Beware of Scams
There are new scams and risks all the time. At KaiPerm, we want to help educate you to avoid these scams.
Home Warranty Products — Please see the attached PDF for an example of a home warranty letter that a member recently received. KaiPerm is not affiliated with any home warranty companies.
Thank You for Calling — Here’s Some Malware
A recent social engineering scam uses real people in a call center to trick you into downloading malware onto your computer. Here’s how the scam works: You receive an email claiming that your trial subscription to a publishing company will expire soon. The email states that you will be charged if the subscription is not canceled, and it directs you to call a phone number for assistance. If you call this number, a representative happily walks you through how to unsubscribe. The representative directs you to a generic-sounding web address, asks you to enter the account number provided in the original email, and tells you to click a button labeled “Unsubscribe”. If you click, an Excel file is downloaded onto your computer. The representative tells you to open that file and enable macros so you can read a confirmation number to them. If you enable macros, a malicious file is installed that allows cybercriminals backdoor access to your system. The bad guys can use this access to install more dangerous malware, such as ransomware.
Follow these tips to stay safe from this social engineering attack:
- This attack tries to spark feelings of alarm and frustration by claiming that you will be charged for something you didn’t sign up for. Don’t let the bad guys toy with your emotions.
- Remember that cyber-attacks come from real people and real people can lie over the phone, just as they do in phishing emails.
- If you’re concerned that a warning could be legitimate, look up the company and try contacting them another way—not by using the phone number that they provided in an email.
Scammers – Package Delivery: KaiPerm received notification of this scam from a friend of the credit union.
Wednesday, a week ago, I had a phone call from someone saying that he was from some outfit called “Express Couriers” (the name could be any courier company). He asked if I was going to be home because there was a package for me that required a signature.
The caller said that the delivery would arrive at my home in approximately an hour. Sure enough, about an hour later, a uniformed delivery man turned up with a beautiful basket of flowers and a bottle of wine. I was very surprised since there was no special occasion or holiday, and I, certainly, didn’t expect anything like it. Intrigued, I inquired as to who the sender was.
The courier replied, “I don’t know, I’m only delivering the package.”
Apparently, a greeting card was being sent separately. (The card has never arrived!) There was also a consignment note with the gift.
He then went on to explain that because the gift contained alcohol, there was a $3.50 “delivery/ verification charge,” providing proof that he actually had delivered the package to an adult (of legal drinking age), and not just left it on the doorstep where it could be stolen or taken by anyone, especially a minor.
This sounded logical and I offered to pay him cash. He then said that the delivery company required payment to be by credit or debit card only, so that everything is properly accounted for, and this would help in keeping a legal record of the transaction.
He added, “Couriers don’t carry cash to avoid loss or being, likely, targets for robbery.”
My husband, who by this time was standing beside me, pulled out his credit card, and the “delivery man,” asked him to swipe the card on a small mobile card machine with a small screen and keypad. Frank, my husband, was asked to enter his PIN number and a receipt was printed out. He was given a copy of the transaction. The guy said everything was in order, and wished us a good day, and left.
To our horrible surprise, between Thursday and the following Monday, $4,000 had been charged/withdrawn from our credit/debit account at various ATM machines.
Apparently, the “mobile credit card machine,” which the deliveryman carried, now, had all the info necessary to create a “dummy” card with all our card details including the PIN number.
Upon finding out about the illegal transactions on our card, we, immediately, notified the bank which issued us a new card, and our credit/debit account was closed.
We also went to the police, where it was confirmed that it is, definitely, a scam because several households had been similarly hit.
WARNING: Be wary of accepting any “surprise gift or package,” which you neither expected nor personally ordered, especially if it involves any kind of payment as a condition of receiving the gift or package. Also, never accept anything if you do not, personally, know or there is no proper identification of who the sender is. Above all, the only time you should give out any personal credit/debit card information is when you yourself initiated the purchase or transaction!
Last-Minute Holiday Shipping Scams: The holiday season is a time for love, joy, togetherness—and last-minute online orders! We’ve all been there: anxiously awaiting a package and hoping you didn’t forget anyone on your shopping list. The holidays have a way of creeping up on us, so expect scammers to be creeping into your inbox as well. Fake shipping notifications are especially popular during the holiday season. These can come in the form of an email (phishing) or a text message (smishing). Typically, the message will offer an urgent update about your package, such as a shipping delay, and you will be directed to click a link for more information. If you click the included link, you’ll be taken to a malicious website that asks for login credentials or other sensitive information. Any information entered on this page will be a gift from you to the cybercriminals! Here are some tips to keep you safe from shipping notification scams:
- This attack exploits the stress and excitement of the holiday season. Don’t let the bad guys play with your emotions. Think before you click!
- Legitimate shipping notifications will include specific order information, such as your shipping address, an item description, or the name of the sender.
- Stay up-to-date on your orders by visiting the retailer’s official website. If you receive an unexpected notification, be sure to visit their website using your browser—not by clicking the link in the email.
Exploiting the Coronavirus: Phony Form from HR
For many months, organizations across the globe have been working remotely due to the coronavirus pandemic. In a new phishing attack, the bad guys target your feelings of stress or excitement about returning to the office. The phishing email resembles something that your human resources department might send about returning to the office. Attached to the email is an HTML file that includes your name in the file name. If you download and open this attachment, you’ll be taken to a file that is hosted on the file-sharing site, Microsoft SharePoint. According to the document, you must acknowledge the return to office policy by providing your username and password. If you enter your credentials here, the information will be sent directly to the bad guys and they’ll have the same access to your organization as you do. Don’t fall for this trick! Remember these tips:
- This attack tries to exploit the uncertainty of going back to work in the office. Don’t let the bad guys toy with your emotions. Think before you click!
- Never impulsively click on a link or download an attachment that you weren’t expecting, even if it appears to be from your own organization.
- When in doubt, reach out to the sender by phone to confirm the legitimacy of the email before clicking a link or downloading an attachment.
Tricky Tags in Google Drive Phishing Attack: Phishing emails are often designed to trick you into clicking a malicious link. Most email clients, such as Microsoft Outlook and Gmail, have filters that add warning messages to emails with suspicious-looking links. Unfortunately, the bad guys are always finding new ways to bypass these security filters. The latest way that scammers sneak past your email security is by taking advantage of the collaboration tools available for the Google Drive platform. The platform allows you to tag any user in a file by using their Gmail address. Once tagged, the user will receive a notification directly from Google. This means that if a bad guy tags you in a Google document, you will receive a legitimate notification from Google that includes a link to the bad guy’s file. If you view the file, you’ll likely find that it directs you to click another link. This second link is actually a malicious attempt to steal your sensitive information. Don’t fall for this trick! Remember:
- Always be suspicious of emails or notifications from someone you do not know.
- Never click on a link within an email that you weren’t expecting—even if it came from a legitimate website.
- If you receive a suspicious email or notification, contact your IT department or follow the specific procedure for your organization.
Phishing attacks use fraudulent email messages and web sites designed to fool recipients into divulging personal financial data, such as social security numbers, credit card numbers, account user names, and passwords.
Phishing attacks happen frequently. Once phishers gain access to personal information, they can use your credit cards, steal your identity, and ruin your credit rating. In a typical case, you’ll receive an email that appears to come from a reputable company that you recognize and do business with, such as your credit union or insurance company. In some cases, the email may appear to come from a government agency.
Many phishing emails will warn you of a serious problem that requires your immediate attention. Email phrases such as “immediate attention required” or “please contact us immediately about your account” will then encourage you to click on a link to go to the institution’s website.
In phishing scams you could be redirected to a phony website that may look exactly like the real thing. Sometimes, in fact, it may be the company’s actual web site. In these cases, a pop-up window will quickly appear for the purpose of harvesting your financial information. In either case, you may be asked to update your account information or to provide information for verification purposes: your social security number, your account number, your password, or the information you use to verify your identity when speaking to a real financial institution, such as your mother’s maiden name or your place of birth. If you provide the requested information, you may find yourself the victim of identity theft.
KaiPerm Northwest Credit Union will never solicit personal/private information via email.
How to protect yourself:
- Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. E-mails and Internet pages created by phishers may look exactly like the real thing. They may even have a fake padlock icon that ordinarily is used to denote a secure site. If you did not initiate the communication, you should not provide any information.
- If you believe the contact may be legitimate, contact the legitimate company or financial institution yourself. You can find phone numbers and web sites on the monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself.
- Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.
- Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.
WHAT TO DO IF YOU FALL VICTIM
Contact us immediately and alert us to the situation. If you have disclosed sensitive information in a phishing attack, you should also contact one of the three major credit bureaus and discuss whether you need to place a fraud alert on your file, which will help prevent thieves from opening a new account in your name. Here is the contact information for each bureau’s fraud division.
P.O. Box 740241
Atlanta, GA 30374-0241
P.O. Box 2002
Allen, TX 75013
P.O. Box 1000
Chester, PA 19016
Report all suspicious contacts to the Federal Trade Commission or call 1-877-IDTHEFT.
We look forward to helping you bank like you won't believe!