What's Up with WhatsApp Scams?

WhatsApp is an application that allows you to message and call your friends and family worldwide. However, due to a new scam, the next WhatsApp message you receive may come from a cybercriminal instead of a trusted contact.

To start the scam, a cybercriminal will send you innocent WhatsApp messages to earn your trust. After you start talking to the cybercriminal, they will try to convince you to call a phone number that begins with a **67* prefix. If you call this phone number, your mobile carrier will forward calls made to your personal phone number to the cybercriminal’s phone.

Then, the cybercriminal can use your phone number to get a temporary WhatsApp password, reset your existing password, and lock you out of your account. Once the cybercriminal has access to your WhatsApp account, they can impersonate you and convince your contacts to send them money. Don’t fall for this scam! Follow the tips below to keep your WhatsApp account secure:

  • Be cautious of who you call on WhatsApp. Only call phone numbers that belong to trusted contacts.
  • Verify that the call forwarding prefix matches the country that your contact is calling from. For example, if your contact has a United States phone number, their phone number should include the American prefix *72.
  • Learn about common social engineering red flags. Educating yourself on common scam tactics can help you avoid social engineering attacks.
Content provided by | 7.14.22

Microsoft 365 Users Targeted with Fake Voicemails

Cybercriminals continue to find new ways to trick users and steal their credentials. Sometimes, they even recycle decades-old tools that were never intended to be malicious.

For example, in a new scam, cybercriminals attack Microsoft 365 users with malicious files disguised as voicemails. The scam works by sending an email with a voicemail file attached. The filename ends in “mth.mp3”, appearing to be a legitimate MP3 file. However, the file is actually a malicious HTML file that has been disguised using right-to-left override (RLO) functionality.

RLO was created 20 years ago for languages that read from right-to-left instead of left-to-right. Unfortunately, cybercriminals now use this functionality to make malicious files look safe. For example, in this scam, cybercriminals use RLO to display “mp3.htm” as “mth.mp3”. If you open the file, you will be taken to a fake Microsoft 365 login page instead of a voicemail. Then, any credentials that you enter on the fake login page will go straight to the cybercriminals.
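The filename disguise described above can be checked mechanically at a mail gateway or during triage. The following Python is an added example, not code from the original article: the sample message, addresses, filenames, and function names are constructed for illustration, and the display logic models a single override run rather than the full Unicode Bidirectional Algorithm.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Unicode bidirectional control characters; none belong in an attachment name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
RLO = "\u202e"


def displayed_name(name):
    """Approximate what a bidi-aware file list shows: text after an RLO is
    drawn right to left until another control character or the end.
    Simplification: nested overrides and the full bidi algorithm are ignored."""
    shown, run, reversing = [], [], False
    for ch in name:
        if ch in BIDI_CONTROLS:
            shown.extend(reversed(run) if reversing else run)
            run = []
            reversing = ch == RLO
        else:
            run.append(ch)
    shown.extend(reversed(run) if reversing else run)
    return "".join(shown)


def inspect_attachment(name):
    """Compare the extension the user sees with the one the OS acts on."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    real_ext = os.path.splitext(stored)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "shown": shown,
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "controls": controls,
        "spoofed": bool(controls) and shown_ext != real_ext,
    }


def scan_message(raw):
    """Return findings for attachments whose names carry bidi controls.
    The name is read from the parsed header: on the wire it is usually
    RFC 2231 or RFC 2047 encoded, so a raw search for U+202E can miss it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        result = inspect_attachment(name)
        if result["controls"]:
            findings.append(result)
    return findings


def build_sample():
    """Constructed test message: one disguised HTML file, one plain MP3 name."""
    msg = EmailMessage()
    msg["From"] = "voicemail@mail.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "New voicemail"
    msg.set_content("You have a new voicemail.")
    msg.add_attachment(b"<html>constructed placeholder</html>",
                       maintype="audio", subtype="mpeg",
                       filename="Voicemail_" + RLO + "3pm.htm")
    msg.add_attachment(b"ID3", maintype="audio", subtype="mpeg",
                       filename="minutes.mp3")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Any bidi control character in an attachment name is worth flagging on its own; the extension comparison shows which file type the recipient would actually open.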

Follow these tips to stay safe from similar scams:

  • Never click links or download attachments in an email that you were not expecting. 
  • Before you share any sensitive information online, make sure that the website is legitimate. For example, an MP3 file should never take you to a login page. If you’re uncertain, navigate to the website directly before sharing any information.
  • Remember that cybercriminals can use more than just links within emails to phish for your information. Always think before you click! 
Content provided by | 3.9.22

Upgraded Fraud Alert Solution

At the University of Kentucky Federal Credit Union, we take threats involving our members' credit and debit card information very seriously. That’s why we’re beefing up our security with a bigger, better fraud prevention system, launching on February 23rd.

Previously, you would have only received a personal call from a live agent if fraud was suspected. The new system will allow you to receive an automated text message that easily walks you through reviewing suspicious activity on your account. If we miss your text response, you will receive an automated call and email fraud alert to ensure you have been notified.

Enhanced Features

Our enhanced fraud alert solution includes:
• Immediate Alerts
When your account detects suspicious activity, we don't wait for an agent to dial your number - our automated system will contact you by text or phone.

• 2-Way Communication
You can take action the second you receive your alert. All you have to do is text the provided command word or interact with the automated system on the phone. Simply follow the instructions to answer questions regarding your recent card activity.

• Real-Time Support
Our live agents are ready to assist you at any time to ensure you receive the best defense exactly when you need it.

Our new, automated system will reach you faster with the tools and information you need to identify potential fraudulent activity immediately, and stop it in its tracks. To ensure that you receive these important alerts, we recommend you log into Online Banking and confirm that your contact information is updated. For questions or additional information, please call 859.264.4200 or email [email protected].


Hovering Over Links

How can you tell if an email is safe? Even if you catch red flags in an email, such as typos or poor grammar, an urgent demeanor, or even a spoofed domain, how can you truly decipher the safety of an email? An immediate step you can take is to watch out for one of the most critical tell-tale signs of a phishing email—a mismatched or fake URL.

Why is hovering important? What can it do for you?

Hovering not only gives you a moment to think before proceeding, it also lets you see where a link is going to redirect you. This is especially important because not all links lead where they appear, or claim, to go. When you hover, check for the following to ensure you're staying safe and secure:

  • If the email appears to be coming from a company, does the hover link match the website of the sender?
  • Does the link have a misspelling of a well-known website (Such as
  • Does the link redirect to a suspicious external domain appearing to look like the sender’s domain(i.e., rather than
  • Does the hover link show a URL that does not match where the context of the email claims it will take you?
  • Do you recognize the link’s address or did you even expect to receive the link?
  • Did you receive a blank email with long hyperlinks and no further information or context?

If you notice anything about the email that alarms you, do not click links, open attachments, or even reply. If everything seems okay, but you're still not sure–verify! Ask your IT team or leadership if the email is legitimate before proceeding. Remember, you are the last line of defense to prevent cyber criminals from succeeding and making you or your company susceptible to an attack.

Content provided by | 12.28.21

Real People in Fake Call Centers

The newest trend in cybercrime is the use of cybercriminal-controlled call centers to trick you into providing your bank or credit card information. Cybercriminals try to use real people in fake call centers to convince you that a scam is legitimate. 

A recent call center scam starts with an email that appears to be an invoice for a very large purchase. It is not clear what company this invoice is from or what was purchased, but the payment amount is listed six times. The email also starts and ends with a line directing you to call their number if you did not authorize the transaction. If you call the number provided, a representative happily offers to refund you. But first, they’ll need your bank or credit card information. Unfortunately, the representative is actually a cybercriminal who plans to use your payment information for their own devious purposes. 

Follow these tips to stay safe from this social engineering attack:

  • The invoice in this attack is specifically designed to cause alarm and frustration. Cybercriminals target your emotions in hopes of tricking you into acting impulsively. Always think before you click. 
  • A valid phone number doesn’t mean that an email is legitimate. Cybercriminals are real people who can lie over the phone, just as they lie in phishing emails. 
  • Instead of calling the provided number, reach out to your bank or credit card company to verify the details of the transaction. If by chance there has been unauthorized usage, your bank or credit card company can help correct the issue. 
Content provided by | 11.4.21

Phony LinkedIn Job Postings

It was recently discovered that job postings on LinkedIn aren’t as secure as you might expect. Anyone with a LinkedIn profile can anonymously create a job posting for nearly any small or medium-sized organization. The person creating the post does not have to prove whether or not they are associated with that organization. This means that a cybercriminal could post a job opening for a legitimate organization and then link applicants to a malicious website.

Worse still, cybercriminals could use LinkedIn’s “Easy Apply” option. This option allows applicants to send a resume to the email address associated with the job posting without leaving the LinkedIn platform. Since the email address is associated with the job posting and not necessarily the organization, cybercriminals can trick you into sending your resume directly to them. Resumes typically include both personal and professional information that you do not want to share with a cybercriminal.

Follow the tips below to stay safe from this unique threat:

  • Watch out for grammatical errors, unusual language, and style inconsistencies in LinkedIn job postings. Be suspicious of job postings that look different compared to other job postings from the same organization.
  • Avoid applying for a job within the LinkedIn platform. Instead, go to the organization’s official website to find their careers page or contact information.
  • If you find a suspicious job posting on LinkedIn, report it. To report a job posting, go to the Job Details page, click the more icon, and then click Report this job.
Content provided by | 9.16.21

Piggybacking

To kids, piggybacking is when someone jumps on your back and you carry them around for a while. In the business world, piggybacking is when you let someone that you do not know enter a door that you just opened. A lot of organizations rely on biometrics, key cards, or even regular keys to open locked doors. These could be doors to get into the building, the parking garage, or a particular office. Piggybacking is when someone you do not know waits for you to open a locked door and enters behind you.

Many people allow this to happen because they want to be nice and courteous and open doors for people. You may even hold the door open for them. While this may be a nice gesture in public places, at the workplace it could end up costing you. The bad guys, just as they would try to trick you with a fake email, are targeting your good nature to gain access to a secured building.

If someone you do not know is trying to enter the door behind you, there are a couple of things you can do to still be courteous and follow the rules.

  • Ask them where they are going and who they are there to see, then escort them to the office of the person they are going to see, and verify that they are supposed to be there.
  • Kindly decline to let them in and explain that your organization has a strict no-piggybacking rule.

Once the bad guys have access to your offices, they can plug into any internet outlets. They can also sit down at any open workstation or place infected USB keys around the hallways and bathrooms. Remember, when it comes to piggybacking, kindly decline or insist on escorting them to the person they are there to see.

Content provided by | 7.20.21

Phony FINRA Phishing

Once again, cybercriminals are impersonating the Financial Industry Regulatory Authority (FINRA), which is the largest brokerage regulation company in the US. Organizations strive to be compliant with regulations, which is why receiving an email that appears to be from FINRA can be quite startling.

In this FINRA-themed phishing email, the sender’s email address uses the domain gateway[dash]finra[dot]org. The email claims that your organization has received a compliance request and it directs you to click on a link for more information. To add a sense of urgency, the message also states “Late submission may attract penalties”. The email even includes a case number, request ID, and a footer with legal jargon to make it feel legitimate. But if you click the link, you will be redirected to a malicious website. Don’t fall for it!

Use the tips below to stay safe from similar attacks:

  • Look for threats of urgency, such as the need to pay a penalty if you don’t act quickly enough. These scams rely on impulsive actions, so always think before you click.
  • Check who sent the email. In this case, while the email address included the name FINRA, it did not use the official domain.
  • If you are worried that the email could be legitimate, reach out to the company another way. Do not click any links or use the contact information provided in an email.
Content provided by | 6.17.21

World Password Day

Today, we're celebrating World Password Day! Every year on the first Thursday in May, World Password Day promotes better cybersecurity habits. 

Take the #WorldPasswordDay Pledge

Take the World Password Day pledge by sharing and practicing the following cybersecurity tips:

  • Change an old password to a long, strong one 
  • Turn on two-factor authentication for your important accounts
  • Password protect your wireless router
  • Don’t store passwords on your computer or phone
  • Log off when you’re done with a program
  • Periodically remove temporary internet files
Content provided by Infotech | 5.06.21

Vishing

Cybercriminals don't only use the internet and email to gain access to sensitive information. They also use telephones to their unlawful advantage. Vishing is the term for criminal attempts to influence action or gain confidential information over the phone using social engineering.

How it Works

Criminals have the ability to call from a blocked, “spoofed,” or private number. This makes it easier to pose as a fellow employee, an authority figure, or any person or organization that you would commonly interact with.

Any information regarding the processes or technologies a company uses would assist in a breach of an organization. Information that you may not consider very sensitive, such as employee names, titles, or ID numbers, could certainly help these criminals.

Don’t Fall for These Phony Attempts

Think twice about giving out personal information to someone unless you initiated the call yourself and you are certain the number called was valid. If someone contacts you requesting sensitive information, you can check the caller’s validity by asking to speak to their supervisor. You can also offer to call them back, which will buy you time to investigate the request.

Vishing is not limited to gaining data from your organization, as vishers are also known to prey on your personal information. Remember to stop, look, and think before answering unfamiliar numbers, or before calling phone numbers you see in emails, internet ads, or pop-ups.

Content provided by | 3.29.21

Phishing with Phony Loans

A year into the pandemic, bad guys continue to target struggling organizations. A recent example is a phishing email targeting those in the United States. Impersonating a bank, the sender offers loans through the Paycheck Protection Program (PPP). The PPP is a real relief fund that is backed by the United States Small Business Administration (SBA), but the email is nothing short of a scam.

The phishing email directs you to click a link to register for a PPP loan. When clicked, the link takes you to a form with an official-looking header that reads, “World Trade Finance PPP 2021 Data Collection”. The form requests a lot of personal information, such as your organization’s name, your business email, and your social security number. Any of the information submitted on this form goes straight to the cybercriminals.

Here’s how you can stay safe from scams like this:
  • Think before you click! Desperate times call for diligent measures.
  • If you or your organization need financial help, reach out to legitimate and well-known programs—don’t trust an unexpected email.
  • Stay up-to-date on your country’s relief efforts by following local news and other trusted sources.

Content provided by 

Stay Alert and Protect Your Personal Information

UKFCU encourages you to do a quick check of your financial well-being and make sure not to let your guard down against scammers. UKFCU will not call, email or text you asking for any of your logins, personal information or passwords. UKFCU will never ask you to purchase gift cards on our behalf in lieu of payment. If you suspect fraudulent activity, hang up the phone or don't click that link, and call us directly at 859.264.4200 or 800.234.8528.

Scams Continue to be on the Rise

We continue to see an increase in scams and phishing attacks in the form of phone calls, texts and emails. We want to remind our members to be diligent when it comes to their account information. These fraudsters are very sophisticated, and it can appear as if they are calling or messaging from UKFCU.

Please remember, UKFCU employees will not call, text or email you asking for:

  • Account number
  • PIN number
  • Full Debit or Credit Card number
  • Online and Mobile Banking password
  • Social Security Number*
  • Security Codes
*When a member calls into our Call Center, we may ask for your social security number for identity verification purposes.

Streaming Services are being Spoofed in Phishing Attacks

Many streaming services such as Netflix, Spotify and Disney+ are reporting an increase in phishing attacks targeted towards their customers. These attacks range from phony email alerts accusing you of non-payment to offering you free streaming services during the pandemic. Both of these strategies include a link that takes you to a page designed to gather your information and deliver it to the fraudsters.

Remember the following tips to stay safe:

  • Other streaming services may be spoofed as well. Remember that if something seems too good to be true, it probably is.
  • Never click on a link you weren't expecting. Even if it appears to be from a company or service you recognize.
  • When an email asks you to log into an account or service, log in to your account through your browser - not by clicking the link in the email. This way, you can ensure you're logging into the real website and not a phony look-alike.
Content provided by KnowBe4

Fraud Alert - Increasing Amount of Scams due to Coronavirus

Some of our members are being targeted with fraudulent text messages. Currently, the scammer indicates they are from our Fraud Department and asks the member if they authorized a certain debit card purchase. If the member replies in any way, they will receive a call which appears to come from our call center, 859.264.4200. They will ask if the member made this transaction or not.

Please do not respond to these messages. If you do, and you share any account or sensitive information with the scammer, please contact us directly and cancel your debit card. You may also need to close your account, depending on which account information was given out.

Please remember, UKFCU employees will not text or call you asking for:

  • Account number
  • PIN number
  • Full Debit or Credit Card number
  • Online and Mobile Banking password
  • Social Security Number*
  • Security Codes
*When a member calls into our Call Center, we may ask for your social security number for identity verification purposes.

Please also be on high alert to potential scams based around the government stimulus checks that could be coming in the future. The government will not ask you for your account number nor will they ask you to return a portion of your stimulus check via gift cards or wires.

If you receive a call that shows it's from UKFCU and they ask you for any of this information, hang up immediately and call us at 859.264.4200 or 800.234.8528. If you receive a text or email asking for you to verify this information, please call us.

Fraudulent Text Alerts to Members

Some of our members are being targeted with fraudulent text messages. The texts claim that the member's Visa card has been "locked", and instruct members to contact an unknown phone number and email. If you receive such a message, do not attempt to contact them and do not click any links that may be present in the communication.

Call us at 859.264.4200 or 800.234.8528 to verify any suspicious communications you may receive.

Tis the Season for Fraudsters

With the holiday season approaching, UKFCU wants to remind our members that we do everything possible to protect your information. There have been reports of fraudsters "spoofing" financial institution phone numbers so it will show up on your caller ID as UKFCU. We will never call you and ask for the following information:

  • Online banking user name and password
  • PIN number
  • Security codes
  • Account number
  • Full Debit or Credit Card numbers
  • Social Security number*
*When a member calls into our Call Center, we may ask for your social security number for identity verification purposes.

If you receive a call that shows it's from UKFCU and they ask you for any of this information, hang up immediately and call us at 859.264.4200 or 800.234.8528. If you receive a text or email asking for you to verify this information, please call us. 

Don't Get Scammed by Santa

Someone’s been naughty this year, and we’re not talking about you! Those awful scammers don’t take time out for the holidays, and if you don’t know what to expect, you can be their next victim.

One of the oldest holiday scams, which is even more prevalent in the age of the internet, is the letter-from-Santa scam.

Here’s all you need to know about this Christmas-themed scheme.

How it plays out

In this ruse, scammers set up bogus websites where parents can order legitimate-looking letters from Santa for their children. The cost is less than $30. All they need to do is share some details about their child along with their credit card information, and the letter is supposedly as good as mailed.

Except that it’s not. Unfortunately, anyone who follows the instructions detailed on the site has just fallen prey to a scam. They’ll never see that promised letter, or the money they paid for the privilege of receiving a note from Santa. Worse, the ring of scammers now has the children’s information and their parent’s credit card details.

This set of circumstances can have all sorts of unhappy endings, from identity theft to emptied accounts. Sometimes, the scammers will go after the child’s credit, which will likely go unchecked for years. When the child is grown up and tries to open a credit card or loan, they may find that their credit score has been destroyed, all without their knowledge.

Some sites will even offer to send the letter at no cost. All you need to do is share some details about your child, like their full legal name, date of birth and home address. Of course, this is also the work of scammers looking to steal your child’s identity.

How can I tell it’s a scam?  

There are legitimate websites where you can order a letter from Santa for your child at no risk of identity theft or a ruined credit history. But how can you weed out the phony sites from the authentic services?

We’ve made it simple. Look for the following red flags, which should alert you to the fact that a site is created by scammers:

  • The fraudster reaches out to you repeatedly. Promotional emails and ads are one thing; targeted marketing that is so aggressive it borders on harassment is another thing entirely. If a company doesn’t stop sending you emails or alerts about its services, you may be dealing with a scam.
  • The site is not secure. As always, check for the lock icon and the ‘s’ after the ‘http’ in the URL; both indicate a site’s security. Also, look for security badges on the bottom of the webpage and click on them to see if they’re actual links to the security company they allegedly represent. Scammers often post static images of well-known security badges, which do fool people into thinking the site is safe.
  • You need to answer too many questions. Yes, a service sending your child a letter from Santa will need to know your child’s name and mailing address. They may even ask your child’s age so they can send an age-appropriate letter. But there’s no need for them to be privy to your child’s exact date of birth, and certainly not their Social Security number. If the questions in an online form are making you uncomfortable, opt out.
  • You can’t reach a representative by phone. Most websites will have the company’s toll-free contact number on the site’s homepage. If you suspect fraud, try the number. If the company is bogus, the number will likely be a fake.
  • You can’t find any positive reviews about the company online. An online search on a legitimate service should bring up basic information and some positive reviews about the service. If a search turns up empty, and of course, if it turns up any reports of past scams, the “company” is run by crooks.

If you’ve recognized a company as a scam, be sure not to click on any links that are embedded in their emails. Flag their emails as spam, and delete every email, message and alert it sends you.

You can still send your child a letter from Santa. Try a legitimate site like Portable North Pole or or better yet, create and send one yourself!

Robocalls Claiming Your Social Security Number is Suspended

Be on the lookout for a popular robocall scam that is tricking people into believing their Social Security number (SSN) has been suspended. The robocall tells you to call the number provided to speak with a government agent about the issue. Some of the robocalls even threaten to issue an arrest warrant if the victim doesn’t respond.

When you call the number back, you are actually speaking with a fake government agent. This scammer will try to trick you into giving up sensitive personal information like your SSN, birth date, and bank account number.

Always remember the following to stay safe from tricks like this:

  • Your Social Security number can never be suspended.
  • The Social Security Administration will never threaten to arrest anyone.
  • Do not share any type of personal information with anyone you don’t know over the phone.
  • If you get this type of call, hang up the phone immediately and report the call to the appropriate agency.

Securing Your New Devices

During the holidays, internet-connected devices, also known as the Internet of Things (IoT), are often popular gifts, such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:

Use Strong Passwords:

Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don't provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.

Evaluate Your Security Settings:

Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure You Have Up-to-Date Software:

When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect Carefully: 

Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Quick Tips on Protecting Your Security

Securing Your Account:

  • UKFCU will never ask you to send us your personal information such as account numbers, card PINs, Social Security numbers*, or Tax IDs over text or email.
  • Enable biometric logins, like fingerprint and facial recognition, within your phone's settings for added security within your mobile banking app.
  • Frequently check your accounts, verifying your purchases and withdrawals.
*When a member calls into our Call Center, we may ask for your social security number for identity verification purposes.

Protecting Your Identity:

  • Periodically check through your credit reports to make sure your accounts are secured.
  • Do not carry sensitive information in your wallet like your Social Security card and Medicare card.
  • Keep personal documents in a secure place, and shred sensitive documents when appropriate.

Security Resources:

While the internet and computers offer many opportunities and advancements for businesses and individuals, they also open your door to predators and crooks. It is important to pay attention to who you are giving your confidential information to and make sure it is someone you know and trust.

You should NEVER be asked for your confidential information over e-mail. E-mail is not a secure method of transmitting information; messages can be intercepted and information stolen. If you have received a suspicious e-mail or suspect that someone is trying to commit identity theft, it is very important that you report the scam quickly so that law enforcement agencies can shut the fraudulent operations down.

Falcon Fraud Detection is provided to every UKFCU member with your debit and credit card. Falcon Fraud Detection reviews each suspicious transaction, reviews the cardholder account and calls the cardholder if necessary. The number for Falcon Fraud Center is 1.888.918.7313.

General Identity Theft and Fraud Information

Federal Trade Commission: Scam Alerts

Take the Fraud Awareness Quiz - Are you protecting yourself against fraud?