself via Zelle to "reverse unauthorized payments"

• Spoofing is a type of phishing scam in which the scammer is deliberately impersonating a company and/or installing malicious software at the same time.

• Know that Zelle will never solicit money via emails or phone calls.
• Verify that the sender's email address is from an official domain.
• Look for signs of phishing- questionable grammar and a tone of forced urgency are some tip-offs.

• Account takeovers usually unfold the same way as phishing, spoofing or smishing scams wherein the victim clicks on a phony login link.
• This gives the scammer access to your accounts.
• Then, they change your password and other account details to lock you out of your account.
• Since the locked-out account is still connected to your bank account, you'll be the one footing the bill for the scammer's spending spree.

• Only enter your Zelle login credentials on the official Zelle app or website.
• Send a $1.00 transfer to confirm that you've reached the intended recipient prior to making larger transfers.

• In this scam, the alleged buyer responds to a listing on Facebook Marketplace asking if the item is still available. This usually happens within a couple of hours after the listing goes up. The scammer often pretends to be a senior citizen who isn't very tech-savvy.
• They ask for your phone number or email address to send you the money on Zelle.
• You may then receive a phishing email from Zelle lookalike domain, "ZelleSupport@gmail.com" is an example.
• These emails typically prompt you to pay to upgrade to a Zelle business account. You may even be asked to pay via link in the phishing email.

• Ask for the recipient's Zelle email address- not a phone number. Spotting typos in email addresses is easier (and more obvious) than identifying incorrect digits in a phone number.
• Remember that you don't need a Zelle business account to make and accept payments on Zelle.
• Don't use Zelle for commercial transactions.

• You may receive a call out of the blue flagging a fraudulent transaction from your bank account.
• The caller purports to be from your bank and even offers evidence such as a seemingly legitimate caller ID.
• They then walk you through an elaborate, fake Zelle refund process. You inadvertently end up paying the scammer to reclaim funds you never lost in the first place.

• If you're not convinced you're speaking to a bank representative, hang up and call the official number on your bank's website.
• Be wary if anyone demands upfront payment to "recover" your lost funds on account access.

• If rental scams pressure you into paying advances for a listing that's too good to be true, overpayment scams operate differently.
• An "interested" buyer may contact you about the item you're selling on Craigslist.
• When the buyer pays you with a certified or cashier's check, you notice it exceeds the sale price.
• They then urge you to deposit the check and wire the overpaid amount.
• By the time the bank flags the counterfeit check, you've lost the sale item and the overpaid amount.

• Look up the bank account address, and phone number for the bank name displayed on any check you receive. Call the bank's official phone number- not the one listed on the check- to confirm.
• Turn down checks made out to an amount larger than what you discussed. If the buyer insists that you return any over payments using apps like Zelle, it's a scam.

• If the person you're sending money to is also a Zelle user, the payment can't be canceled.
• Zelle- like Venmo or Cash App- was designed to transfer money between family and friends, not unknown users. This is why Zelle uses the Automated Clearing House payments system to expedite transactions.

• Unlike its competitors, Zelle is owned by Early Warning Services- a fintech company run by seven of the largest banks in the United States.
• Money transfers require little more than tapping on the Zelle integration on participating bank's mobile app.
• If your bank doesn't integrate with Zelle, the standalone Zelle app will initiate transfers as long as you connect Visa or Mastercard debit card.

• ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance- not to buy something, and not to protect your money. That's always a scam.
• ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
• NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or asks you to send them crypto, that's a scam.

• A so-called "investment manager" contacts you out of the blue. They promise to grow your money- but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
• An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
• Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
• Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
• Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details. 
• IF YOU SEE A TWEET ( OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!

Technology Topic of the Month

Account Takeover

What is Account Takeover

Account Takeover (ATO) fraud involves a criminal gaining unauthorized access to a user's account and using it for some type of personal gain.

What is Account Takeover Fraud?

Account takeover fraud can involve any type of online account, social media, and online banking accounts. Commonly targeted accounts are those from which a criminal can steal money. For example, a hacker might gain access to an online banking account and send funds to their own account. A fraudster could take over a social media account and invent a reason to request money from family and friends of the victim.

Difference Between Account Takeover and Identity Theft

With account takeover, the fraudster is using an existing account, whereas in identity theft, they would open up a new account while posing as the victim.

How Do Criminals Get Credentials In the First Place?

Data Breaches

A data breach is when a list of usernames (and potentially accompanying passwords) is leaked. These lists go on sale on the black market, meaning any number of criminals could be using them at the same time.

If a username and password for one account is known, hackers can use automated systems to try the same combination on a list of popular online platforms. This is referred to as credential stuffing, and is the reason it's so important to use a different password for every account.

Phishing Scams

These attacks may occur via email, over the phone, or via text message. The fraudster is trying to get you to hand over your login information. A phishing email might pose as a customer support message that persuades you to click a link to a phishing site (a fake website designed to phish for information). Here, you are prompted to enter your login information, which is then stolen by criminals.

Phone Scams

An example of an account takeover scam initiated over the phone is an iteration of the tech support scheme.

For example, the criminal poses as a Microsoft representative and persuades you that your computer has a virus and needs to be fixed. You hand over remote access to your device, and the criminal can access any accounts you have credentials stored for. They may purport to be "testing" accounts and access them in plain sight, or they could remote access to install spyware.

Spyware

Specific types of malware downloaded onto your device from malicious email links or attachments could expose your credentials. Some spyware takes regular images of your computer sessions, while key loggers record every keystroke, exposing your usernames and passwords.

Hacking Over Unsecured Wife

Many people think nothing of logging in to free Wi-Fi while at a cafe', mall, hotel, or airport. But these networks are often unsecured and represent a great opportunity for hackers to steal your information. A common attack over these networks is a man in the middle attack in which the hacker intercepts the contents of your internet traffic.

What are Attackers Trying To Do?

Here are some of the different things that criminals can get up to once they have access:

• Credit Card Fraud- Credit Card details for use in credit card fraud.
• Merchant Account Fraud- With access to bank account, an attacker can transfer funds to another account, among other things.
• Re-sell credentials: Username and password combinations may be posted for sale on the black market.
• Take out loans: Access to financial accounts can be used to take out loans and even mortgages in the victim's name.
• Monetary requests: By taking over a victim's social media account, the attacker can pose as the victim and make requests to family and friends for money.

* Once a criminal has access to an account, they usually very quickly try to lock the real user out by changing the password, recovery email, two-factor authentication settings, and security questions and logging out of other devices.