PRIVACY & SECURITY
SECURITY / FRAUD ALERTS
We have heard from several of our members that they have received text messages from Wells Fargo Bank. These messages are FRAUDULENT and you should NOT call the number they provide you in the message. As always, if you have any questions please feel free to call us at 315-393-3530.
CELL PHONE "PORT-OUT" SCAM **
If you’re like most Americans, your cell phone is probably one of the first things you look at in the morning and one of the last things you look at at night. Imagine then, waking up to find that your phone suddenly doesn’t work, and it’s just constantly in emergency mode. For a growing number of consumers, this is the first sign that they are a victim of the port-out scam.
In the scam (also known as the “SIM-swap scam”), a fraudster tricks a cell phone carrier into transferring or porting a consumer’s legitimate phone number to a phone under the scammer’s control. Once a number is ported, all calls and text messages that are sent to that number go to the scammer’s phone. With that power, scammers are able to get around security features, like two-factor authentication, that are in place to protect consumers’ sensitive email, banking, and social media account information.
In a typical port-out scam, the fraudster will first obtain key details about their victims, such as the last four digits of a Social Security number, a phone number, name on the account, and the victim’s address--all of which are widely available on online black markets thanks to years of data breaches.
Armed with this information, the scammer then calls the victim’s wireless provider and impersonates their victim. Once the scammer establishes contact with the cell phone company, if the victim did not establish a security PIN, all the scammer needs to do is correctly confirm the last 4 digits of their victim’s Social Security number and mailing address. The scammer then asks the wireless company to port “their” number to a different phone. After the carrier switches the victim’s phone number to the fraudster’s phone, the victim’s phone will go dead, and the scammer will then use the phone in his possession to reset passwords or gain entry to accounts that use two-factor text authentication. The most common targets for these scammers are bank accounts. Once a bank account is accessed, the scammer can quickly transfer funds to an account that the scammer controls.
This scam can be financially devastating to its victims, but there are several steps you can take to prevent the scam from happening in the first place:
- Contact your carrier and ask them to add a unique personal identification number (PIN) to your account. This PIN number will need to be provided any time you wish to make a change to your account, including upgrading your cell phone. This extra layer of security will help stem any would-be scammer from running the port-out scam on your phone. The process for adding a PIN depends on your provider. See below for details on how to add an account PIN for each of the four major national wireless providers:
  - AT&T - Log into your ATT.com account, go to your profile by clicking your name, and under the wireless passcode drop down menu, click on “manage extra security.”
  - T-Mobile - Call 611 or (800) 937-8997 from your cell phone to speak with a customer service agent.
  - Sprint - Sprint automatically requires their customers to set up a PIN when an account is opened.
  - Verizon - Visit vzw.com/PIN or call (800) 922-0204.
- Always use good password hygiene. Regardless of account, choose a password that is unique, complex, and contains upper- and lower-case letters, numbers, and symbols. It is critical not to reuse passwords across multiple accounts. Otherwise, if one account becomes compromised, every account with that password can become compromised as well. For the best password security, use a password manager that creates and remembers random passwords.
- Consider alternatives to text two-factor authentication. For your most important accounts, like your online bank account, see if they allow other versions of two-factor authentication such as a security key or a third-party authenticator app like Authy.
- Be wary of suspicious emails or phone calls from people purporting to be from your bank. Remember, your bank will never ask you to enter confidential information in an email.
Despite our best efforts, fraudsters will likely still be able to pull off the port-out scam. If this happens to you, and your phone stops working, you should:
- Immediately notify your cell phone provider, and report any fraud to your bank. Quick action on your part can minimize any damage the fraudster could inflict on you. Your cell phone provider can turn off your phone number and prevent scammers from using that number to bypass two-factor text authentication. Notifying your bank the moment you notice unauthorized charges or that you are at risk for fraudulent two-factor authentication can also minimize your liability.
- File a report at Fraud.org via our secure online complaint form. We’ll share your complaint with our network of law enforcement and consumer protection agency partners who can investigate and help put fraudsters behind bars.
- File a police report at your local police station.
**Information from www.fraud.org**
If you are using a debit card to make a purchase (especially at the gas pump), DO NOT run the card as a debit with your PIN#; always choose the option to run it as Credit. We believe our area is being targeted by a group who are skimming card data and PIN#s. As always, it is important that you monitor your account balances as often as you can; our mobile app and our Card Valet app can help you with this. If anyone needs assistance setting these apps up, please stop in and we will be more than happy to help you!
Internet scam artists are moving beyond your email inbox and targeting your text messages instead. With this new scam, called “smishing,” scammers are trying to get you to send them your personal information that could help them access your bank account or other online profiles.
Here’s what you should know.
What are smishing scams?
“Smishing” scams are so named because they’re like a phishing email, except sent via SMS, the technology underlying the typical text message. They often prey on people’s panic or sense of urgency, according to Jason Hong, associate professor at Carnegie Mellon University’s Human-Computer Interaction Institute. For example, one fraudulent message might appear to be a warning from your bank about an unauthorized charge.
“That’s one of the main ways they try to trick you,” says Hong. “There’s urgency to the message. There’s something that needs your attention right now.”
How can you avoid smishing scams?
Hong says you should make sure to use different passwords for everything from your bank’s website and social media apps to your email account. Two-factor authentication and password managers like Dashlane and 1Password can also be useful. And in the hypothetical case outlined above, you should call your bank or credit card company directly to verify the alert, rather than clicking any links in suspicious text messages.
Unfortunately, there’s no foolproof way to block smishing messages entirely, says Steve Wicker, a computer engineering professor at Cornell University. Wicker says the best course of action is to be vigilant for suspicious text messages, just like you should watch out for strange emails. One tip: Look out for text messages from phone numbers that clearly appear fake or suspicious.
Why are scammers using smishing scams?
Scammers could have one of several motives, Hong says. They could be trying to steal a victim’s identity, to access their bank account, or to blackmail them into giving out personal or company secrets.
“That’s where the money is,” Hong added. “People are getting more suspicious of emails. Companies are getting better at detecting fake accounts and shutting them down. So the next easiest thing for [a scammer] to do is to go to mobile.”
Is smishing a new phenomenon?
Smishing scams have been around since as early as 2008, but experts say they are becoming more prevalent. They’re also popping up on all sorts of messaging apps, not just simple text messages.
“This is impacting all systems in the mobile arena, it’s not just limited to one system,” says William Beer, who works on cybersecurity matters for professional services firm EY, previously known as Ernst & Young. “There’s never 100% security on any app, whether they be desktop or mobile.”
*Information from Fortune.com