
Financial Scams

Updated 10-10-2016

  Financial fraud is rampant on the
  Internet because the "Bad Guys" can hide
  their identity with little risk of
  exposure: low risk, big reward.

  Learn from the examples below of
  actual attacks and see how easily
  they can be spotted and crushed. 


  FINANCIAL INSTITUTIONS SCAM #1 
For your protection, all links and attachments have been removed!  If you find any, don't use them!
 

TO:         YourEmailAddress@whatever.net; on behalf of; 'Bank of America' 
               bankofamerica@secureserver.com <sometimes the e-mail address is repeated here>
               bankofamerica@secureserver.com <sometimes the e-mail address is repeated here>

SUBJECT: Recent suspicious activity on your online account

ATTACH: ID Confirmation.html (31 KB)

Dear Customer,

 

We have recently detected that a different computer user has attempted gaining access to your online account, and multiple passwords were attempted with your user ID.

 

Hence, your account requires a complete profile update and it is now necessary to re-confirm your account information to us.

 

If this process is not completed within 24-48 hours, we will be forced to suspend your account online access as it may have been used for fraudulent purposes.

 

Please update your profile immediately by downloading the attached file.

 

Bank of America, N.A. Member FDIC. Equal Housing Lender

 

© 2015 Bank of America Corporation. All rights reserved.


===============


So what's happening here?

    1.  Why would a large company use an e-mail domain name of "secureserver.com"?
       Certainly they can afford one using their own name, right?  The reason:  They want to build confidence this is "the real deal" and make you think it actually IS a Secure Server.  Don't take any bets it is secure!

    2.  They generate fear your financial security is at risk; that you must act immediately, do not stop to think, do what we tell you because we are not the bad guys.  So turn your mind off, do what you are told to do and be our robot.  And people actually become their robot!

    3.  IF YOU WERE THE TARGET OF AN ATTACK OR WERE ACTUALLY ACCESSED,
       it is unlikely a complete File update is needed ... like you're going to change your name or something like that?  The dream is to get you to provide full details about yourself for their future use including sale to others.

       Keep in mind two other things:
           a)  the form may be a form or it may launch malware into your computer
           b)  if it is a form, asking for medical information dramatically increases the value of
                your data to them and makes identification of yourself more complicated.


    4.  The EXPLICIT SENSE OF URGENCY TO ACT NOW before you ask "WHAT AM I DOING?"
       When people panic often the wrong things are done and they are guiding you to those
       things.


       NOTE: This is only one example of many similar fraudulent notices reported to be from other
                  large and well known institutions.  The reason?  Many people have accounts there and
                  some of them may get this note and do what they are told to do.  Phishing Attacks
                  (getting people to do something they should not do by using fear, persuasion,
                  compassion, etc.) are a numbers game.  Make it appealing to the most number of
                  people and you maximize your take.

                  With your profile they can THEN drain your bank account and open new accounts and
                  overrun the authorized balances there as well.


    5.  WHAT IF YOU ARE UNSURE?
       If you have a card from them, call the number listed and talk to a Representative.
       If you sent the bad guys your profile, put a freeze on your information with Credit Reporting
       Bureaus to prevent someone from opening new accounts or trying to change information.
       These include
       http://transunion.com/, http://experian.com/, http://equifax.com/
       If you do not have a card, look their number up in the telephone book or on-line.
       It is unlikely that a group would hack a corporate web site to change a phone number.



  FINANCIAL INSTITUTIONS SCAM #2 
For your protection, all links and attachments have been removed!  If you find any, don't use them!
 

TO:         YourEmailAddress@whatever.net; on behalf of; 'Wells Fargo Alert' 
               wellsfargo@e-alert.com <sometimes the e-mail address is repeated here>
               wellsfargo@e-alert.com <sometimes the e-mail address is repeated here>

SUBJECT: Unauthorized activity on your online account


Case ID: 2452741

 

Wells Fargo's Digital Channels Group Fraud Operations would like to verify some recent activity on your account.

 

To help protect your Wells Fargo account(s) from unauthorized access, we have restricted your online access, which will remain in effect until you complete a verification proccess with us.

 

Please, In order to verify your account download the attached file, fill out the required information and save your profile.

 

We are sorry for any inconveniences this may have caused on you.

 

Thank you for being a valued Wells Fargo Online(R) customer.

 

Sincerely,

 

Wells Fargo CIS Team (Customer Information Service)

 

(C) 2015 Wells Fargo Bank, N.A.  All rights reserved. Member FDIC



===============


So what's happening here?
  • First RED FLAG:  The bad guys forgot to include the required attachment.
    Note how this is a variation of Financial Accounts 1 (except they remembered the attachment)?

  • To verify activity, why do you need to complete a verification process by providing your information, which they already have, to them?  Would they not be calling you?

  • There is no sense of urgency which is very uncommon.  Most scams are active only for a few days before they shut everything down and move to a new location to prevent capture, arrest or being surrounded by some of their victims.  They need you to act promptly to get your information.

  • WHAT IF YOU ARE UNSURE?
    If you have a card from them, call the number listed and talk to a Representative.
    If you sent the bad guys your profile, put a freeze on your information with Credit Reporting Bureaus to prevent someone from opening new accounts or trying to change information.
    These include http://transunion.com/, http://experian.com/, http://equifax.com/
    If you do not have a card, look their number up in the telephone book or on-line.
    It is unlikely that a group would hack a corporate web site to change a phone number.



  FINANCIAL ACCOUNTS SCAM #1  
The e-mail text and formatting below is from an actual e-mail.
Can you find the 9 flags of potential fraud in this e-mail?

SUBJECT:  Irregular Check Card Activity  (also seen with subject about On Line Account Activity)

Dear Customer,

 

We have recently detected that a different computer user has attempted gaining access to your online account, and multiple passwords were attempted with your user ID.

 

Hence, your account requires a complete profile update and it is now necessary to re-confirm your account information to us.

 

If this process is not completed within 24-48 hours, we will be forced to suspend your account online access as it may have been used for fraudulent purposes.

 

Please update your profile immediately by downloading the attached file.

 

Bank of America, N.A. Member FDIC. Equal Housing Lender

 

© 2015 Bank of America Corporation. All rights reserved.

--

Esta mensagem foi verificada pelo sistema de antivírus e acredita-se estar livre de perigo.



WARNING SIGNS IN THIS E-MAIL

  • The salutation is wrong.  They know it's my account yet they don't know my name?

  • First sentence could be true but a different computer can also be detected which is more likely.  Why is it a different user versus me not remembering my password?  It adds to the fear factor.

  • You should never need to do a complete profile update over potential hacking.

  • Attempts to access your account call for potentially changing your User ID, but absolutely call for changing your Password to one that meets the basics:
    a)  it cannot be found in any dictionary of any language including Klingon from Star Trek
    b)  it contains upper and lower case characters adding complexity against brute force cracking
    c)  it contains numbers and special characters adding complexity against brute force cracking
    d)  it should be at a minimum 8 characters in length, and the greater the length the better the security

  • 24-48 hours is key as that is about how long these people stay in business in one place.  They move often to reduce the risk of capture and arrest.

  • All they want is your personal information by using an attached document or link.  Did you see it?

  • A repeated message about the urgency to act, ideally before thinking about what you're doing.

  • Copyright notices are common to build trust this is authentic.

  • Note this English language e-mail includes a line of Spanish to build confidence?  The bad guys made this glaring "tattle tale" mistake along with not providing the referenced attachment.

A nearly identical e-mail regarding an on-line account at Bank of America is also being circulated.  While they did remove the Spanish language line, they also failed to include the critical attachment.

If you have questions regarding any account, use the phone number on your last statement from the company or printed on your credit cards to ensure you are getting to the right people.  They may request you send the e-mail to them and often will provide specific steps for you to take to send that to them.  This is to capture as much of the original e-mail as possible for tracing and prosecution purposes.
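
Several of the warning signs discussed above and under Financial Institutions Scam #1 (a sender domain that does not belong to the named company, a generic salutation, a 24-48 hour deadline, a request to open an attached HTML file) can be checked mechanically. The following is an added example, not part of the original page; the brand-to-domain list, the flag names and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allow-list for this example: brand name -> domains it really sends from.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "wells fargo": {"wellsfargo.com"},
    "american express": {"americanexpress.com"},
}
GENERIC_GREETING = re.compile(
    r"^dear\s+(customer|esteemed client|linkedin user)\b", re.I | re.M)
DEADLINE = re.compile(r"within\s+\d+(\s*-\s*\d+)?\s+hours|immediately", re.I)
ASKS_FOR_FILE = re.compile(r"(download|open|find)\w*\s+(the\s+)?attached", re.I)


def phishing_flags(msg: EmailMessage) -> list[str]:
    """Return the names of the warning signs found in one parsed e-mail."""
    flags = []
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        # Sender names a brand, but the domain is neither the brand's own
        # domain nor a subdomain of it.
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not owned:
            flags.append("brand-domain-mismatch")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for name, pattern in (("generic-salutation", GENERIC_GREETING),
                          ("urgency", DEADLINE),
                          ("asks-to-open-attachment", ASKS_FOR_FILE)):
        if pattern.search(body):
            flags.append(name)
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith((".html", ".htm")) for n in names):
        flags.append("html-attachment")
    return flags


def sample_message(sender: str) -> EmailMessage:
    """Constructed sample modelled on the first e-mail quoted on this page."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = "Recent suspicious activity on your online account"
    m.set_content(
        "Dear Customer,\n\nIf this process is not completed within 24-48 hours, "
        "we will be forced to suspend your account online access.\n\n"
        "Please update your profile immediately by downloading the attached file.\n")
    m.add_attachment("<html><form></form></html>", subtype="html",
                     filename="ID Confirmation.html")
    return m
```

Calling phishing_flags(sample_message('"Bank of America" <bankofamerica@secureserver.com>')) reports all five flags. No single flag proves fraud; the score is a reason to stop and phone the company using the number on your card or statement.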


  FINANCIAL ACCOUNTS SCAM #2 
With minimal effort, you can make money from the comfort of your Jacuzzi ... except you may have to sell the Jacuzzi and the house if you take this deal.  This smacks of the "minimal effort, maximum reward" job whose only down side is zero income, loss of all funds in your bank, extreme cell phone charges (and not limited to calls either), plus damage to your reputation and credit worthiness and, most likely, the first paycheck never arrives.

Here are some things to consider:
  1. "Dear LinkedIn User,"  This is clearly not a professional organization from the start.
    Indicates they have no information as to who you are.

  2. Google "Ciber Outsourcing AB" and see what comes back ... nothing tied to this group.
    One might think after 40 years in IT they would have some electronic footprint on the Internet.


  3. Yes, you in whatever country you may be in, will be our Representative to the Philippines.  Why?

  4. You give them your bank account information, customers send you payments directly, you keep 10% but when and where do you forward money to them?  You'll never know.  But no worries!  The only thing you are likely to experience is the sound of money rushing out of your account.

  5. Of course you will need to open an account with the ChinaBank or RCBC (Rizal Commercial Banking Corporation, a bank in the Philippines with significant presence in the Filipino-Chinese community).  Any guesses what country your dollars end up in?

  6. Notice they do not want a land line telephone number.  You can't charge things to a land line but in other countries you can charge to a cell phone number well beyond just long distances costs.

  7. Their address in Stockholm seems to be dining establishments, hotels and one casino.
    The London address is reported by Google as a different company.


  8. And one little other thing?  If you don't have your e-mail address visible on your LinkedIn Profile, LinkedIn keeps it private.  So where did they get your LinkedIn e-mail address from?  Most likely not from LinkedIn!

So in a few minutes you can raise serious questions about the offer just by running a few Google searches.  There is always a chance this is totally 100% legitimate ... what do you think?

Below is the actual e-mail text sent:

==========

Dear Linkedin User,

See below Vacancy/Contract Request from Ciber Outsourcing AB.

DETAILS:

Ciber Outsourcing AB, is a global information technology company with 40 years of proven IT experience, world-class credentials and a wide range of technology expertise. We help clients discover and harness the competitive advantages that are possible in an increasingly digital, networked world.

Due to recent orders and ongoing expansion of our services in Philippines, we are in need of individuals who will work as representatives.

KEY RESPONSIBILITIES: 

You will be required to work as a representative of Ciber Outsourcing AB. from Philippines. Your responsibility will be to receive payment from our clients. Such payment will come as Local Transfers and Wire Transfers, paid directly to your bank account. You will get up to 10% Commission on every payment and a monthly salary of USD $3,500 will be paid on the 28th of every month. This job is part time and will not require much of your time as you are only working as a payment agent.

Details:

    • You are required to have a basic knowledge of English
    • You will receive a Monthly Salary of USD 3,500
    • You will get 10% of every payment you receive on behalf of the company.

Kindly email us the following details to apply.

Your Full Name : 
Contact Address :
Your Mobile Phone Number :
Bank Name:
Account Number:

NOTE: We currently only accept CBC (ChinaBank) and RCBC accounts.

The payment process will proceed as soon as your application has been received. We will also have our agent call you to give you more details on incoming payments and also inform you what is required of you after payment has been made.

Kindly reply to this email and we shall get your email and get back to you.

Regards,

Paul E. Musson
Ciber Outsourcing AB.
Vasaplan 2833, Stockholm SE-101 37 , Sweden.

London Office:
393 Jermyn Street London. SW1Y 6DN United Kingdom




  FINANCIAL ACCOUNTS SCAM #3 
The e-mail text and formatting below is from an actual e-mail.
Can you find the 12 warning flags of potential fraud in this e-mail?
Never open any attachment until you have confirmed the attachment(s). 
Companies, as a general practice, do not send attachments via e-mail due to
the potential for fraud or attacks.


    SUBJECT:  Important Alert Notifiation: Requirement Regardng Your Card

                   Your Account Number Beginning: -37XX 

Dear Esteemed Client,

We advice all Valid Users to follow our new system procedures for on-line access,
Kindly follow the given instructions in order to comply with our new system requirements.  By passing back and forth secret information that only you and us know, you can feel even more secure with your online banking experience.  We recognize you and you recognize us.

You are reuqired to review your account information to preclude a recurrence of any future attention with your card on-line access.

To Proceed, Please find attached HTML Web Page.

    • See Attached for HTML Web Page
  • Download and Save it to your Device Desktop
  • Go to Device Desktop to open the HTML Web Page
  • Continue by Filling your Information
                      Thank you for being our Valid Cardmember. We look forward to serving you best.
           
           Sincerely,

         American Express Card Services



Privacy Statement           
Add Us to Your Address Book

This customer service email was sent to your email adrress on file with American Express. You may receive customer service emails even if you have requested not to receive marketing emails from American Express.

Copyright 2013 American Express Company. All rights reserved.


GENEVAZR0001703                                   

==========

WARNING SIGNS IN THIS E-MAIL

  • While it did not make this copy, the image of the American Express card was of incorrect dimensions and distorted from repeated copies and size changes over time.  This is a major corporate image that no corporation would allow to be released when it was not pristine in appearance.

  • The subject line has words "beginning" and "regarding" misspelled.

  • Why do they say account number beginning then show the ending digits (from the hyphen)?

  • The salutation is inappropriate.  They say they know my account number yet don't know my name?

  • The first sentence, at the end of the line, has a comma but the next word is capitalized incorrectly.

  • The second line has the word "system" misspelled.  Later they use "reclude" versus preclude.

  • "We advise all Valid Users" is not common business language to customers and would they give guidance to invalid users?  Instructions for new systems are nearly always posted on the web site of the company to protect customers from phishing attacks similar to this one.  It is also a lower cost, faster distribution, and easier to find later means than anything else.

  • "You are required to review your account information to reclude a recurrence of any future attention with your card on-line access."  American Express is strongly recognized for outstanding Customer Service.  A statement like this would be unthinkable coming from American Express.

  • "To Proceed, Please find" ... neither "P" should have been capitalized.

  • Why would American Express need you to provide your information to them when they already hold it?

  • Why would this carry a copyright notice from 2013?

  • Why would this have a code starting with "GENEVA" when American Express is a US Corporation?

  • If you have questions regarding any account, use the phone number on your last statement from the company or printed on your credit cards to ensure you are getting to the right people.  They may request you send the e-mail to them and often will provide specific steps for you to take to send that to them.  This is to capture as much of the original e-mail as possible for tracing and prosecution purposes.