Scam of the Week Targets IT Administrators

by Bank of Ann Arbor February 27, 2013 9:38

This week, IT administrators are being specifically targeted with a phishing attack. The bad guys know very well that the most powerful weapons are administrators' credentials, as those really are the keys to the kingdom. As bait, they are using the instantly famous report that Mandiant wrote about the Chinese military hacking into 141 mostly U.S. businesses. An infected PDF version of the original report, titled "APT1: Exposing One of China's Cyber Espionage Units," is now being used as spear phishing bait to get IT people to open it, under two fake names: Mandiant.pdf and Mandiant_APT2_Report.pdf. The infected document leverages a just-patched hole in Adobe Reader and was first spotted in Asia. Keep your eyes peeled for it hitting your own inbox. In the meantime, the actual report is fascinating reading, and you can find it at the Mandiant website: http://intelreport.mandiant.com/.

Source: Cyberheist News, www.knowbe4.com

Note: links to third party sites are provided for your convenience.  Bank of Ann Arbor does not control their content.


Alerts | Security Notices

Text Message Phishing Alert

by Bank of Ann Arbor February 9, 2013 1:08

Bank of Ann Arbor is aware of a text message phishing scam that may lead you to believe your Debit/ATM card has been deactivated. Please know that we do not send unsolicited text message alerts. The most recent phishing scam is tricky in that it asks you to call a phone number to activate your card, and the phone number has a 734 exchange, leading you to believe it is local. If you believe you are a victim of this scam, in that you have called the number and entered your card information, please call 1-800-528-2273 and request that your card be cancelled.


Security Notices

Gift Basket Home Delivery Scam

by Bank of Ann Arbor February 7, 2013 10:32

 

Be wary of those who come bearing gifts. The most recent credit card scam works like this:

You receive a phone call from someone who says that he is from an outfit called "Express Couriers," asking if someone is going to be home because there is a package. The caller says that the delivery will arrive at your home in roughly an hour. Sure enough, about an hour later, a delivery man turns up with a beautiful basket of flowers and wine. What a surprise for you (especially if there is no special occasion or holiday); no one expects anything like that! Intrigued, you ask who the sender is. The delivery man replies that he is only delivering the gift package, but that a card is allegedly being sent separately (the card never arrives). There is also an official-looking "consignment" note with the gift. He goes on to explain that because the gift contains alcohol, there is a $3.50 "delivery charge" as proof that he actually delivered the package to an adult and did not just leave it on the doorstep to be stolen or taken by anyone. Sounds logical, doesn't it? You offer to pay cash, but he tells you that the company requires payment by credit or debit card only, so that no cash is exchanged and everything is properly accounted for. You take out your (or your husband's) credit/debit card, and the "delivery man" asks you to swipe the card on a small mobile card machine with a small screen and keypad, where you enter the card's PIN and security number. A receipt is printed out and given to you.

Next week you will find that money has been charged/withdrawn from your credit/debit account at various ATM machines all over the country. It appears that the "mobile credit card machine" which the deliveryman carried now has all the info necessary to create a "dummy" card with all your card details, after you have swiped the card and entered the requested PIN and security number. 

Please be aware of this most recent scam and share this information with your family, friends, and neighbors. Any suspect description or suspect vehicle information should be reported to your local police agency.

 


Alerts

Most Popular Passwords of 2012 Revealed

by Bank of Ann Arbor January 8, 2013 10:10

 

SplashData.com recently published the following information regarding the most popular 2012 passwords on the web. The ranking was based on password information from compromised accounts posted by hackers online. The article was also featured on blogs.avg.com.

This year, the list is back! So it's time to see how, if at all, users have learned their lessons about what makes a strong password.

Here's the full list and how it compares to last year's:

#     Password      Change from 2011
1.    password      Unchanged
2.    123456        Unchanged
3.    12345678      Unchanged
4.    abc123        Up 1
5.    qwerty        Down 1
6.    monkey        Unchanged
7.    letmein       Up 1
8.    dragon        Up 2
9.    111111        Up 3
10.   baseball      Up 1
11.   iloveyou      Up 2
12.   trustno1      Down 3
13.   1234567       Down 6
14.   sunshine      Up 1
15.   master        Down 1
16.   123123        Up 4
17.   welcome       New
18.   shadow        Up 1
19.   ashley        Down 3
20.   football      Up 5
21.   jesus         New
22.   michael       Up 2
23.   ninja         New
24.   mustang       New
25.   password1     New

As you can see, people haven’t changed their password habits a whole lot in a year.

If your password is included on that list, or is a close variation of these passwords, it's really important to take action now!

Fixing your password problem can be very simple:

Long is strong: The longer the password, the more difficult it will be for someone to try and crack it using brute force. So, instead of a single word, with a jumble of symbols, numbers and characters, try a string of words. Use a line of your favorite poem, song or just something memorable. Feel free to add your lucky number at the end if you like.

Something like: "withnodirectionhome1085".

A famous Dylan lyric like this will always be easy to remember, and the number fits if, say, you were born in October 1985. This means that you've suddenly got a 23-character password, which is much harder to crack than something far harder to remember, such as "Phu!R7tRjX".

Variety is the spice of life: The trouble with shorter, complex passwords is that they can be a real hassle to remember, often forcing you to use the same password for multiple accounts, which is never a good idea. So another benefit of long, easy-to-remember passwords is that you can keep many different passwords.
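An added example (not part of the original notice or of SplashData's article): a Python screening check that rejects any password on the list above or a close variation of one, and estimates the brute-force search space in bits for the two passwords quoted in the text. The substitution map and function names are assumptions, and the bit count covers exhaustive character-by-character guessing only, not guessing from known phrases.

```python
import math
import re
import string

# The 25 passwords from the table above.
COMMON = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
}

# Assumption: a small map of common look-alike substitutions to undo.
LEET = str.maketrans("@403$51!7", "aaoessiit")


def _trim(s):
    """Drop digits and symbols padded onto either end of a word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def is_common_variant(password):
    """True if the password is on the list or a close variation of an entry."""
    low = password.lower()
    candidates = {low, _trim(low), low.translate(LEET), _trim(low).translate(LEET)}
    candidates.discard("")
    return not candidates.isdisjoint(COMMON)


def brute_force_bits(password):
    """log2 of the search space for exhaustive guessing over the character
    classes (lowercase, uppercase, digits, punctuation) the password uses."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation):
        if any(c in charset for c in password):
            pool += len(charset)
    return len(password) * math.log2(pool) if pool else 0.0


def screen(password):
    """Return (accepted, brute-force bits) for a candidate password."""
    return (not is_common_variant(password), round(brute_force_bits(password), 1))


if __name__ == "__main__":
    # Constructed samples plus the two passwords quoted in the text.
    for pw in ("P@ssw0rd", "Monkey2013!", "Phu!R7tRjX", "withnodirectionhome1085"):
        print(pw, screen(pw))
```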

 

Source: Internet Crime Complaint Center's 01/07/2013 Scam Alerts. 

 

Note: third party links are provided for your convenience only. Bank of Ann Arbor does not control their content.

 


Security Notices

Protect Yourself from New Year's Scams

by Bank of Ann Arbor December 28, 2012 4:50

Kimberly Lankford of Kiplinger's Personal Finance has put together a very informative article, Protecting Yourself from New Year's Scams, warning of common scams that appear around the beginning of the new year.  

 

(Note: links to third party sites are provided for your convenience. Bank of Ann Arbor does not control their content.)


Alerts | Security Notices

Spot and Prevent Financial Abuse to the Elderly

by Bank of Ann Arbor March 5, 2012 5:44

Each year millions of senior citizens are victimized by financial fraud or theft of money, property or valuable personal information. Often, an adult child or other relative is responsible. Other situations may involve trusted individuals such as caregivers, legal guardians, investment advisors or new “friends.” And because the types of abuse may differ widely, it’s important to take a variety of precautions. Here are suggestions for protecting yourself and your loved ones:

Choose an advisor carefully. If you’re considering hiring a new broker, attorney, accountant or other professional, even someone recommended by a friend or relative, it’s best to independently look into that person’s background and reputation before investing money or paying for services. For example, you can confirm that this person is properly registered or licensed and has a clean record with regulators and other consumers. When in doubt about how to research this information, ask your state Attorney General’s office or local consumer protection agency for guidance.

 

Make sure you not only understand the role an advisor will be playing, but trust that this individual will do what’s best for you and your finances. Don’t be afraid to ask questions or say no. After all, it’s your money!

Be careful with powers of attorney. At some point, you may want to have a power of attorney, a legal document that authorizes another person to transact business on your behalf. While powers of attorney can be very helpful, be careful who you name as your representative. “Powers of attorney can be easily misused because they allow the appointed person to step into your shoes and do everything you can do, including taking money from your account and borrowing money in your name,” warned Debi Hodes, an FDIC Consumer Affairs Specialist. “This is a matter to discuss with a lawyer who should prepare or review the document for you.”

Protect your personal financial information. Never give out your bank account numbers, Social Security numbers, PINs (personal identification numbers), passwords or other sensitive information unless you initiate the contact. These requests may come from an unsolicited phone caller, letter writer, e-mailer or a person who shows up at your door. Be especially wary of someone who congratulates you about winning a (bogus) prize or lottery but first demands payment for taxes or other fees.

Also, keep your checkbook, account statements, and other sensitive information in a safe place. And shred paper documents containing sensitive information that is no longer needed.

Closely monitor your credit card and bank account activity. Review your account statements as soon as you receive them and look for unauthorized or suspicious transactions, which should be reported to your bank immediately.

Take your time when deciding on a major financial decision or investment. Make sure you understand the transaction and ask questions if you don’t. If you need to, ask a lawyer or financial advisor to help you understand the documents and discuss what’s best for you. “Walk away from anyone who says you must make a decision or otherwise do something right now,” said Hodes.

Be aware of scams involving reverse mortgages. These loans enable homeowners age 62 or older to borrow money from the equity in their homes. However, reverse mortgages can be complex products with a variety of risks and costs, and there are many reports of schemes by unscrupulous individuals using deceptive offers and high-pressure tactics to steer senior citizens into using the funds from a reverse mortgage for inappropriate or costly loans or investments. For guidance on the responsible use of a reverse mortgage, including how to locate a lender or a housing counselor approved by the U.S. Department of Housing and Urban Development’s Federal Housing Administration, start at www.hud.gov/offices/hsg/sfh/hecm/rmtopten.cfm or call 1-800-569-4287.

Finally, here are additional tips:

  • Beware of callers asking for money or information. If you’d like to reduce the number of telemarketing calls you receive, consider signing up for the national Do Not Call Registry (call 1-888-382-1222 or visit www.donotcall.gov). If you are on this list, be suspicious of calls from any company or organization that you have reason to believe is not eligible to contact you under the registry’s rules.
  • Don’t comply with requests from strangers to deposit a check into your account (perhaps as part of an Internet sale) and wire some or all of it back. “If you send the money and the check is counterfeit, you may be held responsible by your financial institution for the losses,” said Michael Benardo, Chief of the FDIC’s Cyber-Fraud and Financial Crimes Section.
  • If you use social media, many security experts advise against posting the names of relatives and anyone’s home address, full date of birth and daily activities because those can be valuable to a thief. “A scam on the rise involves con artists who look for personal information on the Internet that they can use to call or e-mail an elderly person and pretend to be a relative in distress — such as a grandchild being injured, in jail or lost in a foreign country — and needing money sent fast, without telling anyone else in the family,” added Benardo. “They may also represent themselves as a lawyer or law enforcement agent needing money to help your relative.”

To learn more about common frauds targeting seniors, start at the FBI’s Web page at www.fbi.gov/scams-safety/fraud/seniors. For more guidance on protecting against a variety of schemes, see back issues of FDIC Consumer News (online at www.fdic.gov/consumernews) and visit www.mymoney.gov/category/topics/scams/-fraud.html

This article is from the FDIC's Winter 2012 Consumer News.

 


Security Notices

Twitter Account Scams

by Bank of Ann Arbor January 26, 2012 8:14

An official-looking email appears to come from Twitter. It warns that someone is saying bad things about you or your business, or gives some other warning to entice you to click on the link. Don't. These are very likely scams seeking to lure you to a site to install malware or gain access to information on your computer.

Always log on to your Twitter or social media accounts directly at the site, not by following links sent to you.


Security Notices

FDIC warns of a phishing email

by Bank of Ann Arbor December 21, 2011 2:10

Please beware of the following scam email in circulation which claims to be from the FDIC. The email contains a dangerous link. If you are ever unsure of an email, please give us a call at 734-662-1600.

Subject of the email: Each depositor insured to at least $250,000 per insured bank

Content of email message:
Dear Sirs,
Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be blocked until you update your security version in compliance with our new requirements.. In order to re-establish the full functioning of your account, we urgently prompt you to install a special security software. Please open the link below --------- to read the instructions and download all the necessary files.

We apologize for causing you inconveniences by this measure.
Please do not hesitate to contact us if you experience any problems.

Yours truly,

Federal Deposit Insurance Corporation
Security Department


Security Notices

Fraudster Double-Dipping

by Bank of Ann Arbor November 17, 2011 10:28

Most of us are familiar with fraud involving automobiles being sold over the Internet. A fraudster will post a nonexistent vehicle for sale on the Internet, typically a luxury or sports car. The details of the vehicle, including photos and description, are typically lifted from legitimate websites. An interested buyer, hopeful for a bargain, responds and is told that the vehicle is located overseas. The fraudster then instructs the victim to send a deposit via wire transfer to initiate the shipping process.

In a new twist to this scam, the fraudster advised there was an issue with the initial wire transfer and sent the victim a cashier's check. The victim was instructed to cash the check and resend a second wire to a different account. Unaware that the check was counterfeit, the victim followed through as instructed by the fraudster. This resulted in the victim getting duped two times and the fraudster accomplishing his "double-dipping" strategy.

Victims should be vigilant when an Internet transaction involves wire transfers and cashier's checks. Most individuals believe that cashier's checks are as good as cash and they clear the day after they are deposited. However, banks are required to make the funds "available" in the individual's account within 48 hours, which can be days before the cashier's check clears or bounces. Once the bank makes the funds available, the counterfeit check circulates to incorrect Federal Reserve locations. Generally, the average cashier’s check takes up to two weeks to clear, not two days. The bottom line: fraudsters understand the U.S. banking system process and capitalize on victims' misconceptions of the term "available funds."

The IC3 has posted multiple alerts warning consumers of various types of counterfeit check scams. The most recent warning was in the IC3 Scam Alert, May 10, 2011, which is available at: http://www.ic3.gov/media/2011/110510.aspx.

To learn more on this scam, prevention tips, and available resources, consumers can visit LooksTooGoodToBeTrue's Types of Fraud page on counterfeit checks at the following link: http://www.lookstoogoodtobetrue.com/fraudtypes/counterfeitcheck.aspx.


Security Notices

Fraudulent Emails Circulating that Claim to be from the FDIC

by Bank of Ann Arbor January 13, 2011 8:49

E-mails fraudulently claiming to be from the Federal Deposit Insurance Corporation (FDIC) are attempting to get recipients to click on a link, which may ask them to provide sensitive personal information. These e-mails falsely indicate that FDIC deposit insurance is suspended until the requested customer information is provided.

The fraudulent e-mail informs the recipient that “in cooperation with the Department of Homeland Security, federal, state and local governments…” the FDIC has withdrawn deposit insurance from the recipient’s account “due to account activity that violates the Patriot Act.” It further states that deposit insurance will remain suspended until identity and account information can be verified using a system called “IDVerify.” If consumers go to the link provided in the e-mail, it is suspected they will be asked for personal or confidential information, or malicious software may be loaded onto the recipient’s computer.

If you receive this email do NOT access the link provided within the body of the e-mail and do not under any circumstances provide any personal information through this media. The FDIC is attempting to identify the source of the e-mails and disrupt the transmission. Help them out by reporting any similar attempts to obtain this information by sending information to alert@fdic.gov.

Read the full alert from the FDIC.


Security Notices

© 2010 Bank of Ann Arbor
