Security Center

Social Engineering

Social engineering is when someone tries to manipulate you into performing an action or sharing confidential information. Unfortunately, cybercriminals use social engineering to access computer systems, gather information or make money. Most successful social engineering attacks are caused by human error. If you familiarize yourself with common social engineering methods, you may be able to recognize and stay safe from an attempted social engineering attack. Cybercriminals can use several different methods to trick you with a social engineering attack – we are sharing three common methods below.

• Malicious Links: Cybercriminals may use malicious links to trick you into downloading dangerous software or opening an unsafe webpage. They may send you a phishing email, which is an email that may try to convince you to share sensitive information, click an unsafe link, or download a malicious attachment. For example, you could receive an email that contains a link to access shipping information for an order. Because the email seems legitimate, you may be tempted to click the link. Then, the link could download malicious software that allows the cybercriminal to control your computer. 
• Vishing: Vishing (phone-based phishing) involves one spoofing their phone number to appear the call is originating from wherever they please. It is a method commonly used to steal personal information from individuals as well as businesses. Many fraudsters are spoofing their phone numbers to make it look like a call is coming from the victim’s financial institution (like a credit union). When the member answers the call they are told they need to confirm suspicious debit card transactions. The fraudster will then ask the victim to verify their CVV2/CVC2 code on the back of the card as well as the expiration date. Often, fraudsters will already have a copy of the victim’s card and need this information to reset their PIN number. Once they reset the PIN number, they are free to withdraw from the victim’s account.
• Fake Web Pages: Cybercriminals may create fake web pages to trick you into logging into the page or entering sensitive information. For example, you could receive a phishing email that contains a link to log in to LinkedIn. Because the email seems legitimate, you may be tempted to click the link and enter your login credentials. Once you’ve entered your login credentials, the cybercriminal can log in to your LinkedIn account, view your personal information, and change your password so that you can’t access your account.
• Impersonation: Cybercriminals may impersonate a celebrity or someone you know to trick you into revealing sensitive information, clicking an unsafe link, or downloading a malicious attachment. For example, you could receive a phone call from a cybercriminal posing as your internet provider. The cybercriminal could tell you that your monthly payment is overdue and mention your account number and date of birth. Because the call seems legitimate, you may be tempted to provide your payment information. Keep in mind that impersonation attacks can also occur over email, text message, or social media. Some scammers even use this tactic to take advantage of people in financial need by impersonating local government and directing you to click a link for more information and receive financial assistance. If you click the link, you are taken to a phony government website that will ask for your personal information including your social security number. Don’t be fooled! Anything you enter here is sent directly to the cybercriminals. Should you receive a St. Anne's text message claiming information about a direct deposit payment, please DO NOT click the link and delete immediately.

tIPS FOR sTAYING sAFE FROM sOCIAL eNGINEERING

• Review official government websites and trusted news sources.
• Before clicking a link, hover your mouse over the link to make sure that the link is secure and matches the website you’re looking for. 
• Never click on a link in an email that you weren’t expecting - even if the sender appears to be a legitimate organization. Instead, navigate directly to the website by entering the URL into your address bar. 
• Before sharing sensitive information such as your birth date or your payment information, verify that the source you’re sharing the information with is legitimate. Make sure that the website that you are on is correctly spelled and not mimicking a well-known brand or company. To be on the safe side, also make sure the website starts with https:// before entering any personal information.
• An excess of spelling, punctuation, capitalization, and grammar mistakes can indicate that a website is fake, as it was put together fairly quickly with no regard for professionalism.
• Use another means of communication to reach out to the sender, such as calling their official phone number—not the one listed in the suspicious email.
• Walk away from deals that are too good to be true. Some retailers will discount older merchandise but if the latest item is also heavily discounted, walk away. It’s probably too good to be true!
• Simply, never give any personal information over the phone. St. Anne’s will never request this information from you, nor would we ever need it. If you receive a phone call requesting these details from you, just hang up. Still unsure? Call the credit union directly to confirm the legitimacy of the call.
• Monitor your account activity through Online or Mobile Banking and report suspected fraudulent transactions
• Sign up for free SecureAlerts from St. Anne's to set up customized, real-time account notifications to know instantly when something important happens on your account through texts, push notifications emails or Online Banking Messages. Click here to register today.

St. Anne's takes your privacy and security very seriously. If you think you've been a victim of fraud, contact us immediately at 1.877.STANNES.

ReVerse Instant Payment

Reverse instant payment scams occur when cybercriminals trick victims into sending them money through digital payment apps such as Venmo^®, Zelle^® and PayPal^® that allow users to instantly send funds from their bank accounts to other registered users, needing only the other user's phone number or email address. Cybercriminals will send their victims what appear to be automated text messages asking them if they have attempted to make an instant payment. When the victim replies "No" to the text, they then receive a reply saying that their financial institution's fraud specialist will be contacting them shortly. Cybercriminals who sound credible will then call the victim claiming to be fraud specialists, using sophisticated technology to have their caller ID appear to be the victim's financial institution's legitimate toll-free number. The cybercriminal will then tell the victim to secure their digital payment app account by removing their email address as the cybercriminal proceeds to add the email to an account they control so that when they ask the victim to send another instant payment to themselves over the app in order to "reverse" the payment referenced in the original text message, the payment goes to the cybercriminal rather than back to the victim.

Here's how you can spot a potential reverse instant payment scammer:

• You receive unsolicited requests to verify account information
• You are asked to transfer funds between accounts in order to prevent/reverse fraud - legitimate financial institutions like St. Anne's will never ask you to do that
• Unsolicited callers try to establish credibility by providing your personal information such as Social Security Numbers and past addresses - many criminals have gathered such information through large-scale data breaches over the past decade, so don't let this strategy fool you

Call St. Anne's directly at 1.877.STANNES if you receive an unsolicited request to verify account information - do not simply reply to unsolicited text, phone call or email requests.

For more details on reverse instant payment scams, please refer to the Federal Bureau of Investigation's (FBI) Public Service Announcement here.

Protect yourself during online transactions

Technology has brought us easier ways to bank, shop, sell, and manage our day-to-day lives. It’s also brought forth fraudsters who are using sophisticated technology to defraud you.

Protect yourself when shopping online:

• Review your credit card transactions often
• Create transaction alerts
• Avoid public Wi-Fi
• Verify that the websites you are visiting start with “HTTPS"
• Validate social media deals
• Set strong passwords

Beware of purchasing scams when selling items online as well. It is a “red flag” when anyone responds to your posting or ad wanting to pay more for the item. The buyer offers to use a cashier's check, personal check, or corporate check BUT at the last minute, comes up with a reason for writing the check for more than the sales price. They ask you to wire back the difference after you deposit the check. However, when you deposit the check and after you have already wired the funds back, you find out that the check bounced leaving you liable for the entire amount.

protect yourself when selling online:

• Don't accept a check for more than your selling price, no matter how tempting. Ask the buyer to write the check for the correct amount. If the buyer refuses to send the correct amount, return the check. Don't send the merchandise.
• If the buyer insists that you wire back funds, end the transaction immediately. Legitimate buyers don't pressure you to send money by Western Union or a similar company. In addition, you have little recourse if there's a problem with a wire transaction.

Learn tips, tools, and strategies to protect your money and your technology:

Consumer Online Safety - Federal Trade Commission (FTC)

Identity Theft

Identity theft is the fastest growing crime in America today. It happens when fraudsters willfully and wrongfully obtain and use your personal data to defraud you. Learn how to protect yourself from becoming a victim.

• Consumer Protection Information - Federal Trade Commission (FTC)
• Identity Theft - Federal Trade Commission (FTC)
• Identity Theft - Protecting Your Identity and Safeguarding your Financial Information

Business Security

Running a successful business involves identifying and managing all kinds of risk. To help you protect your business from fraud and other security risks, St. Anne’s provides these helpful articles to take care of your business.

Corporate Account Takeover - Mass.gov