‘Tis the Season for Holiday Scams

Busy and distracted online shoppers are prime targets for cyber scams. This season’s stressors include supply chain issues and shipping delays along with low stock and rising prices fueled by increased consumer demand. Predictably, cyber criminals will capitalize on these factors, and their social engineering methods are becoming more sophisticated.

Hybrid Phishing

Cyber criminals are increasingly conducting multi-step phishing scams. Phishing emails or SMiShing texts are being sent as pretexts for vishing.
Avanan reported scammers are attempting to obtain credit card or banking details by spoofing an Amazon order notification page:
  • Scam begins with an email that imitates a legitimate Amazon order confirmation for a high-priced item meant to compel the recipient to act. A contact telephone number is included. The email comes from a Gmail account, which is a clue that it is a scam.
  • Clicking the link takes the consumer to the actual Amazon site, but the telephone number listed is not associated with Amazon. When called, a ring-no-answer is encountered.
  • Several hours later the target receives a callback from a hacker-controlled call center in India though the caller id likely shows a United States area code.
  • The hacker claims they need a credit card and CVV (card verification value) number to cancel the order.
  • If successful, the attacker makes some money and harvests the telephone number for future vishing or SMiShing cons.
Krebs On Security reports that fraudsters are sending text messages regarding suspicious bank transfers as pretexts for vishing:
  • Target receives a text from their bank asking if they had authorized a payment from their account and requesting that they reply “Yes” or “No,” or 1 to decline future fraud alerts.
  • After the reply is received, hacker immediately places a call to the target using a spoofed caller id of the financial institution. They claim to be from the fraud department and request information to confirm that they are speaking with the account owner not a scammer.
  • Presumably, the information collected is being used to set up new financial accounts in the victims’ names for large wire transfers of stolen funds.
If you find yourself in a similar situation, do not respond to unexpected texts and always contact the organization with a telephone number obtained from the actual website.

Holiday Ploys

Threat actors will undoubtedly take advantage of supply chain issues by creating fake websites and selling non-existent merchandise. Inventory issues are being compounded by Grinch bots, software programs that quickly fill out purchase forms and buy up hot holiday items quicker than a human. Many of these items are re-sold at higher prices by third parties.
Fake shipping notifications are an annual holiday tradition. Krebs On Security reported an elaborate SMiShing scam that spoofs FedEx to steal personal and financial information:
  • A text message containing a phishing link is sent indicating a package could not be delivered. On mobile devices the link is directed to an authentic-looking FedEx page with a phishing link button – “Schedule new delivery.”
  • When the button is clicked, name address, phone number, and date of birth are requested.
  • When the “Next Step” button is clicked, a request for a payment card to cover a redelivery fee appears.
  • When the “Pay Now” button is clicked, the visitor is prompted to verify identity by providing SSN, Driver’s License Number, email address, and email password. Scrolling down on the page revealed working links to real FedEx website resources including security and privacy policies.
  • After clicking the “Verify” button, the scammers re-direct the target to the real FedEx website.
Be cautious of phishing and SMiShing scams with fake shipping notifications and tracking alerts. Instead of clicking on a link go to the merchant’s website and follow the tracking link or search the tracking number to determine if it’s valid. And carefully inspect “Missed Delivery” tags to ensure they are authentic. Fake tags requesting a telephone call to reschedule delivery may be a ploy to collect personal information.

Proof of Vaccination Attacks

survey conducted by Tessian found that 35% of United States citizens had received a proof of vaccination phishing email this year. Email subject lines included “IMPORTANT” or “OFFICIAL” to convey a sense of urgency. Clicking on a link or attachment directed victims to a web page requiring PII (personally identifiable information) along with credit card or banking details to obtain proof of vaccination.
Be Wary of All Unexpected Communications
The Federal Bureau of Investigation (FBI) recently acknowledged a hacker had exploited a software misconfiguration, and thousands of phony emails warning of a cybersecurity attack were issued directly from its email servers. PII was not accessed or compromised according to the FBI.
Security Best Practices
As you can see, tactics constantly evolve. Good cyber hygiene is critical every day not just during the holidays. Hopefully, many of these basic practices have become habits:
  • Be suspicious of all unsolicited emails, text messages, or voice messages. Do not respond to them.
  • NEVER click on links in emails or text messages.
  • ALWAYS open a browser and hand-type the website address.
  • Carefully check app names, website addresses, and email addresses, which may be slightly modified to look legitimate and redirect people to malicious websites.
  • Shop online from home, and verify your wireless network is protected.
  • Verify your connection is secure when making a purchase by confirming the address bar of your browser begins with https:// (not “http://”). The s stands for secure and indicates the data being transmitted is encrypted. Beware that the small lock icon on your browser does not necessarily mean the site is secure. Cyber criminals are increasingly adding it to scam websites in their efforts to deceive people.
  • Confirm retailers are legitimate, shop at websites you trust, and bookmark them.
  • Use a credit card instead of a debit card. Most credit cards have built-in fraud protection; however, any suspicious activity should be reported immediately.

A Guide to Winterizing Your Boat

As we edge closer to the winter months, this is the perfect time for boat owners to start thinking about how to properly safeguard their vessel from cold weather. Winter can cause damage to marine property if the right precautions aren’t taken. So, get ready to winterize even if you are in an area that experiences milder winters. The process will protect the engine, electronics and all the other components of the craft.


There are mainly three ways to store boats. Out of the following methods, the best option is indoors as it is climate-controlled, but if that isn’t an option for you, other methods can be equally safe if done right. Mariner Exchange offers some great tips on storing a boat:

    1. At the Marina – whether the vessel is stored on the marina, a boatyard or outside your home, a sufficient support system is essential. Be careful where you store your boat, avoiding trees, sloping roofs, inclines, etc.
    2. On the Water – to keep water out, close all thru-hull openings, gate valves and seacocks, and make sure all water is drained from the hose. Using dock lines and spring lines, tie the boat to pilings.
    3. Indoors – you can store in a storage facility, garage, or a shed. Make sure a dry storage rack can properly support the vessel keeping in mind the hull design. Ensure the area is temperature regulated and sealed to avoid pests like mice.


Regardless of the storing method, a boat cover should be a good fit, well supported and installed to avoid damage to the boat. Such damages can include rubbing, shredding, tearing and collapsing. Stay away from homemade tarps. Consider the boat design when selecting a boat cover – plastic tarp, generic/custom synthetic or canvas cover or shrink wrapping. Refer to Mariner Exchange’s article on things to keep in mind while using a cover.


Engines are particularly at risk of freezing, leading to a cracked engine block or a cracked oil cooler. Change the oil and filter, fill the fuel tanks to 95%, add fuel stabilizer, fill water strainers and antifreeze, and replace batteries on the marine charger.

Boat ownership is a big investment, and we don’t want you to have any unpleasant surprises come springtime!


The Rise of Synthetic Content and Deepfakes

What is Synthetic Content?

The Federal Bureau of Investigation defines synthetic content as a broad spectrum of generated or manipulated digital content that includes images, video, audio, and text. In other words, it is content that has been automatically created.

Advances in AI (artificial intelligence) and ML (machine learning) have led to the creation of programmed content that seems to be real or manually created. For instance, each time the website ThisPersonDoesNotExist is refreshed, a very realistic image of a person who does not exist is generated by AI!

Generally, this content is considered as protected speech under the First Amendment. The FBI recently issued a notification that it anticipates malicious synthetic content attributed to foreign actors or cybercriminals which may result in an investigation.

Deepfake Technology

Deepfakes are videos or audio recordings that are digitally altered by AI. Deepfakes are becoming more difficult to detect. It is expected that high quality videos will soon be inexpensively created using downloaded software and apps by individuals with minimal technical knowledge. Combined with the virality of the internet, believable fake videos have the potential to compromise privacy, harm corporations, spread societal and political discord, and propagate disinformation. (Disinformation is false information that is meant to mislead; whereas misinformation is false information provided without malice.)

Deepfake video and audio can be used maliciously in emails, texts, and phone calls to convince recipients that the information is real. Reportedly in 2020, a Hong Kong bank manager authorized $35 million in transfers based on a call he believed to be from the director of a company with whom he’d previously spoken. It was a fraudster using AI to spoof the director’s voice.

Beneficial Uses

Deepfake technology also has a positive side. It is used as a tool to enhance communications during training, marketing, news reporting, and video chat bots. Some additional constructive uses include:

  • Education: bring historical figures to life
  • Language Translation: inexpensively generate high-quality videos in multiple languages to disseminate advertisements or corporate messages
  • Healthcare: voice replacement to emulate the voice of a person who can no longer speak
  • Entertainment: content creation, editing without a re-shoot; gaming technology
  • Increase Revenue: enable people to authorize use of their images and get paid for “appearances” without traveling

Reuters has collaborated with Synthesia, a UK-based startup, to create automated personalized news reports for viewers. EY, formerly known as Ernst & Young, is exploring Synthesia’s technology for AI-created avatars to send videos instead of emails to clients. Refer this article to learn 15 ways to spot deepfake videos.

Avatars will become more lifelike with technology advances. Incidentally, Swedish pop group ABBA is building a special venue where members will be performing digitally via avatars with a live band in 2022.

Potentially Dangerous Repercussions

Deepfake technology will transform audio and video productions, but the ethical and legal considerations are immense. Recently, the documentary “Roadrunner: A Film About Anthony Bourdain” is based on remembering chef Anthony Bourdain and includes his synthetic audio, which was not initially disclosed and has triggered questions about ethical boundaries.

Deepfakes can be a threat to anyone depicted in such videos or audio content. Conversely, authentic content can be labelled as deepfakes to propagate distrust, create confusion and lead people to question reality. Some examples of potential risks include:

  • Biometric Spoofing – for example, trick family members via vishing to send funds, authorize access to sensitive information, or distribute funds to hackers. Pay close attention to phone calls or voice messages that ask for funds.
  • Bullying, Harassment
  • Adult Content Videos
  • Spear Phishing Attacks
  • Impersonate Executives to get employees to commit fraud
  • Fake Promotional Material
  • Attempt by Competitors to Damage Reputation/Negatively Impact Shares of Public Companies
  • Manipulate Money Markets or Stocks
  • Re-frame History
  • Election and Evidence Tampering
  • Conspiracies by Foreign Adversaries
  • Distort Emergency Alert Warnings/Public Service Announcements
  • News Reporting of Disinformation
  • Incite Violence

Future Safeguards

Companies continue to develop technologies to identify deepfakes. In June 2010 the best algorithm in Facebook’s Deepfake Detection Challenge accurately determined if a video was real or fake with 65% accuracy. In September 2021 M12, Microsoft’s venture capital fund, invested in deepfake verification startup Truepic.

In August 2021 the U.S. Senate Committee on Homeland Security and Governmental affairs voted unanimously to advance the bi-partisan Deepfake Task Force Act, which would establish a team with representatives from the Federal Government, higher education, and private or nonprofit organizations to investigate policy and technology strategies for limiting the damage of deepfake technology. The DEEPFAKES Accountability Act was introduced in June 2019.

News From the Vault: How your customers are becoming victims of wire fraud

Incidents continue to be reported to banks and their insurers involving data compromises that occur at the bank customer’s location. Banks are saddled with a dual duty when it comes to wire transfers – securing against wire fraud through your own policies and procedures, and helping customers secure themselves against data compromise.

In our latest News from the Vault article, Craig Collins of Intact Financial Services shares some of the most common and evolving methods of data compromise. Read the complete article on our website.

Veterans Day: Honoring All Who Served

Today we pause to honor and give thanks to all who have served our country.  As you know, Veteran’s Day is celebrated on November 11 in honor of the “eleventh hour of the eleventh day of the eleventh month” that marked the end of World War I. Originally known as Armistice Day, this day of commemoration was renamed Veteran’s Day in 1954 by President Eisenhower.

To those of you who are veterans or whose family members served, we appreciate your generous spirit and commitment.

Happy Veteran’s Day 2021!