Shimming Right Along To Skim Your Payment Card Number

By now, most of us have at least one or two EMV (Europay, MasterCard, Visa) cards. These are the payment cards that were touted as far more secure than the ones with the magnetic strips on the backs. And indeed, if you ask Visa, these cards have resulted in a 75% decrease in fraud in the three years since they were introduced. Cybercriminals are of course finding ways to take advantage of the EMV cards too. Now, there are reports of a new method called “shimming,” which is the new “skimming.”

The magnetic strips on the backs of the cards are easily read by a skimmer. That’s a device installed over the card reader, often at ATMs, that records the strip information for the thieves. Those devices are not so difficult to spot because they are a bit “clunky” and sit on top of the machine’s original reader. A shimmer is much more difficult to detect. These are supposedly extremely thin…like a sheet of paper. It’s very difficult to see. However, it contains a microchip that can read the data on the EMV chip.

Don’t despair, though. It’s still harder to get the information from the chip than from a magnetic strip. And a criminal still has to physically install the devices on the machines. There are ways you can keep on top of payment card fraud, and they apply whether you’re still using a magnetic strip card or an EMV card:

– If you need to get cash, go inside a bank branch or use an ATM that is secured or inside a building with cameras.

– Most debit cards can also be used as credit. Use the credit option on machines when given the choice. While this doesn’t prevent shimming, it will provide more protection for you if your card number is used fraudulently.

– Monitor your charges regularly. If it’s possible, do this more often than monthly. Most financial institutions make it relatively easy to check your charges these days with their websites and mobile apps.

– Report potential fraudulent activity right away.

– Consider setting up alerts for your cards. They can be set up to alert you any time a purchase is made using the card or if a certain amount is charged. While it might be a bit overwhelming to get an alert for every charge, setting at least one alert is useful. Don’t make the amount too large, though. Criminals will often make small purchases so as not to set off these alarms.

New technologies are indeed making it more difficult for criminals. But they aren’t giving up at all. As long as we embrace technology, our information is at risk. Keeping up with the latest threats will help you shimmy right ahead of the hackers.

Stickley on Security
Published March 20, 2019

Payment Fraud Happens In Many Flavors

Chances are pretty good that you have heard the term business email compromise, or BEC, by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016, and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud-related complaints reported in 2017, the most common type was wire transfer fraud.

There are several common wire transfer fraud scams going around and new ones are being created every single day.

Employees at all types of companies are targeted with phishing email messages all the time. It’s not just Fortune 500 companies, but small businesses are also targeted. While a large company may be able to survive financially, small organizations often go out of business if an employee falls for a phishing scam.

Early in 2018, the City of Pittsburg, Pennsylvania was hit with a phishing attack resulting in theft of information from W-2s. In 2016, something similar happened at Seagate and Snapchat. In all of these, the criminals managed to get information on employees by sending an email pretending to be a C-Level executive and asking for the information contained on W-2 forms or asking for the W-2 forms specifically.

In both 2016 and 2017, the eSignature service DocuSign was used in another attack that used previous email conversations to distribute malware in phishing campaigns. It was used again in a similar way, but omitting the malware. Instead, it phished for legitimate employee information; once that was acquired, it was used to infiltrate email conversations again and find out about active projects or current payments. With such specific information, employees are more likely to click or visit a website.

When it comes to business accounts, large amounts of money can be wired out all the time. And if a request is made by a high level person for one to be made or for credentials to be shared, it can be uncomfortable to question it. However, when the funds and login credentials of the corporate accounts are at risk for theft, it’s important to be skeptical if something just doesn’t seem right or asks you to bypass typical procedures.

While the above are still common, there are some new kids on the block too. We will discuss a few of the scams that can catch employees and others out, so you will know what to look for when determining whether a suspicious request could be this type of fraud.

Paycheck Direct Deposit Redirect Scams

The Better Business Bureau identified a newer scam early in 2018 where employees were sent an email seemingly from their payroll department or company asking them to take a survey. When they clicked the included link or went to a specified website, they were asked to confirm the employee’s identity by typing in his or her password or other sensitive credentials. Once those login credentials were entered, hackers used them to access the employer’s payment portal. From there, the direct deposit paycheck was rerouted to another account.

Real Estate Scams

One that has started gaining popularity among the scammers deals with real estate transactions. The scammers will find out names of escrow companies, break into their networks or perform social engineering scams and get information related to upcoming transactions. They then will email homebuyers or those refinancing a home and ask them to change the account number on the wire instructions for an upcoming transaction regarding their loan. This is common in states where real-estate prices are high, but it can happen to anyone, anywhere. Even if a refinance isn’t in the millions, it can still be a great payday for a scammer.

What someone who has permission to perform wire transfers needs to be aware of is that a last-minute request like this really shouldn’t happen. Always call the escrow company.

Payment Services

Other scams use payment services such as PayPal or Venmo to take advantage of others. One happens when people receive a check in the mail and are asked to deposit it into their own bank accounts. This may seem like an easy scam to spot, but the ruse is that they are being “hired” to perform a temporary service to test the quality of one of these services. Part of it involves having the victims wire most of the money they deposited into another account in order to provide this feedback to the company. However, as payment for this testing service, they get to keep some of it for themselves as payment for a job well done. As you guessed, the money is stolen and it is all a big moneymaking scam involving wire transfers.

While it may seem obvious to some that this is a sham, for others being paid for the service and the whole explanation of the review process makes a lot of sense, and the scam may not be so obvious. What someone at a financial institution needs to look out for is a deviation from a customer’s typical deposits, withdrawals, and transfers.

Vendor Invoice and Services Scams

You have probably received an invoice in your email at some point. Vendors send invoices in email quite often these days. And nearly everyone uses a shipping service such as FedEx or UPS, especially at the office. Scammers take advantage of that fact by sending fake invoices hoping someone will pay them. There are even scams that use actual PayPal accounts and company logos. Often these will include links to fake web pages asking for bank account logins so that the “invoice” can be paid directly from the account.

There are many variations of wire transfer fraud these days. Though they are somewhat new in the grand scheme of cyber fraud, they have changed quite a lot since the beginning. They started out using the names, email addresses, and other details of C-level executives. For example, they would gather information off of various business networking websites or even by calling the receptionist at the company to find out the names. Then, they would gather other information, such as who works in the finance department. They would use this information in social engineering scams by sending email to that finance department employee asking for a large sum of money to be wired to some account. The scam worked if the money was wired without question.

We get it. You don’t want to question the boss. However, won’t the CEO be happier if you asked if that request was real before sending a bunch of money off to a scammer? And if it is a real request, you will feel better knowing so.

Detection and Prevention

There are some ways to spot and prevent wire transfer fraud or BEC from happening in your workplace:

– First, remember that if you are not expecting a link or attachment in an email, just don’t open it without verifying it first. The best way to confirm is to place a phone call. Get that verbal OK.

– Don’t bypass policies and procedures for wire transfers, no matter who asks. Those are in place for a reason and should always be followed.

– If a request to wire money or pay an invoice gives a sense of urgency and/or if there is a threat of something happening if you don’t pay it, it is likely a scam. Stop. Verify it first with the requestor. There is nothing so urgent you can’t take a moment to place a quick phone call just to make sure.

– If you are not expecting to receive an invoice from any company, yet you receive one in email, take a moment to confirm it first. Contact the vendor or the person(s) who made the purchase before even clicking a link or attachment and certainly before sending money.

– Remember that if you are contacting a requestor, use a phone number or email address you know is legitimate. Don’t count on the information sent in an email being real. Cybercriminals are actually making scams a business and setting up call centers to receive these “verification” calls.

– If you have a transaction set up and get a last-minute request to change it, definitely take a minute to check with your financial institution. Most of the time, wire instructions are not changed that quickly or with such a sense of urgency. It is OK to question these, and you should.

– Lastly, if you receive a sum of money in the mail and are asked to deposit it in your own account, don’t. Legitimate companies won’t ask you to go to such lengths to test a service.

Remember that no amount of technology can prevent 100% of the phishing emails from getting through. The cybercriminals are just getting too good at bypassing those. But by being aware of the verbiage used, the greetings, the logos, the little nuances in the wording or visuals, and of course being skeptical if a link or attachment is not anticipated, you can avoid falling for these scams.

Stickley on Security
Published March 21, 2019

Keep Your Last-Minute Tax Filing Stress-Free

Whoever came up with the saying, “The best things come to those who wait” never filed their taxes at the last minute.

Anyone who’s ever put off filing until the eleventh hour knows how stressful it can be. Facing the crunch of a deadline, you dig through papers looking for the right forms, try to remember the password to your online filing resource, and keep your fingers crossed that urgent personal or work matters don’t suddenly pop up.

If you think that you might find yourself in this scenario, here are some helpful tips that will minimize the anxiety of a down-to-the-wire tax filing:

Get Organized Now

If you haven’t started already, organize all of your required documents. This includes employment forms like W-2s and 1099s. If you haven’t received these documents from your employer, contact them ASAP. Itemizing deductions? It’s time to find your receipts and documentation.

Don’t Rush

You don’t want to feel more crunched for time than you already are when inputting important data—that’s how mistakes happen. Double check your numbers.

Even if you’re using an online resource that does the math for you, confirm that you’ve entered the correct information. Being thorough and accurate is not only required by law, it will protect you in the event of an audit by the IRS.

File Online

With the deadline looming, filing online is your fastest option. Digital resources like TurboTax and H&R Block can import data based on certain information. And if you’ve filed with them in previous years, they may carry over other personal and employment details, expediting the process even more.

Don’t Do It in One Sitting

It’s important to keep your mind fresh. Data entry—even when it’s your own data—can be a dry task. Make sure you take breaks throughout the filing process.

You may be pressed for time, but errors on your tax return can have serious consequences. You may have to amend or refile your taxes, or if you don’t catch the mistake, potentially face closer inspection by the IRS.


Nine Ways to Freshen Up Your Finances

When it comes to spring cleaning, most people target their homes. And while it’s always a good idea to reduce clutter and clean up, don’t forget to refresh your finances as well. That’s right, it’s time to scrub away bad financial habits and dust off your savings goals.

Check out these nine ways to review and improve your finances:

1. Add Up Your Total Debt

If you have multiple credit cards, check the balances on each. Knowing the total amount that you owe across each line of credit can put debt in perspective, and motivate you to eliminate it.

2. …And Make a Plan to Pay It Off

Next, take proactive steps to paying off your total debt once and for all. Set a timeline for yourself. Can you be debt-free in six months? A year? Keep it realistic with how much you can reasonably pay, but also push yourself to commit more.

3. Step Up Monthly Payments

The fastest way to become debt-free is to pay more every month. Target the highest-interest debt first. Re-direct money from less expensive debt, and increase your repayment dollars. After it’s paid off, focus on the next most expensive credit card, etc.

4. Review (or Make) a Budget

Spring symbolizes rebirth, so it’s fitting that you breathe new life into one of the most fundamental tools of personal finance: your budget. Review your previous budget. Is it still relevant? (Re)create expense categories, designate priorities, and set limits for discretionary spending.

5. Slash Excessive Spending

Do you buy coffee every day? Subscribe to multiple streaming services when you really only use one? It’s okay to allow yourself some personal expenses, but try to cut back on excess.

6. Set Financial Goals

If you’re determined to buy a home some day, make a plan. Even if it’s a more modest goal like a new computer, you won’t be able to afford it if you don’t start actively saving every month.

7. Contribute More to Savings

We all want to increase the balance in our savings account, but it’s easy to get distracted. The best way to ensure that you add more to savings every month is to automate transfers from your checking account.

8. Practice Financial Peace

Accept that you can’t buy everything you want, and try to be happy with what you have. It’s essential to your peace of mind. If you fight against the limits of your finances, you’ll likely wind up in debt or feel unfulfilled.

9. Kickstart Your Retirement/College Savings Account

If you’ve fallen behind on retirement contributions or haven’t yet started a college account for your kids, now is the time to make a plan. Figure out how much you can afford to put away. Even if it’s not as much as you’d like, a smaller sum is better than no sum at all.


Four Tricks to Boost Your Credit Score Quickly

First things first: there is no magic solution to raising your credit score overnight.

If you have a low score due to, say, bankruptcy (which can affect your credit for up to seven years), boosting it requires a long-term plan of consistent on-time payments, and other responsible credit practices.

However, a low score due to a lack of credit can jump much more quickly. Check it out:

Fix Errors on Your Credit Reports

According to the Federal Trade Commission, one in four credit reports contains small errors, which can affect your score. Errors might include false information attributed to you because of identity theft or just a simple mix up, accounts that don’t belong to you, and more.

If the mistake negatively affected your score, you can expect it to improve in approximately 60 days after correction, reportedly.

Pay Off Credit Cards Every Month

If you pay off your debts, you’ll see your score go up. That doesn’t mean you should run out and buy things you don’t need, however. Instead, charge expenses like bills and gas (things you already pay for in cash) on your credit cards, and pay them off every month.

If you’re struggling to cover your existing debt, create a debt management plan to free up extra cash.

Stay Away from Your Credit Limits

Paying down the debt will improve your creditworthiness, and help your “credit utilization” (the amount of debt you have relative to your credit card limits). When you get closer to your limits, you reduce your available credit, which is bad for your score.

So bring down your debt to an acceptable amount as defined by the credit bureaus, and your score will improve.

Set Up Automatic Payments

Your credit score takes a hit with every late payment. That’s because payment history comprises 35% of your score. If you struggle to remember when money is due, set up automatic payments with your credit cards. It’s an easy way to stay punctual and—barring other major marks against your credit—turn your score around in a relatively short amount of time.


New Tool Gets Around Security Verification

Email phishing has long been the hacker’s gold card of success. One important part of keeping secure is taking additional steps to verify your identity when shopping or banking online, or simply logging in to any online account. One of the most useful tools for an identity check is 2-Factor Verification (2FA). It provides added steps to verify your identity as part of logging in to an account. It’s been around a while and is a simple and direct way of taking an additional security precaution–until now. Security researchers recently discovered a way hackers can get to your 2FA steps in a way that gives them access to your accounts, without you even knowing they were there.

Training and cybersecurity education have helped reduce email phishing attacks, but this latest hack tricks users into providing their passwords by pretending to be that extra 2FA step you count on for online security. Through this trickery, socially engineered phishing campaigns are now more successful than ever. Hackers present a website designed to be the spitting image of the login page you expect to see for your account. But rather than just crafting the website to look like your legitimate site, a bypass tool being called Modlishka actually pulls the real content from the actual website so that it’s identical to what you expect. That’s the scary part. Then, through a series of bogus transactions designed to fool you, your 2FA is compromised without your knowledge. Once the hackers get what they want, they pass you on to your intended website.

Although 2FA doesn’t guarantee safety from phishing hacks, as this instance demonstrates, it still gives a second layer of comfort toward that end. It should always be used when it’s provided as an option for your online accounts.

To counteract 2FA compromise, there’s a more secure version: Multi-Factor Authentication (MFA), the latest and greatest login security tool. Especially important for high-security logins (think nuclear power plants and government accounts), MFA combines three or more ways to verify your identity. According to Techopedia, MFA uses three foolproof means of identification as follows:

  1. Something to confirm the user’s physical security, such as an employee ID card;
  2. Something to confirm the user’s knowledge of the account, such as a PIN or password;
  3. Something to verify the user’s biometric identity, using fingerprints, eye retina, or voice acknowledgement.

For those of us without high-security jobs, start with the basics like strong passwords that are regularly changed. And always keep a sharp eye out for attempted phishing attacks. Though they are now finding their way into your accounts in sneakier ways, there still are ways to identify them. As with Modlishka, they start with a phishing email that appears to be from someone you know, such as your financial institution:

  • If you are not expecting links or attachments in an email or text, don’t click them.
  • If you notice typos, misspellings, or incorrect grammar, be very suspicious.
  • If the email states something that tries to “scare” you into taking quick action, immediately stop and think first. Then, contact the sender independently before clicking. The financial institution or retailer will appreciate being alerted to nefarious activity involving them. If it is legitimate, they will let you know that too.
  • Do a quick check of the URLs for important websites before entering personal information. Be 100% certain it’s where you want to be.
  • Before clicking anything you’re not certain about, do an independent verification by calling the sender before clicking. Be sure to use a number from a website you know is the right one or that you already have saved. Don’t use information sent in the email.

If any website offers 2FA or MFA, don’t hesitate to use it. Although they may not be the absolute security guarantee you hope for, any additional verification steps are always recommended.

Stickley on Security
Published March 11, 2019