
Cybersecurity

Vishing Scams: Who is Really Calling You?

What’s Happening?

Law enforcement continues to receive reports of fraudulent phone calls in vishing scams. Typically, threat actors (hackers) acquire publicly available information found online and impersonate specific organizations or individuals. They contact the recipient to extort money or convince their targets to divulge sensitive information, grant access to their accounts or devices, or purchase fraudulent goods or services. In one report, an educational institution received repeated suspicious phone calls from different phone numbers, including spoofed official ones, to appear legitimate. The threat actors claimed to be “Online IT Training” and asked for the head of the information technology department. When questioned, the threat actors could not respond “off script.”

Threat actors are increasingly leveraging voice cloning and artificial intelligence (AI) technologies to carry out impersonation and extortion scams. They can find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, such as family emergencies, kidnappings, robberies, or car accidents. In one reported vishing scam, the threat actors impersonated the target’s daughter, claiming to be involved in a car accident. A male voice was also on the line, claiming to be a local law enforcement officer and reporting that the daughter supposedly admitted to using her cell phone while driving. He indicated that she was being held for charges of injuring the other driver, who was pregnant. The purported officer stated that a bail bond agent would contact them to post bail. Minutes later, a male caller posing as a bail bond agent contacted the target to indicate bail was set at $15,000 cash only, and warned the target not to tell anyone because it would go on the daughter’s permanent record. After hanging up with the threat actors, the target called their daughter to confirm the call’s legitimacy before going to the bank. The daughter revealed she was not on the call or involved in a car accident.

What Should We Do?

  • Refrain from answering unexpected calls from unknown contacts.
  • When receiving unsolicited phone calls, do not respond to any requests for sensitive information, access, or money.
  • If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, hang up and call the organization back using the official phone number found on their website.
  • Block and delete unsolicited or suspicious phone numbers received on cell phones and other devices.
  • Establish a unique password or passphrase with important contacts, such as loved ones, employers, and coworkers, and request it if suspicious inquiries are made by individuals claiming to represent them.
  • Report vishing scams and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.
  • If you or someone you know is being physically threatened, then contact the police department or dial 9-1-1 immediately.

Cybercriminals Impersonate NJ MVC in Recent SMS Text Phishing Messages

Over the last week, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) received several incident reports from NJ residents regarding an SMS text phishing (SMiShing) scam impersonating the Department of Motor Vehicles (DMV).

These messages claim that the user has an outstanding traffic ticket and payment is due. If not paid by May 29, the user will have their vehicle registration and driving privileges suspended, receive a toll booth charge increase, and their credit score will be impacted. The URL displayed in the message includes “ezpassnj” and “.gov” in an attempt to appear legitimate. The message itself does not allow the user to click the included link directly but instead instructs them to reply to the message with “Y” and reopen the message to click the link or to copy the URL to their browser. These links lead to fraudulent websites that attempt to extract personally identifiable information, financial details, or account credentials.

This SMiShing scheme is similar to others that have circulated impersonating NJ toll services and EZ-Pass claiming the user has an outstanding toll that needs to be paid to avoid a late fee.

  • NJ MVC – The NJ MVC only sends text messages to remind residents about scheduled MVC appointments. It does not send text messages regarding driver’s licenses or vehicle registration status.
  • New Jersey E-ZPass – NJ E-ZPass does not send unsolicited text messages to collect payments. If your account is in collections and being handled by Credit Collection Services, you may receive text messages from Credit Collection Services regarding your account. Their text message will list a phone number, their website www.ccspayment.com, and reference a file number.
This image is a screenshot illustrating how cybercriminals attempted to impersonate the New Jersey Motor Vehicle Commission.

Division of Consumer Affairs Fraud Alert

The Division of Consumer Affairs (DCA) is warning all licensed professionals about individuals impersonating DCA staff and investigators as part of an extortion scheme.

The impersonators are contacting licensees by telephone, via a phone number spoofed to appear as if you are receiving a call from your respective licensing board. The impersonators advise that you are under an investigation, and direct you to pick up a faxed letter from a local UPS store. The letter, which is made to appear as if it was sent by DCA, falsely advises the licensee that their license has been suspended due to violations of federal drug trafficking laws. The impersonators then demand money to resolve the matter. Below is a copy of the fraudulent letter, which can also be found here.

Please be advised that while there may be times that you may be contacted telephonically by your board or DCA’s Enforcement Bureau investigator, DCA staff will never contact you by phone to demand money, advise that your license has been suspended, or ask you to receive or obtain a faxed letter. DCA correspondence is sent out via email, from a DCA email address, or via regular or certified mail.

Anyone receiving a telephone call from a person purporting to be any of the above-mentioned individuals seeking money should refuse the demand and report the call to DCA at askconsumeraffairs@dca.njoag.gov or 973 504 6200. You may also report the call to the Division of Criminal Justice at dcjtipline@njdcj.org or 800 277 2427, or to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov.

Sincerely,

Division of Consumer Affairs
Office of the New Jersey Attorney General

Temporary Drone Flight Restrictions in Effect in Linden

The FAA has issued new drone flight restrictions for additional New Jersey towns due to recent unexplained drone sightings that have raised security concerns. The restrictions, which include sections of Linden, NJ, aim to protect critical infrastructure. Below are links to see which parts of Linden have this temporary restriction in effect.

  • Linden – FAA drone flight restriction in effect from December 30, 2024 – January 18, 2025.
  • Linden – FAA drone flight restriction in effect from December 25, 2024 – January 19, 2025.
  • Linden – FAA drone flight restriction in effect from December 23, 2024 – January 19, 2025.
  • Linden – FAA drone flight restriction in effect from December 23, 2024 – January 19, 2025.

Click here for the full list of all locations in which temporary flight restrictions are in effect.

Alert – Phone Scam Impersonating Police Officers

Residents in multiple New Jersey municipalities have reported receiving suspicious phone calls from individuals impersonating police officers. These suspects are spoofing the phone number they are calling from, and displaying the respective police department’s phone number.

Reports state that the suspects have a thick accent and are using officer names obtained by searching municipal websites. 

As a reminder, never give personal information over the phone, by fax, through the mail, or on the Internet unless you have initiated the contact or you are sure you know who you are dealing with.

If you receive an unsolicited phone call from an individual claiming to be a Linden Police Officer, obtain the caller’s name and disconnect the phone call. Then, call the Linden Police Department directly at (908) 474-8500 to verify the call was legitimate.

If you have fallen victim to this scam and provided your personal information or are a victim of identity theft, please contact the Linden Police Department to file a police report.

Neither the Linden Police Department, nor any police union or organization associated with the Linden Police Department will ever solicit over the phone.

Beware of Utility Scams!

Hi Fellow Linden Residents, 

As you may know, many business and residential utility customers are targeted daily by impersonation scams. Scammers impersonate the utility company (such as PSE&G, Comcast, Verizon, NJ American Water and others) through in-person, phone, and online tactics, claim the utility bill is past due, and threaten to disconnect services unless a payment is made immediately. Customers are pressured to make payments via prepaid debit cards (such as Green Dot, MoneyPak, or Vanilla), wire transfers, cash apps (such as Venmo or Zelle), gift cards, or cryptocurrency (such as Bitcoin). Additionally, scammers may claim that the regular payment portal for the utility company is currently offline, but the target can submit payment through another portal via a link or QR code. This fraudulent payment portal creates a false sense of legitimacy by using spoofed domains, impersonation, and stolen branding. Phishing and smishing tactics attempt to convince the target to immediately take action, such as responding or calling a fraudulent phone number, disclosing sensitive information, or making payment. 

In Person

Scammers may visit the target’s home or place of business in person, claim to be a utility company collector, present fraudulent identification, and ask for personal information, including account number or Social Security number. However, legitimate employees wear a uniform, visibly display a company ID badge, drive a company car with the utility company’s logo, and visit during a pre-scheduled appointment with the customer. 

Calls

Additionally, if customers receive an urgent call from their utility company’s trusted customer service number claiming termination of services for non-payment and that someone will arrive in 15 minutes to disconnect service, slow down the conversation before making any quick decisions and verify the information through official sources, as the phone number may be spoofed (faked)!

Web Searches

Hackers are targeting customers who use search engines to contact their utility companies. The search engine results may contain fraudulent websites with fake phone numbers that, if called, will put unsuspecting customers at risk for threat actors to collect personal and financial information. Furthermore, service disconnections are not immediate; there is a multi-step process, including payment arrangement options and multiple notifications to the customer, typically by mail and noted on their regular monthly bill.

QR Codes

Traditional attack techniques of malicious links or attachments are often detected by email security, forcing threat actors to pivot to QR codes as the primary attack method in various schemes. QR codes, sent through unsolicited communications or posted in publicly accessible locations, may appear to be associated with a reputable brand or organization and could direct targets to phishing websites, fraudulent payment portals, and unsuspecting malware downloads. In one campaign, the threat actors persuade their victims to withdraw money from their financial accounts and transfer it to them using a QR code and cryptocurrency ATM to avoid service disconnection. Once the funds are deposited into the ATM to purchase cryptocurrency, the QR code with the embedded address is scanned, and the money is transferred to the scammers.

Please make sure to be vigilant of these and similar impersonation scams. Refrain from answering unsolicited or unexpected communications, especially those containing QR codes. Additionally, do not provide personal or financial information or transfer money, especially in cryptocurrency, to unverified entities. If you need help with this or another type of scam, please call my office at (908) 474 8493 so that I can help. 

Mayor Derek Armstead

Cybersecurity Warning for Linden Residents; Beware of Gift Card Scams

During the holiday season and all year round, it is common for consumers to purchase gift cards for themselves, for family members and friends. Hackers seek to exploit this common purchase in the form of gift card scams.

How does this happen?

Hackers will initiate fraudulent requests by spoofing a known or trusted person – such as a person in leadership or a position of authority within an organization, a friend, or a loved one – to make the request appear legitimate. They also create a sense of urgency with a fake story or emergency to convince the recipient to act quickly without verifying. These fraudulent requests may be sent through email, SMS text messages, and social media platforms.

Authorities continue to receive reports of gift card scams from New Jersey residents and organizations. For example, an employee received an email sent from an external account purportedly from the CEO, who was attending a meeting out of state. The CEO requested their phone number to perform a task. The employee provided their phone number and then communicated through SMS text messages. The request was to purchase two $500 Apple gift cards, to which the victim complied and submitted the back of the gift cards. The request was only identified as a scam when the victim was asked for the remaining balances.

Example of a real attempt to defraud.

In the above campaign, the hackers stated that they are traveling and having an issue purchasing a $500 Apple gift card for their niece’s birthday. They request the recipient to purchase the gift card and will pay them back as soon as they get back. Other campaigns may, for example, apologize for bothering the potential victim and inquire if they have an Amazon account or order from them.

What should we do?

Refrain from responding to unsolicited communications, clicking links or opening attachments from unknown senders, and exercise caution with communications from known senders. If you are unsure of an email’s legitimacy, then contact the sender via a separate means of communication, such as by phone, before taking action. Call the sender from a phone number that you already have, and NOT from a phone number provided in the email requesting the gift cards.

Refrain from complying with requests to purchase gift cards and sending the numbers to someone without first verifying the request via a separate means of communication. These are unusual requests or demands, typically portraying a sense of urgency, and should be handled with suspicion.

What should I do if this is happening or already happened to me?

  • If gift card information was already sent, then immediately contact the company who issued the gift card to inquire if the funds are still on the gift card and can be frozen.
  • Incidents should be reported on https://www.cyber.nj.gov/report (the NJCCIC Cyber Incident Report Form), and https://www.ic3.gov (the FBI Internet Crime Complaint Center), and to the Linden Police Department at 908 474 8502.

Let’s all remain vigilant of these and similar scams.

Cybersecurity Warning for Linden Residents; Active Info-Stealer Campaigns Are Targeting Facebook Users

Cybercriminals are using Facebook ads to distribute malware and hijack users’ social media accounts, researchers have discovered.

What’s an info-stealer?

Info-stealers are malware that enable hackers to steal victims’ browser cookies and take over Facebook accounts. Once inside the account, hackers can change passwords and activate additional security measures on accounts to completely deny access to the legitimate owner, allowing cybercriminals to commit fraud.

How does this happen?

This happens when hackers exploit legitimate tools for online ad distribution and insert infected links into typical advertisements. To entice users into clicking, campaigns often offer “provocative enticements”, which in this case, contained lewd images. Each click on the ad instantly downloads the malicious file to the victim’s device. Researchers estimate that nearly 100,000 users downloaded the malware in just 10 days.

What should we do?

Be extra vigilant when using any social media platforms, and make sure to connect only with people you know. Be wary of friend requests and messages from unknown people, especially when they ask you to click on a link or download a file. Before clicking on any ads, go to the company’s website to verify ad claims, such as discounts or special offers.

Let’s all remain vigilant of these and similar scams. Please refrain from answering unsolicited or unexpected communications. Additionally, do not provide personal or financial information or transfer money, especially in cryptocurrency, to unverified entities.

What should I do if I am hacked?

Incidents should be reported on https://www.cyber.nj.gov/report (the NJCCIC Cyber Incident Report Form), and https://www.ic3.gov (the FBI Internet Crime Complaint Center), and to the Linden Police Department at 908 474 8502.

Are You Cyber Secure?

Please register to attend this free webinar on Wednesday October 25th, from 1pm until 2pm to learn simple actions to help keep your workplace, home, you and your family cyber-secure!

In honor of National Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity, the Region 2 National Preparedness Division is hosting this seminar that encourages four simple steps every American can take to stay safe online. Joining the seminar will be Rich Richard, Cyber Security Advisor for the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

To register for this free webinar, please click here.

  • Who – This event is for individuals, families, the whole community, community-based and faith-based organizations, small businesses, federal, state and local government.
  • What – Free cybersecurity webinar that encourages four simple steps every American can take to stay safe online.
  • When – October 25, 2023 from 1pm until 2pm EST.
  • Where – Online.
  • Why – To protect your workplace, home, you and your family from cybersecurity threats.
  • How – To register for this free webinar, please click here.

Cyber Tip – Using Strong Passwords and a Password Manager

Many users connect to the internet and access multiple accounts and services for business, including email platforms, applications, and vendor websites. The increased use of online accounts and services, combined with users engaging in risky password management practices, puts both themselves and their employers at risk of account compromise and data breaches. Therefore, it is important to practice good password hygiene to protect accounts and data.

Strong, unique passwords for each account help prevent password reuse attacks in which threat actors obtain the password for one account and use it to compromise an additional account using the same credentials. Threat actors succeed when users reuse credentials across multiple accounts, use easy-to-guess or simple passwords, and do not enable multi-factor authentication (MFA). Strong, unique passwords help secure information, networks, servers, devices, accounts, databases, files, and more against cyberattacks.

Password managers are an effective method to assist users in creating strong, unique passwords and storing them securely. These accounts should be secured with unique and complex master passwords and multi-factor authentication (MFA) using an authentication app or hardware token. Password managers contain sensitive data and, therefore, require implementing the strongest possible security measures. Users are encouraged to research password manager providers thoroughly prior to use.