Criminals Take Advantage of Every Situation and Our Health Crisis is No Exception.
Recently, the cybercriminal group FIN7, known for targeting US businesses through phishing emails, added a tactic: mailing USB devices via the United States Postal Service (USPS). The packages sometimes include items such as teddy bears or gift cards and are addressed to employees of target companies in Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles. The enclosed USB device is a commercially available tool known as a “BadUSB” or “Bad Beetle USB” device. Once plugged in, the device presents itself to the computer as a keyboard and automatically injects a series of keystrokes that download and execute a malware payload known as GRIFFON, a payload also observed in several variations of FIN7 phishing emails. Because the device behaves like a keyboard rather than a storage drive, disabling autorun does not stop it; whatever it types runs with the permissions of the logged-in user.
Do not plug an unknown USB device into any computer system, and always be wary of packages from a sender you do not know, or from a known sender when the package is out of the normal routine. Call the sender to verify before inserting anything into your computer system. If a device has already been plugged in, report it to IT immediately.
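The practical check behind the warning above is whether a newly attached USB device registers as a keyboard, since that is how a keystroke-injection device delivers its payload. The script below is an added example, not part of the original alert or of any FIN7 tooling: it parses kernel USB enumeration messages (the constructed sample is modeled on Linux dmesg output; the vendor/product IDs and the allowlist are illustrative) and raises an alert for any device that exposes a HID keyboard but is not on an allowlist of known keyboards, noting when the same device also presents as mass storage.

```python
import re

# Constructed sample log, modeled on Linux kernel USB/HID enumeration messages.
# Device IDs are illustrative: a USB keyboard on port 1-1, a plain flash drive
# on port 1-3, and on port 1-4 a microcontroller board that enumerates as both
# a mass-storage device and a HID keyboard (the BadUSB pattern).
SAMPLE_DMESG = """\
usb 1-1: new low-speed USB device number 2 using xhci_hcd
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-1: Product: USB Keyboard
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0
usb 1-3: new high-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-3: Product: Ultra Fit
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 1-4: new full-speed USB device number 6 using xhci_hcd
usb 1-4: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
usb 1-4: Product: Arduino Leonardo
usb-storage 1-4:1.0: USB Mass Storage device detected
hid-generic 0003:2341:8036.0003: input,hidraw1: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-4/input2
"""

NEW_DEV_RE = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"^usb (\S+): Product: (.+)$")
STORAGE_RE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID_RE = re.compile(r"^hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: \S+: USB HID v\S+ (\w+) \[")

# Hypothetical allowlist of keyboards the organisation has issued (VID, PID).
KNOWN_KEYBOARDS = {("046d", "c31c")}


def parse_usb_events(log_text):
    """Group enumeration messages per device, keyed by (vendor id, product id)."""
    devices = {}
    port_to_id = {}
    for line in log_text.splitlines():
        m = NEW_DEV_RE.match(line)
        if m:
            port, vid, pid = m.group(1), m.group(2).lower(), m.group(3).lower()
            port_to_id[port] = (vid, pid)
            devices.setdefault((vid, pid), {"port": port, "product": None, "storage": False, "hid": set()})
            continue
        m = PRODUCT_RE.match(line)
        if m and m.group(1) in port_to_id:
            devices[port_to_id[m.group(1)]]["product"] = m.group(2).strip()
            continue
        m = STORAGE_RE.match(line)
        if m and m.group(1) in port_to_id:
            devices[port_to_id[m.group(1)]]["storage"] = True
            continue
        m = HID_RE.match(line)
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            if key in devices:
                devices[key]["hid"].add(m.group(3))  # e.g. "Keyboard", "Mouse"
    return devices


def badusb_alerts(devices, allowlist=KNOWN_KEYBOARDS):
    """Flag devices that registered a HID keyboard but are not a known keyboard."""
    alerts = []
    for (vid, pid), d in devices.items():
        if "Keyboard" in d["hid"] and (vid, pid) not in allowlist:
            reason = "unknown device enumerated a HID keyboard"
            if d["storage"]:
                reason += " and mass storage on the same device"
            alerts.append({"id": f"{vid}:{pid}", "product": d["product"], "port": d["port"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in badusb_alerts(parse_usb_events(SAMPLE_DMESG)):
        print(f"ALERT port {alert['port']} {alert['id']} ({alert['product']}): {alert['reason']}")
```

The flash drive on port 1-3 and the allowlisted keyboard produce nothing; the device on port 1-4 is reported because it typed-capable hardware that the organisation never issued. The same logic applies to Windows, where the equivalent record is Security event 6416 (a new external device was recognized by the system) once PnP activity auditing is enabled; only the parsing differs.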
Educating Your Cardholders on Phishing
Early indications are that fraudsters may be increasing phishing attacks to exploit the current COVID-19 pandemic. The Risk Office has observed fraudulent emails and voice mails sent directly to cardholders asking for personally identifiable information (PII) while impersonating financial institutions (FIs), health organizations, and federal government agencies.
Additionally, criminals who already hold card details and other PII are spoofing the caller ID of financial institutions so that text messages and phone calls appear to come from the fraud department of the cardholder's financial institution. Because caller ID can be forged, the displayed number alone is not proof that a call or text is genuine.
It makes a difference when you and your cardholders remain vigilant. If something sounds suspicious, question it. Remind your cardholders to review their accounts daily and to report any unauthorized activity promptly.
Please remind your cardholders that there is a lot they can do to protect their own accounts and information. Here are some points you can make to help educate them:
Neither Pinnacle Bank nor its fraud department will ever ask over the phone for a PIN, CV2 code, or expiration date.
A text alert warning of suspicious activity on a card will NEVER include:
- A link to be clicked. Cardholders should never click a link in a text message that claims to be from us.
- A vague reference to a “Merchant” transaction; a genuine alert names the merchant and gives the transaction details.
- Requests for cardholder data such as card numbers, PINs, CV2 codes, or expiration dates.
A text alert from us will always come from a 5-digit short code, NOT from a 10-digit number resembling a phone number.
A VALID notification will provide details of the suspicious transaction and ask the cardholder to reply to the text message with answers such as ‘yes,’ ‘no,’ ‘help,’ or ‘stop.’
- A phone call from one of our Call Center agents will only include a request for the cardholder's zip code, and no other personal information, unless the cardholder confirms that a transaction is fraudulent.
- Only then will the cardholder be transferred to an agent, who will ask questions to confirm the cardholder's identity before going through the transaction history. If at any point the cardholder is uncertain about the questions being asked or about the call itself, they should hang up and call us directly using the number on the back of their card.
- If a cardholder receives a call claiming to be from the Call Center and asking to verify transactions, the cardholder should not have to provide any information other than their zip code and a ‘yes’ or ‘no’ to each transaction described.
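The text-alert rules above are concrete enough to apply mechanically, which is useful for anyone triaging messages cardholders forward in. The script below is an added example, not part of the original bulletin: it turns each rule (no link, no request for card data, no vague “Merchant” wording, a 5-digit short-code sender, a yes/no reply prompt) into a flag and scores constructed sample messages. The short code 32100 and the phone number are made up for the example; a message with no flags merely matches the description of a genuine alert and is still not proof that it is one.

```python
import re

# One regex per rule from the alert text. The link pattern is deliberately
# broad (scheme, www., or bare domain with a common TLD) because smishing
# texts often omit the scheme.
LINK_RE = re.compile(
    r"https?://|www\.|\b[\w-]+\.(?:com|net|org|co|io|info|biz|xyz|link|online|site|us|me|ly)\b",
    re.I,
)
CARD_DATA_RE = re.compile(
    r"\b(?:card number|account number|pin|cvv2?|cv2|security code|expir(?:y|ation)|exp\.? date)\b",
    re.I,
)
VAGUE_MERCHANT_RE = re.compile(r"\bmerchant\b", re.I)
REPLY_PROMPT_RE = re.compile(r"\breply\b.*\b(?:yes|no|help|stop)\b", re.I | re.S)

# Constructed sample messages (sender, text). 32100 is a made-up short code;
# 555-01xx numbers are reserved for fiction.
SAMPLE_MESSAGES = [
    ("32100",
     "Pinnacle Bank Fraud Alert: Did you attempt $189.00 at BEST BUY #0412 on 03/22? "
     "Reply YES or NO. Reply STOP to opt out."),
    ("(615) 555-0142",
     "PINNACLE ALERT: Suspicious Merchant transaction on your card. Verify now at "
     "http://pinnacle-secure-verify.example/login or your card will be locked."),
    ("32100",
     "Fraud dept: to confirm your identity please reply with your card number, PIN and expiration date."),
]


def sender_kind(sender):
    """Classify the sender as a 5-digit short code, a 10/11-digit phone number, or other."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 5:
        return "short_code"
    if len(digits) in (10, 11):
        return "phone_number"
    return "other"


def triage_alert(sender, text):
    """Apply the bulletin's rules to one message; return the flags raised and a verdict."""
    flags = []
    if LINK_RE.search(text):
        flags.append("contains_link")
    if CARD_DATA_RE.search(text):
        flags.append("asks_for_card_data")
    if VAGUE_MERCHANT_RE.search(text):
        flags.append("vague_merchant_reference")
    if sender_kind(sender) != "short_code":
        flags.append("sender_not_short_code")
    if not REPLY_PROMPT_RE.search(text):
        flags.append("no_yes_no_reply_prompt")
    verdict = "suspicious" if flags else "consistent_with_valid_alert"
    return {"sender": sender, "flags": flags, "verdict": verdict}


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage_alert(sender, text) for sender, text in messages]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['sender']:>16}  {result['verdict']:<28} {', '.join(result['flags']) or '-'}")
```

The first message raises no flags; the second trips four rules at once (link, vague merchant, phone-number sender, no reply prompt); the third comes from a short code but asks for card data and never offers a yes/no reply, which is exactly the case the bulletin says a genuine alert will never present.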