Security

Email Impersonation Scams

E-mail Account Compromise (EAC) and Business E-Mail Compromise (BEC) are sophisticated scams that target the general public and businesses.

In EAC scams, criminals compromise the e-mail accounts of unsuspecting victims. In many cases, a criminal first gains access to a victim’s legitimate e-mail address for reconnaissance purposes. The criminal then creates a spoofed e-mail account that closely resembles the legitimate account. The spoofed e-mail address is designed to mimic the legitimate e-mail in a way that is not readily apparent to the targeted individual. The criminal then uses either the victim’s legitimate e-mail or the spoofed e-mail address to initiate unauthorized wire transfers.

The FBI has identified approximately $14 million in attempted losses associated with open FBI EAC investigations.

Examples of the EAC scam are listed below:

Financial/Brokerage Services –

• An individual’s e-mail account is compromised by a criminal. The criminal, who is posing as the victim, sends an e-mail to the victim’s financial institution or brokerage firm requesting a wire transfer to a person or account under the control of the criminal.
• An accounting firm’s e-mail account is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.

Real Estate –

• A seller’s or buyer’s e-mail account is compromised through an EAC scam. The criminal intercepts transactions between the two parties and alters the instructions for the transfer of funds.
• A realtor’s e-mail address is used to contact an escrow company to redirect commission proceeds to a bank account associated with the criminal.
• A realtor receives a link within an e-mail from an unknown person who is requesting information related to property. When the realtor clicks on the link, the criminal is able to access the realtor’s e-mail account. The intrusion exposes client information, which the criminal then uses to e-mail the clients and attempt to change wire instructions for loan processing proceeds.

Legal –

• A criminal compromises an attorney’s e-mail account, which results in the exposure of client bank account numbers, e-mail addresses, signatures, and confidential information related to pending legal transactions.
• The attorney’s compromised e-mail account is used to send overlaid wire instructions to a client.
• A criminal compromises a client’s e-mail account and uses it to request wire transfers from trust fund and escrow accounts managed by the firm.

What to do if you believe you have been a victim of the EAC scam:

• Contact your financial institution immediately upon discovering the fraudulent transfer.
• Contact law enforcement.
• Request that your bank reach out to the financial institution where the fraudulent transfer was sent.
• File a complaint at www.IC3.gov, regardless of dollar loss. Provide any relevant information in your complaint and identify that your complaint pertains to the EAC scam.

Tips to protect yourself:

• Do not open e-mail messages or attachments from unknown individuals.
• Be cautious of clicking links within e-mails from unknown individuals.
• Be aware of small changes in e-mail addresses that mimic legitimate e-mail addresses.
• Question any changes to wire transfer instructions by contacting the associated parties through a known avenue.
• Have a two-step process in place for wire transfers. This can include verbal confirmation using a telephone number known by both parties.
• Know your customer. Be aware of your client’s typical wire transfer activity and question any variations.
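As an added illustration of the "small changes in e-mail addresses" tip above (example code, not from ABOC or the FBI), this Python check compares an incoming From: value against a constructed list of trusted contacts and flags addresses that differ only by confusable characters or a couple of edits. The contact list, the confusable-character table and the distance threshold are assumptions chosen for the demonstration.

```python
import re

# Constructed trusted-contact list for this demonstration (not real addresses).
TRUSTED = {"jane.doe@example-escrow.com", "cfo@acme-partners.com"}

# Characters and digraphs commonly substituted to make a spoofed address
# resemble a legitimate one. Assumption: this short table is illustrative only.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = (("rn", "m"), ("vv", "w"))

def extract_address(sender):
    """Pull the bare address out of 'Display Name <user@host>' and lowercase it."""
    m = re.search(r"<([^>]+)>", sender)
    return (m.group(1) if m else sender).strip().lower()

def normalize(addr):
    """Fold confusable characters so visually similar addresses compare equal."""
    addr = addr.translate(CONFUSABLES)
    for src, dst in DIGRAPHS:
        addr = addr.replace(src, dst)
    return addr

def edit_distance(a, b):
    """Levenshtein distance using a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: value."""
    addr = extract_address(sender)
    if addr in trusted:
        return "trusted"
    s_local, _, s_domain = normalize(addr).partition("@")
    for t in trusted:
        t_local, _, t_domain = normalize(t).partition("@")
        d_domain = edit_distance(s_domain, t_domain)
        d_local = edit_distance(s_local, t_local)
        # Same contact after folding, a near-miss domain, or a near-miss mailbox
        # on a trusted domain: each is the spoofing pattern described for EAC.
        if (d_domain == 0 and d_local == 0) or 0 < d_domain <= max_distance \
                or (d_domain == 0 and 0 < d_local <= max_distance):
            return "lookalike"
    return "unknown"
```

A lookalike verdict is a reason to confirm any wire instructions through a known telephone number, not proof of fraud on its own.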

Online Security

Amalgamated Bank of Chicago (ABOC) takes secure banking very seriously. Our internet banking uses secure technology to encrypt your personal information, such as User IDs, passwords, and account information, as it travels over the Internet.

We also provide visual end-user verification on our internet banking websites. Extended Validation (EV) certificates give you, the end user, a way to visually verify the security of the ABOC website before entering your online banking password or supplying answers to security questions. The EV certificate causes the secure browser’s address bar to turn GREEN when an end user accesses an EV-secured site. It also identifies the legitimate owner of the website, which in this case is Fiserv, Inc.

Because your online security is important to us at ABOC, we would like to share with you the following tips to protect yourself from online threats.

By working together, we can make your online banking experience convenient, safer and more secure.

And please remember that fraud never sleeps. It’s global, organized and tech-savvy. Whether online, by phone, through a dating website or in “You May Have Won a Free Prize” offers in your mailbox, criminals will find you.

Identity Theft and Fraud

Identity theft and electronic fraud have become common, everyday crimes. These crimes use many different methods but often have similar characteristics.

Early on, consumers received email messages that seemed legitimate but asked for updated billing or personal information. These emails were designed to gather private information, including Social Security numbers, ATM PINs, and bank account or credit card numbers. Often a link to a fraudulent website was employed. This practice became known as "phishing".

More recently, criminals have added "vishing" to their bag of tricks. With this method, consumers are asked to call a phone number. Those who call are asked for personal and financial information. The calls can be demanding and even rude.

Another method used by identity thieves is offering illegitimate opportunities to purchase attractive goods or services at reduced prices or before they are available to the general public. Often these emails are designed to obtain credit card or bank account information while the sender has no intention of delivering the goods or services purchased.

Criminals are also prone to offer you large sums of money or attractive rewards in exchange for "assistance." One common example is a person "needing help" who asks you to share your bank account number in order to "hold" large sums of money until he or she can retrieve it. In exchange, you may be promised a percentage of the deposit. The criminal will use your bank account number for fraudulent activity, but you will never receive your reward.

Amalgamated Bank of Chicago (ABOC) will never ask for your Social Security Number, ATM PIN, bank account number, User ID or password in an email.

If you receive any suspicious message from or about ABOC, or if you have a security incident related to ABOC or aboc.com, please contact us immediately at 866-440-2086. We will share the details of your event with a security specialist.

Avoid becoming a Victim

The FTC and the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group, also advise that you:


How to Report a Suspicious Incident

If you receive any suspicious message from or about Amalgamated Bank of Chicago (ABOC), or if you have a security incident related to ABOC or aboc.com, please follow these steps:

For Credit Card incidents of any kind, please call 800-365-6464

For any other security concerns, please contact us immediately at 866-440-2086. We will share the details of your event with a security specialist.

ATM Safety Tips:


SECURITY ADVISORY

KRACK: Wireless Connection Could Allow for Information Disclosure

OVERVIEW:

A security weakness known as KRACK, short for “key reinstallation attack”, was identified this week in wireless technology used worldwide. Wi-Fi Protected Access 2 (WPA2) is the current standard protocol used to secure communications between wireless access points (WAPs) and wireless devices such as mobile phones, tablets, and laptops. Successful exploitation of this weakness allows an attacker to hijack wireless connections, view internet activity, and capture sensitive information such as financial data, passwords, and emails. Armed with this information, the attacker can go on to target additional sensitive data and networks.

How Does KRACK Work?


Example:

[Figure: KRACK example]

What Does This Mean?

Mobile phones and laptops are most at risk. The following link contains additional details about the vulnerability.

Link:

https://krebsonsecurity.com/tag/krack-attack/