Learn More About Simple Ways to Keep Your Money Secure
Common Fraud Tactics
Different fraud tactics all share the same goal: to obtain your personal, confidential and financial information for fraudulent use.
From obtaining your information ‘the old fashioned way’ via discarded mail, to emails that ask you to verify personal information under the guise of a trusted source, like your financial institution, fraudulent activity comes in many different forms.
Fraud tactics include:
Dumpster Diving: Thieves rummage through trash looking for bills or other paper that includes your personal information.
Malware: Also known as ‘malicious software’, malware is designed to harm, attack or take unauthorized control over a computer system. Malware includes viruses, worms and Trojans. It’s important to know that malware can include a combination of all three of the types noted.
Phishing: A scam that involves the use of replicas of existing Web pages to try to deceive you into entering personal, financial or password data. Often suspects use urgency or scare tactics, such as threats to close accounts.
Vishing: Vishing is a type of phishing attack where the attacker uses a local phone number in the fake email as a means of obtaining your sensitive information. The goal is to fool you into believing the email is legitimate by instructing you that responding to the request by phone is safer than responding by email and shows authenticity. The unsuspecting caller is then tricked through an automated phone system to relinquish their sensitive information.
Smishing: Similar to phishing and vishing, smishing scams attempt to deceive you into divulging personal financial information by directing you to a fictitious phone number or website through the use of text messaging.
Pharming: Pharming takes place when you type in a valid Web address and you are illegally redirected to a Web site that is not legitimate. These ‘fake’ Web sites ask for personal information such as credit card numbers, bank account information, Social Security numbers and other sensitive information.
Trojan: A Trojan is malicious code that is disguised or hidden within another program that appears to be safe (as in the myth of the Trojan horse). When the program is executed, the Trojan allows attackers to gain unauthorized access to the computer in order to steal information and cause harm. Trojans commonly spread through email attachments and Internet downloads. A common Trojan component is a “keystroke logger” which captures a user’s keystrokes in an attempt to capture the user’s credentials. It will then send those credentials to the attacker.
Spoofing: Spoofing is when an attacker masquerades as someone else by providing false data. Phishing has become the most common form of Web page spoofing. Another form of spoofing is URL spoofing. This happens when an attacker exploits bugs in your Web browser in order to display incorrect URLs in your browser location bar. Another form of spoofing is called “man-in-the-middle”. This occurs when an attacker compromises the communication between you and another party on the Internet. Many firewalls can be updated or configured to significantly prevent this type of attack.
Spyware: Loaded on to your computer unbeknownst to you, spyware is a type of program that watches what users do and forwards information to someone else. It is most often installed when you download free software on the Internet. Unfortunately hackers discovered this to be an effective means of sending sensitive information over the Internet. Moreover, they discovered that many free applications that use spyware for marketing purposes could be found on your machine, and attackers often use this existing spyware for their malicious means.
Pop-Ups: A form of Web advertising that appears as a “pop-up” on a computer screen, pop-ups are intended to increase Web traffic or capture email addresses. However, sometimes pop-up ads are designed with malicious intent like when they appear as a request for personal information from a financial institution, for example.
Virus: A computer virus is a malicious program that attaches itself to and infects other software applications and files without the user’s knowledge, disrupting computer operations. Viruses can carry what is known as a “payload,” executable scripts designed to damage, delete or steal information from a computer.
A virus is a self-replicating program, meaning it copies itself. Typically, a virus only infects a computer and begins replicating when the user executes the program or opens an “infected” file.
Viruses spread from computer to computer only when users unknowingly share “infected” files. For example, viruses are commonly spread when users send emails with infected documents attached.
RetroVirus: This virus specifically targets your computer defenses. It will look for vulnerabilities within your computer operating system or any third party security software. Most security vendors have some form of tamper-proof measure in place, so it is important to keep your patches up-to-date. RetroViruses are usually combined with another form of attack.
Worm: A worm is similar to a virus but with an added, dangerous element. Like a virus, a worm can make copies of itself; however, a worm does not need to attach itself to other programs and it does not require a person to send it along to other computers.
It’s not always easy to identify online fraud. Understanding how fraudulent activity takes place helps with prevention, and keeps you safe.
Safeguard your identity online
Do not allow a Web site to keep sensitive information or credentials for future convenience.
It is a common practice when registering for access to a Web site or making a purchase from a Web site to be asked if you want to keep your access credentials, credit card number or other sensitive information on file as a matter of convenience. This common request is referred to as “remembering” for future use.
Be selective about where you surf.
Not all Web sites are benign. Sites that are engaged in illegal or questionable activities often host damaging software and make users susceptible to aggressive computer attacks.
Don’t choose “Remember My Password.”
You should never use the “remember password” feature for online banking or transactional Web sites.
Don’t use public computers for sensitive operations.
Since you cannot validate the computer’s integrity, there’s a higher risk of fraud when you log in from a public computer.
Work on a computer you trust.
Firewalls, antivirus, anti-spyware and other protection devices help keep a computer properly monitored and provide peace of mind. These tools are important in order to protect your computer and data. A good firewall is critical if you commonly access the Internet via a wireless connection. It is also important to keep your computer up-to-date with patches to security tools as well as to the operating system and other programs on your computer. Make sure to configure your computer to update all security fixes.
Select a strong password.
The best password is an undetectable one. Never use birth dates, first names, pet names, addresses, phone numbers, or Social Security numbers. Use a combination of letters, numbers and symbols. Be sure to change your passwords regularly.
Use a secure browser.
Only use secure Web pages when you’re conducting transactions online (a Web page is secure if there is a locked padlock in the lower left-hand corner of your browser).
Sign off, shut down, disconnect.
Always sign off or logout from your online banking session or any other Web site that you’ve logged into using a user ID and password. When a computer is not in use, it should be shut down or disconnected from the Internet.
Lock your computer when it is not in use.
This helps protect you from unauthorized user access.
Beware of shoulder surfing.
This is a common tactic in public places such as coffee shops, airports and libraries, where an attacker will look over your shoulder while you’re logged in to obtain your sensitive information. Be vigilant and aware of prying eyes.
Set up a timeout.
The Timeout feature is an additional safety check. It can prevent others from continuing your online banking session if you left your PC unattended without logging out. You can set the Timeout period in the User Options screen.
Safeguard your email
In addition to safeguarding your online identity, there are a number of guidelines to follow that will help protect your email.
Email is often a vehicle used to transmit malware and commit fraud. It is important to evaluate your email behaviors and develop good habits to help protect your computer and your identity.
In addition to viruses and worms that can be transmitted via email, phishing also threatens email users. A type of email fraud, phishing occurs when a perpetrator, posing as a legitimate, trustworthy business, attempts to acquire sensitive information like passwords or financial information.
To safeguard your email:
Never open or respond to SPAM (unsolicited bulk email messages).
Delete all spam without opening it. Responding to spam only confirms your email address to the spammer, which can actually intensify the problem.
Never click on links within an email.
It’s safer to retype the Web address than to click on it from within the body of the email.
Don’t open attachments from strangers.
If you do not know the sender or are not expecting the attachment, delete it.
Don’t open attachments with odd filename extensions.
Most computer files use filename extensions such as “.doc” for documents or “.jpg” for images. If a file has a double extension, like “heythere.doc.pif,” it is highly likely that this is a dangerous file and should never be opened. In addition, do not open email attachments that have file endings of .exe, .pif, or .vbs. These are filename extensions for executable files and could be dangerous if opened.
Never give out your email address or other sensitive or personal information to unknown web sites.
If you don’t know the reputation of a Web site, don’t assume you can trust it. Many Web sites sell email addresses or may be careless with your personal information. Be wary of providing any information that can be used by others for fraudulent purposes.
Never provide sensitive information in email.
Forged email purporting to be from your financial institution or favorite online store is a popular trick used by criminals to extract personal information for fraud.
Don’t believe the hype.
Many fraudulent emails send out urgent messages that claim your account will be closed if sensitive information isn’t immediately provided, or that important security needs to be updated online. Your financial institution will never use this method to alert you of an account problem.
Be aware of poor design, and/or bad grammar and spelling.
A tell-tale sign of a fraudulent email or Web site includes typos and grammar errors as well as unprofessional design layout and quality. Delete them immediately.
Back up your sensitive data records.
Consider backing up all sensitive files. This will not only help you restore damaged or corrupted data, but it will help protect against fraud attacks and help recover lost files if needed.
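The attachment filename advice above (double extensions such as “heythere.doc.pif”, and endings of .exe, .pif or .vbs) can also be checked automatically on incoming mail. The following Python is an added example, not part of the original page; the function names, the decoy-extension list beyond “.doc” and “.jpg”, and the sample message are constructed for illustration.

```python
from email import message_from_string, policy

# Executable endings named in the advice above; a production filter would carry more.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".vbs"}
# Harmless-looking endings used as the visible half of a double extension.
# ".doc" and ".jpg" come from the page; the rest are assumptions for the example.
DECOY_EXTENSIONS = {".doc", ".jpg", ".pdf", ".txt", ".xls"}


def normalize(filename):
    """Drop any path, surrounding whitespace and trailing dots, then lowercase.

    Windows ignores trailing dots and spaces, so "setup.exe. " still runs as .exe.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def extensions(filename):
    """Return every dot-separated ending, e.g. [".doc", ".pif"].

    Padding such as "file.doc      .exe" (spaces that push the real ending
    out of view) is stripped from each piece.
    """
    pieces = normalize(filename).split(".")[1:]
    return ["." + p.strip() for p in pieces if p.strip()]


def classify_attachment(filename):
    """Return a list of reasons the name is risky; an empty list means no match."""
    exts = extensions(filename)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension " + exts[-2] + exts[-1])
    return reasons


def scan_message(raw_message):
    """Parse a raw e-mail and map each risky attachment name to its reasons."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_attachment(name):
            findings[name] = classify_attachment(name)
    return findings


# Constructed sample message (not a real e-mail).
SAMPLE_MESSAGE = """\
From: sender@example.com
To: member@example.com
Subject: Your statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="heythere.doc.pif"

placeholder
--BOUNDARY
Content-Type: image/jpeg
Content-Disposition: attachment; filename="vacation.jpg"

placeholder
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.EXE"

placeholder
--BOUNDARY--
"""

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(name, "->", "; ".join(reasons))
```

A name-based check only catches what the filename reveals; it does not inspect the file's contents, so it complements antivirus scanning rather than replacing it.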
Email Fraud: If you believe you have received a suspicious or fraudulent email that appears to be from Tropical Financial Credit Union, do not reply or click on any of its links, contact any phone numbers or otherwise provide any personal information. Please forward it immediately to email@example.com.
Identity Fraud: If you know, or even think, you’ve been a victim of identity fraud, take immediate action and follow these five steps.
More specifics can be found on the FTC’s Identity Theft Site, located here:
- Report the fraudulent activity. If the activity is related to our financial institution please contact us directly. If it is related to another financial institution, your credit card company, or any other organization contact them directly.
- Contact one of the three consumer reporting companies and have a fraud alert placed on your credit report. This will help stop fraudsters from opening any additional accounts in your name. Contact only one of the following (the others are required to contact the other two):
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 7501
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
- Close any accounts that you know, or even think, might have been tampered with or opened fraudulently. Report the transgression to a security spokesperson at the relevant company. Ask them about any additional steps; they’ll probably ask you to send relevant copies of the fraudulent activity.
You can also use the FTC ID Theft Affidavit (PDF, 56KB) as formal certification of your dispute.
- File your complaint with the FTC. Use the online complaint form; or call the FTC’s Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Sharing your identity theft complaint with the FTC will help law enforcement officials track down identity thieves and stop them.
- Call or visit the local police or police in the community where the identity theft took place and file a report. Have a copy of your FTC ID Theft complaint form available to give them. Obtain a copy of the police report and the police report number.
ATM/Debit Card Safety
ATM/Debit cards provide a great convenience for withdrawing funds or for purchasing goods and services without the need for paper money. Although there is a variety of security measures in place to help prevent fraud and theft while at the ATM or when using your card at a merchant, not all crimes are preventable. Therefore, we have provided the following tips you can follow to help keep you safe and further reduce the risk of ATM and Debit fraud.
To prevent ATM and Debit fraud:
Sign your cards as soon as you receive them.
Your signature helps to protect you from fraud. Merchants often compare signatures and IDs before completing a transaction.
Memorize your PIN (personal identification number).
Do not write your PIN on your card or share it with anyone.
Be aware of your surroundings.
Survey the surrounding area before approaching and using an ATM. After your transaction has been completed, remember to take your card, receipt, and cash then leave immediately. Never count your cash at the machine. Wait until you have reached a safe area to do so.
Conceal your PIN.
Shield the screen and keypad with your body when entering your PIN to prevent others from seeing your number.
Keep it in a safe place.
Treat your card like cash and do not display it until needed.
Don’t let others use your card.
Avoid lending your card to anyone or leaving it unattended and unsecured, including in your car (even if locked) or at work.
Inspect the receipt before you sign.
Watch the merchant perform your card authorization and ensure purchases are recorded properly before signing the receipt.
Shred all receipts when no longer needed.
Some receipts may contain card numbers or other account information. Always destroy them before placing them in the trash.
Monitor account activity.
Review your account statements as soon as you receive them for suspicious transactions.
Inspect the ATM or terminal for any evidence of tampering.
Thieves can install electronic devices used for capturing your card information. This is commonly known as ‘skimming’.
Immediately report any lost or stolen cards.
It is important that you report the lost or stolen card as quickly as possible to limit any potential financial loss.
Many times education is our first line of defense against fraudsters attempting to scam us into unwittingly handing over funds for false reasons or stealing our identities. This section offers practical expert advice from the Internet Crime Complaint Center (IC3) and the Internal Revenue Service (IRS) that will help keep you from becoming a victim of some of the most common scams. If you believe you may have fallen victim to any of these scams and wish to report it, please file a complaint with the IC3 in addition to notifying your respective financial institution(s).
Work at Home: Consumers need to be vigilant when seeking employment online. Victims are often hired to “process payments,” “transfer funds,” or “reship products.” These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals.
Other victims sign up to be a “mystery shopper,” receiving fraudulent checks with instructions to cash the checks and wire the funds to “test” a company’s services. Victims are told they will be compensated with a portion of the merchandise or funds. Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior.
Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information, to their potential “employer.” The criminal/employer can then use the victim’s information to open credit cards, post on-line auctions, register websites, etc., in the victim’s name to commit additional crimes.
“Advance Fee” or “Nigerian 419”: Named for the violation of Section 419 of the Nigerian Criminal Code, the 419 scam combines the threat of impersonation fraud with a variation of an advance fee scheme in which a letter, email, or fax is received by the potential victim. The communication from individuals representing themselves as Nigerian or foreign government officials offers the recipient the "opportunity" to share in a percentage of millions of dollars, soliciting for help in placing large sums of money in overseas bank accounts. Payment of taxes, bribes to government officials, and legal fees are often described in great detail with the promise that all expenses will be reimbursed as soon as the funds are out of the country. The recipient is encouraged to send information to the author, such as blank letterhead stationery, bank name and account numbers, and other identifying information using a facsimile number provided in the letter. The scheme relies on convincing a willing victim to send money to the author of the letter in several installments of increasing amounts for a variety of reasons.
Lottery Schemes: The lottery scheme involves persons contacting random email addresses and advising the recipients that they have been selected as the winner of an international lottery. The Internet Crime Complaint Center has identified numerous lottery names being used in this scheme.
The email message usually reads similar to the following:
“This is to inform you of the release of money winnings to you. Your email was randomly selected as the winner and therefore you have been approved for a lump sum payout of $500,000.00. To begin your lottery claim, please contact the processing company selected to process your winnings.”
An agency name follows this body of text with a point of contact, phone number, fax number, and an email address. An initial fee ranging from $1,000 to $5,000 is often requested to initiate the process and additional fee requests follow after the process has begun. These emails may also list a United States point of contact and address while also indicating the point of contact at a foreign address.
Tax Return Preparer Fraud: Return preparer fraud generally involves the preparation and filing of false income tax returns by preparers who claim inflated personal or business expenses, false deductions, unallowable credits or excessive exemptions on returns prepared for their clients. Preparers may also manipulate income figures to obtain tax credits, such as the Earned Income Tax Credit, fraudulently.
In some situations, the client (taxpayer) may not have knowledge of the false expenses, deductions, exemptions and/or credits shown on their tax returns. However, when the IRS detects the false return, the taxpayer — not the return preparer — must pay the additional taxes and interest and may be subject to penalties.
While most preparers provide excellent service to their clients, the IRS urges taxpayers to be very careful when choosing a tax preparer. Taxpayers should be as careful as they would be in choosing a doctor or a lawyer. It is important to know that even if someone else prepares a tax return, the taxpayer is ultimately responsible for all the information on the tax return.
Thinking about shopping for the holidays? It’s no secret that browsing and buying online can save you time, money, and effort. The Federal Trade Commission (FTC), the nation’s consumer protection agency, says shoppers who stop and think before they click can prevent an online Scrooge from interfering with their purchases and ultimately, their holiday fun.
The FTC and the technology industry launched OnGuardOnline, a campaign to help consumers integrate online safety into their daily online routines. The agency says that consumers who take a few precautions when they’re online can help minimize the chances of a mishap.
Among the tips from OnGuardOnline.gov are:
- Know who you're dealing with. Anyone can set up shop online under almost any name. Confirm the online seller's physical address and phone number in case you have questions or problems. If you get an email or pop-up message while you're browsing that asks for financial information, don't reply or click on the link in the message. Legitimate companies don't ask for this information via email.
- Know exactly what you're buying. Read the seller's description of the product closely, especially the fine print. Words like "refurbished," "vintage," or "close-out" may indicate that the product is in less-than-mint condition, while name-brand items with "too good to be true" prices could be counterfeits.
- Know what it will cost. Check out websites that offer price comparisons and then, compare "apples to apples." Factor shipping and handling — along with your needs and budget — into the total cost of the order. Do not send cash under any circumstances.
- Pay by credit or charge card. If you pay by credit or charge card online, your transaction will be protected by the Fair Credit Billing Act. Under this law, you have the right to dispute charges under certain circumstances and temporarily withhold payment while the creditor is investigating them. In the event of unauthorized use of your credit or charge card, you generally would be held liable only for the first $50 in charges. Some companies offer an online shopping guarantee that ensures you will not be held responsible for any unauthorized charges made online, and some cards may provide additional warranty, return, and/or purchase protection benefits.
- Check out the terms of the deal, like refund policies and delivery dates. Can you return the item for a full refund if you're not satisfied? If you return it, find out who pays the shipping costs or restocking fees, and when you will receive your order. A Federal Trade Commission (FTC) rule requires sellers to ship items as promised or within 30 days after the order date if no specific date is promised.
- Keep a paper trail. Print and save records of your online transactions, including the product description and price, the online receipt, and copies of every email you send or receive from the seller. Read your credit card statements as you receive them and be on the lookout for unauthorized charges.
- Don't email your financial information. Email is not a secure method of transmitting financial information like your credit card, checking account, or Social Security number. If you initiate a transaction and want to provide your financial information through an organization's website, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some fraudulent sites have forged security icons.