Nine Classic Scams To Watch For

by Bank of Ann Arbor May 9, 2013 2:54

This article from NetworkWorld.com highlights 9 classic but clever scams we should all be alert to. We urge you to remind friends, family members and coworkers not to fall for these scams.

 

Note: links to third party sites are provided for your convenience only. Bank of Ann Arbor does not control their content.

 

 


Alerts | Security Notices

Phishing Attacks On Telecommunication Customers

by Bank of Ann Arbor May 8, 2013 2:58

Phishing Attacks On Telecommunication Customers Resulting In Account Takeovers

The Internet Crime Complaint Center has received numerous reports of phishing attacks targeting various telecommunication companies' customers. Individuals receive automated telephone calls that claim to be from the victim's telecommunication carrier. Victims are directed to a phishing site to receive a credit, discount, or prize ranging from $300 to $500.

The phishing site is a replica of one of the telecommunication carrier's sites and requests the victims' log-in credentials and the last four digits of their Social Security numbers. Once victims enter their information, they are redirected to the telecommunication carrier’s actual website. The subject then makes changes to the customer's account.

The IC3 urges the public to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the information supplied on your account statement to contact the business.


Alerts | Security Notices

C-Suite Execs Vulnerable to Social Engineering

by Bank of Ann Arbor March 27, 2013 1:01

 

Your C-Level execs are your biggest social engineering threat. Why? 

 

1) They Expect You to Have Their Back 

 

These are the people that approve the security budget and they know how much the organization spends on IT security. So when they open an infected attachment that hoses their machine, they ask: "Why didn't you prevent this?" instead of asking themselves what they themselves did wrong. 

 

2) They Live On The Bleeding Edge 

 

C-level execs are the heavy hitters, with the busiest schedules and often a daunting workload. No wonder they are the first ones to insist on new technology that will save them time or make their lives a bit easier. So these are the people you see with iPads on the company network, and they expect that since this is new technology, it is of course more secure than the 'old stuff'. Unfortunately we know better, as new stuff is buggy and barely out of beta. New stuff can usually be hacked easier and faster.

 

3) They Think Security Policy Is Not For Them 

 

Your C-level people are the best targets for attackers, as they usually have the most access to the corporate jewels. Since their jobs are very demanding, they naturally expect that 'restrictive' security rules do not apply to them. They expect to be able to visit websites that are otherwise blocked by rules in the proxy server, and so on. The problem, of course, is that their security awareness is no higher than that of other employees, but C-level folks should be the very best security trained!

 

4) Their Family Has A Target On Their Back Too 

 

Social engineers are 'business people'. Their time is money too, so they go after the low-hanging fruit. In many cases that means using social media to infect the PC of your C-level exec's spouse at home and 'own' that low-security peer-to-peer network, which the exec then uses to log on with their company laptop, and bingo! Your C-level exec's family needs some security awareness training too.


 


Alerts | Security Notices

Scam of the Week Targets IT Administrators

by Bank of Ann Arbor February 27, 2013 9:38

This week, it's IT administrators who are specifically targeted with a phishing attack. The bad guys know very well that the most powerful weapons are administrators' credentials, as those really are the keys to the kingdom. So they are using the instantly famous report that Mandiant wrote about the Chinese military hacking into 141 mostly U.S. businesses. An infected PDF version of the original report, titled "APT1: Exposing One of China's Cyber Espionage Units," is now being used as spear-phishing bait to get IT people to open it, under two fake names: Mandiant.pdf and Mandiant_APT2_Report.pdf. The infected document leverages a just-patched hole in Adobe Reader and was first spotted in Asia. Keep your eyes peeled for it hitting your own inbox. In the meantime, the actual report is fascinating reading, and you can find it at the Mandiant website: http://intelreport.mandiant.com/.

Source: Cyberheist News,  www.knowbe4.com

 

Note: links to third party sites are provided for your convenience.  Bank of Ann Arbor does not control their content.


Alerts | Security Notices

Gift Basket Home Delivery Scam

by Bank of Ann Arbor February 7, 2013 10:32

 

Be wary of those who come bearing gifts. The most recent credit card scam works like this:

You receive a phone call from someone who says he is from an outfit called "Express Couriers," asking if someone is going to be home because there is a package, and the caller says the delivery will arrive at your home in roughly an hour. Sure enough, about an hour later, a delivery man turns up with a beautiful basket of flowers and wine. What a surprise (especially if there is no special occasion or holiday); no one expects anything like that! Intrigued, you ask who the sender is. The deliveryman replies that he is only delivering the gift package, but that a card is allegedly being sent separately (the card never arrives). There is also an official-looking 'consignment' note with the gift.

He then explains that because the gift contains alcohol, there is a $3.50 'delivery charge' as proof that he actually delivered the package to an adult and did not just leave it on the doorstep to be stolen or taken by anyone. Sounds logical, doesn't it? You offer to pay cash, but he tells you the company requires payment by credit or debit card only, so that no 'cash' is exchanged and everything is properly accounted for. You take out your (or your husband's) credit/debit card, and the "delivery man" asks you to swipe it on a small mobile card machine with a small screen and keypad, where you enter the card's PIN and security number. A receipt is printed out and given to you.

Next week you will find that money has been charged/withdrawn from your credit/debit account at various ATM machines all over the country. It appears that the "mobile credit card machine" which the deliveryman carried now has all the info necessary to create a "dummy" card with all your card details, after you have swiped the card and entered the requested PIN and security number. 

Please be aware of this most recent scam and share this information with your family, friends, and neighbors. Any suspect description or suspect vehicle information should be reported to your local police agency.

 


Alerts

Protect Yourself from New Year's Scams

by Bank of Ann Arbor December 28, 2012 4:50

Kimberly Lankford of Kiplinger's Personal Finance has put together a very informative article, Protecting Yourself from New Year's Scams, warning of common scams that appear around the beginning of the new year.  

 

(Note: links to third party sites are provided for your convenience. Bank of Ann Arbor does not control their content.)


Alerts | Security Notices

Top 5 Spear-Phishing Attacks Targeting Executives

by Bank of Ann Arbor November 16, 2012 4:01

 

Here are the most recent spear-phishing attacks currently making the rounds nationwide, which pose a significant threat to your data and financial security. Note that some of these attacks have been used for years, because they continue to work on uninformed people.

Number 5
The Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.

Number 4
The Smartphone 'Security App' – This is a 2-step attack. With minimal research cybercriminals can find the name and email addresses of a company’s CFO and social engineer them to click a link. That link infects the PC of the CFO with a keylogger. This way the hacker obtains bank account data and passwords. In case the bank uses two-factor authentication, the attacker spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually malware giving them access to the phone. And with that, the cybercriminals have full access to the CFO’s bank account login credentials and at the same time control any two-factor text messages sent to or from the CFO authorizing money transfers.

Number 3
The Watering Hole Attack – Hackers do their research on a targeted executive, and find out which websites the executive frequents, sometimes to discuss industry related topics with their peers, or perhaps a hobby site the hackers learned about through the exec's social media postings. Next, the bad guys compromise that website, and inject a zero-day exploit onto public pages of the website that they hope will be visited by their targeted executive. Once the exec does, their PC is infected with a keylogger and the network penetrated.

Number 2
Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine what charities that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of that charity, asking the exec to download a Word doc that supposedly contains details on an upcoming campaign or event, and promising a free dinner at their favorite restaurant as an incentive for providing feedback. When the Word doc is downloaded, the user's password is stolen, which gives hackers direct access to the network. Here is a short video of Kevin Mitnick showing how this type of exploit works. Take these two minutes, it's worth seeing: http://www.knowbe4.com/video-mitnick/

Number 1
'We're Being Sued' – In this scenario, attackers dig up the email addresses of a company’s executives and also their legal counsel (in-house or external). They will then spoof an email from the legal counsel to the executive team, and attach a PDF that claims to contain information about new or pending litigation. When the recipients download and open the attachment, their system becomes infected and the entire network is compromised.

While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down. When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.

 

Note: links to third party sites are provided for your convenience only. Bank of Ann Arbor does not control or endorse their content.

 


Alerts | Security Notices

Justice Dept Brings Attention to Disaster Fraud Hotline

by Bank of Ann Arbor November 6, 2012 9:16

The Department of Justice, the FBI and the National Center for Disaster Fraud (NCDF) remind the public there is a potential for disaster fraud in the aftermath of a natural disaster. Suspected fraudulent activity pertaining to relief efforts associated with the recent series of tornadoes in the Midwest and South should be reported to the NCDF hotline at 866-720-5721. The hotline is staffed by a live operator 24 hours a day, seven days a week, for the purpose of reporting suspected scams being perpetrated by criminals in the aftermath of disasters.

NCDF was originally established in 2005 by the Department of Justice to investigate, prosecute and deter fraud associated with federal disaster relief programs following Hurricanes Katrina, Rita and Wilma. Its mission has expanded to include suspected fraud related to any natural or man-made disaster. More than 20 federal agencies – including the Justice Department’s Criminal Division, U.S. Attorneys’ Offices, Department of Homeland Security, Office of Inspector General and the FBI – participate in the NCDF, allowing the center to act as a centralized clearinghouse of information related to disaster relief fraud.

In the wake of natural disasters, many individuals feel moved to contribute to victim assistance programs and organizations across the country. The Department of Justice and the FBI remind the public to apply a critical eye and do due diligence before giving to anyone soliciting donations on behalf of hurricane victims. Solicitations can originate as emails, websites, door-to-door collections, mailings, telephone calls and similar methods.

Before making a donation of any kind, consumers should adhere to certain guidelines, including the following:

  • Do not respond to any unsolicited (spam) incoming emails, including by clicking links contained within those messages, because they may contain computer viruses.
  • Be cautious of individuals representing themselves as victims or officials asking for donations via email or social networking sites.
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities.
  • Rather than following a purported link to a website, verify the existence and legitimacy of non-profit organizations by using Internet-based resources.
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because those files may contain viruses. Only open attachments from known senders.
  • To ensure that contributions are received and used for intended purposes, make donations directly to known organizations rather than relying on others to make the donation on your behalf.
  • Do not be pressured into making contributions; reputable charities do not use coercive tactics.
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.
  • Legitimate charities do not normally solicit donations via money transfer services.
  • Most legitimate charities maintain websites ending in .org rather than .com.

In addition to raising public awareness, the NCDF is the intake center for all disaster relief fraud. Therefore, if you observe that someone has submitted a fraudulent claim for disaster relief, or observe any other suspected fraudulent activities pertaining to the receipt of government funds as part of disaster relief or clean up, please contact the NCDF.

If you believe that you have been a victim of fraud by a person or organization soliciting relief funds on behalf of hurricane victims, or if you discover fraudulent disaster relief claims submitted by a person or organization, contact the NCDF by phone at (866) 720-5721, fax at (225) 334-4707 or email at disaster@leo.gov.

You can also report suspicious e-mail solicitations or fraudulent websites to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/.

Links to third party sites are provided for your convenience. Bank of Ann Arbor does not endorse or control content on these sites.


Alerts | Security Notices

Online Dating Extortion Scam

by Bank of Ann Arbor October 24, 2012 11:53

 

The Internet Crime Complaint Center (IC3) has recently received reports regarding a scam that baits individuals into intimate online conversations and then extorts them for financial gain. The scam was initiated after the victims met someone online, such as on a dating site, and were asked to connect via a specific online social network. Shortly after, the conversations became sexual in nature. Later, victims received text messages either containing their names and asking if it was them, or containing a statement that indicated their names were posted on a particular website. The victims were provided a link to a page on the website that claimed they were a “cheater.” Photos of the victims and their telephone numbers were also posted. There was an option to view and buy the posted conversations for $9. Victims were also given the option to have their names and conversations removed for $99. Some were even told that once the payment was made, the information would be removed within an hour and the website would not allow anyone to post anything pertaining to the victims’ names again. However, reports do not indicate that the information was ever removed.

 


Alerts | Security Notices

Mobile Banking Security

by Bank of Ann Arbor May 9, 2012 9:48

 

Bank of Ann Arbor offers you a variety of convenient ways to access your accounts. For each, we take the greatest care to ensure that all of our platforms maintain the same high level of security and integrity, from our ATM network to Online Banking to Mobile Banking itself. 

How do we keep your information secure? 

The same industry standards we have always employed to keep Online Banking secure extend to our Mobile Banking application as well. 

  • Username and password to confirm your identity and ensure the privacy of each Mobile Banking session you conduct
  • Personal security question to further guard against identity theft
  • Firewalls - to protect our programs from any unauthorized or malicious intrusion
  • Encryption - to protect the transmission of data including customer account information and the integrity of all transactions

Banking in secure sessions

Each mobile banking session begins only after you establish your identity via a unique, encrypted password and security question. These are required every time you log in. Your session automatically ends when you exit the application, and it will automatically time out if you get sidetracked.

 

Things you can do to protect yourself 

  • Download the app from reputable sources only - such as the iTunes® App Store or Android™ Market.
  • Use your phone's built-in lock function - set password protection for start-up or time-out.
  • Protect your password - do not reveal it to anyone.
  • Protect your phone - from viruses and malware, just as you do for your computer, by installing mobile security software.
  • Memorize your password - don't keep it stored or written anywhere.
  • Never leave your mobile device unattended - while using the Bank of Ann Arbor mobile app or any other mobile activity.
  • Never use public Wi-Fi - when accessing online and mobile banking.
  • Log out - completely when you complete a mobile banking session.

Secure management of your money (and the personal information required to process your transactions) is at the very foundation of our business. Whether you access your accounts via teller, drive-up, telephone, Internet, or mobile device, Bank of Ann Arbor protects you with the highest security measures available. 


 


Alerts | Security Notices

© 2010 Bank of Ann Arbor
