Top 5 Spear-Phishing Attacks Targeting Executives

by Bank of Ann Arbor November 16, 2012 4:01

 

Here are the most recent spear-phishing attacks currently making the rounds nationwide, which pose a significant threat to your data and financial security. Note that some of these attacks have been in use for years, because they continue to work on uninformed people.

Number 5
The Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.

Number 4
The Smartphone 'Security App' – This is a two-step attack. With minimal research, cybercriminals can find the name and email address of a company’s CFO and use social engineering to get the CFO to click a link. That link infects the CFO’s PC with a keylogger, through which the hacker obtains bank account data and passwords. If the bank uses two-factor authentication, the attacker spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually malware that gives the attacker access to the phone. With that, the cybercriminals have full access to the CFO’s bank account login credentials and also control any two-factor text messages sent to or from the CFO authorizing money transfers.

Number 3
The Watering Hole Attack – Hackers research a targeted executive and find out which websites the executive frequents: sometimes a site where they discuss industry-related topics with their peers, or perhaps a hobby site the hackers learned about through the exec's social media postings. Next, the bad guys compromise that website and inject a zero-day exploit into public pages that they hope the targeted executive will visit. Once the exec visits one of those pages, their PC is infected with a keylogger and the network is penetrated.

Number 2
Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine which charities that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of that charity, asking the exec to download a Word document that supposedly contains details on an upcoming campaign or event, and promising a free dinner at their favorite restaurant as an incentive for providing feedback. When the Word document is downloaded, the user's password is stolen, which gives hackers direct access to the network. Here is a short video of Kevin Mitnick showing how this type of exploit works. Take these two minutes, it's worth seeing: http://www.knowbe4.com/video-mitnick/

Number 1
'We're Being Sued' – In this scenario, attackers dig up the email addresses of a company’s executives and also their legal counsel (in-house or external). They will then spoof an email from the legal counsel to the executive team, and attach a PDF that claims to contain information about new or pending litigation. When the recipients download and open the attachment, their system becomes infected and the entire network is compromised.

While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down. When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.

 

Note: links to third party sites are provided for your convenience only. Bank of Ann Arbor does not control or endorse their content.

 


Alerts | Security Notices

Go Local for Holiday Shopping

by Bank of Ann Arbor November 16, 2012 3:54

In between the family meals with tables full of turkey and trimmings, the related holiday festivities and watching those favorite movies we all know and love, millions of people are planning on hitting the malls, outlet stores and online retailers for a little (or a lot!) of holiday shopping in the upcoming weeks.

As part of its Go Local initiative to dine local, shop local and bank local, the Independent Community Bankers of America, representing thousands of local community banks across the nation, is launching a “Go Local for the Holidays” campaign to encourage consumers to buy at least 30 percent of their holiday purchases at locally owned businesses.

According to a survey conducted by the National Retail Federation, the biggest portion of 2012 holiday shoppers’ budget will go toward gifts for family members – and on average, about $422 will be spent on them!

Just think about how much good you’ll be doing if you buy even just a few of those gifts on your list from a small business. The money you spend will go towards helping local entrepreneurs to succeed, create jobs and keep money flowing within your community — similar to the way community banks serve their small business customers every day by lending to them and helping them navigate their local market. One of the important reasons they are able to do this is because community banks are small businesses too! They understand the challenges that local small businesses face and they value their customer relationship, not only throughout the holiday season but the entire year. In fact, community banks under $10 billion in assets provide nearly 60 percent of small business loans between $100,000 and $1 million!

It’s all part of a very symbiotic relationship between small businesses and their local community banks. So let’s get into the holiday spirit and add consumers to that list! I have no doubt it will make Santa and a few small business owners and their families very happy this holiday season — not to mention a happier community with more jobs and more dollars being circulated where they belong — locally!

Terry Jorde, senior executive vice president/chief of staff at ICBA
@terryjorde

 


Front Page

Bank of Ann Arbor Offices Closed on November 12, 2012

by Bank of Ann Arbor November 12, 2012 8:03

All Bank of Ann Arbor offices are closed on Monday, November 12, 2012 in observance of Veterans Day. We'll see you tomorrow, Tuesday, for regular business hours. Meanwhile, thank a veteran today!


Bank of Ann Arbor Selected As AnnArbor.com's 2012 Company of the Year

by Bank of Ann Arbor November 6, 2012 9:18

On Friday, November 2, 2012 Bank of Ann Arbor was recognized as the Company of the Year by AnnArbor.com at its annual “Deals of the Year” event.

"It is a terrific recognition of all of the amazing work we do at the bank and in the community," said Tim Marshall, President and CEO of Bank of Ann Arbor. "The award was based on the exceptional growth Bank of Ann Arbor has experienced over the past three years, our strong commitment to the community in support of the arts, culture, and health and human services, and our highly distinctive and nationally recognized “non-local bankers think” campaign."


Front Page

Justice Dept Brings Attention to Disaster Fraud Hotline

by Bank of Ann Arbor November 6, 2012 9:16

The Department of Justice, the FBI and the National Center for Disaster Fraud (NCDF) remind the public there is a potential for disaster fraud in the aftermath of a natural disaster. Suspected fraudulent activity pertaining to relief efforts associated with the recent series of tornadoes in the Midwest and South should be reported to the NCDF hotline at 866-720-5721. The hotline is staffed by a live operator 24 hours a day, seven days a week, for the purpose of reporting suspected scams being perpetrated by criminals in the aftermath of disasters.

NCDF was originally established in 2005 by the Department of Justice to investigate, prosecute and deter fraud associated with federal disaster relief programs following Hurricanes Katrina, Rita and Wilma. Its mission has expanded to include suspected fraud related to any natural or man-made disaster. More than 20 federal agencies – including the Justice Department’s Criminal Division, U.S. Attorneys’ Offices, Department of Homeland Security, Office of Inspector General and the FBI – participate in the NCDF, allowing the center to act as a centralized clearinghouse of information related to disaster relief fraud.

In the wake of natural disasters, many individuals feel moved to contribute to victim assistance programs and organizations across the country. The Department of Justice and the FBI remind the public to apply a critical eye and do due diligence before giving to anyone soliciting donations on behalf of hurricane victims. Solicitations can originate as emails, websites, door-to-door collections, mailings, telephone calls and similar methods.

Before making a donation of any kind, consumers should adhere to certain guidelines, including the following:

  • Do not respond to any unsolicited (spam) incoming emails, including by clicking links contained within those messages, because they may contain computer viruses.
  • Be cautious of individuals representing themselves as victims or officials asking for donations via email or social networking sites.
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities.
  • Rather than following a purported link to a website, verify the existence and legitimacy of non-profit organizations by using Internet-based resources.
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because those files may contain viruses. Only open attachments from known senders.
  • To ensure that contributions are received and used for intended purposes, make donations directly to known organizations rather than relying on others to make the donation on your behalf.
  • Do not be pressured into making contributions; reputable charities do not use coercive tactics.
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.
  • Legitimate charities do not normally solicit donations via money transfer services.
  • Most legitimate charities maintain websites ending in .org rather than .com.

In addition to raising public awareness, the NCDF is the intake center for all disaster relief fraud. Therefore, if you observe that someone has submitted a fraudulent claim for disaster relief, or observe any other suspected fraudulent activities pertaining to the receipt of government funds as part of disaster relief or clean up, please contact the NCDF.

If you believe that you have been a victim of fraud by a person or organization soliciting relief funds on behalf of hurricane victims, or if you discover fraudulent disaster relief claims submitted by a person or organization, contact the NCDF by phone at (866) 720-5721, fax at (225) 334-4707 or email at disaster@leo.gov.

You can also report suspicious e-mail solicitations or fraudulent websites to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/.


Alerts | Security Notices

© 2010 Bank of Ann Arbor
