Maintaining the confidentiality of customer information is one of our fundamental responsibilities, and we want to ensure customers know how to protect themselves from fraud and identity theft.
Remember, Dean Bank will never request confidential information via email solicitation. Please report any such requests by calling 508.528.0088.
March 29, 2023 Risk Office Advisory: Account Takeover
What is an Account Takeover (ATO)?
Account takeover is an attack in which cybercriminals gain control of a victim's online accounts using stolen usernames and passwords, and then use that access to commit fraud. The attackers typically buy cardholders' Personally Identifiable Information (PII) on the dark web, where it arrives from social engineering (phishing, vishing, or smishing attacks, described below) or from data breaches. Stolen PII (e.g., name, address, email, phone number, date of birth, business name, cellphone provider, social media accounts, and login names and passwords) gives a fraudster everything needed to pose as the cardholder.
With this information a fraudster can contact the cardholder's financial institution and change account or card settings in preparation for fraud. Typical steps are demographic changes (phone numbers, email addresses, passcodes), followed by requests for increased limits, Personal Identification Number (PIN) changes, and/or travel exemptions, all intended to suppress or interfere with our fraud-monitoring tools.
Media reports most often associate stolen card data with merchant data breaches. In an account takeover, however, the stolen data is not obtained from a payment system; it is gathered from the cardholder directly, or from breaches of other services the cardholder uses.
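The sequence described above (a change to contact details, followed quickly by a limit increase, PIN change, or travel exemption on the same account) is a pattern a fraud or security-operations team can look for in account-servicing logs. The following is an added example and not Dean Bank's code or its fraud-monitoring rules: it correlates events from a constructed sample log, and the event names, the 48-hour window, and the account identifiers are assumptions chosen for illustration.

```python
"""
Illustrative account-takeover (ATO) indicator check over an account-servicing log.
Constructed example: the event names, window and accounts are assumptions, not
any institution's real rules or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Account-servicing actions the advisory describes fraudsters chaining together:
# first change contact details (so alerts reach the fraudster, not the customer),
# then raise limits, change the PIN, or add a travel exemption.
CONTACT_CHANGES = {"phone_change", "email_change", "passcode_change"}
HIGH_RISK_ACTIONS = {"pin_change", "limit_increase", "travel_exemption"}

# Assumed window: a high-risk action within 48 hours of a contact change.
WINDOW = timedelta(hours=48)

# Constructed sample log, one event per line: timestamp,account,action,channel
SAMPLE_LOG = """\
2023-03-01T09:12:00,ACCT-1001,phone_change,phone
2023-03-01T09:40:00,ACCT-1001,email_change,web
2023-03-01T10:05:00,ACCT-1001,limit_increase,phone
2023-03-01T10:07:00,ACCT-1001,travel_exemption,phone
2023-03-02T14:00:00,ACCT-2002,phone_change,branch
2023-03-20T11:00:00,ACCT-2002,pin_change,web
2023-03-03T08:00:00,ACCT-3003,pin_change,atm
"""


def parse_log(text):
    """Parse the CSV-style log into (timestamp, account, action, channel) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, channel = line.split(",")
        events.append((datetime.fromisoformat(ts), account, action, channel))
    events.sort()
    return events


def find_ato_patterns(events, window=WINDOW):
    """Return {account: [(contact_change, high_risk_action), ...]} for every
    high-risk action that followed a contact-detail change within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        recent_changes = []  # contact changes seen so far on this account, in time order
        hits = []
        for ts, _, action, channel in evs:
            if action in CONTACT_CHANGES:
                recent_changes.append((ts, action, channel))
            elif action in HIGH_RISK_ACTIONS:
                # Any earlier contact change inside the window makes this action suspicious.
                for cts, caction, _cchannel in recent_changes:
                    if ts - cts <= window:
                        hits.append((caction, action))
                        break
        if hits:
            alerts[account] = hits
    return alerts


if __name__ == "__main__":
    for acct, hits in find_ato_patterns(parse_log(SAMPLE_LOG)).items():
        print(f"{acct}: possible account takeover, sequence {hits}")
```

In the sample log only ACCT-1001 trips the rule: its phone and email were changed less than an hour before a limit increase and a travel exemption. ACCT-2002 changed its phone number 18 days before a PIN change, outside the window, and ACCT-3003 changed a PIN with no preceding contact change. A production rule would also weigh the channel (a change made in person after identity verification is lower risk than one made over the phone) and would alert the customer at the old contact details, not the new ones.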
Schemes that Contribute to Account Takeover
Skimming and Malware
Skimming and the deployment of point-of-sale (POS) terminal malware continue to be widespread methods for stealing card data. Smaller, local merchants are now more likely to be compromised than in years past. Data collected by POS malware is passed to criminal networks over remote, wireless connections with increasing speed. By reacting to fraud events quickly, your organization can significantly mitigate losses.
Phishing
The prevalence of phishing (tricking cardholders into revealing confidential information) and its variants continues to rise. Phishing schemes are becoming more targeted (such as "spear-phishing") and more difficult to identify than in the past. Instead of relying on suspicious links in poorly designed emails, phishing emails now mimic legitimate websites and appear polished and credible. The use of web-address shortening tools, such as TinyURL, makes suspicious links harder to detect, even for savvy users, because the real destination is hidden behind the shortened address. It is important to remind cardholders to safeguard their financial data and their online banking credentials against criminals trying to harvest them.
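The link tricks described above (shortened addresses, lookalike domains, and links whose visible text does not match their real destination) can be checked mechanically before anyone clicks. The following is an added example and not Dean Bank's code: it extracts the links from a constructed HTML email and flags the suspicious ones. The domain `example-bank.com` is a placeholder for whatever brand the message claims to come from, and the shortener list is an assumption; expanding a shortened link to see its real destination requires a network request, so the example only flags such links.

```python
"""
Illustrative phishing-link check for an HTML e-mail (added example with constructed input).
The expected domain and the shortener list are assumptions for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the legitimate domain of the brand the message claims to come from.
EXPECTED_DOMAIN = "example-bank.com"
# Assumed, deliberately short list of URL-shortening services worth flagging.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a bare 'www.example.com' without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(href, text, expected=EXPECTED_DOMAIN):
    """Return the reasons this link looks suspicious (an empty list means nothing was flagged)."""
    reasons = []
    host = host_of(href)
    if host in SHORTENERS:
        reasons.append("url-shortener")
    if "@" in urlparse(href).netloc:
        reasons.append("userinfo-in-url")  # e.g. http://bank.example@203.0.113.5/ goes to the IP
    if host.replace(".", "").isdigit():
        reasons.append("ip-literal-host")
    # Visible text that looks like a URL but points to a different organisation.
    if "." in text and " " not in text and host_of(text) and not same_org(host, host_of(text)):
        reasons.append("text-href-mismatch")
    # Brand name embedded in the host, but not the brand's own domain (lookalike).
    brand = expected.split(".")[0]
    if brand in host and not same_org(host, expected):
        reasons.append("lookalike-domain")
    return reasons


def scan_email(html, expected=EXPECTED_DOMAIN):
    """Map each link in the message to the list of reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, expected) for href, text in collector.links}


# Constructed sample message: three phishing-style links and one legitimate one.
SAMPLE_EMAIL = """
<p>Your account has been locked. <a href="http://tinyurl.com/abc123">Verify now</a></p>
<p>Or visit <a href="http://example-bank.com.login-verify.net/">example-bank.com</a></p>
<p>Help: <a href="https://support.example-bank.com/">support.example-bank.com</a></p>
<p>Secure: <a href="http://example-bank.com@203.0.113.5/">https://example-bank.com/</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

Only the `support.example-bank.com` link passes: the first is a shortener, the second puts the brand name in front of an unrelated domain, and the last uses the `user@host` URL form so the browser goes to the IP address after the `@`, not to the bank. A mail gateway would typically also expand shortened links and compare the destination against known phishing feeds, which this offline example does not do.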
Vishing and Smishing
Smishing and vishing schemes combine technical tricks with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers. Vishing is the fraudulent practice of making phone calls or leaving voice messages claiming to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. Cardholders may receive a voice or text message containing transaction details and asking them to confirm the transaction. When they respond, they may be questioned for account details, or asked to call back a number and provide account information. In some instances the cardholder receives a genuine one-time passcode (OTP) from the bank; it is genuine because the fraudster has just attempted to log in or transact as the cardholder. The caller or text message then asks the cardholder to read the code back, or instructs them to reply "No Fraud" to the text or voice message so that the fraudulent transaction is approved.
Be on the lookout for fraudulent messages of this kind that disguise themselves as legitimate fraud notifications. Additional red flags include unexpected hyperlinks, requests to reply with a code, and grammatical and punctuation mistakes.
Man-in-the-Browser Malware and Crime-ware
Malicious software that compromises an account holder's own computer, in particular through Man-in-the-Browser (MitB) attacks, is a significant threat to the security of financial data. MitB malware is usually installed silently through a "drive-by download" when the user visits a compromised website. Once installed, it monitors and hijacks the user's web sessions to transfer funds or harvest payment-card and online-banking credentials, while showing the legitimate cardholder a fictitious error page so the theft goes unnoticed.
Keeping the operating system patched and running up-to-date security and anti-malware software are critical first steps in preventing this type of fraud. Automation and crime-ware are increasingly available in the card-fraud world: all-in-one malware packages designed to compromise computer systems (e.g., Zeus, Citadel, Tilon), as well as individual tools that crack passwords and carry out brute-force attacks automatically, are sold on underground websites and criminal forums. Heavy reliance on a single type of security tool, or on older tools, can lead to greater fraud losses. We recommend a dynamic, multi-layered detection and prevention strategy.
- Cardholders are reminded to think about what information they are submitting online, and to provide personal information only when there is a clear and legitimate need for it.
- If a consumer is concerned about an automated message, they should not respond to the call, text, or email. They should contact the company in question using the official customer service number on their own card or contact information listed on the company’s legitimate website. They should not contact any number provided by the fraud call or message and should not click on links in text messages.
- Cardholders should always keep two-factor authentication codes private. Do not provide them via phone, text, or email. These codes should only be used to sign into the banking, merchant, or payment account when the consumer is trying to access it.
November 23, 2020 COVID-related scams CONTINUE to affect many local residents
Do not fall victim to the many fraud attempts currently being conducted in our area. Here's the latest from the Social Security Administration:
Protect Yourself from Social Security Scams
The most convenient way to conduct Social Security business from anywhere at any time is to visit www.ssa.gov. There, you can:
- Create a my Social Security account to request a replacement Social Security card, review your Social Security Statement, verify your earnings, print a benefit verification letter, change your direct deposit information, request a replacement Medicare card, get a replacement SSA-1099/1042S, and more.
- Apply for Extra Help with Medicare prescription drug plan costs.
- Apply for retirement, disability, and Medicare benefits.
- Find copies of our publications.
- Get answers to frequently asked questions.
- So much more!
If you don’t have access to the internet, we offer many automated services by telephone, 24 hours a day, 7 days a week. Call us toll-free at 1-800-772-1213 or at our TTY number, 1-800-325-0778, if you’re deaf or hard of hearing.
If you need to speak to a person, we can answer your calls from 7 a.m. to 7 p.m., Monday through Friday. We ask for your patience during busy periods since you may experience a higher than usual rate of busy signals and longer hold times to speak to us.
If you need to find your local office, use our office locator. We look forward to serving you.
May 23, 2020 COVID-related scams are everywhere including phishing and text phishing attempts! Be ready.
To our customers:
Below are some cyber security related items / advisories Dean Bank would like to share with our customers. We are all collectively navigating our way through these tricky times:
Feds Suspect Vast Fraud Network Is Targeting U.S. Unemployment Systems
Investigators see evidence of a sophisticated international attack they said could siphon hundreds of millions of dollars that were intended for the unemployed. The attack has exploited state unemployment systems at a time when they are straining to process a crush of claims.
A group of international fraudsters appears to have mounted an immense, sophisticated attack on U.S. unemployment systems, creating a network that has already siphoned millions of dollars in payments that were intended to avert an economic collapse, according to federal authorities.
The attackers have used detailed information about U.S. citizens, such as social security numbers that may have been obtained from cyber hacks of years past, to file claims on behalf of people who have not been laid off, officials said. The attack has exploited state unemployment systems at a time when they are straining to process a crush of claims from an employment crisis unmatched since the Great Depression.
With many states rushing to pay claims, payments have gone straight to direct-deposit accounts. In Washington State, the agency tasked with managing unemployment claims there began realizing the extent of the problem in recent days when still-employed people called to question why they had received confirmation paperwork in the mail.
“This is a gut punch,” said Suzi LeVine, the commissioner of Washington State’s Employment Security Department.
In a memo obtained by The New York Times, investigators from the U.S. Secret Service said they had information suggesting that the scheme was coming from a well-organized Nigerian fraud ring and could result in “potential losses in the hundreds of millions of dollars.” Roy Dotson, a special agent who specializes in financial fraud at the Secret Service, said in an interview investigators were still working to pinpoint who was involved and exactly where they were.
“We are actively running down every lead we are getting,” Mr. Dotson said.
Mr. Dotson said it appeared the fraud was being aided by a substantial number of “mules” — people, often in the United States, who were used as intermediaries for money laundering after making connections with fraudsters online. He warned people to be wary of quick-money job offers or other suspicious financial arrangements.
The Secret Service memo said Washington State had emerged as the primary target thus far, but there was also evidence of attacks in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island and Wyoming. The agency warned that every state was vulnerable and could be targeted, noting that the attackers appeared to have extensive records of personally identifiable information, or P.I.I.
“It is assumed the fraud ring behind this possess a substantial P.I.I. database to submit the volume of applications observed thus far,” the memo said.
Rhode Island State Police reported on Monday that it had received “numerous reports of suspected fraud” related to unemployment benefits.
Scott Jensen, the director of Rhode Island Department of Labor and Training, said Saturday that it could be hard to distinguish between a legitimate claim and a fraudulent one when impostors provided the proper information. He said the fraudulent cases that were emerging seemed to have their paperwork in order without the hallmarks of other times when claims might have mistakes or other indicators that they were not genuine.
“Whoever it is seems to be fairly sophisticated and good at what they are doing,” Mr. Jensen said. He did not know whether it was a group of international actors but was hopeful investigators would get to the bottom of the fraud. In the meantime, he said, the state is clamping down and taking a closer look at claims surrounding specific banks.
Ms. LeVine said she did not want to put a number on the losses so far in Washington State but believed it was in the millions of dollars. The state is working with law enforcement agencies to try and reclaim some of the funds.
Some workplaces have been hit particularly hard. At Western Washington University in Bellingham, Wash., more than 400 out of about 2,500 total employees have been targeted with fraudulent claims, Paul Cocke, the university’s spokesman, said.
The state has been inundated with calls from people and businesses asking about unemployment notifications that have been sent to them. They have flooded a hotline and have forced the state to hire more people to answer the phones.
One of those who filed a complaint, Anna Zivarts, a Seattle resident who works at the nonprofit Disability Rights Washington, said she found a series of official envelopes from the government in her mail on May 8. At first, she worried that she might owe taxes. Then, when she opened the mail, she had another worry.
“I called my boss and said, ‘Am I getting laid off and I just don’t know about it?’” Ms. Zivarts said. But her boss assured her that she was still employed.
Ms. Zivarts said she called and emailed to flag the issue for the state but did not hear back. Her employer has also notified the state.
- A recent notification from the United States Secret Service states that "massive fraud" attempts against state unemployment insurance programs are underway. Here's an excellent article that provides details: https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/
- Dean Bank received an alert related to medical fraud as well. Read it here: FinCENAdvisoryMedicalFraudCovi
- A text comes in on your phone or an email into your inbox. “It’s from the IRS and your economic relief check is ready, pending your acceptance. There’s a form to fill out. All you have to do is click the link.”
Please—Don’t. Click. The. Link.
- Scams are on the rise. The Federal Trade Commission has received more than 14,000 coronavirus-related complaints, reporting $10 million in total losses in 2020. Visit their web site here for more details: https://www.ftc.gov/coronavirus/scams-consumer-advice
- On March 20, the Federal Bureau of Investigation issued a warning about a rise in fraud schemes and urged “vigilance” during the pandemic. These scams are designed to get you to take immediate action, more and more through texts and calls. Circulating schemes involve:
- Stimulus checks
- Airline refunds
- Fines for breaking social-distancing rules
- “Mandatory” Covid-19 preparedness tests
- Unproven treatments
- Sales of in-demand supplies like masks or thermometers.
- SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.
Anyone who tells you to do those things is a scammer. EVERY TIME.
- Talk about it. If you’re getting these calls or texts, chances are your friends and family are too. Please talk with them about it. People who know about scams are much less likely to fall for them. So by discussing them you are helping protect people you care for and people in your community.
Be well and “stay cyber” safe along the way.
Protect Your Social Security Number (SSN)
- Never send your SSN by unsecured email to anyone.
- Request another number on your driver's license instead of your SSN.
- Never carry your SSN in your wallet.
- Do not print your SSN on your checks.
- Do not give your SSN out just because someone asks for it. Understand why they need it and know whom you are doing business with.
Protect Other Personal Information
- Never keep PINs (Personal Identification Numbers) and Passwords in your wallet or any visible location.
- Shield your PIN whenever you enter it, and never share it with anyone.
- Be cautious about giving personal information over the phone, by email, or over the internet unless you initiated the contact.
- Be suspicious of anyone who calls you requesting personal information.
- Shred any personal information or documents you no longer need that could be used to establish an identity in your name:
- Pay stubs
- Pre-approved credit offers
- Shopping receipts
- Utility and phone bills
- Insurance documents
- Obtain your credit report regularly to check for fraud
- Review your bank and credit card statements for accuracy
If your card is lost, stolen, or if you think your PIN is being used by an unauthorized person(s), please call us immediately at 508.528.0088 during business hours or 800.528.2273 after normal business hours.