The Latest Scams

The Latest Scams


As financial planners, we are trusted with some of Clients’ most personal information, and we consider it a serious responsibility to keep that information secure. Because of this, we’re committed to keeping ourselves and our Clients abreast of common scams. We use this space to keep you up-to-date on the latest scams that we’re learning about from our trusted partners in cybersecurity so you can stay protected.


Tax Attacks

As millions of Americans prepare to file their tax returns, cybercriminals are prepared to interrupt the busy season with scams to obtain your personal information and/or assets. The experts at KnowBe4, our strategic partners in cybersecurity, have shared details about a scam their seeing this tax season. Here are the details:

“In this scam, cybercriminals are taking advantage of tax season by trying to trick you into opening an email and downloading a malicious PDF attachment. The email they send looks like a government form and includes a link to download the PDF attachment. The scammers even include helpful instructions for pasting the web page URL into your browser in case the link isn’t working.

Clicking the link will redirect you to a fake webpage and initiate a file download. Malware is installed on your computer once the file downloads. Remember, cybercriminals don’t only want your money—they also want your data! And they can use this malware to steal your user credentials and other personal data.”

What can you do to protect yourself?

Follow these tips to avoid falling victim to a tax scam:

  • The latest software versions for devices often contain security updates. Make sure that your devices are running the latest software updates.
  • Be skeptical of unsolicited emails from the government or other financial entities. Always double-check with the organization that sent the form if you have doubts about its authenticity.

Search Engine Optimization (SEO) Scams

Our team at Schwab has informed us of a scam targeting Schwab Clients via a search engine optimization (SEO) scam. SEO is a process aimed at improving a website’s visibility in search engines, like Google, to increase the number of users visiting the site. According to Schwab, “Scammers are using search engine optimization (SEO) to create fake websites that appear in search results for trusted institutions like Schwab. When clients visit these sites, they are exposed to phishing attacks aimed at stealing their information and assets.” This tactic is extremely dangerous and requires users to have an ever-heightened awareness of the links they’re clicking and the websites they’re visiting.

Here’s a bit more from Schwab about how these scams work:

  • Knowledgeable fraudsters use sophisticated techniques to create websites that appear in search engines when clients are looking for Schwab or other trusted institutions.
  • The websites are designed to look legitimate, and their position in the search results trick users into believing the top search hits are the most credible. This phishing tactic is very effective: after all, not every user will scrutinize every search result to ensure the link they’re about to click is legitimate.
  • Once the client clicks on the phishing website and attempts to log in with their credentials, they receive an error message stating there’s a login issue and to contact a hotline number noted in the message for further assistance.
  • When the client contacts the fraudulent number, the bad actor posing as a Schwab employee states that there’s been a security breach, and someone is attempting to steal money from their account.
  • Then, the bad actor attempts to convince the client to download software to their device.
  • The overall goal is to gain access to the device and continue to facilitate additional fraud attacks, which can ultimately lead to unauthorized activity and ID theft.

The images below provide two real examples of this SEC scam in action.

What can you do to protect yourself?

To access your account information via the Schwab Alliance website (or any other banking or financial institutions you use), type the known website into your browser or use the mobile app rather than searching for the login sites via Google, Safari, or Firefox. You can also save all of your favorite websites’ correct addresses to your browsers’ bookmarks, so you can feel confident that you’re accessing the correct website each time.

Callback Phishing

The experts at KnowBe4, our strategic partners in cybersecurity, have shared an advisory from the FBI about a dangerous campaign called callback phishing. According to KnowBe4, callback phishing “is usually a phishing email that arrives into a user’s email inbox, containing some sort of usual phishing message requiring the user’s urgent response. But unlike traditional email phishing, it does not contain a URL linked to a malicious site or content. Instead, it contains a phone number that the user is prompted to call.”

Here are two examples courtesy of KnowBe4:

KnowBe4 continues, “In both cases, the sender is attempting to scare the user into making the call so that their credit card will not be charged for these made-up charges. When the user calls, they are normally sent to an overseas call center. As with typical callback scams, the hacker wants to induce the user into installing new software. The installed program is likely to be a legitimate (or semi-legitimate) remote access program that legitimate admins and users might use to manage computers they are authorized to use. But in the callback scams, the legitimate software is used so that the remote attacker can install more malicious programs, scripts and watch the user’s screen.”

What can you do to protect yourself?

KnowBe4 offers: “Be super suspicious of any email that contains only a single picture file, a repeated phone number and no clickable links.” Specifically, “be wary of any incoming message with these two traits: 1. The message arrives unexpectedly (you were not expecting it) or 2. It is asking you to do something you have never been asked to do before (at least by that sender). To confirm whether or not an email is legitimate, use some other alternative method before taking action (i.e., call the company directly using a known good phone number, go directly to the legitimate website, etc.).

Additional Resources

Find more information about the latest cybersecurity trends and best practices here on our website.