Fraud & scam awareness

What to look for

Email and phone call scams are not new. Cyber criminals have been attempting to fool people for years. In these types of scams, cyber criminals do not know whom they are targeting. They simply create a generic message and send it out to millions of people.

To avoid scams, you can monitor your SMUD account activity on a regular basis. Use tools to mitigate risk when checking your account on your desktop, smartphone or tablet. And remember these helpful tips:

• We will never ask you for personal information, such as your passwords
• We will not ask you to download software in an email
• Do not respond to any email that asks you to update your personal information online or by dialing a telephone number
• Use only the customer service numbers listed on our web page

Suspicious calls

If you receive a suspicious call from someone claiming to be a SMUD representative who requests account information (usually credit card) or security credentials, hang up.

• If you provided any personal identifiable information, alert customer service at 1-888-742-7683.
• If you did not provide personal information, email SMUD and report the phone number and message details.

Suspicious emails

If you receive an email stating it's from SMUD and it looks suspicious, don't click on any links in the email.

• If you provided any personal identifiable information, alert customer service at 1-888-742-7683.
• Forward the suspicious email to SMUD.

Personalized scams are when cyber criminals find or purchase information about millions of people and then use that information to personalize their attacks. They are becoming more common, so the more you know about these scams, the easier it is for you to spot and stop them.

How they work

In traditional scams, cyber criminals send generic messages that are usually easy to spot. A personalized scam is different; the cyber criminals do research first and create a customized message for each intended victim.  

One common trick cyber criminals use is fear or extortion to force you into paying them money. They find or purchase information on people’s logins and passwords obtained from hacked websites, social media sites and in publicly available government records. They send an email with some personal details about you, including the original password you used on the hacked website. The criminal refers to your password as “proof” of having hacked your personal computer or device, which is of course not true. The criminal then threatens that if you do not pay an extortion fee, they will share information about your online activities with family and friends.

In almost every situation like this, the cyber criminal never hacked your system. They don’t even know who you are or which websites you’ve visited. The scammer is simply attempting to use the few personal details they have about you to scare you into believing they hacked your computer or device and to trick you into paying them money. Remember, bad guys can use the same techniques for a phone call scam, too.

What to do

Recognize that emails or phone calls like these are a scam. The attack is part of an automated mass-scale campaign, not an attempt to directly target you. It is becoming much easier for cyber criminals today to find or purchase personal information, so expect more personalized scams like these in the future. Following are some clues to look for:

• Whenever you receive a highly urgent email, message or phone call, be very suspicious. If someone is using emotions like fear or urgency, they are trying to rush you into making a mistake.
• Someone is demanding payment in Bitcoin, gift cards or other untraceable methods.
• When you get a suspicious email, search on Google to see if other people have reported similar attacks.

Ultimately, common sense is your best defense. However, we also recommend you always use a unique, long password for each of your online accounts. Can’t remember all your passwords? Use a password manager. In addition, enable two-step verification whenever possible.

Even the smartest smartphone is susceptible to attack. Securing your mobile devices can reduce the likelihood of access to your personal and financial information, photos, texts and email if your device is lost or stolen.

Jailbroken and Rooted Devices

Avoid putting your device at risk. “Rooting" (for Android) and "jailbreaking" (for Apple), is getting system level access and removing software restrictions, which expose your information to untrusted software. Only install software from authorized locations such as the Apple App Store or Google Play.

What to do

• Maintain physical control of your device.
• Use a passcode or PIN to help protect your device.
• Enable remote wipe and location features to help ensure that your personal information is protected if your device is lost or stolen.
• Set up biometrics (fingerprint ID or facial recognition) on your mobile device to add an extra layer of security when logging on to your device.
• Keep your operating system and applications up to date.
• Don't use a link from sources you don't trust, including emails and social media posts.
• Use trusted networks and avoid accessing sensitive information, like banking.
• Turn off unnecessary services like Wi-Fi, Bluetooth and location apps when you're not using them.
• Encrypt your Data. If your mobile device supports it, use encryption to help protect sensitive information.
• Inspect the permissions when installing applications or external accessories.
• Install and use anti-virus software and browser protection tools.

You can learn more about capabilities offered by individual mobile anti-virus vendors by visiting their websites, some of which are referenced below.

• AVG
• Avast!
• Norton
• Trend Micro

Notice: Mobile anti-virus products are offered by individual vendors and not by SMUD. SMUD makes no representations, warranties, promises or guarantees regarding these or any other mobile anti-virus products. The links provided above and reference to any specific product, process, service, trade name or corporation name are for convenience and education only, and do not constitute endorsement or recommendation by SMUD. SMUD encourages members to use personal due diligence when selecting and using technical and security products.

The simple activities you perform on your computer can expose your personal and financial information to attack. Searching the Internet, sharing information on social media, downloading software or even checking your email without appropriate protection can lead to an infected computer.

What to do

• Install antivirus software like Microsoft Security Essentials (free).
• Keep your computer's operating system up to date.
• Keep your web browser software up to date.

Additional protection

• Back up your data regularly.
• If you use removable storage to back up your data, make sure you store it in a separate location from your computer.
• If you use online or cloud storage, be sure you understand its privacy and security policy and keep your access codes safe.
• When using Wi-Fi at home, use WPA2 or stronger security to protect your wireless network and avoid the outdated WEP security option.
• Avoid the Wi-Fi at coffee shops and other locations, which usually don't provide secure wireless networks.

Scammers often update their tactics, but there are some signs that will help you recognize a phishing email or text message.

Phishing emails and text messages may look like they’re from a company you know or trust. They may look like they’re from a bank, a credit card company, a social networking site, an online payment website or even from SMUD.

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. They may:

• say they've noticed some suspicious activity or log-in attempts
• claim there's a problem with your account or your payment information
• say you must confirm some personal information
• include a fake invoice
• want you to click on a link to make a payment
• say you're eligible to register for a government refund
• offer a coupon for free stuff
• threaten to shut off your power

Phishing emails can have real consequences for people who give scammers their information. Cyber attackers use social engineering to gain your trust so you will give them information they can use to compromise data security. If you are contacted by phone, email or text by an individual asking for information that they should already know, verify their identity using contact information that you know is legitimate. The same is true for anyone asking for confidential information.

What to do

SMUD will never ask you for this information over the phone or through email. If you get a notice that appears to come from SMUD, you can forward that to SMUD. SMUD will never threaten to turn off your power or force you to make a credit card payment over the phone.