Customer Alerts

Security Threats & Fraud

Below are security issues and fraud attempts recorded by our Customer Information Center or reported by other financial institutions and government agencies. If you recognize the fraud and suspect you’ve been a victim, follow the instructions in the summary.

Recent Activity

The following scenario was excerpted from an article we contributed recently to the Canton Citizen newspaper’s annual “Financial Fitness” edition.

“Man-in-the-middle” business fraud can occur when criminals compromise a supplier’s systems. Communications between you and your supplier are intercepted, read, and possibly changed by a criminal before they reach the intended recipient.

Try to spot the fraud tip-off in the example below:

You receive an email with an invoice for $60,000. The email is from a known and trusted supplier that just provided $60,000 worth of services. Moments later, a second email from the same sender and address arrives, stating that they accidentally provided their old remittance instructions; they recently updated their Accounts Receivable form and request that you use their new attached form instead, which lists a different bank and account number. They apologize for the mix-up and sign off like they normally do.

The supplier is legitimate; the invoice amount is legitimate; the sender’s name and email address are legitimate.

That’s the problem – there is no clear tip-off. Under these circumstances, it’s easy to see how a business could send a wire transfer or ACH payment to the criminal’s bank account. Everything looks legitimate, and the pretense of having accidentally attached the wrong form is perfectly plausible.

Only procedural controls can prevent a man-in-the-middle fraud like this. Businesses can protect themselves by adopting accounting practices that require verbal confirmation for any changes to suppliers’ payment remittance information, including a trusted phone number and authentication questions.

The following scenario was excerpted from an article we contributed recently to the Canton Citizen newspaper’s annual “Financial Fitness” edition.

Bank impersonation scams also pose a serious threat. Last month, we notified our business customers about a recent scam targeting Paycheck Protection Program (PPP) loan borrowers. Although no Bank of Canton customers have reported being impacted, we learned from a cybersecurity watchdog group that scammers were referencing government-published PPP loan information and contacting the listed businesses, posing as their PPP lender (and presumed primary bank). A typical scenario:

You’re contacted unexpectedly by your bank, and informed there’s an urgent problem with your account (e.g., a wire transfer, payment or payroll problem). To fix the problem, they ask you for your online banking User ID, perhaps adding that it’s “just a security precaution” or “just to verify your identity.” Then they send you a security code. When it arrives, they ask you to tell them the code. (In reality, the scammer has initiated the “Forgot Password?” process for your online banking User ID, and the code they’re asking for is the password reset verification code that gets sent to your phone.) Armed with your User ID and verification code, the criminal resets your password and locks you out of online banking. They now have complete access to your accounts. You might be told that you won’t be able to access online banking “while they are fixing the problem,” but they are just buying time while transferring money out of your account.

Businesses can protect themselves from this scam and others by following these guidelines:

  • Never share account information, login credentials, or validation code texts with anyone. Banks will never ask for these.
  • Never allow remote access to your computer or mobile device to anyone who contacts you unexpectedly.
  • If you’re the slightest bit uncertain about the authenticity of someone you’re communicating with, or feel pressured to act immediately, stop the communication and contact the organization using a publicly available phone number. Do not use the contact information the other person gives you.

Fraud Alert Scams

Recently, there has been an increase in Fraud Alert Scam attempts in our area. That’s why we’re asking you to beware of unexpected text messages and calls about supposed fraudulent activity on your account or debit card – even if the sender/caller appears to be from Bank of Canton.

You may be asked for your debit card or account number, passcodes, or login credentials “for security purposes” or “to verify your identity” to resolve the situation. That’s how you can tell it’s a scam: Bank of Canton will never ask you for account numbers, card numbers, verification codes, or login information.

Fraudsters can spoof the bank’s phone number on your Caller ID display, and impersonate customer service agents very convincingly. But they will ask you to provide information that a real Bank of Canton employee would never ask for.

What to Do if You Are Texted or Called

If this happens to you, delete the text without responding and/or end the call immediately. Never share your personal information, account information, or any validation code texts with anyone else.

If you are unsure whether a call/email/text might be a scam, stop communicating with the other party and call us using your phone’s keypad (not a link) at 888-828-1690 to verify the situation. We’ll always be happy to help you.

Security Resources

You can read a 2022 public service announcement from the FBI to learn more about Fraud Alert Scams. You can find a variety of other security resources on our website, including tips and information about phishing, identity theft, cybersecurity and more, plus links to SANS Institute newsletters and security-focused organizations and agencies.

Working together, we can help keep your accounts and information safe.

The following stories are excerpted from an article we contributed recently to the Canton Citizen newspaper’s annual “Financial Fitness” edition.

A customer received an email about an “outstanding balance” with an antivirus provider. He called the customer service number in the email, and the antivirus representative who answered requested remote access to the individual’s cell phone to resolve the issue. Once that access was granted, the representative had full access to the individual’s phone, including stored passwords and financial information. The end result: fraudulent gift card purchases of more than $1,000.

Another individual’s fake antivirus experience was more complex. She received a text alert about her computer being involved in fraud. She was put in touch with a Federal Trade Commission agent, who requested remote access to her desktop in order to put $9,000 of traceable “bait money” into her checking account to help catch the criminals behind the fraud. The agent then instructed the individual to transfer the $9,000 to the fraudsters’ Bitcoin address. But it was all a scam, and the $9,000 turned out to be the individual’s own money from another bank account. Once it was transferred to the Bitcoin address, it was gone.

If you find yourself in an unexpected situation involving requests for money or computer access, remember:

  • Don’t allow remote access to your computer or mobile device.
  • Don’t send money via Bitcoin or purchase gift cards on anyone else’s behalf.
  • Don’t share a texted verification code so that someone else can access your account.
  • The police or government will never seek your involvement in a criminal investigation.
  • If you’re the slightest bit uncertain about the authenticity of someone you’re communicating with, stop communicating and contact the organization using a publicly available phone number or email address. Do not use the contact information the other person gives you.

And finally, please listen to your banker if they raise concerns about a transaction you want to make. We see (and stop) several fraud attempts every year; we’re trained to spot the warning signs. And you can always ask us for advice if you’re not sure.

Please remember these tips, and help us help you keep your money safe.

We’re encouraging customers to be extra careful when using USPS collection boxes.

Several communities around Greater Boston have reported instances of “mailbox fishing” in recent months, in which criminals lower sticky objects into blue USPS mailboxes and pull out the contents. The criminals are looking for envelopes containing checks, such as utility bills. The criminals alter the payee and amount on the checks, and cash them. Since the checks still bear the original payer’s signature, they appear legitimate. The criminal can also use the check information to create even more fraudulent payments.

To combat mailbox fishing, the postal service has begun replacing older mailboxes in Massachusetts with newer, more secure ones with thin slot openings. If these aren’t available in your area, we encourage you to take the following precautions to reduce your risk:

  • Make a Secure Handoff: Give your mail directly to a postal worker, or use the drop slot inside the postal building.
  • Don’t Leave Your Mail in a Collection Box Overnight: If you’ve missed the last collection time of the day, don’t drop your mail in a collection box to be left overnight. Keep it until the next day.
  • Use Felt-Tip Pen on Checks: Avoid writing out checks with a ballpoint pen, as they can be altered more easily.
  • Inspect for Tampering: Don’t use a collection box if you notice glue or sticky substances near the slot, or other signs of tampering.
  • Consider Using Online Bill Pay: Paying your bills electronically using a secure, online bill pay platform eliminates the risk of sending paper checks entirely. Similarly, you can send money to friends and family using a secure payment platform, such as Zelle®.

We recently contributed an article to the Canton Citizen newspaper about another Grandparent Scam attempt that targeted one of our elderly customers in November 2018. It almost succeeded – but our alert staff spotted the warning signs, and foiled the attempt with the help of the local police.

A Grandparent Scam is a form of fraud in which a scammer contacts an elderly parent or grandparent with a fictitious story that their relative is in trouble and requires money right away – usually just under $10,000. The article about the November 2018 incident provides more detail about Grandparent Scams and how to spot them.

We encourage our elderly customers to learn the signs of this kind of fraud, and to listen to your banker if they express concern about your safety. Oftentimes, your banker will know how to quickly verify urgent requests for money, to make sure the request is legitimate before making a transfer.

If you receive an unexpected, urgent request for money to help your relative, it could be a scam attempt. Ask your banker if they can help you confirm the request is real before sending any money, or call us at 888-828-1690.

The FBI’s Internet Crime Complaint Center (IC3) is warning businesses and consumers of a “payroll diversion” scam that redirects employees’ electronic paychecks into cybercriminals’ accounts.

How it works: first, the cybercriminal gains access to an employee’s payroll account by using phishing techniques that lead the victim to a lookalike payroll website, where the employee is asked to enter their login ID and password. The cybercriminal then harvests the login credentials, uses them to gain access to the employee’s payroll information on the real payroll website, and shuts off any alerts or notifications. The criminal then changes the employee’s direct deposit information, so that the employee’s next paycheck is deposited in the cybercriminal’s account.

Consumers with direct deposit should watch for signs of phishing in unexpected emails coming from their employer with payroll-related instructions. Is the email suspicious in any way? Is the sender’s email address correct? Is the URL you’re being asked to visit the correct URL for your company’s payroll? If you receive an email that might not be authentic, call your Human Resources or I.T. department.

Business owners & human resources personnel can help keep their company and employees safe by reminding them of these precautionary tactics, and also:

  • Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any email.
  • Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
  • Apply heightened scrutiny to bank information initiated by employees seeking to update or change direct deposit credentials.
  • Monitor employee logins that occur outside normal business hours.
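
For teams that can export payroll audit logs, the sequence described above (login, alerts shut off, direct deposit changed) can be checked automatically. The following is an added example, not code from the bank or the IC3 bulletin; the log format, action names, business hours and 24-hour look-back window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format and action names,
# not taken from any real payroll product): ISO timestamp, employee ID, action.
SAMPLE_EVENTS = """\
2024-03-04T09:12:00 e1001 login
2024-03-04T09:20:00 e1001 direct_deposit_changed
2024-03-05T02:41:00 e2002 login
2024-03-05T02:43:00 e2002 notifications_disabled
2024-03-05T02:47:00 e2002 direct_deposit_changed
2024-03-06T14:05:00 e3003 login
2024-03-06T14:06:00 e3003 notifications_disabled
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59, Monday to Friday
LOOKBACK = timedelta(hours=24)  # assumption: how far back to look before a change


def parse_events(text):
    """Turn 'timestamp user action' lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action = line.split()
            events.append((datetime.fromisoformat(ts), user, action))
    return sorted(events)


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def review_queue(events):
    """Queue every direct deposit change for review; raise the priority when
    the same account logged in off-hours or turned off notifications first."""
    history = {}   # user -> earlier (timestamp, action) pairs
    findings = []
    for ts, user, action in events:
        earlier = history.setdefault(user, [])
        if action == "direct_deposit_changed":
            recent = [(t, a) for t, a in earlier if ts - t <= LOOKBACK]
            reasons = []
            if any(a == "login" and is_off_hours(t) for t, a in recent):
                reasons.append("off-hours login")
            if any(a == "notifications_disabled" for t, a in recent):
                reasons.append("notifications disabled")
            findings.append({
                "user": user,
                "time": ts.isoformat(),
                "priority": "high" if reasons else "routine",
                "reasons": reasons,
            })
        earlier.append((ts, action))
    return findings


if __name__ == "__main__":
    for finding in review_queue(parse_events(SAMPLE_EVENTS)):
        print(finding)
```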

Read the full bulletin on the IC3’s website.

If you or your company encounters a payroll diversion scam, report the information to your local FBI field office, and file a complaint with the IC3 at www.ic3.gov.

Bank of Canton customers should exercise extreme caution if they receive unsolicited “tech support” offers by phone or by pop-up message on their computer.

We recently assisted a Bank of Canton customer who was contacted by a scammer posing as a technical support agent. The scammer informed him that his computer had a virus or malware and needed to be repaired immediately. The scammer then took control of his computer remotely, and began perpetrating financial fraud. Fortunately, our customer contacted us and the police when he suspected trouble, and the damage was limited.

If you receive an unexpected warning about your computer with an urgent request to contact tech support, the Federal Trade Commission recommends you take the following steps:

  • If you get an unexpected or urgent call from someone who claims to be tech support from Microsoft, Apple, or another well-known technology company, hang up. Even if the Caller ID suggests the call is coming from a legitimate source, do not trust it – criminals can manipulate Caller ID display information.
  • If you get a pop-up message that tells you to call tech support, do not call the number. If you have legitimate security software on your computer, it may generate pop-up messages about the health of your computer from time to time. However, it is extremely unlikely that the software would ever ask you to call the manufacturer to fix an issue.
  • If you are unsure whether a pop-up message is legitimate or not, contact your security software manufacturer by using a phone number from the purchase receipt, packaging, or the software company’s website. Do not dial the number on the pop-up message.
  • Never reveal your passwords or grant remote access to your computer to any person or company who contacts you unexpectedly.

The FTC’s Tech Support Scams webpage offers additional information about how the scam is perpetrated and what to do if you’ve been a victim.

Recently a Bank of Canton customer nearly lost thousands of dollars in an apparent “grandparent scam” attempt.

A grandparent scam is a form of fraud in which a scammer contacts an elderly grandparent with a fictitious story that their grandchild is in trouble. The scammer may claim that the grandchild was injured, robbed or arrested, and needs money immediately. Sadly, the scammer may even be a relative or family member.

In this case, the customer withdrew thousands of dollars in cash because her granddaughter had called to tell her she was in jail in another state and needed the money. Our staff recognized the warning signs and, with the help of local law enforcement, intervened in time to prevent the fraud.

Please be cautious if you receive unexpected information about your family members from a third party who demands cash or other forms of payment to resolve an issue. Always verify this information with another trusted source before taking any action.

If you are unsure whether an unexpected, urgent request for money is a scam attempt, contact the bank to find out your options. Working together, we can help keep you safe from fraud.

UPDATE: As of September 21, 2018, instituting a credit freeze/unfreeze is now free of charge at all three major credit bureaus. Additionally, the duration of a fraud alert has increased from 90 days to one year.


Equifax, one of the three major credit bureaus, experienced a massive data breach in May and June. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.

If you have a credit file, it is safest to assume that your information was compromised. It’s recommended that you take steps to protect yourself and monitor your personal information:

  • Monitor your credit reports. You can order a free copy of your credit report from all three of the major credit bureaus (TransUnion, Equifax, and Experian) at https://www.annualcreditreport.com. You are entitled to download one free report from each of the bureaus once per year. You may want to stagger your free downloads so you receive a free report from one of the bureaus every four months.
  • Monitor your bank accounts. Monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on account activity. If you notice anything suspicious or unfamiliar, call us immediately at 888-828-1690.
  • Consider a fraud alert or credit freeze. A fraud alert puts a red flag on your credit report, which signals to creditors that they should take additional security steps (such as contacting you by phone) before opening a new line of credit. Fraud alerts are free and last for 90 days, and can be renewed. A credit freeze, on the other hand, prevents creditors from accessing your credit information altogether, which would strongly discourage or prevent them from issuing a new line of credit in your name. Unlike a fraud alert, a credit freeze does not expire; it can only be lifted (or “thawed”) with a special PIN the bureau will assign you if/when you want to grant a potential creditor access to your credit file. Placing and lifting a freeze may cost a small fee at each bureau. To determine whether a fraud alert or credit freeze is right for you, consider your personal situation and credit needs. The merits of each approach are thoroughly covered by security expert Brian Krebs on his KrebsOnSecurity website. If you decide you want to put a freeze on your credit file, contact the credit bureaus:
    Equifax: 800-349-9960 | Equifax Security Freeze
    Experian: 888-397-3742 | Experian Security Freeze Center
    TransUnion: 888-909-8872 | TransUnion State Security Freeze
  • Consider enrolling in a credit monitoring/protection service. There are many providers that offer credit monitoring services. Equifax is offering one year of free credit monitoring and other services; you can sign up at https://www.equifaxsecurity2017.com/.
  • Finally, watch out for scams related to the breach. Do not trust emails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing emails.

Additional Resources

You can learn more about the breach by visiting the FTC’s web page on the Equifax breach, KrebsOnSecurity, or directly from Equifax. To learn more about how to protect yourself after a breach, visit the resources at IdentityTheft.gov.