
Stay Informed: Learn About Recent Scams

Posted: May 19, 2022 in Cybersecurity

SolarWinds Security Breach 

April 2021

If you have been watching the news, there is no doubt you have heard of the SolarWinds security breach that affected many companies. SolarWinds is an American company that creates software that helps manage networks. It turns out, the breach may have started with an intern using a simple password that was very easy to guess, solarwinds123. 

We all know that passwords can be frustrating and annoying at times. You probably get tired of password policies that require a certain length and complexity, as well as repeated reminders not to reuse passwords across systems or choose passwords that can be easily guessed. Creating a unique and strong password is a cybersecurity basic that helps keep systems secure. Unique passwords help prevent a breached password from being used to compromise your other accounts. This is one of the most important and most often overlooked steps: hackers know people tend to reuse passwords, so they will try a breached password on other sites.

If you have trouble remembering all your passwords (let's be real, who doesn’t?), check out some well-known commercial password apps that can help. According to PC Magazine, the top 3 password manager apps for 2021 include: LastPass, Keeper, and Dashlane.

If you have an iPhone, the password manager is also a very good tool that will warn you if your password has been repeated on multiple sites, or if the password is too simple and easy to guess. Remember, keep your passwords complex and unique to stay safe! 


SMS Text Scam to Phish PINs for Cards

February 2021

Be alert for a new text/voice message scam that ProFed has heard other credit unions reporting. Several credit unions are reporting that some of their members received phishing texts which claimed to be from their credit union fraud department, including their contact center phone number. 

Here is part of the text:

“Did you attempt $1054.81 at WM SUPERC WAL-M with cardx nnnn?  Reply YES or NO, Case nnnnnn to Opt Out reply STOP.”

When the member replies to the text, the fraudster immediately calls the member saying they are from the fraud department and want to cancel the member’s debit card and expedite sending him/her a new debit card. The fraudster has the member's cell phone number and the last 4 digits of their card number.  They will ask the member for their PIN.  If provided, the scammer will immediately withdraw money at ATMs.       

If you receive one of these messages, delete it. If you responded to this or a similar message and have provided your PIN, please contact Card Services at 260-483-0514 ext. 1632 so your card can be blocked.

ProFed staff will NEVER ask you for your card PIN.


PSA: Members Report Text Phishing Attack Disclosing Public Address

February 2021

Members have alerted us to receiving phishing text messages that claim to come from ProFed.

The text states: “ProFed reviewed your loan for (property address), please click the following link to see details.”

It is VERY easy to get public records of property addresses, owners, and lien holders. These texts can appear legitimate because they have so much correct information.   

However, these texts are FAKE. If you get one, delete it. If you did respond and provide any of your account or personal information, please call us at 260-438-0514 ext. 1633 so we can help you determine next steps.   


Don't Fall for the Microsoft Impersonation Scam

January 2021

Recently, we have had multiple members receive pop-up alerts with a message to call Microsoft at a given phone number.

THESE TYPES OF POP-UPS ARE ALWAYS SCAMS!!  

  • Microsoft NEVER puts phone numbers in pop-ups.
  • Microsoft techs will NEVER call you to remove malware from your PC.

Scammers may attempt one or more of the following if you reply:

  1. Ask you security questions so they can steal your identity.
  2. Ask you to allow them to remote into your PC to fix an issue; then install malware.
  3. Ask you to log in to your online banking so they can hijack the session and change your multi-factor authentication tokens.
  4. Tell you they have accidentally deposited money to your account and request your debit card number or a gift card number to return the funds.
  5. Ask you for your debit or a gift card number to charge you for their service.

If you receive this type of pop-up, close it. Be sure your antivirus is up-to-date and you have installed all the latest patches directly from the Microsoft site. If you are using old software that is past its end-of-life date and is no longer being patched, replace it.  

If you receive a call from someone claiming to be from Microsoft tech support, hang up!


Zoom and Microsoft Teams Phishing Attacks

January 2021

Zoom and Microsoft Teams-themed phishing attacks have spiked since the start of the pandemic.  Phishers are constantly improving their lures to exploit organizations’ dependence on video-conferencing platforms.

Scammers registered more than 2,449 Zoom-related domains from late April to early May this year alone. Con artists use these domain names, which include the word 'Zoom', or 'Teams', to send phishing attacks that look like they are coming from the official video conferencing services.

To avoid becoming the next victim, the Better Business Bureau provides these examples and tips:

  • "Out of the blue, you receive an email, text, or social media message that includes Zoom’s logo and a message saying something like, ‘Your Zoom account has been suspended. Click here to reactivate.’"
  • "You missed a meeting, click here to see the details and reschedule."
  • "Welcome to the platform. Click this link to activate your account."

BBB says use the following tactics to help thwart these types of attacks.

  • “Double check the sender’s information. Zoom.com and Zoom.us are the only official domains for Zoom. If an email comes from a similar looking domain that doesn’t quite match the official domain name, it’s probably a scam."
  • “Never click on links in unsolicited emails. Phishing scams always involve getting an unsuspected individual to click on a link or file sent in an email that will download dangerous malware onto their computer. If you get an unsolicited email and you aren’t sure who it really came from, never click on any links, files, or images it may contain."
  • “Resolve issues directly. If you receive an email stating there is a problem with your account and you aren’t sure if it is legitimate, contact the company directly. Go to the official website by typing the name in your browser and find the ‘Contact Support’ feature to get help.”

Remember to think before you click! It is more important than ever these days.


HO HO HO Holiday Heist Time is Here Again!  

December 2020

It's the holiday season for the bad guys, too! But not the way you might think. They go into scam-overdrive mode. Black Friday and Cyber Monday are the busiest online shopping days and the bad guys are planning to get rich with your money. So, here are this year's top 10 holiday cybersecurity alert tips to keep you safe this season.

  1. Keep all devices up to date with basic security measures to lessen your chance of becoming the victim.
  2. Only connect to known Wi-Fi networks; beware of network names that have typos or extra characters.
  3. Use strong, unique passwords on all accounts. This is a good time to update passwords! For those of you with iPhones, the password vault in iPhone will now tell you which passwords have appeared in breaches, are used on multiple accounts, or are commonly used. 
  4. Be safe on all social media channels; don't overshare and take the time to review your privacy settings on the platforms you use.
  5. Keep an eye on your accounts and monitor your credit report regularly.
  6. Be careful with messages regarding shipping changes. Always use official channels to stay updated.
  7. Watch out for holiday greeting cards that may not be the sender you think! Don't open these unless you're certain you can trust who they came from.
  8. Keep devices in view (or know where they are) throughout the course of all holiday travel.
  9. Pay close attention to the websites you shop on and visit. It's safest to only use those you trust.
  10. Be wary of ads, giveaways, and contests that seem too good to be true. These run rampant during the holiday season!

Here are some recent examples of known scams.

  • Pandora Black Friday Special (Link)
  • Amazon: Black Friday Deal, $50 Off Your $100 Order (Link)
  • Best Buy: Limited time only: Claim your FREE $50 Black Friday Coupon! (Link)
  • Google Calendar: Invitation for Black Friday (Link) (Spoofs Domain)
  • Amazon: Cyber Monday $50 Credit Offer! (Link)
  • Best Buy: Secret Cyber Monday Deal - $100 Best Buy Voucher (Link)

Tips on How to Do Your Part and #BeCyberSmart

October 2020

In October, we celebrate National Cybersecurity Awareness Month (NCSAM). We are excited to share tips on how to do your part and #BeCyberSmart on behalf of the National Cyber Security Alliance, the U.S. Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (CISA).

  • If you connect it, protect it. Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browser and operating systems up to date. #BeCyberSmart by turning on auto-updates.
  • Lock down your login. Whether you are working from a device at home or work, be sure to lock down your login. P@s$w0rds_d0n't_hav3_2_b_th!s_Complic@teD! Seriously, who can remember that? Make your password a passphrase. Remember, length trumps complexity when creating a strong passphrase! 
  • Think before you click. Pay attention to these three red flags when trying to spot a phish. First, if they offer a financial reward, threaten you or claim to need help. Second, if they ask for your personal info. Third, if they want you to download a file or click on a link.  
  • Own your online presence. Do you know how many of your apps have access to your contacts, photos and location data? Time to find out! Configure your privacy and security settings to limit how much data you give away. Do your part to #BeCyberSmart.

Share these tips with your family, friends, and coworkers to ensure that everyone around you is doing their part to stay safe online. For more information on how to #becybersmart, visit staysafeonline.org/cybersecurity-awareness-month.


Don't Fall Victim to SBA Phishing Schemes

August 2020

Malwarebytes reported a phishing campaign first appearing in early August spoofing a U.S. Small Business Administration offer for disaster loan assistance. The phishing emails link to an official looking loan application, which, if completed, will provide the fraudsters with a treasure trove of personal data and banking details, enabling identity theft as well as possible account takeover.

  • Never enter personal or confidential information in response to an unsolicited email.
  • If you have any doubts about the legitimacy of an email, call the published number of the organization, not the one included in the email.

For more information, visit the links below.


Watch Out! Snail Mail Scams

August 2020

Some scammers are returning to snail mail to try to trick people. This may cost the scammers more money to execute, but they are counting on having a higher success rate because people may be more inclined to believe information that looks official and comes in the US mail.

The mail is personally addressed to you, stating that someone with your last name has died in a foreign country. You are being contacted to receive the millions in inheritance. If you complete some information (which will be used for identity theft) and send money to cover taxes and/or legal or processing fees (your money is gone and you will never see a penny of the so-called inheritance), the funds will be released to you. Who doesn’t want to be a millionaire? Of course, it is all fake.

  • Never send money to receive money.  
  • If it sounds too good to be true, it probably is.

Did you hear about the FBI Mobile Banking Alert?

July 2020

The FBI has recently released an alert to keep an eye out for fraudsters who are targeting mobile banking apps during the pandemic. Amid the practice of social distancing, the adoption of online banking, and the strong reliance on online services to complete transactions, financial institutions are becoming an ideal target for cybercriminals.

With fraud and fake mobile applications on the rise, our credit union is committed to the security of our mobile and online banking products. You also play a key role in protecting your online accounts from cybercriminals.  Here are some security best practices to help you mitigate fraud risk.

  • Use passcodes and screen lock timers to protect mobile devices
  • Use a unique password for each site; do not recycle old passwords
  • Keep smart-phone software and firmware system patches and upgrades up-to-date
  • Be aware that jail-breaking or rooting increases the risk of compromise for mobile devices
  • Avoid links or software downloads from unknown sources
  • Install application software updates from legitimate app-stores only
  • Read reviews about the application developers and publisher to determine app credibility 
  • Review and understand the permissions required when downloading/installing applications
  • Install mobile malware protection software
  • Only connect to wireless networks that are known, encrypted, and require a password
  • Turn off additional mobile features that are not being used
  • Turn off or limit geolocation features for applications that do not require them

Other types of fraud to be aware of are phishing, vishing, and social engineering attacks, which are intended to trick victims into taking a specific action and can reach you through telephone/voice, SMS, chat, email, postal mail, internet/web/social media, and other channels. Here are a few things you can do to help mitigate fraud risk against these types of attacks.

  • Do not respond to any unsolicited multi-factor authentication (MFA) requests
  • Do not disclose your credentials or MFA code to anyone
  • If you suspect you’ve been part of a phishing, vishing, or social engineering attack, notify a team member at ProFed
  • Change your username & password periodically and use strong passwords (see DHS Password Guidelines)
  • Use complex and unique passwords of at least 12 characters (including special characters and numbers) for all types of online accounts

Interested in learning more about phishing, vishing, and social engineering? Visit the resource links below.


Targeted Fraud Reported By TransUnion

April 2020

According to a new report by TransUnion:

  • 22% of consumers have been targeted by digital fraud related to Covid-19
  • There has been a 347% increase in account takeover and a 391% rise in shipping and fraud attempts globally against its online customers from 2019-2020.
  • The operators of the website “coronavirusmedicalkit.com” are defrauding consumers by offering access to WHO vaccine kits in exchange for a shipping charge of $4.95, which consumers pay by entering their credit card information on the website. 

Important reminders:

  • There are currently NO legitimate COVID-19 vaccines available to the public.
  • Fraudsters have registered thousands of new websites with coronavirus or COVID-19 in the name.
  • Fraudsters may name drop WHO or the CDC or some other trusted source, but the only way to get true trusted information is to go to the websites of those agencies directly.

Significant Increase In Phishing Attempts and Scammer Attacks

April 2020

If it seems like you are hearing more than ever about phishing and scammers these days, there is a good reason. According to security expert Jim Stickley, Barracuda Networks has reported a 600% increase in phishing attacks over the past month. Each of you must be very vigilant in watching for anything that seems at all suspicious.

Popular attacks are using Zoom and the COVID-19 virus. In many cases, criminals will purchase domains that contain those as part of the domain name. Stickley did a search and found:

  • 35,604 domains contained zoom as part of the URL
  • 41,0000 plus domains had been purchased containing COVID as part of the name
  • 21,000 plus domains have been purchased using coronavirus as part of the domain name

Now, some of these are probably legit, but more of these have probably been registered by cybercriminals than by the good guys. Be sure to choose a few known sites, like the CDC and known news sites, to get your updates. Don’t click on links in texts, social media, emails, etc. that purport to give you news.

The IN.GOV site for Indiana Attorney General Curtis Hill warns of more scams.

  • Fraudsters are posing as ministers and sending out links containing malware. 
  • Emails that appear to come from Amazon are trying to trick people into giving out personal information.

“Those who would use the current perilous circumstances as an opportunity to prey upon others are manifesting a particular kind of wickedness.” - AG Curtis Hill


Be Aware: $50 Gift Card and USB Scam

April 2020 

An email scam is on the rise among users working from home. The scammer is known to promise you a package including a $50 gift card and a USB stick. The enclosed letter says you can use your gift card to purchase any item available from the USB, just plug it into your computer. Today is your lucky day, right? Unfortunately, no. Don't fall for it.

If you follow the instructions and insert the USB into your computer, the only prize you will get is malware that will allow hackers back door access to your now infected system.

Remember:

  • If it seems too good to be true, it probably is.
  • Never insert or attach an unknown device to your system.

Is Your Smart Speaker Listening While You Are Working From Home?

April 2020

Whether it’s Siri, Alexa, or Google, we are surrounded by devices that are always listening to us. If you are working from home, please make sure that you do not have an ECHO or other listening device in the proximity of your home office area; or if you do, turn it off during working hours because it could be doing more harm than good. Learn more on each specific device below and additional ways you can create better privacy in your home.

ALEXA

For Alexa devices, a new feature has been introduced where you can say, “Alexa, delete everything I said today.” While that will delete recent commands, you still need to delete older history. Follow the steps below to delete your entire history.

  • Open the Alexa app and go into the “Settings” section.
  • Select “History”.  You will see a list of all entries.
  • Tap each entry and hit DELETE.
  • To delete all entries with one click, you must go to amazon.com/mycd (Manage Your Content and Devices)

Another problem with these devices is that employees of the services are listening to us and making transcriptions of what we say to improve their servic
