How to Spot and Avoid Common Scams
Have you ever gotten an email from someone claiming to be royalty? In their email they tell you that they will inherit millions of dollars, but need your money and bank details to get access to that inheritance. You know this email isn’t legitimate, so you delete it, yet there are many more scams being perpetrated by criminals that sound more believable and aren’t as easy to spot. Learning to identify and avoid these scams is the first step in protecting yourself from these schemes. Senior Citizens are often particularly vulnerable to some of these fraud campaigns. The world today is full of cybercriminals launching both phishing emails, and the tried and true phone scams that never fell out of fashion. Protecting not only your finances, but also your data from these scams is more important now than ever.
Scammers who operate by phone can seem legitimate and are typically very persuasive! To draw you in to their scam, they might:
- Sound friendly, call you by your first name, and make small talk to get to know you
- Claim to work for a company or organization you trust such as: a bank, a software or other vendor you use, the police department, or a government agency
- Threaten you with fines or charges that must be paid immediately
- Mention exaggerated or fake prizes, products, or services such as credit and loans, extended car warranties, charitable causes, or computer support
- Ask for login credentials or personal sensitive information
- Request payments to be made using odd methods, like gift cards
- Use prerecorded messages, or robocalls
If you receive a suspicious phone call or robocall, the easiest solution is to hang up. You can then block the caller’s phone number and register your phone number on the National Do Not Call Registry (https://www.ftc.gov/donotcall).1
Phishing emails are convincing and trick many people into providing personal data. These emails tend to be written versions of the scam phone calls described above. Some signs of phishing emails are:
- Imploring you to act immediately, offering something that sounds too good to be true, or asking for personal or financial information2
- Emails appearing to be from executive leadership you work with requesting information about you or colleagues that they usually do not request (for example, W2s)
- Unexpected emails appearing to be from people, organizations, or companies you trust that will ask you to click on a link and then disclose personal information.3 Always hover your mouse over the link to see if it will direct you to a legitimate website
- Typos, vague and general wording, and nonspecific greetings like “Dear customer”3
Beware that many scam and phishing emails look legitimate! An email pretending to be a company might contain pictures or text mimicking the company’s real emails. If you’re unsure about an email you received, there are some steps you can take to protect yourself:
- Do not click links or open attachments in emails you were not expecting3
- Do not enter any personal, login, or financial information when prompted by an unsolicited email3
- Do not respond to or forward emails you suspect to be a scam3
- If in doubt, contact the person or organization the email claims to have been sent by using contact information you find for yourself on their official website3
If you get scam phone calls or phishing emails at home, hang up or delete the emails. If you get scam phone calls or phishing emails at work, let your organization’s security or Information Technology team know so they can help protect others from these scams! Additionally, please educate your parents and grandparents on these scams, as they are becoming only more and more common.
Staying Safe from Tax Scams
As people seek to file their tax returns this year, cybercriminals will be busy trying to take advantage of this with a variety of scams. Citizens may learn they are victims only after having a legitimate tax return rejected because scammers already fraudulently filed taxes in their name. According to the Internal Revenue Service (IRS), there was a 60% increase in 2018 in phishing scams that tried to steal money or tax data. The IRS identified 9,557 fraudulent tax returns as of only February 24th, 2018 for the last filing season. As everyone aims to file their returns among all this fraud, the following advice will explain how tax fraud happens and provide recommendations on how to prevent it from happening to you or how to get help if you are unfortunately affected by a tax scam!
How is tax fraud perpetrated?
The most common way for cybercriminals to steal money, financial account information, passwords, or Social Security Numbers is to simply ask for them. Criminals will send phishing messages often impersonating government officials and/or IT departments. They may tell you a new copy of your tax form is available. They may include a link in a very official looking email that goes to a website that uses an official organization’s logo and appears legitimate, yet is fraudulent. If you attempt to login into the false website, or provide any personal information, the criminals will see what you type and try to use it to compromise your other accounts and file a false return in your name.
Additionally, much of your personal information can be gathered online from sources like social media or past data breaches. Criminals know this, so they gather pieces of your personal information from a variety of sources and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, you will go through the arduous process of proving that you did not file the return and subsequently correcting the return.
Criminals also impersonate the IRS or other tax officials, demanding tax payments and threatening you with penalties if you do not make an immediate payment. This contact may occur through websites, emails, or threatening calls or text messages that seem official but are not. Sometimes, criminals request their victims to pay “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember that the IRS lets citizens know it will not do the following:
- Initiate contact by phone, email, text messages, or social media without sending an official letter in the mail first.
- Call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- Threaten you with jail or lawsuits for non-payment.
- Demand payment without giving you the opportunity to question or appeal the amount they say you owe.
- Request any sensitive information online, including PIN numbers, passwords or similar information for financial accounts.
How can you protect yourself from tax fraud?
- File your taxes as soon as you can…before the scammers do it for you!
- Always be wary of calls, texts, emails, and websites asking for personal or tax data, or payment. Always contact organizations through their publicly-posted customer service line. If they contact you end the call and call the organization on the phone number on their website. As mentioned previously, the IRS will initiate contact on these issues by mail through the postal service.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real website address into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted sites and networks. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Use strong, unique passwords for all your accounts and protect them. Reusing passwords between accounts is a big risk that allows a breach of one account to affect many of them!
- Shred all unneeded or old documents containing confidential and financial information.
- Check your financial account statements and your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus. This will prevent identity thieves from applying for credit or creating an IRS account in your name.
If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email as an attachment to its email@example.com email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website provides a step-by-step recovery plan. It also allows you to report if someone has filed a return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
January 28th is National Data Privacy Day
Safeguard your data and your privacy!
In the past year, we saw a significant number of data breaches impacting the privacy of individuals. According to the Privacy Rights Clearinghouse, in 2018, 807 publicly disclosed breaches exposed 1.4 billion records. While this is a decrease from 2017’s 2 billion records exposed, the problem remains enormous because so many websites, social media outlets, and devices contain our information.
With January 28th being National Data Privacy Day, take some time to consider what types of personal information you should be protecting, and how to do so in a few different ways.
General Personally Identifiable Information
Personally identifiable information or (PII) can be any data that identifies you as a specific individual. This information should be kept private and not shared with others. Examples of PII include your Social Security Number, or your name in combination with your date or place of birth.
Recommendations: Be aware of what you post publicly or submit through applications or services. Consider with whom you share your PII, and give extra scrutiny and consideration as to whether you really need to share this information. If someone contacts you requesting PII through email, social media, or a phone call, do not provide the information. If it is a phone call that you think is legitimate, hang up and call the organization back through a publicly listed telephone number so you can verify the caller is who they say they are.
Security Questions and Social Media
Security questions are a way to authenticate your identity and are an extra layer of security on accounts, which makes it extra important to not post these answers on social media. Posting a picture or writing a post about your first car’s make and model, or color of your car, childhood address, favorite ice cream flavor, mother’s maiden name, or elementary school is a bad idea. These are common security questions and by posting this information, you give away the answers, allowing cybercriminals to potentially access your accounts.
Recommendations: When on social media, be aware of what you post (including pictures!) and how it relates to the security questions you selected for your various accounts.
Information About Your Location
Giving out your location when away from home on social media is a privacy risk. This practice can result in your home being targeted for burglary. Additionally, your family and friends may be targeted by scammers seeking financial assistance on your behalf to help with a non-existent “travel emergency.” Three popular methods of this type of location sharing are geotagging (adding a location tag to a social media post or picture), posting a photo in which the background can be easily identified (like Times Square or the Eiffel tower), or “checking in” at a business.
Allowing apps to use your phone’s location services has its own privacy concerns, as the app is likely recording or using that data, and may automatically add geotagging to social media interactions in that app as a result!
Recommendations: Customize your location settings to minimize sharing your location with websites and applications, especially on your mobile devices. You can geotag social media posts, pictures, or videos after returning from vacation, going out to eat, or that business trip. Also, check the privacy settings of apps to make sure they don’t need access to your location. At a minimum, ensure your social media settings are set to only show your posts and profile to friends.
Website/Application Privacy Settings and Permission
All websites and applications have privacy settings. These settings help you control what others are allowed to see, as well as manage your online experience. You should be familiar with these privacy settings and customize them to protect your information. Additionally, when creating an account on a website or application and agreeing to their services, understand what you are giving them permission to do with the data you provide.
Protecting your privacy starts with you. Website owners, websites, and service providers have a responsibility to protect your privacy. However, it is up to you to understand the privacy settings on social media, online accounts, and your devices. Knowing these settings, you will be able to customize them for greater security.
Take ownership of your privacy and read privacy policies and end user license agreements on websites (including social media), and update your settings whenever new privacy features are available.
Security and Privacy in the Connected Home
Stay cyber-safe with your Internet of Things (IoT) devices!
Did you ever wonder what it would be like to have smart home? You could remotely change the temperature in your house, you could tell your lights to come on, or ask your refrigerator if you need to get milk at the grocery store, all from your smart home device or smartphone. You could play video games and access all your streaming services from one device, or know who is at your door from your connected doorbell.
The Internet of Things (IoT) is introducing these features into our homes by rapidly applying connectivity to everyday appliances and home features. As IoT devices become a part of our daily lives, and likely will become part of many more homes as holiday gifts, we need to take a look at the security risks and privacy concerns this smart technology introduces into our lives.
Personal Digital Assistants
Many people have a personal digital assistant like an Amazon Echo or Google Home. These devices analyze your past commands to try to anticipate your needs. These may also be linked to accounts used to purchase goods or services; make changes in your house such as turning off alarms, turning on the lights, or adjusting the temperature; or be linked to other accounts so they can tell you your schedule or read your email. Amazon Echo even has the ability to provide a pet-sitter with instructions, which is a give-away that you are not home.
Keeping these devices secure is especially important given that they may allow someone with access to the device to complete purchases using the owner’s accounts, identify key information, or find out more about you.
Smart Thermostats and Other Smart Home Devices
Many homeowners are beginning to opt for a digital thermostat that allows them to control the temperature in their home remotely using an app. While digital thermostats do come at a premium, the vendor also makes money on data it collects on usage and habits. Smart light bulbs and smart doorbells also allow for great levels of data collection by the manufacturer.
IoT manufacturers entice consumers with convenience and functionality by promising the world of the future through devices like those listed above. All the while, cybercriminals are finding that they can use these devices as pathways into your home network to steal your data and find out more about you. And yes, that includes using digital information to determine if the house is unoccupied and safe to rob.
Sony PlayStation 4, Microsoft Xbox One, Nintendo Switch, and many other gaming consoles are in millions of homes across the United States. These devices rely on Internet connectivity to provide different forms of entertainment and include streaming video, interactive gaming, voice chat features, and apps that keep both the system and applications up-to-date. One major risk is that many gaming consoles require subscriptions and user accounts for accessing online content such as games and streaming services. This makes the console another device associated with an account that holds your personal and payment information for the purposes of renewing these subscriptions.
Here are a few tips to follow in building your smart home with IoT devices:
- If you don’t need to connect a device to the Internet, don’t. If a device isn’t connected, it isn’t as big of a cybersecurity risk.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Research the privacy, security, and accessibility options that are available for customizing your device. You may find some options that provide greater security and privacy if you opt in. One example is that a device may offer multi-factor authentication (MFA) where you use your traditional password and username combination with the added step of receiving a verification code or providing a fingerprint through a scanner. If MFA is available, it’s worth using.
- Always update your devices and apply patches when available. When selecting which IoT devices to purchase, ensure they offer patching and updates from the manufacturer to keep them up-to-date. Enable auto-updates on any IoT devices that support them.
- Setup a separate unique, strong password for every device. Don’t share credentials across devices.
- Replace devices when they are no longer supported by the vendor, as security flaws will remain unpatched.
- Turn off Universal Plug and Play if it is available on the device. You don’t want the device having this ease of connectivity with so little control.
- When requested to provide information to use a device, do not provide personally identifiable information (PII), like Social Security Numbers and dates of birth. If you must share PII to use the device, you may want to consider a different make or model or keeping it off your home network.
Remember these tips over the holidays as you receive and give gifts. This will ensure you don’t give cybercriminals the holiday gift of your sensitive data!
Staying Secure While Shopping Online
Making #CyberMonday #CyberSecure
It is that time of year where so many people prepare to purchase gifts for friends, family, and loved ones. Though it can be convenient to avoid the lines and rush for that latest Black Friday deal by shopping online, this also carries some risk. Cybercriminals are always working to steal your personal and payment information and the holiday shopping season is the perfect opportunity for this to happen. By following a few key practices, you can greatly lower your chances of becoming a victim of identity theft or fraud.
Choose Trusted Online Retailers and Apps
Always shop only with trusted online retailers. That means using a retailer you already know or one that is verified through another trusted entity. If you find a new possible shop to do business with, but are unsure about its reputation, try to find reviews from trusted sources such as the Better Business Bureau. It is important to stick to trusted review sources because there are several ways to fake online reviews, and there are places where cybercriminals can pay other criminals to post positive reviews. Even though an untrusted site might have the best prices, it is worth it to use a trusted online shop that is known to safeguard your information and purchases.
The same advice applies when downloading apps to help with your online shopping. Whether you are downloading a store app to get a coupon, a deal aggregator app to comparison shop, or a reward app that ensures you get points or cashback, it is important to stick to trusted apps from known developers. Unfortunately, fake apps appear in the app stores, purporting to be from a trusted source while other apps exist to capture your data without providing the services they claim to support. You can avoid many malicious apps by downloading your apps from Google Play, Apple App Store, Microsoft Store, or another trusted platform, selectively choosing which apps to download, and making sure you carefully read the permissions and app reviews.
Secure your Device, Connectivity, and Accounts
Keep your devices up-to-date, especially those you shop and bank with – Simply updating the device that you use for conducting your online shopping is a key cybersecurity practice. By keeping the device up-to-date with current patches and software, you ensure you have the manufacturer’s latest security fixes in place.
Never use a public computer when shopping or banking – Using a public computer, like those found at libraries, can expose you to greater risk. It is best to use a trusted home device and network for anything involving financial transactions.
Never shop or conduct banking on unencrypted or public Wi-Fi – It is best to always conduct financial transactions or log on to sensitive accounts via a trusted Wi-Fi networks. Ideally, this should be from your home network, which should require a password and use WPA2 encryption.
Look for the lock icon on your browser - When a site has a lock icon on the browser window, or in the URL bar, it indicates that your communications with the site are encrypted. If you do not see a lock, look for “https” at the beginning of the URL, as this is the same thing as the lock.
Check out as a guest – By checking out as a guest, you prevent the online retailer from storing your personal account and financial information. This minimizes the amount of information that could be lost if the retailer is compromised. If you have or need an account with a retail website:
- Use a strong password – Be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters.
- Don’t save your payment information with retailers – If you have an established account with a retailer, do not store your payment information with them. In the case of an account compromise, stored payment information may allow a criminal to make purchases using your financial information.
Be Wary of Fraudulent Emails and Advertisements
Look out for suspicious or unexpected emails – A common tactic of cybercriminals year round is to send fraudulent emails seeking to get you to click a link or open an attachment. When it comes to this time of year, they may make an email look like it contains tracking information for a shipment or a promotion for a store. The link or attachment might download malware or try to get you to enter your user credentials in a convincing, yet fraudulent login screen, so they can steal your password. Always avoid clicking direct links in emails, and if you receive an email with a tracking number in it, head to the shipping carrier’s website in your browser and copy and paste the tracking number itself into the site.
Avoid clicking advertisements or pop-up windows of any kind – Advertisements embedded in websites and pop-ups have been known to be compromised by cybercriminals to distribute malware. It is best to avoid clicking them altogether. To close pop-ups, press Control + F4 on a Windows computer and Command + W on a Mac.
Avoiding Many Types of Malware
Every day as we use our devices, browse the Internet, and open emails, we are also exposing those devices to potential malware (malicious software). Malware is any software that is designed to cause damage to and/or unauthorized access to devices or networks. Malware comes in many forms, all of which can have negative effects on your device and for you. With a little extra vigilance, and some good habits and practices, you can greatly reduce your likelihood of having a device infected with malware and can minimize the impact to your device, data, and life, in the event that it does become infected. Below we will explore a few common types of malware and their impacts, as well as some tips and practices that can help you as you go about your connected life.
Common Types of Malware and Their Effects
Ransomware – Ransomware is malware that stops you from being able to access your files, usually by encrypting them, and then requests payment to decrypt the files, restoring your access. Most commonly, ransomware asks for payment in bitcoin, which is a popular cryptocurrency. Unfortunately, paying the ransom does not guarantee restoring access to your files.
Trojan Horses (a.k.a. trojans) – This malware takes its name from the classic story of the Greek army sneaking soldiers into the city of Troy hidden inside a large wooden horse. Trojans of the malware variety behave in much the same way, by appearing to be legitimate apps or software that you want to install. Some trojans allow an attacker full access to your device, others steal banking and personally sensitive information, and others are simply used to download additional malware, like ransomware.
Keyloggers – This type of malware records your keystrokes and sends them to a cyber threat actor, giving them access to your usernames, passwords, and any other sensitive information you have entered using your keyboard. With this information, the cyber threat actor can access your online accounts or commit identity theft.
Tips and Practices for Avoiding and Surviving a Malware Infection
- Update and patch your devices and software. Vendors release updates and patches in order to fix security issues, not just to fix functionality! Many types of malware can be foiled by keeping your software up-to-date by accepting the updates when you get a notice about them.
- Never click suspicious or untrusted links. Even if the URL comes from a company or person you know, it is always safest to manually type in their URL. At the least, hover over the link to discover where it’s really sending you, as some malicious actors send emails that look convincing. This advice is also true for links in emails, documents, and on social media platforms, as malicious links are commonly posted to such sites. For more information on spotting suspicious emails and checking URLs, head to our past newsletter on this topic.
- Only download from trusted sources. When looking to download an app or software, only do so from a trusted vendor or source. On mobile devices, ensure that you only download apps from the Google Play store and Apple App Store, which are the trusted sources for Android and iOS devices.
- Backup your data and be sure the backups are good! Backing up your data, whether by doing a complete backup of your whole device or just key files, is the best way to protect those important files and pictures against ransomware and other data loss. For best practices and more information on backups, please reference our recent newsletter on this topic.
- Use antivirus and other protective software on your device. If your computer or router has built-in protections like antivirus or a firewall, ensure you have those enabled. Otherwise, buy or download an antivirus product from a trusted vendor. This is important for both your computers and your smartphones!
- Configure your devices with some security in mind. By setting up your devices with some basic security settings enabled, you will not only protect against some malware, but against other forms of malicious activity and access.
Want to keep your data? Back it up!
We all know it happens – computers crash, malware infects them, or somebody downloads that cool, new program that crashes everything! While there are many tips and tricks of great value for preventing your devices and data from being compromised, it is important to also have a backup of your information in case something goes wrong!
Backups are copies of key information or data that are stored separately from your device. By storing these separately, you can restore your data or device using these backups and get right back to full working order. With threats of Ransomware, which encrypts and renders your personal files inaccessible, this is a real concern. Below we will explore some key concepts on creating and will provide resources that assist you in making decisions on how to best create this essential type of redundancy in your life.
Choosing what to backup
When thinking about a backup system the first thing to decide is how much you want to backup. Are you okay storing key documents, pictures, and files or do you want your full system backed-up? If you’re concerned about rebuilding a full system, and a having all the license information to make it functional, then you probably want a more complete backup option. If you just want to protect important files, then a system where you choose what to save would work well.
How can you create a backup of just key files?
If you are looking to store copies of your important files, you can copy them to your preferred method of backup periodically. This is accomplished by selecting the folders or files you want to backup, and copying them to the storage device or media. This is made especially easy if you make a habit of organizing your important files into just a few folders. This is a very simple and easy approach, and guarantees that your tax documents, digital receipts, pictures, and other important records remain available.
How can you create a complete backup of your device’s data?
If you are looking to create a more comprehensive backup, your devices likely have utilities built in that allow for easy creation of backups. These may allow you to set a complete copy of your device’s data aside that would allow you to restore it to full working order following an infection or issue. Seek out guidance or tips from your device’s vendor to determine what utilities are available to you for creating backups. The Stay Safe Online guide linked below has links to top vendors backup guides that can assist you through the process.
Choosing where to store your backed-up data
Regardless of what you want to save, one of the key ways to keep your backed-up data safe, is to disconnect the storage media after you make the backup. This is important in the event that you are infected with malware, as you do not want the copies of data to also be infected. (Ransomware does look for backups to infect!) This also helps in case your computing device or where you store it is lost, stolen, or physically destroyed. Keeping a separate backup on a different physical storage device, or in the cloud, is a way to better secure your data from this type of problem.
Cloud services for storing backups can be a convenient solution, though they may come at a cost and some individuals may not like the fact that they will not have a copy in hand on physical storage media. Having the backup outside your immediate possession can be helpful if you are concerned about a physical problem, such as loss or damage. Some of these services save multiple versions of your backup, which better secures against infected files corrupting the cloud backup.
External hard drives or removable media (DVDs, USB drives, etc.) are the other most common option. You simply need to copy the data you want to save to the external hard drive or media. Consider keeping the external drive disconnected from your devices while not making backups, as this insures against malware getting on the backup copy.
How often should you back up files and systems?
The frequency with which you back up your data or systems is an important component of this process. Consider making your backups on a weekly basis, with a minimum frequency of monthly backups.
In conclusion, spend time considering how vital the data on each of your devices is. Then consider the best type of backup strategy for your needs and base a timeline of how frequently you make the copies off those needs as well. By adding this simple process to your safe computing habits, you can build in more reliability and recoverability. If you are ever the victim of a malware infection or cyber attack, you will surely be glad you took the time to make backups!
Sun, Sand, and Cybersecurity
Whether you are out exploring or relaxing, it is important to strive to be as secure as possible with your digital devices and information. Unfortunately, travel can open you up to different points of vulnerability compared to normal everyday use at home, and we don’t just mean accidentally going swimming with your cell phone. You see, while traveling you are operating outside of your normal, safe routines. This means using your devices on different networks and putting them down in different locations, including under your beach towel while swimming. By following some smart practices, you can connect with greater confidence during a summer escape.
Getting Ready to Go:
Avoid mayhem and make magical family memories by taking a few simple cyber safety steps before you head out of town. The goal here is to prepare your devices for travel and to keep them from being used against you.
- Keep a clean machine: Before you hit the road, make sure all security and critical software is up-to-date on your mobile devices and keep them updated during travel. These protections are your best line of defense against viruses and malware.
- Lock down your login: Your usernames and passwords are not enough to protect key accounts like those you use for email, banking, and social media. Fortify your online security by turning on multi-factor authentication, commonly referred to as two-factor authentication, when available. This typically pairs your username and password (i.e. something you know) with a message sent to your phone (i.e. something you have) or your fingerprint (i.e. something you are).
- Password protect: Use a passcode or security feature like a finger swipe pattern or fingerprint to lock your mobile device. Also set your screen to lock after a short period of time by default. If you do choose to use a finger swipe, make sure it has at least one turn (preferably two) and that a pin code has at least 6 numbers!
- Think before you use that app: New apps are tempting! It is important to always download new apps from only trusted sources like the Apple App Store or the Google Play Store. Additionally, consider limiting your apps access to services on your device, like location services.
- Own your online presence: Set the privacy and security settings on social media accounts, web services, and devices. It is okay to limit how and with whom you share information – especially when you are away.
While on the Go:
Once you and your gang are at your destination, you are in new territory and are facing new potential cyber threats. Here are some ways you can keep up secure practices while out and about.
- Get savvy about what you do on other peoples’ Wi-Fi and systems: Do not transmit personal info or make purchases on unsecure or public networks. Instead, use your phone carrier internet service for these needs. For laptops/tablets, it is easy to use your phone as a personal hotspot to surf more securely using carrier data. Also, never use a public computer or device to shop, log in to accounts, or do anything personal.
- Turn off Wi-Fi and Bluetooth when idle: When Wi-Fi and Bluetooth are on, they may connect and track your whereabouts. Only enable Wi-Fi and Bluetooth when required, and disable your Wi-Fi auto-connect features.
- Protect your $$$: Be sure to shop or bank only on secure sites. Web addresses with ‘https://’ and a lock icon indicate that the website takes extra security measures. However, an “http://” address indicates your connection is not secure (not encrypted) and you should not transmit payment or sensitive information over to such a site.
- Share with care: Think twice before posting pictures that signal you are out of town. Knowing you are away from home is a great piece of information for a criminal to have and they may target your home for physical crime. Also consider limiting your social media apps’ access to location services on your device, and omit location information while making your posts and sharing your pictures.
- Keep an eye on your devices: Laptops, smartphones, and tablets are all portable and convenient, making them perfect for a thief to carry away! Keep your devices close to you and hold onto them if strangers approach you to talk, as a common scam consists of a stranger distracting you and placing a map or newspaper over your device and walking away with it when finished talking.
- Know your destination’s laws: If you are heading out of the country, check up on any specific laws on internet and device usage. Additionally, bring as few devices as possible and consider using a device specifically purchased for international travel.
Armed with these tips and practices, you should have a happy and cyber safe vacation ahead of you.
How to Spot Phishing Messages Like a Pro
The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.”1 When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows the malicious actors to side step these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let’s take a look at some example emails of phishing messages.
Subject: Low Cost Dream Vacation loans!!!
We understand that money can be tight and you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.
Please email your completed form to VacationLoans@worldbankandtrust.com.
Your dream vacation is just a few clicks away!
Dr. Stephen Strange
World Bank and Trust
177a Bleecker Street, New York, NY10012
What did you notice in message #1?
In this message, you can see that the phisher wants to give us a low cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but also when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination. It is the email address of the attacker. Lastly, as much as you might like Dr. Strange, he’s probably not working for a bank part-time.
Subject: Free Amazon Gift Card!!!
You name has been randomly selected to win a $1000 Amazon gift card. In order to collect you prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner.
What did you notice in message #2?
Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.
Subject: Urgent – Take Action Before Your Email Account is Deactivated
Subject: Urgent – Take Action Before Your Email Account is Deactivated
Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.
Helpdesk Support Team
What did you notice in message #3?
This email is fairly well crafted without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgement and threatens the deactivation of your email account. Additionally the link at the bottom looks like a link to Microsoft, yet it is in fact heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.
With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:
- If it seems too good to be true, it probably is;
- Hover your cursor over links in messages to find where the link is actually going;
- Look for misspellings and poor grammar, which can be good signs a message is a fraud;
- And, never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).
Additional information and a phishing game can be found on the FTC’s website, https://www.ftc.gov/.
Reducing your Information Footprint
While spring cleaning your home and, if you’re like me, the top of your desk, consider also cleaning up your information footprint. Your information footprint is how much information about you is recorded and available in both digital and paper formats. Cleaning up your footprint can mean examining social media, online accounts, and even paper records containing sensitive information. While we may use a few key digital devices and services on a regular basis, they often contain more information about us than is necessary. It’s also likely that devices and services we don’t use anymore may still contain information. You might have that pile of paper you’ve been meaning to shred for a while, making this an opportune time to spring clean your information footprint. By spending a little bit of time and effort, you can better secure your information to safeguard against various forms of identity theft.
Disks, Hard Drives, and USB drives, Oh My!
Over the years, it’s easy to accumulate a mass of CD’s, DVD’s, hard drives, and USB drives that are no longer needed or with data that is no longer needed stored on them. If you have hard drives or USB drives with old data but want to continue to use them, consider following US-CERT’s guidance on how to securely clean the data off of these items before properly recycling them. Many shredders, including those rated for home use, can shred CDs and DVDs. If your shredder can’t handle them, check your local community for shredding days as many towns, schools, and office supply businesses will sponsor shredding events.
Clean Up Your Paper Trail
Many of us have a large quantity of paper documents that may contain sensitive information about ourselves, financial accounts, government identification information, tax returns, and more. Take some time to go through these documents this spring and check whether it is something you truly need to hold onto. If the answer is no, be sure to securely dispose of it by shredding it and recycling the shredded pieces. Simply ripping up sensitive documents is not enough to guarantee your information is unreadable.
Not sure how long you should hold on to those old documents? The Federal Trade Commission (FTC) has a handy website – “A Pack Rat’s Guide to Shredding” with information on how long you should hold on to those documents!
Closing Old Online Accounts
It is common for people to use many different shopping sites, social media outlets, online storage, clubs, and other online outlets that require you to enter, store, and sometimes share information from or about you. If you are no longer using any of these accounts, consider removing information that may be sensitive and consider closing them out if you do not plan to use them again. Sometimes, it is easiest to check out as a guest when shopping online at a place that you rarely, if ever, patronize. Checking out as a guest should minimize the data retained about you.
Old Social Media Accounts
Remember MySpace? LiveJournal? Do you still have that old email account or an account on an old dating website? As we move from Myspace to Facebook to Twitter, Instagram, and the other latest and greatest social media platforms, our old accounts and information are left behind, filled with personal details. Consider closing out social media accounts that you no longer use, as it will reduce your digital footprint. Keep in mind that all social media platforms have different policies when deleting old accounts and content. Be sure to read the policy. And, don’t forget to remove the app from your smartphone, too!
Oversharing on Social Media That You Do Use
If you frequently use a social media or online account but it contains lots of personal details or information that you now think should be safeguarded more closely, consider removing it from your profile or deleting the posted content. Think about if the information you continue to share could be used against you or combined with other information to be used against you. Enough pieces of personal information combined together can be very useful to cybercriminals.
Being aware of any information that you share that could be used to respond to “Challenge” questions, which are frequently used to reset passwords. What does that mean? How could information be combined to be used against you? Think about your online bank account. If you forget your password what types of questions do they ask? Probably something about the color of your car, your mother’s maiden name, your birthday, or pets’ names. Did you post a picture of your new car? Friend your mother or her brother on social media? Answer a meme about your birth month and day? Share adorable pictures of Fluffy? If you did, you’ve helped someone find out the answers to your bank’s security questions!
This is the case for many of the pieces of information you may share online and many online accounts that use challenge questions to reset passwords. Information commonly used for challenge questions include the above examples and other details, such as your favorite sports team, vacation spot, fruit, ice cream, type of reading material, youngest sibling, elementary school name, and so on. As you clean up your data think about what information could be used to answer your security questions and try to remove that data from your social media accounts.
In closing, these short tips can make a world of difference in lowering your information’s exposure to others. By questioning if you need to share or provide certain information online as you move forward, you can save yourself from many of the unnecessary overexposures we discuss here. Additionally, by taking a look at both your digital and paper trails to do these activities on a routine basis, you can be sure to keep overexposure in check.
I’m connected. You’re connected. We’re all connected!!
We are more connected than ever before. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. Today, our everyday devices are connected to the world including laptops, mobile phones, fitness trackers, smart televisions, home security systems, thermostats, and refrigerators. Additionally, let us not forget the devices that connect everything else together, such as routers, access points, and modems.
Many people may not consider their connected devices to be a security threat, but they absolutely can be. One of the issues with such devices is that many of them do not come configured with security in mind and connecting an unsecure device to your network is like leaving the back door to your house unlocked as it gives attackers access to your personal information. Manufacturers develop products to be more accessible, more user-friendly, and to make our lives more integrated. However, that also means we are less secure if these devices are not properly configured. Unfortunately, some devices completely lack the option or ability to be configured, making it nearly impossible to secure them. Unsecure devices also give threat actors the means to propagate their attacks onto others by using your insecure devices to attack other networks and devices. Therefore, not only can your unsecure devices present a risk to you, but they can also become a risk to others who can be victims of an attack from your compromised devices.
Do Your Research
You should do your research before purchasing a connected device, especially a device that may allow someone access into your home, such as a surveillance camera or home security system. Check the online reviews and look at the company’s website to determine if there are warnings about the security of the device and if the company issues updates/patches to fix security concerns.
What Can You Do to Secure Your Devices?
So, what can you do to enjoy the functionality of your connected devices and remain more secure at the same time?
When you first receive your device, check the default settings and choose the more secure options, such as enabling a password or changing the default password to something only you know. Below is a list of these basic recommendations and some effective ones that may be less obvious choices.
- Network access or Internet access may be enabled on a device by default. Disable network/Internet access for devices that do not need it.
- Update the device operating system or firmware. The default operating software installed on a device may be out of date and/or contain many vulnerabilities. Updating or patching your device’s software will reduce the chances of a successful attack.
- Wireless access points (APs) are oftentimes configured to broadcast the SSID, or network name, Consider changing these settings to turn this feature off, which can better secure your WiFi network.
- Create two different WiFi networks on your wireless router, if your router supports it. Creating separate WiFi networks, using different SSIDs, allows for the ability to separate smart devices from other networked computers, smartphones and tablets. The goal of the separation is to limit the impact a compromised smart home device will have on the rest of the devices on the network.
- Oftentimes, Wireless access points or routers are set up by default to not use encryption and to not require a password. It is always recommended to turn on WPA2 encryption for your wireless networks and to establish a strong password with our next recommendation in mind.
- Change passwords on all network devices, especially from default “admin” accounts, and be sure to use strong passwords of at least 8 characters including uppercase and lowercase letters, special characters, and numbers.
- Many mobile devices have no PIN or unlock pattern (where you swipe your finger in a specific pattern on the screen) enabled when sold. Be sure to enable PINs or unlock patterns for all your mobile devices to secure them from unwanted entry by others.
- Automatic updates are often disabled by default. Be sure to turn on this setting to ensure your device receives important security updates when they are released.
- Many mobile devices support remotely wiping the device if the device is lost or stolen. Be sure to enable the remote wipe functionality in case the device is ever lost or stolen.
- Turn off location services if not needed.
- Cameras and audio input may be enabled by default on certain devices and applications, giving an attacker access to surveillance. Disable these features if not needed.
- Replace unsecure devices with more secure ones.
Staying Safe from Tax Scams
Though Benjamin Franklin is often quoted as saying “in this world, nothing can be said to be certain, except death and taxes,” an updated version for the current day would need to include tax scams. As people nationwide seek to file their tax returns, cybercriminals attempt to take advantage of this with a variety of scams. Hundreds of thousands of U.S. citizens are targeted by tax scams each year, often only learning of the crime after having their legitimate returns rejected by the Internal Revenue Service (IRS) because scammers have already fraudulently filed taxes in their name. The IRS reported a 400% rise in phishing scams from the 2015 to the 2016 tax season. In the state, local, tribal, and territorial government sector during 2017, approximately 30% of all reported data breach incidents were related to the theft of W-2 information, which was likely used for tax fraud.
Another way criminals gather your information is through the W-2 variant of the Business Email Compromise scam. Criminals using this scam trick others into providing your personal information.
How is Tax Fraud Perpetrated?
Unfortunately, much of your personal information can be gathered from multiple locations online with almost no verification that the right person is receiving the information. Criminals know this, so they use this trick to get your personal information from a variety of websites and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, they will file it with false information to get a large refund, forcing you to go through the arduous process of proving that you did not file the return and subsequently correcting the return. Once they have your personal information, criminals can continue to commit identity theft well beyond the tax season.
Another favorite technique used by criminals during the tax season is sending phishing messages indicating that a new copy of your tax form(s) is available. These emails often impersonate state, local, tribal, and territorial government comptroller and/or IT departments. They might include a link to a phishing website that uses your organization’s logo and the email might even have the right signature line. If you fill out or attempt to login into the phishing website, the criminals will be able to see your login name and password, which they can then use to try and compromise your other accounts. The more information they gather from you, the easier it is for them to use the information to file a fake tax return in your name.
Tax fraudsters also impersonate the IRS and other tax officials to threaten taxpayers with penalties if they do not make an immediate payment. This contact may occur through websites, emails, or threatening calls and text messages that look official but are not. Sometimes, criminals request their victims pay the “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember:
- The IRS will not initiate contact about payment with taxpayers by phone, email, text messages, or social media without sending an official letter in the mail first.
- The IRS will not call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- The IRS will not threaten to immediately notify local police or other law-enforcement agencies to have you arrested for not paying.
- The IRS will not demand that you pay taxes without giving you the opportunity to question or appeal the amount you owe.
What Can You Do?
Here are some basic tips to help you minimize the chances of becoming a victim of a tax scam:
- If you haven’t already, file your taxes as soon as you can…before the scammers do it!
- Be aware of phone calls, emails, and websites that try to get your information, or pressure you to make a payment. If something seems suspicious, contact the organization through a known method, like their publicly posted customer service line.
- Ignore emails and texts asking for personal or tax information. Be cautious as to whom you provide your information, including your Social Security Number and date of birth.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real organizational website into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted websites. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Remember, the “HTTPS” does not mean a site is legitimate.
- Shred all unneeded or old documents containing confidential and financial information.
- Check your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus if you suspect you have been targeted for identity theft.
If you receive a tax-related phishing or suspicious email at work, report it according to your cybersecurity policy. The IRS encourages taxpayers to send suspicious emails related to tax fraud to its firstname.lastname@example.org email account or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website will provide a step-by-step recovery plan. It also allows you to report if someone has filed a tax return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
Spotting and Avoiding Olympic Scams
In February, the best athletes from around the world will gather in PyeongChang to test their skills against one another at the Winter Olympics. Entire countries will wait with excitement to see the outcomes of individual competitions and count the medals. However, as with any high-profile event, cybercriminals and scammers will also focus on the Games, using your interest in the Olympics to try to trick you into visiting malicious websites, opening malicious spam, downloading malware, and falling for scams. Below we will explore these tactics and techniques, and provide recommendations on how to spot and avoid them, so you can safely enjoy the Games!
Malicious Olympic Websites and Apps
Cybercriminals commonly create convincing but fraudulent websites as a means to distribute malware or gather information about you. This year there will also likely be many suspicious and, possibly, malicious Olympic-themed mobile apps intended to compromise your smartphones and tablets. Whether you’re looking to find out the current medal count, who won the bobsled race, see an amazing figure skating routine, or find out what curling is, these malicious websites and apps will be there for you.
You can start protecting yourself by being careful what websites you visit and emails you open. As with any high-profile event, it’s always safest to get your news from websites you already know and trust. When you get that email with the link to the video you just have to see or the fascinating story of the amazing win, remember to Hover to Discover. This means to hover your mouse over the link and see where the link is really sending you. If you don’t recognize the website, don’t click on the link. Instead, go to the official Olympics website or another online website that you trust and look for the video or news there.
You can also like/friend/follow the official Olympics accounts on your favorite social media platforms (Google+, YouTube, Twitter, and Facebook) and get the news directly from the source, instead of waiting for potentially suspicious links to appear later. As the Games get closer, many social media apps will also likely role out news feeds and other special features, related to the Games. Keep an eye out for those so you can safely stay in the know!
Of course, there’s also an official Olympic app for your smart device! The Olympics website says the app will contain real-time updates and news, as well as images, videos, and the medal count. The app is available in the Google Play Store and iOS App Store. Since there are a-lot of other Olympic apps, some of which are malicious, make sure you’re careful to download the right one! You can check the app against the app images on the Olympics.org website.
Olympic Games Related Scams
When it comes to high-profile events like the Olympics, cybercriminals always seek to trick you with scams, too. Many of these scams may involve websites that sound and look legitimate. This is because criminals often register these domains with names similar to the event, so that the website name adds credibility to their scams. Two very common Olympic scams are:
Trip and Lottery/Sweepstakes Scams
With this year’s Winter Olympics occurring in PyeongChang, South Korea, it is a bit pricey to head over to view the Games in person. Scammers commonly send phishing emails during and leading up to Olympic Games identifying the recipient of the email as the winner of a sweepstakes or lottery for tickets to the Games and travel arrangements. You just have to pay a “fee” or “tax” first and provide a few details… maybe including your Social Security Number or credit card number. Whether they seek your payment information to take your money or your personally identifiable information for identity theft, these notices are always false and should be avoided, as you cannot win a lottery that you have not entered!
Olympic Merchandise Offers
As with lots of other events, there will be Olympic merchandise for sale so you can display your pride and support your favorite athletes. This is great, just be careful where you buy from as you may receive emails or see online advertisements enticing you to purchase fraudulent or counterfeit items from less than reputable vendors. At best, by clicking on these advertisements and offers you will open yourself to the risk of purchasing counterfeit merchandise and at the worst, you open yourself to the risk of having your payment information or identity stolen. Display your team pride by ignoring these suspicious offers and purchasing your merchandise through a known, trusted, and authorized retailer.
It’s also a good idea to make all online purchases through an alternative or more secure payment system, such as Visa Checkout, Mastercard Securecode, or PayPal. Otherwise consider using one credit card (not a debit card!) for all online purchases. As always, remember to look for the “HTTPS” in the URL and the little lock icon in the browser bar to ensure your communication with the trusted vendor is safe. If you don’t see these, don’t submit sensitive information to that website. Lastly, remember to always make your purchases on a trusted, secure network, never through public, unsecured Wi-Fi.
We hope you safely enjoy the 2018 PyeongChang Winter Olympics.
Go Team USA!
Online Dating Scams
With Valentine’s Day around the corner, we want to make our customers aware of Online Dating Scams.
Scammers know millions of people use online dating services. They are there, too, hiding behind profiles.
Top Signs of an Online Dating Site scam:
- Professes love quickly;
- Claims to be from the U.S., but is overseas for business or military service;
- Asks for money and lures you off the dating site;
- Claims to need money for emergencies (hospital bills or travel);
- Plans to visit but can’t because of an emergency.
In 2016, there was 14,456 reports filed in the United States, with losses of around $220 million. Online Dating Scams have more than tripled over the last 5 years!
What should you do if you think you are being scammed?
- Slow down – and talk to someone you trust. Don’t let a scammer rush you.
- Never wire money – put money on a gift card or cash reload card or send cash to an online love interest. You won’t get it back.
- Contact your bank right away if you think you’ve sent money to a scammer.
- Report your experience to:
National Data Privacy Day, January 28th
January 28th is National Data Privacy Day, an educational initiative focusing on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.
To understand the importance of Data Privacy day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most times PII refers to “sensitive PII” such as Social Security, driver’s license, state identification, or financial account numbers. Sensitive PII can also exist if PII is combined with another piece of information about you such as a birthdate, medical information, or even passwords. The more pieces of data combined about an individual, the more valuable and sensitive the body of information becomes.
Privacy is often considered to be the concept of confidentiality, which is keeping information secret from those that should not see it. While that is an aspect of privacy, often called “need to know,” privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity has about you.
Organizations that honor your privacy will not only protect confidentiality, but should follow a set of principles related to how they manage your information, including:
- Not collecting more information than they need to conduct their business with you;
- Informing you of what they will do with the information that they collect and not doing more with it than they have promised;
- Retaining the information for only as long as it is needed and then properly destroying the information;
- Not sharing your information with others without your permission, except as required by law;
- Allowing you to review and correct information if necessary.
To understand your privacy rights it is essential that you read the privacy policies of any organization to whom you provide information, especially PII. This includes websites, health care providers, insurance companies, and financial institutions. If you do not agree with how they intend to protect your privacy, consider not using their service.
Privacy is a Shared Responsibility:
Identity Theft Protection:
Despite many organizations best efforts in handling and using your private information properly, the countless breaches of PII by cyber criminals in the past few years have resulted in the exposure of information about millions of people. One reaction to such breaches can be to provide credit monitoring for one year. This is a very short amount of time to have such a protection. Those that have stolen the information, or those to whom they have passed it on, may hold it for much longer than a year before using it to steal your identity, commit credit card fraud, or worse in your name. If you have been a victim of a breach, check out some of the FTC’s resources on starting a credit freeze to protect yourself.
If you are considering Identity Theft protection services, research the firms that you are considering engaging and ensure you understand the services they will and will not provide. Also, read their privacy policies, because for them to deliver these services you must provide them with varying amounts of PII.
Protecting privacy is both your responsibility and that of those individuals and organizations that have information about you. Do everything in your power to be aware of how you personally can compromise your privacy and hold those organizations that you engage with accountable for their management, or mismanagement, of your personal information.
For More Information:
US-CERT Data Privacy Day Events
Online Trust Alliance Data Privacy & Protection website.
Stay Safe Online website. National Cyber Security Alliance
Forbes, Data Privacy Day: Easy Tips to Protect Your Privacy
Avoiding Holiday Scams
The holiday season is a great time to make charitable gifts to support the causes you care about, and charities often run end-of-year fundraising campaigns. However, criminals take advantage of this fact and run scams and frauds of their own to fool consumers into giving them money instead. Below are some common scams and frauds used by cybercriminals and some tips on how to avoid them. If you can spot these seasonal tricks, you are more likely to ensure your donation goes where you intend it to go.
Fake Charity Websites
One of the most convincing ways for cybercriminals to exploit charitable giving is by creating convincing charity websites. These websites are in fact fraudulent and may copy an existing charity’s site or use the charity’s name and branding. While few techniques are fool proof for detecting fake or malicious websites, try to follow these recommendations:
- Whenever possible, browse directly to the charity by entering the charity’s URL directly into your browser’s address bar.
- If you are not sure of the charity’s URL, an Internet search can help, but instead of automatically clicking on the first link, look at the top few links. If the top link is what you want, great, but if you see several very similar links this could indicate one of them is a potentially fraudulent website.
- Carefully study the website’s URL for typos, such as two “v” characters in place of a “w” or an “i” instead of an “l.” If you’re not sure about a potential typo, try changing to all capitals or a different font.
- Fraudulent charity websites frequently use domain names and email addresses that sound legitimate. You can do a little research into what the correct domain name and email address should be by looking into the organization using resources recommended by the Federal Trade Commission in their charity guide, or through resources like GuideStar, Charity Navigator, and Charity Watch.
Social Media Donation Pleas
Scammers commonly impersonate staff from major charities via social media channels, as this makes it easier for them to impersonate someone else. Avoid making donations through social media and never send your personal or payment information in a social media message. Instead, consider heading directly to a charity’s established website.
In addition to traditional charity scams at this time of year, social media is also susceptible to the spread of a variety of pyramid schemes and other charity scams. Pyramid schemes involve the simple but unsustainable premise of receiving more than you give. One of the most common schemes on social media right now involves 7 bottles of wine. You receive the message indicating that to participate you should send one bottle of wine to the person who tagged you and post the message, tagging 6 other people who will each send you a bottle. Another scheme purports to be from a sick child who wants something – holiday cards for example and asks you to send a card and share the post with all your friends so that they will send a card, too. If you come across one of these viral posts, let it stop with you! Don’t share it, repost it, or send anything along, and do take a moment to educate your friends!
When donating to a charity, make sure that the charity is a registered charity under U.S. or international tax law. U.S. 501 charities have to make certain information public and you can look the charity and its information up under any of the several charity tracking websites
Shopping Safely Online
Making #CyberMonday #CyberSecure
As Cyber Monday and the season for online shopping quickly approaches, it’s worth taking a few moments to ensure you’re not giving the gift of your personal or financial information to online criminals! Identity theft, scams, frauds, and malware infections are serious problems that target shoppers during the holiday season and can arise from using your devices to find the perfect gift. Below, we will explore some key tip
Create and maintain your online shopping accounts safely
- Establish a strong password for each online shopping account. Always use more than ten total characters consisting of upper case letters, lower case letters, numbers, and special characters to create a strong password.
- Use different passwords on each of your online accounts. If one retailer experiences a data breach in which your credentials are leaked, using the same password between accounts makes it quick and easy for criminals to exploit you and your information. If you have trouble remembering all your unique passwords, consider using a pattern for your password or a password manager.
- Check out as a guest to avoid saving payment information online. The inconvenience of having to enter your credit card information each time keeps you safer because a data breach at a retailer will not expose your financial information. It also means your payment information is not saved or ready to be used by anyone who gets access to your account.
- Use one credit card online or pay through a secure online mechanism. By using only one credit card online you’re limiting the damage that can happen if malicious actors gain that information. Alternatively, use one of the online payment mechanisms, such as PayPal.
Shop with trusted online retailers while browsing safely
- Use well-known online retailers that have an established reputation for cybersecurity. Verify that they have good contact information listed on their site, and check with the Better Business Bureau or the FTC if you have questions or concerns.
- Look for the lock symbol at the top of your browser or “https” in your URL bar. These mean that your communications with the website are encrypted and safe from prying eyes.
- Never shop or login to personal accounts when on public Wi-Fi or a public device. Public Wi-Fi can make all the personal information that you transmit visible to criminals. Public, shared devices, such as kiosks or library computers, can be infected with malware that will steal your information.
- Do not leave your browser open on a shopping site for long periods of time. Websites that use advertising feeds have occasionally had them hijacked by cyber criminals, who are then able to put malware on your device. This malware can steal your personal information or encrypt your device and demand a ransom to return it to your control.
- Keep your devices up-to-date. Always apply updates to your devices and software when they are available. Keeping devices up-to-date means you have applied all the available fixes for known problems and vulnerabilities. This makes you more secure.
Be smart when it comes to email confirmations and tracking information
- Be careful which links you click in your emails. At this time of a year a favorite trick among cyber criminals is to send emails purportedly from the major shipping companies with a link to track your package. These may be a scam to download malware. They count on the fact that you’ve ordered many things online and are waiting for a package. Instead, cut and paste the tracking number into the shipping company’s website in order to track it. Additionally, always head directly to the site of the company you want to shop with by entering the URL into your browser when aiming to log in. Avoid clicking links directing you to log in, as they may send you to a malicious site that looks real, but can just steal your information.
- Do not use your work email address for retail accounts. By using one of the free webmail accounts, such as Gmail or Hotmail, it will be much easier to identify a potentially malicious email coming to your work email, since the online retailers should not know that email address. This can also help you prevent criminals from knowing where you work, which is information they can potentially use to hack into your work account!
National Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) is now its 14th year. This annual month-long event dedicates October to reminding all digital citizens and businesses that protecting our computers and networks is “Our Shared Responsibility” and that everyone plays a critical role in promoting safe computing. The NCSAM is led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). The month’s primary goal is to provide Internet users and businesses with the information and tools they need to be safer and more secure online, including education about how to protect personal information in today’s highly connected world. Everyone can join in and be a part of the something big by becoming a NCSAM 2017 Champion. Hundreds of organizations and individuals have officially signed on as Champions to support the month. NCSAM Champions strengthen and boost the greater effort by spreading the word and host NCSAM Partner Events about online safety at home, at work, and in the community.
NCSAM 2017 kicked off on October 1st with a strong reminder for all digital citizens to
STOP: make sure security measures are in place
THINK: about the consequences of your actions and behaviors online
CONNECT: and enjoy the Internet.
Cybersecurity in the Workplace is Everyone’s Business
Whatever your place of work ? whether it’s a large or small organization, healthcare provider, academic institution or government agency – creating a culture of cybersecurity from the breakroom to the board room is essential and a shared responsibility among all employees. NCSA’s advice, based on national standards, recommends that organizations have a plan in place to identify your digital “crown jewels,” protect your assets, be able to detect incidents, have a plan for responding, and quickly recover normal operations. You can help your organization do this: take part in cybersecurity discussions, learn how to protect the digital “crown jewels,” and what to do if you detect an incident. Then expand this to your home: identify what you would hate to lose, and ensure that information is protected with antivirus software and backed up somewhere else. Be sure everyone in your family knows how to detect and recover from an incident.
NCSA and DHS are highlighting particular themes as we continue through the month. We invite you to join in each coming week, with the following user-friendly, actionable advice:
Today’s Predictions for Tomorrow’s Internet
Take a look into our future through the lens of the connected Internet and identify strategies for security, safety, and privacy while leveraging the latest technology. With the explosion of digital interconnectivity, it is critical to explore everyone’s role in protecting our cyber ecosystem. NCSA’s top tips include:
- Learn how to safeguard your Internet of Things (IoT) devices: Protecting devices like wearables and smart appliances can be different than securing your computer or smartphone. Research how to keep an IoT device secure before you purchase it and take steps to safeguard your device over time.
- Pay attention to the Wi-Fi router in your home: Use a strong password to protect the device, keep it up-to-date and name it in a way that won’t let people know it belongs to you.
- Delete when done: Many of us download apps for specific purposes or have apps that are no longer useful or interesting to us. It’s a good security practice to delete apps you no longer use.
The Internet Wants You: Consider a Career in Cybersecurity
A key risk to our economy and security is the shortage of cybersecurity professionals to protect our extensive networks. Growing the next generation of a skilled cybersecurity workforce ? along with training those already in the workforce ? is a starting point to building stronger defenses. Here are a couple of to-dos for parents or anyone interested in a cybersecurity career of their own:
- Volunteer at schools, after-school programs, boys and girls clubs, and community workshops to teach kids about online safety and cybersecurity careers. Check out NCSA’s online safety resources for ideas on what to cover and materials you can use.
- Learn more about starting your own path to a cybersecurity career by checking out the National Initiative for Cybersecurity Education (NICE) Framework. The framework provides information on what knowledge, skills, and abilities are valued by employers for different cybersecurity jobs.
Equifax Data Breach – Frequently Asked Questions
I’ve been hearing about the Equifax breach in the news. What happened?
Equifax, one of the three major credit bureaus, experienced a massive data breach. The data breach at the company may have affected 143 million Americans. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.
In a press release, Equifax said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing. Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.
Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.
Was my information stolen?
If you have a credit report, there’s a good chance it was. Go to a special website set up by Equifax to find out: https://www.equifaxsecurity2017.com/. Scroll to the bottom of the page and click on “Potential Impact,” enter some personal information and the site will tell you if you’ve been affected. Be sure you’re on a secure network (not public wi-fi) when you submit sensitive data over the internet.
How can I protect myself?
- Enroll in Equifax’s services.
Equifax is offering one year of free credit monitoring and other services, whether or not your information was exposed. You can sign up at https://www.equifaxsecurity2017.com/.
- Monitor your credit reports.
In addition, you can order a free copy of your credit report from all three of the credit reporting agencies at annualcreditreport.com. You are entitled to one free report from each of the credit bureaus once per year.
- Monitor your bank accounts.
We also encourage you to monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on your accounts.
- Watch out for scams related to the breach.
Do not trust e-mails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing e-mails.
What is First State Bank & Trust Company doing to protect my information?
In order to provide our customers with efficient service while preventing unauthorized access to your account information, staff at First State Bank & Trust Company may ask additional questions about your account for verification during telephone inquiries, beyond the information that could have been compromised in the breach. These additional inquiries may include information about the opening of the account or information on recent transactions.
You may also ask a customer service representative to establish an Identity Theft Question that must be answered before any information will be given on your account.
Should I place a credit freeze on my files?
Before deciding to place a credit freeze on your accounts, consider your personal situation. If you might be applying for credit soon or think you might need quick credit in an emergency, it might be better to simply place a fraud alert on your files with the three major credit bureaus. A fraud alert puts a red flag on your credit report which requires businesses to take additional steps, such as contacting you by phone before opening a new account.
How do I contact the three major credit bureaus to place a freeze on my files?
Equifax: Call 800-349-9960 or visit its website.
Experian: Call 888-397-3742 or visit its website.
TransUnion: Call 888-909-8872 or visit its website.
Where can I get more information about the Equifax breach?
You can learn more directly from Equifax at https://www.equifaxsecurity2017.com/. You can also learn more by visiting the Federal Trade Commission’s web page on the breach at https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. To learn more about how to protect yourself after a breach, visit https://www.identitytheft.gov/Info-Lost-or-Stolen.
Free Credit Reports:
You are entitled by law to a free credit report from each of the Big 3 once a year. This means you can check your credit 3 times a year (once every 4 months with each of the bureaus). The only site you need to obtain this free copy is annualcreditreport.com, or by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring. There are lots of look-alike sites out there (like freecreditreport.com) that are not the real, government-mandated service.
Your free credit report will show all your lines of credit and other debt obligations, along with lots of data. However, it won’t show your FICO score, it usually costs money to get your FICO score.
Connected Home Devices: The Internet of Things
What is the Internet of Things (IoT)?
We have become more connected than ever before. A little over ten years ago, we only accessed the Internet through a laptop or a desktop computer. Then, we added phones and tablets to our list of connected devices. Today, we have even smaller connected devices, such as fitness trackers and smart watches. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. The list of Internet connected devices, or “things”, keeps growing. Kevin Ashton, cofounder and executive director of the Auto-ID Center at the Massachusetts Institute of Technology (MIT), first mentioned the term Internet of Things (IoT) in 1999, but the first device to be connected to the Internet was actually a Coke machine at Carnegie Mellon University in the early 1980s. Programmers could connect to the machine over the Internet, check the status of the machine, and determine whether there would be a cold drink waiting for them. Today, IoT consists of everyday devices that are connected to the Internet, such as fitness trackers, vehicles, smart televisions, doorbells, light bulbs, home security systems, thermostats, and refrigerators. Basically, if it is not a computer, smartphone or tablet, and it connects to the Internet, it can be called an IoT device.
What are the issues with IoT devices?
Many people know they should install anti-virus (AV) software on their computers and be careful of what websites they visit or software they download. Unfortunately, most people probably do not consider their IoT devices to be a security threat. These devices are more accessible and make our lives more integrated, but many of the companies behind these new devices are not designing them with security in mind. For example, many IoT devices have default passwords that are well known and cannot be changed, or cannot be changed easily. They also can be difficult or impossible to update to mitigate known vulnerabilities, or have no settings to customize security.
Our dependence on Internet-connected devices has grown faster than the means, and/or awareness, to secure them. Leaving IoT devices unsecured, as with any Internet connected device, is like leaving the back door to your house unlocked. It gives attackers access to your personal information and the potential to further compromise other devices on your network. It also gives attackers the means to propagate their attacks onto others by using your insecure devices to attack other networks and devices.
How can you secure your IoT device?
So, what can you do to enjoy the functionality of IoT devices and remain more secure at the same time? The following tips may help you in these endeavors:
- Know what IoT devices are connected to your network. It is possible that there are devices connected to your network that you do not know about.
- Consider only purchasing devices that you need to use. Some Internet-capable devices may be nice to have, but provide limited benefit and reduce your security.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Update the device’s software, if possible. If you update your device regularly, this will reduce the chances of a successful attack.
- Replace default passwords with unique and strong ones of your choosing. Passwords should have upper and lower case characters, numbers, and special characters, with at least 10 total characters.
- Configure security and privacy options, such as enabling encryption and limiting the information your devices share.
- Replace insecure IoT devices with more secure ones. Seek out reviews on these devices that address security features and patching support to determine which ones may have a reasonable baseline of security.
Identifying and Reporting Common Scams
On July 6, 2017 the Federal Trade Commission (FTC) issued an alert on scammers posing as FTC officials who contact individuals and claim they have won prizes from a charity contest. The scammers ask for money to cover taxes or insurance costs associated with the prize. While this is a new malicious campaign, scammers use these basic tactics time and time again with slightly different wording to take advantage of unsuspecting individuals. It may seem like a day doesn’t go by without scammers contacting you online or by phone seeking money and/or personal information. Since this is so commonplace, it is worth exploring how to identify these schemes, and how to go about reporting them in the event that scammers target you.
Identifying the scam
Two common financial schemes involve coercing individuals into paying money to prevent a negative outcome, such as a tax audit or police investigation, or asking the individual to pay a fee up front to claim a prize. A third type of scam seeks individuals’ personally identifiable information (PII), such as Social Security numbers and birthdates, to commit identity theft. Individuals providing information to scammers may suffer large financial losses, as well as negative impacts to their credit. It is important that you know how to spot these scams so you can easily ignore them.
It's most likely a scam if you...
- have to pay money to claim a “prize” or “winnings”
- are asked for money to stop or prevent a police, FBI, or other federal investigation
- have to provide your bank account number and information
- are specifically asked to purchase any form of prepaid gift card to be used as payment
- are approached with no prior contact to give out your date of birth, social security number, password, username or other personal sensitive information online or over the phone
- are approached online or by phone in an unprovoked manner and asked for payment or personal information by someone claiming to be a government employee on official business
One final thing to be aware of is that scammers create convincing emails that may look like official communication from your bank, credit card issuer, or a retailer. These emails often include a link to a very convincing, yet fraudulent website that will ask you to log in with your username and password. If you provide your credentials, the criminal can then use them to gain access to your legitimate account. From there, they can steal your personal information or generate fraudulent transactions. If you ever receive an email asking you to click a link to log in and update your account or change your information, be safe and use your browser to directly type in the legitimate website address for that account in order to complete this request. By doing this, you will always be sure you are on the right website.
Scammers constantly target individuals by email, false advertisements, and phone calls to bring these types of scams to fruition. Being wary of any communication that meets any of the above criteria will go a long way in keeping your information and money safe!
Finally, it is very important that targets of online or phone scams report this to the proper authorities. Although it can be a bit embarrassing to have been hit by such a crime, reporting is the only way to direct investigators and regulators to pursue the criminals behind the scam or identity theft. Aside from reporting the scam to law enforcement, it is important to work with your bank, credit card issuer, or the business where your account was compromised to take the necessary steps in preventing further financial loss.
If you are the target of a financial scam, report it to the FTC at www.ftc.gov/complaint. If this scam was via email or over the Internet, also file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov/complaint.
Targets of identity theft can also file a report at www.identitytheft.gov and receive a recovery plan detailing how to move forward based on the type of scam committed.
Are You Really Being Secure Online?
Browsing the web and interacting with websites in a secure fashion is immensely important in today’s connected world. Everyday things like online banking, shopping, and submitting your taxes involve sharing financial and sensitive information online. This makes browsing securely something that everyone should consider more closely. Below we will explore some ways to connect to the Internet and browse websites securely, as well as how you can double check that you are being secure.
Use a Secured Wi-Fi Network
Wi-Fi access is widely available, but many of the free connections are to unsecured public Wi-Fi that will leave your information travelling openly! On an unsecured public Wi-Fi network, cyber criminals can easily access the data you are transmitting due to the fact that your information is not encrypted.
A more secure public Wi-Fi network requires a password or credentials to gain access that are provided by someone acting in an official capacity for the local business and the use of encryption. When looking for an available and more secure wireless network, you will see ones using encryption marked with a small lock symbol next to the name of the network. Some hotels and shops that provide free Wi-Fi to customers provide access to their secure networks by providing you with credentials or an access code when checking in, making a purchase, or on request.
If you opt to use a public Wi-Fi connection, make sure you understand the risk – others may be able to see what you do. Keep this in mind and do not conduct sensitive transactions or log in using your credentials on any sites. Not all apps and sites support encryption and other good security practices, which leaves you much more open to many types of cyber-attacks when on a public Wi-Fi connection.
Secure Your Information in Transit
Keep an eye out for that little lock icon on your browser, or the “https” in the URL! Sites that are taking security seriously will encrypt the sensitive information you are exchanging with the site. This is a strong way to ensure that your online activities like shopping or submitting personal information are protected.
The small lock icon or “https” at the beginning of the URL are indicators that encryption is currently in use. The lock icon is commonly found in the address bar on the most popular browsers, including Chrome, Firefox, Safari, Edge, and Internet Explorer.
Verify the Website
When you are looking for information or products online, make sure you are on the website you intended to visit, or are going to the correct site.
One particular sneaky technique used by cyber criminals is called typosquatting. Typosquatting is when someone purposely owns a website that is similar to a trusted website but with a typo in the address. For instance, the website “thisissafe” might be trusted, but the website “thisisafe” could be a malicious website using typosquatting. People are often linked to these incorrect, but very closely named websites through phishing emails sent out by malicious actors. Many websites look the same, and sometimes criminals or other unscrupulous folks use the names and logos of trustworthy companies to mislead you. In some forms of attack, a user being led to a false, but convincing copy of a known website will be prompted to enter their legitimate credentials, which are stolen by the malicious actor who set up this ruse.
A good practice is to not click a link that is provided in your emails, and to instead go type the intended website’s address directly into your browser to ensure you get to the right place.
May 8, 2017 - Skimmer identified on two First State Bank & Trust ATMs
Fremont, Neb. – First State Bank and Trust Company of Fremont learned this weekend that an ATM skimming device had been placed on the outdoor ATM at our 1005 East 23rd Street location. This device was found by a user of the machine, was removed and turned into local law enforcement. In investigating this matter, it came to the bank’s attention that a device had been used at our 1965 East Military location.
First State feels confident that users of the 23rd Street machine will not be impacted since the device on this location was captured. We have identified bank customers whose cards may have been skimmed at the Military location and have flagged their cards in our system. We are reaching out to those affected customers. It appears only those who used the ATM at the Military branch in Fremont on Friday, May 5th -Saturday, May 6th are potentially impacted. All consumers are fully protected by the bank against fraudulent transactions. As always, we strongly encourage our customers to monitor their transaction history in online banking or through our mobile app.
If you are a non-customer who used our Military branch location and see unusual activity, please contact your bank directly for assistance. You are also fully protected against fraudulent charges, but the process does need to begin with your own financial institution.
“We take a situation like this very seriously. We are working with local and federal law enforcement on this matter and are reaching out to all identified customers. We are doing everything we can to resolve this situation quickly for those affected,” states Chuck Johannsen, President of First State Bank & Trust Company.
Here are some tips from the Office of the Comptroller of Currency/U.S. Department of the Treasury to protect your financial information:
- Walk away from an ATM if you notice someone watching you or if you sense something wrong with the machine; immediately report your suspicions to the company operating the machine or a nearby law enforcement officer.
- Before using an ATM, examine nearby objects that might conceal a camera; check the card slot for a plastic sheath before inserting your card.
- Never keep a written copy of your PIN in your wallet or purse as it could be stolen; instead memorize your PIN and keep a paper record hidden at home.
- When entering your PIN, stand close to the machine and hold your hand over the keypad or screen to make it more difficult for a person or camera to watch you.
- Beware of strangers offering to help you with an ATM that appears disabled and notify someone responsible for the security of the machine.
- Regularly review your account statements, either online or on paper, and check for unauthorized withdrawals and purchases. If you find one, immediately contact your bank or credit card provider, as this will limit your financial liability for fraudulent charges.