Full Notification

The San Marino Police Department would like to share a fraud scheme that is becoming more prevalent. 

This scheme targets victims’ existing online accounts including 401(k), pension, health savings, and flexible spending accounts.  Reports show criminals are using stolen Personal Identifying Information (PII) to create new accounts or access exiting victim accounts.  The criminals are also breaching multiple employee accounts which were managed by the employee or a third-party plan administrator.  This is done by e-mail “phishing” or pretending to be an employee of the company in order to gain access to information or payment.   Other methods used are malicious software (virus) or exploit a security weakness in the company’s infrastructure. 

Methods used to gain access to victim’s accounts include, obtaining PII and changing victim’ e-mail addresses, phone numbers, home addresses, security questions and answer, and banking information to gain complete control of the victim’s accounts.  Using this same information, criminals also create new accounts using victim information.  After gaining control of these accounts, funds are transferred to fraudulent accounts by:

• Initiating loans from accounts
• Transferring / withdrawing funds
• Initiating distribution of retirement accounts
• Re-directing recurring deposits of retirement or health spending accounts
• Diverting existing 401(k) or pension payments
• Submitting fraudulent claims for health spending account payments / reimbursements. 

 
Recommendations:
 

• Establish company polices to contact the owner of the account to verify if any changes to existing account information.  Apply heightened scrutiny to bank information initiated by account holders seeking to update or change direct deposit credentials. 
• Educate employees on scrutinizing links contained in e-mails, and not opening attachments in unsolicited e-mails.
• Establish multi-factor authentication when creating new online accounts and when making account changes, such as password or bank account information. 
• Ensure employees are aware of social engineering and phishing attacks (i.e., via phone or e-mail) by cyber criminals attempting to obtain user credentials.
• Instruct employees to refrain from providing log-in credentials for PII in response to any e-mail or phone call.
• Alert workforce personnel to this scheme and actively monitor accounts for unauthorized access, modification, and anomalous activities.

 
For more information regarding scams and to report scams online, contact the FBI Internet Crime Complaint Center (IC3) at http://www.ic3.gov