Merchants Bank of Commerce

Alerts & Scams

Identity theft occurs when someone uses your personally identifying information, such as your name, Social Security number, or credit or debit card number, without your permission to commit fraud or other crimes. Identity theft can happen to anyone, but there are steps you can take to minimize your risk of becoming a victim.
Scam of the Week - The information provided below belongs to and is provided by KnowBe4 and is intended for informational purposes only
April 30, 2021: Voice Changing “Catphish”
In a recent phishing attack that targets single men, cybercriminals show us how they use modern technology to trick their victims. The scam starts with the cybercriminal posing as a single woman and befriending their target on social media. Then, they start building rapport with the target through various interactions. Eventually, the cybercriminal sends audio messages with a woman’s voice to convince their target that they are who they claim to be.

The target doesn’t know it, but the cybercriminal is actually using voice-changing software to disguise their true identity. If the target falls for the fake audio messages, they receive a video file of their newfound love interest. Except the file is actually a dangerous piece of malware designed to grant the cybercriminals access to the victim’s entire system.
 
This tactic isn’t exclusive to romantic scams, so be sure to remember these tips:
 
  • Keep your social media accounts private and only accept friend requests from people that you know and trust.
  • If you meet someone online, be sure to verify their identity. You could use a search engine to find their other social media profiles or simply ask to have a video call to make a face-to-face connection.
  • Remember that cybercriminals can use more than just links within emails to phish for your information. Always think before you click!
April 23, 2021: Tricky PDF Files
Cybercriminals have a new favorite phishing lure: PDF files. A PDF is a standard file type that presents text and images in their original format regardless of which program you use to open the file. Unfortunately, this makes the use of PDFs a great way for cybercriminals to get creative and trick victims into clicking on malicious links.

One common tactic for phishing with PDF files is to include an image that looks like something that you should interact with. The PDF may include a fake captcha image with the “I am not a robot” checkbox. Or the PDF may include an image of a paused video with a play button over the display. If you try to click the captcha checkbox or play the phony video, you’ll actually be clicking a link to a malicious website.
 
Don’t fall for these tricks! Remember the following tips:
 
  • Never click or download an attachment in an email that you were not expecting.
  • Remember that cybercriminals can use more than just links within emails to phish for your information. Always think before you click!
  • If you receive a suspicious email, be sure to contact your IT department or follow the specific procedure for your organization.
April 16, 2021: Advanced Phishing Hidden in Plain Text
Cybercriminals are using advanced tactics to disguise dangerous malware as harmless text files. Using a phishing email, the bad guys try to trick you into downloading a file attachment named “ReadMe_knl.txt”. Typically, files ending in .txt are plain text documents that can be opened in any text editing software. But in this case, the cybercriminals use a trick called Right-to-Left Override (RLO) to reverse part of the file name.

The true name of the attached file is “ReadMe_txt.lnk.lnk”. It is not a plain text document but a command that instructs your computer to download the bad guy’s malware. Once the malware is installed, cybercriminals have complete access to your system. They can access everything from your browser history to your cryptocurrency wallet, and they can even take photos using your webcam.
 
Advanced phishing tactics can be intimidating, but you can stay safe by practicing the tips below:
 
  • Remember that bad guys can disguise anything, even file types.
  • Never click a link or download an attachment in an email that you were not expecting.
  • When in doubt, reach out to the sender by phone to confirm the legitimacy of the email.
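
For mail administrators, the check below is an added example (not part of the KnowBe4 alert or the bank's page) that flags attachment names hiding their real extension behind a Right-to-Left Override. The sample name is constructed so that it renders as the name shown in the alert; the position of the override character and the list of risky extensions are assumptions.

```python
# Added example: flag attachment names that use Unicode bidirectional
# control characters to disguise the real file extension (the RLO trick).

BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"

# Assumption: extensions a mail gateway would treat as executable content.
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


def strip_controls(name):
    """Return the name as the operating system stores it, minus bidi controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate what a left-to-right UI displays.

    Simplification of the Unicode bidi algorithm: text after an RLO is drawn
    reversed until a PDF character or the end of the name.
    """
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue  # invisible, contributes nothing to the display
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def extension(name):
    """Lower-cased text from the last dot onward, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def inspect_attachment(name):
    """Compare the extension the user sees with the one the system will use."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    real_ext = extension(strip_controls(name))
    shown = rendered_name(name)
    shown_ext = extension(shown)
    if shown_ext != real_ext or real_ext in RISKY_EXTENSIONS:
        verdict = "block"      # disguised or executable attachment
    elif controls:
        verdict = "review"     # bidi controls present but extension is honest
    else:
        verdict = "ok"
    return {"shown": shown, "real_ext": real_ext, "shown_ext": shown_ext,
            "controls": controls, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: renders as the name quoted in the alert.
    for sample in ("ReadMe_\u202etxt.lnk", "report\u200f.pdf", "invoice.pdf"):
        print(repr(sample), inspect_attachment(sample))
```
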
April 9, 2021: Classic Facebook Phishing
While cyber threats continue to advance in new and intimidating ways, classic phishing methods are still a favorite among bad guys. Let’s take a look at a recent Facebook-themed phishing attack and see if you can spot the red flags:
 
The email appears to come from Facebook and starts with “Hi User”. The body states that there is an issue with your account that you must log in to resolve. The email includes a link to “verify” your account and ends with the line “This link will expires in 72 hours, We appreciate your attention to this matter.” If you click the link, you are taken to a phony look-alike Facebook login page. Any information that you enter on this page is delivered straight to the bad guys.
 
How many red flags did you see? Remember the following tips:
 
  • Question everything. For example, your name is part of your Facebook profile, so why is the email addressing you as “User”?
  • Look for a sense of urgency. In this example, the email gives you 72 hours to verify your account. Remember, the bad guys rely on impulsive clicks.
  • Pay close attention to the grammar and capitalization. For example, the words “This link will expires in...” should be “This link will expire in...”. Also in that same line, the word “We” is in the middle of a sentence, so this should be lowercase.
April 2, 2021: Instagram Influencer Scams
As the name suggests, an influencer is someone whose opinions influence a large social media audience. While influencers usually attract sponsorships from legitimate brands, these accounts can also be used as a tool for cybercriminals.
 
Instagram influencers often host special giveaways to raise brand awareness. Typically followers are asked to comment on the post for their chance to win. Unfortunately, bad guys then use these comments to target their victims. You may receive a message from someone spoofing the influencer’s account or claiming that they work with the giveaway host. Then, you are told that you won the giveaway, but that you need to pay a shipping fee or provide some personal information. Any information provided goes straight to the cybercriminals.
 
Don’t fall for it!
 
Here are some tips to stay safe from influencer scams:
 
  • The technique could easily be used on any social media platform. Be skeptical of anyone who contacts you that you don’t know personally.
  • This attack exploits your excitement of winning a prize to get you to act impulsively. Don’t let the bad guys play with your emotions.
  • Remember that cybercriminals use more than just emails to phish for your information. Always think before you click!
March 26, 2021: Malicious Mobile Apps in Disguise
Google recently removed a number of dangerous mobile applications (apps) from the Google Play store. These were disguised as generic VPN and audio control apps that appeared to be safe, but once installed, they tricked victims into allowing downloads from untrusted sources.

If you download a disguised app and fall victim to this scam, a dangerous piece of malicious software (malware) is installed on your device. The malware adds malicious code into your financial apps, giving the bad guys access to your banking and credit card accounts. Over time, cybercriminals use this malware to gain complete control over your device and use it however they please.

This is not the first time that malicious apps were found on Google Play or on the Apple app store—and it won’t be the last. When you download applications, remember these tips:

  • Read reviews and ratings for the app. Look for reviews that are critical or reviews with three stars or less, as these are less likely to be fake.
  • Avoid apps with few or no reviews and apps that have a low number of downloads.
  • Only download apps from trusted publishers. Remember, anyone can publish an app on official app stores—including cybercriminals.

March 19, 2021: Scammers Use FINRA as Phish Bait
Earlier this month, cybercriminals impersonated the largest brokerage regulation company in the US: the Financial Industry Regulatory Authority (FINRA). Seeing such a vital organization be used as phish bait is chilling. Fortunately, if you know what to look for, this scam is easy to spot!

The phishing email starts with the vaguely-startling subject line “ATTN: FINRA COMPLIANCE AUDIT”. The email is sent from supports[at]finra-online. The email asks you to review an attached document and respond immediately. The short email message closes with, “If you've got more questions regarding this letter don't hesistate to contact us.” Anyone who falls for this scam and downloads the attachment will find that the file is actually a nasty piece of malicious software.

Here’s how you can stay safe from similar attacks:

  • By asking for your immediate response regarding an audit, the bad guys create a sense of urgency. These scams rely on impulsive actions, so always think before you click.
  • Watch for poor spelling and grammar in supposedly-official messages. Did you catch the spelling error in the example above? The word “hesitate” is misspelled as “hesistate”.
  • Check who sent the email. In this case, while the email address included the name FINRA, it did not use the official FINRA.org domain.
March 12, 2021: LinkedIn File Sharing Scam
LinkedIn is a networking site used to connect with colleagues, employers, and other business contacts. Even though LinkedIn is designed for professionals, it is just as vulnerable as any other social media platform.
 
In a recent scam, cybercriminals use stolen LinkedIn accounts to message the contacts of those accounts. The message includes a link to a “LinkedInSecureMessage”—which is not a service that LinkedIn provides. The link takes you to an official-looking page that includes the LinkedIn logo and a “View Document” button. If you click the button, a phony LinkedIn login page opens. Information entered on this screen will be sent straight to the cybercriminals who will likely sell your account for use in similar social networking scams.
 
Don’t fall for it! Remember these tips:
 
  • Stay up-to-date on which features your accounts and platforms offer. For example, LinkedIn does not offer a file sharing feature.
  • Never trust a link in a message that you were not expecting. If you think the notification could be legitimate, reach out to the sender by phone to be sure.
  • Remember that cybercriminals use more than just emails to phish for your information. Always think before you click!

March 5, 2021: Shipping Scam Spoofs “Dhl Express”
Many of us are used to receiving messages from shipping companies, so cybercriminals use similar emails as phish bait. Let’s take a look at a recent shipping-themed phishing attack and see if you can spot the red flags:
 
Sent from “Dhl Express”, the email claims that you have something waiting for you at your local post office. The message states “To receive your parcel, Please see and check attached shipping documents.” and it includes a .html file as an attachment. If you open the attachment, a web page displays that looks like a blurred-out Excel spreadsheet. Covering this blurred image is a fake Adobe PDF login window with your email address already populated in the username field. If you enter your password and click “View PDF Document” your email address and password will be sent straight to the bad guys.
 
How many red flags did you see? Remember the following tips:
 
  • Look for poor grammar and capitalization. For example, the sender name “Dhl” should be “DHL”. Also, in the body of the email, the word “Please” is in the middle of a sentence, so this should be lowercase.
  • Check the file type. The email attachment is a .html file, but most legitimate documents are shared as PDFs, spreadsheets, or Word documents. HTML files are designed to be opened in a web browser, much like a link to a website.
  • Watch out for anything out of the ordinary. An Adobe PDF login window blocking what appears to be a Microsoft Excel file is quite unusual.
February 26, 2021: Exploiting the Coronavirus: Vaccine Invitation Scam
Access to the COVID-19 vaccine is limited, which leaves many people anxiously waiting for a way to further protect themselves from the virus. Cybercriminals are taking advantage of this anxiety with vaccine-themed phishing emails.
 
A recent phishing attack in the UK spoofs the National Health Service (NHS). The phishing email claims that you have the opportunity to get vaccinated and it includes a link to accept the invitation. If you click on the link, a convincing NHS look-alike page opens. The phony site asks for personal information such as your name, address, and phone number, along with your credit card and banking details. Unfortunately, any information that you provide here goes straight to the cybercriminals and you are not in line for vaccination.
 
Follow these tips to stay safe from similar scams:
 
  • We all want the pandemic to be over and this attack tries to exploit those feelings. Don’t let the bad guys toy with your emotions. Think before you click!
  • Don’t trust an email. Visit an official government website or a trusted news source for information on vaccine availability.
  • Remember, even if the sender appears to be a legitimate organization, the email address could be spoofed.
February 19, 2021: Phishing with Phony Loans
A year into the pandemic, bad guys continue to target struggling organizations. A recent example is a phishing email targeting those in the United States. Impersonating a bank, the sender offers loans through the Paycheck Protection Program (PPP). The PPP is a real relief fund that is backed by the United States Small Business Administration (SBA), but the email is nothing short of a scam.
The phishing email directs you to click a link to register for a PPP loan. When clicked, the link takes you to a form with an official-looking header that reads, “World Trade Finance PPP 2021 Data Collection”. The form requests a lot of personal information, such as your organization’s name, your business email, and your social security number. Any of the information submitted on this form goes straight to the cybercriminals.
Here’s how you can stay safe from scams like this:
  • Think before you click! Desperate times call for diligent measures.
  • If you or your organization need financial help, reach out to legitimate and well-known programs—don’t trust an unexpected email.
  • Stay up-to-date on your country’s relief efforts by following local news and other trusted sources.
February 12, 2021: Smishing with PayPal
A new Smishing (SMS Phishing) attack uses an urgent text message to trick you into clicking a malicious link. The message states “PayPal: We've permanently limited your account, please click link below to verify.” If you click on the link provided, you are taken to a PayPal look-alike page and asked to log in.
 
Bad actors take this scam one step further. If you enter your login credentials on their phony page, you’ll be taken to a second page that asks for your name, address, and bank account details. Everything entered on these pages will be sent directly to the bad guys.
 
While this is an advanced attack, you can still stay safe by practicing the tips below:
  • Check for poor grammar in supposedly-official messages. Did you catch the grammatical error in the example above? It asks you to “click link below” instead of “click the link below”.
  • Question the situation. For example, did you give PayPal your mobile number? And did you ever sign up to receive text notifications?
  • Never trust a link in a text message that you were not expecting. If you think the notification could be legitimate, navigate to the official website and log in there.
February 5, 2021: Advanced Look-alike Login Pages
Here’s a popular phishing scenario: You receive an email with a link. The link takes you to a phony login page with the name and logo of a legitimate website. Once you submit your username and password, the information is sent straight to the bad guys. Cybercriminals love to use these phony look-alike login pages to steal your credentials and access sensitive information.
 
Now cybercriminals have developed a way to make look-alike pages even more convincing. Scammers use a special tool to automatically display your organization’s name and logo on the phony login page. They can even use this tool to populate your email address in the corresponding login field. This creates a false sense of security because many legitimate websites remember your username if you have logged in previously.

While this is an advanced attack, you can still stay safe by practicing the tips below:
 
  • Never click a link in an email that you were not expecting.
  • Remember that any site, brand, or service can be spoofed.
  • When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
January 29, 2021: Romantic Investment Scams
Let’s be honest, the age of social distancing can leave us feeling lonely. To make matters worse, bad guys are leveraging our loneliness for their scams. Romance-related scams are growing more popular and more complex.
 
In the latest romance-related scam, bad guys use a dating app to find their target, build a relationship, and establish trust. Once you trust them, the scammer will share financial tips and invite you to an exclusive investment site—which is actually a scam. Your new “friend” will guide you through opening an account, buying financial products, and building your investments. Then, one day, all communication stops and you’re left wondering where that money has gone.
 
Don’t fall for it! Remember these tips:
 
  • Romance scams aren’t exclusive to dating apps. The technique could easily be used on social media as well. Be skeptical of anyone who contacts you that you don’t know personally.
  • This attack exploits the loneliness of life during a pandemic. Don’t let the bad guys play with your emotions. Think before you click!
  • Remember, if something sounds too good to be true, it is probably a scam.
January 22, 2021: Exploiting the Coronavirus: Financial Assistance Scams
While the world continues to navigate life during a pandemic, countless families and individuals are struggling financially. In a truly malicious response to the situation, scammers are launching phishing attacks that claim to offer financial assistance to those in need.
 
The phishing email impersonates your local government and it states that you are eligible to receive financial aid. You’re directed to click a link in the email for more information. If you click the link, you are taken to a phony government website. The site asks for personally identifiable information, including your social security number. Once you’ve provided this information, the site claims that you will be contacted regarding your aid. Don’t be fooled! Anything you enter here is sent directly to the cybercriminals.
 
Here’s how you can stay safe from scams like this:
 
  • Never click on a link in an email that you weren’t expecting. Even if the sender appears to be a legitimate organization, the email address could be spoofed.
  • Stay up-to-date on response efforts through official government websites and trusted news sources.
  • If you feel the email could be legitimate, use another means of communication to reach out to the sender, such as calling their official phone number—not the one listed in the suspicious email.
January 15, 2021: Watch Out for US Capitol and Parler Scams
Last week, a rally held in the United States Capitol escalated when protestors stormed the Capitol building. This event was later linked to posts on the social media platform Parler. The controversial events at the Capitol and related use of Parler have led both Apple and Google to remove the app from their respective app stores.
 
Cybercriminals use high-profile news stories like this to catch your attention and manipulate your emotions. In the coming weeks, we expect to see cybercriminals referencing this event and the Parler app in their phishing attacks and social media disinformation campaigns.
 
Here are some tips to stay safe:
 
  • Watch out for Parler-related emails—especially those that offer an alternative way to download or install the app.
  • Be suspicious of emails, texts, and social media posts that contain shocking developments to the story. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
  • No matter how shocking the news, always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
January 8, 2021: Man’s Best Friend is a Scammer’s Best Bait
With stay-at-home orders in place across the globe, many people are buying new pets to help them feel more connected. Unfortunately, shoppers who are looking for a furry friend may be in for a big surprise. Cybercriminals are creating phony online pet shops that advertise unbelievable prices on purebred pups.
 
These malicious pet shop sites include poorly-written testimonials from alleged buyers that often don’t make sense. For example, one testimonial claimed that their “German Shepherd baby had hatched”. If you overlook these phony testimonials and click the “Buy Me!” button under the photo of an adorable puppy, you’ll be taken to a contact page to begin your email conversation with the supposed seller. Via email, the scammers will ask you to pay for your pup using Bitcoin or a service provider, such as PayPal. Of course, any money you send goes straight to the bad guys and you’ll never receive your pup.
 
Here are some tips to avoid this ruff scam:
 
  • Always be wary of websites with poorly-written information, including testimonials and reviews from customers.
  • Remember, if a price sounds too good to be true—it is! Purchasing a purebred dog is typically very expensive, so scammers are trying to use low prices to trick you into acting impulsively.
  • If you are in the market for a new pet, be sure to research the rescue shelter, pet adoption agency, or licensed breeder before making a purchase.
January 1, 2021: “Is this a video of you?” Nope, That’s a Phish
It’s no secret that cybercriminals love social media. Bad guys use platforms like Facebook and Instagram to impersonate your real friends and followers. Using this disguise, the scammers try to trick you into sharing sensitive information.
 
Here’s a common scam that is regaining popularity: You receive a message from a friend or follower asking “Is this a video of you?”. The message includes a screenshot of a blacked-out or blurry video. If you click to watch the video, you will be taken to a social media look-alike login page that is designed to steal your account credentials. If you enter your credentials here, the information will be sent directly to the bad guys and they’ll be able to use your social media account to scam anyone on your friends list.
 
Keep yourself and your friends safe by following these tips:
 
  • The simple message used in this scam sparks feelings of curiosity, concern, and urgency. Don’t let the bad guys toy with your emotions. Think before you click!
  • Be cautious of messages that are off-topic, unusual, or outlandish. Especially if the message includes a link.
  • Keep your social media accounts private and only accept friend or follow requests from people that you know and trust.
