Phishing, Vishing and Smishing
The following scams have been reported:
Active Text Phishing Targeting F&M Bank – November 18, 2013
F&M Bank has received reports of customers and non-customers receiving text messages claiming to be from F&M Bank. The text messages are from a variety of 562 area code numbers and ask the recipient to call (850) 677-3020. The text message either says that they need to contact the Security Department to activate their card or that they have been selected to receive an ‘Achieve Card’ from F&M Bank. Please be advised that these are not legitimate messages from F&M Bank. Do not call the number or provide any sensitive information in reply to the text message. If you receive a suspicious text message, please report it to email@example.com.
The National Automated Clearing House Association (NACHA) has warned of a phishing attempt against them. Random individuals and/or companies may have received a falsified e-mail with the subject title "Rejected ACH Transaction." This e-mail appears to be from NACHA - The Electronic Payments Association telling them that there is a problem with an ACH transaction they have originated. The e-mail includes a link which redirects the individual to a phony web page that appears like the NACHA website and contains a link which is most likely an executable virus. Please alert any financial institution of any questionable email claiming to be from NACHA.
Fraudulent E-Mails Claiming to Be From the FDIC:
The Federal Deposit Insurance Corporation (FDIC) has warned of e-mails that appear to be sent from the FDIC that ask recipients to download and open a "personal FDIC insurance file" to check their deposit insurance coverage. These e-mails are fraudulent and were not sent by the FDIC. The FDIC is attempting to identify the source of the e-mails and disrupt the transmission.
Currently, the subject line of the fraudulent e-mails includes the wording "check your Bank Deposit Insurance Coverage." The e-mails state: "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets."
The e-mails ask recipients to "visit the official FDIC website" by clicking on a hyperlink provided, which appears to be related to the FDIC and directs recipients to a fraudulent Web site. The Web site includes hyperlinks that appear to open forms. However, it is believed that clicking on the hyperlinks will cause an unknown executable file to be downloaded. While the FDIC is working with the United States Computer Emergency Readiness Team (US-CERT) to determine the exact effects of the executable file, recipients should consider the intent of the software as a malicious attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to online banking services or to conduct identity theft. Financial institutions and consumers should NOT access the Web site or download the executable files provided on the Web site.
Information about counterfeit items, cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-3054, Washington, D.C. 20429, or transmitted electronically to firstname.lastname@example.org. Information related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp
For your reference, FDIC Special Alerts may be accessed from the FDIC's website at http://www.fdic.gov/news/news/SpecialAlert/2009/index.html
Types of Scams
Phishing
Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems that intercept consumers' online account user names and passwords and that corrupt local navigational infrastructure to misdirect consumers to counterfeit websites (or to authentic websites through phisher-controlled proxies used to monitor and intercept consumers' keystrokes).
• Phishing (sometimes called carding or brand spoofing) uses e-mail messages that purport to come from legitimate businesses that one might have dealings with, such as:
  • banks such as Citibank
  • online organizations such as eBay and PayPal
  • Internet service providers such as AOL, MSN, Yahoo and EarthLink
  • online retailers such as Best Buy
  • insurance agencies
• The messages may look quite authentic: they feature corporate logos and formats similar to the ones used for legitimate messages.
• Typically, they ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes or security concerns about the account.
Vishing
Also called "VoIP phishing," vishing is the voice counterpart to phishing. Instead of directing the user by e-mail to a Web site, the e-mail message asks the user to make a telephone call. The call triggers a voice response system that asks for the user's credit card number. The initial bait can also be a telephone call with a recording that instructs the user to phone an 800 number.
In either case, because people are used to entering credit card numbers over the phone, this technique can be effective. Voice over IP (VoIP) is used for vishing because caller IDs can be spoofed and the entire operation can be brought up and taken down in a short time, compared to a real telephone line.
Smishing
Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL; however, it has become more common to see a phone number that connects to an automated voice response system.
The smishing message usually contains something that demands your "immediate attention". Some examples include "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.?????.com."; "(Name of popular online bank) is confirming that you have purchased a $1500 computer from (name of popular computer company). Visit www.?????.com if you did not make this online purchase."; and "(Name of a financial institution): Your account has been suspended. Call ###.###.#### immediately to reactivate." The "hook" will be a legitimate-looking web site that asks you to "confirm" (enter) your personal financial information, such as your credit/debit card number, CVV code (on the back of your credit card), your ATM card PIN, SSN, e-mail address, and other personal information. If the "hook" is a phone number, it normally directs to a legitimate-sounding automated voice response system, similar to the voice response systems used by many financial institutions, which will ask for the same personal information.
This is an example of a (complete) smishing message in current circulation: "Notice - this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####."
In many cases, the smishing message will show that it came from "5000" instead of displaying an actual phone number or from a company domain. This usually indicates the SMS message was sent via e-mail to the cell phone, and not sent from another cell phone.
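As an added illustration (not part of this advisory), the following Python script scores text messages against the smishing indicators described above: a bare short-code sender such as "5000", urgency wording, financial terms, and a callback number or URL. The sample messages are constructed, modelled on the examples quoted here, and the indicator weights and threshold are assumptions.

```python
import re

# Constructed sample messages, modelled on the examples quoted in this advisory.
# Senders and phone numbers are fictitious (555 numbers), not real indicators.
SAMPLES = [
    {"sender": "5000",
     "text": "Notice - this is an automated message from Example Credit Union, "
             "your ATM card has been suspended. To reactivate call urgent at 866-555-0100."},
    {"sender": "+15625550123",
     "text": "Example Bank: Your account has been suspended. Call 850.555.0199 immediately to reactivate."},
    {"sender": "+15625550188",
     "text": "Hi, are we still on for lunch tomorrow at noon?"},
]

# Indicator patterns (assumed word lists; tune for your environment).
URGENCY = re.compile(r"\b(immediately|urgent|suspended|reactivate|activate|confirm)\b", re.I)
FINANCIAL = re.compile(r"\b(bank|credit union|atm|card|account|pin|ssn)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)


def score_sms(sender: str, text: str) -> dict:
    """Return indicator flags, a score (one point per indicator) and a verdict."""
    flags = {
        # A bare 3-6 digit sender such as "5000" suggests an e-mail-to-SMS gateway.
        "short_code_sender": bool(re.fullmatch(r"\d{3,6}", sender)),
        "urgency": bool(URGENCY.search(text)),
        "financial": bool(FINANCIAL.search(text)),
        "callback_number": bool(PHONE.search(text)),
        "url": bool(URL.search(text)),
    }
    score = sum(flags.values())
    flags["score"] = score
    flags["suspicious"] = score >= 3  # assumed threshold
    return flags


def triage(messages):
    """Score a list of {"sender", "text"} records."""
    return [score_sms(m["sender"], m["text"]) for m in messages]


if __name__ == "__main__":
    for m, r in zip(SAMPLES, triage(SAMPLES)):
        print(f"{m['sender']:>14} score={r['score']} suspicious={r['suspicious']}")
```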
This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent web site (used in a phishing, smishing, or vishing attack) was used to create a credit or debit card that was used halfway around the world.