New American Express Phishing Attack

New American Express Phishing Attack

A new form of phishing attack has recently targeted Amex cardholders and is more sophisticated than what experts have seen in the past. A phishing attack can arrive via email, text, social media message or even as a phone call and appears to be coming from someone you know (a person in your contact list or a company that you regularly interact with, such as your financial institution). According to the Identity Theft Resource Center, “the link embedded in the current American Express phishing attack comes via email and is two different parts. This way the hacker can insert malicious code into the link while also confusing the recipient’s antivirus software. Instead of warning about a harmful link, the software does not recognize it as malicious.”

 

How can you tell if an email is a phishing scam? The Amex email itself was very typical of a phishing attack – it was filled with grammatical errors including spelling and punctuation mistakes. Along with being on the lookout for language errors, here are some additional tips to keep in mind:

 

– Verify that the information is legitimate. If an email comes from your supervisor, call them and make sure. If an email comes from a company that you regularly do business with, ignore it and go directly to their website and check your account.

– Don’t click on a link or download an attachment from an email or message that you aren’t expecting.

– Double-check the sender’s address or the website address. For example, if it says, “AmazOn.com,” it is probably fake.

– Remember that caller ID is not trustworthy.

 

If you think you have received an American Express phishing email, don’t click on any of the links. The company suggests that you forward it to spoof@americanexpress.com so they can act to close down the phishing link. After the email is forwarded, delete it from your inbox.

 

Please call Guard Well Member Services at 888.966.4827 (GUARD) or email memberservices@guardwellid.com if you feel you have been a victim of identity theft. We are always available for you – 24/7/365.

 

 

Two-factor Authentication Phishing  Scam

Two-factor Authentication Phishing Scam

Have you tried to log into an account of yours, such as your insurance or financial institution, and been told to confirm your identity in order to keep your credentials safe? You then receive a code either via text or email which is required for you to enter. Also known as 2FA, this SMS multi-step process has been the trusted security step to protect your accounts … until recently.

 

Unfortunately, there is an automated phishing attack on 2FA, which utilizes two tools: Muraena and NecroBrowser. Reported by Fortune, “The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber and NecroBrowser as the getaway driver.”

 

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2nd bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.

 

So, what do you do? Do you still want to utilize SMS-based 2FA for your accounts? For the most part, the answer is yes.

 

Think of it like this. Say you want to put a lock on your front door to protect your home. Security professionals are arguing that the best type of lock available is way better than cheaper locks. Sure, makes sense. But if that more expensive lock isn’t available to you, isn’t having a cheaper lock still better than not having a lock at all?

 

As discussed on How-to-Geek’s website, there are some people who are more likely than others to be targeted by sophisticated hackers and should avoid using this SMS-based 2FA. For example, if you’re a politician, journalist, celebrity, or business leader, you could be targeted. Also, if you’re a person with access to sensitive corporate data, such as a system administrator, or just very wealthy, SMS may be too risky.

 

But, if you’re the average person with a Gmail or Facebook account and no one has a reason to spend a bunch of time getting access to your accounts, SMS authentication is fine and you should absolutely use it rather than using nothing at all.

 

If you suspect that your login credentials have been compromised, change your passwords as quickly as possible and report the website to the FTC and/or your identity theft resolution provider.

 

Sources:

https://conference.hitb.org/

https://Howtogeek.com/

 

 

Preventing a Mortgage Closing Scam

Preventing a Mortgage Closing Scam

Searching for a new home, can be as exciting as it is stressful, tedious and time-consuming. It will likely be one of your most memorable life moments, especially for first-time buyers. So when you do find that perfect home for you, your bid is accepted and the inspection comes back great, you and your family celebrate and start down the long check-list of things to do prior to your move.

 

As that closing date approaches, unfortunately, the risk of being a victim of a phishing scam does as well. The ultimate cost could be the loss of your entire life savings and there is usually not an insurance policy that will recover your money if this happens to you.

 

The FBI has reported that scammers are increasingly taking advantage of homebuyers with very complex, sophisticated schemes with reports of mortgage fraud rising over 1,100 percent each year. There was an estimated loss of nearly $1 billion in real estate transaction costs in 2017 alone.

 

How would mortgage fraud happen to you? Mortgage fraud, a sub-category of financial institution fraud (FIF), typically starts with a phishing email that appears to be coming from a trusted professional involved in your property purchase. The email claims to be notifying you of changes to your wiring instructions or that they had made a mistake and previously discussed the wrong wiring instructions with you. Wire fraud is so prevalent that many attorneys, lenders and realtors are starting to include a warning about it in their emails. “We do not accept or request wiring instructions or changes to wiring instructions via email. Always call to verify.” But, be wary that even phone conversations may be fraudulent.

 

What can you do to prevent mortgage fraud from happening to you? Consult the Consumer Financial Protection Bureau’s Mortgage Closing Checklist. Identity two trusted individuals involved in the closing process and have multiple ways for you to contact them. Real estate professionals suggest that you create a code phrase that is only known to the trusted parties involved in the transaction in case there is a need to confirm their identities in the future. Be mindful that email is never a secure way to send financial information or closing details.

 

What if mortgage fraud happens to you? Try to ask for a wire recall with your financial institution. Being swift in reporting the crime can greatly increase the likelihood of recovering your funds. Report the fraud to your identity theft resolution provider. Lastly, file a complaint with the FBI.

 

 

Sources:

https://www.fbi.gov/investigate/white-collar-crime/mortgage-fraud

https://consumerfinance.gov

 

Photo credit:

Tierra Mallorca via Unsplash