Fraud

What is spoofing? 

Spoofing is the criminal act of disguising a communication from an unknown source to appear as if it’s being sent from a trusted and known contact. The ultimate goal of spoofing is to get the target to share their sensitive information and/or their money with the scammer. For example, a spoofer may pretend to represent a victim’s credit card company and lead them into sharing their account details.

Types of spoofing

Cybercriminals have a variety of ways to pull off their spoofing. Here are the more common forms:

1. Email spoofing

In email spoofing, an attacker sends an email message appearing to be from a known or trusted source. The emails typically include links to harmful websites or attachments that will infect the victim’s device with malware. Alternatively, the scammer may use social engineering to persuade the recipient to share sensitive information.

2. IP spoofing

In IP spoofing, an attacker tries to gain access to a system by sending messages via a bogus or spoofed IP address, which appears to be from a recognized, trusted source, such as one on the same internal computer network. The spoofed IP address will mask the true source, which is a third party that is out to infect the victim’s device with malware and steal their information.

3. Caller ID spoofing

Here, attackers make a phone call to a target that appears to be from a known caller. The scammer will often pose as the victim’s bank or credit union. The victim, believing they are speaking with a representative of their financial institution, will disclose their account information and even passwords, which can lead to the scammer emptying their accounts and/or stealing their identity. Sometimes, the scammer will provide the victim with a phone number to call, which will allegedly connect them with their bank or credit union. This number, of course, will only connect the victim to a scammer.

4. Facial spoofing

In this most recent form of spoofing, a scammer uses a photo or video of a target’s face to simulate their facial biometrics. This enables them to unlock accounts that can only be opened via facial recognition.

5. Website spoofing

In website spoofing, a scammer will create a bogus site that looks just like a reputable website that the victim often visits. Attackers will lure victims to this site for the purpose of stealing their login credentials and personal information.

6. Text-message spoofing

In this scam, also known as smishing, a victim will receive a text message on their personal device appearing to have been sent via a trusted source, such as the victim’s financial institution, place of work, or doctor’s office. The text will ask the victim to share personal information. They’ll often do so, mistakenly believing the sender of the text message to be who they claim to be.

7. Man-in-the-Middle (MitM) attacks

There are three players involved in MitM attacks: the victim, the party the victim is attempting to communicate with, and the “man in the middle”, otherwise known as the scammer who is intercepting the communications. In these spoofs, the scammer tries to eavesdrop on the interaction between the victim and the other party. Alternatively, they may try to impersonate the other party to get at the victim’s personal information.

Deepfakes and spoofing

Deepfakes is a relatively new and dangerous tool for spoofers. A deepfake is a fake image, video, or audio clip that has been edited to appear authentic. For example, a scammer may create a deepfake video using an image and audio recording of a celebrity and make it appear as if they are telling you to open a link or support a specific cause.

Scammers use deepfakes to trap victims and appear as if they represent a trusted source.

Protect yourself

Spoofing is a formidable danger for consumers across the economic spectrum, but with the right tools and knowledge, you can avoid falling victim to these scams. Here’s how to protect yourself from a spoofing attack:

• Turn on your email’s spam filter and be sure to mark incoming emails that look suspicious as spam.
• Use two-factor authentication and/or biometric logins when possible.
• Use strong, unique passwords across all of your accounts.
• Ensure your device’s security system is at its strongest setting and uses the most updated patches. If you haven’t already done so, it’s worthwhile to invest in robust security software.
• Never click on links or open attachments that are sent from an unverified source.
• Never share personal information online or over the phone with an unknown contact.
• If you’re allegedly contacted by your financial institution and asked to provide your login credentials or account details to fix a supposed issue with your account, don’t respond. Instead, delete the message or abort the call and contact your bank or credit union directly to ask about any possible issues with your account.
• Don’t take phone calls at face value, even with caller ID. If you suspect foul play, Google the phone number presented on the caller ID to see if it’s associated with scams.
• Consider an app, like Hiya, that filters out known scammers, spoofers, and other nefarious numbers.
• Opt to display file extensions in Windows. This will enable you to view any spoofed extensions so you can avoid opening malicious files.
• Identify deepfakes by looking for small details that give them away. Zoom into the image or video to verify if the words and lip movements are in sync. Look for lip color that looks unnatural, unrealistic facial hair, exaggeratedly wrinkled or smooth skin, and non-existent moles.

Red flags

Look out for these red flags that can alert you to a possible spoofing attack:

• Websites with a URL that is very similar to the URL of a reputable site.
• Websites riddled with typos, unusual syntax, and spelling errors.
• An alleged rep of your bank or credit union asks you to call a number that is not associated with your financial institution.
• You’re asked to share your login credentials or account number with an unverified contact.
• Familiar corporate branding, such as logos, colors, and call-to-action buttons within a message asking you to take an action that is not typical.

If you’ve been targeted

If you believe you’ve shared sensitive information with a scammer through a spoofing attack, there are steps you can take to mitigate the damage.

First, contact your financial institution to let them know about the attack. You may place a credit alert or a credit freeze on your accounts, making it difficult or impossible for a scammer to open a line of credit or take out a loan in your name. If you believe your identity has been stolen, check out identitytheft.gov to learn what your next step should be. Finally, change the passwords on all your accounts to protect them from further attacks.

Spoofing has gotten a lot more dangerous in recent years, but with proper awareness and basic protective measures, you can avoid getting scammed. Use the tips outlined here to stay safe.

Fortunately, with the right steps and protective measures, you can easily avoid unsafe websites. Here are six ways to tell if a website is safe and secure.

1. Look for an SSL certificate 

Secure websites like ours will have an SSL, or a Secure Sockets Layer. An SSL is a digital certificate that verifies a website is authentic and will automatically encrypt all personal information and financial data. There are two primary indicators of an SSL, both of which are easily visible in the site’s URL that’s displayed in your web browser:

• An ‘s’ after the ‘http’
• A padlock icon

It’s important to note that most browsers will hide the beginning of the URL, which generally includes these two indicators of an SSL. However, you can easily read the entire URL by copying and pasting it to another tab, a Microsoft Word document or a Google Drive doc. Some browsers will also reveal this info if you hover over the left-hand side of the URL. In addition, clicking on the padlock icon will reveal more information about the site’s security.

2. Evaluate the URL structure

Next, look at the URL carefully. Are there any misspelled words? Does the URL mimic a well-known site or retailer? Scammers will often lure victims by creating bogus sites that look like they represent well-known companies. However, careful scrutiny of the URL will reveal basic spelling errors that give the scam away. You may also find that the site, which allegedly represents a famous company, belongs to a public domain, such as Gmail or Yahoo, as opposed to a private business domain, like Amazon.com. This, too, will tell you that you’re likely looking at a scam.

3. Look for the company’s contact info

Legitimate companies are eager to have you connect with them for any reason. They’ll generally display their contact information on their home page or provide a link through which to easily access it. Scammers, on the other hand, try to keep themselves as invisible as possible. You likely won’t find any tabs that say “Contact Us” or “About Us” on their website. You may find their email address on their site, but a phone number and street address will be glaringly absent or clearly made up.

4. Check the spelling and graphics

Authentic companies will take the necessary steps to make a professional impression on visitors to their website. Scammers, on the other hand, will not. Use their carelessness to your advantage by looking out for spelling mistakes and typos throughout the site. You can also be on the lookout for cheap design elements, including images that are clearly not original and logos that are poorly created. Each of these clues can signify a scammy website.

5. Take notice of your device’s security warnings.

If you enter a site’s URL into your computer and a warning pops up to alert you that the site you’re attempting to access is not safe, do not ignore it. You can choose to advance to this site, or back out. Unless you’re absolutely sure the site is secure despite the warning, it’s best not to choose to advance to the site. Websites that are flagged by devices generally do not pass the most basic security tests as detailed above.

6. Opt out of sites that flood you with pop-ups and links

Scammy websites will try to trick you into downloading malware through pop-ups and embedded links. Sometimes, the links will be used to generate ad revenue through clicks. Whatever the intent, it’s important to know that reputable sites will not flood your screen with pop-ups and random links for you to click. If you encounter a site like this, you’re likely looking at a scam and should exit as soon as possible. Then, close your browser and have your security system run a scan on your device to find any possible vulnerabilities or safety breaches.

Don’t get stuck on an unsafe site! Use the tips here to stay safe.

Here are 6 tips for keeping your device safe and secure.

1. Keep your phone locked

If your entire life is on your phone, you run the risk of giving up complete access to your identity if your phone is stolen or misplaced. The best way to prevent this from happening is to have a lock on your screen. Opt for a physical lock if possible, such as fingerprint or face recognition; meaning no amount of automated password inputs can open your phone. Consider installing a tracking device/app on your phone as well to help you locate it and retrieve or erase the data if it gets misplaced. Finally, adjust your phone’s lock settings so the screen automatically locks after the shortest amount of time being idle.

2. Choose strong, unique passwords across all your devices and apps

Passwords should be a blend of letters with varied capitalization use, numbers and symbols. Be sure to use a different password for each of your devices, apps and other online accounts, and to change up your passwords approximately every six months. Don’t store the info for all your passwords in one location on your phone or have your device “remember” your passwords. If you find it challenging to recall all your passwords and login credentials, you may benefit from a password manager like Sticky Password or LastPass.

3. Browse safely

Follow these rules for safe online browsing:

• Look for the padlock icon and the “s” after the “http” in the URL of each landing page you visit to ensure it’s a secure site.
• Never share your personally identifiable information (PII) with an unknown contact.
• If an alleged representative of SRI Federal Credit Union reaches out to you regarding an issue with your account and you’re unsure of whether this contact is legit, reach out to us directly through a secure channel to confirm your suspicions.
• Don’t store your credit card info in online shopping accounts.
• Keep your security settings current.
• Avoid clicking on pop-up ads or links in emails from unverified senders.

4. Use secure Wi-Fi

The first thing many people do when they sit down in a restaurant, at a bar, or almost anywhere, is search for free Wi-Fi access. It’s an easy way to save on data, so why not? Simply put, using public Wi-Fi makes you vulnerable to hacking. It’s best not to use public Wi-Fi at all, especially when banking online. To keep your device safe while using public Wi-Fi, connect to a virtual private network (VPN). Changing your virtual network will protect your location and sensitive information from scammers. In addition, be sure to keep your own Wi-Fi locked to prevent strangers from accessing your network.

5. Encrypt your data

Your phone stores loads of your PII, which can make you vulnerable to identity theft if it’s stolen or misplaced. Protect your information by encrypting all sensitive data on your phone. Most phones have encryption settings, which you can enable easily.

To encrypt data on an Apple device,  go to the settings menu, choose “Touch ID & Passcode” from the pop-up menu and follow the prompts to unlock your phone. When you’ve gained access, scroll down until you see the words “Data Protection”. If this feature is not enabled, enable it now. Your data is now unreadable.

If you own an Android phone, charge your phone at least 80% and unroot it. Next, go to your security settings and choose “Encrypt Phone” from the menu. Encryption may take an hour or more.

6. Install antivirus software on your phone 

The same antivirus programs that protect your laptop can also keep your phone secure. Check out security programs for phones, like McAfee or Norton 360. Antivirus software will provide your phone with protection from security breaches and attacks from scammers.

If you believe your device has been compromised, and/or you’re vulnerable to identity theft, notify SRI Federal Credit Union immediately. Alert the FTC as well.

Smartphones bring a lot of convenience into our lives, but they carry an inherent security risk. Use the tips outlined here to keep your device safe from fraud.

How the scams play out

In a digital kidnapping scam, a hacker or ring of scammers will take control of one or more of a target’s social media profiles. The target will be effectively locked out of their own social media accounts and will be unable to access or update them. Once the scammer has control of the profile, they’ll contact the target, demanding a hefty ransom in return for access to the account. They may even threaten to post damaging or humiliating content on the social media profile unless the ransom is paid.

In another version of this scam, hackers will “kidnap” a photo of a child or baby off an unsecured social media account. They will post these photos in their own accounts, using the picture-perfect moments to create a fantasy world of their own. In a creepy twist of reality, they’ll pretend these are snapshots of their own family. They may use this fake world to help them create an imaginary escape, or to draw traffic to their own public accounts. Sometimes, they’ll utilize these photos to help build a bogus story, such as a baby being put up for adoption, or a charitable fund to benefit a child whose parents are struggling financially. Unfortunately for the actual parents, it can be months or years before they find out that their child’s picture is splashed across a public account with thousands of followers.

If you’ve been targeted

If you believe you’ve been targeted by a digital kidnapping scam, there are steps you can take to mitigate the damage. First, alert the company that owns the social media platform to let them know your account has been compromised. They’ll likely have specific instructions for you to follow to ensure your account remains safe. They may even advise you to close the compromised account and open a new one. Next, tip off the Federal Trade Commission (FTC) and local law enforcement agencies which can help you determine whether it makes sense to pay the requested ransom. Finally, clean up your accounts and make sure there is no identifying or potentially dangerous information being posted on a public forum.

Protect yourself

The best way to protect yourself from digital kidnapping is by keeping your accounts private and secure. Always choose the strongest security settings on your devices and opt for private social media accounts across every platform. This will limit your audience to by-invitation-only viewers while helping to keep hackers and creeps away.

It’s also a good idea to be mindful of what you post, and how often you post it. Even when using the strongest security settings, sharing a picture online essentially means sharing it with the public. You never know who may be trolling your accounts or looking for pictures to “adopt” as their own. Think three times before posting a picture of your kids. Extra caution is advised for those with super-cute kids.

Finally, be sure to follow basic online safety rules to avoid giving a scammer access to your accounts. Use strong, unique passwords for each of your online accounts and change up your passwords every six months or so. Avoid using public WiFi unless absolutely necessary. Accept every security and software update offered for your device to keep them operating at optimal security. Finally, avoid sharing sensitive information with an unverified contact and never download an attachment or click on a link within an email from an unknown sender.

Stay alert and stay safe!