Security Blog

Current Scam Trends

Article Date: February 29, 2024

What new tips are the criminals using now? What tactics have we seen? Read on the top 4 things we have been seeing the criminals use to deceive you.

Business E-mail Compromise – Fraudsters launch attacks against companies attempting to gain access into e-mail accounts or spread malicious software.
- Things to look for:
  - Unexpected requests
  - Similar e-mail addresses
    - Ex: kelly@company.net vs tom.kelley@company.com
  - E-mail sent during “out of office” hours (ex: 11:30 pm)
  - Verbiage directing you to take a certain action quickly (clicking a link, replying, downloading an attachment)
  - E-mail advising that payment instructions had changed or updated.
- Best action to take – Make a phone call with the person sending the request before taking action

Online Job Employment – Fraudsters use online job boards targeting individuals looking for remote job opportunities.
- Things to look for:
  - Company requesting your online banking credentials to deposit your payroll
  - Company e-mailing you a check to deposit into your account
  - Company instructing you to deposit the funds then send a portion of the funds to another business or individual by alternative means: (gift cards, money orders, Cash App, Venmo, Zelle, and etc)

Technical Support – Fraudsters create fake e-mails or websites posing as legitimate companies. The goal is to gain access into the victims computer and access bank account information.
- Things to look for:
  - Random pop ups on your computer directing you to call the number on the screen.
  - Companies needing you to download software to your computer so they can “help fix the issue.”
  - Company “accidently” issuing an over credit to your account and requesting the money back.
- Legitimate tech companies will not text, call, or e-mail you if a problem with your computer occurs.

Romance Scams – Common scam tactic where fraudsters create fake online profiles to meet victims. The fraudsters often use language to establish a relationship with victims in order to gain their trust.
- Things to look for:
  - Individual will only communicate through messaging apps (Whatsapp, Telegram, Facebook Messenger).
  - Individual’s bank accounts “frozen” due to them being overseas or having fraud on their accounts.
  - Individual’s requesting gift cards, money orders, cryptocurrency sent to themselves.
  - Individual’s requesting money to be sent to another person for various reasons.
  - Individual’s promising to meet you in person but always come up with an excuse as to why they cannot come visit you.

Wilson Bank and Trust is here for you. Should you need help, please do not hesitate to reach out to us online at wilsonbank.com, our mobile app, or call us at (844) WBT-BANK (844-928-2265).

Can You Spot a Phishing Scam?

Article Date: October 10, 2023

Every day, thousands of people fall victim to fraudulent emails, texts and calls from scammers pretending to be their bank. And in this time of expanded use of online and mobile banking, the problem is only growing worse. In fact, the Federal Trade Commission’s report on fraud estimates that American consumers lost a staggering $8.8 billion to phishing scams and other fraud in 2022—an increase of more than 65% over 2021.

It’s time to put scammers in their place.

Online scams aren’t so scary when you know what to look for. And at Wilson Bank & Trust, we’re committed to helping you spot them as an extra layer of protection for your account. We’ve joined with the American Bankers Association and banks across the country in a nationwide effort to fight phishing—one scam at a time.

We want every bank customer to become a pro at spotting a phishing scam—and stop bank impostors in their tracks. It starts with these four words: Banks Never Ask That. Because when you know something sounds suspicious, you’ll be less likely to be fooled.

These four phishing scams are full of red flags:

Text Message: If you receive a text message from someone claiming to be your bank asking you to sign in, or offer up your personal information, it’s a scam. Banks Never Ask That.
Email: Watch out for emails that ask you to click a suspicious link or provide personal information. The sender may claim to be someone from your bank, but it’s a scam. Banks Never Ask That.
Phone Call: Would your bank ever call you to verify your account number? No! Banks Never Ask That. If you’re ever in doubt that the caller is legitimate, just hang up and call the bank directly at a number you trust.
Payment Apps: Beware of text messages from someone claiming to be your bank saying your account has been hacked. The scammer may ask you to send money to a new account they’ve created for you, but that’s a scam! Banks Never Ask That.

You’ve probably seen some of these scams before. But that doesn’t stop a scammer from trying. For tips, videos and an interactive quiz to help you keep phishing criminals at bay, visit www.BanksNeverAskThat.com. And be sure to share the webpage with your friends and family.

Wilson Bank and Trust is here for you. Should you need help, please do not hesitate to reach out to us online at wilsonbank.com, our mobile app, or call us at (844) WBT-BANK (844-928-2265).

Have another thought, tip or suggestion? Leave it in the comments below. I would love to hear from you!

What is an Account Takeover (ATO)?

Article Date: March 31, 2023

Recently I discovered some great definitions on what an account takeover is and how it happens. I found this from Fiserv, a financial Technology company. Their explanation was simple and to the point and I wanted to share them with you here.

An Account takeover (ATO) is an attack in which cybercriminals take ownership of online accounts using stolen passwords and usernames. These cybercriminals then use these credentials to commit fraud. These bad actors purchase victims’ Personally Identifiable Information (PII) via the dark web—typically gained from social engineering, e.g., phishing, vishing, or smishing attacks (detailed below) or data breaches. Stolen PII (e.g., name, address, email, phone number, date of birth, business name, cellphone provider, social media and login accounts and passwords) provides the necessary credentials for a fraudster to pose as a cardholder.

With this information fraudsters can engage with the victim’s account holders and make changes to accounts or card settings to execute fraud. They may make demographic changes (e.g., phone numbers, emails, passcodes), or apply for increased limits, Personal Identification Number (PIN) changes and/or travel exemptions to suppress or interfere with our fraud-monitoring tools.

The activities described above are most commonly associated with merchant data breaches described in media reports. However, in the case of account takeover, the stolen data is not obtained from a payment system.

Schemes that Contribute to Account Takeover

Skimming and Malware

Skimming and deployment of point of sale (POS) [cash register] terminal malware continue to be widespread methods for stealing data. Smaller, local merchants are now more likely to be compromised than in years past. Stolen data, which is collected using POS malware, is passed to criminal networks through remote, wireless technologies with increasing speed. By reacting to fraud events quickly, your organization can significantly mitigate losses.

Phishing

The prevalence of phishing (tricking victims into revealing confidential information) and its variants continue to rise. Phishing schemes are becoming more targeted (such as “spear-phishing”) and more difficult to identify than in the past. Instead of using only suspicious links in poorly designed emails, phishing emails are mimicking legitimate websites and appear more polished and credible. The use of web address shortening tools, such as TinyURL, make detection of suspicious links more difficult, even by savvy users. It is important to remind cardholders to safeguard their financial data and their online banking credentials against criminals trying to harvest it.

Vishing and Smishing

Smishing and Vishing schemes use sophisticated methods combined with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers. Vishing is the fraudulent practice of making phone calls or leaving voice messages claiming to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. Cardholders may be sent a voice or text message with transaction details and requesting the cardholders confirm. When they respond, they may be questioned for account details, or they may be asked to call back a number to provide account information. In some instances, they are sent a one-time passcode (OTP). The caller or text message then instructs the cardholder to reply “No Fraud” to text/voice messages.

It is important to be on the lookout for these kinds of fraudulent messages that disguise themselves as legitimate fraud notifications. These schemes use sophisticated methods combined with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Additional red flags of note include hyperlinks and grammatical and punctuation mistakes.

Malicious Software

Malicious software, including software which compromises account-holder computers locally via Man-in-the-Browser (MitB) attacks are a significant threat to the security of financial data. Man-in-the-Browser attacks install malicious software in the background via “drive by download.” This malware is then able to monitor and hijack user web sessions to then transfer funds or harvest payment cards and online banking credentials, while redirecting the legitimate cardholder to a fictitious error page. This type of malware often deploys automatically when a user visits a compromised website.

Maintaining a secure, up-to-date operating system along with robust security and anti-malware software are critical first steps in preventing this type of fraud. Availability and deployment of automation and crime-ware is increasing in the card fraud world. Both all-in-one malware packages designed to compromise computer systems (e.g., Zeus, Citadel, Tilon) as well as individual tools able to crack passwords and to automatically carry out brute force attacks are available for purchase on underground websites and on criminal forums. Heavy reliance on one type of security tool or on older tools could lead to more fraud loss. It is always best for customers and businesses to use multi-layered detection and prevention strategy like checking your accounts daily through an app, monitoring for suspicious activity, regularly changing passwords ensuring that passwords are long and unique.

Wilson Bank and Trust is here for you. Should you need help, please do not hesitate to reach out to us online at wilsonbank.com, our mobile app, or call us at (844) WBT-BANK (844-928-2265).

Have another thought, tip or suggestion? Leave it in the comments below. I would love to hear from you!

Never Share Your Password

Article Date: August 31, 2022

According to the American Bankers Association, and the Federal Trade Commission, customers lost a total of $3.3 billion to phishing and other fraud in 2020. That is a staggering number with money going the wrong direction: to the attackers. Attackers get this money through fraud and scams.

One popular scam is targeting your username and password. Getting a potential victim’s username and password is easier than trying to break into systems. Think of usernames and passwords like keys to a safe. Instead of having to drill, cut or tamper with the heavy steel door, the attacker can bypass all of that hard work and use keys to open the front door. Criminals are constantly coming up with new and clever ways to get you to give away your username and password. The most common method—impersonating a bank.

Yes! You read correctly. Criminals are now impersonating banks to get their victims to give away sensitive information such as multi-factor account access codes, usernames and passwords. How? Attackers will usually call customers pretending to be their victim’s bank. The attackers start out with very convincing information such as impersonating a legitimate fraud prevention call. The attackers tell their victims that they (attacker) are the bank and need to confirm information on a recent fraud charge (also fake). During this call, the attackers are very nice, polite and even joke around with their victims. This is all done to get trust from the victim. After a few minutes, the attacker will casually ask to confirm the username on the account. Once confirmed, more small talk continues. The attacker then goes for the gold and casually asks for the password on the account. The attacker assures the victim this is simply a confirmation and may even remind the victim that they can change the password at any time. Again, this is all done in attempt to sound legitimate and obtain trust from the victim.

With the username and password revealed, the attacker can now login as the customer. However, there is one final step needed: the MFA (multi-factor code). The same process continues, and the attacker will casually ask for the MFA code. After this, the attacker can now fully login, appearing as the customer, and access their online bank account. Once access is gained, the attacker can initiate an electronic transfer. Attackers may further convince the victim that they were overpaid through another scam and need to send a refund.

Clearly, the username, password and MFA code are the keys to protecting your account. How do we combat these scams? The simple answer is to remember that WBT will never ask you for your username, password or MFA code. What can you do? If you receive any of the below, disconnect the call and call us at (844) WBT-BANK (844-928-2265).

Text Message: If you receive a text message from someone claiming to be your bank asking you to sign in, or offer up personal information, it’s a scam. Banks never ask that.
Email: Watch out for emails that ask you to click a suspicious link or provide personal information. The sender may claim to be someone from you bank, but it’s a scam. Banks never ask that.
Phone Call: Would your bank ever call you to verify your account number? No! Banks never ask that. If you’re ever in doubt that the caller is legitimate, just hang up and call the bank directly at a number you trust.

Wilson Bank and Trust is here for you. Should you need help, please do not hesitate to reach out to us online at wilsonbank.com, our mobile app, or call us at (844) WBT-BANK (844-928-2265).

Have another thought, tip or suggestion? Leave it in the comments below. I would love to hear from you!

October is National Cybersecurity Awareness Month

Can You Spot a Phishing Scam?

What is an Account Takeover?

The Virtual CISO Moment with Greg Schaffer: A Conversation with Elvis Huff

Never Share Your Password