Cal Coast Security Center

The latest scam we've been made aware of in our area involves fraudsters pretending to be calling from your financial institution, stating there has been a breach to your account. This is a fraud tactic called spoofing, where the caller ID information is manipulated to trick you. You can read more on phone spoofing on the Federal Communications Commission (FCC) Website. This is not related to an internal breach within the credit union, rather, a common scam that has targeted some members and we want to make you aware so you do not fall victim. 

These fraudsters are asking for Personal Identification Information (PII), such as your banking login credentials, in an effort to commit identity theft or gain access to your account.

California Coast Credit Union will never ask for this type of PII over the phone when contacting you to validate potential fraudulent activity on your account. If you receive a call from someone claiming to be from California Coast Credit Union and requesting PPI, please hang up and call us directly.

If you believe you have been a target of this scam, please contact us immediately. 

We have recently been alerted of an increase of wire transfer scams where con artists try to take advantage of their victims by convincing them to wire money to a stranger, often someone in a foreign country. The hook can come in many forms, but it's important to never wire money to anyone you haven't known for a very long time. The following red flags from the Washington State Office of the Attorney General, should signal a scam: 

• You are asked to wire money.
• You are sent a check in connection with a payment request. Con artists often win their victims’ confidence by sending a fake check for more than the amount of purchase or to cover so-called processing fees, shipping costs or other expenses. It may be a cashier’s check, personal check or money order. They instruct the victim to cash the check or money order and send them a portion of the money by wire. Read more about fake check scams.
• The contact indicates a confirmation code or money transfer control number (MTCN) is needed before your money can be withdrawn. This is a blatant lie. Once you wire money, it can be picked up immediately.
• A caller or email appears to originate from overseas. The email message may be full of typing errors.
• The person communicates via TTY service. TTY is used by the hearing impaired. Cons prefer the service because it disguises thick accents and makes calls untraceable. Follow-up correspondence is by email.

Want to learn more? Download the Beware of Wire Fraud Scams: Five Tips for Consumers from the California Department of Justice. 

California Coast Credit Union has made aware of a new phone scam impacting residents of the San Diego area as of mid December 2020. Fraudsters target customers of financial institutions, contacting them over the phone pretending to be their bank or credit union by spoofing the telephone numbers of financial institutions. Please be aware that these calls may appear to be coming from official Financial Institution phone numbers, but they could be spoofed. The fraudsters then may state that there has been a breach to your account and ask for your customer/member's login credentials or other Personally Identifiable Information (PII). 

We would like to remind members that California Coast Credit Union will never ask for this type of PII over the phone if your account has been breached. 

If you believe that you have been a target of this scam, we advise members to contact the credit union immediately.

The IRS issued a warning about a new phishing scheme involving the impersonation of the FBI or IRS in order to take your computer hostage. This ransomware scam is sent via email using IRS or FBI logos, and asks you to download a fake questionnaire. Clicking on the link will download a form of malware called ransomware, which locks your device unless money is paid to the scammers.

The IRS does not use email, text messages, or social media to discuss personal tax issues, including bills or refunds. If you receive such an email, please do not click on any of the links. Instead, immediately report the email to the FBI at the Internet Crime Complaint Center, and forward IRS-themed scams to phishing@irs.gov.

Please visit the IRS website for more information.

There is a new variation on the classic overpayment scam which is disguised as a job opportunity with stipulations. People may answer an ad posted in the newspaper (including college papers) or post their resume on job sites and fall victim of this newer overpayment scam. 

In these scenarios, people receive a job offer from legitimate companies and are then sent a check and/or money order. They are told that they can deposit the check and keep a certain portion of the amount but are then instructed to wire the remainder.

Keep in mind that it doesn’t matter why you are supposed to send money back. Scammers give many different excuses that seem reasonable. It is best to avoid all overpayment scams by never agreeing to handle financial transactions for people you don’t know or who offer you a job. As a rule, never accept a check or money order and turn around and send part or all of the money to anyone.

If you receive a check in the mail with a letter that says you've won the lottery or a sweepstakes or that you've been selected to participate in a secret shopper program, there's a very good chance the check is counterfeit. If you receive a check in the mail because you've sold something on the internet or signed up to work from home, and the check includes an overpayment that you are supposed to return, there is also a likely risk that the check is counterfeit.

Some of these checks look authentic and include the names and addresses of legitimate financial institutions. In addition to checks, counterfeits can also come in the form of official checks, money orders, business checks or personal checks. If you receive a check from an unknown source, contact the financial institution it's written on to help you verify the validity of it. You can find contact information from a public source such as the institution's website or the phone book. Never rely on the contact information on the check or any letter that accompanied the check.

Legitimate California Coast Credit Union's cashier's checks will never be used to fund secret shopper programs, sweepstakes or other similar transactions where you are asked to send money to claim income or winnings. If you are ever in doubt of the validity of a California Coast Credit Union cashier's check you've received, please contact us immediately at (877) 495-1600.

Here are some other tips that will help you avoid becoming the victim of a counterfeit check scam:

• Shred any offer that asks you to pay for a prize or a gift.
• Know who you're dealing with, and never wire money or send a check to strangers.
• If you're selling something, don't accept a check for more than the selling price, no matter how tempting the offer or how convincing the story. Ask the buyer to write the check for the exact amount. If the buyer refuses to send the exact amount, don't send the merchandise or a refund.
• Resist pressure to act immediately. Any legitimate offer should still be good after the check clears.
• It's best not to rely on money from any type of check unless you know and trust the person you're dealing with or, better yet until your financial institution confirms that the check has cleared. Forgeries can take weeks to be returned through the banking system, and until you have confirmation that the funds from a check have cleared your account, you are responsible for any funds you withdraw against that check, whether or not the financial institution places a hold on them.
• Resist the urge to enter foreign lotteries. If you are notified that you are a winner of a lottery that you didn't enter chances are you are being scammed.

Online banking users should be aware of a new variation of a 'social engineering' attack. Criminals are using a computer virus, called Citadel, to launch this attack in an attempt to steal personal and/or account information, including online banking login passwords. The latest version uses social engineering tools to create fake pop-ups, even on legitimate banking sites. This could trick online users into re-entering their bank and credit union account logins and passwords. That could confuse members making online transactions at their credit union's site. See below example below.

Security advice:

• Avoid using out-of-date software versions that have vulnerabilities easy to exploit. Software companies issue patches and updates; use them. Out of date Java software in particular has been a gateway for the Trojan infection, say researchers;
• Run full-system virus scans at least once a week;
• Use caution when entering user names and passwords and enter these slowly to give time to back out if something seems odd;
• Regularly visit the FBI's Internet Crime Complaint Center for updates about Citadel;
• Have a computer expert remove any malware. Even if you succeed in unfreezing the computer, keyloggers and other malware may still be operating in the background; and
• Never pay money or provide personal information to a suspicious online entity.

A pop-up requesting information could look like this:

What to do if you think your computer has been infected.

 If you suspect your computer is infected, or if you see a screen similar to the one above, do not enter your personal information. Call our Member Service Center immediately, at (877) 495-1600. We suggest that you also contact a qualified computer technician to assist you.

 For more information you can go to this website.  

The National Credit Union Administration (NCUA) has issued an alert about a new scam targeting credit unions members.

The agency warned of fraudulent emails pretending to come from the NCUA and asking credit union member participation in an "Online Survey" or "Member Survey." The emails promise a $40 compensation as an inducement to respond to the email.

The emails are fraudulent, the NCUA warns, and may be an attempt to obtain confidential member information. The agency does not solicit such information from credit union members.

This is a phishing activity with no NCUA activity or approval. If you have received these emails please do not respond. If you have any questions or concerns please email NCUA at pacamail@ncua.gov, or call California Coast Credit Union at (877) 495-1600.

Phishing (pronounced "fishing") attempts are on the rise. Beware of people requesting information over the phone, by text message or by email. Phishing scams involve criminals who try to trick people into providing personal information (such as credit card numbers, PINs, financial account or other sensitive information).

California Coast Credit Union will never send you an email or text message requesting account verification or personal information. If you are ever in doubt of the validity of someone requesting personal account information, please contact California Coast Credit Union immediately at (877) 495-1600.

The criminals who "phish" get more creative all the time! It's important to be aware of the common traits of phishing attempts so you'll recognize them as they evolve. Here are a few to consider:

• They usually involve requests using the name of business or a person who you would trust.
• Using a scenario that is intriguing and/or creates a sense of urgency to respond (i.e. will be asked to help solve a crime or win a prize).
• They often involve consequences such as losing access to your financial accounts, your eBay account or getting arrested because you failed to show up for jury duty.
• Many phishing attempts have misspellings or grammatical errors, but may look and sound professional. They may even illegally use a company's logo.

Phishing emails are designed to load malicious software on your computer to gather information or just to do damage to your hard drive. The best ways to avoid compromising your computer's security is to ensure that you keep updated anti-virus software on your computer and avoid opening emails unless you know the sender. Be particularly careful of emails that contain attachments.

Zeusbot - Recent Scam (ZeusBot)

Online banking users should be aware of a new variation of a 'phishing' attack. Criminals are using a computer virus, called ZeusBot or Zbot, to launch this attack in an attempt to steal personal and/or account information, including online banking login passwords. This virus is widespread, but at this time does not affect Mac (Apple) computers.

This virus operates by opening a tab or window in your browser that will appear to be part of the login process for online banking or e-commerce sites (such as eBay, Amazon, etc.). This window will ask for login passwords or credit card information, as if confirming the users' identity. If such an unsolicited window appears on your PC, especially during an online banking session, do not enter information into that window.

The only way to log into Cal Coast Online, California Coast's online banking system, is using the login fields on the www.calcoastcu.org home page. California Coast will not present an additional screen to enter your password into Cal Coast Online.

Please note that after you have entered your password into the home screen of www.calcoastcu.org, you may be presented with questions to verify your identity. This is normal, but the questions will only be the ones that you set up yourself during the enrollment process and will never ask for credit card information or PIN numbers.

This virus can infect your PC by visiting an infected website, not related to your online banking provider. Once a PC has been infected, it will continue to collect personal information such as passwords and card numbers, even if you are entering them into legitimate sites. You do not have to enter this info into the virus' pop-up window to be affected. The only way to know if your PC is infected is if your anti-virus detects the virus, or if you see one of the unsolicited pop-up windows. Please be aware that not all anti-virus programs have yet been updated to detect or clean this virus.

The fraudulent screens may appear similar to the one below, which may ask for your login information (user name and password) or other personal information.

Vishing is the criminal practice of using social engineering (using the phone) and/or Voice IP (calling through a computer) to gain access to private personal and financial information for the purpose of committing fraud.

These are disguised as legitimate calls from fraud prevention departments requesting or verifying your personal or financial information. Do not give out your information. Instead, if you have questions, please call California Coast Credit Union or the financial institution that issued the card.

What to do if you think your computer has been infected.

 If you suspect your computer is infected, or if you see a screen similar to the one above, do not enter your personal information. Call our Member Service Center immediately, at (877) 495-1600. We suggest that you also contact a qualified computer technician to assist you.

If you see similar screens on other financial institutions or secured websites where you might make online purchases, do not proceed and report the issue to the owners of those sites.

• Contact your financial institution immediately if a bank account or credit card statement does not arrive on time. 
• Review your bank account and credit card statements promptly and immediately report any discrepancy or unauthorized transaction.

• Store your checks, deposit slips and credit union statements in a secure and locked location. Never leave your checkbook in your vehicle. 
• Never give your account number to individuals you do not know, especially over the telephone, through email or on the Internet. Be particularly aware of unsolicited phone sales. Fraud artists can use your account without your authorization and you could be held responsible. 
• When you receive your check order, ensure that all checks are present and that none are missing. If you believe your checks are missing, report it to the credit union immediately. If you fail to receive your order by mail, notify the credit union because checks could have been stolen or lost in transit. 
• If your home is burglarized, check your supply of checks to determine if any have been stolen. Look closely, because thieves will sometimes take only one or two checks from the middle or back of the checkbook. The longer it takes to realize that your checks have been stolen, the more time the criminal has to use them. 
• Limit the amount of personal information on your checks. For example, do not include your social security number or drivers' license number. A criminal can easily use this type of information to steal your identity. 
• Do not leave blank spaces on the payee and amount lines. Draw a line or line through any empty spaces. 
• Use dark ink that cannot be easily erased or written over. Based on recent studies, the ink found in gel pens, has been the only ink found to be counterfeit proof. 
• It's safest to purchase your supply of checks from the credit union or from a reputable check reorder company. 
• At California Coast Credit Union our e-Statements allow you to view your confidential California Coast Credit Union financial records without the paper trail so you won't have to worry about identity theft or financial fraud. When you sign up for our e-Statements, you can view all your transactions from the privacy of your home or work computer, no more waiting for your statement to arrive in the mail. And best of all, it's FREE! 

Home Computer

Maintaining your computer with the latest updates is one of the most effective security precautions that you can take. As vulnerabilities in software are discovered, the software companies release updates, or patches, to address these issues. Many of these programs can be configured to automatically check for updates over the Internet.

Adobe

Adobe has recently released several updates to their products.

• Adobe home page: http://www.adobe.com
• Adobe Reader updates are available at: http://get.adobe.com/reader/ 

Microsoft

Microsoft releases updates for their Windows operating systems and their MS-Office suite on a weekly basis. It is highly recommended that your home PC is maintained with these updates on a regular basis. Your home PC should also have an anti-virus program installed. This program requires daily or weekly updates to be effective. 

The latest Microsoft updates are available at: http://update.microsoft.com

Home Internet Router

A home internet router should have the administrator password changed from the default password that comes from the factory. Routers have firmware that may be updated as released by the manufacturer of the device. These firmware updates may contain security updates.

Mobile Phones

Android Smartphones

Avoid Android malware using these precautions: 

• Install apps only from trusted play stores like Google Play
• Keep the option to "Install Apps from Unknown Sources" unchecked in System Settings
• Keep the option to "Verify Apps" checked in System Settings
• Keep both options under "Verify Apps" checked in Google Settings > Security
• Keep an eye on the permissions requested from untrusted and unknown apps, and disallow any suspicious requests
• Secure your Wi-Fi network and be cautious when you connect to untrusted public Wi-Fi in airports and coffee shops
• Upgrade, if possible, to the latest version of Android operating system
• Install anti-virus and other mobile security apps for Android
• Enable "Remote Wipe" feature, in case your device is ever lost

Apple iPhones & iPads

Apple releases updates for their iOS operating system on a periodic basis. These updates odten contain fixes for security vulnerabilities. It is highly recommended that your iPad and iPhone are maintained with the latest iOS version.

The update screen can be found under: Settings > General > Software Update.

• Protect your card(s) by activating them immediately upon receipt by calling the phone number indicated on your card. If you fail to receive your new card(s) in the mail within 10 business days, notify the credit union immediately. The card(s) may have been stolen from your mailbox or lost in transit. 
• Keep your card(s) in a secure and locked location when not in use. Do not leave your card(s) in your vehicle. 
• Retain copies of all sales receipts, merchant and ATM receipts until you receive your monthly statement, at which time you should verify that the transactions/charges are accurate. If you discover any errors, unauthorized transactions, payments or alterations, notify the credit union immediately. 
• Cancel all cards that you do not use. 
• Sign new cards as soon as you receive them. 
• Report lost or stolen cards immediately. 
• If you notice anything suspicious when approaching an ATM, return later or use another ATM. Consider having another person accompany you to the ATM. 
• Have your ATM card ready to avoid searching through your purse/wallet at the ATM site. 
• Stand close to the ATM and block it with your hand to avoid detection of your PIN and other account information, and ensure doors are locked and keep the engine running when using drive-up ATMs. 
• Put your cash away as soon as the transaction is complete. Count the cash later in the safety of your vehicle or home. 
• If you notice anything suspicious while you are transacting business, immediately cancel your transaction, put your ATM card away and leave. 
• Be aware of individuals who pose as credit union staff trying to get information from you. Never give information to strangers at the ATM, over the phone or on the Internet. 
• The credit union strives to ensure ATM facilities are safe and convenient. Please tell us if you are aware of any problems with a California Coast Credit Union ATM, such as a light that is not working or there is any damage to an ATM facility. 
• Limit the number of credit, debit and ATM cards that you carry. 
• Memorize your Personal Identification Number (PIN). Do not write the number on your card or keep it in your wallet. 
• Never give your PIN to anyone, not even your financial institution. 
• Always be aware of your surroundings and look for well-lit, visible ATMs, especially when transacting at night.

• Order a copy of your credit report annually and review it for accuracy. 
• Check your credit report for unauthorized bank accounts, credit cards and purchases. 
• Look for anything suspicious in the section of your credit report that lists who has received a copy of your credit history. 

• Store extra checks, credit cards, documents that list your Social Security number, and similar items in a safe place. 
• Shred all credit card receipts and solicitations, ATM receipts, bank account and credit card statements, canceled checks, and other financial documents before you throw them away. 

• Promptly remove mail from your mailbox. 
• Deposit outgoing mail in a post office collection box, hand it to a postal carrier, or take it to a post office instead of leaving it in your doorway or home mailbox, where it can be stolen.

Each year scam artists and identity thieves steal billions of dollars from unsuspecting consumers. These criminals use the phone, email, text messaging, postal mail and the internet to steal your information or trick you into handing over your money. Learn how to recognize common scams, take action if you think you are a victim of fraud, and what you can do to protect your finances from fraud.

Learn more

• Never use the same password on multiple systems. If your password is compromised on one system, this will grant access to other systems. 
• Never share your password with anyone else. 
• Select strong passwords, which means: 
• Use a password that is easy to remember yet complex enough that it cannot be easily guessed. 
• Avoid using dictionary words in your password that may be subject to dictionary attacks. 
• Use a combination of upper and lower case characters from the alphabet plus numbers and special keyboard characters such as !#$%. 
• Some computer systems have limitations to the allowed length, number of characters, or types of special characters allowed. Use the strongest password that the system will allow. 
• Generally, the longer and more complex a password is, the harder it is to compromise. 
• Avoid writing down your passwords. If a password is written down, always keep it in a secure location. 
• Never store a PIN in the same place as the associated credit or debit card. 
• Never write your password on a post-it note on your computer monitor or under your keyboard. 
• Multifactor authentication is based on "what you have" (a card or device) and "what you know" (a password). If the card or device is compromised, the second factor of a strong password becomes even more important. 
• If a system does not require period password changes, it is a good practice to periodically change your password anyway. 
• If you suspect that your password to a credit union system has been compromised, immediately contact the credit union. 

• Always protect personal identifying information, such as your date of birth, Social Security number, credit card numbers, bank account numbers, Personal Identification Numbers (PINs) and passwords. 
• Do not give any of your personal identifying information to any person who is not permitted to have access to your accounts. 
• Do not give any of your personal identifying information over the telephone, through the mail or online unless you have initiated the contact or know and trust the person or company to whom it is given.

• Memorize your PINs and passwords and keep them confidential. 
• Change your passwords periodically. 
• Avoid selecting PINs and passwords that will be easy for an identity thief to figure out. 
• Do not carry PINs and passwords in your wallet or purse or keep them near your checkbook, credit cards, debit cards or ATM cards.

Protect yourself and your money from fraudsters

It’s a high-tech spin on an old-fashioned scamming scheme, yet social engineering is a powerful technique that can be used to trick you into cooperating with scam artists and identity thieves. These fraudsters can use various scare tactics to trick you into providing your financial institution’s login credentials and card data or paying for unnecessary technical support services or other items.

This can be done through a phone call, where a scam artist pretends to represent a credit union, a fraud department, a software company like Microsoft, or a popular anti-virus company. They may spoof the caller ID so that it displays a legitimate phone number from a company, and then ask you to install an application and provide them with the code that gives them remote access to your computer. 

Text messaging is another method that scam artists will use to fool you. These attacks can occur as SMishing (SMS text phishing) and Vishing (Voice phishing). SMishing and Vishing occurrences usually involve a member receiving a text message or phone call that is asking about suspicious transactions. However, the real information the fraudster is looking for is your card number, CV2 code, PIN number, or other information that could compromise your account.

Below are a few red flags that can help you identify if the text you received might be a SMishing attempt. Be wary if you receive a text about a suspicious transaction that contains any of these:

• Requests for card numbers, PIN numbers, CV2 codes or expiration dates.
• References to merchants that are vague or nondescript. Legitimate transactions should contain detailed information.
• Links to unknown websites
• Hyperlinked phone numbers

A fraudster may also display a fake message on a website, or a pop-up message that won't go away. Messages like this, known as “scareware”, may indicate a virus or other malware. These messages are fake, and are designed to trick you into calling a phone number staffed with fake technical support.

When you engage with these fraudsters, they will offer fake solutions and ask for payment in the form of a one-time fee, subscription service, or gift card. 

Protect yourself from social engineering using these tips:

• Be cautious when responding to unsolicited text messages and voice calls, even if they appear to be from the credit union.
• If you have questions, always hang up and call back the credit union at a reliable, known phone number to inquire about the messages you might have received.
• Never provide personal information in response to SMS messages or phone calls that are supposed to be from the credit union.
• Be cautious when clicking links in text messages. Most legitimate card activity validation requests will require a simple “YES” or “NO” response, and will not include hyperlinks or a member’s personal information.
• Do not provide your credit or debit card information to these fraudsters.
• Do not give a gift card number or PIN on the back of a gift card to settle a demand for payment. Scammers will typically request popular gift cards such as Amazon, Google Play, iTunes, Steam, and MoneyPak, among others. You can visit the Federal Trade Commission’s site to learn more about gift card scams and how to report them.
• Most companies do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to provide technical support to fix your computer.
• Any customer identifying communication with most companies must be initiated by you.
• If a notification appears with a phone number, don’t call the number.
• Do not give remote access of your computer to a fraudster.
• If you need technical support, you should initiate contact with a reputable company that you have researched first.

• Be suspicious of any offer made by telephone, on a Web site or in an email that seems too good to be true. 
• Before responding to a telephone or Internet offer, determine if the person or business making the offer is legitimate. 
• Do not respond to an unsolicited email that promises some benefit but requests personal identifying information. 
• California Coast Credit Union never requests a customer’s bank card number, account number, Social Security number, Personal Identification Number (PIN) or password through email. If you should receive an email requesting such information that appears to be from California Coast Credit Union, do not respond to the email and contact California Coast Credit Union immediately at 1-877-495-1600.

• Do not carry more checks, credit cards, debit cards, ATM cards and other bank items in your wallet or purse than you really expect to need. 
• Do not carry your Social Security number in your wallet or purse.

Cyber attacks, identified as a Distributed Denial of Service (DDoS), have recently been in the news. The intent of such an attack is to prevent Internet access. What this could mean for our members would be the inability to access the credit union's website and services such as online banking.

We cannot know if or when these this event will actually occur. However, aside from the inconvenience of a potential disruption of online service, be assured that your member information will remain secure and protected.

Internet down? We’re still here for you.

• Member Service Center at (877) 495-1600 is available Monday - Friday, 7:30 am - 6 pm, and Saturday 9 am - 2 pm
• Deposit your checks with our free Cal Coast mobile deposit application using your iPhone^®, iPad^® iPod^® or Android^TM phone or tablet
• Visit our network of over 20 branches and 60 additional shared branching locations in San Diego and Southern Riverside counties
• Access accounts through 30,000 fee-free CO-OP^® ATMs nationwide, including many in 7-Eleven locations, with nearly 70 ATMs locally