Nottawasaga Valley Conservation Authority issues scam alert
UTOPIA, Ontario (January 21, 2020) – The Nottawasaga Valley Conservation Authority (NVCA) is warning residents in the Nottawasaga Valley Watershed and beyond to ignore a scam that uses the organization’s name, slogan and logo.
The scam is disguised as a Go Fund Me campaign, with a photo of a boy in a hospital and text describing his serious illness and saying that a large sum of money will be required to help with his recovery. The link to donate goes to a PayPal payment platform.
“We are asking members of the public to not click, respond or donate when seeing this email,” says Sheryl Flannagan, Director of Corporate Services at the NVCA. “Our staff are working hard to rectify the situation and to find the source of the scam. In the meantime, we would like to ensure everyone that our data is secure. This is a matter of misusing our name, slogan and logo. We invite anyone who has questions or concerns to contact us.”
Formjacking: The ID Thief’s Latest Weapon
If you ever fill a form out online — and most of us have and likely will again — you could be a target for a newer type of scam called formjacking.
It does what its name suggests — hijacks forms. Hackers “inject” code into forms on legitimate websites. This causes the page to release to the crooks confidential information entered on the form.
The tactic is mainly used to steal credit card information, with the stolen data often sold on to a dark web trader for re-sale to anyone who wants it. But it’s also been discovered in online job application forms.
Scammers have switched to formjacking in a big way during the past couple of years, as consumers become wiser to other card info theft tricks, like “skimming” details at ATMs and gas pumps.
Credit reporting agency Experian recently explained in a web posting: “Like a card skimmer, a formjacked website does its dirty work without disrupting a legitimate transaction. When you place an order on a formjacked website, for instance, the sale goes through as expected, even as your data is transferred to the crooked hackers.”
That means people often don’t know they’re victims until their stolen card details start to be used.
According to Internet security firm Symantec, almost 5,000 sites are formjacked every month. In 2018 alone, hackers were said to have attempted more than 3.7 million formjacking attacks. That figure is more than double the number for the prior year, though many of the attacks have been blocked.
Even well-protected business sites have proved vulnerable to attack via some of their small suppliers who work directly with them but don’t have such high-level security. Symantec lists companies such as Ticketmaster, British Airways, and electronics dealer Newegg as being targeted.
“Our data shows that any company, anywhere in the world, that processes payments online is a potential victim of formjacking,” the security outfit said.
The trouble is that it’s often not possible for a user — or even a victim firm — to tell if a form has been infected with malicious code, since it otherwise behaves normally.
So, your best strategy, the firm recommends, is to stay vigilant and watch for signs that your data has been compromised. This echoes the warning we gave in our annual review that regularly monitoring your online financial accounts (daily if possible) will become increasingly important this year.
Here are five important actions you should take to limit the effectiveness of formjacking:
- Check your credit card statement for discrepancies when it comes in every month, but try to monitor your card balance as often as possible, especially if you have recently filled in an online form where you had to disclose personal and confidential information.
- Check your credit scores frequently. It used to be that you could only access your credit report for free three times a year (from AnnualCreditReport.com) but now some of the three big credit reporting agencies, various credit card companies, banks, and even specialist monitoring sites like CreditKarma.com (note: this is not a recommendation specifically for this organization) will give you the information for nothing. You can also pay for other firms to actively and continuously monitor your records in real time and highlight any unusual activity.
- If you wish, you can freeze your credit records with the “big three” agencies. This will stop anyone who has your details from opening new lines of credit in your name. However, you will also have to unfreeze it if you want to open or extend a credit account. To learn how to freeze your records, see this guide from the Federal Trade Commission: Free Credit Freezes Are Here. Freezes (and unfreezes) are free. You can also freeze the records of your children.
- Keep your Internet security software up to date, as security companies are working actively on detecting and highlighting form hijacking. Many programs can already identify some of them, and as updates are installed, you should be able to cut your risk of falling victim.
- If you suspect or discover you’re already a victim, notify your bank or card company immediately. You can also add a regular or extended fraud alert, which isn’t the same as a freeze.
Meanwhile, security firms are concentrating their latest efforts on helping targeted companies identify and remove formjacking attempts.
“Corporate awareness of formjacking and the availability of software to detect and disable it means the problem will surely diminish over time,” says Experian. “But as long as hackers keep inventing new forms of electronic theft, we’ll all need to keep watch over our credit activities.”
Alert of the Week
You may have seen new reports warning against abbreviating the date year now that we’ve moved into 2020.
If you were used to giving only the final two digits of the year, as in 1/1/19, you shouldn’t use that technique this year.
The reason: if you dated a document as 1/1/20, an unscrupulous person could change that to, say, 1/1/2015 or 1/1/2030. This could enable them to make serious trouble with some legal documents.
How to Spot and Stop Bank Fraud
Reports of bank fraud in the US have doubled during the past five years according to the Wall Street Journal -- and there’s no sign of a slowdown.
Fortunately for consumers, banks and other institutions shoulder most of the burden of this crime. It costs them an estimated $19 billion a year, with a further $15 billion that they actually spot and stop.
But for individuals who fall victim, there are some cases where banks refuse to pay up -- for example, if they establish that the customer behaved irresponsibly or, occasionally, the crime was not reported until significantly later.
And there’s more. As well as any financial losses consumers suffer, they also can face a huge problem in trying to straighten out their financial records, especially with the credit reporting agencies.
It’s well known too that older folk are the biggest target for scammers, partly because they’re too ready to believe crooks and, often, because of confusion and misunderstandings.
What is Bank Fraud?
So, what exactly is bank fraud?
It’s a potentially wide-ranging crime, but for this report we’re using the Investopedia definition: “when someone attempts to take funds or other assets from a financial institution or from customers of that institution by posing as a bank official.”
This happens most commonly when people receive a text, email or phone message pretending to be from their bank.
The message may say:
- Your account has been compromised in some way and you should get in touch via a phone number the scammers control. Victims are asked to provide their account details, which the crook then uses to log onto their account and drain it.
- An email purporting to come from the bank contains a link that the victim is supposed to click to check something in their account. But the link connects to a phony page that looks like the real thing and, once again, the victim is asked to input their credentials.
- The bank suspects one of its employees is defrauding them. Victims are asked to cooperate by withdrawing a certain amount of cash, which they are supposed to hand over to this employee (who is really the scammer) who is supposedly being monitored by the bank. The meeting takes place in a public place away from the bank.
- A victim is told that they need to transfer their money to a newly set-up account to avoid being defrauded. But the new account is controlled by the crooks who then escape with all the money in the account. Banks don’t do this, so if you get such a request, it’s a scam. Period.
- Someone looking for a job online is offered employment but told they need to provide their bank details so payment can be made directly to their account. The scammers don’t get the password this way, but they will try many commonly used passwords or they may be able to buy it on the black market if it’s been stolen in a data breach and the victim is using the same password for all their accounts.
Alternatively, a user’s computer is hacked; the hackers install malware that steals all the necessary banking information to enable them to access the victim’s account.
There are many variations of this crime, but the aim is always the same -- to empty victims’ bank accounts.
One Simple Step
However, your chances of falling victim to most bank fraudsters can be almost eliminated with one simple step.
Whichever message you receive, don’t take any action or hand over any money or information without first phoning your bank and checking if they sent a message.
If the message comes by text or email, it’s almost certainly a scam, since banks don’t usually communicate that way on security matters.
They’re more likely to phone you if there’s a security issue and even then -- even if caller ID suggests it really is your bank -- take no action until you’ve spoken to the bank.
However, there’s a further word of warning about phone calls. You may hang up and then dial your bank’s phone number, but if the other party (the scammer) didn’t hang up at their end, you may immediately reconnect with them no matter what number you keyed in. So, if you can, use another phone, like a cell phone or a neighbor’s landline.
There are 7 more steps you can take to avoid bank fraud:
- Use a unique password for your online banking and change it regularly.
- Check your online account every day so you can spot any unusual transactions.
- Keep your security software up to date to avoid malware being installed.
- Don’t give your account details to anyone, including an employer, until you know they’re genuine.
- When visiting your online account, make sure you keyed in the address correctly. Scammers set up fake sign-on pages hoping that you mis-keyed the web address.
- Use a credit card or a service like PayPal when you shop online, so you never have to give out your bank details.
- If you feel uneasy about a message you received and don’t know what to do, talk about it with someone you trust -- and contact your bank.
If you do fall victim, the most important action you can take is to contact your bank immediately. And if your account has been compromised, change it, and your password.
Sadly, bank fraud is not only here to stay but is rapidly on the rise. Be skeptical about any communication regarding your finances and then proceed with total caution.
Alert of the Week
It’s new but not really. Tech giant Apple has warned of a familiar trick that re-emerged this past December -- a message telling victims their Apple account has been frozen. They’re asked to click a link and enter their password on a page that looks like Apple’s. But, of course, it isn’t. DON’T.
It’s a simple trick that’s been around for years, using various company names. But the fact that it does keep reappearing suggests that it works. But you won’t fall for it, will you?
That’s all for today -- we’ll see you next week.