Email Impersonation Scams
E-mail Account Compromise (EAC) and Business E-Mail Compromise (BEC) are sophisticated scams that target the general public and businesses.
In EAC scams, criminals compromise the e-mail accounts of unsuspecting victims. In many cases, a criminal first gains access to a victim’s legitimate e-mail address for reconnaissance purposes. The criminal then creates a spoofed e-mail account that closely resembles the legitimate account. The spoofed e-mail address is designed to mimic the legitimate e-mail in a way that is not readily apparent to the targeted individual. The criminal then uses either the victim’s legitimate e-mail or the spoofed e-mail address to initiate unauthorized wire transfers.
The FBI has identified approximately $14 million in attempted losses associated with open FBI EAC investigations.
Examples of the EAC scam are listed below:
Financial/Brokerage Services –
• An individual’s e-mail account is compromised by a criminal. The criminal, who is posing as the victim, sends an e-mail to the victim’s financial institution or brokerage firm requesting a wire transfer to a person or account under the control of the criminal.
• An accounting firm’s e-mail account is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.
Real Estate –
• A seller’s or buyer’s e-mail account is compromised through an EAC scam. The criminal intercepts transactions between the two parties and alters the instructions for the transfer of funds.
• A realtor’s e-mail address is used to contact an escrow company to redirect commission proceeds to a bank account associated with the criminal.
• A realtor receives a link within an e-mail from an unknown person who is requesting information related to property. When the realtor clicks on the link, the criminal is able to access the realtor’s e-mail account. The intrusion exposes client information, which the criminal then uses to e-mail the clients and attempt to change wire instructions for loan processing proceeds.
• A criminal compromises an attorney’s e-mail account, which results in the exposure of client bank account numbers, e-mail addresses, signatures, and confidential information related to pending legal transactions.
• The attorney’s compromised e-mail account is used to send overlaid wire instructions to a client.
• A criminal compromises a client’s e-mail account and uses it to request wire transfers from trust fund and escrow accounts managed by the firm.
What to do if you believe you have been a victim of the EAC scam:
• Contact your financial institution immediately upon discovering the fraudulent transfer.
• Contact law enforcement.
• Request that your bank reach out to the financial institution where the fraudulent transfer was sent.
• File a complaint at www.IC3.gov, regardless of dollar loss. Provide any relevant information in your complaint and identify that your complaint pertains to the EAC scam.
Tips to protect yourself:
• Do not open e-mail messages or attachments from unknown individuals.
• Be cautious of clicking links within e-mails from unknown individuals.
• Be aware of small changes in e-mail addresses that mimic legitimate e-mail addresses.
• Question any changes to wire transfer instructions by contacting the associated parties through a known avenue.
• Have a dual step process in place for wire transfers. This can include verbal communication using a telephone number known by both parties.
• Know your customer. Be aware of your client’s typical wire transfer activity and question any variations.
Amalgamated Bank of Chicago (ABOC) takes secure banking very seriously. Our internet banking uses secure technology to encrypt your personal information such as User IDs, Passwords and account information over the Internet.
We also have visual end user verification on our internet banking websites. Extended Validation (EV) certificates provide you the end user a way to visually verify the security of the ABOC website before entering your online banking password or supplying answers to security questions. The EV will cause the secure browser’s address bar to turn GREEN when an end user accesses an EV secured site. It also identifies the legitimate owner of the website, which in this case is Fiserv, Inc.
Because your online security is important to us at ABOC, we would like to share with you the following tips to protect yourself from online threats.
- Keep your login credentials in a secure spot and do not share this information with anyone. If you give out your user name and password, you are putting your money at risk and you could be responsible for money you lose as a result
- Create a strong password. Use a combination of letters, numbers and special characters. Also, don’t use the same password for multiple websites
- We will automatically log you out of your secure session after a period of inactivity to help protect against others using your online accounts
- Avoid downloading files and apps from unknown sources. This includes opening attachments or clicking on links
- Only deal with secure websites. Look for “https” rather than “http” in the site’s address when logging on or providing sensitive information
- Make sure your computer and device software is up to date
- Have good antivirus software installed
- Never put your full account number, user name or password in an e-mail, even to us
- Don’t respond to suspicious or unknown emails
By working together, we can make your online banking experience convenient, safer and more secure.
And, please remember that Fraud never sleeps. It’s global, organized and tech-savvy. Whether online, by phone, through a dating website or in “You May Have Won a Free Prize” offers in your mailbox, criminals will find you.
Identity Theft and Fraud
Identity theft and electronic fraud have become common, everyday crimes. These crimes use many different methods but often have similar characteristics.
Early on consumers received email messages that seemed legitimate but asked for updated billing or personal information. These emails were designed to gather private information including: Social Security Numbers, ATM PIN, bank account or credit card numbers. Often a link to a fraudulent website was employed. This practice became known as "phishing".
More recently criminals have added "vishing" to their bag of tricks. With this method consumers are asked to call a phone number. Those who call are asked for personal and financial information. The calls can be demanding and even rude.
Another method used by identity thieves is offering illegitimate opportunities to purchase attractive goods or services at reduced prices or before they are available to the general public. Often these emails are designed to obtain credit card or bank account information while the sender has no intention of delivering the goods or services purchased.
Criminals are also prone to offer you large sums of money or attractive rewards in exchange for "assistance." One common example is a person "needing help" who asks you to share your bank account number in order to "hold" large sums of money until he or she can retrieve it. In exchange, you may be promised a percentage of the deposit. The criminal will use your bank account number for fraudulent activity, but you will never receive your reward.
Amalgamated Bank of Chicago (ABOC) will never ask for your Social Security Number, ATM PIN, bank account number, User ID or password in an email.
If you receive any suspicious message from or about ABOC, or if you have a security incident related to ABOC or aboc.com, please contact us immediately at 866-440-2086. We will share the details of your event to a security specialist.
Avoid becoming a Victim
The FTC and Privacy Rights Clearinghouse, a nonprofit consumer advocacy group, also advises that you:
- Review and verify credit card and bank statements as soon as you receive them
- Make sure the lock icon displays on the browser status bar before sending any financial information through a website. This is an indication that your information is being sent through a secure site. However, sophisticated scammers also may use encryption technology
- Watch for warning messages when you logon to or access a secure site. If you see such a warning, resist the temptation to simply click on the "OK" button. Stop using the website immediately, and contact the website owner
- Avoid filling out forms in email messages
- Report suspicious activity to the FTC
- File Internet fraud complaints with the FBI if necessary
- Visit the Federal Trade Commission (FTC) for security updates
If you receive any suspicious message from or about Amalgamated Bank of Chicago (ABOC), or if you have a security incident related to ABOC or aboc.com, please follow these steps:
For Credit Card incidents of any kind, please call 800-365-6464
For any other security concerns, please contact us immediately at 866-440-2086. We will share the details of your event to a security specialist.
ATM Safety Tips:
- Always pay close attention to the ATM and your surroundings. Don’t select an ATM at the corner of a building- a corner creates a blind spot. Use an ATM located near the center of the building. Do your automated banking in a public, well lighted location that is free of shrubbery and decorative partitions or dividers
- Maintain an awareness of your surroundings throughout the entire transaction. Be wary of people trying to help you with ATM transactions. Be aware of anyone sitting in a parked car nearby. When leaving an ATM, make sure you’re not being followed. If you are, drive immediately to a police or fire station, or to a crowded well-lighted location or business
- Do not use an ATM that appears unusual looking or offers options with which you’re not familiar or comfortable
- Do not allow people to look over your shoulder as you enter your PIN. Memorize your PIN, never write it on the back of your card. Do not reenter your PIN if the ATM eats your card-contact a bank official
- Do not wear expensive jewelry or take other valuables to the ATM. This is an added incentive to the assailant
- Never count your cash at the machine or in public. Wait until you’re in your car or another private place
- When using an ATM drive up, keep your engine running and your doors locked
- Maintain a supply of deposit envelopes at home or in your car. Prepare all transaction paperwork prior to your arrival at the ATM. This will minimize the time you spend at the machine
- Closely monitor your bank statement as well as your balance, and immediately report any problems to the bank
- If you are involved in a confrontation with an assailant who demands your money, COMPLY
KRACK: Wireless Connection Could Allow for Information Disclosure
The security weakness KRACK was identified in global wireless technology this week. KRACK stands for “key reinstallation attack”. The Wi-Fi Protected Access 2 (WPA2) is the current standard protocol used to secure communications between wireless access points (WAPs) and wireless devices. Wireless devices include mobile phones, tablets, and laptops. Successful exploitation of this weakness allows for an attacker to hijack the wireless connections, view the internet activity and capture sensitive information such as financial data, passwords, and emails. The attacker can continue the attack on additional sensitive data and networks armed with this information.
How Does KRACK Work?
- The KRACK attack requires the attacker to be physically close enough to a Wi-Fi network to perform a “man-in-the-middle” attack
- The attacker exploits the KRACK vulnerability by intercepting the series of messages between the client and access point
What Does This Mean?
Mobile phones and laptops are most at risk. The following link contain additionals details about the vulnerability.