The following scam recap was provided by an employee of ELGA Credit Union.

Recently I purchased several items from Amazon (unfortunately an all to frequent occurrence). A few days later, while at work, I received a call that stated they were calling from Amazon regarding a few suspect transactions on my Amazon account. They stated there was an order placed for a iPhone 12 to be delivered to Maryland. Obviously I’m in Michigan so product delivery to Maryland would raise some flags for Amazon.  As I had recently placed an Amazon order, I was taken aback and concerned.  I stated I did not place this order, and the caller proceeded to state he would block the order.  He then asked several relevant questions as far as if I had responded to any recent emails or calls stating they were Amazon, knew of anyone that could have used my Amazon account to place the order, etc. – all of which I answered No to.  He then stated it was important to block the fraud account that had been created with my information, which he would assist me with over the phone.  He then requested I have my phone available and on speaker.  He then directed me to go to the App store and search for an app called GoToAssist.  Essentially this app is used by many legitimate companies for many legitimate reasons, and allows a remote user access to your phone.  At this point I did end the call as I was aware it was a scam and an attempt to gain access to my phone.  

As part of my employment with ELGA, I was familiar with this type of ‘hijack’ scam.  Even so, for much of the beginning of the call I was concerned there had been a legitimate compromise of my Amazon account and wanted to be sure to protect myself.  These calls play on your fear and a little bit of panic in being told there is a large dollar order being place on your account.  Any one of us can fall victim to one of these scams! The caller did not ask for my card # or any personal information and asked relevant questions regarding the supposed fraud transaction.  Only when he directed me to access the app store was I 100% certain this was a scam call.  These fraudsters are very good at presenting themselves as a support person, someone there to help protect you, and a reputable associate of a legitimate business (Amazon in this case).   Don’t fall for it!    As soon as anyone asks you to download any sort of software – it is suspect, especially if it’s a remote access app.  Once they get access to your phone, very often they download additional apps or software, or can access any other apps you have on your phone (perhaps a cash app? With your password saved?) (your ELGA online banking app?)   If you are ever unsure, call the vendor direct with their publically posted contact information (do not use a number provided to you by an unknown person).  

Stay safe!

You may have heard about the Grandson Scam…an unknown person, usually male, calls an elderly person and pretends to be their grandson, in jail, and needing money or gift cards immediately.  There is a new twist to this scam showing up in Genesee County. They are now asking for money and then sending someone to the house to get the cash. 

There has been one successful incident recently where an elderly female was asked to withdraw 18k cash.  Once she did, she was given a confirmation number and bail number over the phone by the “Attorney.”  Shortly after, a U-Haul box truck pulled into her driveway.  A male driver got out, identified himself as “Robert Garcia,” and then collected the cash from the victim.  He was described as mid-30’s, dark hair, stocky build, 5’8”, 220 lbs., possibly Hispanic or Middle-Eastern.

The next day, another victim was called about the same thing and once she got the 9k cash, she was told 2 Bail Bondsmen would be sent to her house shortly.  The victim questioned if this was all just a scam and they hung up without calling back and their phone number could no longer be called.

If anyone hears about a situation like this please do not hesitate to reach out to SGT Jillian Macey of the Elder Abuse Victim agency of Genesee County (810-424-4403). 

Reports are being shared with credit unions that Zelle users have been experiencing fraudulent texts and calls. This article explains the scam and what you can do to protect yourself. 

Zelle is a preferred target because of the speed in which the transfers are made, which is usually done within hours, and not days. Other person-to-person (P2P) vendors have been targeted as well with the same process.

Here’s how the scam works:

• Fraudsters send text alerts that appear to come from the financial institution warning of suspicious debit card transactions
• Fraudsters call when you respond to the text, often spoofing the financial institution’s phone number and claiming to be from the fraud department.
• To verify your identity, the fraudster asks for your online banking username and tells you that you will receive a passcode via text or email that you then need to provide to the fraudster. It’s actually the fraudster initiating a transaction that will send the verification to you.
• Providing the code to the fraudster will allow them to log into the account using a device not recognized by the system. 
• Once they are logged in, the fraudster will change online banking passwords and use Zelle to transfer funds to others.

Even with the more sophisticated out-of-band authentication with transaction details that Zelle provides, the fraudsters have a work around. They keep you on the phone even after getting your passcode and have you wait for the additional message, telling you that you need to reply Yes to the message to reverse the fraudulent transaction.

What you need to do to protect yourself:

1. Be wary of texts or calls regarding Zelle coming from any financial institution. 
2. Never provide personal information in response to a text message or a call placed to you from a financial institution.
3. Make sure that any call you make to a financial institution is using a reliable and published phone number.
4. If you suspect fraudulent texts or calls from ELGA Credit Union, please report them by calling (810) 715-3542 and talking to a call center agent.

Once again, scammers are upping their game. It typically starts as someone contacting you to solve a technology problem that you may not even know you had and offering assistance that (in the end) you may not even need. They start by requesting remote access to your computer to determine what the problem is, and that is when the trouble can start.

Below is an outline of things that can happen when a scammer gains access to a computer:

• You may be asked to purchase software or a fix. They will request your credit card information.
• Software may be installed that is hidden from the user and not authorized by you.
• Screen scrapers (software that records and transmits what is displayed on your screen) and key loggers (software that records and transmits what you type) may be used to help them gain credentials (user names and passwords). At this point they could get access to everything to which you have access.  
• If they are able to get a password to online banking, scammers may attempt to transfer a small amount of money between accounts to see if it works before attempting “transfer to any account” and draining all available. These test transfers are usually for a $1 or less. Since the scammers have access to email accounts on that computer, they can receive your email verification code to complete the transaction.

Here are some things you can do to protect your accounts:

• Set up an online banking alert to message you for any of the following:
  • Unauthorized Change in your Contact Info
  • Login Credential Change
  • Unauthorized Password change or Reset Request
• Keep an eye on your account for small transfers that you did not originate.
• Avoid setting up an automatic login to accounts.
• Only allow computer updates and fixes from verified sources.
• Never give credit card or personal information to someone who calls you.  It’s best if you look up the support number or verify their contact information. Be cautious if they will not allow you to contact them.

Protect the Confidentiality of Your Login ID and Password

There are three very simple steps you can take to keep your online banking account secure.

#1 – Create a unique login name that is only used for your ELGA account
#2 – Create a good, strong password
#3 – Never share the above information.

Here are additional tips you can follow to prevent unwanted access to your accounts:

• Memorizing your password is the best protection. Never store account information with your login name or password.
• Do not set your internet browser to remember your login ID and/or your password.
• Do not share your password with anyone. Sharing your password with someone else is the same as giving that individual authority to use your name in a transaction.
• Make sure you log out when you’re done using online or mobile banking. Closing the browser is a good practice after you log out.

These are 30 of the most used passwords in the world. Please don’t use any of these.

It’s a good time to check your mobile devices for upcoming subscription services that will automatically deduct money from your account. These are apps that you’ve agreed to pay a monthly or annual fee to use. It’s easy to forget they exist.

Fleeceware apps have been found on Android and Apple IoS devices. Fleeceware apps are not malicious but they do set themselves up for recurring payments, typically after you’ve accepted a trial version. Deleting the app does not always cancel the subscription.

How to cancel mobile app subscriptions

This is how to do it on iOS devices (as described in this Apple support page):

1. Open the Settings app.
2. Tap your name, then tap Subscriptions.
3. Tap the subscription that you want to manage. Don’t see the subscription that you’re looking for?
4. Choose a different subscription option, or tap Cancel Subscription. If you don’t see Cancel Subscription, the subscription is already canceled and won’t renew.

Steps needed on Android devices (based on this Google Play Store support page):

1. Open the Play Store.
2. Check if you’re signed in to the correct Google Account.
3. Tap the hamburger menu icon ​​ Subscriptions.
4. Select the subscription you want to cancel.
5. Tap Cancel subscription.
6. Follow the instructions.

Scammers are taking advantage of fears surround the Coronavirus.  The Federal Trade Commission has put together some tips to help avoid scams.  It’s important to remain diligent in protecting yourself from being taken advantage of.  

Important Tips from the Federal Trade Commission

• Hang up on robocalls. Don’t press any numbers. Scammers are using illegal robocalls to pitch everything from scam Coronavirus treatments to work-at-home schemes. The recording might say that pressing a number will let you speak to a live operator or remove you from their call list, but it might lead to more robocalls, instead.

• Ignore online offers for vaccinations and home test kits. Scammers are trying to get you to buy products that aren’t proven to treat or prevent the Coronavirus disease 2019 (COVID-19) — online or in stores. At this time, there also are no FDA-authorized home test kits for the Coronavirus. Visit the FDA to learn more.

• Fact-check information. Scammers, and sometimes well-meaning people, share information that hasn’t been verified. Before you pass on any messages, contact trusted sources. Visit What the U.S. Government is Doing for links to federal, state and local government agencies.

• Know who you’re buying from. Online sellers may claim to have in-demand products, like cleaning, household, and health and medical supplies when, in fact, they don’t.

• Don’t respond to texts and emails about checks from the government. The details are still being worked out. Anyone who tells you they can get you the money now is a scammer.

• Don’t click on links from sources you don’t know. They could download viruses onto your computer or device.

• Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).

• Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.

For more information visit https://www.consumer.ftc.gov/features/coronavirus-scams-what-ftc-doing. 

There are a number of peer-to-peer payment apps, also known as P2P, available to make it easy to transfer funds from one person to another. These are a few of the most popular:

• Venmo
• Cash App
• Paypal Friends and Family
• Square Cash
• Zelle 
• Facebook Messenger
• Apple Pay
• Google Pay

P2P is similar to using cash, without actually touching the money. You take funds from an account where you have money and transfer it to another person. Because it’s easy, and because you don’t have to be physically present to make the transaction, this convenience becomes a breeding ground for scams. 

The most common types of P2P scams occur with online ads for merchandise, tickets to concerts and sporting events, puppy scams, fake check scams, and romance scams. What’s common among them is that they claim making a P2P payment is the only option to get the item or service.

Important things you should know about P2P transactions:

• The application is only responsible for transferring of funds. The company backing the application is not responsible for the merchandise.
• These purchases are not able to be disputed, you are fully responsible for any loss you may incur.

Tips to protect yourself:

• Don’t use P2P to purchase products 
  If an online retailer requires payment via a P2P payment service, it’s probably a scam.
• Double check the address, username or phone number of the person you are trying to send money 
  If you make a mistake and send the money to the wrong person, it can be very difficult, or even impossible, to get the money back. If you’re worried you may have the wrong person, send a small amount first to confirm that your intended recipient received it.
• Opt-in for stronger security 
  Almost every popular P2P platform offers the ability to create a personal identification number (PIN). Once that PIN is created, it will be required before any money can be transferred. This extra layer of security protects your money should your phone fall into the wrong hands.
• Send money only to people you know 
  Many peer-to-peer transactions are irreversible, a fact scammers know and exploit.
• Don’t use P2P services for business purposes
  Most of the P2P apps have terms of service which prohibit commercial use, such as using the P2P service to get paid for selling goods or services.

Big events bring out scammers. Here’s what to be aware of going into Super Bowl Weekend:

Summary: One of the most-anticipated sporting events of the year is almost here. Like any popular event, the Super Bowl can be a fertile breeding ground for various malicious actors looking to scam you out of your hard-earned money or your personal data. A wide variety of scams targets both spectators who are watching from the comfort of their living rooms and those cheering for their teams in the stadium. Here are some ways you can tackle security offenses that may be targeted against you.

The Big Three!

• Streaming from unverified sites
• Tickets from unofficial sources
• Special apps and hotspots

Read more on how to protect yourself here: Don’t get sacked!

Beware the false sense of urgency many phishing attacks cause.

The ongoing PayPal attack sends emails camouflaged as ‘unusual activity’ alerts warning you of suspicious logins from unknown devices. This campaign attempts to gather all your credentials and financial info. The newest phishing attack and how it works is explained here.
The following information is taken from the linked site.

PayPal lists the following signs you can look for to identify phishing messages easier:

• Impersonal, generic greetings are used; such as “Dear user” or “Dear [your email address]”
• Asks you to click on links that take you to a fake website
• Contains unknown attachments
• Conveys a false sense of urgency
• “Your account is about to be suspended,” “You’ve been paid,” or “You have been paid too much” warnings

Customers who have spotted a phishing message in their inbox posing as an official email sent by PayPal are asked to report it as soon as possible by forwarding it spoof@paypal.com and to delete it as soon as possible.

As always, the safest way to get to a site is to write the address of the site manually in the web browser or use a previously created bookmark if available to avoid being redirected to sites designed to collect your info or infect your computer with malware.