Wire Fraud Advisory
The following best practices are based on FBI alerts and conversations with financial institutions that have successfully detected the Business Email Compromise (BEC) scam. BEC is a sophisticated financial fraud that can result in actual and attempted losses. Most businesses cannot practically implement all of the recommendations listed below; however, implementing those that are most practical for any given business operation will increase awareness and decrease the risk of falling victim to BEC.
The vulnerability, known as Shellshock (CVE-2014-6271), could allow an attacker to remotely execute malicious instructions on susceptible operating systems hosted on servers, vendor appliances, and workstations.
The LANB Information Security Team has performed an assessment of all our systems and has taken the following action to ensure that customer information and financial transactions are protected.
Systems containing customer information have been tested for the Shellshock vulnerability. Only a single exception was found, at the mobile banking website (mobile.lanb.com), and it has been remediated as of 10/19/2014.
Security relating to all of the bank’s information systems remains a top priority for us. Our security team continues to monitor for vulnerabilities to keep them from disrupting our systems or becoming a potential threat to our environment.
LANB takes security very seriously and remains vigilant about existing and emerging vulnerabilities. Heartbleed is the latest widespread security flaw to catch the attention of the media. This flaw allows OpenSSL to be exploited. SSL stands for Secure Sockets Layer, which is the technology for establishing an encrypted link between a Web server and a browser; the "Open" just means the code is freely available. This link ensures that all data passed between the Web server and browsers remains private; however, there is a weakness in the OpenSSL implementation which allows anybody who knows how to exploit the weakness to decrypt the encrypted traffic.
LANB has researched, tested and validated that all security certificates and the current release of SSL software in use are not and were not susceptible to this exploit. Your Online Banking login information continues to be secure; there is no need to change your password at this time, although it is best practice to regularly update your passwords. If you would like an added level of security, please inquire about the use of Token for Online Banking.
Fraudulent Medicare Calling Scam
Fraudulent Phishing E-mail Alert.
A phishing e-mail has been circulating New Mexico of late pretending to be from Los Alamos National Bank.
This phishing e-mail might include false information that your account has been suspended or is in jeopardy due to incorrect information. The e-mail has a PDF attachment which then instructs you to click on a link that leads to a false website that asks for your personal information. Do not click on the link, and if you do, please do not enter any personal information.
Fraudulent Phishing E-mail Alert
A fraudulent phishing e-mail has been circulating New Mexico of late pretending to be from Los Alamos National Bank.
This phishing e-mail might include false information that your account has been suspended or is in jeopardy due to incorrect information. It then instructs you to click on a link that leads to a false website that asks for your personal information.
PLEASE DO NOT CLICK ON THIS LINK OR ANY OTHER LIKE IT!!
It is the policy of Los Alamos National Bank to never ask for a customer’s personal or private information over an Internet form or any other non-personal form of communication. If there is ever any emergency issue with your accounts, you will be contacted via phone or some other person-to-person communication.
Also, please remember to watch the address bar in your browser when you click on links. If the address does not begin with www.lanb.com, it is most likely a false website.
We apologize for any inconvenience. If you have any questions or concerns, please call the LANB hotline at 505-662-5171.
New Phishing E-mail Scam
A phishing scam (a fraudulent e-mail) has been circulating through New Mexico targeting LANB customers.
This e-mail informs a customer that their account has been suspended due to an accounting error. It then instructs the customer to click on a link that takes them to a webpage that requests a huge amount of personal and bank account information, including logins, passwords, family information, and more.
PLEASE DO NOT CLICK ON THIS LINK OR ANY OTHER LIKE IT!!
If you have clicked on this link and have provided information to this site PLEASE CONTACT LANB IMMEDIATELY at 505-662-5171 for assistance. This number has been extended until 8:30 pm tonight for anyone who wishes to call after normal lobby hours. If you call after these hours and leave a message someone from LANB will contact you first thing in the morning.
We wish to remind our customers that LANB will NEVER send an e-mail to request any personal, security or bank information. If you do receive an e-mail like the one above please do not click on it, forward it or respond to it. Please contact LANB using any method you wish with questions or concerns.
Please also refer to any of the security links on the left navigation if you wish to know more about online and web security.
New Internet Banking Scam
You’ve heard of the traditional email phishing and computer malware scams that attempt to steal customer bank information, but now there is a new player in town and this one is convincing. Scammers are now using what is called the chat box scam to steal information from online banking customers. Here is how it works.
The victim unknowingly downloads a piece of malware onto the computer by downloading an infected attachment or clicking a bogus web link. The malware then waits for the victim to visit his or her online banking website. (This scam is so convincing because it happens while you are visiting your actual bank’s website not a fake website created to look like the bank’s site.) Once the victim is on the site, a message flashes saying it is running a security check. Then, the customer receives this or a similar bogus pop-up message.
“The system couldn't identify your PC You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any inconvenience, we are carrying about security of our clients.”
The poor grammar in this message should be a red flag to customers, but most people won’t notice it. Instead, they will worry about being locked out of their account and proceed to follow the instructions. This is when a chat box appears stating that someone will be with you shortly, just like the ones customers are accustomed to seeing on retail websites. During the live chat, the victim will be asked to provide personal banking information to verify his or her identity, but really the victim is providing the sensitive information to a scammer who will use the information to illegally access the victim’s account. It is also possible for the malware to simultaneously complete a purchase or an unauthorized transfer to another account as the victim is keying in account information. Also of notable concern is that this type of attack could conceivably be used against businesses and their employees, with the attacker posing as an IT help desk technician.
It is essential that banks inform customers of this scam. Make sure they know that your bank does not have a live chat option on the website and that a legitimate customer service person would never ask for a customer’s passwords or account numbers. Also, encourage customers to keep their internet security software up-to-date. This will help protect them from such malware.
Possible Phishing E-mail Scam: "ACH Transfer Rejected"
A possible e-mail phishing scam is working its way around the web with the subject line of "ACH Transfer Rejected". It comes from "The Electronic Payments Association (NACHA)". NACHA is a real institution but would NOT be sending out these types of e-mails. There is also a link to a document or another website that SHOULD NOT BE CLICKED ON. Note that any cancelled ACH transfer would first come through your financial institution and NOT NACHA.
Information about the scam: http://www.nacha.org/news/newsDetail.cfm/RecentBusinessNewsID/236
Office of the Comptroller of the Currency (OCC) Special Alert
Masquerading Web site: "Helpwithmybank.com"
The Office of the Comptroller of the Currency (OCC) has been informed that the above-mentioned Web site, “helpwithmybank.com,” is attempting to masquerade as the legitimate Web site, “helpwithmybank.gov,” and contains potentially damaging malware. The illegitimate site redirects the user to the legitimate site “helpwithmybank.gov” in an attempt to convince users that they are connecting to a legitimate site. Attempts to connect to the fake Web site could expose the user to harmful malware. Any information that you may have concerning this matter should be brought to the attention of:
Office of the Comptroller of the Currency
Enforcement & Compliance Division, MS 8-10
250 E St. SW,
Washington, DC 20219
Fax: (202) 874-5301
Richard C. Stearns
Director for Enforcement & Compliance
Federal Deposit Insurance Corporation Issues Special Alert
Special Alert SA-21-2011 has been issued by the FDIC regarding numerous reports it has received of fraudulent emails and wire transfers that appear to have been sent from the FDIC. The fraudulent messages indicate the customer’s ability to conduct ACH and wire transactions has been suspended and direct customers to click on a link to download an update which will restore the functions.
ALERT Epsilon Interactive Announces Data Security Breach
Los Alamos National Bank does not use Epsilon Interactive for any services and customer information at LANB has not been compromised.
What happened? Epsilon Interactive announced on April 1st that unknown intruders had broken into one of its email servers and accessed the names and email accounts of some of its 2,500 corporate customers. Epsilon has not disclosed how many accounts in total were exposed in the breach. Some say it is the largest breach ever involving that kind of data, meaning that tens of millions of email addresses were likely compromised.
3/02/11 Consumer Advisory
Avoiding Mortgage and Foreclosure Scams
The OCC has issued a Consumer Advisory, CA-2011-1, containing information for consumers on avoiding mortgage modification scams and foreclosure rescue scams. The advisory describes common foreclosure scams, suggests ways homeowners can avoid them, outlines new federal rules to protect homeowners from such schemes, and lists 10 warning signs homeowners can use to identify foreclosure scams.
2/17/11 Fraudulent Email Consumer Alert
The FDIC has issued a Consumer Alert regarding fraudulent emails that appear to be sent from the FDIC. The subject line of the e-mail states: "Important information for depositors of Federal Deposit Insurance Corporation.” The e-mail informs recipients that “this message was sent to you as you had indicated this e-mail address as a contact, by opening an account in your bank department.”
2/09/11 Fraudulent Text Message
We are hearing from customers that they received the following text message:
email@example.com // Sandia FCU DebitCard Frozen. Dial 3105987340
Please do not dial this number. As always please do not give your personal information over the phone.
1/26/11 Phone Phish
Residents of Los Alamos and surrounding areas have received phone calls asking them to enter their credit card number. LANB is taking the appropriate measures in response to the phone phish.
As always, please do not give your personal information over the phone. If you receive a call, hang up immediately. If you have given out any personal information (account #, SSN), please contact a customer/account service representative or the fraud dept immediately. If you have given out your social security number, you should also check www.idtheft.gov.
10/22/10 Phony Debt Collectors
Residents of Los Alamos and surrounding areas have received phone calls from phony debt collectors. These scammers are masquerading as debt collectors, attorneys or law enforcement officials in an effort to get the recipient to give out personal information, including checking account and/or debit or credit card numbers. The scammers may have some personal information (last 4 digits of SSN, DOB or physical address). The callers usually speak with heavy foreign accents and are known for repeatedly calling people at home and at work. They are known to threaten arrest if the supposed debts are not repaid -- debts that don't actually exist.
The BBB offers these tips:
- Ask the debt collector to provide official documentation which substantiates the debt.
- Do not provide or confirm any bank account, credit card or other personal information over the phone until you have confirmed the legitimacy of the call.
- File a complaint with the Federal Trade Commission online if the caller is abusive, uses threats or otherwise violates federal telemarketing laws or the Fair Debt Collection Practices Act.
- File a complaint with the Better Business Bureau online if you believe a debt collector is trying to scam you.
Below is a good article with additional information:
09/02/10 Fraudulent Phone Calls Consumer Alert
The FDIC has issued a Consumer Alert concerning numerous reports of suspicious, fraudulent telephone calls in which the caller claims to represent the FDIC and is calling regarding the collection of an outstanding debt. Consumer Alert 9/02/10.
06/25/10 Credit - Debit Card Phone Scam Continues
Residents of Los Alamos and surrounding areas are receiving automated calls to their cell phones claiming to be from their financial institution. These automated phone calls are a scam. The automated call indicates that your account has been suspended or compromised and then asks for the customer's ATM or debit card number and PIN. The phone calls are NOT from a financial institution. You should never provide personal information or account numbers over the phone unless you originate the call and know to whom you are speaking. If you received a call and provided any information, please contact your financial institution or the card provider, whose phone number may be listed on the back of your card.
05/03/10 Fraudulent Email Consumer Alert
The FDIC has issued a Consumer Alert regarding fraudulent emails that have the appearance of being sent from the FDIC and entice the recipients to take a survey to have $50 credited to their account.
Mystery/Secret Shopper Employment FBI E-Scams Warning
A warning has been issued by the FBI regarding email and U.S. mail scams involving employment schemes pertaining to mystery/secret shopper positions. As part of the scheme, the shopper receives a check to be deposited into the employee's bank account and funds are then wired to the employer. The check is a counterfeit and the shopper is responsible for the loss.
Random individuals and/or companies may have received a falsified e-mail with the subject title "Rejected ACH Transaction." This e-mail appears to be from NACHA - The Electronic Payments Association, telling them that there is a problem with an ACH transaction they have originated. The e-mail includes a link which redirects the individual to a fake web page which looks like the NACHA website and contains a link which is almost certainly to an executable virus with malware. See sample below.
Please alert any financial institution and/or company that has questions about this site and inform them that the e-mail did not originate from NACHA, that the website is not NACHA's, and that they should not click on the link.
= = = = = = = Sample E-mail = = = = = = =
From: nacha.org [mailto:firstname.lastname@example.org]
Sent: Thursday, November 12, 2009 10:25 AM
To: Doe, John
Subject: Rejected ACH transaction, please review the transaction report
Dear bank account holder, The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report (this is how the link is presented)
Our Customer Contact Center has received several calls from people reporting suspicious voice mail. The messages say "your credit card has been deactivated". Do not return these phone calls. Please remember when answering the phone, you should never give personal information to anyone, unless you have initiated the call and know who you are talking to.
Fraudulent Email Special Alert:
E-mails fraudulently claiming to be from the FDIC are attempting to trick recipients into installing unknown software on personal computers. These e-mails falsely indicate that recipients should download and open a "personal FDIC insurance file" to check their deposit insurance coverage. The "insurance file" may actually be a form of spyware or malicious code and may collect personal or confidential information.