Phishing Scams

ALERT - SEPTEMBER 2011

We have become aware of a phishing scam where cyber crooks are using malware to collect personal information. Here is how it works: upon visiting a bank web site and attempting to access online banking, the malware redirects the unknowing customer to a fake (but sometimes real-looking) online banking login web page.

After entering their user ID information, the customer receives a 'bad' reply and is asked to provide other information in order to confirm their ID.  F&M Trust will NOT do this. Your identity is confirmed through an authentication process, not by requesting personal ID.  The scam to collect your ID might look like this: 

If this happens to you, DO NOT ENTER any information.  Since the "redirect" occurs on the user's PC (not the bank's web site), please close your Internet connection immediately and scan your PC with the latest updates for viruses and malware.  (Remember: F&M Trust will NEVER ask for personal information in this manner.)  If you feel you have been a victim, please contact our security department immediately at 1-888-264-6116.

 

 

ALERT - RECENT PHISHING SCAM - JULY 2011  

FDIC – The FDIC has received reports that individuals and/or companies have received a fraudulent email that has the appearance of having been sent from the FDIC. 

DO NOT REPLY or RESPOND to this email. Both the email and the related website are fraudulent - they were not sent by the FDIC. To read the FDIC Warning Alert, click here. 

Recipients should consider these e-mails an attempt to collect personal or confidential information, or to load malicious software onto end users' computers. Recipients should NOT access the link provided within the body of the e-mails and should NOT install any related files or software updates.

Consumers should be aware that these fraudulent e-mails may be modified over time with other subject lines, sender names, and narratives. The FDIC does not directly contact bank customers, nor does the FDIC request bank customers to install software upgrades.

If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system.

Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that the computer operating systems and common software applications security patches are installed and current. Be alert for different variations of fraudulent emails.

= = = = = Sample Email = = = = = =

 

 

"SMISHING" Scam - "Phishing scams" have now migrated to text (or SMS) messages; there's even a term for it: "Smishing." Here's how it works: You get a text message from your bank telling you there's been suspicious activity on your account. You call the number on your phone to see what's going on, and before you know it, you're a victim.

Scammers have been using scam text messages to prey on small regional banks and their customers. Here's how the scam works. The criminals pick a bank or credit union in an area or county -- then they bombard every phone in a certain area code with a phishing message sent by SMS (Short Message Service) telling the victims to call a fake 800 number that looks like it's from a local bank or credit union. Because they're targeting a bank in the region, the bad guys have a pretty good chance of hitting real customers who may not have heard about the scam.

They use the open-source Asterisk software to set up a fake voice-operated system and steal information when people enter their account numbers, passwords and other sensitive information to authenticate themselves on the system. Then the criminals use this information to transfer money overseas.

By targeting local or regional banks, the scam initially managed to stay somewhat under the radar and not attract a lot of attention. Another problem for the banks is that the scam subverts one of the main techniques that banks and security experts have been trying to drill into their customers' heads for years now - 'If you have any questions, call your bank, or they'll call you.'  Many people think of text messages or SMS as being pretty close to calling your bank, so they assume that it is legitimate. 

Remember that most banks don't send out text messages unless you as a customer have requested it.  If you have questions, the best policy is to pick up the phone and call your banker.

 

PHISHING SCAM - JULY 2010 & OCTOBER 2011

NACHA – The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent email that has the appearance of having been sent from NACHA. See sample below.

The subject line of the email states: “Unauthorized ACH Transaction.” The email includes a link that redirects the individual to a fake Web page and contains a link that is almost certainly an executable virus with malware. Do not click on the link. Both the email and the related website are fraudulent.

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive.

= = = = = Sample Email = = = = = =

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

------------------------------------------------------------------

Copyright ©2010 by NACHA - The Electronic Payments Association

= = = = = = = = = = = = = = = = = = =

 

ANOTHER EXAMPLE - This phishing scam was done with cyber crooks using malware to collect personal information.  Upon visiting a bank web site and attempting to access online banking, the malware redirects the unknowing customer to a fake (but real-looking) online banking login web page. 

After entering their user ID information, the customer is directed to another fake page titled "Customer Identification" that looks like this: 

 

 

 

If this happens to you, DO NOT ENTER any information.  Since the "redirect" occurs on the user's PC (not the bank's web site), please close your Internet connection immediately and scan your PC with the latest updates for viruses and malware.  (Remember: F&M Trust will NEVER ask for personal information in this manner.)  If you feel you have been a victim, please contact our security department immediately at 1-888-264-6116.

 

What is Phishing?
Phishing is one of the latest cons used by high-tech criminals to facilitate one of America's leading forms of fraud - identity theft. Basically, the scam uses spam (unsolicited e-mail) to bait consumers into disclosing sensitive personal information - such as social security numbers, account and routing numbers, credit card numbers, personal identification numbers (PINs), passwords, and other private data.

Many of the phishing attempts will be sent to an individual's computer on a Saturday, Sunday or holiday.  This is done when the bank is closed so that the consumer can't contact the bank about the e-mail.  Be particularly suspicious of e-mail that appears to come from a financial institution on weekends and holidays.

According to the Federal Trade Commission (FTC), phishers send an email or pop-up message that claims to be from a business or organization that you deal with - for example, your Internet service provider (ISP), bank, online payment service, or even a government agency. The message usually says that you need to "update" or "validate" your account information. It might threaten some dire consequence if you don't respond. The message directs you to a Web site that looks just like a legitimate organization's site, but it isn't. The purpose of the bogus site? To trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

What can you do?
To avoid getting reeled into one of these scams, the FTC offers the following guidance:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don't ask for this information via email. If you are concerned about your account, contact the organization in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address. In any case, don't cut and paste the link in the message.
  • Don't email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's Web site, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Use anti-virus software and keep it up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically. A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It's especially important to run a firewall if you have a broadband connection. Finally, your operating system (like Windows or Linux) may offer free software "patches" to close holes in the system that hackers or phishers could exploit.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam.

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

As your financial institution, we at F&M Trust want to help you combat identity theft. One of the best ways to fight fraud is to educate yourself and be aware of a possible scam before it happens to you. Be cautious when providing information, and learn the steps you can take to help protect your sensitive, personal information in an attempt to stay ahead of these criminals.

F&M Trust strongly recommends that you NOT send personal information to the bank via e-mail. You are urged only to use secure locations on our site (for example, online banking, online trust access, online investing, etc.) to conduct transactions and change or update information. In addition, customer service representatives of F&M Trust will NOT ask you to send any private information to us via e-mail. If you are asked by someone indicating that they represent F&M Trust, please contact our security department immediately at 1-888-264-6116.

 

 
