Subject: CFPB alleges 3 banks failed to protect consumers from Zelle fraud
Source: NPR
https://www.npr.org/2024/12/20/nx-s1-5235238/cfpb-sues-zelle-fraud-jpmorgan-chase-bank-of-america-wells-fargo
The Consumer Financial Protection Bureau sued the operator of Zelle, as well as Bank of America, JPMorgan Chase and Wells Fargo “for failing to protect consumers from widespread fraud” at the payment provider, according to a statement on Friday.
CFPB, the government’s consumer financial watchdog agency, alleges customers of the top three banks lost more than $870 million over the seven years that Zelle has been in existence due to the banks’ failures to protect them.
Among the CFPB allegations are that Zelle and the banks failed to implement proper fraud prevention safeguards, allowing scammers to proliferate, and that banks failed to properly investigate customer complaints about Zelle.
“This is about financial institutions fulfilling their basic obligations to protect customers’ money and help fraud victims recover their losses,” said CFPB Director Rohit Chopra. “These banks broke the law by running a payment system that made fraud easy, and then refusing to help the victims.”
[but … ]
JPMorgan Chase said the CFPB was “now overreaching its authority by making banks accountable for criminals, even including romance scammers.” “It’s a stunning demonstration of regulation by enforcement, skirting the required rulemaking process,” JPMorgan Chase added.
…
Tagged:
From consumerfinance.gov:
Topics
Source: KnowBe4
https://blog.knowbe4.com/james-bond-style-scamming-profits-explode
The victim then hands the cash off to someone waiting on the street (usually in a car or truck who then speeds away). The victim thinks they have saved their money from either being stolen or being used by terrorists to fund terrorism.
But it is all a hoax, and the victim loses everything they have handed over. There is no chance of recovery. I have not heard of anyone conducting these scams being arrested, at least not yet.
Here are some example incidents over the last few months:
- https://www.washingtonpost.com/business/interactive/2024/fbi-imposter-scam-victim-elder-fraud/
- https://www.nytimes.com/2024/07/29/business/retirement-savings-scams.html
- https://www.foxnews.com/media/finance-columnist-flabbergasted-fell-amazon-scam-cost-50000-savings
- https://www.washingtonpost.com/business/interactive/2024/scam-elderly-tax-issues-victim-aid-congress/
- https://www.msn.com/en-us/health/other/scam-victims-often-feel-shame-this-support-group-helps-them-heal/ar-AA1vr0am
…
Potential victims need to verify that the person calling them is really working for who they say they are. You MUST be able to call a publicly recognized number for that vendor or agency and confirm the person’s identity. If they tell you that you must call a particular private number to reach them, that is a potential red flag.
Anyone who asks you to lie to bank officials or keep a secret such as activating a cell phone microphone session on your body while going to the bank is for sure a thief.
I know it is hard to accept that these victims did and accepted all those “red flags.” They are ashamed of falling prey to the scam. But most of these victims would have likely avoided the scam if they were just made aware of them. Training and awareness really work to reduce human risk.
Source: KnowBe4
https://blog.knowbe4.com/mobile-phishing-attacks-use-new-tactic-to-bypass-security-measures
ESET has published its threat report for the second half of 2024, outlining a new social engineering tactic targeting mobile banking users.
Threat actors are using Progressive Web Apps (PWAs) and WebAPKs to bypass mobile security measures, since these files don’t require users to grant permissions to install apps from unknown sources.
“The initial phishing messages were delivered through various methods, including SMS, automated voice calls, and social media malvertising,” ESET says.
“Victims received messages or calls suggesting the need to update their mobile banking applications or informing them of potential tax refunds. These messages, sent to presumably random numbers, contained links directing victims to phishing websites mimicking legitimate banking sites. Malvertising on Facebook and Instagram promoted a fake banking app, falsely claiming that the official app was being decommissioned.”
The apps are designed to trick users into entering their banking credentials, and they can also intercept multi-factor authentication codes.
“Once installed, the malicious apps ESET researchers analyzed behave like standard mobile banking malware and present fake banking login interfaces, prompting victims to enter their credentials,” the researchers write. “The stolen credentials, including login details, passwords, and two-factor authentication codes, are then transmitted to the attackers’ command and control servers, so that the attackers can gain unauthorized access to victims’ accounts.”
Source: Malwarebytes
https://www.malwarebytes.com/blog/news/2024/12/task-scams-surge-by-400-but-what-are-they
Once you know the red flags, it is easier to shy away from task scams.
- Do not respond to unsolicited job offers via text messages or messaging apps.
- Never pay to get paid.
- Verify the legitimacy of the employer through official channels.
- Don’t trust anyone who offer to pay for something illegal such as rating or liking things online.
It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.
If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov.
Source: tech.co
https://tech.co/news/cybersecurity-experts-top-predictions-2025
Cybersecurity is evolving in 2025, with AI functions, Zero Risk architecture, and risk quantification all making a mark.
Major companies are losing millions to ransomware or, in T-Mobile’s case, a $30 million settlement for exposing customer data. One US cybersecurity firm even accidentally hired a North Korean hacker.
As we reach a full quarter-century into the new millennium, the landscape of online security will continue to shift under our collective feet. How can you ensure that you stay aware of the latest trends? By taking a spin through the guide below — we’ve combed through dozens of cybersecurity experts’ predictions, cautions, and forecasts to collect the cream of the crop.
Here’s what to expect from the world of cybersecurity across the new year.
The Biggest Cybersecurity Predictions for 2025:
- Boosted Security for the Internet of Things
- Zero Trust Architecture Expands Beyond Devices
- Risk Quantification Becomes a Core Security Tool
- A Focus on Mid-level Cyber Skills Gaps
- AI Tools Will Further Integrate into Companies’ Security Protocol
- Be Wary of Undermanaged Assets
Source: WIRED
https://www.wired.com/story/you-need-to-create-a-secret-passphrase-with-your-family/
AI voice cloning and deepfakes are supercharging scams. One method to protect your loved ones and yourself is to create secret code words to verify someone’s identity in real time.
Add to that impersonation scams, where a criminal pretends to be someone known to their target and extracts money. There have been increasing calls for people, and particularly families, to create passphrases or passwords with each other. At the start of December, the FBI issued a recommendation that people create a “secret word or phrase with your family to verify their identity,” and British bank Starling has also published guidelines on creating safe phrases with others.
The calls to create family passwords or passphrases have come because scammers are increasingly adopting AI. Machine learning has allowed criminals to create deepfake videos impersonating people and to clone voices with only a few seconds of audio. Scammers have used these voice clones to pretend family members have been kidnapped and demand ransom payments for their release.
“I also hear about a few families every day who have received AI phone-call attacks voice-cloning a nephew, grandchild, or sibling in hysterics about being kidnapped or being involved in a car accident where they hit someone pregnant and need money for legal fees and bail,” Tobac says.
…
Source: VICE
https://www.vice.com/en/article/anom-phone-arcaneos-fbi-backdoor/
Clicking the calculator doesn’t open a calculator—it opens a login screen.
“Enter Anom ID” and a password, the screen reads. Hidden in the calculator is a concealed messaging app called Anom, which last month we learned was an FBI honeypot. On Anom, criminals believed they could communicate securely, with the app encrypting their messages. They were wrong: an international group of law enforcement agencies including the FBI were monitoring their messages and announced hundreds of arrests last month. International authorities have held press conferences to tout the operation’s success, but have provided few details on how the phones actually functioned.
Motherboard has obtained and analyzed an Anom phone from a source who unknowingly bought one on a classified ads site. On that site, the phone was advertised as just a cheap Android device. But when the person received it, they realized it wasn’t an ordinary phone, and after being contacted by Motherboard, found that it contained the secret Anom app.
Source: gHacks Tech News
https://www.ghacks.net/2024/12/27/how-to-block-chrome-from-signing-you-into-a-google-account-automatically/
If you are using Google Chrome, you may have noticed something strange. When you sign-in to a Google service, like Gmail or Google Drive, you get signed-into the browser automatically as well.
While some users may prefer that, as it ensures that features such as sync or personalization options are enabled, others may dislike it.
Here are a few reasons:
- You may not want Google Account-specific features in Chrome and prefer to stay signed-out because of that.
- You may want to use different accounts for different Google sites.
- For privacy.
The default setting in Chrome signs you into a Google Account in the browser whenever you sign-in on a Google-owned website.
Tip: check out our guide on disabling toast popups in Google Chrome as well.
…
Filed: https://www.ghacks.net/category/google-chrome-browsing/
Source: The Hacker News
https://thehackernews.com/2024/12/north-korean-hackers-deploy-ottercookie.html
North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.
Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process.
This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret.
It’s worth noting at this stage that Contagious Interview is assessed to be disparate from Operation Dream Job, another long-running North Korean hacking campaign that also employs similar job-related decoys to trigger the malware infection process.
“North Korea’s illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as funds for North Korea’s nuclear and missile development.”
Source: Newser
https://www.newser.com/story/361656/migrants-about-to-be-detained-theres-an-app-for-that.html
Mexico is developing a cellphone app that will allow migrants to warn relatives and local consulates if they think they’re about to be detained by the US immigration department, a senior official said Friday. The move is in response to President-elect Trump’s threats to carry out mass deportations after he takes office on Jan. 20, per the AP. The app has been rolled out for small-scale testing and “appears to be working very well,” said Juan Ramon de la Fuente, Mexico’s secretary of foreign affairs.