Fraud

Here’s what you need to know about one-time password scams and how to avoid them.

What is a one-time password scam?

One-time password (OTP) scams are designed to trick individuals into sharing their OTPs, which scammers then use to gain unauthorized access to accounts. Here are the various ways these scams go down:

• Phishing scams. Here, cybercriminals send fake emails or text messages that appear to be from legitimate sources, such as credit unions or banks, online retailers, or social media platforms. These messages often contain urgent requests to verify your account or resolve an issue, prompting you to enter your OTP on a fraudulent website.
• Vishing (voice phishing). In this scam, scammers call victims pretending to be from a reputable organization, such as a bank or government agency. They may claim suspicious activity on your account and request your OTP to secure your account, exploiting your trust and urgency.
• Man-in-the-middle attacks. In this method, attackers intercept communications between you and a legitimate service provider. When you request the OTP, an attacker captures it and uses it to gain access to your account.
• Social engineering. Scammers use psychological manipulation to trick you into revealing your OTP. They may impersonate friends, family, or colleagues, convincing you that sharing the OTP is necessary for a legitimate purpose.

Whichever method is deployed in an attempt to steal your OTP, the scammer will then use it to access your accounts and possibly steal your identity

Red flags

Avoid falling victim to a one-time password scam by watching out for these red flags:

1. Unexpected requests. Be cautious of unsolicited messages or calls asking for your OTP. Legitimate organizations typically won’t ask for your OTP unless you’re actively engaged in a transaction or login process.
2. Urgency and threats. Scammers often create a sense of urgency, claiming that immediate action is required to prevent account suspension or fraud. For example, a text message allegedly sent from your financial institution may claim you have 10 seconds to input the one-time password to verify your account. This tactic can make you act without thinking.
3. Unusual sender information. Check the sender’s email address or phone number carefully. Often, scammers use addresses or numbers that are slightly altered versions of legitimate ones.
4. Suspicious links. Hover over links in emails or messages to see the actual URL before clicking. Be wary of links that don’t match the official website of the organization they’re purportedly from.
5. Generic greetings and language. Scammers often use generic greetings like “Dear Customer” to send out mass emails. Their missives also tend to have spelling or grammatical errors. Legitimate communications are usually more personalized, professional, and proofread.

Protect yourself

Staying safe from OTP scams requires vigilance and adopting best practices for online security. Here are some steps you can take:

• Never share your OTP. Treat your OTP like your password — never share it with anyone, even if they claim to be from a trusted organization.
• Verify the source. If you receive a request for your OTP, verify the legitimacy of the request by contacting the organization directly using a known and trusted communication method.
• Use multi-factor authentication (MFA). Whenever possible, enable MFA on your accounts. MFA typically involves a combination of something you know (password) and something you have (OTP), providing an additional layer of security.
• Be wary of links. Avoid clicking on links in unsolicited emails or text messages. Instead, navigate to the organization’s official website directly through your browser.
• Install security software. Use antivirus and anti-malware software on your devices to help detect and prevent phishing and other cyber threats.
• Educate yourself and others. Stay informed about the latest scam tactics and share this knowledge with friends and family, especially those who may be less tech-savvy.

If you’ve been targeted

If you believe you’ve been scammed and/or have shared your OTP, take immediate action.

First, change the passwords on all affected accounts and those that have similar login credentials. Next, inform the host organization of the account that it’s been compromised. They can help secure your account and guide you on additional steps to take. Monitor your accounts in the ensuing weeks and months, keeping a close eye on your financial statements and account activity for any unauthorized transactions. Finally, file a report with your local consumer protection agency, the Federal Trade Commission (FTC), and the Internet Crime Complaint Center (IC3).

You may also want to consider identity theft protection at this time if sensitive information was compromised.

One-time password scams can be difficult to spot and wreak massive damage. Use this guide to learn about one-time password scams and how to prevent yourself from falling victim.

Stay safe!

What is spoofing? 

Spoofing is the criminal act of disguising a communication from an unknown source to appear as if it’s being sent from a trusted and known contact. The ultimate goal of spoofing is to get the target to share their sensitive information and/or their money with the scammer. For example, a spoofer may pretend to represent a victim’s credit card company and lead them into sharing their account details.

Types of spoofing

Cybercriminals have a variety of ways to pull off their spoofing. Here are the more common forms:

1. Email spoofing

In email spoofing, an attacker sends an email message appearing to be from a known or trusted source. The emails typically include links to harmful websites or attachments that will infect the victim’s device with malware. Alternatively, the scammer may use social engineering to persuade the recipient to share sensitive information.

2. IP spoofing

In IP spoofing, an attacker tries to gain access to a system by sending messages via a bogus or spoofed IP address, which appears to be from a recognized, trusted source, such as one on the same internal computer network. The spoofed IP address will mask the true source, which is a third party that is out to infect the victim’s device with malware and steal their information.

3. Caller ID spoofing

Here, attackers make a phone call to a target that appears to be from a known caller. The scammer will often pose as the victim’s bank or credit union. The victim, believing they are speaking with a representative of their financial institution, will disclose their account information and even passwords, which can lead to the scammer emptying their accounts and/or stealing their identity. Sometimes, the scammer will provide the victim with a phone number to call, which will allegedly connect them with their bank or credit union. This number, of course, will only connect the victim to a scammer.

4. Facial spoofing

In this most recent form of spoofing, a scammer uses a photo or video of a target’s face to simulate their facial biometrics. This enables them to unlock accounts that can only be opened via facial recognition.

5. Website spoofing

In website spoofing, a scammer will create a bogus site that looks just like a reputable website that the victim often visits. Attackers will lure victims to this site for the purpose of stealing their login credentials and personal information.

6. Text-message spoofing

In this scam, also known as smishing, a victim will receive a text message on their personal device appearing to have been sent via a trusted source, such as the victim’s financial institution, place of work, or doctor’s office. The text will ask the victim to share personal information. They’ll often do so, mistakenly believing the sender of the text message to be who they claim to be.

7. Man-in-the-Middle (MitM) attacks

There are three players involved in MitM attacks: the victim, the party the victim is attempting to communicate with, and the “man in the middle”, otherwise known as the scammer who is intercepting the communications. In these spoofs, the scammer tries to eavesdrop on the interaction between the victim and the other party. Alternatively, they may try to impersonate the other party to get at the victim’s personal information.

Deepfakes and spoofing

Deepfakes is a relatively new and dangerous tool for spoofers. A deepfake is a fake image, video, or audio clip that has been edited to appear authentic. For example, a scammer may create a deepfake video using an image and audio recording of a celebrity and make it appear as if they are telling you to open a link or support a specific cause.

Scammers use deepfakes to trap victims and appear as if they represent a trusted source.

Protect yourself

Spoofing is a formidable danger for consumers across the economic spectrum, but with the right tools and knowledge, you can avoid falling victim to these scams. Here’s how to protect yourself from a spoofing attack:

• Turn on your email’s spam filter and be sure to mark incoming emails that look suspicious as spam.
• Use two-factor authentication and/or biometric logins when possible.
• Use strong, unique passwords across all of your accounts.
• Ensure your device’s security system is at its strongest setting and uses the most updated patches. If you haven’t already done so, it’s worthwhile to invest in robust security software.
• Never click on links or open attachments that are sent from an unverified source.
• Never share personal information online or over the phone with an unknown contact.
• If you’re allegedly contacted by your financial institution and asked to provide your login credentials or account details to fix a supposed issue with your account, don’t respond. Instead, delete the message or abort the call and contact your bank or credit union directly to ask about any possible issues with your account.
• Don’t take phone calls at face value, even with caller ID. If you suspect foul play, Google the phone number presented on the caller ID to see if it’s associated with scams.
• Consider an app, like Hiya, that filters out known scammers, spoofers, and other nefarious numbers.
• Opt to display file extensions in Windows. This will enable you to view any spoofed extensions so you can avoid opening malicious files.
• Identify deepfakes by looking for small details that give them away. Zoom into the image or video to verify if the words and lip movements are in sync. Look for lip color that looks unnatural, unrealistic facial hair, exaggeratedly wrinkled or smooth skin, and non-existent moles.

Red flags

Look out for these red flags that can alert you to a possible spoofing attack:

• Websites with a URL that is very similar to the URL of a reputable site.
• Websites riddled with typos, unusual syntax, and spelling errors.
• An alleged rep of your bank or credit union asks you to call a number that is not associated with your financial institution.
• You’re asked to share your login credentials or account number with an unverified contact.
• Familiar corporate branding, such as logos, colors, and call-to-action buttons within a message asking you to take an action that is not typical.

If you’ve been targeted

If you believe you’ve shared sensitive information with a scammer through a spoofing attack, there are steps you can take to mitigate the damage.

First, contact your financial institution to let them know about the attack. You may place a credit alert or a credit freeze on your accounts, making it difficult or impossible for a scammer to open a line of credit or take out a loan in your name. If you believe your identity has been stolen, check out identitytheft.gov to learn what your next step should be. Finally, change the passwords on all your accounts to protect them from further attacks.

Spoofing has gotten a lot more dangerous in recent years, but with proper awareness and basic protective measures, you can avoid getting scammed. Use the tips outlined here to stay safe.

Fortunately, with the right steps and protective measures, you can easily avoid unsafe websites. Here are six ways to tell if a website is safe and secure.

1. Look for an SSL certificate 

Secure websites like ours will have an SSL, or a Secure Sockets Layer. An SSL is a digital certificate that verifies a website is authentic and will automatically encrypt all personal information and financial data. There are two primary indicators of an SSL, both of which are easily visible in the site’s URL that’s displayed in your web browser:

• An ‘s’ after the ‘http’
• A padlock icon

It’s important to note that most browsers will hide the beginning of the URL, which generally includes these two indicators of an SSL. However, you can easily read the entire URL by copying and pasting it to another tab, a Microsoft Word document or a Google Drive doc. Some browsers will also reveal this info if you hover over the left-hand side of the URL. In addition, clicking on the padlock icon will reveal more information about the site’s security.

2. Evaluate the URL structure

Next, look at the URL carefully. Are there any misspelled words? Does the URL mimic a well-known site or retailer? Scammers will often lure victims by creating bogus sites that look like they represent well-known companies. However, careful scrutiny of the URL will reveal basic spelling errors that give the scam away. You may also find that the site, which allegedly represents a famous company, belongs to a public domain, such as Gmail or Yahoo, as opposed to a private business domain, like Amazon.com. This, too, will tell you that you’re likely looking at a scam.

3. Look for the company’s contact info

Legitimate companies are eager to have you connect with them for any reason. They’ll generally display their contact information on their home page or provide a link through which to easily access it. Scammers, on the other hand, try to keep themselves as invisible as possible. You likely won’t find any tabs that say “Contact Us” or “About Us” on their website. You may find their email address on their site, but a phone number and street address will be glaringly absent or clearly made up.

4. Check the spelling and graphics

Authentic companies will take the necessary steps to make a professional impression on visitors to their website. Scammers, on the other hand, will not. Use their carelessness to your advantage by looking out for spelling mistakes and typos throughout the site. You can also be on the lookout for cheap design elements, including images that are clearly not original and logos that are poorly created. Each of these clues can signify a scammy website.

5. Take notice of your device’s security warnings.

If you enter a site’s URL into your computer and a warning pops up to alert you that the site you’re attempting to access is not safe, do not ignore it. You can choose to advance to this site, or back out. Unless you’re absolutely sure the site is secure despite the warning, it’s best not to choose to advance to the site. Websites that are flagged by devices generally do not pass the most basic security tests as detailed above.

6. Opt out of sites that flood you with pop-ups and links

Scammy websites will try to trick you into downloading malware through pop-ups and embedded links. Sometimes, the links will be used to generate ad revenue through clicks. Whatever the intent, it’s important to know that reputable sites will not flood your screen with pop-ups and random links for you to click. If you encounter a site like this, you’re likely looking at a scam and should exit as soon as possible. Then, close your browser and have your security system run a scan on your device to find any possible vulnerabilities or safety breaches.

Don’t get stuck on an unsafe site! Use the tips here to stay safe.

Here are 6 tips for keeping your device safe and secure.

1. Keep your phone locked

If your entire life is on your phone, you run the risk of giving up complete access to your identity if your phone is stolen or misplaced. The best way to prevent this from happening is to have a lock on your screen. Opt for a physical lock if possible, such as fingerprint or face recognition; meaning no amount of automated password inputs can open your phone. Consider installing a tracking device/app on your phone as well to help you locate it and retrieve or erase the data if it gets misplaced. Finally, adjust your phone’s lock settings so the screen automatically locks after the shortest amount of time being idle.

2. Choose strong, unique passwords across all your devices and apps

Passwords should be a blend of letters with varied capitalization use, numbers and symbols. Be sure to use a different password for each of your devices, apps and other online accounts, and to change up your passwords approximately every six months. Don’t store the info for all your passwords in one location on your phone or have your device “remember” your passwords. If you find it challenging to recall all your passwords and login credentials, you may benefit from a password manager like Sticky Password or LastPass.

3. Browse safely

Follow these rules for safe online browsing:

• Look for the padlock icon and the “s” after the “http” in the URL of each landing page you visit to ensure it’s a secure site.
• Never share your personally identifiable information (PII) with an unknown contact.
• If an alleged representative of SRI Federal Credit Union reaches out to you regarding an issue with your account and you’re unsure of whether this contact is legit, reach out to us directly through a secure channel to confirm your suspicions.
• Don’t store your credit card info in online shopping accounts.
• Keep your security settings current.
• Avoid clicking on pop-up ads or links in emails from unverified senders.

4. Use secure Wi-Fi

The first thing many people do when they sit down in a restaurant, at a bar, or almost anywhere, is search for free Wi-Fi access. It’s an easy way to save on data, so why not? Simply put, using public Wi-Fi makes you vulnerable to hacking. It’s best not to use public Wi-Fi at all, especially when banking online. To keep your device safe while using public Wi-Fi, connect to a virtual private network (VPN). Changing your virtual network will protect your location and sensitive information from scammers. In addition, be sure to keep your own Wi-Fi locked to prevent strangers from accessing your network.

5. Encrypt your data

Your phone stores loads of your PII, which can make you vulnerable to identity theft if it’s stolen or misplaced. Protect your information by encrypting all sensitive data on your phone. Most phones have encryption settings, which you can enable easily.

To encrypt data on an Apple device,  go to the settings menu, choose “Touch ID & Passcode” from the pop-up menu and follow the prompts to unlock your phone. When you’ve gained access, scroll down until you see the words “Data Protection”. If this feature is not enabled, enable it now. Your data is now unreadable.

If you own an Android phone, charge your phone at least 80% and unroot it. Next, go to your security settings and choose “Encrypt Phone” from the menu. Encryption may take an hour or more.

6. Install antivirus software on your phone 

The same antivirus programs that protect your laptop can also keep your phone secure. Check out security programs for phones, like McAfee or Norton 360. Antivirus software will provide your phone with protection from security breaches and attacks from scammers.

If you believe your device has been compromised, and/or you’re vulnerable to identity theft, notify SRI Federal Credit Union immediately. Alert the FTC as well.

Smartphones bring a lot of convenience into our lives, but they carry an inherent security risk. Use the tips outlined here to keep your device safe from fraud.