Phishing
Phishing is a common trick bad guys use to "fish" for consumers' financial information and passwords using fake company emails and websites. The fake sites ask consumers to enter current financial and personal information such as user IDs, Social Security numbers, bank or credit card account numbers and ATM PINs.
Smishing
Smishing is the text-message (SMS) counterpart to phishing. In the same fashion, bad guys text consumers, directing them to counterfeit websites in an attempt to get their personal information.
Spoofing
Spoofing is when your caller ID displays a phone number that is not the actual number of the person calling you. Bad guys use numbers you may recognize to get you to answer: they can make caller ID show a company's number, a number similar to yours, or even your own number. The goal is to make the call or text look legitimate so you answer, opening the door for their scam.
Slamming and Cramming
Both types of fraud involve unauthorized changes to a customer's phone service. Slamming is switching a customer's phone carrier without permission; cramming is adding unauthorized charges to a customer's phone bill. Scammers often start by calling, misrepresenting who they are, and asking questions to collect the account information they need.
International Area Code Scam
In this scam, consumers receive a message telling them to call a phone number with an 809, 284 or 876 area code in order to collect a prize or find out information about a sick relative. These area codes belong to numbers outside the United States, in the Caribbean (809 is the Dominican Republic, 284 the British Virgin Islands and 876 Jamaica), so the customer is billed for an international call, often at a high per-minute rate.
Email Viruses, Worms and Malware
Viruses, worms and other malware are programs that may arrive as an email attachment or behind a web link and can be destructive to a computer. Bad guys hide them in attachments or links, and they activate as soon as the customer opens the file or visits the link.
Know the Terms
This glossary defines common terms used in fraud and cybersecurity:
APT (Advanced Persistent Threat):
A targeted attack that penetrates a network without being detected and keeps that access for an extended period while monitoring activity or stealing data. APTs may continue for years.
Authentication:
The process of confirming the identity of a user, most often with a username and password. See Multifactor Authentication.
Black Hat Hacker:
An individual with extensive computer skills who breaches the security of companies for malicious purposes.
Botnet:
A large number of compromised computers, used without their owners' knowledge, that an attacker directs to send spam or malware or to flood a network with traffic, as in a distributed denial of service (DDoS) attack. Attackers manage the bots through command and control (C2) infrastructure that lets them steer huge numbers of compromised systems at once.
BYOD (Bring Your Own Device):
Bring-your-own-device is a business practice of permitting employees to use their own devices — computers, smartphones, tablets, or other devices — for work.
Dark Web:
A part of the internet that is not indexed by search engines and is reachable only with special software, such as the Tor browser. It is often used as a marketplace for illicit goods and services.
Data Mining:
Analyzing large existing data sets to find patterns and extract new information, for example to spot fraudulent transactions.
DDoS (Distributed Denial of Service):
An attack that makes an online service unavailable by overwhelming it with traffic from many compromised systems, often a botnet.
Defense in Depth:
The approach of using multiple layers of security so that protection continues after a single security component fails.
Doxing:
Publishing personal information about a person or group, usually by internet vigilantes or hacktivists. The name comes from "dropping dox," where "dox" is slang for documents.
Encryption:
Transforming data into an unreadable form so that only someone with the right key can read it. See Public Key Encryption for more information.
Data Exfiltration:
The unauthorized transfer of an organization's data out of its systems as the result of a breach.
Firewall:
A hardware or software system that filters network traffic according to rules, blocking unauthorized traffic from entering (or leaving) a network.
Collects, analyzes and reports on data used to detect and prevent a breach.
Grey Hat Hackers:
Ethically between black hat and white hat hackers, grey hats probe and exploit system vulnerabilities without permission, which is illegal. They usually do not use the access for criminal gain, but sometimes offer to close the security gap for a fee.
Hacktivist:
A hacker or group that breaches systems for political, rather than monetary, gain.
Illegal Porting:
Porting is transferring a phone number to a different carrier. Bad guys use illegal porting to move a victim's mobile number to a device they control so they can intercept text-message authentication codes from the victim's bank, credit card issuer or other companies. Once they hold the number, they receive those one-time codes and can use them to get into the victim's accounts.
IoT (Internet of Things):
The connection of everyday objects with embedded electronics, from smartwatches to pet collars to cars, to each other and to the internet.
Keystroke Logger, Keylogger:
Surveillance software or hardware that records every keystroke, including usernames and passwords.
Machine Learning:
An area of artificial intelligence in which programs learn patterns from data rather than following fixed rules. In security it is used to flag unusual activity and detect new threats.
Machine-to-Machine (M2M):
Direct communication over a network between electronically enabled devices, with no human in the communications loop.
Malware:
A generic term for malicious software of all kinds, including viruses, worms, trojans, ransomware and keyloggers. It may be delivered as an email attachment, a download or a compromised webpage.
Man-in-the-Middle (MITM) Attack:
An attack in which a third party secretly intercepts, and possibly modifies, messages between two parties who believe they are communicating directly.
Multifactor Authentication (MFA):
A method of verifying a user's identity that requires two or more independent factors, such as a password plus a code from an authenticator app or a hardware key.
Packet:
A unit of data transmitted over a packet-switched network such as the internet. Each packet carries the destination address along with the data it holds.
Social engineering through email that uses information already known about the target to acquire other data, such as usernames, passwords or financial information.
Penetration (Pen) Test:
A controlled test in which security professionals attempt to find and exploit vulnerabilities in an organization's networks and systems so that they can be fixed.
Porting:
Porting allows customers to keep their phone number when they change carriers. Carriers are required by law to honor a port request when the person making it supplies accurate account information. Many carriers call or text customers to confirm their identity before completing a port.
Public Key:
The publicly disclosed half of a pair of cryptographic keys used for asymmetric cryptography.
Public Key Encryption:
An encryption system that uses a mathematically linked pair of keys. The public key is known to everyone and is used to encrypt a message; the private key is known only to the recipient and is the only key that can decrypt it.
Ransomware:
Malware that restricts access to data and demands a payment to the attacker to restore access.
Robocall:
A robocall is a phone call placed by a computerized auto-dialer or one that delivers a pre-recorded message. Some are allowed, including those you consent to receive, like weather updates from your school district. Others are part of illegal calling schemes that can involve fraud.
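To make the two-key idea concrete, here is an added example (not part of the original page) of textbook RSA with deliberately tiny primes: anyone holding the public key can encrypt, and only the holder of the private exponent d can decrypt. The primes, the message and the function names are constructed for illustration; real systems use keys of 2048 bits or more, padding such as OAEP, and a vetted library rather than code like this.

```python
# Toy RSA to show the mechanics of public-key encryption.
# Educational only: tiny primes, no padding, not secure.
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) for primes p and q.

    n = p*q is public; d is e's inverse mod (p-1)(q-1) and stays private.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> int:
    """Anyone with (e, n) can do this."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of d can recover the message.

    Toy limitation: leading zero bytes of the message are not preserved.
    """
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> bytes:
    # Constructed example: two small primes (1000003 and 1000033 are prime)
    # so the modulus comfortably holds a two-byte message.
    public, private = make_keypair(p=1000003, q=1000033)
    ciphertext = encrypt(public, b"hi")
    return decrypt(private, ciphertext)


if __name__ == "__main__":
    print(demo())
```

The private exponent never leaves the recipient, which is what lets a sender who has only the public key protect a message for that recipient alone.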
Rogue Wi-Fi Hotspot:
An unsecured Wi-Fi network, often set up by bad actors, used to intercept or compromise data from anyone who connects to it. Connecting through a VPN and using only sites protected by HTTPS limits what a rogue hotspot can see, but the safest course is not to join unknown networks at all.
Check that a website's address begins with "https" and that the browser shows a lock icon in the address bar. The "s" means the connection to the site is encrypted, so others on the network cannot read it. It does not prove the site is who it claims to be: phishing sites also use https, so check the domain name itself before entering anything.
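The phishing entry at the top of the page and the https check above both come down to reading the link correctly. The following added example (not code from the original page) shows how a script can separate the two questions, "is this really the site I expect?" and "is the connection encrypted?", using Python's standard URL parser. All hostnames are constructed test names, and the expected domain `bank.example.com` is an assumption for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind found in phishing messages
# (example/test names only, not real sites).
SAMPLE_LINKS = [
    "https://login.bank.example.com/account",     # genuine subdomain
    "https://bank.example.com.evil.test/login",   # real name used as a prefix
    "https://bank.example.com@evil.test/login",   # "@" trick: host is evil.test
    "http://bank.example.com/login",              # right host, no encryption
    "https://bank-example.com/login",             # lookalike with a hyphen
]


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """True when the URL's host is expected_domain or a subdomain of it.

    urlsplit().hostname strips any "user@" part, the port and brackets and
    lowercases the name, so the "@" trick and mixed case do not fool it.
    The ".": prefix check stops "bank.example.com.evil.test" and
    "bank-example.com" from matching.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    expected = expected_domain.lower().rstrip(".")
    host = host.rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected_domain: str) -> dict:
    """Report both checks: right site, and https transport."""
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "same_site": host_belongs_to(url, expected_domain),
        "https": parts.scheme.lower() == "https",
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, check_link(link, "bank.example.com"))
```

Note that only the first link passes both checks; the second, third and fifth all show the lock icon yet lead somewhere else, which is why the domain name matters more than the "s".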
SIM Card:
A SIM card is a small chip in your phone that links your account to the device. Your phone uses the SIM card to connect to the mobile network, and through that connection your mobile service provider ties the phone to your number and account.
SIM Swap:
A SIM swap is a scam in which bad guys get your carrier to move your number to a SIM card they control. If it succeeds, your phone loses service and your calls and texts go to the bad guy's device. The bad guy then receives any authentication codes sent to your number and can use them to get into your accounts, personal data and financial information.
Social Engineering:
The old con game of persuading a target that you are someone they can trust, then using that trust to extract information that can be used to defraud them or someone else.
An email scam that uses social engineering to steal information or install malicious software on the victim's system.
Two-Factor Authentication (2FA):
A method of improving security by requiring two different kinds of proof before granting access to a resource: something the user knows (a password or PIN), something the user has (an access card, phone or hardware token) or something the user is (a fingerprint or retina scan).
Trojan, Trojan Horse:
Malware disguised as a benign, useful application so that users will run it; once run, it installs a destructive payload.
White Hat Hackers:
Computer security experts who, with permission, penetrate networks to show companies the gaps a malicious attacker could exploit. They are often hired by the companies themselves to test the resilience of their systems.
Zero-day Attack, Zero-day Exploit:
An attack that exploits a vulnerability the software vendor does not yet know about or has not yet patched, so defenders have had "zero days" to prepare a fix.