Security Tips

• The candidate applies for a "lucrative work-from home job" online
• A "hiring manager" reaches out, usually via Messenger, Telegram, Skype, or a text message
• The "hiring manager" extends an offer to the candidate, but there's a catch.. The candidate is asked to front money or deposit a check, usually in the guise of purchasing work equipment.
• It always ends the same way- with the candidates still out of work, and no means to get their stolen money back.

• Be wary of any job for which the entire interview process takes place through text messages. Legitimate jobs usually require at least one phone call or in-person interview.
• Legitimate jobs don't require you to pay for your own equipment.
• Never give your Zelle account information- including your phone number or email- to unknown individuals.

• If you suspect you're on the phone with a scammer, hang up.
• Never share your bank or Zelle account authentication codes with anyone.
• Don't send money to yourself via Zelle to "reverse unauthorized payments"

• Spoofing is a type of phishing scam in which the scammer is deliberately impersonating a company and/or installing malicious software at the same time.

• Know that Zelle will never solicit money via emails or phone calls.
• Verify that the sender's email address is from an official domain.
• Look for signs of phishing- questionable grammar and a tone of forced urgency are some tip-offs.

• Account takeovers usually unfold the same way as phishing, spoofing or smishing scams wherein the victim clicks on a phony login link.
• This gives the scammer access to your accounts.
• Then, they change your password and other account details to lock you out of your account.
• Since the locked-out account is still connected to your bank account, you'll be the one footing the bill for the scammer's spending spree.

• Only enter your Zelle login credentials on the official Zelle app or website.
• Send a $1.00 transfer to confirm that you've reached the intended recipient prior to making larger transfers.

• In this scam, the alleged buyer responds to a listing on Facebook Marketplace asking if the item is still available. This usually happens within a couple of hours after the listing goes up. The scammer often pretends to be a senior citizen who isn't very tech-savvy.
• They ask for your phone number or email address to send you the money on Zelle.
• You may then receive a phishing email from Zelle lookalike domain, "ZelleSupport@gmail.com" is an example.
• These emails typically prompt you to pay to upgrade to a Zelle business account. You may even be asked to pay via link in the phishing email.

• Ask for the recipient's Zelle email address- not a phone number. Spotting typos in email addresses is easier (and more obvious) than identifying incorrect digits in a phone number.
• Remember that you don't need a Zelle business account to make and accept payments on Zelle.
• Don't use Zelle for commercial transactions.

• You may receive a call out of the blue flagging a fraudulent transaction from your bank account.
• The caller purports to be from your bank and even offers evidence such as a seemingly legitimate caller ID.
• They then walk you through an elaborate, fake Zelle refund process. You inadvertently end up paying the scammer to reclaim funds you never lost in the first place.

• If you're not convinced you're speaking to a bank representative, hang up and call the official number on your bank's website.
• Be wary if anyone demands upfront payment to "recover" your lost funds on account access.

• If rental scams pressure you into paying advances for a listing that's too good to be true, overpayment scams operate differently.
• An "interested" buyer may contact you about the item you're selling on Craigslist.
• When the buyer pays you with a certified or cashier's check, you notice it exceeds the sale price.
• They then urge you to deposit the check and wire the overpaid amount.
• By the time the bank flags the counterfeit check, you've lost the sale item and the overpaid amount.

• Look up the bank account address, and phone number for the bank name displayed on any check you receive. Call the bank's official phone number- not the one listed on the check- to confirm.
• Turn down checks made out to an amount larger than what you discussed. If the buyer insists that you return any over payments using apps like Zelle, it's a scam.

• If the person you're sending money to is also a Zelle user, the payment can't be canceled.
• Zelle- like Venmo or Cash App- was designed to transfer money between family and friends, not unknown users. This is why Zelle uses the Automated Clearing House payments system to expedite transactions.

• Unlike its competitors, Zelle is owned by Early Warning Services- a fintech company run by seven of the largest banks in the United States.
• Money transfers require little more than tapping on the Zelle integration on participating bank's mobile app.
• If your bank doesn't integrate with Zelle, the standalone Zelle app will initiate transfers as long as you connect Visa or Mastercard debit card.

• ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance- not to buy something, and not to protect your money. That's always a scam.
• ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
• NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or asks you to send them crypto, that's a scam.

• A so-called "investment manager" contacts you out of the blue. They promise to grow your money- but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
• An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
• Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
• Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
• Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details. 
• IF YOU SEE A TWEET ( OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!

Technology Topic of the Month

Account Takeover

What is Account Takeover

Account Takeover (ATO) fraud involves a criminal gaining unauthorized access to a user's account and using it for some type of personal gain.

What is Account Takeover Fraud?

Account takeover fraud can involve any type of online account, social media, and online banking accounts. Commonly targeted accounts are those from which a criminal can steal money. For example, a hacker might gain access to an online banking account and send funds to their own account. A fraudster could take over a social media account and invent a reason to request money from family and friends of the victim.

Difference Between Account Takeover and Identity Theft

With account takeover, the fraudster is using an existing account, whereas in identity theft, they would open up a new account while posing as the victim.

How Do Criminals Get Credentials In the First Place?

Data Breaches

A data breach is when a list of usernames (and potentially accompanying passwords) is leaked. These lists go on sale on the black market, meaning any number of criminals could be using them at the same time.

If a username and password for one account is known, hackers can use automated systems to try the same combination on a list of popular online platforms. This is referred to as credential stuffing, and is the reason it's so important to use a different password for every account.

Phishing Scams

These attacks may occur via email, over the phone, or via text message. The fraudster is trying to get you to hand over your login information. A phishing email might pose as a customer support message that persuades you to click a link to a phishing site (a fake website designed to phish for information). Here, you are prompted to enter your login information, which is then stolen by criminals.

Phone Scams

An example of an account takeover scam initiated over the phone is an iteration of the tech support scheme.

For example, the criminal poses as a Microsoft representative and persuades you that your computer has a virus and needs to be fixed. You hand over remote access to your device, and the criminal can access any accounts you have credentials stored for. They may purport to be "testing" accounts and access them in plain sight, or they could remote access to install spyware.

Spyware

Specific types of malware downloaded onto your device from malicious email links or attachments could expose your credentials. Some spyware takes regular images of your computer sessions, while key loggers record every keystroke, exposing your usernames and passwords.

Hacking Over Unsecured Wife

Many people think nothing of logging in to free Wi-Fi while at a cafe', mall, hotel, or airport. But these networks are often unsecured and represent a great opportunity for hackers to steal your information. A common attack over these networks is a man in the middle attack in which the hacker intercepts the contents of your internet traffic.

What are Attackers Trying To Do?

Here are some of the different things that criminals can get up to once they have access:

• Credit Card Fraud- Credit Card details for use in credit card fraud.
• Merchant Account Fraud- With access to bank account, an attacker can transfer funds to another account, among other things.
• Re-sell credentials: Username and password combinations may be posted for sale on the black market.
• Take out loans: Access to financial accounts can be used to take out loans and even mortgages in the victim's name.
• Monetary requests: By taking over a victim's social media account, the attacker can pose as the victim and make requests to family and friends for money.

* Once a criminal has access to an account, they usually very quickly try to lock the real user out by changing the password, recovery email, two-factor authentication settings, and security questions and logging out of other devices.

• say they've noticed some suspicious activity or log-in attempts- they haven't
• claim there's a problem with your payment information- there isn't
• say you need to confirm some personal or financial information- you don't
• include an invoice you don't recognize- it's fake
• want you to click on a link to make a payment- but the link has malware
• say you're eligible to register for a government refund- it's a scam
• offer a coupon for free stuff- it's not real

• The email has a generic greeting
• The email says your account is on hold because of a billing problem.
• The email invites you to click on a link to update your payment details.

• something you know- like a passcode, a PIN, or the answer to a security question.
• something you have- like a one-time verification passcode you get by text, email or from an authentication app; or a security key

• You received an unsolicited email or social media message that promises easy money for little or no effort.
• The "employer" you communicate with uses web-based email services (such as outlook, Gmail, Yahoo, Hotmail, etc.)
• You are asked to open a bank account in your own name or in the name of a company you form to receive and transfer money.
• As an employee, you are asked to receive funds in your bank account and then "process" or "transfer" funds via: wire transfer, ACH, mail, or money service business (such as Western Union or MoneyGram).
• You are allowed to keep a portion of the money you transfer.
• Your duties have no specific job description.

• An online contact or companion, whom you have never met in person, asks you to receive money and then forward to one or more individuals you do not know.

• Do online searches to check the legitimacy of any company that offers you a job.
• DO not accept any job offers that ask you to use your own bank account to transfer money. A legitimate company will not ask you to do this.
• Be wary if an employer asks you to form a company to open up a new bank account.
• Be suspicious if an individual you met on a dating website wants to use your bank account for receiving and forwarding money.
• Never give your financial details to someone you don't know and trust, especially if you met them online.

• Stop communicating with the suspected criminal(s)
• Stop transferring money or any other items of value immediately.
• Maintain any receipts, contact information, and relevant communications (emails, chats, text messages, etc)
• Notify your bank and the service you used to conduct the transaction.
• Notify law enforcement. Report suspicious activity to the FBI's Internet Crime Complaint Center and contact your local FBI field office.

• Don't send a payment to claim a prize or collect sweepstakes winnings.
• Don't give your account credentials to anyone that contacts you.
• Before you submit any payment, double-check the recipient's information to make sure you're sending money to the right person.
• If you get an unexpected request for money from someone you do not recognize, speak with them to make sure the request really is from them- and not a hacker who got access to their account.

• Cash App. Cash App recommends chatting through their app for the fastest service. To do so, open the app, go to your profile, and choose Support. You can also get help through cash.app/help or by calling 1 (800) 969-1940.
• Venmo. Venmo recommends chatting through their app for the fastest service. To do so, open the app, go to your profile, and choose Get Help. You can also email Venmo through their contact form or call them at 1 (855) 812-4430.
• PayPal. Report it online through PayPal's Resolution Center or call PayPal at 1 (888) 221-1161.

• Don't allow your device to auto-join unfamiliar networks.
• Always turn off WiFi when you aren't using it or don't need it.
• Never send sensitive information over WiFi unless you're absolutely sure it's a secure network.

• Only use apps available in your device's official store- NEVER download from a browser.
• Be wary of apps from unknown developers or those with limited/bad reviews.
• Keep them updated to ensure they have the latest security.
• If they're no longer supported by your store, just delete!
• Don't grant administrator, or excessive privileges to apps unless you truly trust them.

• Watch for ads, giveaways and contests that seem too good to be true. Often these lead to phishing sites that appear to be legit.
• Pay close attention to URLs. These are harder to verify on mobile screens but it's worth the effort.
• Never save your login information when you're using a web browser.

• Disable automatic Bluetooth pairing.
• Always turn it off when you don't need it.

• Don't trust messages that attempt to get you to reveal any personal information.
• Beware of similar tactics in platforms like What's App, Facebook Messenger Instagram, etc.
• Treat messages the same way you would treat email, always think before you click!

• Do not respond to telephone or email requests for personal financial information. If you are concerned, call the financial institution directly, using the phone number that appears on the back of your credit card or monthly statement.
• Never click on a link in an unsolicited commercial email.
• Speak only with live people when providing account information, and only when you initiate the call.