WE NEED YOUR CELL PHONE NUMBER IN THE EVENT WE MUST CONTACT YOU REGARDING POTENTIAL FRAUD ON YOUR VISA DEBIT AND/OR MASTERCARD. LOG INTO CU@HOME AND SEND US UPDATED INFO.
Posted 2.22.2013: Several institutions in the area are reporting that members are receiving phone calls, emails, and text messages warning the member that their card has been deactivated.
If you receive such a message, please disregard and delete it immediately. DO NOT take the actions requested in the message.
Remember, if you receive a call or message claiming to be from HMFCU that asks you to provide your details - delete it! HMFCU will never call or send a message asking you to provide us information. We will have your information and only ask you to verify it.
Posted 10.17.2012: The Internet Crime Complaint Center (IC3) has reported that they are aware of various malware attacks against Android mobile device operating systems.
Two examples of malware that are being used by criminals are Loozfon and FinFisher.
- One version of Loozfon is presented as a work-at-home opportunity that promises a profitable payday just for sending out e-mail. A link within these advertisements leads to a website that is designed to push Loozfon onto the user’s device. The malicious application steals contact details from the user’s address book and the infected device’s phone number.
- FinFisher is spyware capable of taking over the components of a mobile device. It can be transmitted to a smartphone when the user visits a specific web link or opens a text message masquerading as a system update. Once installed, the mobile device can be remotely controlled and monitored no matter where the target is located.
IC3 has suggested the following safety tips to help protect your mobile device:
- When purchasing a smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
- Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
- With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
- Review and understand the permissions you are giving when you download applications.
- Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
- Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity and that help protect your device from rogue applications and malware.
- Be aware of applications that enable geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can also be used by malicious actors, raising concerns of assisting a possible stalker and/or burglaries.
- Jailbreaking or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime an application or service runs at the “unrestricted” or “system” level within an operating system, it allows any compromise to take full control of the device.
- Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
- If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
- Smartphones require updates to run applications and firmware. If users neglect this, it increases the risk of having their device hacked or compromised.
- Avoid clicking on or otherwise downloading software or links from unknown sources.
- Use the same precautions on your mobile phone as you would on your computer when using the Internet.
If you have been a victim of an Internet scam or have received an e-mail that you believe was an attempted scam, please file a complaint at www.IC3.gov.
FBI warns financial institutions are being highly targeted by fraudsters
The complete story is posted at http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
On September 17, the FBI reported that cyber criminals have recently shifted their attack efforts from financial institution customers to financial institution employees, using spam, phishing emails, keystroke loggers and Remote Access Trojans (RATs) targeted at employees to steal money and gain access to financial institution accounts. Small to medium sized banks or credit unions have been targeted in most of the reported incidents; however, a few large banks have also been affected.
Specifically, the criminals are looking to compromise financial institution networks and obtain employee login credentials. The stolen credentials are used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the criminals raised the wire transfer limit on the customer's account to allow for a larger transfer. In most of the identified wire transfer failures, the perpetrators were only unsuccessful because they entered the intended account information incorrectly, the FBI stated.
The cyber criminals used spam and phishing e-mails to target financial institution employees. Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the criminals with complete access to internal networks and logins to third party systems. In some instances, the criminals stole multiple employee credentials or administrative credentials to third party services and were able to circumvent authentication methods used by the financial institution(s) to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including the approval.
The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees' credentials. In at least one instance, attackers browsed through multiple accounts, apparently selecting the accounts with the largest balance.
The FBI made a number of recommendations for financial institutions to help prevent security
- Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited emails.
- Do not allow employees to access personal or work emails on the same computers used to initiate payments.
- Do not allow employees to access the Internet freely on the same computers used to initiate payments.
- Do not allow employees to access administrative accounts from home computers or laptops connected to home networks.
- Ensure employees do not leave USB tokens in computers used to connect to payment systems.
- Review anti-malware defenses and ensure the use of reputation based content and website access filters.
- Ensure that workstations utilize host-based IPS technology and/or application whitelisting to prevent the execution of unauthorized programs.
- Monitor employee logins that occur outside of normal business hours.
- Consider implementing time-of-day login restrictions for the employee accounts with access to payment systems.
- Restrict access to wire transfer limit settings.
- Reduce employee wire limits in automated wire systems to require a second employee to approve larger wire transfers.
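An added example (not from the FBI alert or HMFCU): Python detection logic that flags the patterns described above in a payment-system audit log, namely off-hours logins, a wire limit change followed by a wire on the same account, and a wire initiated and approved by the same employee. The event field names, the business hours and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, time, timedelta

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed policy hours
LIMIT_WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample audit events; field names are hypothetical.
EVENTS = [
    {"ts": "2012-09-10 09:15", "user": "alice", "action": "login"},
    {"ts": "2012-09-10 10:02", "user": "alice", "action": "wire_initiate", "wire": "W100", "account": "A-1"},
    {"ts": "2012-09-10 10:20", "user": "bob", "action": "wire_approve", "wire": "W100"},
    {"ts": "2012-09-11 02:41", "user": "carol", "action": "login"},
    {"ts": "2012-09-11 02:55", "user": "carol", "action": "limit_change", "account": "A-7"},
    {"ts": "2012-09-11 03:05", "user": "carol", "action": "wire_initiate", "wire": "W101", "account": "A-7"},
    {"ts": "2012-09-11 03:06", "user": "carol", "action": "wire_approve", "wire": "W101"},
]

def off_hours(when):
    """True on weekends or outside the assumed business-hours window."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)

def review(events):
    """Return (timestamp, user, reason) alerts for the patterns in the FBI alert."""
    alerts, initiated_by, limit_changed = [], {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        when = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")
        who = (e["ts"], e["user"])
        if e["action"] == "login" and off_hours(when):
            alerts.append(who + ("off-hours login",))
        elif e["action"] == "limit_change":
            limit_changed[e["account"]] = when  # remember per account
            alerts.append(who + ("wire limit changed",))
        elif e["action"] == "wire_initiate":
            initiated_by[e["wire"]] = e["user"]
            changed = limit_changed.get(e["account"])
            if changed is not None and when - changed <= LIMIT_WINDOW:
                alerts.append(who + ("wire follows limit change",))
        elif e["action"] == "wire_approve" and initiated_by.get(e["wire"]) == e["user"]:
            alerts.append(who + ("same employee initiated and approved",))
    return alerts

if __name__ == "__main__":
    for alert in review(EVENTS):
        print(*alert, sep="  ")
```
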
Posted 9.12.2012: The Better Business Bureau, Wal-Mart, Target and Best Buy are company names being used to promote bogus gift cards. Be cautious if you receive an email advising that one of these vendors is promoting a give-away of Visa gift cards (usually for $1000). This email is probably a scam and fraudsters are trying to get your personal information.
How the Scam Works:
People nationwide are receiving emails informing them that one of the above vendors is giving away $1,000 Visa gift cards. Emails come from a variety of email addresses and contain different links, but all use a variation of the message below:
On behalf of the (Better Business Bureau, Wal-mart, Target, Best Buy or possibly another vendor), you have been issued a $1,000 Visa Gift Card free of charge.
Card type: Visa Gift
Card Issued to: Jim Jones
Issuing branch: San Antonio, Texas
Valid until: 08/2015
Please use the following website to claim your card and have it shipped to the address of your choosing: Go to: www reward2012 com to claim your prize. Please note that claims must be made within 48 hours from this email being sent, or the above link will become invalid.
Customer Service Employee Benefits Center, LLC
If you go to this web site (in the email), you will be asked to input information about your age, address, email and cell phone number. Given that the survey does not request your Social Security Number, banking information or ask you to download a malware file, it is not likely an attempt at ID theft. Rather, it’s probably an unscrupulous way to collect consumer data, such as email addresses and phone numbers.
The best advice if you receive this email is not to take the offer seriously and to simply delete it.