Online Security Updates
Below are links to the latest updates we routinely send our Online Banking customers about a variety of online security topics.
Password Recovery Scam Targets Email Users
A simple, yet effective, social engineering scam is being used to take control of users’ email accounts. The scam uses the “password recovery” feature offered by most email providers to trick users into letting the attacker take control of their account. The only things the attacker needs for the scam are your email address and cell phone number, which can be easily obtained if you regularly post private information on social media websites or other online sources.
How the scam works:
The scammer goes to the login page of a user’s email provider to initiate the password recovery process. If the user has registered for the option to have the email provider send a verification code in an SMS text message, the attacker selects that option and the user receives the message almost instantly. The attacker then sends the user a follow-up SMS text message like, “We have detected unusual activity on your account. Please respond to this message with the verification code sent to your mobile device to stop unauthorized activity.”
When the user responds with the verification code, the attacker uses it to get a temporary password and gain access to the email account. Once they have access, they can set up an alternate email address and have copies of all incoming and outgoing messages forwarded to it. The attacker then sends the new password they established to the user in an SMS text message that says something like, “Thank you for verifying your account. Your temporary password is (xxx).” The user believes that the correspondence is legitimate and that the account is now secure.
What makes this type of attack alarming is that it requires no hacking skills. Anyone who has an email address and cell phone number can accomplish it. Attackers use the email messages to gather information about their targets. It is likely that they use the email account to gain access to other accounts tied to it.
How to protect yourself from a password recovery scam:
- Remember, legitimate password recovery services will only send you a verification code if you request it and will not ask you to respond in any way.
- Never respond to a verification code that was sent to you out of the blue.
- Never provide account access credentials of any sort to anyone.
- Never post your cell phone number on social media websites.
Thank you for being a Third Federal customer.