Scams

What it is:
When someone makes accessible an electronic device such as a USB drive that is preloaded with malware with the intent that you will use the device and allow them access into your computer.

How to protect yourself:
Do not leave your computer unattended and do not use preloaded devices unless you know they are from a trusted source.

What it is:
Botnets are groups of computers (robot networks) that work together without your knowledge to scan computers for vulnerable software holes and access important information. Each computer added to the robot network increases its overall strength.

What it does:
If your computer is vulnerable and becomes part of the botnet, it may attack through keylogging; spam or phishing scams; click fraud (activates viruses through clicking other sites); denial of service (using numerous infected devices to access a single website causing it to become unresponsive); and stealing, storing, or propagating wares (Illegally obtained or pirated software).

 How to protect yourself:
Protect yourself by using updated anti-virus and anti-spyware programs. Disconnect online when you are not using your computer to avoid activity while you’re away. It’s also best not to click on sites you don’t trust, monitor your 'Sent' and 'Outgoing' email boxes for messages you didn’t send, and be cautious about opening email attachments regardless of who they are from.

What it is:
Credential stuffing is an attempt by a fraudster to use previously exposed credentials to attempt to log into your digital banking accounts. These previously exposed credentials are often from other breaches that you may or may not have heard about. Fraudsters collect the lists and create an attack using these credentials in hopes that users have re-used their credentials on multiple platforms.

How to protect yourself:
To help reduce the risk of credential stuffing take the following precautions:

• Don't re-use credentials: The attacks are specifically targeted at people who re-use login credentials (username and passwords) across multiple platforms so having different logins helps lower your risk of being a target.
• Create a complex username: Simple usernames are easier to determine and may be targeted more frequently in stuffing attacks. Consider using a combination of special characters (@, #, $, etc.), numbers, and capitalizations to create a longer (preferably more than 8 characters) and more unique username.
• Change your password frequently: Creating a new password every 3-4 months helps make your account credentials more secure.

What it is:
Keylogging uses a device (hardware) or program (software) to track and record what you type. If it’s in a software program, a file is created and sent to a specified recipient. If it’s in hardware, the person who installed the hardware must retrieve it in order to access the information gathered.

What it does:
Keyloggers are typically used maliciously to gain account numbers, PINs, usernames and passwords. A keylogger can be installed undetected via a virus or spyware, which then uses trojans to execute. The program also can use email to direct you to respond or click on an attachment and enter personal information. Keyloggers sit on various websites waiting to install themselves on unpatched or unsecured machines that hit their site.

How to protect yourself:
In addition to the tips found on the Computers & Laptops section on our Electronic Device Security page, you can protect yourself by doing the following:

• Make sure all the programs running on your computer are ones you recognize. If you do not recognize a program, get advice immediately to determine if it should be uninstalled.
• Be wary of emails from banking or financial institutions (whether it is one you use or not), and Pay Pal. Do not respond if you believe the email is fraudulent – remember never send personal or financial information via email.
• Visually inspect the back of the computer. Look specifically for a small connector device between the keyboard wire and the computer.

A word of note:
Keylogging also has constructive purposes including software development. The examination of keystrokes will indicate any errors, which developers can easily correct. Some employers use keylogging to determine the productivity of employees, or to ensure work computers are used for business purposes. Law enforcement officials may use keyloggers to circumvent applied security measures and obtain passwords or encryption keys. Concerned parents might use them to monitor their children's online activity.

What it is:
An email phishing scam is a fraudulent email message that appears to be from a person or company you know.  It attempts to illegally gather personal and/or financial information from you. 
 
A phishing email typically includes at least one link to a fake website, which may be designed to mimic the site of a legitimate business. The email is designed to entice you into providing information that could be used for identity theft or online financial theft. These scams will often try to scare you into action by threatening to close your accounts if you don't respond.

How to protect yourself:
If you are suspicious of phishing based on the sender or subject details, don't open the email. If you do open it, do not open attachments or click links and don't respond if prompted to verify your information. Remain vigilant, phishers have been known to use real company logos to make their communications appear legitimate and also have used spoofed email addresses, which may be similar to the actual company's address.

To learn more about phishing and other ways to recognize and avoid phishing scams, please visit Norton Security Center.

Common phishing scams:
The Federal Trade Commission (FTC) gives these examples of phishing messages:

• "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
• "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
• “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

Click here to read more about what the FTC advises to avoid phishing.

Also be aware:
There is a second type of phishing known as “spear phishing” where a user receives a fake email from a hacker posing as a colleague or friend. The email contains a dirty link or file corrupt with malware. If you receive an email from someone you know that seems out of the ordinary (misspellings when there typically aren’t any, they are not making sense, they make an unusual request, etc.) or an email containing only a link, do not open it or respond. In this type of scam, the fake email may even appear as the exact email you typically receive from this person.

What it is:
While phishing requires victims to voluntarily visit a fraudulent site, pharming simply redirects victims to fraudulent websites without assistance.

How to protect yourself:
Pharming is only successful when software or server vulnerabilities exist; otherwise, the criminal needs an insider to make unauthorized changes in order to redirect site visitors. To prevent these scams, we work diligently to manage and update our server software while maintaining a high standard of security.

What it is:
Smishing uses phishing tactics through SMS (text message) communication and attempts to obtain sensitive information by impersonating a trustworthy source. It is especially dangerous because, on rare occasion, these scams can infect your phone with a virus, too.

How to protect yourself:
If you are suspicious of smishing based on the sender or subject details alone, don’t open the message. If you do open it, do not open attachments, click links or call phone numbers and don’t respond if prompted to verify your information. Use your usual log in processes to check your account and call the company directly.

What it does:
Caller ID spoofing is the process of changing the caller ID to any number other than the calling number. This is done through an online service that, for a fee, creates a conference-type phone call connecting the user with the number they provide. This tactic is often used to impersonate a trusted person or organization in order to gain sensitive information. 

How to protect yourself:
If you experience this situation, remember the following:

• TruStone will not call you and request personal information – if someone does it’s probably a scam. If you receive a suspect call from someone posing as a credit union employee, hang up and call the credit union directly (phone numbers can be found on this website, our digital banking app, or on your statement).
• It’s usually a good practice to never give out any personal information over the telephone.
• When giving out any information, it’s a good practice to verify the person on the other end of the phone before doing so.

What it does:

Trojans attempt to gain information from your computer by disguising as a trusted program. Spyware attempts to gather information about you and your browsing habits in order to send you targeted ads via spam email. Both are often hidden inside other programs (e.g., screen savers, time and date updaters, weather updaters) and infect your computer when the program runs.

How to protect yourself:

Avoid these by being aware of what you install on or download to your computer. If you are unsure of its legitimacy, search for reliable information regarding the program before adding it to your system. Updated anti-virus and spyware detection programs also are helpful in protecting your computer.

If you think you’ve been infected, update all virus definitions and run a full scan with your anti-virus software. If your system still appears compromised, fix it and change your password again. Also, check your online accounts (email, bank accounts) and change those passwords in case they have been compromised.

What it is:
Vishing is the voice version of email phishing and may be paired with VoIP (Voice over IP, i.e., phone calls through web) to gather personal information.

The scammer contacting you is attempting to trick or scare you into handing over sensitive financial or personal information, which may end up being used for identity theft or online financial theft. The scammer may be impersonating a legitimate entity employee (i.e., a TruStone employee) and/or use a local area code when asking you to provide sensitive information.

How to protect yourself:
Be skeptical of anyone contacting you and attempting to obtain your private banking details or any sensitive information about you. Never provide personal information over the phone. If in doubt, hang up, look for the number of the company on their website and call the company directly to ensure it was a legitimate call and request. Never use the phone number the caller provides. When researching this information on the company website, make sure the website is legitimate.

TruStone will never contact you asking for your card number or online banking information.  Contact us immediately if you receive such a request.