Directive Blogs

Directive has been serving the Oneonta area since 1993, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

ALERT: SFCU Members are Being Targeted by a Phishing Scam in Oneonta

Central NY residents who use Sidney Federal Credit Union have been seeing a rash of phishing scams that could put their information and their money at risk. Here’s what we know so far, and how to protect yourself from this targeted scam.

Disclaimer: The following threat isn't Sidney Federal Credit Union's fault, and the local credit union has taken steps to raise awareness of the problem on its website to help its members. Virtually any member of any bank could be targeted by this type of scam; this isn't a reflection on SFCU, but instead it's just showing you how tricky these scammers can get.

Did You Receive a Text from Sidney Federal Credit Union?

Members of SFCU have been reporting texts that look like they come from the local credit union, claiming that their card has been charged.

In the examples we’ve seen, the text reads “SIDNEY FCU: Your Visa has been charged for $350.00 at Las Vegas Saks Not# you? STOP here.”

Then it provides a link to a site with a reference number. The site isn’t Sidney Federal Credit Union’s official website, which instead is https://sfcuonline.org/.

It doesn’t sound like all members received the text, but SFCU has been made aware of the situation and has posted an alert when you log into your account.

If you’ve received the text, or any similar text messages about your bank account, even if it isn’t through SFCU, you should always take them with a grain of salt. While banks do sometimes have certain notifications go out via text and email, cybercriminals and scammers will try to game the system by pretending to be these entities to trick you into handing over your credentials.

How Could Someone Steal My Bank Account Info?

Ever watch a magician do a card trick? Usually a good magician will keep you distracted with hand gestures and movements and eye contact so your eyes don’t catch the fact that they are slipping a card between their fingers and behind their hand. They distract you and focus your attention away from the trick. That’s essentially how these scams work too.

They get you to focus on some sort of urgent problem, so you aren’t paying close attention to everything else. In this case, they get your attention by saying your credit card was just charged hundreds of dollars. This naturally triggers an emotional response in most people. It’s suddenly a problem that you have to deal with right away. It’s frustrating, it’s urgent, and it demands action. This puts you just a little bit off guard. You’ll take the fastest, easiest path to solve this issue so you can get back to your normal day.

The scammers know that this works for a large number of people, so they work around it. They provide a link that, at a quick glance, might look like it’s going to take you to your bank and let you deal with the issue.

Unfortunately, anyone can purchase a domain name or spoof a website. It takes very little effort to make a website that looks like your bank, and put in a login form. That login form doesn’t need to work—it just needs to collect whatever information gets entered into it.

They send out a mass text to hundreds, or thousands, or hundreds of thousands of people at once, and see who gets snared in their trap. A percentage of users click the fake link, and find themselves on a site that looks (more or less) like their bank. They fill in their username and password and then the scammer has it.

The scammer can then log into your account, change the email that is associated with it, change the phone number that is associated with it, change your password, or just drain your bank account. While banks have protections in place to protect your money, it’s much harder to do that when the scammer looks, to the bank, to be you.

How Do I Protect Myself from Having My Bank Account (or Any Online Account) Stolen?

Always Use Unique, Secure Passwords

First and foremost, always, ALWAYS use secure passwords that don’t contain personal information. 

  • Your dog’s name, your maiden name, or your date of birth have no business showing up in a password.
  • Passwords should be complex and be several characters long (at least 12-16, but if an account lets you, it doesn’t hurt to make them longer).
  • You should have capital letters, lowercase letters, numbers, and symbols in your passwords.
  • Don’t use single words, or just drop an exclamation point at the end of a password to meet the symbol requirement.
  • Don’t ever use the same password on multiple accounts. Every single account you have needs to have a completely unique, strong, secure password.
  • Change your passwords regularly, especially when you notice weird activity or get targeted for scams, or suspect that you might be compromised.

Use 2FA or MFA Everywhere

Passwords are a good start, but a scam like this involves someone getting your password. Fortunately, there is a way to add an extra layer of security to that, called two-factor or multi-factor authentication (2FA or MFA, respectively).

Most online services support this, including your social media accounts, banking accounts, online stores like Amazon and eBay, PayPal, and email accounts. You should ALWAYS opt to set this up and check any account to make sure that it is enabled.

The best 2FA/MFA features require the use of an authentication app: you scan a QR code into the app, and it then generates a six-digit code whenever you want to log into the account. You can use apps like Google Authenticator, Microsoft Authenticator, Duo, or others.

The second best method is using a text message or email for authentication. This works in a pinch, or if the authentication app option isn’t available, but since your email and text messages could technically get compromised a few different ways, it is slightly less secure. It’s still way more secure than nothing, though, and we highly recommend it if it's the only option.

Keep an Eye Out for Fraudulent Links

This is harder to do if you don’t always know the URLs your bank or other companies you work with use, but it’s good to understand how someone can scam you by cleverly manipulating a link to a site.

If a message really is from SFCU, its link should lead back to sfcuonline.com. If there is anything strange between “sfcuonline” and the “.com”, something is suspicious. There should also be a forward slash (/) right after the .com. If the URL is something like sfcuonline.com.mailru382.co/something, you are being spoofed. We’re using Sidney Federal Credit Union as the example here, but some of the link examples below are completely made up just to prove our point:

Everyone handles their domains a little differently, but use this as a general rule of thumb:

  1. sfcuonline.com - Safe.
  2. sfcuonline.com/contact - Safe. Only SFCU could have generated this URL.
  3. business.sfcuonline.com - Safe. Only SFCU could have generated this URL.
  4. business.sfcuonline.com/retail - Safe. Only SFCU could have generated this URL.
  5. sfcuonline.com.activatecard.net - Suspicious! (notice the dot immediately after SFCU’s domain name)
  6. sfcuonline.com.activatecard.net/secure - Suspicious!
  7. sfcuonline.com/activatecard/tinyurl.com/retail - Suspicious! Don’t trust dots after the domain!
  8. Sfcudigital.com - Suspicious! It’s not even the right URL in general!
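The rule of thumb above can be turned into a small checker, and doing so shows why the real test is the hostname, not whether the bank’s name appears somewhere in the link. The script below is an added example written for this post, not code from SFCU or Directive; it uses the post’s illustrative sfcuonline.com domain and the eight links listed above as its constructed sample input. It applies two checks: the host must be exactly the bank’s domain or end in “.” plus that domain (which is what defeats the “dot immediately after the domain” trick in items 5 and 6), and, following item 7, any path segment that itself looks like a domain name is flagged.

```python
import re
from urllib.parse import urlsplit

# The post's illustrative bank domain (an assumption for this example, not an official address).
BANK_DOMAIN = "sfcuonline.com"

# A path segment such as "tinyurl.com": letters/digits/hyphens, dots, and a 2+ letter ending.
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def split_link(url: str):
    """Return (hostname, path) for a link, tolerating links typed without a scheme."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only recognises the host when a scheme is present
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    return host, parts.path


def belongs_to(host: str, domain: str) -> bool:
    """True only when host is exactly `domain` or a subdomain of it.

    A plain substring test ("sfcuonline.com" in host) would wrongly accept
    sfcuonline.com.activatecard.net; the suffix test with a leading dot does not.
    """
    return host == domain or host.endswith("." + domain)


def classify(url: str, domain: str = BANK_DOMAIN) -> str:
    """Apply the post's rule of thumb: return 'safe' or 'suspicious: <reason>'."""
    host, path = split_link(url)
    if not belongs_to(host, domain):
        return f"suspicious: host is {host!r}, not {domain} or a subdomain of it"
    for segment in path.split("/"):
        if DOMAIN_LIKE.match(segment.lower()):
            return f"suspicious: path segment {segment!r} looks like another domain"
    return "safe"


# Constructed sample input: the eight links from the post's list.
EXAMPLES = [
    "sfcuonline.com",
    "sfcuonline.com/contact",
    "business.sfcuonline.com",
    "business.sfcuonline.com/retail",
    "sfcuonline.com.activatecard.net",
    "sfcuonline.com.activatecard.net/secure",
    "sfcuonline.com/activatecard/tinyurl.com/retail",
    "Sfcudigital.com",
]

if __name__ == "__main__":
    for link in EXAMPLES:
        print(f"{link:50} {classify(link)}")
```

Items 1 through 4 come back “safe” and items 5 through 8 come back “suspicious” with the reason shown, matching the post’s verdicts. The path check for item 7 is a heuristic that mirrors the author’s warning; the host check is the one that actually decides which site a browser will open.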

Don’t Let Your Guard Down

If you receive an urgent text or email, take a deep breath and be skeptical. It might be real, but there is also a chance that it’s not.

Don’t Click on Links in Emails and Texts Unless You Were Expecting Them

It’s a simple habit that will save you a lot of trouble. Sure, there are times when a legitimate link will be sent to you in an email or in a text message, and more often than not a message will actually be legitimate and safe. But if you start from the assumption that a link isn’t safe and scrutinize it from there, that habit will go a very long way.

In a case like this, the proper action would be to log into your Sidney Federal Credit Union account the way you normally would, and see if the charge is actually showing up in your account. You could also look up the bank’s number and call them and confirm. Don’t assume that any business is texting you or emailing you from an actual number that gets you in touch with customer support either. Use the typical channels you would use as if you never received the message.

Securing your own digital footprint is just as important as securing your business, and your employees and colleagues should all be taking actions to practice good digital hygiene. If your business needs help securing itself from online threats, be sure to give Directive a call at 607.433.2200. Cyberthreats are only getting worse, more dangerous, and more expensive, so it’s critical to take proper steps to protect yourself.