Preventing P2P Fraud Pitfalls

The NCUA has provided some useful tips to keep money safe when using P2P apps:

  1. Question

Ask yourself if using a P2P payment app makes sense for your transaction. Use P2P payment apps only with people you know and trust, if possible. You should never have to transfer money to receive money from an app. If you are asked to do that, it’s a scam.

  2. Verify

Always double-check the recipient’s information to make sure you’re sending money to the right person, even if it is someone you know. A good practice is to have the intended recipient send you a request before you send the money.

  3. Review

Familiarize yourself with the fraud protection policies of the P2P payment app that you are using and understand whether and how you can recover funds if a problem arises.

  4. Reconsider

If your P2P app is linked to a checking account as a source of funds, consider linking instead to a credit card. A credit card provides added protection if you don’t receive the goods or services you purchased.

  5. Protect

Protect your payment app and log in with the strongest authentication available, like Face ID or Touch ID, two-factor authentication, a strong password, or a PIN. Turn off automatic login settings and set up notifications for all payment transactions.

  6. Contact

Never provide sensitive account information to someone on the phone or via links in an email. Legitimate customer service representatives will not ask for this information. If someone contacts you requesting this information, contact customer service directly to confirm. Scammers can spoof emails and phone numbers.


What is an Account Takeover (ATO)?


Account takeover is an attack in which cybercriminals take ownership of online accounts using stolen passwords and usernames. These cybercriminals then use these credentials to commit fraud. These bad actors purchase cardholders’ Personally Identifiable Information (PII) via the dark web—typically gained from social engineering, e.g., phishing, vishing, or smishing attacks (detailed below) or data breaches. Stolen PII (e.g., name, address, email, phone number, date of birth, business name, cellphone provider, social media and login accounts and passwords) provides the necessary credentials for a fraudster to pose as a cardholder. 

With this information fraudsters can engage with the cardholder’s financial organization and make changes to accounts or card settings to execute fraud. They may make demographic changes (e.g., phone numbers, emails, passcodes), or apply for increased limits, Personal Identification Number (PIN) changes and/or travel exemptions to suppress or interfere with our fraud-monitoring tools. 

The activities described above are most commonly associated with merchant data breaches described in media reports. However, in the case of account takeover, the stolen data is not obtained from a payment system.
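The sequence described above, a contact-detail change followed shortly by a limit increase, PIN change or travel exemption, is something a fraud-monitoring team can look for in its own account-event logs. The following is an added illustration, not code from the credit union or any vendor: the event names, the 24-hour window and the sample events are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class AccountEvent(NamedTuple):
    ts: datetime
    account: str
    kind: str  # hypothetical event names, e.g. "phone_change", "pin_change"


# Contact-detail changes a fraudster makes first, so later alerts reach them, not the cardholder
CONTACT_CHANGES = {"phone_change", "email_change", "passcode_change"}
# Follow-on changes that widen what the account can do or quiet fraud monitoring
FRAUD_ENABLING = {"limit_increase", "pin_change", "travel_exemption"}


def flag_takeover_patterns(
    events: List[AccountEvent], window_hours: int = 24
) -> Dict[str, List[Tuple[AccountEvent, AccountEvent]]]:
    """Return, per account, every (contact change, fraud-enabling change) pair in which the
    second event follows the first within window_hours. Accounts with no such pair are omitted."""
    window = timedelta(hours=window_hours)
    by_account: Dict[str, List[AccountEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)

    flagged: Dict[str, List[Tuple[AccountEvent, AccountEvent]]] = {}
    for account, evs in by_account.items():
        hits = []
        for i, first in enumerate(evs):
            if first.kind not in CONTACT_CHANGES:
                continue
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break  # events are sorted, so nothing further lies inside the window
                if later.kind in FRAUD_ENABLING:
                    hits.append((first, later))
        if hits:
            flagged[account] = hits
    return flagged


# Constructed sample events, not real account data
SAMPLE_EVENTS = [
    AccountEvent(datetime(2024, 3, 1, 9, 0), "acct-1001", "phone_change"),
    AccountEvent(datetime(2024, 3, 1, 9, 40), "acct-1001", "pin_change"),
    AccountEvent(datetime(2024, 3, 1, 11, 5), "acct-1001", "limit_increase"),
    AccountEvent(datetime(2024, 3, 2, 14, 0), "acct-2002", "email_change"),
    AccountEvent(datetime(2024, 3, 3, 8, 0), "acct-3003", "email_change"),
    AccountEvent(datetime(2024, 3, 6, 8, 0), "acct-3003", "pin_change"),
]

if __name__ == "__main__":
    for account, hits in flag_takeover_patterns(SAMPLE_EVENTS).items():
        for first, later in hits:
            print(f"{account}: {first.kind} at {first.ts} followed by {later.kind} at {later.ts}")
```

Only acct-1001 is flagged: its phone change is followed within hours by both a PIN change and a limit increase. acct-2002 changed an email address and nothing else, and acct-3003's PIN change came three days after its email change, outside the window. A production rule would add allow-listing for changes made in a branch with ID verification, but the pairing logic is the core of the detection.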


Schemes that Contribute to Account Takeover

Skimming and Malware

Skimming and deployment of POS terminal malware continue to be widespread methods for stealing data. Smaller, local merchants are now more likely to be compromised than in years past. Stolen data collected by POS malware is passed to criminal networks through remote, wireless technologies with increasing speed. By reacting to fraud events quickly, your organization can significantly mitigate losses.

Phishing

The prevalence of phishing (tricking cardholders into revealing confidential information) and its variants continues to rise. Phishing schemes are becoming more targeted (such as “spear-phishing”) and more difficult to identify than in the past. Instead of using only suspicious links in poorly designed emails, phishing emails now mimic legitimate websites and appear more polished and credible. The use of web address shortening tools, such as TinyURL, makes detection of suspicious links more difficult, even for savvy users. It is important to remind cardholders to safeguard their financial data and their online banking credentials against criminals trying to harvest them.

Vishing and Smishing

Smishing and vishing schemes use sophisticated methods combined with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers. Vishing is the fraudulent practice of making phone calls or leaving voice messages claiming to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. Cardholders may be sent a voice or text message with transaction details and a request that they confirm them. When they respond, they may be questioned for account details, or they may be asked to call back a number to provide account information. In some instances, they are sent a one-time passcode (OTP). The caller or text message then instructs the cardholder to reply “No Fraud” to the text or voice message.

It is important to be on the lookout for these kinds of fraudulent messages that disguise themselves as legitimate fraud notifications. Additional red flags of note include hyperlinks and grammatical and punctuation mistakes.
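The red flags listed in the phishing and smishing sections above (shortened links, a request to reply “No Fraud”, mention of a one-time passcode, a call-back number, urgency) can be turned into a simple triage check that a member-support or fraud team runs over reported messages. This is an added example, not code from the credit union or from any messaging vendor; the shortener domain list beyond TinyURL, the regular expressions, the two-flag threshold and the sample messages are all assumptions made for illustration. Grammar and punctuation mistakes, the other red flag named above, are left to human review here.

```python
import re
from typing import List

# The page names TinyURL; the other domains are assumed examples of common shorteners
SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd", "ow.ly"}

URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
REPLY_CONFIRM_RE = re.compile(r"reply\s+[\"“']?(no\s*fraud|yes|no)\b")
ONE_TIME_CODE_RE = re.compile(r"\b(one[- ]time\s*(pass)?code|otp|verification code|security code)\b")
CALL_RE = re.compile(r"\b(call|dial)\b")
URGENCY_RE = re.compile(r"\b(immediately|urgent(ly)?|suspended|locked|within \d+ (minutes|hours))\b")


def extract_domains(text: str) -> set:
    """Host names of every http(s) link in the message, lower-cased."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def score_message(text: str) -> List[str]:
    """Return the list of red flags present in a text or transcribed voice message."""
    lower = text.lower()
    flags = []
    domains = extract_domains(text)
    if domains:
        flags.append("contains_hyperlink")          # legitimate fraud alerts need no link
    if domains & SHORTENER_DOMAINS:
        flags.append("shortened_url")               # shortener hides the real destination
    if REPLY_CONFIRM_RE.search(lower):
        flags.append("asks_reply_confirmation")     # the "reply No Fraud" pattern
    if ONE_TIME_CODE_RE.search(lower):
        flags.append("mentions_one_time_code")      # OTPs should never be relayed to a caller
    if PHONE_RE.search(text) and CALL_RE.search(lower):
        flags.append("asks_callback_number")        # number supplied by the sender, not by the bank
    if URGENCY_RE.search(lower):
        flags.append("urgency_pressure")
    return flags


def classify(text: str) -> str:
    """Two or more flags is the assumed threshold for escalating a report as likely smishing."""
    return "suspicious" if len(score_message(text)) >= 2 else "low"


# Constructed sample messages, not real alerts or real phone numbers
SAMPLE_MESSAGES = [
    "FirstBank Alert: $482.19 charge at ELECTRONICS STORE on 03/01. "
    "Reply NO FRAUD if this was you, or call 555-013-2200 to dispute.",
    "Your account has been locked. Verify now: https://tinyurl.com/abc123",
    "Your one-time passcode is 448213. Do not share it with anyone.",
    "Hi, are we still on for dinner at 7? Send me that recipe link when you can.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{classify(msg):10} {score_message(msg)}  <- {msg[:50]}")
```

The third message, a plain OTP delivery, scores only one flag and stays "low": on its own it is what a real bank sends. It becomes a problem when it is paired with a message or call asking the member to read the code back, which is exactly the scenario the page describes and the reason the second recommendation below tells members never to share these codes.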

Malicious Software

Malicious software, including software that compromises account-holder computers locally via Man-in-the-Browser (MitB) attacks, is a significant threat to the security of financial data. Man-in-the-Browser attacks install malicious software in the background via “drive-by download.” This malware is then able to monitor and hijack user web sessions to transfer funds or harvest payment cards and online banking credentials, while redirecting the legitimate cardholder to a fictitious error page. This type of malware often deploys automatically when a user visits a compromised website.

Maintaining a secure, up-to-date operating system along with robust security and anti-malware software are critical first steps in preventing this type of fraud. Availability and deployment of automation and crime-ware are increasing in the card fraud world. Both all-in-one malware packages designed to compromise computer systems (e.g., Zeus, Citadel, Tilon) and individual tools able to crack passwords and to automatically carry out brute force attacks are available for purchase on underground websites and on criminal forums. Heavy reliance on one type of security tool or on older tools could lead to more fraud loss. We recommend a dynamic, multi-layered detection and prevention strategy.


Recommendations:

  1. Be aware of what information you are choosing to give out and never easily provide personal information.

  2. If you are concerned about an automated message, you should not respond to the call, text, or email. You should contact the company in question using the official customer service number or contact information listed on the company’s legitimate website. You should not contact any number provided by the fraud call or message and should not click on links in emails or text messages.

  3. Members should always keep two-factor authentication codes private. Do not provide them via phone, text, or email. These codes should only be used to sign into the banking, merchant, or payment account when you are trying to access it.



Report Fraud:

In October 2020 the FTC launched ReportFraud.ftc.gov, a site for people to report fraud and other illegal business practices. Reports from consumers are stored in the Consumer Sentinel Network, a secure online database available only to law enforcement.


IRS Identity Theft Awareness

The Internal Revenue Service (IRS) has launched its “Identity Theft Central” webpage to provide 24/7 access to online information regarding tax-related identity theft and data security protection. Tax-related identity theft occurs when someone steals personal information to commit tax fraud.


StayConnectedNH Launches Today, Sponsored by NH Credit Unions / Better Values - Better Banking

Isolated and vulnerable, more than 3 million older Americans are victims of financial abuse every single year.

Today, a new tool is added to the arsenal to protect New Hampshire’s vulnerable populations by raising awareness of financial exploitation in the Granite State: StayConnectedNH.org.