• April 19, 2024
  • Posted by GECU Voices

Your Spoofing FAQs, Answered by GECU’s Top Security Experts

Spoofing is like the tech version of putting on a disguise to trick someone. There are different types of spoofing, but email spoofing is a common tactic utilized by many of today’s scammers. This involves manipulating email addresses and headers to mislead recipients into believing a message is from a legitimate source. For example, a scammer may take Duke Energy’s customer service email address and change out a letter. They’re counting on the recipient barely scanning the email and divulging the information they need without using a discerning eye. It's like cyber-mischief, trying to fool people for not-so-friendly reasons. Staying savvy about these spoofing tactics is crucial in the digital age to keep our online spaces safe and sound.
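The swapped-letter trick described above can be checked mechanically. The following is an added example, not part of the original post: it compares the domain in a message's From line against a short list of trusted domains and flags near-misses. The domains and the function names `edit_distance` and `classify_sender` are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist of domains the recipient really deals with (assumption).
TRUSTED_DOMAINS = ("example-energy.com", "example-cu.org")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Two adjacent letters swapped count as a single edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    """Return (verdict, trusted domain it resembles or None) for a From: value."""
    _, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or not domain:
        return ("invalid", None)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried in a longer domain, or within a couple of edits of it.
        if trusted in domain or edit_distance(domain, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)

# Constructed sample From: values, not taken from real messages.
SAMPLES = [
    "Customer Service <help@example-energy.com>",
    "Customer Service <help@examp1e-energy.com>",
    "billing@example-energy.com.pay-now.test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_sender(sample), sample)
```

This only catches near-miss domains. A forged From line carrying the exact trusted domain is a matter for the receiving mail system's SPF, DKIM and DMARC checks.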

We brought in two General Electric Credit Union (GECU) security experts, Bill Lantry and Austin Vaive, to help our members better understand spoofing and how to protect themselves. 

What experience do you have with spoofing in your role at the Credit Union?

Bill: I was a police officer for 30 years. When I started in ’86, things were a lot different. We didn't even have cell phones. Computers were just on the horizon as far as being used daily. There was still spoofing, but it came in the form of a really poorly written letter or a phone call.

As Vice President of GECU’s Fraud Department, a role I’ve held for over eight years, we see the same types of scams—they are just more high-tech and can reach more people. Scammers are also largely focused on elderly people because they tend to be more trusting. They still answer the phone, even if it's an out-of-state number.

Austin: I've been with GECU for five years in the Information Security department. I have a bachelor's degree from the University of Cincinnati in Cyber Security. Part of my role as Information Security Manager at GECU is dealing with spoofing attempts targeting our team members.

How significant of a threat is spoofing to the everyday member? 

Bill: It's a real threat. I'm like a broken record because I really want to protect our elderly members—they’re the target with these types of scams because spoofers know they're not as sophisticated on the computer and generally have a decent amount of money in their accounts. They've worked their whole life and may have their entire life savings in their accounts here.

Austin: Spoofing is one of the most common types of information security or cyber security attacks due to how effective it is and how low effort it is for cyber criminals and fraudsters to execute. The stereotypical depiction of a hacker is someone who's highly skilled in computer engineering and hacking—but in reality that’s not always the case. It’s a lot easier to trick someone and get them to disclose information than to actually break into their accounts manually. 

We've seen an increase in this, I think partly due to artificial intelligence (AI), which people can use to craft more convincing scams. They don't necessarily have to write their own script anymore. The technologies are out there now to spoof legitimate phone numbers, too, so a call shows up and the caller ID shows it as a contact you trust. 

What spoofing attempts have you witnessed over the years, and what was the impact? 

Bill: We've really seen an uptick in spoofing over the last six months. We’ve had cases where the scammer is spoofing our contact information, so a call or text will come through the victim’s phone and looks like it’s a call or text from GECU. 

Once they make contact, they’ll say, “Hey, this is the Credit Union Fraud Department.” Scammers rely on the terror factor to scare you into thinking, “Oh, I need to protect my money.” They’ll solicit personal identifying information (PII), like your account number or your member number.

The impact is twofold. Obviously, there can be a loss of money. If you have millions and you lose $5,000 you can absorb that. But if you've got $50,000 and you're on a fixed income and you lose $10,000, that really hurts. One time I was talking to a gentleman who’s retired, and he and his wife have health problems. He lost over $9,000 in a scam. And that's the other part of the equation. The damage is emotional. These people lose trust, they lose faith in society. Now they're scared to even answer their phone or get on their computer.

Austin: One common tactic I see involves gift cards. A scammer, impersonating a legitimate source, will request a payment in the form of a gift card. Once purchased, they’ll ask for the numbers on the back. This gives them quick access to funds. It’s a very easy way to extract money from someone without having to go through traditional banking transfers. The scammer can go and redeem the gift cards, and then they’re essentially off scot-free.

How can members best protect themselves against spoofing? 

Bill: In this day and age, you have to be proactive and change the way you live your life to a certain degree. I just tell people, “This is the world we live in, and this is what you need to do to protect yourself.” I have an 89-year-old father and I programmed everybody I can think of into his phone. I tell him if it's not in your contacts and their name doesn't pop up, don’t answer it. If it's important, they'll leave a message.

One major thing you can do is freeze your credit with the three main credit bureaus. That way, if your identity is compromised, the person can’t go out and open accounts or make a major purchase. You can unfreeze it at any time if you need to purchase a car or get a loan.

A lot of folks are anti-computers and anti-technology. They don't want to have anything to do with Online Banking. I try to get all our members enrolled in Online Banking so they don’t rely on their paper statement every 30 days, because there's a lot that can happen between that last statement you received and the one you're waiting to get.

Before you go to bed, you can look at your accounts. “Oh, everything's there. Everything's fine. Nothing to worry about.” If you do see anything or any abnormalities, you can call us immediately and we can investigate it.

Austin: Verify the legitimacy of whatever it is you're receiving. Spoofing can look very, very real and very legitimate. With phishing emails, it’s a good idea to read the email address the message came from. You may find the address has nothing to do with the person or organization they’re claiming to be. There may also be misspellings that tip you off to a source not being a legitimate, professional entity. 

Phone calls are a little bit more difficult because, like I mentioned, they are spoofing the caller ID so it appears a call is coming from a legitimate organization. The best thing you can do is not give out information or contact information if you did not initiate the phone call or an email is not in response to a request you sent. 

For example, if someone claiming to be from GECU calls a member and says, “Hey, it's the Fraud Team. We need your account information,” the best course of action is to hang up and call us directly. Don’t use the number the person on the other end gave you.

What should a member do if they encounter spoofing? 

Bill: Reach out to GECU. We’ll suspend Online Banking if your account has been compromised. If your computer itself has been compromised, we need to lock it down right away. Most scammers are not in the area and the majority are not even in the country. The computer and internet have shrunk the world and now you can steal from someone that lives on another continent.

We can also put a verbal password on accounts. It's probably the simplest tactic to use, but it's very effective to keep people from either walking into our branch or calling in and pretending to be our members. If they don’t have the password, they won’t be able to make transactions on any accounts. 

Austin: Contact the Credit Union. Bill's team will lock down your accounts. You should immediately change your password, too. If you’re concerned about an online account at a different financial institution or website, or something you don't have a good contact method for, it's again best practice to change your password. 

Additionally, you should enable multi-factor authentication options when available. In doing so, you’ll get a text message or code when you sign into an account. Even if someone gets your password, they won't be able to log into your account without the code. If someone on the phone is asking for a multi-factor authentication code, don't give it up. 

How does GECU protect members? 

Bill: We have an internal system that identifies abnormal behavior on an account, and we’ll reach out to our members to confirm, “Hey, are you doing this? Is this something you authorized?” The unfortunate part is they don't know if we’re the real Fraud Department or if the spoofer is. So oftentimes we'll ask our members to come into a branch and talk to us face-to-face. Sometimes that's the only way you can be sure who you're talking to is really GECU.

I've hired a couple of former law enforcement people and have an entire team that genuinely cares about protecting our members, and that's why I'm so proud of this group. We go way above and beyond what other financial institutions do.

Too many companies, especially the bigger ones, don't involve themselves at all. They just take the loss, write it off, close the account, and they're done. And we feel just the opposite. We need to protect not just our current members, but future members and the elderly especially. And we’re extremely proactive in that regard. But we live in a world where you as an individual also have to be proactive. You can't sit back and just wait for your monthly statement or just think it's never going to happen to you—because it can happen to anybody.

GECU is committed to Improving the Quality of Financial Lives—and that includes helping you avoid spoofing, and responding to it quickly when you fall victim to it. Learn more about spoofing and other types of fraud online, and be sure to contact the Credit Union if you ever suspect fraudulent activity. 
