By Menah Strong
With the rise of any natural disaster or emergency, fraudsters see opportunities — chances to exploit others by conning them into handing over personal information and money, sometimes right down to their last dollar. For Americans affected by COVID-19 — physically, mentally and/or economically — criminals found ways to steal over $145 million through pandemic-related scams, according to data from the Federal Trade Commission.
The FTC recently issued a fraud report, citing close to 206,000 claims from Jan. 1 to Sept. 22, all tied to coronavirus. Some were connected to federal stimulus payments, paycheck protection and other government relief; others to falsified purchases of protective equipment; and still others to unemployment and health benefits. Also included were vaccine and romance scams (yes, criminals went so far as to lure in those who were isolated and lonely and in search of relationships during the pandemic).
With scams on the rise, it is important to be on alert. But I maintain it’s important to always be on alert, because fraud happens every single day, not just during a pandemic or an emergency. Bank professionals work tirelessly to protect customers from scams and to help customers who have been victims of fraud, but scammers are getting more convincing. One way to stay ahead of them is to pay attention to the details.
As someone who has worked in the banking industry for 23 years, I have become what I like to call a “professional skeptic.” As such, I read all my texts and emails and listen to people who call me, with an eye and ear for the details. I recommend everyone do the same.
As an example, let’s look at a business email compromise scam, where a scammer highjacks a business email account and sends out an email on behalf of the company, with false instructions on how to wire funds into a fraudulent account. Let’s say you’re a business owner or employee and you receive an email from one of your trusted vendors with “new” instructions for wiring money. The email appears to be legitimate. What should you do?
Before you do anything, call the vendor directly. Don’t use the number at the bottom of the email; use a number that is already known to you, from a business card, an invoice or the vendor’s official website. Call the vendor and read them the instructions exactly as they appear in the email, item by item, line by line. The vendor will be able to tell you if the instructions are correct. And if you’re the vendor, listen to the instructions carefully, especially to the account numbers. Again, details are critical, because once funds are wired, the money is gone. The consequences can be tragic.
Americans lost $1.9 billion to fraud in 2019, according to the FTC, and they stand to lose a lot more this year. Much of the fraud is phishing, and in many instances, phishing emails appear to come from financial institutions. That’s why, as part of National Cyber Security Month, financial institutions across the U.S. have joined the American Bankers Association (ABA) for a “Banks Never Ask That” campaign to educate consumers about the persistent threat of phishing schemes.
According to the ABA, “phishing is when you get emails, texts or calls that seem to be from companies or people you know, but they’re actually from scammers. They tempt you to click on a link or share personal information (like a password or social security number) so they can use that information to steal your money and/or identity.”
Banks will never reach out to you via phone, email or text to ask for the following:
• Account number.
• Username or password.
• Social Security number.
• PIN number.
• The answers to your security questions.
• A one-time code.
If you receive suspicious texts, emails or phone calls, especially from a financial institution, asking for any of the above information, delete the text, trash the email or end the call, because “banks never ask that!”
It is important to note that you may be asked to verify confidential information if you call your bank, but rarely the other way around. Like I mentioned above, “If you’re ever skeptical that a bank call or email is legitimate, or if a caller is pressuring you or telling you something bad will happen if you don’t give them money or information, hang up and call your bank to talk to a real bank employee.”
To provide some additional tips, I enlisted Dan Anthony, Bank of Utah’s information security officer, to help. He said one of the most important things you can do is secure your email and other communication accounts.
He explained how common password reuse is across the world — common, and unfortunately, dangerous. Novice hackers can cheaply purchase massive databases of stolen email addresses and passwords. If you’re using the same password or a slight variation of that password for email and online banking, the question is not if your accounts may be compromised, it’s when.
Dan recommends the following:
1. When available, enable multi-factor authentication (MFA) for all of your accounts, such as your email, PayPal and Amazon accounts, etc. Think of MFA like adding a deadbolt. It requires you to input your password and a random code on your phone. The extra work required is a great deterrent.
2. Use a passphrase — a sentence or random series of words — where possible. Length is key, the longer the better.
3. Always use unique passphrases. A few dollars a month spent on a credible password manager, such as LastPass, Keeper or 1Password, is a great investment. Bonus: you only need to remember one passphrase.
4. Combine all of the above for the best results.
And remember, contact your financial institution if you suspect you’re being, or have been, scammed. It’s always better to be safe than sorry.
For more information and tips from the ABA’s National Cyber Security Month campaign, visit www.BanksNeverAskThat.com.
Menah Strong is a senior vice president and chief administrative officer for Bank of Utah in Salt Lake City.