Security Center
Our Security Center is designed to show you how we're working to keep your personal and financial information safe, and to help you recognize suspicious activity so you don't get caught in a scam.
Top of Mind Topics
  • Email
  • Phishing
  • Mobile Fraud
  • Malware
  • Vishing
  • Smishing
  • Twishing
 
Watch videos and play games provided by OnGuardOnline.gov to help you learn about spam and phishing. Keeping yourself informed by watching these videos and playing games can help in keeping you and your kids safe online, while reducing spam, and protecting your computer against unwanted intrusions.

Videos:
  • Phishy Home
  • Phishy Office
  • Phishy Store

Games:
  • Beware of Spyware
  • ID Theft FaceOff
  • Phishing Scams
  • The Case of the Cyber Criminal
  • Online Lineup
  • Spam Scam Slam
Email Scams

Some email users have lost money to bogus offers that arrived as spam in their in-box. Con artists are very cunning; they know how to make their claims seem legitimate. Some spam messages ask for your business, others invite you to a website with a detailed pitch. The following tips can help you avoid spam scams:

While some consumers find unsolicited commercial email—also known as "spam"—informative, others find it annoying and time consuming. Still others find it expensive; they're among the people who have lost money to spam that contained bogus offers and fraudulent promotions.

Many Internet service providers and computer operating systems offer filtering software to limit the spam in their users' email in-boxes. In addition, some old-fashioned "filter tips" can help you save time and money by avoiding frauds pitched in email. OnGuard Online wants computer users to screen spam for scams, send unwanted spam on to the appropriate enforcement authorities, and then hit delete. Here's how to spot 10 common spam scams.

1. The "Nigerian" Email Scam

The Bait: Con artists claim to be officials, businesspeople, or the surviving spouses of former government honchos in Nigeria or another country whose money is somehow tied up for a limited time. They offer to transfer lots of money into your bank account if you will pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." They then ask you to send money to cover transaction and transfer costs and attorney's fees, as well as a blank letterhead, your bank account numbers, or other information. They may even encourage you to travel to the country in question, or a neighboring country, to complete the transaction. Some fraudsters have even produced trunks of dyed or stamped money to try to verify their claims.

The Catch: The emails are from crooks trying to steal your money or your identity. Inevitably, in this scenario, emergencies come up, requiring more of your money and delaying the transfer of funds to your account. In the end, there aren't any profits for you, and the scam artist vanishes with your money. The damage can sometimes be felt even beyond your pocket: according to State Department reports, people who have responded to "pay in advance" solicitations have been beaten, subjected to threats and extortion, and in some cases, murdered.

Your Safety Net: If you receive an email from someone claiming to need your help getting money out of a foreign country, don't respond. If you've lost money to one of these schemes, call your local Secret Service field office. Local field offices are listed in the Blue Pages of your telephone directory.

Forward "Nigerian" scams—including all the email addressing information—to spam@uce.gov.


2. Phishing

The Bait: Email or pop-up messages that claim to be from a business or organization you may deal with, such as an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to "update," "validate," or "confirm" your account information or face dire consequences.

The Catch: Phishing is a scam where Internet fraudsters send spam or pop-up messages to reel in personal and financial information from unsuspecting victims. The messages direct you to a website that looks just like a legitimate organization's site, or to a phone number purporting to be real. But these are bogus and exist simply to trick you into divulging your personal information so the operators can steal it, fake your identity, and run up bills or commit crimes in your name.

Your Safety Net: Make it a policy never to respond to emails or pop-ups that ask for your personal or financial information, click on links in the message, or call phone numbers given in the message. Don't cut and paste a link from the message into your Web browser—phishers can make links look like they go one place, but then actually take you to a look-alike site. If you are concerned about your account, contact the organization using a phone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. Using antivirus and anti-spyware software and a firewall, and keeping them up-to-date, can help.

Forward phishing emails to spam@uce.gov and to the organization that is being spoofed.

3. Work-at-Home Scams

The Bait: Advertisements that promise steady income for minimal labor—in medical claims processing, envelope-stuffing, craft assembly work, or other jobs. The ads use similar come-ons: Fast cash, minimal work, no risk, and the advantage of working from home when it's convenient for you.

The Catch: The ads don't say you may have to work many hours without pay, or pay hidden costs to place newspaper ads, make photocopies, or buy supplies, software, or equipment to do the job. Once you put in your own time and money, you're likely to find promoters who refuse to pay you, claiming that your work isn't up to their "quality standards."

Your Safety Net: The Federal Trade Commission (FTC) has yet to find anyone who has become rich stuffing envelopes or assembling magnets at home. Legitimate work-at-home business promoters should tell you—in writing—exactly what's involved in the program they're selling. Before you commit any money, find out what tasks you will have to perform, whether you will be paid a salary or work on commission, who will pay you, when you will get your first paycheck, the total cost of the program—including supplies, equipment, and membership fees—and what you will get for your money. Can you verify information from current workers? Be aware of "shills," people who are paid to lie and give you every reason to pay for work. Get professional advice from a lawyer, an accountant, a financial advisor, or another expert if you need it, and check out the company with your local consumer protection agency, state Attorney General and the Better Business Bureau—not only where the company is located, but also where you live.

Forward work-at-home scams to spam@uce.gov.

4. Weight Loss Claims

The Bait: Emails promising a revolutionary pill, patch, cream, or other product that will result in weight loss without diet or exercise. Some products claim to block the absorption of fat, carbs, or calories; others guarantee permanent weight loss; still others suggest you'll lose lots of weight at lightning speed.

The Catch: These are gimmicks, playing on your sense of hopefulness. There's nothing available through email you can wear or apply to your skin that can cause permanent or even significant weight loss.

Your Safety Net: Experts agree that the best way to lose weight is to eat fewer calories and increase your physical activity so you burn more energy. A reasonable goal is to lose about a pound a week. For most people, that means cutting about 500 calories a day from your diet, eating a variety of nutritious foods, and exercising regularly. Permanent weight loss happens with permanent lifestyle changes. Talk to your health care provider about a nutrition and exercise program suited to your lifestyle and metabolism.

Forward weight loss emails to spam@uce.gov.

5. Foreign Lotteries

The Bait: Emails boasting enticing odds in foreign lotteries. You may even get a message claiming you've already won! You just have to pay to get your prize or collect your winnings.

The Catch: Most promotions for foreign lotteries are phony. The scammers will ask you to pay "taxes," "customs duties," or fees, and then keep any money you send. Scammers sometimes ask you to send funds via wire transfer. Don't send cash or use a money-wiring service because you'll have no recourse if something goes wrong. In addition, lottery hustlers use victims' bank account numbers to make unauthorized withdrawals or their credit card numbers to run up additional charges. And one last important note: participating in a foreign lottery violates US law.

Your Safety Net: Skip these offers. Don't send money now on the promise of a pay-off later.

Forward solicitations for foreign lottery promotions to spam@uce.gov.

6. Cure-All Products

The Bait: Emails claiming that a product is a "miracle cure," a "scientific breakthrough," an "ancient remedy"—or a quick and effective cure for a wide variety of ailments or diseases. They generally announce limited availability, and require payment in advance, and offer a no-risk "money-back guarantee." Case histories or testimonials by consumers or doctors claiming amazing results are not uncommon.

The Catch: There is no product or dietary supplement available via email that can make good on its claims to shrink tumors, cure insomnia, cure impotency, treat Alzheimer's disease, or prevent severe memory loss. These kinds of claims deal with the treatment of diseases; companies that want to make claims like these must follow the FDA's pre-market testing and review process required for new drugs.

Your Safety Net: When evaluating health-related claims, be skeptical. Consult a health care professional before buying any "cure-all" that claims to treat a wide range of ailments or offers quick cures and easy solutions to serious illnesses. Generally speaking, a cure-all is a cure none.

Forward spam with miracle health claims to spam@uce.gov.

7. Check Overpayment Scams

The Bait: A response to your ad or online auction posting, offering to pay with a cashier's, personal, or corporate check. At the last minute, the so-called buyer (or the buyer's "agent") comes up with a reason for writing the check for more than the purchase price, and asks you to wire back the difference after you deposit the check.

The Catch: If you deposit the check, you lose. Typically, the checks are counterfeit, but they're good enough to fool unsuspecting bank tellers and increase the balance in your bank account—temporarily. But when the check eventually bounces, you are liable for the entire amount.

Your Safety Net: Don't accept a check for more than your selling price, no matter how tempting the plea or convincing the story. Ask the buyer to write the check for the purchase price. If the buyer sends the incorrect amount, return the check. Don't send the merchandise. As a seller who accepts payment by check, you may ask for a check drawn on a local bank, or a bank with a local branch. That way, you can visit the bank personally to make sure the check is valid. If that's not possible, call the bank the check was drawn on using the phone number from directory assistance or an Internet site you know and trust, not from the person who gave you the check. Ask if the check is valid.

Forward check overpayment scams to spam@uce.gov and your state Attorney General. You can find contact information for your state Attorney General at www.naag.org.

8. Pay-in-Advance Credit Offers

The Bait: News that you've been "pre-qualified" to get a low-interest loan or credit card, or repair your bad credit even though banks have turned you down. But to take advantage of the offer, you have to pay a processing fee of several hundred dollars.

The Catch: A legitimate pre-qualified offer means you've been selected to apply. You still have to complete an application and you can still be turned down. If you paid a fee in advance for the promise of a loan or credit card, you've been hustled. You might get a list of lenders, but there is no loan, and the person you've paid has taken your money and run.

Your Safety Net: Don't pay for a promise. Legitimate lenders never "guarantee" a card or loan before you apply. They may require that you pay application, appraisal, or credit report fees, but these fees are seldom required before the lender is identified and the application is completed. In addition, the fees generally are paid to the lender, not to the broker or person who arranged the "guaranteed" loan.

Forward unsolicited email containing credit offers to spam@uce.gov.

9. Debt Relief

The Bait: Emails touting a way you can consolidate your bills into one monthly payment without borrowing; stop credit harassment, foreclosures, repossessions, tax levies and garnishments; or wipe out your debts.

The Catch: These offers often involve bankruptcy proceedings, but they rarely say so. While bankruptcy is one way to deal with serious financial problems, it's generally considered the last resort. The reason: it has a long-term negative impact on your creditworthiness. A bankruptcy stays on your credit report for 10 years, and can hurt your ability to get credit, a job, insurance, or even a place to live. To top it off, you will likely be responsible for attorneys' fees for bankruptcy proceedings.

Your Safety Net: Read between the lines when looking at these emails. Before resorting to bankruptcy, talk with your creditors about arranging a modified payment plan, contact a credit counseling service to help you develop a debt repayment plan, or carefully consider a second mortgage or home equity line of credit. One caution: While a home loan may allow you to consolidate your debt, it also requires your home as collateral. If you can't make the payments, you could lose your home.

Forward debt relief offers to spam@uce.gov.

10. Investment Schemes

The Bait: Emails touting "investments" that promise high rates of return with little or no risk. One version seeks investors to help form an offshore bank. Others are vague about the nature of the investment, but stress the rates of return. Promoters hype their high-level financial connections; the fact that they're privy to inside information; that they'll guarantee the investment; or that they'll buy it back. To close the deal, they often serve up phony statistics, misrepresent the significance of a current event, or stress the unique quality of their offering. And they'll almost always try to rush you into a decision.

The Catch: Many unsolicited schemes are a good investment for the promoters, but not for participants. Promoters of fraudulent investments operate a particular scam for a short time, close down before they can be detected, and quickly spend the money they take in. Often, they reopen under another name, selling another investment scam.

Your Safety Net: Take your time in evaluating the legitimacy of an offer—the higher the promised return, the higher the risk. Don't let a promoter pressure you into committing to an investment before you are certain it's legitimate. Hire your own attorney or an accountant to take a look at any investment offer too.

Forward spam with investment-related schemes to spam@uce.gov.

Fighting Back
Con artists are clever and cunning, constantly hatching new variations on age-old scams. Still, skeptical consumers can spot questionable or unsavory promotions in email offers. Should you receive an email that you think may be fraudulent, forward it to the FTC at spam@uce.gov, hit delete, and smile. You'll be doing your part to help put a scam artist out of work.

How to Report Spam
If you receive an email that you think may be a scam:

Supporting Sources: OnGuardOnline.gov
Phishing

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by email or instant messaging, and it often directs users to enter details at a fake website that has a look and feel almost identical to the legitimate one.

Phishing email messages take a number of forms. They might appear to come from a financial institution, a company you regularly do business with, or from a social networking site such as Facebook or LinkedIn. To avoid getting hooked:

If you should ever receive an email that you believe to be a phishing scam using our name and logo, please forward us a copy, and also email a copy to spam@uce.gov and to any company or organization impersonated in the phishing email. You may also report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions, and law enforcement agencies, uses these reports to fight phishing.

Contributing source: OnGuardOnline.gov
Mobile Fraud

Mobile Banking has made it easier than ever to check your account balance, view transactions, and pay bills, right from the palm of your hand. By taking the following steps to protect your mobile phone, you can make sure that you're taking the proper steps to keep your personal and financial information safe and secure.

Secure your phone
Most mobile phones let you set up a password or PIN, requiring that it's entered into your phone prior to use. This ensures that your phone can't be used if it's lost or stolen. Make sure that you always have this feature enabled and that your password or PIN is not shared with anyone.

Beware of trojans and spyware

Trojans and spyware are types of malicious software that fraudsters use to steal personal details once installed on your computer or mobile phone. They're usually installed without your knowledge when you follow a link, open an attachment, or download software from a fraudulent email or text message.

To protect yourself:

Install security software
Just like your computer, mobile phones are vulnerable to viruses, some of which can give fraudsters access to your personal information.

To keep your information safe:

Keep your mobile software up-to-date
From time to time your mobile phone manufacturer will likely release software updates for your phone. Download and install these regularly so that your mobile phone is running the most current software.

Avoid sharing your mobile phone
If you have to share your mobile or send it off for repairs:
Malware

Malware, short for malicious software, is software designed to secretly access a computer system without the owner's informed consent.

The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti-malware protection platforms (products) to protect against the continuous stream of unique and newly produced malware, has seen the adoption of a new mindset for businesses operating on the Internet: the acknowledgment that some sizable percentage of Internet customers will always be infected for some reason or another, and that they need to continue doing business with infected customers.

Common types of malware delivery mechanisms

The anatomy of malware attacks
To infect a computer through a Web browser, an attacker must accomplish two tasks.

1. First, they must find a way to connect with the victim.
2. Second, the attacker must install malware on the victim's computer.

Both of these steps can occur quickly and without the victim's knowledge, depending on the attacker's tactics.

One way for an attacker to make a victim's browser execute their malicious code is to simply ask the victim to visit a website that is infected with malware. Of course, most victims will not visit a site if told it is infected, so the attacker must mask the nefarious intent of the website. Sophisticated attackers use the latest delivery mechanisms, and often send malware-infected messages over social networks, such as Facebook, or through instant messaging systems. While these methods have proved successful to a degree, they still rely on tempting a user to visit a particular website. Other attackers choose to target websites that potential victims will visit on their own. To do this, an attacker compromises the targeted website and inserts a small piece of HTML code that links back to their server. This code can be loaded from any location, including a completely different website. Each time a user visits a website compromised in this manner, the attacker's code has the chance to infect their system with malware.

Contributing source: OnGuardOnline.gov
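
The malware section describes a compromised website carrying a small piece of inserted HTML that loads code from another server. As an added example (not part of the original page or its sources), the Python below is a check a site owner could run over a saved copy of one of their own pages, listing any script, iframe, embed or object that loads from a host outside an expected list; the page URL, hostnames and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that pull in active content, and the attribute that names the source.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


def looks_hidden(attrs):
    """True if the element is styled or sized so a visitor would not see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "1"}
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") in tiny or attrs.get("height") in tiny)


class ActiveContentAuditor(HTMLParser):
    """Records active content loaded from hosts that are not expected."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        # The page's own host is always expected.
        self.allowed.add((urlsplit(page_url).hostname or "").lower())
        self.unexpected = []

    def handle_starttag(self, tag, attrs):
        source_attr = ACTIVE_TAGS.get(tag)
        if source_attr is None:
            return
        attrs = dict(attrs)
        value = attrs.get(source_attr)
        if not value:
            return  # inline script or empty reference: nothing loaded remotely
        # Resolve relative and protocol-relative (//host/x.js) references.
        target = urljoin(self.page_url, value.strip())
        host = (urlsplit(target).hostname or "").lower()
        if host and host not in self.allowed:
            line, _ = self.getpos()
            self.unexpected.append({
                "line": line,
                "tag": tag,
                "host": host,
                "url": target,
                "hidden": looks_hidden(attrs),
            })


def audit_page(html, page_url, allowed_hosts):
    """Return the list of unexpected remote loads found in `html`."""
    auditor = ActiveContentAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.unexpected


# Constructed sample: a page with two expected scripts and one inserted frame.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.mybank.example/lib.js"></script>
</head><body>
<h1>Branch locations</h1>
<iframe src="//stats.unknown-host.test/c.html" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = audit_page(SAMPLE_PAGE, "https://www.mybank.example/branches",
                         ["cdn.mybank.example"])
    for item in results:
        print("line %(line)d: <%(tag)s> loads %(url)s hidden=%(hidden)s" % item)
```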
Vishing

Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing.

Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations that are known to the telephone company and associated with a bill-payer. The victim is often unaware that VoIP makes formerly difficult-to-abuse tools and features widely available: caller ID spoofing, complex automated systems (IVR), low cost, and anonymity for the bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

We will never call you to request that you update or verify your personal or financial details over the phone. If you ever receive a call requesting this information, please call us using the phone number on your account statement, on the back of your ATM or Debit Card, or local telephone directory to confirm the call is legitimate.

Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. Rather than provide any information, if you are speaking to a person, ask for an incident number and then hang up. Then place a call to the number printed on your credit card or billing statement from a telephone number the bank has on file, usually your home landline. While consumer caller ID is trivial to fake, the bank's call center gets much more reliable billing information from trunked 1-800 service, so both parties can have high confidence that the other party is who they claim to be.

Area codes can mislead. Some scammers send emails that appear to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. And delete any emails that ask you to confirm or divulge your financial information.

Security. If you use VoIP for your home phone service you should know that VoIP calls are transmitted over the Internet, which raises security risks that are not an issue with regular telephone service. For example, VoIP services can be attacked by computer viruses or worms; you can be subject to SPIT (Spam over Internet Telephony), a different kind of spam, and left with mass voice mail messages in your inbox; and you can be caught in a denial of service attack.

Contributing source: OnGuardOnline.gov
Smishing

In computing, Smishing is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from "SMS Phishing." SMS (Short Message Service) is the technology used for text messages on cell phones.

Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a website URL; however, it has become more common to see a phone number that connects to an automated voice response system.

The smishing message usually contains something that demands your "immediate attention." Some examples include "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.????.com."; "(Name of popular online bank) is confirming that you have purchased a $1,500 computer from (name of popular computer company). Visit www.?????.com if you did not make this online purchase."; and "(Name of a financial institution): Your account has been suspended. Call ###.###.#### immediately to reactivate". The "hook" will be a legitimate-looking website that asks you to "confirm" (enter) your personal financial information, such as your credit/debit card number, CVV code (on the back of your credit card), your ATM card PIN, SSN, email address, and other personal information. If the "hook" is a phone number, it normally directs to a legitimate-sounding automated voice response system, similar to the voice response systems used by many financial institutions, which will ask for the same personal information.

This is an example of a (complete) smishing message in current circulation: "Notice—this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####".

In many cases, the smishing message will show that it came from "5000" instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.

This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent website was used to create a credit or debit card that was used halfway around the world, within 30 minutes.
Twishing

Twishing is the act of sending a message to a Twitter user in an attempt to obtain his or her name and password. The message may instruct the recipient to visit a website where he or she is asked to log in. The website, however, is bogus and set up only to steal the user's information.

Twishing is a combination of the words Twitter and phishing. The idea is that bait is given out—the concept behind the term phishing—to Twitter users with the hopes that while most will ignore the bait, a small percentage will be tricked into revealing their user names and passwords. Twishing may also be seen written in lowercase as twishing.