Security Tips

Consumer Technology Topic of the Month

Account Takeover Attack is a type of identity theft that occurs when a cybercriminal gains access to your online account and changes your login credentials to lock you out. Once you cannot log back in, a cybercriminal will use your identity to steal private information or even scam others. You can prevent account takeover attacks by using strong passwords, enabling Multi-Factor Authentication (MFA) and investing in dark web monitoring. According to a recent report, over 77 million adults have experienced account takeovers, with social media accounts being the most hacked.

What makes account takeovers so dangerous?

Account takeovers are very dangerous for individuals and organizations because they can lead to:

  • Stolen personal information
  • Loss of money
  • Vulnerability to identity theft
  • Damaged reputation
  • Compromised data

If a cybercriminal accesses an online account containing personal or customer information, they could use what they find to log in to additional accounts or sell the data to other cybercriminals on the dark web. Because an account takeover locks the victim out of their account, it becomes difficult for a person or company to regain access, retrieve data, recover finances, and repair their reputation.

How individuals can prevent account takeovers

As an individual, you can protect your information and prevent your account from being taken over by following these tips.

Use strong passwords for every account

Create a strong and unique password for each of your online accounts. A strong password contains over 16 characters and a combination of uppercase and lowercase letters, numbers and symbols. The longer and more random a password is, the more protected your account will be from cyber-attacks. When creating a strong password, avoid using common words or phrases, personal information or sequential numbers.

Enable Multi-Factor Authentication (MFA) whenever it’s available

Multi-Factor Authentication (MFA) is an additional security measure that requires users to provide extra proof of identity beyond a username and password. When you enable MFA, you are required to enter additional verification like a PIN, a code from an authenticator app or your fingerprint. Enabling MFA makes it much harder for cybercriminals to access your accounts since it will require them not only to know your username and password but also an additional way to prove your identity – which only you should have access to.

Learn to spot phishing attempts

Many account takeovers result from people falling for phishing attacks. Phishing occurs when a cybercriminal impersonates a person or company the victim knows to persuade them into sharing private information. Most phishing attempts use urgent language, persuading you to act quickly or threatening you if you don’t follow instructions immediately. Often, phishing messages contain spelling and grammatical errors, which you should be able to spot easily, knowing that most companies review emails multiple times before sending them. Check the sender’s email address to verify that the domain matches a reputable company before believing the sender’s identity.

Never click unsolicited links or attachments

If you ever receive an unsolicited email or text message that contains links or attachments, do not click on or download them. Even if a message appears to come from a company with which you have an account, you should go to the official company’s website or app and log in to your account that way instead. An unsolicited link or attachment could contain malware designed by a cybercriminal to steal your private data once installed onto your device.

You can check if a link is safe by hovering over the link, which will give you a preview of the URL, or copying and pasting the link into a URL checker. Check that an email attachment is safe by double-checking the sender’s email address and using antivirus software to scan any attachments.

Use a dark web monitoring tool

You can use a dark web monitoring tool to see if your personal information is on the dark web, a part of the internet where cybercriminals can buy and sell any information obtained through malicious activities.

How organizations can prevent account takeovers

There are several ways you and your organization can prevent account takeovers from compromising data and damaging your company’s reputation.

Employing a business password manager

If your organization is not already using a business password manager, this is your sign to start. A business password manager allows your employees to manage and store their passwords safely in a digital vault. Requiring employees to use a password manager within your company ensures they follow best password practices. A business password manager also allows employees to securely share encrypted passwords to collaborate safely. This ensures that passwords are not intercepted by unauthorized users and that login credentials remain secure in each employee’s encrypted digital vault. Password managers can also help enforce MFA by storing MFA codes within a record and auto filling them when a user needs to enter an MFA code on a website or account. Business password managers make storing and sharing passwords secure and convenient for any employee and organization.

Invest in Dark Web Monitoring

Your organization should invest in dark web monitoring to prevent account takeovers. Manager that constantly checks the dark web to see if any records stored in employee vaults match those on the dark web.

Limit the number of login attempts

Set a limit on how many login attempts someone can make to try and access their account. Brute force attacks occur when a cybercriminal guesses login credentials through trial and error, so if someone is given unlimited login attempts, they might eventually access an employee’s account. Since brute force attacks rely on multiple login attempts, limiting the number of attempts to three or four guesses will give employees enough tries in case they made a typo but will prevent potential cybercriminals from accessing an account.
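
One way to implement the attempt limit described above, as an added example that is not part of the original page. The lockout length, the names LoginLimiter and attempt_login, and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 4            # the page suggests three or four guesses
LOCKOUT_SECONDS = 15 * 60   # assumption: the page does not state a lockout length


def hash_password(password, salt):
    """Derive a password hash with PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginLimiter:
    """Counts consecutive failed logins per account and locks the account out."""

    def __init__(self, max_attempts=MAX_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock           # injectable so the lockout can be tested
        self._failures = {}          # username -> consecutive failure count
        self._locked_until = {}      # username -> time the lockout ends

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the user gets a fresh set of tries.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = self.clock() + self.lockout_seconds

    def record_success(self, username):
        # A correct login ends the run of failures (typos do not accumulate).
        self._failures.pop(username, None)


def attempt_login(limiter, users, username, password):
    """Return 'ok', 'denied' or 'locked'. users maps username -> (salt, hash)."""
    if limiter.is_locked(username):
        # Checked before the password, so guessing cannot continue while locked.
        return "locked"
    # Unknown accounts are hashed and counted too, so they behave like real ones.
    salt, stored = users.get(username, (b"\x00" * 16, b""))
    candidate = hash_password(password, salt)
    if username in users and hmac.compare_digest(candidate, stored):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "denied"


def run_demo():
    """Constructed scenario: four wrong guesses, then the right password."""
    now = [0.0]                                  # fake clock, in seconds
    limiter = LoginLimiter(clock=lambda: now[0])
    salt = os.urandom(16)
    secret = "constructed example passphrase 42!"  # constructed sample value
    users = {"alice": (salt, hash_password(secret, salt))}

    results = [attempt_login(limiter, users, "alice", f"guess{i}")
               for i in range(4)]
    # The right password is still refused while the account is locked.
    results.append(attempt_login(limiter, users, "alice", secret))
    now[0] += LOCKOUT_SECONDS                    # wait out the lockout
    results.append(attempt_login(limiter, users, "alice", secret))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The state here lives in memory for one process; a real deployment would keep the counters in a shared store so the limit holds across servers.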

Set up a Web Application Firewall (WAF)

Your organization can set up a Web Application Firewall (WAF), which helps filter traffic between a web application and the internet. By using WAF, your organization is protecting any web applications from potential cyber-attacks, including account takeovers. WAFs identify and block requests from unauthorized traffic and can even detect when cybercriminals’ bots are trying to infiltrate your accounts.

Implement zero trust

Zero Trust is a security framework that assumes every device and account is capable of being compromised. To combat this, every user – both human and machine – needs to constantly verify their identity within an organization through multiple authentication processes. The three core principles of zero trust are to assume breaches will happen, require everyone to verify their identity to access the organization’s network and data and ensure users have least-privilege access. All employee devices used on an organization’s network should be registered and managed to keep track of who is allowed access.

An important aspect of zero-trust solutions is least privileged access which grants employees only the access necessary to do their jobs, thereby helping prevent a data breach from spreading. That way, if one employee’s account is taken over, their limited access will not give cybercriminals as much access to the rest of the organization. For example, if an employee whose account was taken over had access to not only marketing data but also customer information, transactions and social media accounts, the cybercriminal would have access to much more valuable data.

Educating employees on security awareness

Make your employees aware of potential security risks and threats by running phishing tests, which are simulated phishing emails sent company-wide to see how employees react. These tests can help you determine if your organization is prepared for phishing attacks or if employees need further training on security measures. Educating your employees about security threats will protect you and your organization from cyber-attacks in the future.


Fake checks drive many types of scams - like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check - sometimes for several thousand dollars and usually for more than what you are owed - and wire some of the money back to that person. The scammers always have a good story to explain the overpayment - they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
How to Avoid Cryptocurrency Scams!
 
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

  • ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance - not to buy something, and not to protect your money. That's always a scam.
  • ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
  • NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
 
Here are some common investment scams, and how to spot them.

  • A so-called "investment manager" contacts you out of the blue. They promise to grow your money - but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
  • An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
  • Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
  • Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
  • Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details. 
  • IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!

Tips to Avoid Identity Theft

The best protection against identity theft is to carefully guard your personal information.  For example:

  • Do not share personal information over the phone, through the mail, or over the internet unless you initiate contact or know the person you are dealing with.
  • Be suspicious if someone contacts you unexpectedly online and asks for your personal information. It doesn’t matter how legitimate the email or website may look. Only open emails from people or organizations you know and, even then, be cautious if they look questionable. Be especially wary of fraudulent emails or websites that have typos or other obvious mistakes.
  • Don’t give out personal information in response to unsolicited requests. Be particularly careful about to whom you give your Social Security number, financial account information, and driver’s license number.
  • Shred old receipts, account statements, and unused credit card offers.
  • Choose PINs and passwords that would be difficult to guess and avoid using easily identifiable information, such as your mother’s maiden name, birth dates, the last four digits of your social security number, or phone numbers.
  • Pay attention to billing cycles and account statements and contact your bank if you don’t receive a monthly bill or statement. Identity thieves often divert account documentation.
  • Review account statements thoroughly to ensure all transactions are authorized.
  • Guard your mail from theft, promptly remove incoming mail, and do not leave bill payment envelopes in your mailbox with the flag up for pick up by mail carrier.
  • Obtain your free credit report annually and review your credit history to ensure it is accurate. 
  • Use an updated security program to protect your computer.
  • Be careful about where and how you conduct financial transactions. For example, don’t use an unsecured Wi-Fi network because someone might be able to access the information you are transmitting or viewing.

 

Tips to Avoid Frauds and Scams

Consumers should always exercise caution when it comes to their personal and financial information. The following tips may help prevent you from becoming a fraud victim.

  • Be aware of incoming email or text messages that ask you to click on a link because the link may install malware that allows thieves to spy on your computer and gain access to your information.
  • Be suspicious of any email or phone requests to update or verify your personal information because a legitimate organization would not solicit updates in an unsecured manner for information it already has.
  • Confirm a message is legitimate by contacting the sender (it is best to look up the sender’s contact information yourself instead of using contact information in the message).
  • Assume any offer that seems too good to be true is probably a fraud.
  • Be on guard against fraudulent checks, cashier’s checks, money orders, or electronic fund transfers sent to you with requests for you to wire back part of the money.
  • Be wary of unsolicited offers that require you to act fast.
  • Check your security settings on social network sites. Make sure they block out people who you don’t want to see your page.
  • Research any “apps” before downloading and don’t assume an “app” is legitimate just because it resembles the name of your bank or other company you are familiar with.
  • Be wary of any offers that pressure you to send funds quickly by wire transfer or involve another party who insists on secrecy.
  • Beware of disaster-related financial scams.  Con artists take advantage of people after catastrophic events by claiming to be from legitimate charitable organizations when, in fact, they are attempting to steal money or valuable personal information.

 

 

Account Takeover Fraud via Impersonation of Financial Institution Support

The FBI warns of cyber criminals impersonating financial institutions to steal money or information in Account Takeover (ATO) fraud schemes. The cyber criminals target individuals, businesses, and organizations of varied sizes and across sectors. In ATO fraud, cybercriminals gain unauthorized access to the targeted online financial institution, payroll, or health savings account, with the goal of stealing money or information for personal gain.
 
HOW IT WORKS
 
The cyber criminal impersonates the financial institution's staff or website to obtain access to the account. Cyber criminals usually gain access to accounts through social engineering techniques - including texts, calls, and emails - or through fraudulent websites.
SOCIAL ENGINEERING
  • A cyber criminal manipulates the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP), by impersonating a financial institution employee, customer support, or technical support personnel. The cyber criminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.
  • Social engineering methods include contacting account owners via fraudulent text messages, calls, or emails to trick the email recipient into providing their login credentials. In some instances, the cyber criminal states there are fraudulent transactions on the financial account and may link to a phishing website that the account owner believes will report the fraud or prevent additional fraudulent transactions.
  • In some instances, cyber criminals impersonating financial institutions reported to the account owner that their account information was used to make fraudulent purchases, including firearms. The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information.
PHISHING DOMAINS/WEBSITES
  • The cyber criminal uses a phishing website that looks like the legitimate online financial institution or payroll website to trick the account owner into giving away their login credentials. Believing the phishing website is the legitimate one, users enter their login credentials into the fraudulent site, unknowingly providing them to cyber criminals. 
  • Cyber criminals may also use a technique called Search Engine Optimization (SEO) poisoning. SEO poisoning refers to cyber criminals purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites by making them appear more authentic to customers who use a search engine to locate the business' website. When users click on the fraudulent search engine ad, they are directed to a sophisticated fraudulent phishing site that mimics the real website, tricking users into providing their login information. 
Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets; therefore funds are disbursed quickly and are difficult to trace and recover. In some cases, including nearly all social engineering cases, the cyber criminals change the online account password, locking the owner out of their own financial account(s).
STAY PROTECTED
Stay vigilant against ATO Fraud attempts by following these tips.
  • Be careful about the information you share online or on social media. By openly sharing information like a pet's name, schools you have attended, your date of birth, or information about your family members, you may give the scammers information they need to guess your password or answer your security questions.
  • Monitor your financial accounts on a regular basis. Watch for irregularities, such as missing deposits or unauthorized withdrawals, wire transfers, or expenditures.
  • Always use unique, complex passwords. Enable two-factor authentication or MFA on any account possible. Never disable it. 
  • Use Bookmarks or Favorites for navigating to login websites. Avoid clicking on Internet search results or advertisements. MFA will not protect you if you land on a fraudulent login page. Carefully examine any email address, URL, or spelling in unsolicited correspondence.
  • Stay vigilant against phishing attempts. Be suspicious of unknown "banking" or "company" employees who call you; don't trust caller ID. Hang up, verify the correct number and call it yourself. Companies generally do not contact you to ask for your username, password, or OTP.
WHAT TO DO IN CASE OF AN ATO INCIDENT
  1. Contact Your Financial Institution - Contact your financial institution as soon as fraud is recognized to request a recall or reversal.
  2. Reset or Revoke Compromised Credentials - Reset all credentials and passwords that may have been exposed during the intrusion, including user and service accounts, compromised certificates, or other "secret" credentials. If you use the compromised password for other online accounts, change your password on those sites too.
  3. Notify the Impersonated Company - Notify the company that was impersonated of the method the cyber criminals used to target the account owner. The company may be able to warn others to watch out for the scam and take proactive measures like requesting phishing pages be taken down.
 
 
 
Smishing: Definition, examples, and how to stay safe
Smishing, short for SMS phishing, is a type of social engineering scam carried out through text messages. Just like in other types of scams, smishers exploit people's trust and the urgency created by quick, official-looking phone messages. Scam texts are instantly visible, easy to interact with, and leave almost no room to verify the sender before the victim is prompted to click on the malicious link contained within. Once they do, though, their identity and financial information can be stolen and exploited by bad actors.
 
Smishing meaning and definition
What is smishing? Smishing combines SMS (short message service) with phishing to describe a cyberattack delivered as a text message. Instead of phone calls (vishing) or emails (traditional phishing), smishing scams arrive as a phone text impersonating a trusted company or individual - like your bank, a delivery services provider, a government agency, or a friend - to trick you into clicking a malicious link and revealing your sensitive information.
 
A smishing message typically asks you to:
  • Verify suspicious account activity
  • Track or reschedule a "missed" delivery
  • Confirm your shipping address or other personally identifiable information
  • Respond with "yes" or call the sender back
  • Pay unpaid taxes or bills
  • Claim a refund, prize, or reward
How smishing works
Smishing scams come in different forms, but they all start with an unsolicited urgent text message that may look either personal or official depending on the purpose.
 
Common smishing stages include:
  • Obtaining the victim's contact details. Most of the time, these can be looked up online on public data brokers and people-search websites, but many scammers go to great lengths to buy leaked datasets on real people from dark web websites.
  • Impersonating trusted institutions or people. Scammers carefully choose whom to impersonate to sound credible. These include banks, government agencies, postal services, or even your employer or business partner.
  • Creating urgency. Smishing messages mimic official and urgent communication from authorized senders that can't be easily ignored and demand prompt action, for example, "Your account will be locked unless you verify immediately".
  • Including a malicious link or phone number to call back. These are used to take the victim to spoofed websites and "call centers" that steal sensitive information, such as payment card details and digital account credentials, or to download malware to the victim's device.
  • Requesting personal information. Whether on a malicious website or on the phone with the scammer, you'll be required to enter or share your personal information under credible excuses. Once you do this, these details will be stolen and potentially exploited for the scammer's financial gain.
  • Monetization. The ultimate stage of a smishing attack, where scammers exploit your information: withdraw money from your bank account, make fraudulent purchases, commit identity theft, or sell the data to other scammers.
Why smishing is dangerous
There are many contributing factors that make smishing so dangerously effective.
On average, SMS texts have an astounding 98% open rate - much higher than emails, which linger at around 2-3% at best. This makes scammers' exploits all the more effective when done through this medium.
 
At the same time, sending out smishing messages is automated and fairly cheap, so attackers are able to send out massive amounts of fraudulent messages at a low cost. At such a scale, smishing attacks are capable of producing dramatic financial results for minimal cost to the scammer.
 
Because people are used to short informal texts as well as occasional SMS-based communication from brands, they may overlook red flags that would stand out in an email or phone call. Older and less tech-savvy people are particularly vulnerable to this type of attack, as they might not recognize a threat.
 
Finally, smishing scams are getting more convincing, adapting to what works best with millions of victims worldwide. 
 
How to recognize a smishing scam
If you see an unsolicited text message that raises your suspicion, here are the warning signs to confirm it's smishing:
 
The sender's number is generic, unfamiliar, or looks spoofed. It may display a generic company name like "Delivery Services" or just be a phone number. You can double-check by verifying the official contact details of the sender's alleged company online.
 
There's a link you're prompted to click or a request to respond to the message with "yes" or "no". The link is typically disguised via a link shortener or has extra characters and words uncommon for the real company's website. In some cases, you'll be asked to copy and paste the link URL in your browser.
 
The message creates urgency and asks you to act immediately. There might be alarming language, a deadline for your action, and threats in case you don't respond.
 
The message contains typos, weird grammar, or language that feels off for official branded communication.
 
How to protect yourself from smishing
Smishing scammers prey on easy targets that show low cybersecurity awareness, act impulsively, or are driven by fear, curiosity, or greed. 
  • Verify information independently. For example, if you get a fraud alert from your bank, contact the phone number on the back of your payment card to verify if it was compromised.
  • Keep your phone updated and enable spam filters. Install the latest security patches to make sure no software loophole can be exploited by scammers. Many smartphones and carriers support spam filters that can block smishing text automatically.
  • Never respond to texts with your personal information, be it PINs, one-time verification codes, credit card data, or account credentials.
  • Report suspicious texts to your carrier and/or local regulatory and anti-fraud bodies so they can maintain an up-to-date database of scammers' phone numbers and domains.
What to do if you fall for a smishing scam
If you think you've been scammed by smishers, act immediately to minimize the potential damage. 
  • Stop interacting with the text, don't click any links or reply.
  • Take a screenshot of the text and the sender's ID for further scam reporting.
  • Block the sender and report the text as spam by copying and forwarding it to 7726 (SPAM), then delete the message.
  • If you clicked the link in the smishing message and entered your credentials, change them for all the affected accounts, including reused passwords.
  • If you shared your financial details or banking account login with the scammers, contact your bank to set up fraud alerts and disable and reissue any affected payment cards.
  • If you sent money to the scammers, you may be able to dispute the transaction as fraudulent. 
  • In case the smishing text impersonates a real company, you may contact this company directly and file an impersonation report with them.
  • If your personal data has been stolen, monitor your bank account, email, and credit card for suspicious activity.
  • Run a trusted antivirus to detect any potential malware that could have been installed on your device.
Tips for the Holiday Season
 Pack light, stay secure
 
Secure your devices before you go
Before heading out:
 
Do: Ensure your devices are password-protected, fully updated, and encrypted. Enable multi-factor authentication (MFA) wherever possible.
Don't: Skip those software updates - outdated systems are more vulnerable to cyberattacks.
 
Be wary of public Wi-Fi
 
Do: Use a virtual private network (VPN) to encrypt your internet connection.
Don't: Access sensitive data or log in to important accounts over public Wi-Fi without a VPN.
Better yet, consider using your mobile hotspot instead.
 
Watch Out for "Juice Jacking"
Charging your phone at public kiosks can put your data at risk.
 
Do: Carry your own charging cable and use an outlet instead of a public USB port. Portable power banks are another great option.
Don't: Plug your device into unfamiliar USB ports - they can transfer malware or steal data.
 
Be selective about sharing
 
It's fun to post holiday pics, but oversharing can be risky.
 
Do: Wait until you're back home to share your travel adventures. This keeps potential thieves from knowing your home is unoccupied.
Don't: Share sensitive details, like your boarding pass barcode or your travel itinerary, on social media.
 
Keep a close eye on your devices
 
Losing a device is not only inconvenient but also a major security risk.
 
Do: Keep your devices within reach and use a padded, secure case.
Don't: Leave laptops or smartphones unattended in public areas, even for a minute.
Identity Theft
Identity Theft can affect your credit, create fraudulent debt or false medical records, and much more. Learn the steps to prevent identity theft, and if you've become a victim, what steps to take to stop the damage.
 
What is Identity Theft?
Identity theft happens when someone takes your name and personal information and uses it without your permission to do things like open new accounts, use your existing accounts, or obtain medical services. 
 
Warning Signs of Identity Theft
  • Receive credit cards that you did not apply for.
  • Find unauthorized charges on your bank or credit card statements.
  • Receive bills or collection letters from companies that you never heard of or for accounts you don't recognize.
  • Receive rejection letters for loans that you never heard of or for accounts you don't recognize.
  • Receive notices reflecting that you traveled to, lived in or did business in a jurisdiction to which you have no connections.
  • Get calls from debt collectors or businesses about merchandise or services you did not buy.
  • Fail to receive your bills or regular mail. (The ID thief may have changed your billing address)
  • Receive unexpected notices from the IRS about failing to report all your income or informing you that they received more than one income tax return in your name.
What to Do If Your Identity Is Stolen
If your identity has been stolen, it is critical that you act quickly to minimize any damage.
Consider Taking the Following Actions
  • Call or email the fraud department of the companies, banks or credit unions where accounts have been compromised. Explain that someone stole your identity and ask them to close or freeze the compromised account.
  • Contact any of the three credit reporting agencies and ask that a free fraud alert be placed on your credit report. Also ask for a free credit report. You only need to contact one of the three agencies because law requires the agency you call to contact the other two.
    • Equifax
    • Experian
    • TransUnion
Once you have a fraud alert on your credit report, a business must verify your identity before they issue new credit in your name. The alert remains active for a year and can be renewed by you for up to seven years.
  • Change the passwords, PIN numbers, and login information for all of your potentially affected accounts, including your email account, and any accounts that use the same password, PIN, or login information.
  • Contact your police department, report the crime and obtain a police report.
  • Go to the webpage of the Federal Trade Commission, report the ID theft and create an identity theft recovery plan.
  • Decide whether you want to place a security freeze on your credit report.
A security freeze is different from a fraud alert. Once your report is frozen, the credit reporting agency cannot release it without your prior express approval (with certain narrow exceptions). Under federal law, a security freeze is free, and obtaining one will not affect your credit score. To obtain a freeze, you must contact each of the credit reporting agencies and comply with their requirements. The agency must place the freeze within one business day, and if you request the freeze be lifted, they must do so within one hour.
  • Review your credit report to correct any errors and identify any new accounts that were opened in your name, and then contact the business and close those accounts and inform the credit bureau that you did not open those accounts.
  • Review your other credit card and bank statements and take action to remove or dispute unauthorized charges or debits.
  • Consider other steps you may need to take to address specific problems such as reporting a misused Social Security number.
  • Consider a court order to assist you in clearing your name.
 
 
 
ZELLE FRAUD SCHEMES TO AVOID
 
Impersonation Scams:
  • Bank/Zelle Impersonation: Scammers contact individuals via text or email, claiming to be from their bank or Zelle, often stating there's a problem with their account or a fraudulent transaction. They might even spoof the financial institution's phone number.
  • Family/Friend Impersonation: Scammers pretend to be friends or family members, claiming to be in an urgent situation and asking for immediate Zelle money transfers.
  • Government/Authority Impersonation: Fraudsters impersonate government agencies like the IRS or law enforcement, demanding Zelle payments to resolve issues like alleged fines or threats of arrest.
  • Business/Company Impersonation: Scammers pose as businesses, such as utility companies, threatening service disruption and demanding payment via Zelle.
Account Takeover Scams:
  • Phishing Links: Scammers send fake links via email or text, mimicking legitimate bank or Zelle login pages. If a user enters their credentials, the scammer gains access to their account and can initiate Zelle transfers.
  • One-Time Code Exploitation: Scammers might ask for a user's one-time code sent to their phone, which they then use to link their own bank account to the user's Zelle account and steal funds.
Online Marketplace/Rental Scams:
  • Fake Listings: Scammers post fake listings on platforms like Facebook Marketplace or online classifieds, tricking users into sending Zelle payments for goods, services, or rental properties that don't exist.
  • Overpayment/Advance Payment: Scammers might send a large, unsolicited Zelle payment and then ask the recipient to return the difference, potentially involving stolen funds or initiating an "account upgrade" scam.
  • Fake Rental Deposits: Scammers posing as landlords demand Zelle deposits for rental properties, especially in competitive markets.
Other Scams:
  • Refund Scams: Scammers impersonate Zelle agents, claiming a fraudulent transaction occurred and tricking the user into sending money as part of a fake refund process.
  • Money Mule Scams: Scammers target jobseekers with fake work-from-home offers, instructing them to deposit fraudulent checks and then use Zelle to send funds to purchase equipment, unknowingly turning them into money mules.
Important Reminders to Avoid Zelle Scams:
  • Treat Zelle like cash: Only send money to people you know and trust, and once the money is sent, it's difficult to recover.
  • Be wary of unsolicited requests: Don't respond to unexpected emails, texts, or phone calls, especially those demanding immediate action or payments.
  • Verify the recipient: Double-check the recipient's information before sending any money.
  • Never share sensitive information: Don't share your login credentials, PIN, or one-time passcode with anyone, even if they claim to be from your bank or Zelle.
  • Access Zelle through official channels: Use your bank's official app or website to access Zelle, not external links.
  • Report suspicious activity: If you encounter a potential scam, report it to Zelle and your bank immediately.



Proudly serving North Texas for over 130 years.