Merchants Bank of Commerce

Alerts & Scams

Identity theft occurs when someone uses your personally identifying information, such as your name, Social Security number, or credit or debit card number, without your permission to commit fraud or other crimes. Identity theft can happen to anyone, but there are steps you can take to minimize your risk of becoming a victim.
Scam of the Week - The information provided below belongs to and is provided by KnowBe4 and is intended for informational purposes only
February 19, 2021: Phishing with Phony Loans
A year into the pandemic, bad guys continue to target struggling organizations. A recent example is a phishing email targeting those in the United States. Impersonating a bank, the sender offers loans through the Paycheck Protection Program (PPP). The PPP is a real relief fund that is backed by the United States Small Business Administration (SBA), but the email is nothing short of a scam.
 
The phishing email directs you to click a link to register for a PPP loan. When clicked, the link takes you to a form with an official-looking header that reads, “World Trade Finance PPP 2021 Data Collection”. The form requests a lot of personal information, such as your organization’s name, your business email, and your social security number. Any of the information submitted on this form goes straight to the cybercriminals.
 
Here’s how you can stay safe from scams like this:
  • Think before you click! Desperate times call for diligent measures.
  • If you or your organization need financial help, reach out to legitimate and well-known programs—don’t trust an unexpected email.
  • Stay up-to-date on your country’s relief efforts by following local news and other trusted sources.
February 12, 2021: Smishing with PayPal
A new Smishing (SMS Phishing) attack uses an urgent text message to trick you into clicking a malicious link. The message states “PayPal: We've permanently limited your account, please click link below to verify.” If you click on the link provided, you are taken to a PayPal look-alike page and asked to log in.
 
Bad actors take this scam one step further. If you enter your login credentials on their phony page, you’ll be taken to a second page that asks for your name, address, and bank account details. Everything entered on these pages will be sent directly to the bad guys.
 
While this is an advanced attack, you can still stay safe by practicing the tips below:
  • Check for poor grammar in supposedly-official messages. Did you catch the grammatical error in the example above? It asks you to “click link below” instead of “click the link below”.
  • Question the situation. For example, did you give PayPal your mobile number? And did you ever sign up to receive text notifications?
  • Never trust a link in a text message that you were not expecting. If you think the notification could be legitimate, navigate to the official website and log in there.

February 5, 2021: Advanced Look-alike Login Pages
Here’s a popular phishing scenario: You receive an email with a link. The link takes you to a phony login page with the name and logo of a legitimate website. Once you submit your username and password, the information is sent straight to the bad guys. Cybercriminals love to use these phony look-alike login pages to steal your credentials and access sensitive information.
 
Now cybercriminals have developed a way to make look-alike pages even more convincing. Scammers use a special tool to automatically display your organization’s name and logo on the phony login page. They can even use this tool to populate your email address in the corresponding login field. This creates a false sense of security because many legitimate websites remember your username if you have logged in previously.

While this is an advanced attack, you can still stay safe by practicing the tips below:
 
  • Never click a link in an email that you were not expecting.
  • Remember that any site, brand, or service can be spoofed.
  • When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
January 29, 2021: Romantic Investment Scams
Let’s be honest, the age of social distancing can leave us feeling lonely. To make matters worse, bad guys are leveraging our loneliness for their scams. Romance-related scams are growing more popular and more complex.
 
In the latest romance-related scam, bad guys use a dating app to find their target, build a relationship, and establish trust. Once you trust them, the scammer will share financial tips and invite you to an exclusive investment site—which is actually a scam. Your new “friend” will guide you through opening an account, buying financial products, and building your investments. Then, one day, all communication stops and you’re left wondering where that money has gone.
 
Don’t fall for it! Remember these tips:
 
  • Romance scams aren’t exclusive to dating apps. The technique could easily be used on social media as well. Be skeptical of anyone who contacts you that you don’t know personally.
  • This attack exploits the loneliness of life during a pandemic. Don’t let the bad guys play with your emotions. Think before you click!
  • Remember, if something sounds too good to be true, it is probably a scam.
January 22, 2021: Exploiting the Coronavirus: Financial Assistance Scams
While the world continues to navigate life during a pandemic, countless families and individuals are struggling financially. In a truly malicious response to the situation, scammers are launching phishing attacks that claim to offer financial assistance to those in need.
 
The phishing email impersonates your local government and it states that you are eligible to receive financial aid. You’re directed to click a link in the email for more information. If you click the link, you are taken to a phony government website. The site asks for personally identifiable information, including your social security number. Once you’ve provided this information, the site claims that you will be contacted regarding your aid. Don’t be fooled! Anything you enter here is sent directly to the cybercriminals.
 
Here’s how you can stay safe from scams like this:
 
  • Never click on a link in an email that you weren’t expecting. Even if the sender appears to be a legitimate organization, the email address could be spoofed.
  • Stay up-to-date on response efforts through official government websites and trusted news sources.
  • If you feel the email could be legitimate, use another means of communication to reach out to the sender, such as calling their official phone number—not the one listed in the suspicious email.
January 15, 2021: Watch Out for US Capitol and Parler Scams
Last week, a rally held in the United States Capitol escalated when protestors stormed the Capitol building. This event was later linked to posts on the social media platform Parler. The controversial events at the Capitol and related use of Parler have led both Apple and Google to remove the app from their respective app stores.
 
Cybercriminals use high-profile news stories like this to catch your attention and manipulate your emotions. In the coming weeks, we expect to see cybercriminals referencing this event and the Parler app in their phishing attacks and social media disinformation campaigns.
 
Here are some tips to stay safe:
 
  • Watch out for Parler-related emails—especially those that offer an alternative way to download or install the app.
  • Be suspicious of emails, texts, and social media posts that contain shocking developments to the story. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
  • No matter how shocking the news, always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
January 8, 2021: Man’s Best Friend is a Scammer’s Best Bait
With stay-at-home orders in place across the globe, many people are buying new pets to help them feel more connected. Unfortunately, shoppers who are looking for a furry friend may be in for a big surprise. Cybercriminals are creating phony online pet shops that advertise unbelievable prices on purebred pups.
 
These malicious pet shop sites include poorly-written testimonials from alleged buyers that often don’t make sense. For example, one testimonial claimed that their “German Shepherd baby had hatched”. If you overlook these phony testimonials and click the “Buy Me!” button under the photo of an adorable puppy, you’ll be taken to a contact page to begin your email conversation with the supposed seller. Via email, the scammers will ask you to pay for your pup using Bitcoin or a service provider, such as PayPal. Of course, any money you send goes straight to the bad guys and you’ll never receive your pup.
 
Here are some tips to avoid this ruff scam:
 
  • Always be wary of websites with poorly-written information, including testimonials and reviews from customers.
  • Remember, if a price sounds too good to be true—it is! Purchasing a purebred dog is typically very expensive, so scammers are trying to use low prices to trick you into acting impulsively.
  • If you are in the market for a new pet, be sure to research the rescue shelter, pet adoption agency, or licensed breeder before making a purchase.
January 1, 2021: “Is this a video of you?” Nope, That’s a Phish
It’s no secret that cybercriminals love social media. Bad guys use platforms like Facebook and Instagram to impersonate your real friends and followers. Using this disguise, the scammers try to trick you into sharing sensitive information.
 
Here’s a common scam that is regaining popularity: You receive a message from a friend or follower asking “Is this a video of you?”. The message includes a screenshot of a blacked-out or blurry video. If you click to watch the video, you will be taken to a social media look-alike login page that is designed to steal your account credentials. If you enter your credentials here, the information will be sent directly to the bad guys and they’ll be able to use your social media account to scam anyone on your friends list.
 
Keep yourself and your friends safe by following these tips:
 
  • The simple message used in this scam sparks feelings of curiosity, concern, and urgency. Don’t let the bad guys toy with your emotions. Think before you click!
  • Be cautious of messages that are off-topic, unusual, or outlandish, especially if the message includes a link.
  • Keep your social media accounts private and only accept friend or follow requests from people that you know and trust.
December 25, 2020: Last-Minute Holiday Shipping Scams
The holiday season is a time for love, joy, togetherness—and last-minute online orders! We’ve all been there: anxiously awaiting a package and hoping you didn’t forget anyone on your shopping list. The holidays have a way of creeping up on us, so expect scammers to be creeping into your inbox as well.
 
Fake shipping notifications are especially popular during the holiday season. These can come in the form of an email (Phishing) or a text message (Smishing). Typically, the message will offer an urgent update about your package, such as a shipping delay, and you will be directed to click a link for more information. If you click the included link, you’ll be taken to a malicious website that asks for login credentials or other sensitive information. Any information entered on this page will be a gift from you to the cybercriminals!
 
Here are some tips to keep you safe from shipping notification scams:
 
  • This attack exploits the stress and excitement of the holiday season. Don’t let the bad guys play with your emotions. Think before you click!
  • Legitimate shipping notifications will include specific order information, such as your shipping address, an item description, or the name of the sender.
  • Stay up-to-date on your orders by visiting the retailer’s official website. If you receive an unexpected notification, be sure to visit their website using your browser—not by clicking the link in the email.
December 18, 2020: Exploiting the Coronavirus: Phony Form from HR
For many months, organizations across the globe have been working remotely due to the coronavirus pandemic. In a new phishing attack, the bad guys target your feelings of stress or excitement about returning to the office.
 
The phishing email resembles something that your human resources department might send about returning to the office. Attached to the email is an HTML file that includes your name in the file name. If you download and open this attachment, you’ll be taken to a file that is hosted on the file-sharing site, Microsoft SharePoint. According to the document, you must acknowledge the return to office policy by providing your username and password. If you enter your credentials here, the information will be sent directly to the bad guys and they’ll have the same access to your organization as you do.
 
Don’t fall for this trick! Remember these tips:
 
  • This attack tries to exploit the uncertainty of going back to work in the office. Don’t let the bad guys toy with your emotions. Think before you click!
  • Never impulsively click on a link or download an attachment that you weren’t expecting, even if it appears to be from your own organization.
  • When in doubt, reach out to the sender by phone to confirm the legitimacy of the email before clicking a link or downloading an attachment.
December 11, 2020: Fake Video Calls Are a Quick Score for Scammers
With so many organizations still working remotely, bad guys continue to target you by spoofing popular video conferencing software, such as Zoom and Microsoft Teams. Video-conference themed phishing attacks can come in all shapes and sizes. For example, you may receive a phony welcome email that asks you to set up your new account. Or, you could receive an email claiming that you need to reschedule a missed meeting. As a more alarming example, you may receive a fake notice that your account has been suspended and you cannot join a meeting without first clicking the link in the email.
 
No matter what tactic the bad guys use, stay safe from video-conference themed scams by following these tips:
 
  • Never impulsively click on a link within an email that you weren’t expecting.
  • Check the from and reply-to email addresses. Watch out for domain misspellings such as “Zooom” or “Teans”, as this is a common trick used by scammers.
  • When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
December 4, 2020: Tricky Tags in Google Drive Phishing Attack
Phishing emails are often designed to trick you into clicking a malicious link. Most email clients, such as Microsoft Outlook and Gmail, have filters that add warning messages to emails with suspicious-looking links. Unfortunately, the bad guys are always finding new ways to bypass these security filters.
 
The latest way that scammers sneak past your email security is by taking advantage of the collaboration tools available for the Google Drive platform. The platform allows you to tag any user in a file by using their Gmail address. Once tagged, the user will receive a notification directly from Google. This means that if a bad guy tags you in a Google document, you will receive a legitimate notification from Google that includes a link to the bad guy’s file. If you view the file, you’ll likely find that it directs you to click another link. This second link is actually a malicious attempt to steal your sensitive information.
 
Don’t fall for this trick! Remember:
 
  • Always be suspicious of emails or notifications from someone you do not know.
  • Never click on a link within an email that you weren’t expecting—even if it came from a legitimate website. 
  • If you receive a suspicious email or notification, contact your IT department or follow the specific procedure for your organization.
November 27, 2020: Top 10 Cybersecurity Tips for Holiday Shopping
For most of us, the holiday season is about friends, family, food—and shopping! Black Friday and Cyber Monday fall just after Thanksgiving in the U.S., but internationally, they are two of the busiest shopping days of the year. Unfortunately, while you’re looking for holiday deals, the bad guys are looking for ways to scam you any way they can.
 
Follow these tips to stay safe this holiday season:
 
1. Keep your smartphone, computer, and other devices updated. This helps ensure that your device has the latest security patches.
2. Only use trusted Wi-Fi connections and be suspicious of any network that does not require a password to connect.
3. Take the time to change any outdated or simple passwords. Use strong, unique passwords on all of your accounts.
4. Be careful not to overshare on social media. Consider anything you post to be public information.
5. Keep an eye on the activity in your banking and credit card accounts. Also, be sure to monitor your credit report on a regular basis.
6. Be suspicious of emails you receive about online purchases. Check the status of your order directly on the website that you purchased from.
7. If you receive a holiday greeting card in your inbox, verify the sender before clicking the link to view the card.
8. If you’re traveling for the holidays, be sure to keep your devices stored safely at all times.
9. Pay close attention to the websites that you order from. Only shop on websites that you know and trust.
10. Watch out for giveaways and contests. Remember that if something seems too good to be true, it probably is.
 
November 20, 2020: Pfizer’s Vaccine is Fresh Phish Bait
Last week, pharmaceutical company Pfizer announced that long-term trials of their COVID-19 vaccine have been highly successful. This exciting development is a huge step towards ending the pandemic, but experts say we are still far from a publicly available vaccine.
 
Unfortunately, good news like this is often used by cybercriminals to catch your attention and manipulate your emotions. Expect to see mentions of a COVID-19 vaccine in phishing attacks and social media disinformation campaigns.
 
Here are some tips to stay safe:
 
  • Be suspicious of emails, texts, and social media posts that contain exciting or alarming information about a vaccine. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
  • Always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively. 
  • Stay informed by checking official government websites or following trusted news sources for information on vaccine developments.
November 13, 2020: Bad Guys Teach You How to Enable Macros
One of the most common ways that bad guys sneak malware onto your computer is through macro-enabled Excel files. A macro (short for macroinstruction) is a set of commands that automate a process in Excel. When you open an Excel file that includes macros, you’ll see a security banner with the option to activate macros by clicking “Enable Content”.
 
Typically, malicious Excel files are attached to a phishing email. If you choose to open the attachment and enable macros, the file will automatically install the cybercriminal’s malware.
 
In a recent phishing attack, the macro-enabled Excel attachment is designed to look like a Windows Defender help page. The spoofed help page provides easy-to-follow instructions on how to click the “Enable Content” button. To establish additional credibility, the file includes logos of well-known security vendors like McAfee. If you fall for this trick and enable macros, a dangerous piece of malware is installed onto your computer and cybercriminals will have complete access to your system.
 
Follow these tips to stay safe:
 
  • Never download an attachment from an email that you weren’t expecting.
  • Don’t let your eyes deceive you. Bad guys use familiar logos from real businesses to appear more legitimate.
  • Before enabling macros for an Excel file, contact the sender using an alternative line of communication—such as by phone or text message. Verify who created the file, what the file contains, and why macros are necessary.
November 6, 2020: Watch Out for Sean Connery Related Scams
Over the weekend, news broke that actor Sean Connery, who is known for portraying James Bond and countless other roles, passed away at the age of 90. Bad guys will be sure to exploit this celebrity death in a number of ways, so be extra cautious of any mention of Sean Connery in emails, text messages, and social media posts.
 
Remember these tips:
 
  • Always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
  • Watch out for sensational headlines regarding the late actor. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
  • If you receive a suspicious email, remember to follow the reporting procedure for your organization.
October 30, 2020: Blue Checkmarks are the Perfect Phish Bait
Have you ever noticed the blue checkmark on your favorite celebrity’s social media profile? This checkmark shows that the person has provided documentation to verify their identity. Verification helps you know a real account from a fake—but this tool isn’t just for celebrities. Whether you have a personal social media account or manage one for your organization, being verified can be a great benefit.
 
To become verified, you are required to provide sensitive information which, unfortunately, makes this process the perfect bait for a phishing attack. Cybercriminals spoof popular social media platforms like Twitter, Instagram, and YouTube by sending out fake verification emails. The emails include a link that, when clicked, takes you to a convincing verification form. Here you’ll be asked for things like your username, organization, password, gender, and more. Anything entered on this page is sent directly to the bad guys.
 
Stay safe from this fake verification scam with these tips:
 
  • This attack exploits the feelings of excitement and validation that come with becoming verified. Don’t let the bad guys play with your emotions. Think before you click!
  • Never click on a link within an email that you weren’t expecting.
  • When an email asks you to log in to an account or online service, log in to your account through your browser—not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.
October 23, 2020: Smishing Gains Popularity with Bad Guys
Many services, from grocery pickup to credit score updates, offer notifications via text messages or short message service (SMS). Typically, these notifications are short, vague, and include a link—which makes them great for spoofing! Bad guys use fake notification messages for SMS Phishing, or Smishing attacks.
 
In a recent smishing attack, the bad guys spoof shipping companies and send multiple fake text message notifications. The text messages state that you have an urgent notification regarding the delivery of a package. Each notification includes a link for more information. Clicking this link takes you to a phony Google login page that is designed to steal any information you enter.
 
It can be tricky to spot smishing attacks, but like a traditional phishing attack, there are steps you can take to keep your information safe. Follow these tips:
 
  • Think before you click. Were you expecting this message? When did you give this company your phone number? Did you sign up for text notifications?
  • Be cautious of a sense of urgency. The bad guys send multiple texts and use words like “urgent” to try and trick you into impulsively clicking a malicious link.
  • Never trust a link in a text message that you were not expecting. If you think the notification could be legitimate, contact the company another way, such as by visiting their official website.
October 16, 2020: Prime Target—Bad Guys Prep for Prime Day Scams
Once a year, Amazon, the world's largest online retailer, hosts a massive sales event called Prime Day. Usually set in July, the highly awaited two-day event was postponed until October 13th and 14th this year. While you get ready to shop Prime Day deals, the bad guys are getting ready to scam you any way they can.
 
There has been a large spike in phony websites using the Amazon brand. One example is a site that looks exactly like Amazon.com and claims to help with refunds and order cancellations. All you have to do is provide your order number and credit card information—or so they say. In reality, anything you enter on this page is delivered directly to the bad guys.
 
Follow these tips to safely shop the Prime Day event:
 
  • Go directly to Amazon.com to shop. This is the only way to be sure you are shopping on the real Amazon.
  • Never trust a link in an email that you were not expecting. The bad guys will be sending sneaky phishing emails that direct you to these phony Amazon pages.
  • Look for anything out of the ordinary. For example, Amazon will never ask you to re-enter saved payment information.
October 9, 2020: Watch Out for Trump-themed Cybercrime
Last week, the President of the United States, Donald Trump, announced that he and the first lady tested positive for coronavirus. This announcement and the status of President Trump’s health are currently dominating the media—both in the US and around the world.
 
Cybercriminals use high-profile news stories like this to catch your attention and manipulate your emotions. In the coming weeks, we expect to see cybercriminals referencing President Trump's health in their phishing attacks and in their social media disinformation campaigns.
 
Here are some tips to stay safe:
 
  • Be suspicious of emails, texts, and social media posts that contain shocking developments to the story. This could be false information designed to intentionally mislead you—a tactic known as disinformation.
  • No matter how shocking the news, always think before you click. Cyber attacks are designed to catch you off guard and trigger you to click impulsively.
  • Stay informed by following trusted news sources and do some research to check the accuracy of sensational headlines.
October 2, 2020: Infamous Twitter Hack Inspires a New Phishing Attack
This past July, Twitter fell victim to an infamous social engineering attack. The attack gave hackers control of over one hundred high-profile accounts—from politicians to celebrities. The hackers used these accounts to scam Twitter followers out of money. Now, cybercriminals are using this event as bait for a convincing phishing scam.
 
The phishing email uses text that is very similar to the official statement that Twitter made in response to the July attack. The email claims that due to a security breach, you must confirm your identity by clicking on a link in the email. If you click the link, you are redirected to a site that looks very similar to the real Twitter login page. The site is actually a look-alike designed to steal your login credentials. Any information that you enter on this page is delivered straight to the bad guys.
 
Don’t be fooled! Follow these tips:
 
  • Never click on a link within an email that you weren’t expecting.
  • When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
  • Email security filters can only do so much to protect you from malicious emails. Stay alert and help create a human firewall for your organization.
September 25, 2020: Trusted Third Parties Used as Phish Bait
Working with a third-party organization can be a great help, but what happens if that third party falls victim to a cybersecurity attack? Not only could your organization’s shared data be exposed, but you may become the target of a very unique phishing attack.
 
Once a scammer has access to a third party’s email account, they can use it to send phishing emails from a legitimate and familiar email address. Some cybercriminals take this attack a step further by forwarding or replying to real emails that were already in the third party’s inbox. Posing as the original sender, the bad guy sends a simple message such as “Here’s that document you needed.” and includes their own malicious link or attachment. Typically, the phishing email is completely unrelated to the original email but the attack can still be convincing because it appears to be part of a previous conversation.
 
Don’t be fooled! Here’s how to stay safe from third-party phishing attacks:
 
  • Never click a link or download an attachment from an email that you weren’t expecting—even if it appears to be from someone you know.
  • Read the prior conversation and compare it to the newest email. If you find that the information is unrelated or if the sender never mentioned a link or an attachment previously, this could be a phishing attack.
  • If you’re unsure whether or not an email is legitimate, reach out to the sender by phone. One quick call could save your organization from a potential data breach.
September 18, 2020: Training Notifications from Our Evil Twin
In early September, a phishing attack surfaced that imitates one of our security awareness training email notifications. The phishing email comes from our evil twin (the cybercriminals behind this attack) and claims that your training assignment will expire within 24 hours. You are directed to click a link to complete your training.

The link in the email shows the name of your training platform, but if you hover over this link with your mouse, you'll see that the destination domain is actually “msk.turbolider.ru”. Clicking on this disguised phishing link takes you to a phony Microsoft Outlook login page. If you enter information on this page, it will be sent directly to the bad guys.

How do you tell if an email came from the good twin or the evil twin? Follow these tips:

  • Remember that any site, brand, or service can be spoofed. Always think before you click, especially if you were not expecting the email.
  • Before you click, always hover over a link to preview the destination—even if you think the email is legitimate. Pay close attention to URL misspellings or unusual domain names.
  • If you are suspicious of an email that claims to be a training notification, reach out to your manager or training coordinator for help. They can find out if the notification is legitimate.
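
The hover check described above can also be automated for messages that users report. The Python sketch below is an added example, not code from KnowBe4 or the bank: it flags links whose visible text names a different domain than the real destination, and links that lead outside an allowlist of known hosts. The sample HTML, the `training.example.com` allowlist entry and all function names are constructed for illustration; only the `msk.turbolider.ru` domain comes from the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anything in the visible link text that looks like a host name.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize(host):
    """Lower-case a host name and drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_under(host, parent):
    """True if host equals parent or is a subdomain of it.

    The leading dot matters: 'example.com.evil.test' is NOT under 'example.com'.
    """
    host, parent = normalize(host), normalize(parent)
    return host == parent or host.endswith("." + parent)


def audit_links(html, trusted_hosts):
    """Return one finding per link whose destination deserves a second look."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            host = urlsplit(href).hostname
        except ValueError:
            host = None
        if not host:
            continue  # relative, mailto: or empty links have no web destination
        reasons = []
        # Check 1: the text shows a domain, but the link goes somewhere else.
        if any(not is_under(host, shown) for shown in DOMAIN_RE.findall(text)):
            reasons.append("text_domain_mismatch")
        # Check 2: the text is only a brand name, so compare against known hosts.
        if not any(is_under(host, trusted) for trusted in trusted_hosts):
            reasons.append("destination_not_allowlisted")
        if reasons:
            findings.append(
                {"text": text, "host": normalize(host), "reasons": reasons}
            )
    return findings


# Constructed sample: a fake training reminder with three links.
SAMPLE_EMAIL = """
<p>Your training assignment will expire within 24 hours.</p>
<p><a href="http://msk.turbolider.ru/">training.example.com</a></p>
<p><a href="https://training.example.com/assignments">Open my assignments</a></p>
<p><a href="http://msk.turbolider.ru/">Example Training Platform</a></p>
"""

# Assumption: the organization's real training platform host.
TRUSTED_HOSTS = {"training.example.com"}

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(finding["host"], "<-", repr(finding["text"]), finding["reasons"])
```
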
September 11, 2020: Scam of the Week: “New Approved Vaccines” Infect Your System with Malware
The COVID-19 pandemic has led to many creative phishing attacks such as phony offers for free testing, claims that you have come in contact with an infected person, and even accusations that you have violated health and safety protocols. Scammers have come up with yet another coronavirus-themed attack. This time, they are taking advantage of the worldwide race to develop a vaccine.

The phishing email uses the subject line “URGENT INFORMATION LETTER: COVID-19 NEW APPROVED VACCINES”. Within the email, you are directed to download an attachment to view this letter. The attachment itself is named “Download_Covid 19 New approved vaccines.23.07.2020.exe”. If you were to download and open this file, you would find that it is actually a piece of malicious software designed to gather data such as usernames, passwords, and other sensitive information.

Don’t be fooled! Remember these tips:

  • Watch for sensational words like “URGENT”. Remember, the bad guys want you to panic and click without thinking.
  • Never download an attachment from an email you weren’t expecting.
  • Don’t trust an email. Instead, visit an official government website or a trusted news source for information on vaccine developments.
September 4, 2020: Scam of the Week: Simple, yet Effective Vishing Scams
Voice phishing, or “Vishing”, is a phishing attack conducted by phone. This is a classic tactic that bad guys typically use to collect your credit card or financial data, along with other personal information. Here’s an example: You receive a call from someone claiming to be a customer service representative for a specific retailer. They say your order could not be processed because your credit card was declined. But not to worry! They are happy to help correct the issue. The caller claims that they need your credit card number, expiration date, and code on the back.

While this scheme is simple, it is also surprisingly effective. The bad guys catch victims off-guard with a pressing issue, like a declined payment. The victim is then relieved when the scammers offer an easy and immediate solution. If you don't take the time to stop and think about the situation, you could give away your personal data before you realize what is really happening.

Remember to stop, think, and follow these tips:
  • Don’t trust the caller ID. Phone numbers can be spoofed to look like a familiar or safe caller.
  • Never provide personal information over the phone, unless you are the one who initiated the call.
  • If you receive a suspicious phone call, hang up, and use the company's official phone number to call them directly.
August 28, 2020: Scam of the Week: “Are you human?” New Attack Uses a CAPTCHA as Camouflage
Have you ever found yourself staring at a wobbly letter trying to decide if it is an X or a Y, just to prove to a website that you’re not a robot? This funny little test is called a CAPTCHA and it is used to help prevent automated malicious software, known as “bots”, from accessing sensitive information. Unfortunately, cybercriminals are now using CAPTCHAs as a way to make their phishing scams seem more legitimate.

In a recent Netflix-themed attack, scammers are sending a phishing email that claims "your payment did not go through and your account will be suspended in the next 24 hours". To resolve the issue, you're instructed to click on a link in the email to update your information. If you click the link, you’re taken to a CAPTCHA page. Once you pass the CAPTCHA, you’re redirected to an unrelated webpage that looks like a Netflix login page. Here you’re asked to enter your username and password, your billing address, and your credit card information. Don’t be fooled! Anything entered here is sent directly to the cybercriminals.

Remember these tips:

  • Phishing emails are often designed to create a sense of urgency. In this case, “your account will be suspended in the next 24 hours”! Think before you click. The bad guys rely on impulsive clicks.
  • When an email asks you to log in to an account or online service, log in to your account through your browser and not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.
  • Remember, anyone can create a CAPTCHA webpage, so don't fall for this false sense of security.
August 21, 2020: Scam of the Week: Cybercriminals are Getting Creative with Canva
Cybercriminals often use legitimate websites in their phishing attacks as a way to get around the security systems that your organization has in place. A recent example of this is the use of Canva, a popular graphic design platform. Canva provides users with a variety of ways to create and share visual content. Cybercriminals are using Canva to create an official-looking document that contains a clickable, malicious link. Creating and storing this document on Canva allows the attackers to get through security measures because Canva is a legitimate website.

Once the scammers have created and stored their file on Canva, they will send you an email that includes a link to this malicious file. The email claims the link leads to an important document that needs your attention. However, if you click this link, you are taken to the Canva file and prompted to click another link in order to view the document mentioned in the email. Clicking this second link will redirect you to a phony login page for your email provider. Any information entered on this page will be sent directly to the scammers. Don’t be fooled!

Remember these tips:

  • Never click a link in an email that you were not expecting.
  • Call the sender to be sure the email and link are legitimate. Do not call the phone number provided within the email as it may be a fake number.
  • When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.
August 14, 2020: Scam of the Week: Financial Relief Scam Targeting Organizations
The coronavirus pandemic continues to impact organizations across the globe. This hardship gives cybercriminals the perfect bait: a promise of financial relief. Currently, cybercriminals are impersonating the United States Small Business Administration (SBA) with a very convincing phishing email. While this specific scam targets organizations in the US, this tactic could be used in any country, for any kind of relief fund.

The phishing email states that your loan application has been approved and it includes a link to “start the funding process”. If you click this link, you are taken to a phony login page that is nearly identical to the SBA's official website for the relief fund. The bad guys are phishing for these specific login credentials to gain access to sensitive data, such as your organization’s federal tax ID and banking information. This type of information, in the hands of a cybercriminal, would be a disaster.

Here’s how you can stay safe from scams like this:

  • Never click on a link in an email that you were not expecting.
  • When an email asks you to log in to an account or online service, log in to your account through your browser and not by clicking the link in the email. That way, you can ensure you’re logging in to the real website and not a phony look-alike.
  • Call the organization in question. Just be sure to look up the official phone number—do not call the phone number provided within the email.