Look Before You Pump! Be Careful When You Use Your Card At The Gas Station

How many times a month do you fill ‘er up? It’s a mindless chore, but did you know it can also be the beginning of a financial nightmare? Gas pump skimming is an old crime that’s made a comeback – and your debit card may be at risk.

Every day, 29 million Americans pay for fuel using a credit or debit card. However, compromised pumps with skimming devices installed by scammers have recently been found in several states.

Since these skimmer devices are almost invisible, they can be really difficult to spot, enabling them to easily capture the information of up to 100 cards a day! And, thanks to Bluetooth technology, the criminal doesn’t even need to return to the scene of the crime to collect the data their skimmer has obtained; it can all be done remotely from as far as 100 yards away.

Yes, EMV-enabled technology has become more commonplace, but gas stations were given until 2020 to update their payment systems. This makes them even more vulnerable to such hacks.

Protect yourself against this heinous hack by arming yourself with all you need to know about card skimmers.

How it works
Hackers choose their gas pumps wisely. They usually opt to outfit the one that is farthest from the on-site convenience shop. This way, their activity is out of the range of any security cameras at the shop’s entrance. The hacker will then place a skimming device on top of the pump’s card reader. It will usually look identical to the existing reader, with only a few hard-to-spot differences.

Sometimes, hackers may place a skimmer inside the pump itself. This task can be done in less than a minute. The hacker can then leave the area and access all the data being collected by the skimmer, with no one being the wiser.

Choose your payment method wisely
You may consider giving yourself extra protection by using a credit card or cash to pay at the pump. A credit card may be compromised just like a debit card, but you can easily dispute fraudulent charges made on your card. Depending upon your financial institution, your debit card may offer minimal purchase protection.

If you want the safest payment method, cash is a good bet. However, remember that cash cannot be replaced if lost or stolen.

How to spot a skimmer
If you don’t like the idea of carrying around wads of cash, you can still protect yourself against skimmers. Use caution while at the pump, and learn how to spot a skimmer. If something looks suspicious, move on to the next pump and report your findings to the local police as well as the gas attendant on duty.

4 ways to spot a skimmer:

  • Use your eyes. Check out the card reader very carefully. Do the numbers on the PIN pad look raised? Do they look newer or bigger than the rest of the machine? Does anything look like it doesn’t belong? Is the fuel pump’s seal broken?
  • Check the tape. Many gas stations place serial-numbered security tape across the dispenser to protect their pumps from skimmers. If the tape has been broken, or there’s no tape on the dispenser at all, it may have been compromised.
  • Use your fingers. Feel the card reader before sliding your card into the slot. Do the keys feel raised? Is it difficult to insert your card? These are both red flags that the card reader may have been fitted with a skimming device.
  • Use your phone. There are several free anti-skimming apps you can install on your phone, such as Skimmer Scanner. Using these apps, you can scan a card reader for a skimming device and get an alert if one is detected. You can also check your phone’s Bluetooth to see if any strange letters or numbers appear under “other devices.”

General card safety
It’s always a good idea to practice general safety when using a card to pay at the pump.

Choose the pump that is closest to the store and always cover the number pad with your hand when inputting your PIN. If you haven’t yet updated to a chip card, now’s the time to do so. It’ll offer you an extra layer of protection. It’s also a good idea to periodically check your account statements for suspicious charges.

Your Turn:
How do you pay at the pump? Why do you choose this method? Share your thoughts with us in the comments!


All You Need To Know About Smishing Scams

Text messaging has come under attack as one of the most vulnerable mediums for identity theft and more. Here’s what you need to know about an SMS message-based scam called “smishing.”

How it works
Smishing scams use text messages to establish contact with the intended victim to later access their personal information.

The scam begins with a supposedly urgent text appearing to be from the victim’s financial institution. The text may claim that the victim’s checking account is locked, or that there has been an unauthorized purchase charged to the victim’s account. The scammer will warn that immediate action must be taken.

The victim is then instructed to call a specified number and, upon doing so, will be asked to share their financial information. Once they’ve got their hands on this info, the scammer is free to steal the victim’s identity, empty their accounts or go on a shopping spree on the victim’s dime.

Who are the victims?
Smishing scams primarily target people who do their banking online, but fraudsters will use any cellphone number they can find. If you own a checking account and a cellphone, you are a candidate for a smishing scam.

Recognizing smishing scams
Your credit union will not alert you of a possible fraud or account lockdown via text; we prefer more personal means to help you know it’s us.

Also, the phone number the smishing text instructs you to call is not ours. You can reach us at 734-676-7000. If you’re told to contact us at a different number, it’s not us you’re calling!

You can also spot the smishing scam just by looking at the phone number. The text will often appear to come from a number that is obviously fake.

If you’ve been targeted
If you receive a suspicious-looking text, do not engage the texter! Jot down the scammer’s number and delete the message. Let us know about the smishing attempt, tell all your friends and alert the FTC.

If you’ve fallen for the scam and your accounts have been compromised, alert your credit card companies and be sure to let us know, too.

Protecting yourself
  • Always use two-factor authentication for banking apps and sites.
  • Use strong and different passwords across your accounts and apps.
  • Ignore all text messages from unknown numbers.

Don’t let those crooks get their hands on your money!

Your Turn:
Have you been targeted by a smishing scam? Tell us all about it in the comments!


Beware Tech Support Scams!

You’re always putting yourself out on a limb when you call tech support. You dial the number the company gives you, and perhaps after a while of waiting, you’re connected to someone who may be working on the other side of the world in a completely different time zone. Then you’re asked to give this anonymous person identifying details about your phone or computer and the technical problems you’re experiencing.

Of course, you’re fairly certain the speaker works for your device’s company and you believe it’s perfectly safe to share this information. At the very least, they have contracted with this individual and are tracking their service.

All of that gets a little riskier when you’re asked to allow the tech support agent to have remote access to your device. This step is sometimes necessary to fix the glitch, but it can also be unnerving. Suddenly, it’s as if an invisible person has taken over your screen. Letters you haven’t typed are showing up on the display and the cursor is flying all over the screen, even though you haven’t touched the mouse.

You’re essentially letting someone have free access to a device that houses some of your most personal information. Yikes!

And that’s exactly what tech support scammers are looking for with their nefarious hacks. It’s truly as awful as it sounds: In these scams, fraudsters contact victims and trick them into granting the scammer access to their computers. The crooks may reach out to people through a phone call, insisting the victims have a virus or another problem they’ve somehow detected from the company’s headquarters. Alternatively, they’ll send a popup to the victim’s computer which will flash dire warnings about an impending or existing virus that can be “fixed” by clicking on a link.

There are several outcomes of such tech support scams, none of them good. Sometimes, a scammer will trick you into installing malware on your computer, claiming you have to click on a link in order to heal your computer of its ills. Other times, they might sell you expensive “software” by making the same false claims. Still other times, they’ll direct you to a bogus tech support website where you’ll be asked to input your credit card information. And they’ll oftentimes simply help themselves to the sensitive data they find on your computer and then wreak havoc on your financial life.

Federal Trade Commission (FTC) Scams
Tech support scams are nothing new, but a recent wave of these scams has taken on an ironic twist. The very organization that leads the battle in taking down scammers is being exploited for a particularly heinous hack.

Scammers posing as FTC employees are calling victims, asking for remote access to their computers. They assure victims they can help restore any affected devices to their previous working conditions. Many of them are claiming to represent the FTC’s Advanced Tech Support Refund program.

This program was created to help victims of previous scams collect their refund money from the FTC. The scammers will convince the victims that they are moments away from seeing their money – they just need to provide the alleged FTC employee with remote access to their computer. They may also ask for an upfront payment before the refund can be issued or for checking account information, claiming it’s necessary for the refund to clear.

Of course, none of this is true and the caller has never worked for the FTC. In fact, the FTC will never request remote access to your device or ask you to pay to receive a refund. Also, their refunds are sent in check form via snail mail, and do not require any checking account information at all.

The FTC has alerted the public that the only genuine number to call for information about the Advanced Tech Support Refund program is 877-793-0908. If someone calls you on their own, assume it’s a scam. End the call immediately and report the incident to the FTC.

Recognizing Tech Support Scams
As mentioned, the tech support scams in which fraudsters impersonate the FTC are easy to spot if you know this basic information about the FTC: They will never request remote access to your computer, ask for payment in exchange for a refund, or reach out to you on the phone.

Here’s how to prevent other variations of tech support scams:

  • Never click on a pop-up box that claims your computer has a virus and offers to clean it. This will only infect your computer or grant a scammer remote access to your device.
  • Always call tech support on your own; if they call you, especially if you’re not aware of any problem with your computer, hang up as quickly as you can.
  • Never agree to purchase expensive software online to fix an alleged virus.
  • If you think you’ve been scammed, tell everyone you know about it and be sure to alert the FTC. Let’s do our part to put those crooks out of business for good!

Your Turn:
Have you ever been targeted by a tech support scam? Share your experience with us in the comments!


Ransomware And Mobile Devices

One moment, you’re surfing the internet. A minute later, a pop-up shows your files have been taken hostage and that you’re required to pay a $300 ransom to have them released back to you. You stare at the screen in disbelief. How is this possible, especially considering you are on your mobile device?

Ransomware – malware that gets into your computer system and blocks access to your files until a ransom is paid, all while stealing your payment information – has become more prevalent among PC users. These attacks used to focus solely on PCs, but they are now adapting to include mobile devices. That’s right, the very same mobile devices you use to access your credit union accounts to check balances, transfer funds and make payments.

One example of Russian-based mobile ransomware is “Svpeng.” It focuses on infecting mobile phones and mobile banking applications. When the banking application is opened, the malware displays a phishing window over it. This overlay attack is used to steal online banking information, as the malware pretends to be the application’s login screen. The user enters login and password information, which is then stolen by the hackers. Once they have access to the account, they can control it. Svpeng also phishes through Google Play if it is installed on the mobile device.

This tactic also involves SMS messages being sent to two Russian banks to determine if the phone number of the device is connected to any payment cards. If a card is indeed connected to a number, the hackers use commands through the device to transfer the victim’s money into their own accounts. While Svpeng has currently been seen only in Russia, it is expected to expand into other countries; one of the features of the ransomware checks the mobile device’s language settings to determine the appropriate language to use for the attack.

As time goes on, other PC-based ransomware programs may also be adapted for mobile devices, or more ransomware programs that are specifically designed for mobile devices may be created. Hackers are always looking for ways to evolve their tactics in hopes of stealing more information and making immediate profits. Svpeng, for example, had 50 modifications to its malware within a three-month period.

How does this type of malware get onto a PC or a mobile device? It could be through a “drive-by download” where malicious software is downloaded without the user even knowing about it. This happens as the user surfs the internet without a care, yet comes across a compromised webpage or clicks to a website through an HTML-based email. It could have been downloaded through a phishing email, which appears to be from a credit union, yet is a fake email linking to a compromised webpage. The ransomware could also come through an email attachment that is malicious.

After the infection occurs on the mobile device or PC, the overlay or ransomware tactics are used as was described with Svpeng. That way the hackers can either directly steal the login and password information when the credit union account is accessed, or the user is blackmailed by a direct ransomware attack to send money to unlock the mobile device.

Many of the ways ransomware can be prevented from infecting a PC are the same for prevention on a mobile device. Make sure data on a mobile device is regularly backed up. This will help with recovering information if the device is hijacked. Make sure an antivirus program is running on the mobile device. Follow safe web browsing habits. Block suspicious emails.

Don’t download data or apps from questionable sources. Don’t “jailbreak” a device where built-in controls and security features are overridden; this removes an additional layer of protection against ransomware attacks.

If you think your mobile device has become a victim of ransomware, you can try to remove it by running a virus scan through mobile antivirus software. Don’t pay any ransom because it won’t guarantee the release of your data and you are giving additional payment information to the hackers. If none of these work, talk with your mobile device or cellular provider or their tech support. Of course, notify your credit union to monitor your accounts for any potentially fraudulent activity.