Security Threats & Fraud
Below are security issues and fraud attempts recorded by our Customer Information Center or reported by other financial institutions and government agencies. If you recognize the fraud and suspect you’ve been a victim, follow the instructions in the summary.
We’re encouraging customers to be extra careful when using USPS collection boxes.
Several communities around Greater Boston have reported instances of “mailbox fishing” in recent months, in which criminals lower sticky objects into blue USPS mailboxes and pull out the contents. The criminals are looking for envelopes containing checks, such as utility bills. The criminals alter the payee and amount on the checks, and cash them. Since the checks still bear the original payer’s signature, they appear legitimate. The criminal can also use the check information to create even more fraudulent payments.
To combat mailbox fishing, the postal service has begun replacing older mailboxes in Massachusetts with newer, more secure ones with thin slot openings. If these aren’t available in your area, we encourage you to take the following precautions to reduce your risk:
- Make a Secure Handoff: Give your mail directly to a postal worker, or use the drop slot inside the postal building.
- Don’t Leave Your Mail in a Collection Box Overnight: If you’ve missed the last collection time of the day, don’t drop your mail in a collection box to be left overnight. Keep it until the next day.
- Use Felt-Tip Pen on Checks: Avoid writing out checks with a ballpoint pen, as they can be altered more easily.
- Inspect for Tampering: Don’t use a collection box if you notice glue or sticky substances near the slot, or other signs of tampering.
- Consider Using Online Bill Pay: Paying your bills electronically using a secure, online bill pay platform eliminates the risk of sending paper checks entirely. Similarly, you can send money to friends and family using a secure P2P payment platform, such as Popmoney.
We recently contributed an article to the Canton Citizen newspaper about another Grandparent Scam attempt that targeted one of our elderly customers in November 2018. It almost succeeded – but our alert staff spotted the warning signs, and foiled the attempt with the help of the local police.
A Grandparent Scam is a form of fraud in which a scammer contacts an elderly parent or grandparent with a fictitious story that their relative is in trouble and requires money right away – usually just under $10,000. The article about the November 2018 incident provides more detail about Grandparent Scams and how to spot them.
We encourage our elderly customers to learn the signs of this kind of fraud, and to listen to their bankers if they express concern about a customer’s safety. Oftentimes, a banker will know how to quickly verify urgent requests for money, to make sure the request is legitimate before making a transfer.
If you receive an unexpected, urgent request for money to help your relative, it could be a scam attempt. Ask your banker if they can help you confirm the request is real before sending any money, or call us at 888-828-1690.
The FBI’s Internet Crime Complaint Center (IC3) is warning businesses and consumers of a “payroll diversion” scam that redirects employees’ electronic paychecks into cybercriminals’ accounts.
How it works: first, the cybercriminal gains access to an employee’s payroll account by using phishing techniques that lead the victim to a lookalike payroll website, where the employee is asked to enter their login ID and password. The cybercriminal then harvests the login credentials, uses them to gain access to the employee’s payroll information on the real payroll website, and shuts off any alerts or notifications. The criminal then changes the employee’s direct deposit information, so that the employee’s next paycheck is deposited in the cybercriminal’s account.
Consumers with direct deposit should watch for signs of phishing in unexpected emails coming from their employer with payroll-related instructions. Is the email suspicious in any way? Is the sender’s email address correct? Is the URL you’re being asked to visit the correct URL for your company’s payroll? If you receive an email that might not be authentic, call your Human Resources or I.T. department.
Business owners & human resources personnel can help keep their company and employees safe by reminding them of these precautionary tactics, and also:
- Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any email.
- Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
- Apply heightened scrutiny to bank information initiated by employees seeking to update or change direct deposit credentials.
- Monitor employee logins that occur outside normal business hours.
Read the full bulletin on the IC3’s website.
If you or your company encounters a payroll diversion scam, report the information to your local FBI field office, and file a complaint with the IC3 at www.ic3.gov.
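For payroll administrators, the monitoring advice above can be expressed as a log check. The following Python is an added example, not part of the IC3 bulletin or any payroll product: it reviews each direct deposit change and raises its priority when it follows a login outside business hours or a change that turned off alerts. The event names, the 08:00 to 18:00 weekday business hours, the 24-hour window, and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions (not from the bulletin): business hours, correlation window,
# and the event names of this hypothetical payroll audit log.
BUSINESS_START, BUSINESS_END = 8, 18          # 08:00-17:59 local time, Mon-Fri
WINDOW = timedelta(hours=24)

# Constructed sample events: (timestamp, user, action)
SAMPLE_EVENTS = [
    ("2024-03-04 09:15", "asmith", "login"),
    ("2024-03-04 09:20", "asmith", "direct_deposit_changed"),
    ("2024-03-05 02:41", "bjones", "login"),
    ("2024-03-05 02:43", "bjones", "alerts_disabled"),
    ("2024-03-05 02:47", "bjones", "direct_deposit_changed"),
    ("2024-03-09 14:05", "cdiaz", "login"),      # a Saturday
    ("2024-03-09 14:30", "cdiaz", "direct_deposit_changed"),
]

def outside_business_hours(ts):
    """True on weekends or before/after the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def flag_payroll_changes(events):
    """Return one finding per direct deposit change, with reasons for review."""
    last_login, last_alert_off, findings = {}, {}, []
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), u, a)
                    for t, u, a in events)
    for ts, user, action in parsed:
        if action == "login":
            last_login[user] = ts
        elif action == "alerts_disabled":
            last_alert_off[user] = ts
        elif action == "direct_deposit_changed":
            reasons = []
            login = last_login.get(user)
            if login and ts - login <= WINDOW and outside_business_hours(login):
                reasons.append("login outside business hours")
            off = last_alert_off.get(user)
            if off and ts - off <= WINDOW:
                reasons.append("alerts disabled before change")
            # Every change is still verified with the employee; reasons raise priority.
            priority = "high" if len(reasons) == 2 else "elevated" if reasons else "routine"
            findings.append({"user": user, "time": ts,
                             "priority": priority, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_payroll_changes(SAMPLE_EVENTS):
        print(f["time"], f["user"], f["priority"], "; ".join(f["reasons"]) or "-")
```

A "high" finding matches the full sequence described in the bulletin; confirm it with the employee by phone or in person before the next payroll run.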
Bank of Canton customers should exercise extreme caution if they receive unsolicited “tech support” offers by phone or by pop-up message on their computer.
We recently assisted a Bank of Canton customer who was contacted by a scammer posing as a technical support agent. The scammer informed him that his computer had a virus or malware and needed to be repaired immediately. The scammer then took control of his computer remotely, and began perpetrating financial fraud. Fortunately, our customer contacted us and the police when he suspected trouble, and the damage was limited.
If you receive an unexpected warning about your computer with an urgent request to contact tech support, the Federal Trade Commission recommends you take the following steps:
- If you get an unexpected or urgent call from someone who claims to be tech support from Microsoft, Apple, or other well-known technology company, hang up. Even if the Caller ID suggests the call is coming from a legitimate source, do not trust it – criminals can manipulate Caller ID display information.
- If you get a pop-up message that tells you to call tech support, do not call the number. If you have legitimate security software on your computer, it may generate pop-up messages about the health of your computer from time to time. However, it is extremely unlikely that the software would ever ask you to call the manufacturer to fix an issue.
- If you are unsure whether a pop-up message is legitimate or not, contact your security software manufacturer by using a phone number from the purchase receipt, packaging, or the software company’s website. Do not dial the number on the pop-up message.
- Never reveal your passwords or grant remote access to your computer to any person or company who contacts you unexpectedly.
The FTC’s Tech Support Scams webpage offers additional information about how the scam is perpetrated and what to do if you’ve been a victim.
Recently a Bank of Canton customer nearly lost thousands of dollars in an apparent “grandparent scam” attempt.
A grandparent scam is a form of fraud in which a scammer contacts an elderly grandparent with a fictitious story that their grandchild is in trouble. The scammer may claim that the grandchild was injured, robbed or arrested, and needs money immediately. Sadly, the scammer may even be a relative or family member.
In this case, the customer withdrew thousands of dollars in cash because her granddaughter had called to tell her she was in jail in another state and needed the money. Our staff recognized the warning signs and, with the help of local law enforcement, intervened in time to prevent the fraud.
Please be cautious if you receive unexpected information about your family members from a third party who demands cash or other forms of payment to resolve an issue. Always verify this information with another trusted source before taking any action.
If you are unsure whether an unexpected, urgent request for money is a scam attempt, contact the bank to find out your options. Working together, we can help keep you safe from fraud.
UPDATE: As of September 21, 2018, instituting a credit freeze/unfreeze is now free of charge at all three major credit bureaus. Additionally, the duration of a fraud alert has increased from 90 days to one year.
Equifax, one of the three major credit bureaus, experienced a massive data breach in May and June. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.
If you have a credit file, it is safest to assume that your information was compromised. It’s recommended that you take steps to protect yourself and monitor your personal information:
- Monitor your credit reports. You can order a free copy of your credit report from all three of the major credit bureaus (TransUnion, Equifax, and Experian) at https://www.annualcreditreport.com. You are entitled to download one free report from each of the bureaus once per year. You may want to stagger your free downloads so you receive a free report from one of the bureaus every four months.
- Monitor your bank accounts. Monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on account activity. If you notice anything suspicious or unfamiliar, call us immediately at 888-828-1690.
- Consider a fraud alert or credit freeze. A fraud alert puts a red flag on your credit report, which signals to creditors that they should take additional security steps (such as contacting you by phone) before opening a new line of credit. Fraud alerts are free and last for 90 days, and can be renewed. A credit freeze, on the other hand, prevents creditors from accessing your credit information altogether, which would strongly discourage or prevent them from issuing a new line of credit in your name. Unlike a fraud alert, a credit freeze does not expire; it can only be lifted (or “thawed”) with a special PIN the bureau will assign you if/when you want to grant a potential creditor access to your credit file. Placing and lifting a freeze may cost a small fee at each bureau. To determine whether a fraud alert or credit freeze is right for you, consider your personal situation and credit needs. The merits of each approach are thoroughly covered by security expert Brian Krebs on his KrebsOnSecurity website. If you decide you want to put a freeze on your credit file, contact the credit bureaus:
  - Equifax: 800-349-9960 | Equifax Security Freeze Website
  - Experian: 888-397-3742 | Experian Security Freeze Center
  - TransUnion: 888-909-8872 | TransUnion State Security Freeze
- Consider enrolling in a credit monitoring/protection service. There are many providers that offer credit monitoring services. Equifax is offering one year of free credit monitoring and other services; you can sign up at https://www.equifaxsecurity2017.com/.
- Finally, watch out for scams related to the breach. Do not trust emails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing emails.
You can learn more about the breach by visiting the FTC’s web page on the Equifax breach, KrebsOnSecurity, or directly from Equifax. To learn more about how to protect yourself after a breach, visit the resources at IdentityTheft.gov.
The IRS recently issued a Summertime Scams press release that warned about several tax-related scams, including these:
- Electronic Federal Tax Payment System (EFTPS) Scam: The scammer poses as an IRS official and informs the taxpayer that they owe tax and face arrest unless immediate payment is made by loading a prepaid debit card linked to the EFTPS (but which the scammer actually owns).
- Robocalls: Taxpayers receive a prerecorded “robocall” threatening arrest unless an immediate call back is made to the IRS. Similar to the EFTPS scam above, the scammer informs them that tax is owed and payment must be made immediately by wire transfer or by loading a prepaid debit card (that the scammer actually owns).
- Private Debt Collection Scam: The scammer poses as a debt collector working with the IRS to recover a payment owed by the taxpayer. However, the few taxpayers who would be contacted by a legitimate, IRS-contracted collector have known about their debt for years.
- Limited English Proficiency Scams: Like the scams above, the scammer informs the taxpayer (often speaking in their native language) that they must make an immediate tax payment via prepaid debit card, gift card, or wire transfer, or else face deportation, police arrest and license revocation, among other things.
If you suspect you are talking to a scammer, hang up immediately. Do not give out any information. Report the call on the IRS Impersonation Scam Reporting web page (or call 800-366-4484) and on the FTC Complaint Assistant web page (use “IRS Telephone Scam” in the notes).
Remember, the IRS will never call and demand immediate payment via a specific payment method (such as a prepaid debit card, gift card or wire transfer). The IRS will not threaten to immediately arrest you for not paying, nor will they ask for credit or debit card numbers over the phone. Visit “How to know it’s really the IRS calling or knocking on your door” for more information.
Bank of Canton is advising customers to be watchful for a variety of dangerous scams that are perpetrated during tax season.
The IRS recently released its 2017 “Dirty Dozen” list of tax scams, and the top three are very well covered by Thomas J. Duffy, Chair of the Multi-State Information Sharing & Analysis Center™, in his piece, “Staying Safe from Tax Scams.”
To keep yourself safe during tax season (and beyond), Duffy’s key points include:
- File early! Falsely filed tax returns are best prevented by you filing before the would-be criminal. Try to file as soon as the last of your required filing forms is available.
- Avoid clicking links in emails appearing to be from government tax agencies, or financial providers. Instead, type the organization’s website into your browser’s address bar. If something seems suspicious, contact the organization using contact methods listed on their website; don’t use the contact methods contained in the email. And never reply to emails or texts asking for personal or financial information.
- Beware of calls/emails/texts from supposed tax preparers or officials who request personal or financial information from you, or inform you that you owe money that needs to be paid immediately by credit or debit card. Some may even request less common payment methods like wire transfers and gift cards.
If you suspect you’ve received a fraudulent email, forward it to email@example.com. Other forms of tax fraud activity can be reported on the IRS’s website. And as always, if you suspect you’ve been a victim of fraud or identity theft, visit www.identitytheft.gov immediately for step-by-step instructions on security measures you should take.
Some customers have recently reported unauthorized, out-of-state transactions taking place on their Bank of Canton debit cards. To protect our customers, we are currently blocking all ATM withdrawals in New York state.
If you are traveling to New York and may require ATM access there, please complete and return a Travel Maintenance Form to have this block lifted for your card(s).
We are also strongly encouraging all of our customers to review recent account activity for any suspicious transactions. Please report any transactions that you do not recognize at once.
The security of our customers’ information and accounts is our utmost concern. We apologize for the inconvenience this ATM block may cause, and we appreciate your understanding. You are welcome to contact us with any questions.
Business E-mail Compromise (BEC) is a sophisticated & growing scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Between December 2015 and March 2016, the FBI tracked 44 fraudulent wire transfers resulting from BEC totaling $75,657,487. The largest attempted wire transfer was over $19.8 million.
The BEC scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized wire transfers. The majority of the fraudulent wire transfers are destined for banks in Mainland China and Hong Kong.
To protect themselves against BEC, businesses should:
- Scrutinize all e-mail requests for wire transfers to determine if the requests are out of the ordinary.
- Confirm wire transfer instructions with the requester (especially when the requester is out of the office) using an alternate, previously established communication avenue.
- Question any variations to typical business practices and wire transfer activity, such as a current business contact suddenly asking to be contacted via their personal e-mail address when all previous official correspondence has been through a company e-mail address.
- Require multiple approval authorities, and establish this procedure in a way that would be difficult for fraudsters to discover.
Read more about this scam & how to protect your business on the FBI’s Internet Crime Complaint Center (IC3) website.