Combating fraud is easy when you are fully aware of the types of scams out there and how to avoid them. To make sure you’re the first to know about new scams—or old ones with a new twist—be sure to sign up for Visa Fraud News Alerts. Visa will keep you up-to-date and at the cutting edge, ensuring the latest information and fraud-fighting techniques are always at your fingertips. Here are a few of the latest headlines:
Growing Phishing Industry Underscores Need for Consumer Education
Phishing scams have plagued consumers for a number of years, morphing to adapt to changing trends and technologies. Once perpetrated by mail and phone, this tactic is now also common by email and text message.
Phishing is when fraudsters pretending to be from well-known companies, organizations, or government agencies contact consumers and try to trick them into revealing their Social Security numbers, financial account information, passwords, or other personal information. That information is then used to make unauthorized purchases, take over victims' accounts, open new accounts, or even to apply for jobs or get tax refunds and other government benefits.
Even though phishing scams are not new, they continue to pose a serious problem. According to RSA's recent Fraud Report, the total number of phishing attacks launched in 2012 was 59% higher than in 2011. Further, the report estimates that global losses from phishing last year were around $1.5 billion.
With fraudsters becoming ever more sophisticated at impersonating trusted organizations, it's important for consumers to stay a step ahead and recognize these scams and better protect their personal information. That is why we are working together with the Consumer Federation of America to develop consumer education materials to help address this trend.
Watch the new video or access the tip sheet to get more information on how to avoid this type of scam:
Did that really come from Visa? Don’t be fooled by these phishing scams!
Criminals are always looking for new ways to trick consumers into handing over their personal or financial information. A favorite fraudster tactic is to use the name of a recognized company or organization to gain consumers' trust. This tactic is known as "phishing" and can take many forms – an email, phone call, mobile text message or even a website.
Over the years, Visa has done a lot to earn consumers' trust. Now fraudsters are taking advantage of our good work by using our name and logo to prey on consumers – and that's not something we take lightly. We investigate all potential Visa-related phishing scams and work with anti-phishing organizations and law enforcement to alert web browser vendors of confirmed phishing attacks and help shut them down.
Consumers can help, too! Below we dissect and highlight several warning signs in four examples of recent phishing scams. If you suspect you received a Visa-related phishing attempt, report it to firstname.lastname@example.org for inclusion in our security analysis. By participating in our anti-phishing security efforts, you can help prevent other consumers from becoming victims.
Visa Email Phishing Scam: This popular scam masquerades as an email from Visa to trick consumers into providing their payment information.
1. Don't be fooled by the email address. Scam artists can fake the sender's email address and mask the true account they are using.
2. Notice the extra spacing in the subject line and the improper capitalization of certain words throughout. Spelling and grammar errors are common in phishing scams.
3. The customer is not addressed by name.
4. Visa does not contact cardholders to request their personal account information, so the email's request that the consumer "update" card information is suspicious.
5. Be wary of hyperlinks and avoid clicking them if possible. A single click can cause your computer to become infected, and there may not always be visual clues of a compromise.
6. By assigning a 72-hour deadline and threatening account suspension, the criminals add a sense of urgency that they hope will override the cardholder's normal sense of caution.
7. There is no contact information to speak to a customer representative. Given the urgency of the email, a customer support phone number would likely have been included in a legitimate request. However, the presence of a phone number also doesn't guarantee legitimacy. If you're unsure about the request, call the number on the back of your card.
Verified by Visa Email Phishing Scam: Verified by Visa is another Visa brand that scammers like to use to trick consumers. Below is an example of a popular email phish that has circulated in recent months.
1. If you see an email claiming to come from Verified by Visa – STOP! Send it as an attachment to email@example.com. "@VerifiedbyVisa.com" is not a legitimate Visa email address.
2. Don't be fooled by email addresses. Scam artists can fake the sender's email address and mask the true account they are using.
3. The legitimate Verified by Visa solution carries only the Visa logo. The inclusion of MasterCard's SecureCode logo is another tip off that the email is fake.
4. The customer is not addressed by name.
5. The words "Security" and "Update" are improperly capitalized.
6. Don't click on hyperlinks, files or images unless you know the email request is legitimate.
7. Visa does not contact cardholders to request their personal account information.
8. Creating a sense of urgency and making threats are warning signs of a scam.
9. There is no contact information to speak to a customer representative. However, the presence of a phone number also doesn't guarantee legitimacy. If you're unsure about the request, call the number on the back of your card.
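The warning signs listed for the two email examples above can be checked mechanically when triaging a reported message. The following Python is an added example, not Visa's tooling; the sample message, its example.* domains, the indicator names and the word lists are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; every address and domain is a placeholder.
SAMPLE = """\
From: "Visa Card Services" <service@visa.example>
Reply-To: billing@mailbox.example
To: cardholder@example.net
Subject: Your   Account Will Be Suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>You must Update your card information within 72 hours or your account
will be suspended.</p>
<p><a href="http://login.payments.example/update">https://www.visa.example/verify</a></p>
</body></html>
"""

class BodyScanner(HTMLParser):
    """Collects visible text and (href, link text) pairs from a message body."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    """Return the names of the warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    scanner = BodyScanner()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            scanner.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    scanner.close()
    text = " ".join(scanner.text)
    found = []
    # The From address can be faked, so it proves nothing on its own; a Reply-To
    # in a different domain is one visible hint of the account really in use.
    if msg.get("Reply-To") and domain(msg["Reply-To"]) != domain(msg.get("From")):
        found.append("reply_to_mismatch")
    if re.search(r"\S\s{2,}\S", msg.get("Subject", "")):
        found.append("subject_spacing")
    if re.search(r"\bdear\s+(customer|cardholder|member|user|client)\b", text, re.I):
        found.append("generic_greeting")
    if re.search(r"\b(update|verify|confirm)\b.{0,40}\b(card|account|password|pin)\b",
                 text, re.I | re.S):
        found.append("asks_for_account_info")
    if re.search(r"\bwithin\s+\d+\s*(hours?|days?)\b|\bsuspen(d|sion)", text, re.I):
        found.append("urgency")
    # Link text that looks like a URL but points to a different host than the href.
    if any(re.match(r"(https?://|www\.)", label, re.I) and host(label) != host(href)
           for href, label in scanner.links):
        found.append("link_text_mismatch")
    # A phone number does not prove legitimacy; its absence is only one more sign.
    if not re.search(r"\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}", text):
        found.append("no_contact_number")
    return found

if __name__ == "__main__":
    for name in phishing_indicators(SAMPLE):
        print(name)
```

No single indicator is conclusive; the list is meant to prioritise which reported messages an analyst reads first.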
Visa Text Message Scam: We have read reports of scammers using text messages as another avenue to trick cardholders. When called, the phone number provided in the text prompts the consumer to walk through a series of steps to verify themselves or re-activate the card by entering their account information, PIN, expiration date and/or 3 digit CVV code.
Additional tips to avoid text messaging scams:
1. The text message does not contain the name of the issuing bank or any other information to identify your card (usually the last two or four digits of your account).
2. Visa does not contact cardholders to request their personal account information.
Remember, phishing text messages may contain a link instead of a phone number – so be careful before clicking on any links if the text message is at all suspicious. Consumers can forward suspicious text messages to the short code 7726 (the numbers spell the word "SPAM"). Text messages may also contain dangerous hyperlinks that can open in a mobile phone, so think twice before clicking!
Fake Verified by Visa Validation Prompt: This new scam targets consumers whose computers were previously hacked and have malicious code (malware) installed. When the consumer begins the checkout process for an online purchase, the malware is activated and presents a fake Verified by Visa prompt to phish the consumer's information. This attack is not common, but we want to raise consumer awareness. Consumers should be suspicious of Verified by Visa forms that ask for more information than usual. The following is an example of a suspicious Verified by Visa validation prompt during the checkout process.
1. Review the Verified by Visa prompt carefully. If something looks odd and the prompt seems irregular in some way, there is probably a good reason for suspicion.
2. Always remember that a legitimate Verified by Visa prompt will include both the Verified by Visa logo AND your issuing bank's logo.
3. A legitimate Verified by Visa prompt will never ask you to enter your card details and your Verified by Visa password. It may ask you to verify one or the other – but never both.
4. Unusual fields in the validation box should raise suspicions. For example, "Sort Code" is not a field in a true validation prompt. If you are unsure, call your issuing bank.
Consumers should keep their antivirus software current and run checks regularly to minimize the risk of this type of scam. And, if you suspect your credit card data may have been compromised, contact the number on the back of your card or on your bank statement.
Visa Phone Phishing Scam Alert
Fraud Avengers has reported that scam artists are posing as Visa or MasterCard representatives to trick consumers into providing the three-digit security code on the back of their payment card. Here's how the scam works: the fraudster calls the consumer claiming to be a Visa or MasterCard representative from the company's "Security and Fraud Department." The fraudster explains that the consumer's card has been flagged for suspicious transactions and that they need to verify that the consumer is currently in possession of his/her card by providing the three-digit security code on the back of the payment card. What makes this particular scam especially believable is that the fraudster already has several pieces of personal information about the consumer such as name, address, and telephone number -- reinforcing the appearance that the call is legitimate.
It is important to note that Visa does not call or email cardholders to request their personal account information. If you receive such a call, do not provide your information. Instead, hang up. If possible, note the phone number used by the scammer and call your issuing bank immediately. Your issuing bank will be able to tell you whether any suspicious transactions have been made to your account. Consumers can report Visa phone scams to us at firstname.lastname@example.org and should include the phone number that was used by the fraudster if available. Visa works to actively disable phone numbers confirmed to be used for these types of fraudulent activities.
As always, proceed with caution when receiving an unsolicited call, email or letter asking for personal information. Phishing scams can take various disguises to trick consumers. To learn more about these disguises, read "How to Catch a 'Phish' " and "How Not to Get Speared by Phishing."
Secure Holiday Shopping Tips
American shoppers spent $41.9 billion online in the third quarter, a 15 percent increase over the previous year, according to a November 2012 report by comScore. If the trend continues, this holiday shopping season will be a strong one, with many consumers choosing to make holiday gift purchases on the Internet. While Black Friday and Cyber Monday are now behind us, Visa data suggests that the busiest online shopping period is still to come. According to Visa, over the last 10 years, December 22, 23 and 24th have been the busiest online shopping days of the holiday season.
Whether you're planning ahead or waiting until the last minute, take precautions when making online purchases to help ensure a secure shopping experience. Shop safe with these tips from Visa:
- Make sure your inoculations are up to date. Before you start shopping online, make sure your computer's anti-virus software is updated. Take the extra time to keep cybercriminals from invading your computer or stealing sensitive personal information.
- Don't forget to check your URL. Double-check the website's URL before you enter any of your payment details. Be certain that the URL begins with "https://". The "s" at the end of the "http" confirms that the site has a secure connection.
- Know who you're dealing with. Shop at online stores you know and trust. Be cautious when visiting unfamiliar sites offering deals that are too-good-to-be-true.
- Look before you leap. Beware of phishing scams in all forms including email and unsolicited phone calls. You can learn some of the warning signs of a phishing scam. The Federal Bureau of Investigation also cautions consumers to be wary of "one day only" email promotions from recognized brands; such emails may be another tool fraudsters use to obtain payment information from unsuspecting shoppers.
- Consider a digital wallet. Digital wallet services such as Visa's recently launched V.me by Visa help provide an additional layer of protection when purchasing online. Among its advantages is that it does not share your full account information with online merchants.
Cyber Crime Twitter Chat Recap
Last week we joined the National Cyber Security Alliance, Department of Homeland Security, and Washington State Patrol for a Twitter chat on cyber crime. Moderated by @StopThinkConnect, the chat gave consumers and security gurus an opportunity to ask questions and share resources about staying safe online.
Read highlights of our discussion:
@StaySafeOnline: Let's get started! @VisaSecurity & @ITRCSD, can you name one important #cyber threat people should be aware of? #ChatSTC
@VisaSecurity: According to @rsasecurity, phishing attacks were up 14% from June to July. A phish tries to trick you into providing info. #ChatSTC
@InfoSight: People forget about their phones being a threat. Phones are little computers, facing the same malware threat that exists online. #ChatSTC
@Lookout: @Lookout found that in the United States, 4 in 10 users will click on an unsafe link on a mobile device this year #ChatSTC
@StaySafeOnline: #Online #shopping is really popular these days. How can people protect themselves from #fraud when shopping online? #ChatSTC
@STOPTHNKCONNECT: Don't shop on an unsecured wifi connection. If using a mobile device, 3G/4G is safer in those situations. http://bit.ly/HZkpLc #ChatSTC
@cyber: Learn how to shop more securely from US-CERT (http://goo.gl/3hBOg) and spread the word to friends & family #ChatSTC
@VisaSecurity: Look for "https:" in your browser before entering payment info. The "S" indicates a secure connection. #ChatSTC
@StaySafeOnline: @VisaSecurity & @ITRCSD if someone gets a letter that their payment data may have been exposed in a breach, what should they do? #ChatSTC
@VisaSecurity: Monitor your statements. The good news is that in many cases stolen payment data is not used to make fraudulent charges. #ChatSTC
@Lookout: Download an app like @mint that monitors and tracks your spending. #ChatSTC
@ITRCSD: @StaySafeOnline @VisaSecurity here are the first steps for breach victims. http://www.idtheftcenter.org/artman2/publish/c_guide/Solution_15.shtml … #ChatSTC
Read more here. And don't forget to join the National Cyber Security Alliance later this week for another chat on cyber education and digital literacy. More info here: http://stopthinkconnect.org/get-involved/twitter-chats/
Guest Blog – Visa Partners with FCC to Release Small Biz Cyber Planner 2.0 to Empower Small Businesses with Customizable Cybersecurity Plans
By Jordan Usdan, Acting Director, Public Private Initiatives, Federal Communications Commission
Small businesses are more dependent on the Internet than ever before, but 83 percent don't have a formal cybersecurity plan to protect against cyber threats, according to a new study released by Symantec and the National Cyber Security Alliance. As larger companies improve cyber defenses, American small businesses are now more vulnerable targets. According to Symantec, they were subject to hundreds of millions of cyber threats in just the first few months of 2012. A typical cyber-attack can cost a business, on average, close to $200,000 – enough to put many of them out of business.
But there are tools and resources available for business owners to take action, and National Cyber Security Awareness Month – happening now – provides a great opportunity to shine a light on them. This week, the Federal Communications Commission is re-launching the Small Biz Cyber Planner 2.0, an online resource to help small businesses create customized cybersecurity plans. Originally launched in October 2011, it is the result of an unprecedented public-private partnership between government experts and private IT and security companies, including Visa, DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others.
The Cyber Planner 2.0 covers multiple facets of cyber security, including best practices to protect payment data and secure payment systems as well as how to avoid advanced versions of spyware and what immediate steps to take in case of infection, and recommendations to install new software systems that enable remote cleaning and tracking of laptops and mobile devices in the case of theft. The FCC is also releasing an updated one page Cybersecurity Tip Sheet. The quick resource features new tips on creating a mobile device action plan and on payment card security.
Small businesses are a driving force in our economy. As they continue to leverage broadband technology, including smartphones, mobile payments, and the cloud, they must increase security and follow best practices so that they can continue to run efficiently.
The Small Biz Cyber Planner will be of particular value for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber threats. The tool will walk users through a series of questions to determine what cybersecurity strategies should be included in the planning guide, and generate a customized PDF that will serve as a cybersecurity strategy template.
The FCC, working with government and the private sector, is committed to furthering the message of the national cybersecurity awareness campaign. We must all Stop. Think. Connect. and together we can strengthen U.S. small businesses and ensure they remain a vibrant engine of the nation's economy.
Retailer Security Focus: Help Protect Your Business from Skimming
Criminals are actively targeting merchant point-of-sale (POS) terminals for "skimming," a technique that involves transferring payment card data and PINs to another source. The perpetrators then use the stolen data to create counterfeit payment cards for fraudulent purposes.
The good news is that merchants can take steps to reduce POS terminal weaknesses and the possibility of POS tampering. Although there is a tendency to look for a silver bullet that will stop POS terminal tampering incidents, the most effective strategy is to take a layered approach to security. The following best practices have been created to help merchants maintain the highest level of POS equipment security and reduce the possibility of skimming.
Keep a Watchful Eye on Your Point-of-Sale Equipment
Continually track and monitor all POS terminals that accept payment cards. Examine your terminals periodically and look for abnormalities like missing or altered seals or screws, extraneous wiring, holes in the device – these could be clues that criminals have tampered with your device.
At a minimum, routinely inspect your POS terminals and PIN-entry devices (PEDs) for the following:
- Are the POS terminal and its PED in their designated location?
- Is the POS terminal's manufacturer name and/or model number correct?
- Is the POS terminal serial number correct?
Merchants must maintain a record of all serial numbers along with model numbers assigned to each of its acceptance locations.
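The three inspection questions above amount to reconciling what is seen on the shop floor against the recorded serial and model numbers. The following Python is an added example, not part of Visa's guidance; the CSV layout, terminal IDs, locations, the "ExampleCo" manufacturer, serial numbers and finding names are all constructed assumptions.

```python
import csv
import io

# Constructed asset register: one row per terminal the merchant has on record.
REGISTER_CSV = """\
terminal_id,location,manufacturer,model,serial
T-01,Front register 1,ExampleCo,PX-100,SN-100234
T-02,Front register 2,ExampleCo,PX-100,SN-100235
T-03,Garden centre,ExampleCo,PX-200,SN-200871
"""

# Constructed inspection sheet: what staff read off each device during a walk-round.
INSPECTION_CSV = """\
location,manufacturer,model,serial
Front register 1,ExampleCo,PX-100,sn-100234
Front register 2,ExampleCo,PX-100,SN-100999
Back office,ExampleCo,PX-200,SN-200871
"""

def norm(value):
    """Ignore case and stray whitespace so hand-typed values still compare."""
    return " ".join(value.split()).upper()

def load(text):
    return [{k: v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def reconcile(register_csv, inspection_csv):
    """Return (finding, terminal_id or location) pairs for every discrepancy."""
    register = load(register_csv)
    by_serial = {norm(r["serial"]): r for r in register}
    by_location = {norm(r["location"]): r for r in register}
    seen, findings = set(), []

    for obs in load(inspection_csv):
        rec = by_serial.get(norm(obs["serial"]))
        if rec is None:
            # Serial is not on record: either a swapped terminal or a stray device.
            expected = by_location.get(norm(obs["location"]))
            if expected is None:
                findings.append(("unknown_device", obs["location"]))
            else:
                seen.add(expected["terminal_id"])
                findings.append(("serial_mismatch", expected["terminal_id"]))
            continue
        seen.add(rec["terminal_id"])
        if norm(obs["location"]) != norm(rec["location"]):
            findings.append(("wrong_location", rec["terminal_id"]))
        observed_type = (norm(obs["manufacturer"]), norm(obs["model"]))
        recorded_type = (norm(rec["manufacturer"]), norm(rec["model"]))
        if observed_type != recorded_type:
            findings.append(("model_mismatch", rec["terminal_id"]))

    # Terminals on record that nobody found during the inspection.
    findings += [("missing", r["terminal_id"])
                 for r in register if r["terminal_id"] not in seen]
    return findings

if __name__ == "__main__":
    for finding, where in reconcile(REGISTER_CSV, INSPECTION_CSV):
        print(f"{finding}: {where}")
```

A `serial_mismatch` at a known location is the pattern to escalate first, since it is what a substituted terminal looks like on paper.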
Use Only PCI-approved terminals and PIN pads
Merchants should only use PEDs that are currently approved by the Payment Card Industry Security Standards Council (PCI SSC). A list of such devices can be found at: www.pcisecuritystandards.org. Click on "Approved Companies & Providers" and then visit the "Approved PIN Transaction Security" page.
Safeguard Your POS Equipment and Surrounding Areas
Whenever possible, secure POS equipment to prevent any unauthorized removal attempts from your merchant location. The use of secure stands, tethers, alarms or security cables is an accepted practice. This prevents the substitution of terminals and protects against the possibility of tampering. Where permitted by the design of the terminal, the cables connecting to terminals should be protected using a conduit, or they should be held within a physically secure structure.
Carefully check your POS environment for hidden cameras or recording devices
Merchants should verify there are no additional or unauthorized displays where a camera could be hidden and inspect the ceiling area above the POS device. Additionally, use a CCTV recording system to deter criminals from removing or tampering with POS equipment. Position the CCTV cameras so that they properly monitor all POS terminal locations, but do not record PIN-entry actions during the transaction process. Review the CCTV images on a regular basis to make certain your security measures are being carried out correctly and that your POS equipment has not been tampered with or impaired in any way.
Train Your Staff on POS Equipment Tampering Prevention
As part of card acceptance training, make sure your staff is up to speed on how to recognize noticeable signs of equipment tampering. Making the staff aware of POS equipment-tampering schemes and skimming attacks can help reduce the possibility of fraud exposure and associated losses.
If you believe your business has been subject to device tampering, contact your acquirer or processor immediately.
Additional information on POS terminal security and skimming is available here:
- Visa Guide: Point-of-Sale Terminal Tampering is a Crime...and You Can Stop It at http://usa.visa.com/download/merchants/alert-pos-terminal-tampering-020311.pdf
- Visa PIN Security and Key Management Program at http://usa.visa.com/merchants/risk_management/cisp_pin_security.html
- Skimming Prevention – Best Practices for Merchants at https://www.pcisecuritystandards.org/education/info_sup.shtml
Election Season Scams
The U.S. presidential election season is fully underway, and that means plenty of business for pollsters, pundits, advertising agents and, according to the Better Business Bureau, scammers hoping to perpetrate phone scams. Here are two types of election phone scams to look out for:
Polling Scams: According to the BBB, the scammers use hot-button topics to hook consumers into participating in phony telephone surveys in return for a "free" cruise. At the end of the poll, the fraudster asks for a payment card number "to help cover fees and taxes." As the Better Business Bureau reminds consumers, "Legitimate polling companies will never offer prizes for participating in a telephone survey, nor ask for a credit card number."
Phony Fundraising Calls: Some scammers are also taking advantage of common fundraising tactics by calling consumers to solicit campaign donations. Don't rely on caller ID to verify the legitimacy of a call, as such devices can be tricked into displaying a name or organization other than the one the person is calling from. If you're unsure about the legitimacy of the caller, look up the candidate's website separately to ensure you're donating through the campaign's officially sanctioned channels. And remember, if you choose to donate online, make sure the address in your web browser starts with "https://". The "S" indicates a secure connection for entering your payment information.
Scammers aren't limiting their attacks to phone calls. Be vigilant for election scams that include text messages, social media requests and even requests by phony door-to-door political canvassers who hope to trick people into providing personal financial details and Social Security information -- just the information they need to commit identity theft and other forms of fraud.
As always, Visa advises cardholders to be especially wary about giving out their personal or payment card details, particularly in cases in which they don't initiate the conversation.
Be Smart About Sharing Personal Information Online
One of the great modern marvels of technology is the ability to connect with large numbers of people across the globe – instantly. With one click, you can post pictures, updates, your location...just about anything.
Next time you decide to post information online on public social networking sites or a blog, pause and make sure you consider the sensitivity of the information you are about to share. Posting personal information could be an open invitation for scam artists to target your payment accounts. This includes sharing pictures that could expose your information, like tweeting a picture of your payment card, as a FOX TV affiliate recently reported.
A study released by Javelin Strategy & Research found that 68 percent of people with public social media profiles shared their birth dates; 63 percent shared their high school name; and 18 percent shared their phone number. Remember, the more information you post, the more likely a thief will have enough information to access your accounts or commit fraud.
Security is always top of mind for us here at Visa. We work hard every day behind the scenes, monitoring our network for suspicious activity to help prevent and detect fraud, but we can't do it alone. It's important to remember that cardholders also have a vital role to play in keeping their personal information safe.
So next time you're online, remember these 5 security tips:
- Personal information is just that – personal. Don't post information such as your social security number or payment card information in a public forum or social networking site.
- Pay close attention to what you share on social networking sites; even seemingly innocuous information such as your mother's maiden name, your high school mascot or the name of your pet can help a thief gain access to your accounts.
- Familiarize yourself with your social network's privacy settings to help control who can see your information and manage what information can be seen.
- Create strong, unique passwords for each of your accounts. Using different passwords will limit any damage if one password is ever compromised.
- Be suspicious of any requests for your personal or payment information no matter how convincing the communication or phone call you received may be. Scammers may use tactics like phishing and social engineering to trick consumers into divulging additional personal or payment information.
To read more online safety tips, read our Preventing Fraud section.
Visa is also a board member of the National Cyber Security Alliance, which provides additional information on social network security tips.
Guest Blog – You on Twitter? So are scammers.
By John Breyault, Vice President of Public Policy, Telecommunications & Fraud, National Consumers League
Many consumers find the popular social media site, Twitter, useful for staying in touch with friends and family and getting updates from organizations or famous people. Unfortunately, scammers see the millions of Twitter users very differently: as potential targets.
Scams on Twitter usually involve some kind of link or promise from either a user you don't know or a user whose account has been compromised.
A common scheme is for a scammer to create an account then follow or direct message hundreds or thousands of other users. Each time a user is followed, they receive an alert with a link to the scammer's profile. The profile often contains links to malware or phishing sites. A recently popular method of this is a direct message or tweet with a message like "lol is this really you?" with a link attached.
Yet another scheme scammers use is to post something that leads to a link that looks like a Twitter login page, but isn't, and thus when a user types in his username and password, the fraudster has access to their account and can use it to target others.
Other signs of a fraudulent account are: repeatedly posting duplicate updates, abusing basic functions of Twitter to get attention, and posting links with unrelated tweets.
How can Twitter users avoid falling for a scam?
Twitter users should ignore any direct messages or tweets that promise that by simply clicking on a link they will receive thousands of followers. Any "get followers quick" links could be a way to steal money or private information by installing malicious software onto your device or redirecting you to an illegitimate website that may ask you for your personal or payment information.
Twitter is aware of scammers using its site, and shuts down the accounts of spammers that users report, so users shouldn't hesitate to report a suspicious Twitter handle that displays any of the red flags.
Other tips for using Twitter and avoiding the pitfalls of a scam are:
- Use a strong password
- Always make sure you're on Twitter.com before giving login information
- Make sure you see "HTTPS" in the address bar, indicating a secure connection
- Beware of direct messages from people you don't know, especially if they promise to help you "immediately" get thousands of followers
- Be suspicious if you are followed by someone posing as a celebrity. Well-known Twitter users often have Verified Accounts (signified by a check mark next to their profile name).
- If you don't know someone following you, don't click on links in their profile
- If you encounter abusive and/or annoying behavior on Twitter, block and ignore the profile responsible and report it to Twitter
There are many organizations with Twitter accounts that work to protect people from online fraud and other consumer issues such as the Better Business Bureau (@BBB_US) and the Federal Trade Commission (@FTC), Visa Security Sense (@VisaSecurity), StopBadware.org (@StopBadware), and the National Cyber Security Alliance (@StaySafeOnline).
Twitter's Help Center (@Support) also provides useful information on identifying spammers and protecting your account.
Stay safe and have fun in the Twittersphere!
This blog posting provided as part of an unrestricted educational grant from Visa to the National Consumers League. For more security news and tips from the National Consumers League, visit: www.nclnet.org.
Simple Steps to Protect Your PIN
Payment cards have made shopping and banking across the globe faster and more convenient than ever before. While the incidence of fraud within the Visa system is at near historic lows, criminals are always looking for opportunities to steal payment cards and PIN numbers in order to make unauthorized purchases and cash withdrawals.
Visa works in partnership with all participants in the payment system including financial institutions, merchants, ATM operators and law enforcement in order to secure payment card data, including PINs. But consumers have an important role to play, too.
Here are some tips that will help protect your PIN and reduce the risk of fraud at retail and ATM locations:
- Be aware of your surroundings and watch for anything unusual or out of the ordinary. Does the card reader seem loose? Does it seem larger than usual?
- Take care to physically shield your PIN number from prying eyes whether you're at the checkout counter or the ATM. Cover the PIN pad with your free hand when entering your PIN number.
- Guard your PIN securely. Memorize it and never write it down or give it to anyone.
- If an ATM is in a poorly lit or concealed location, or if you're just not feeling comfortable, use another ATM. Criminals may be less likely to tamper with the device in a place where they could get caught.
- When using an indoor ATM that requires your card for access, avoid letting unknown people in with you.
- Monitor your account statements regularly. Contact your financial institution to sign up for Visa transaction alerts, which are sent to your mobile device in near real-time.
- Report any suspicious activity on your account to your card-issuing financial institution immediately.
As security blogger Brian Krebs recently reported, criminals are constantly trying new ways to steal payment card information and PIN numbers – so stay alert and be aware of your surroundings.
LinkedIn Member Password Compromise
Yesterday LinkedIn announced that the log in credentials to members' accounts were compromised. According to the New York Times, around 6.5 million LinkedIn passwords have been posted to a hacker website.
While payment card fraud is not the primary concern with this compromise, it is a good time to raise two important security reminders:
- Create a strong, unique password for each of your accounts. In the event of a password compromise like this one, making sure you have different passwords can help prevent hackers from accessing your other accounts. Make sure your passwords are hard to guess. Security blogger Brian Krebs outlines good tips on how to do this.
- Be on the lookout for phishing scams. The New York Times is reporting that phishing emails purporting to come from LinkedIn have already begun to surface. This is only one type of attack to be mindful of. A fraudster who has certain pieces of information about you like your personal or professional contacts or information about your work experience could have enough information to attempt a "spear phishing" scam – an attack in which a criminal attempts to extract personal or payment information by pretending to represent an entity you trust or someone you know such as an old friend or distant relative. The key is vigilance. If you receive a phone call or email requesting you to provide or to confirm your account details or personal information, proceed with caution. It could be fraud at work.
If you suspect you have received a suspicious email, forward it to email@example.com.
Guest Blog - My Phishing Story: Close Call Proves Customer Education is Critical
By Tracy Kitten, Managing Editor, Bank Info Security
There's a limit to how much a banking institution or other organization can control when it comes to preventing online fraud. My personal experience with a phishing scam illustrates why it's so important to educate consumers and businesses about how to spot suspicious requests and potential fraud.
My Phishing Story
Several weeks ago I was replying to online ads for ticket sales to the Kentucky Derby - a big event that no doubt attracts all types of scammers trying to sell cons.
I got a reply from a seller who seemed legitimate. I provided the seller my mobile number, so we could discuss the logistics of payment. He requested my eBay ID, saying I could pay for the tickets through eBay and bypass PayPal. Odd, I thought. But giving him the benefit of the doubt, I provided my eBay ID, thinking this guy just didn't really understand how PayPal and eBay work. Within five minutes, I got a confirmation for an eBay transaction texted to my phone. And a few minutes later, I received an e-mail from what appeared to be eBay. And a few minutes after that, the seller e-mailed me, asking me to give him the confirmation code that was sent to my phone.
Right then, I knew this was a scam. The e-mail was convincing, though a few details seemed sketchy, like the fact that my alleged eBay representative lived in England and that my name was misspelled. And the fact that this person asked me to provide the texted verification code was a big indicator this was a scam.
To the casual user, however, those sketchy details might not have stood out.
Knowing not to click any links, I logged in to my eBay account and checked my inbox. Nothing. I immediately called eBay and forwarded the phishy e-mail to eBay's customer service department.
Here is an excerpt of the well-composed response I got from eBay:
Thanks for forwarding the suspicious email you received. The email is a spoof, also known as a "phishing," e-mail. (That's phishing, as in "fishing" for personal information.) It didn't come from eBay. Our Trust & Safety team is working to disable any websites it links to.
Copies of any e-mails we send you about the status of your account or a change in your account information will be displayed in My Messages. This is especially helpful since many spoof emails try to convince you that your account is in jeopardy.
Important - *Never* respond to a suspicious e-mail or click any links in the e-mail message. If you think you may have given out personal information in a spoof email or website, you need to take steps to protect your identity right away. ...
Keep those reports coming -- you're helping protect the global Internet community! Our Trust & Safety team works closely with Internet Service Providers to shut down fraudulent sites. We also send your reports to Web browser companies so that they can develop tools to identify spoof sites.
Why We Need More Education
Had I fallen for this scam, my first reaction as a consumer would be to blame eBay. But eBay was in no way involved. The tickets were not even advertised on eBay. Banks and credit unions face similar issues.
I don't think consumer education is the only answer, but online users have to increase their security savvy. My education about how fraud is perpetrated saved me in this case. But were I a typical user, this could have turned out badly.
This story was adapted from an article Tracy published on April 20, 2012. To read Tracy's full story and other articles by this reporter, visit http://www.bankinfosecurity.com/.
Click here for an example of an email phishing scam and what red flags to look for.
Sun, Sand and Scams: Beware of the Timeshare Resale Scam
Do you own a timeshare property? Be warned; that unsolicited telephone call informing you that there's a buyer interested in your vacation property might be coming from rip-off artists in what could be a timeshare resale scam.
In this type of scam, the fraudster calls a timeshare property owner claiming to have an interested buyer. The fraudster then asks the timeshare owner to sign a contract and pay a transaction fee – usually with a credit or debit card – before the alleged sale can proceed. In reality, the buyer never existed and the contract was for advertising services only. And once the fraudulent reseller has your money, don't expect to hear back. The fraudulent reseller will typically avoid your calls, deny refund requests or stall.
Visa and the Federal Trade Commission have teamed up to offer the following tips to help you spot a timeshare resale scam:
- Don't agree to anything on the phone or online until you've had a chance to research the reseller. Contact the Better Business Bureau (www.bbb.org), state Attorney General (www.naag.org), and local consumer protection agencies (www.consumeraction.gov) in the state where the reseller is located. Ask if any complaints are on file.
- Before you sign a contract with a reseller, get the details in writing and make sure that the contract spells out the services the reseller will perform as well as any fees, commissions, and any other costs you must pay and when.
- Ask if the reseller's agents are licensed to sell real estate where your timeshare is located. If so, verify it with the state Real Estate Commission. Deal only with licensed real estate brokers and agents, and ask for references from satisfied clients.
- Ask how the reseller will advertise and promote the timeshare unit. Will you get progress reports? How often?
- Ask about fees and timing. It's preferable to do business with a reseller that takes its fee after the timeshare is sold.
If you believe you may be a victim of a timeshare resale scam and have not been able to resolve the issue directly with the merchant, call the financial institution that issued your credit or debit card to dispute the charge. You also can report your experiences to the FTC. For additional information on timeshare resale fraud, see Selling a Timeshare Through a Reseller: Contract Caveats and Time and Time Again: Buying and Selling Timeshares and Vacation Plans.
Global Payments Phishing Scam
We recently heard reports that, in the wake of the Global Payments data compromise, some scam artists are taking advantage of the news to try and extract card payment information directly from consumers. Callers pretending to be from Visa or a financial institution are asking consumers for payment card information and claiming they need it for fraud management or security reasons. This type of phishing scam is known as "vishing" or voice phishing. If you receive such a call, proceed with caution. Visa does not call or email cardholders to request their personal account information.
What this shows is that criminals are fast moving and opportunistic. They may take advantage of the fear, confusion and uncertainty that data breaches can create to perpetrate vishing and phishing scams without actually having any information originating from the breached entity.
Phishing can happen in many ways including by email, text message or phone. Here are four tips to keep in mind:
- Consider all email requests for personal or payment information to be suspicious.
- If in doubt, call the number printed on the back of your payment card and verify the request.
- Don't rely on your caller ID to verify the legitimacy of a caller. Fraudsters have ways of tricking the caller ID into thinking the call is from a different number or organization. Similarly, fraudsters can make the "From" line in an email address appear to come from someone or somewhere other than the actual source.
- Just because an email has a company's logo on it does not make it legitimate.
View our interactive graphic on how to spot an email phishing scam. For more advice on how to avoid phishing, click here. Report any suspicious emails or calls to firstname.lastname@example.org or to the FTC's Complaint Assistant.
If you believe your payment card data may have been compromised in a data breach, read our Fraud News post with additional helpful information.
If you suspect that you may have disclosed personal information such as your Social Security number to a fraudster, you may be at risk for identity theft. Contact your bank and one of the three nationwide consumer credit reporting bureaus – Equifax, Experian or TransUnion – immediately.
How We Help Protect Consumers in the Event of Third-Party Data Breach
When Visa becomes aware of a data breach at a third-party that handles payment card information, our first priority is to protect cardholders. We work closely with the breached entity and issuing banks in order to heighten monitoring of potentially compromised accounts and minimize fraud losses.
Knowing that your payment data may have been stolen is unsettling, but the good news is that in most cases stolen payment data is never actually used to make fraudulent charges. However, in the rare event that fraud does occur, we protect U.S. cardholders through our Zero Liability policy, which ensures that you won’t be held responsible for that charge.
We have numerous layers of protections in place to help keep our cardholders safe, but cardholders can play an important role in their security, too, by regularly monitoring their accounts for unusual activity and reporting suspicious charges to their issuers.
For more information on what to do in the event you believe your payment data has been compromised, click here.
Are You Sharing Too Much Information Online?
Equipped with enough personal information, identity thieves can wreak havoc with your finances, take over your bank account or make purchases using your payment information.
According to a new study released by Javelin Strategy & Research, incidents of identity theft rose 10 percent in 2011 compared to the prior year. Javelin advises consumers to pay close attention to what they share on social media sites. Even seemingly innocuous information such as your mother’s maiden name, your high school mascot or the name of your pet can help a thief gain access to your accounts.
Think you’re doing a good job of protecting your information? Take the following safety quiz to find out: http://www.idsafety.net/quiz.php
For safety tips on how to help protect your identity or to read more about Javelin’s study, click here. If you suspect you have been the victim of identity theft, contact Call For Action at 1-866-ID-HOTLINE or visit www.callforaction.org for free, confidential assistance.
Hang Up on Fraud
From time to time we receive reports from consumers letting us know they've received a telemarketing call from someone claiming to be from Visa and asking for personal information like a credit card or social security number. If you receive such a call -- proceed with caution. It could very well be fraud at work in a scam sometimes called "vishing" or voice phishing.
Visa does not call or email cardholders to request their personal account information. Also important to know is that Visa's call centers do not make telemarketing calls.
Phone fraud takes on many forms, and you shouldn't rely on your caller ID to determine whether the call you've received is legitimate. Fraudsters can trick your caller ID into thinking the call is coming from a different number or organization, a tactic known as phone spoofing. So if you get a fishy call from someone requesting your payment card information, hang up and report the situation to the FTC and your issuing bank. You can find your issuing bank's phone number on the back of your credit or debit card. To limit telemarketing calls, you also can register your number with the FTC's National Do Not Call Registry.
Be very careful about providing your account or personal information over the phone unless you initiated the communication yourself or have positively verified the source.
Think you know how to catch a phish?
March 4 – 10 marks National Consumer Protection Week across the U.S. In support of this important week, we're introducing @VisaSecurity on Twitter. Much like what we try to do on this website, @VisaSecurity will be a one-stop resource for consumers on the latest payment security news, including information on scams and fraud prevention advice.
In addition, we're challenging consumers to see if they know how to catch a phish. A phish is an email that attempts to trick the reader into submitting valuable personal or payment information. These types of attacks are on the rise. According to RSA, phishing attempts jumped 37 percent in 2011 compared to 2010 and resulted in an average of $4,500 in stolen funds per attack.
Even more troubling is the fact that fraudsters are deploying increasingly sophisticated phishing tactics which can take the form of an email, text message, phone call or postal mail. Fraudsters can make their phish appear to be from banks, payment card companies and other organizations you know and trust. So remember, proceed with caution any time you're asked to provide personal or payment information.
Think you know how to catch an email phish? Test your knowledge and learn the top five tips to avoid getting caught by the phishing hook here.
Super Bowl-bound? Read These Tips Before Planning your Trip
Planning to watch the big game live? Avoid the spate of Super Bowl scams that make the rounds this time each year by keeping the following tips in mind:
- Tickets: Avoid ticket scams by buying your tickets from a legitimate, trusted merchant to ensure you aren’t left standing in the cold on February 5. Ticketmaster is listed on the NFL Super Bowl XLVI website as the official ticket exchange of the NFL. If you decide to buy from another source, the Better Business Bureau has a list of business reviews to help substantiate a business’ legitimacy. And don’t forget -- when going through the online checkout process, make sure the URL in your browser begins with “https.” The “s” stands for secure and means that the transaction information you enter is encrypted.
- Hotel/Airfare: Fraudsters are also trying to make a buck selling bogus airfare and lodging packages. As with tickets, buy from a well-known travel agent or travel website. Additionally, if making a reservation through an agent or travel website, you also may want to call the airline or hotel separately after making your booking to ensure your reservation is in the system.
- How to Pay: Paying with a credit card provides an extra layer of protection. The Fair Credit Billing Act allows consumers to dispute charges for goods or services that weren’t received.
For additional advice and tips, check out the BBB’s recent news brief.
Merchants Getting Snagged by Phishing Hook
There has been a trend in e-mail "phishing" scams aimed not at the usual suspects – consumers – but instead at merchants.
Fraudsters are using e-mails that look as though they are from legitimate financial institutions, transaction processors or other businesses to lure merchants into providing sensitive account information, passwords, login credentials or other payment transaction information.
The e-mail may also include a link, which when clicked, leads to the fraudster's website or computer where malicious software – “malware” – is downloaded to the merchant's computer and gathers private information.
As always, be wary of any requests for sensitive information. If you receive a suspicious email, do not click on any links. Instead, pick up the phone and call the company directly using a phone number you know is legitimate.
Keep Your Holiday Happy: Tips for smart, secure online shopping
The holidays are here and many shoppers are choosing to stay in and log on to get their Christmas shopping done. But when shopping from the safety of your own home, be careful to safeguard your personal information and avoid suspicious websites, emails and promotions.
A new CNET video explains several preventive measures consumers can take to stay safe. So go ahead -- put your feet up and enjoy a cup of hot cocoa as you finalize your gift giving…but keep these useful tips in mind to ensure a very, merry fraud-free holiday:
- Keep your computer’s virus protection up to date
- Create strong passwords that aren’t easy to guess (hint: avoid these top 25 worst internet passwords)
- Ignore emails from senders you don’t know, especially if the sender is requesting money or your personal information
- Shop at stores you know and trust and, before entering your payment information, make sure the website’s URL begins with “https://” which indicates a secure connection
And remember: in the unlikely case that fraud does occur, Visa’s Zero Liability policy means you won’t be held responsible for fraudulent purchases made with your card or account information.
Watch Out for Phishing Emails Purporting to Come from the BBB
The Better Business Bureau recently issued an alert warning businesses and consumers about an email phishing scam that appears to originate from a bbb.org email address. The fraudulent email asks consumers to follow up on a recently filed complaint and contains a malicious attachment and link.
If you receive such an email, do not open the attachment or click on the link. Instead, report any information directly to the BBB’s Scam Source and then delete it.
Phishing emails such as this have the potential to cause significant disruption to your computer and/or gather information without your knowledge. Always open suspicious emails with caution – particularly if they contain a request for personal information. If you have any doubts about an email’s trustworthiness, look up the sending institution’s or company’s phone number separately (don’t call any phone numbers listed in the suspicious email) and contact the company directly to verify the legitimacy of the inquiry.
For additional tips on how to stay safe online, see our Tips for Preventing Fraud at VisaSecuritySense.com.
Don’t be a Turkey this Thanksgiving: Be aware of discounted gift card scams before shopping this holiday weekend
With Black Friday and Cyber Monday just a few days away, it’s an opportune time to remind shoppers that there are some gift card discounts you should be wary of. While gift cards are budget friendly and save you the headache of trying to guess exactly what your loved ones want this Christmas, it’s important to be careful of scams when deciding where to buy a gift card.
The Better Business Bureau recently warned consumers to watch out for a discounted gift card scam that has surfaced recently. Here’s what the scam looks like: a shopper responds to an ad on Craigslist for a gift card that is being re-sold at a bargain price. When the shopper tries to redeem the card value at the store, the card either doesn’t work or has no value remaining on it.
Fraudsters are becoming increasingly sophisticated in their ability to trick consumers. The best way to avoid scams this holiday season is to visit www.visa.com/gift and find a reputable online or local merchant to purchase from. If you’re going to take your chances and buy a gift card from a stranger, let your common sense prevail: if it’s too good to be true, it probably is.
For additional tips on how to stay secure while shopping in stores and online this weekend, check out our fraud prevention tips at Visa Security Sense.
Small Business Fraud Tips from the Better Business Bureau
We recently came across this great set of security tips posted online by the Better Business Bureau. It was such a perfect reminder of all that is at stake, and the relatively simple steps each small business can take to help ensure no one falls victim to fraud.
Each year the BBB is inundated with complaints from small businesses caught in fraudsters' webs. Perhaps it is an invoicing scam or being duped into paying for something they neither asked for nor wanted.
There are costs to fraud that go far beyond and far deeper than the merely financial—the harm to a business’s hard-won reputation chief among them. The article was quick to remind us that often fraudsters are simply after data or an identity under which to perpetrate their further scams.
Knowledge and vigilance are keys to beating fraud. However, it never hurts to run down the list of well-known fraud types, so here they are:
- Directory Scams – A fraudster calls your business asking to update an entry in an online or printed business directory. The services are billed and paid for, but no listing is ever placed.
- Office Supply Scams – Fraudsters sometimes target small business owners by billing for office supplies that were never ordered hoping the business won't notice.
- Overpayment Scams – Be wary when a customer "mistakenly" overpays and then asks you to wire a refund. Later, when your financial institution goes to withdraw funds on the original payment, the fraudster's account is empty. You do not get paid, and the refund you wired is gone.
- Data Breaches – An unauthorized leak of data, such as your customers' social security and credit card numbers, birthdates, addresses and more, can devastate the trust you have worked so hard to build.
- Vanity Awards – Beware of business "awards" in which you are required to pay for anything—trophies, plaques, and certificates. Many are just moneymaking schemes with no merit.
- Stolen Identity – Fraudsters may pretend to be your company for the purpose of scamming your consumers. While you may not lose financially, the damage to your company's reputation can be devastating.
- Phishing E-mails – Phishing e-mails have been targeting small businesses to break into their computer networks. Fraudsters will claim to be the IRS pursuing an audit or even the Better Business Bureau claiming to have received a complaint. Don't click on any links or attachments in a suspicious e-mail.
There seems to be no end to the creativity that fraudsters can muster in their attempts to get your personal information or your money. Knowing their tactics and a few simple security tips—like these from the Better Business Bureau—you and your small business can beat fraudsters and stay fraud free.
And, as always, you can stay up on the latest fraud alerts and helpful security tips right here at Visa Security Sense.
Help Celebrate National Cyber Security Awareness Month
October is National Cyber Security Awareness Month. It’s also the first anniversary of launching Fraud News and the VisaSecuritySense.com website. The theme for National Cyber Security Awareness month this year is “Our Shared Responsibility.” Many consumers want to take an active role in managing and protecting their payment card account. In fact, a study by Javelin Strategy & Research found more than half of consumers view the responsibility for protecting financial accounts from fraud as equally shared between themselves and their financial institution.
With that in mind, we’d like to mark the occasion by encouraging readers to review the many helpful tips we’ve offered here already. We hope VisaSecuritySense.com has played a part in empowering cardholders and business owners with information to help prevent fraud and increase awareness about important protections and available resources.
Visa joins with the National Cyber Security Alliance (NCSA) in marking National Cyber Security Awareness Month, now in its eighth year. The public-private partnership is focused on providing Americans with the information they need to stay safe online, whether shopping or surfing the Internet.
Additional National Cyber Security Awareness Month resources:
SMiSh Smash, Avoiding a Text Scam Bath
Recently, the Massachusetts Attorney General’s office reported that it has received hundreds of complaints from consumers who received text messages attempting to gain access to bank accounts and Social Security numbers. This is just the latest in a growing and persistent form of fraud known as SMiShing, for "SMS Phishing." In other words: text message fraud.
SMiShing usually involves a text to your mobile phone asking you to call a phone number and enter personal data, but sometimes it may be a link to a website where you are asked for private information.
Subtler SMiShing schemes may even appear totally harmless, asking for information that seems unimportant. But don't be fooled. If you respond to a text message, the fraudsters may be simply confirming the validity of your phone number, which then gets put in a database and sold down the line.
What should you do if you receive a suspicious text message from a bank or other party? The best and easiest tactic is to assume fraud first and call your financial institution—at a number you trust—to confirm the authenticity of the request. You can also report suspicious messages to the Federal Trade Commission at 1-877-FTC-HELP (382-4357) or www.ftc.gov.
Of course, be sure to visit VisaSecuritySense often for all the latest scam alerts and security tips to beat fraudsters at every turn.
Card Security Tips for the Savvy Summer Traveler
With the summer vacation season in full swing, it’s important to keep a few security tips in mind when it comes to traveling with payment cards. While most payment card transactions go through without problems, savvy consumers can help protect themselves from unauthorized purchases. Card security tips consumers should keep in mind while traveling include:
- If traveling outside the United States, inform the bank that issued your card which countries you will be visiting, and for how long.
- Keep a copy of your bank's name, its customer service phone numbers, and your Visa account number in a convenient place – separate from your card. Toll-free numbers may not work internationally. If you don’t have the bank’s direct number, dial Visa’s help line at 1-800-VISA-911 or 1-303-967-1096.
- Report lost or stolen cards and/or unauthorized transactions to your financial institution issuer immediately.
- Limit the number of payment cards and other personal information that you carry in your wallet or purse.
- Be aware of your surroundings when entering your Personal Identification Number (PIN) at an ATM or at the checkout.
- Don't leave your cards in your car’s glove compartment. An alarming number of payment card thefts are from car glove compartments.
- Save and check all receipts against your statement.
Cyber Thieves Can Make Social Networking Risky Business
Social networking can keep us connected to family and friends and help us stay in touch with news in real time. However, today’s cyber criminals can view social networking sites as rich and valuable sources of personal data. Using crafty schemes, they can loot your private information piece by piece and gather enough data to raid your identity and online accounts.
Reduce your exposure. A few simple steps can minimize risk on social networking sites:
- Get familiar with privacy and security settings.
Security and privacy settings can limit access to your information. Become familiar with them and update them often. Be sure to opt out of sharing your data when you add new apps.
- Don’t give away your birth date.
The day, year and location of your birth can help an identity thief unlock your financial identity. Also, beware of giving away answers to common security questions such as your mother’s maiden name, high school or hometown.
- I’m in Hawaii – make yourself at home.
It’s better to post vacation photos after you return, rather than letting potential burglars know when your home is empty. And, think twice before publishing your home address on social networking sites.
- Don’t provide password clues.
Your social network profile can give away password clues such as your pet’s name or favorite football team. Your passwords should be unique and difficult to guess. For example, you could choose a password that doesn't contain a readable word, mix upper and lower case letters, or use a number or symbol in the middle of the word. Most importantly, don’t use the same password for every site you visit. Read here for more tips on creating tough passwords.
- Don’t friend strangers.
Be wary of friending people online you don’t know in real life, even if they seem to be connected to people in your network. A 2011 survey showed that nearly 13 million U.S. adults will accept any social media connection request from a member of the opposite sex, regardless of whether or not they know that person. Just because someone is connected to a friend of yours doesn’t mean he or she is trustworthy.
Charity Scams: Reach Out, Be Smart
A recent blog post on Forbes.com highlighted, sadly, that criminals have been quick to jump on the tragedy in Japan as an open invitation to commit fraud. People around the world have received spam and phishing attempts seizing upon the desire to help.
Some fraud victims have been lured to fake YouTube, CNN, Facebook, or Twitter pages that are really just Trojan horse efforts to infect computers with malicious software. As the Japan tragedy confirms, cyber crooks will stop at nothing and they have at their disposal a number of electronic tools to perpetrate their crimes to get personal data, financial information, payment card numbers and more.
We thought it the perfect time to review a few of our tried-and-true fraud-busting tips:
- Never click on an attachment or a link in an email you don't trust. Your computer could be infected with a virus or malware meant to steal your personal information.
- Block pop-ups; they are a popular tool for fraudsters as a portal into your computer. They can even push bogus pop-ups to you via legitimate websites.
- Never provide usernames, passwords, credit-card numbers, bank account details, Social Security numbers, or other personal information electronically unless you initiated the communication.
- Especially for immediate tragedies, be vigilant and verify the legitimacy of the charities you are considering.
- Keep your virus protection up-to-date and install a spam filter and an anti-spyware program.
- Report any suspicious emails or other communications to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
As Japan has reminded us, it is natural to want to help victims of natural disaster. Don't let fraud or identity theft add to your grief: follow these simple steps and you can be sure that your donation goes to those who truly need it, and not into the waiting hands of a criminal.
As always, you can visit VisaSecuritySense.com to keep up on the latest fraud alerts and tips to make sure you stay fraud free.
Epsilon Email Security Breach
In a security breach, online marketer Epsilon has fallen victim to a hacker who gained access to client names and e-mail addresses from numerous well-known U.S. companies and institutions.
Luckily card fraud is not a primary concern with this compromise, but phishing and spamming could be. A criminal who now knows that you shop at a certain retailer can direct a very convincing phishing email to you. The email may seem more credible because you’re familiar with the supposed sender and it could reference your full name. This type of very directed phishing scam is called “spear phishing.”
Consumers should be on the lookout for spear phishing scams. If you receive a request by email asking for personal financial information, please use utmost caution and assume that it is fraudulent. You can also get some great tips for avoiding "spear phishing" e-mails in this fraud alert we put out just a few weeks ago.
While Visa was not affected by the Epsilon incident, this is another opportunity to remind you that Visa never solicits or requests personal financial data by email or phone.
As always, you will find lots of valuable anti-fraud and security tips, as well as all the latest security alerts, right here on VisaSecuritySense.com. With a bit of vigilance and a few time-tested tips, you can help protect yourself from fraud before it happens.
Fraud Targeting Small Businesses
It is encouraging when anyone posts an opening for a job, especially when that poster is one of America’s hardworking small businesses—the backbone of our economy and the key to a robust recovery.
It is with appropriate concern then that we have learned that these small businesses are increasingly falling victim to fraud and scams, particularly when posting new job openings.
It starts like this: Your business posts a job opening online only to be targeted by cyber criminals who send emails and resumes laced with malware, viruses and other programs of ill-intent that destroy data, slow computers or, worse, steal valuable personal information from your business. Most recently, a new type of malware has been discovered that gives hackers direct access to banking information.
In another form of fraud targeting small businesses, according to the IC3, the FBI's Internet crime unit, small business owners are receiving emails with cleverly disguised, exceedingly convincing phony receipts that mask malware. The malware infests your computer, scooping up valuable sensitive financial information and sending it to the criminals. This scam has been particularly effective on sellers in online marketplaces.
Beating these new types of fraud is not complicated. Vigilance is key, says the IC3. A few tips are all it takes to protect your small business from fraud. First, be sure virus scan software is on and up-to-date. To further protect your business, the FBI even recommends not doing online banking on the same computer on which you receive email job submissions.
With a few insights and some simple steps, America’s small businesses can be sure they don’t fall victim to fraud. Be sure to return to VisaSecuritySense.com to stay on top of the latest fraud alerts and the easy tips you need to stay fraud free.
Did I Really Miss Jury Duty? (Or Was I Just the Victim of Identity Theft?)
Word is spreading of a new wave of an old sort of identity fraud. This type preys upon our collective civic responsibility. In this sting, a caller claims that you have failed to report for jury duty and that there is a warrant for your arrest.
The caller will likely claim your arrest is certain, but the matter can be resolved quickly over the phone...if you can just verify some personal information—your Social Security number, birth date and maybe even a bank or credit card account number. Fraudsters always seem to want the same data, no?
With this information, the criminal on the other end of the line can take your identity and use it to get credit cards and loans, even expensive medical services, all in your name.
Reports of the "jury duty scam" first surfaced in 2006 and seem to be on the rise again. Don’t be fooled when your caller ID says the call is from a local courthouse either. Fraudsters can easily fool caller ID using "spoofing" products that let them steal the identity of any phone number they want, just as easily as they would like to steal your identity.
But, what if I really missed jury duty? How will I know? If you suspect you are the target of a jury duty scam, don’t give out any personal information. Check that the call is legitimate by calling the courthouse yourself and speaking with a clerk.
Fraudsters are clever, to be sure, but they can always be undone by caution and due diligence on the part of well-informed people like you. To make sure you stay fraud free, be sure to visit VisaSecuritySense.com frequently to keep up with the latest scam alerts and lots of helpful tips on beating card fraud and identity theft.
Be Wary of Fake Receipt Scam, Warns FBI’s Internet Crime Unit
If you’re a small business owner, you should pay very close attention to that receipt in your e-mail inbox. That’s the warning recently issued by IC3, a division of the FBI tasked with investigating Internet crime.
A new scam takes particular aim at sellers at online marketplace websites. Criminals are generating very convincing, yet phony receipts, according to the IC3. In reality, the receipt is actually a form of malware – an executable file designed to scoop up a company’s sensitive financial information and transmit it back to the fraudsters.
“Many sellers on these markets will ask the buyer to send them a copy of the receipt should the buyer run into trouble, have orders go missing, lose the license key for a piece of software, and so on,” the IC3 bulletin explains. “The scammer relies on the seller to accept the printout at face value without checking the details.” Vigilance is the key, advises IC3.
Seniors at Risk for Scammers Seeking to Snare Passwords
Americans of all ages are logging on to computers in ever-greater numbers to conduct online banking and other financial transactions. Recently, AARP published tips to help seniors better protect their passwords from would-be hackers. The tips could not have come at a better time. According to the 2011 Identity Fraud Report released by Javelin Research, seniors are far less likely to use the privacy settings provided on social media sites.
Javelin’s James Van Dyke writes, “Think about the information that is available so freely, and tell me it doesn’t remind them of the questions customer service agents ask when giving you your lost password back: birthdate, social security number, favorite pet’s name, even the first car and high school name. Is anyone using Facebook to stay in touch with their high school classmates?”
Van Dyke urges seniors to place better protections such as anti-virus software on their computers and to refrain from posting personally identifiable information that can be used by criminals to guess passwords.
Get a Password Makeover for Stronger Security
Chances are, the password you’re using isn’t very strong. If you're like a large percentage of people identified in a survey on password use, you change passwords infrequently (if at all) and use just one password for all your accounts.
Weak passwords are an open invitation to criminals to wreak havoc on our financial accounts. For small business owners, it may be an open door into your payment system, placing your customers’ account information and their trust in you in jeopardy. Not only do some business owners have weak passwords, but oftentimes they fail to change the default passwords that come with their payment systems, even though those defaults are well known to hackers.
Fortunately, there are steps that you can take. An article in Slate summarizes rules from several experts on how to make your password less vulnerable to hackers, including:
“Choose a password that doesn't contain a readable word. Mix upper and lower case. Use a number or symbol in the middle of the word, not on the end. Don't just use 1 or !, and don't use symbols as replacements for letters, such as @ for a lowercase A—password-guessing software can see through that trick. And of course, create unique passwords for your different sites.”
By beefing up your password strength now, you can save yourself a lot of hassle later.
Phony White House e-Card Causes Holiday Hangover
A story by security blogger Brian Krebs serves as a reminder that one can never be too careful and that even tech-savvy professionals can be taken in by clever deceptions.
Just before Christmas, a criminal sent e-mail holiday cards purportedly from the White House. When the targeted victims clicked on the link provided, malware known as ZeuS was downloaded onto their system to steal passwords and other sensitive information. Along with the malware was a program designed to steal documents from the victim’s computer.
According to Krebs’ post, the criminal may have accessed a large number of highly sensitive documents from the computers of security-related professionals working in government.
A security rule of thumb holds that e-mails from senders you don’t know should be ignored, but this cagey criminal correctly surmised that for some, the flattery of receiving a holiday card from the White House would be too tempting to resist.
New Year, Renewed Vigilance to Online Fraud
As we were browsing Visa’s “Practical Money Skills” recently, we came across this article which reminds us why card security is so important these days, especially at this time of year.
The holiday season and the New Year are a magical time—a time for thinking of others, a time for gathering with friends, and a time for taking stock of all the good things in life. In other words, it’s a perfect time for a fraudster to pounce while our guard is down, especially when shopping online.
The New Year also means renewed vigilance to online fraud. It’s not hard; a few tips are all it takes. We’ve made our list. We’ve checked it twice. Here are Visa’s easy steps to foil fraud online in 2011 and beyond:
- Secure is the cure. Learn how to tell if the site you are shopping on is secure. Only shop on sites whose addresses start with “https”. That “s” stands for “secure.” It means your personal data is protected. There are other security clues, too, like a padlock icon next to the address.
- Keep it personal. Never send personal or financial information by email or to sites you don’t know and trust.
- Inoculate to insulate. Keep anti-virus and anti-spyware software up to date. Never click a pop-up window or follow links in questionable emails. Create strong passwords.
- Free, but at a price. Free trials are rarely free. Understand all terms and conditions. Note and understand suspicious pre-checked boxes before you order online.
- Keep track. Review receipts before you hit “Submit” and regularly review your statements. Report suspicious or unauthorized charges immediately.
- Stay alert. You can sign up for email or text alerts from your bank for transactions that meet certain rules you set such as charges over a certain amount or foreign purchases.
Of course, VisaSecuritySense.com is a great resource to help you beat fraud, online or off. In addition to all the great information you will find here, there are many other great resources out there waiting to help you foil fraud:
- Visa’s “Practical Money Skills” website includes numerous tips on security in addition to its great advice on personal finance.
- The National Cyber Security Alliance is chock-a-block with tips for fraud-free shopping.
- The Federal Trade Commission offers great information about identity theft, privacy and information security.
- Better Business Bureau provides an online database of businesses that meet the BBB Code of Business Practices and display the BBB Accredited Business seal.
A new year is a perfect time for reflection and looking forward. To ensure your new year is everything you expect, learn how to beat fraud at every turn.
Have a Holly, Jolly, Fraud-free Holiday
Much has been written lately about holiday fraud. This recent post from Javelin points out some lesser-known facts, separates a few identity-theft myths from reality, and reminds us we must be extra vigilant about fraud during the holiday season.
When shopping on or off-line, buying gifts, and making a charity donation, we can all take precautions to reduce our risk of fraud. An unhappy holiday can be avoided by taking a few simple steps. For starters, you’ll find a lot of great advice right here on VisaSecuritySense. Or, click over to our Visa Viewpoints blog, which focuses frequently on matters of fraud and card security.
The basics are easy. Here are just five top tips for beating fraud and ensuring this holiday season is the best ever:
- Make a list. Review every receipt at the store before you sign.
- Check it twice. Review statements every month.
- Count your blessings and your cards. Report lost credit cards immediately.
- Naughty or nice? Don’t get “shoulder surfed” at the ATM. Protect that PIN.
- Weather outside frightful? If you’re shopping online, be on-guard. Keep security software up-to-date.
A holly, jolly, fraud-free holiday is easy, if you follow a few simple rules. This holiday season, you can rest assured that whenever you use your Visa there are multiple layers of security standing between you and fraud.
Sniffing Out a Charity Scam this Holiday Season
A devastating earthquake. A flash flood. A tender holiday plea to help a child in need. Some stories are almost beyond belief and the human tragedies are equally difficult to comprehend. Others tug at your heartstrings. But, believe it or not, there are scammers out there waiting for opportunities like these to prey on your emotions to get your personal data and steal your well-intentioned donations.
Though lots of charity, emergency relief and holiday giving websites are legitimate, many aren’t, and you need to know how to tell the difference. Even when the website is not a scam, a well-meaning donor must decide which organizations are the most efficient with their money and which are best able to respond meaningfully to the crisis at hand.
The safest and surest way to beat these web scams is to donate only to well known international relief organizations, like the Red Cross and others. However, if you find yourself considering a web donation to an organization you don’t know well, try to find out who is behind the site and carefully gauge their qualifications to solicit money.
If you can’t find out from the site who is running it, chances are that the owner is trying to hide something and it may not be legitimate. Then again, even if you determine the site’s owner, you must ask yourself if your donation is best spent with them, or with another, more qualified organization.
Regardless, all it takes is a little caution and a little research to avoid web scams altogether. To beat web scams this holiday season and beyond, you can check out the many tips available from Better Business Bureau. Other resources to identify holiday scams this year are US-Cert.gov and the Federal Trade Commission’s Charity Checklist.
Did You Order a Virus?
FedEx is warning about fraudulent e-mails claiming to be FedEx tracking messages. But instead of real shipping information, the attachment carries a nasty computer virus. Be sure to review the information from FedEx to safeguard your personal information this holiday season.
Don’t Make a Scammer’s Vish Come True
Like its sibling “phishing,” in which a fraudster uses bogus emails and websites to trick you to enter valuable personal data and credit card numbers, vishing is a new trend that uses phone calls to get such information. In fact, the word “vishing” is a combination of “voice” and “phishing.” Consumer Reports recently raised red flags about vishing—and a new variation via text messaging called “smishing”—in an article on its website.
Vishers use a recorded message system, an email, or sometimes a live person telling you there’s been an attempted fraud on your card and instructing you to call a third number to enter credit card numbers, expiration dates, personal identification numbers (PINs) and more. These calls sound legitimate, but beware: fraudsters can easily trick your caller ID to display a number that appears to be from Visa, Inc. Before you know it, your data, and soon your money, are gone.
Don’t make a scammer’s vish come true. Learn how vishing works and what to do any time a caller asks you for personal data such as social security numbers, dates of birth, credit card numbers, and more. Never give personal information to someone who calls you. Visa will never ask for your personal information, though we may call you to report suspicious activity on your account. Get an incident number, and then call back the number on your credit card, not the number the caller gives you. A few simple rules are all you need to beat vishing.
If you have received a call you believe to be vishing, please email Visa describing your experience at email@example.com. We appreciate your input sincerely. Due to the high volume of emails, Visa is unable to respond to each message individually. We do, however, investigate each claim fully to shut down fraud at the source. The Federal Trade Commission likewise provides information and a fraud-reporting form on the web at FTC.gov/phonefraud.
How to Deconstruct a Social Engineering Scam
Let’s say you are a fraudster who wants to illegally access someone’s bank account or credit card. Which do you think is easier: trying to guess the password, or getting the owner to tell it to you? The answer, surprisingly, is the latter. Winning someone’s confidence and getting them to freely tell their private information is a scam known as “social engineering” by those who practice it. And it works all too well.
Social engineering is a con, an elaborate lie in which the scammer pretends to be someone they are not to earn trust and get valuable personal information over the phone or via email. Of all the types of electronic fraud, social engineering is, perhaps, the most difficult to discern. Anyone can be a victim; in fact, there is a social engineering technique known as “whaling”—a play on “phishing”—that targets high-level corporate executives. Even CEOs have been victims—the bigger the better. Other scammers have been known to pretend to be bank or Visa employees to glean information from unwitting customers.
Regardless of the ruse, the safest, surest way to beat social engineering is to never, under any circumstances, divulge personal information over the phone or, especially, via email. Also, understand that no employee of Visa or your financial institution would ever contact you and ask for such information.
Bottom line: protect your information as if it were worth more than gold … because it is.
Protect Yourself From Online Tactics
Tired of being charged for things you didn’t think you signed up for? A tactic known as a “negative option” is sneaking into more and more online transactions.
In case you didn’t know, negative options occur when you accept an online offer, often for a free trial or product, after which you will be billed for a recurring monthly charge. Some merchants may hide these offers and charges in the fine print. Without a careful eye, you may sign up for a monthly subscription when you really thought you were getting only a free trial or a free product.
Visa, along with partners such as the Federal Trade Commission (FTC) and Better Business Bureau (BBB), has created some simple tips to help you spot deceptive free trial offers and deal with unauthorized charges.
In addition to helping you arm yourself against this practice, Visa is trying to help combat the problem on our end. We carefully monitor our payment network to identify excessive levels of reported cardholder disputes, which may signal the use of deceptive marketing practices. When we spot a problem, we require that a merchant’s bank work with the merchant to correct the problem and reduce excessive consumer disputes, or risk termination of Visa acceptance privileges. Learn more about negative options, how you can protect yourself and what we’re doing to help at www.visa.com/negativeoption.
How Not to Get Speared by Phishing
These days, almost everyone communicates with their banks, credit card companies, and other financial institutions via email. This makes the potential for electronic scamming—also known as phishing—more likely. Most phishing is random. Scammers send out emails purporting to be from a given bank or financial institution to a large group, assuming that at least a few of the recipients will be customers of that particular bank and will respond.
As the public’s knowledge of phishing has become more sophisticated, so have phishers’ techniques. They are targeting emails and getting more clever, aiming for smaller groups or, even better, at single users. It is their precision that makes these emails so deceptive, and so successful. With a new technique, known as “spear phishing,” the scammers try to determine which bank or credit card company you use before sending their bogus emails. This targeting—or “spearing”—increases the apparent legitimacy of the request, and makes the phishing a little harder to spot by the consumer.
You can beat spear phishing, however. The first rule of electronic communication is that no legitimate bank or financial institution would ever ask you to “verify” your personal information via email. If you receive a communication from your bank or financial institution that you are unsure about, you can always call the phone number on the back of your card for more information.
If you receive an email you believe to be phishing, please let Visa know by forwarding it to firstname.lastname@example.org. We appreciate your input sincerely. Due to the high volume of emails we receive, Visa cannot respond to each message individually. We do, however, fully investigate each claim to stop fraud at the source. The Anti-Phishing Working Group (APWG) also provides information on phishing at www.apwg.org.
The National Cyber Security Alliance is another great source for tips to beat phishing. You can find them online at www.staysafeonline.org.
Curbing the “Data Pass” Tactic
U.S. Senator John D. Rockefeller, IV (D-WV), recently investigated an aggressive marketing practice known as “data pass.” Here’s how it works: you check out as you usually do from a familiar retailer, but then receive an offer for a discount or reward. These offers sometimes come from a different merchant that may make an additional monthly charge that is not adequately disclosed.
Visa agrees with Senator Rockefeller that such undisclosed marketing practices should be stopped. We value our customers and their confidence in the products we provide. We think deceptive marketing practices degrade the efficiency, reliability and security of electronic payments; at the end of the day, assuring your card confidence is our top priority.
To address this issue, we require Web merchants to prompt consumers to re-enter their card information in order to accept a subsequent offer from a third-party merchant. This reentering of information works to provide a clear signal to cardholders that a second purchase is occurring. While we’re doing our part, we also hope you’ll learn more tips on how to protect yourself when shopping online (http://corporate.visa.com/media-center/press-releases/press1011.jsp).