In addition to new cybersecurity threats from Russia in conjunction with the war in Ukraine, the FBI is warning consumers and businesses to be on high alert after several new scams were reported over the past few months. The common thread: The tactics are becoming more sophisticated.
"While we have a lot of traditional fraud that still occurs using common tactics, such as social engineering or fraudsters attempting to open bank accounts as someone else, new and more sophisticated ones are being introduced that we're regularly monitoring and addressing," said Josh Garrett, cyber threat analyst at BOK Financial®.
As Garrett explains, social engineering refers to tactics used to manipulate individuals into giving personal or confidential information to someone intent on committing fraud. For example, you receive an email from a criminal that may appear to be a valid request, but when you click on the link, your computer may be infected with malware that can destroy your system or allow your data to be stolen.
Recently, the FBI issued warnings around scammers using:
- Fraudulent QR codes
- Fake Google Voice Authentication
- Cell phone SIM cards
Fraudulent QR codes
The pandemic made Quick Response (QR) codes fashionable again, as restaurants opted against printed menus and asked patrons to get out their mobile phones to access web-based versions. According to the FBI, criminals are intercepting legitimate QR codes used by businesses to redirect potential victims to malicious websites. The sites are designed to steal personal and financial information, prompt users to install malware on their devices, or divert payments to fraudulent accounts.
How to protect yourself:
- Pay special attention to the URL you're sent to after scanning a QR code and make sure it matches the business URL.
- Be cautious when being asked to input your data after scanning a QR code.
- Check to make sure that a physical QR code hasn't been covered by a malicious one, including a sticker.
- Avoid installing third-party QR code apps on your phone; instead, use the ones built into your phone, which provide more security.
Best practices for businesses:
- Regularly check QR codes displayed on tables or in common areas to ensure they haven't been tampered with.
- Present your business logo alongside the QR code to provide more validity for patrons.
- Make sure the URL includes your business name (instead of a bit.ly address, for example).
SIM card swaps
With this kind of scam, criminals impersonate their victims with the phone carrier.
"For example, the criminals call AT&T and tell them you got a new phone or lost your old phone and need to transfer your number over to their SIM card," Garrett said. At this point, the representative would ask for your PIN, and if it's easy to guess, the criminals would be able to access your account and transfer your number to their new SIM card.
"The end game isn't to gain access to your text messages or voicemail – it's to get your multi-factor authentication (MFA) for your accounts," he said. MFA is an authentication method that requires two or more verification factors (like username/password plus a code sent to your phone) and provides an extra layer of security for your accounts.
How to protect yourself:
- According to Garrett, this scam is difficult to block, but one way is to add a PIN to your SIM card.
- Make sure your PIN or secret phrase isn't something that's easily guessed (avoid combinations like 1234).
- Make it harder for attackers to find information about you, such as names of family or friends, by locking down your social media profiles and monitoring what's available about you online.
- Change your authentication methods. If your MFA is set up using SMS (a text message), attackers will have an easier time accessing your accounts. Consider using another authentication method, such as the Google Authenticator app.
Google Voice Authentication
The FBI is also warning about a Google Voice authentication scam that targets people who list their phone numbers publicly on "for sale" sites or other websites. In this scheme, scammers reach out via text or email to the person who listed their number, showing interest in an item or service (such as those listed on Craigslist or Facebook Marketplace), and then ask the seller to authenticate themselves by sharing a code from Google.
With that code, the scammer sets up a Google Voice number in the person's name and can conduct other scams without getting traced. In this scenario, the scammer can also gain access to the person's Gmail account and potentially do even more damage.
How to protect yourself:
- Avoid listing your phone number publicly, especially on social media.
- Never disclose a Google verification code.
- Avoid sharing your email with people doing business over the phone.
- Only use valid payment methods with added security features, such as PayPal, Venmo, Apple Pay, etc., so that security measures are in place to protect your banking information.
Best practices for businesses:
- If you're using Gmail-based workspaces, you should be especially cautious about this scam since the criminals may try to gain access to your main Gmail account to send phishing emails to your business contacts.
- If your business uses a Google Voice account, make sure your Google account has MFA set up.
- Do not share your Google codes for any reason.
- Limit the number of people with access to your Google Voice account.
Boost your security
Whether you're an individual or a business, there are a few best practices you can follow to help thwart would-be scammers and better protect your data.
"When it comes to protecting yourself online specifically, pay attention to where you're going and what you do there. We're seeing so many more ads and 'products' on social media that are masking criminals trying to access your information," Garrett said. "Scrutinize the site and, if it doesn't feel right or legitimate, don't provide any of your personal information."
- Be wary of SMS messages. Unless you're expecting a message from a trusted sender, don't click on links sent via SMS. These links can contain viruses or malware that may lead to your data being stolen.
- Enable MFA across all applications. Your banking apps, email and social media accounts are targets for cybercriminals, so adding an additional layer of protection can safeguard your account if an attacker gains access to your password.
- Use strong passwords. Avoid using the same password for multiple sites and make sure it's not easy to guess. Also, make sure your answers to password recovery questions aren't publicly available (such as your mother's maiden name).
- Leverage a password manager. Storing passwords in your keychain or on your browser is convenient, but criminals can easily bypass these protections to gain access. Consider storing your passwords in a password manager like 1Password, which can auto-generate more secure passwords and alert you if your login information has been compromised.
- Train your employees. There's a lot of technology that can be used to protect your business, but your employees are your first line of defense. Educating employees about what to look for in phishing or social engineering attempts, and putting policies in place that add extra layers of protection (like calling to verify with a vendor before wiring money), can go a long way in protecting you and your customers.
Learn more about BOK Financial's online security, or call 844-517-3308 to report suspicious activity on BOK Financial-related (and affiliated) accounts. The Cybersecurity and Infrastructure Security Agency keeps an up-to-date list of current threats as well.