What You Need to Know About COVID-19 Scams
Taking advantage of current events is a common tactic that cybercriminals use to fuel their malicious activities. With the global pandemic of COVID-19 and an overwhelming desire for the most current information, it can be difficult for users to ensure they are clicking on reliable resources. So far, the MS-ISAC has seen malicious activity come through just about every channel: email, social media, text and phone messages, and misleading or malicious websites.
The range of current malicious activity attempting to exploit COVID-19 worldwide varies. A few common examples include:
- Fake tests or cures. Individuals and businesses have been selling or marketing fake “cures” or “test kits” for COVID-19. These cures and test kits are unreliable, at best, and the scammers are simply taking advantage of the current pandemic to re-label products intended for other purposes. For more information on fraudulent actors and tests, check out resources from the U.S. Food and Drug Administration (FDA).
- Illegitimate health organizations. Cyber criminals posing as affiliates to the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), doctor’s offices, and other health organizations will try to get you to click on a link, visit a website, open an attachment that is infected with malware, or share sensitive information. This malicious activity might originate as a notice that you have been infected, your COVID-19 test results came back, or as a news story about what is happening around the world.
- Malicious websites. Fake websites and applications that claim to share COVID-19 related information will actually install malware, steal your personal information, or cause other harm. In these instances, the websites and applications may claim to share news, testing results, or other resources. However, they are only seeking login credentials, bank account information, or a means to infect your devices with malware.
- Fraudulent charities. There has been an uptick in websites seeking donations for illegitimate or non-existent charitable organizations. Fake charity and donation websites will try to take advantage of one’s good will. Instead of donating the money to a good cause, these fake charities keep it for themselves.
Government Efforts to Reduce COVID-19 Malicious Activity
The Department of Justice (DOJ) is actively seeking to detect, investigate, and prosecute cyber threat actors associated with any wrongdoing related to COVID-19. In a memo to the U.S. Attorneys, Attorney General William Barr said, "The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated." Individually, most state law enforcement agencies and other judicial officials are also treating these malicious actions as a high priority. More information can be found at https://www.justice.gov/coronavirus.
Additionally, the FDA has been taking action to protect consumers from fraudulent and deceptive actors who are taking advantage of COVID-19 by marketing tests that pose risks to patient health. If you are aware of any fraudulent test kits or other suspect medical equipment for COVID-19, you can report them to the FDA by emailing FDA-COVID-19-Fraudulent-Products@fda.hhs.gov. The FDA is now aggressively monitoring and pursuing those who place the public health at risk and is holding these malicious actors accountable.
Exercise extreme caution in handling any email with COVID-19-related subject lines, attachments, or hyperlinks in emails, online apps, and web searches, especially unsolicited ones. Additionally, be wary of social media posts, text messages, or phone calls with similar messages.
Be vigilant, as cyber actors are very likely to adapt and evolve to the nation’s situation and continue to use new methods to exploit COVID-19 worldwide. By taking the four precautions below, you can better protect yourself from these threats:
- Avoid clicking on links and attachments in unsolicited or unusual emails, text messages, and social media posts.
- Only utilize trusted sources, such as government websites, for accurate and fact-based information pertaining to the pandemic situation.
- Federal Emergency Management Agency (FEMA) recommends only visiting trusted sources for information such as coronavirus.gov, or your state and local government’s official websites (and associated social media accounts) for instructions and information specific to your community.
For More Information
If you think you’re a victim of a scam or attempted fraud involving COVID-19, or you think you know of a scam or fraud, you can report it without leaving your home:
- Contact the National Center for Disaster Fraud Hotline via email at email@example.com or by phone at 866-720-5721, or the FEMA Disaster Fraud Hotline at 866-720-5721, to report frauds and scams, including personal protective equipment (PPE) hoarding or price gouging;
- Report scams and frauds to the Cybercrime Support Network; and
- File a complaint for criminal activity by contacting your local law enforcement agency.
CDC, FEMA, and White House | COVID-19
CDC | COVID-19-Related Phone Scams and Phishing Attacks
CDC | Know the facts about coronavirus disease 2019
CISA | Security Tip: Using Caution with Email Attachments
CISA | Risk Management for Novel Coronavirus
CISA | Information & Updates on COVID-19
FBI | FBI Exec Discusses COVID-19-Related Schemes
FEMA | Coronavirus Rumor Control
U.S. DOJ | Coronavirus
Social Media: The Pros, Cons and the Security Policy
Risks & rewards of social media
Social media is a great tool in your organization’s communications toolbox. Many Americans have accounts on at least one platform and expect to find pages for their favorite brands and communities. If used correctly, it can have many benefits:
- Providing real-time information. Social media enables organizations to provide information in real-time. This is especially useful if your organization needs to communicate important information quickly. For example, if your organization experiences a time sensitive incident, such as a data breach, you can use social media to share pertinent information and provide steps your followers can take to remediate the damage. Government entities can use social media to disseminate information about programs and public meetings, changes in schedules, road work, and other information that constituents need to know about.
- Answering questions. Social media allows consumers to ask organizations questions and provide feedback. This means you know what information and product features they want, what you are doing well, and where you can improve. You can change your customer service processes, add new products or change existing ones, or keep doing what you do well. Most importantly, you can be responsive to your customers, which will help grow your image and your business.
- Humanizing your organization. Consumers can get to know your brand and the people behind it, and vice versa. Because the conversation is person-to-person and not bot-to-person, a company can reach customers using social media in ways that other marketing and advertising can’t. For example, you can adopt a more human voice through social media than you would through traditional advertising. Even a simple “Please PM your information so we can look into your concern” can go a long way toward keeping a current customer happy and maybe getting some new ones.
Of course, the unicorn is the post that goes viral for the right reasons. However, not everything looks rosy when it comes to organizations using social media.
Building a security-focused social media plan
Privacy and security risks associated with social media platforms only increase as the number of users and platforms grows. Cybercriminals mine social media accounts to get valuable intelligence that they can use in malicious campaigns. All organizations should develop a social media policy that takes cybersecurity and privacy into account. The first step is to develop a social media policy that includes what can be posted, who can post, and on what devices (e.g., can they use their personal device, or does it have to be a company-owned device?), and who is responsible for keeping and changing passwords. These are just some of the things that should be addressed; there are guides that will help you write a detailed plan.
Below are a few tips for developing a secure social media plan in your organization:
- Establish a social media team headed by a senior person. This person will be responsible for implementing and enforcing your company’s social media policy, as well as issuing access to those who need it. The team should include someone from the IT department who can consult on risk mitigation and who can assist if security issues arise.
- Use role-based email addresses instead of employee addresses. Using email addresses like firstname.lastname@example.org and email@example.com makes it harder to break into a network. A cybercriminal needs two email addresses to figure out your company’s email assignment scheme, which is a valuable piece of information needed to break into your network or your building.
- Your plan should include a way to insulate employees who choose to participate in your social media campaign. They should consider setting up separate social media accounts for work that are not linked to their personal accounts.
- Unless the employee has agreed to participate in a social media campaign and has taken steps to insulate themselves, try not to identify employees by more than one identifier, such as name and department, or name and email address. For example, if you post a photo of an employee who has earned an award, avoid identifying them as Jane Smith from Accounting. A criminal can use this information to get into the building (“I’m here to see Jane Smith from Accounting”) or find her and her email address in the company directory.
- Any employee photos on social media (or any public-facing website) should be taken in a closed conference room or some other area away from active workspaces. This will prevent confidential information, employee names, or information on screens or desks from inadvertently being photographed.
- Consider a policy of zero trust and require that all posts be vetted by the social media team for content prior to publishing.
- Review your social media policy at least quarterly. Go over the privacy settings for each platform and make any necessary changes. Make sure only the people who need access and publishing privileges have them, remove anyone who does not, and change privileges as needed. Sit down with your IT experts and discuss the latest threats to make sure you’re covered. Finally, take a look at your overall social media policy to ensure that it’s the best for your organization and make any necessary changes.
Securing our connected future
Social media has proven to be a powerful communications tool for both business and government organizations, but its powers can be used to harm as well as help. A solid social media policy and security plan that is implemented with care will vastly improve your social media strategy and protect employees’ privacy.
Cyber Threat Actors Expected to Leverage Coronavirus Outbreak
Cyber threat actors (CTA) leverage interest during public health threats and other high-profile events in order to conduct financial fraud and disseminate malware. We expect that this trend will continue with the emergence of new and recycled scams involving financial fraud and malware related to the coronavirus outbreak.
Malicious actors are likely to post links to fake charities and fraudulent websites that solicit donations for relief efforts or deliver malware. The MS-ISAC observed similar scams and malware dissemination campaigns in response to previous high-profile events including Hurricane Harvey, the Boston Marathon bombing, the Royal Wedding, and the Tennessee wildfires. It's highly likely that more scams and malware will follow over the course of the response period. Internet users should exercise caution before opening related emails, clicking links, visiting websites, or making donations to coronavirus relief efforts.
As of February 1, 2020, the MS-ISAC had observed the registration of names containing the phrase “coronavirus.” The majority of these new domains include a combination of the words “help,” “relief,” “victims,” and “recover.” Most of the domains appear to be currently under development. However, as a few appear malicious and the domains themselves appear suspect, these domains should be viewed with caution. More domain registrations related to the coronavirus are likely to follow in the coming days.
The potential of misinformation during times of high-profile global events and public health threats is high and users should verify information before trusting or reacting to posts seen on social media. Malicious actors often use social media to post false information or links to malicious websites. The MS-ISAC observed similar tactics in the days following Hurricane Irma’s landfall and other natural disasters.
It is likely that CTAs will also capitalize on the outbreak to send phishing emails with links to malicious websites advertising relevant information. It is possible these websites will contain malware or be phishing websites requesting login credentials. Other malicious spam will likely contain links to, or attachments with, embedded malware. Victims who click on links or open malicious attachments risk compromising their computer to malicious actors.
How to Avoid Being the Victim:
The MS-ISAC recommends that users adhere to the following guidelines when reacting to high-profile events, including news associated with the coronavirus, and solicitations for donations:
- Users should exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowd funding websites, or in an email, even if it appears to originate from a trusted source.
- Be cautious of emails or websites that claim to provide information, pictures, and videos.
- Do not open unsolicited (spam) emails or click on the links or attachments in those emails.
- Never reveal personal or financial information in an email or to an untrusted website.
- Do not go to an untrusted or unfamiliar website to view the event or information regarding it.
- Malicious websites often imitate a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs .org).
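For administrators who want to act on the domain-registration pattern and the spelling and TLD variations described above, the following added example (not MS-ISAC code) triages a feed of newly registered domains. The keyword lists are the ones quoted in this article; the trusted-site list, the thresholds, and the sample feed on the reserved `.example` TLD are assumptions constructed for illustration.

```python
# Added example: flag newly registered domains that match the lure patterns
# described in the article. Output is a list of reasons for analyst review,
# not a verdict that a domain is malicious.

EVENT_TERMS = ("coronavirus",)                            # phrase from the article
SOLICIT_TERMS = ("help", "relief", "victims", "recover")  # words from the article
TRUSTED = ("coronavirus.gov",)   # assumption: sites this organization trusts
MIN_LEN_FOR_SPELLING_CHECK = 6   # assumption: short names give noisy near-matches
MAX_EDITS = 2                    # assumption: tolerated typos in a lookalike


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Split a registered domain such as 'name.tld' into (name, tld)."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld


def triage(domain):
    """Return the reasons a domain deserves review (empty list if none)."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return []
    name, _tld = split_domain(domain)
    flat = name.replace("-", "")          # 'corona-virus' reads as 'coronavirus'
    reasons = []

    events = [t for t in EVENT_TERMS if t in flat]
    asks = [t for t in SOLICIT_TERMS if t in flat]
    if events and asks:
        reasons.append("event term with solicitation wording: " + ", ".join(asks))
    elif events:
        reasons.append("event term only")

    for trusted in TRUSTED:
        t_name, _ = split_domain(trusted)
        if flat == t_name:
            reasons.append(f"same name as {trusted}, different TLD or hyphenation")
        elif (len(t_name) >= MIN_LEN_FOR_SPELLING_CHECK
              and edit_distance(flat, t_name) <= MAX_EDITS):
            reasons.append(f"spelling variant of {trusted}")
    return reasons


def scan(feed):
    """Map each flagged domain in the feed to its list of reasons."""
    return {d: r for d in feed if (r := triage(d))}


# Constructed sample feed; .example is a reserved TLD, so none of these resolve.
SAMPLE_FEED = [
    "coronavirus-relief-fund.example",
    "helpcoronavirusvictims.example",
    "cornavirus.example",
    "corona-virus.example",
    "gardening-tips.example",
    "coronavirus.gov",
]

if __name__ == "__main__":
    for domain, reasons in scan(SAMPLE_FEED).items():
        print(domain, "->", "; ".join(reasons))
```

Flagged domains can feed a review queue or a watchlist at the web proxy; the event-term-only hits are the noisiest tier and are best treated as low priority.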
The MS-ISAC recommends that technical administrators adhere to the following guidelines when reacting to and protecting their networks and users during high-profile events, including news associated with coronavirus:
- Warn users of the threats associated with scams, phishing, and malware associated with high-profile events and train users about social engineering attempts.
- Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall.
- Flag emails from external sources with a warning banner.
- Implement DMARC to filter out spoofed emails.
New Year, New You… Same W-2 Tax Scams
Tax season is in full swing, which means criminals will go to great lengths to separate you from your money, your identity, or anything of value that is within their reach. They may offer seemingly legitimate "tax services" that are actually designed to steal your identity and your tax refund. Oftentimes, criminals will lure you in with an offer of larger write-offs or refunds. Such scams might include fake websites and tax forms that look like they belong to the Internal Revenue Service (IRS) in order to trick you into providing your personal information.
Due to the rise in data breaches, you should always take steps to minimize your risk of identity theft and other online-related crimes; this is especially important this time of the year. Below are some warning signs to look for and basic precautions you can take to minimize risk and avoid becoming the next victim!
Warning Signs of an Online Tax Scam:
- An email or link requesting personal and/or financial information, such as your name, social security number, bank or credit card account numbers, or any additional security-related information.
- Emails containing various forms of threats or consequences if no response is received, such as additional taxes or blocking access to your funds.
- Emails from the IRS or federal agencies. The IRS will not contact you via email.
- Emails containing exciting offers, tax refunds, incorrect spelling, grammar, or odd phrasing throughout.
- Emails discussing "changes to tax laws." These email scams typically include a downloadable document (usually in PDF format) that purports to explain the new tax laws. However, unbeknownst to many, these downloads are almost always populated with malware that, once downloaded, will infect your computer.
How to Avoid Being the Victim:
- Never Send Sensitive Information in an Email: Information sent through email can be intercepted by criminals. Make sure to consistently check your financial account statements and your credit report for any signs of unauthorized activity.
- Secure Your Computer: Ensure your computer has the latest security updates installed. Check that your anti-virus and anti-spyware software are running properly and receiving automatic updates from the vendor. If you haven't already done so, install and enable a firewall.
- Carefully Select the Sites You Visit: Safely searching for tax forms, advice on deductibles, tax preparers, and other similar topics requires great caution. NEVER visit a site by clicking on a link sent in an email, found on someone's blog, or in an advertisement. The websites you land on might look like legitimate sites, but can also be very well-crafted fakes.
- Be Wise with Wi-Fi: Wi-Fi hotspots are intended to provide convenient access to the internet; however, this convenience can come at a cost. Public Wi-Fi is not secure and is susceptible to eavesdropping by hackers; therefore, never use public Wi-Fi to file your taxes!
- Look for Clear Signs: Common scams will tout tax rebates, offer great deals on tax preparation, or offer a free tax calculator tool. If you did not solicit the information, it's likely a scam.
- Be on the Watch for Fake IRS Scams: The IRS will not contact you via email, text messaging, or your social network, nor does it advertise on websites. Additionally, if an email appears to be from your employer or bank claiming there is an issue that requires you to verify personal information, this is most likely a scam as well. Don’t respond to these types of emails; always contact the entity directly.
- Always Utilize Strong Passwords: Cybercriminals have developed programs that automate the ability to guess your passwords. To best protect yourself, make your passwords difficult to guess. Passwords should have a minimum of nine characters and include uppercase and lowercase letters, numbers, and symbols.
If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email (with headers or as an attachment) to its firstname.lastname@example.org email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
10 Tips to Securely Configure Your New Devices
The holiday season is upon us, which means shopping for the latest gadget is in full swing. With the massive number of discounts that are available this year, it makes sense for you to buy that latest smart device, right? However, as impressive as the latest iPhone or gaming computer might be, ensuring you’re able to properly secure these devices is more important than ever! Any device that connects to the internet is potentially vulnerable and could become compromised.
Here are several tips to keep in mind that can help you securely configure your new devices:
Adjust Factory-Default Configurations on Hardware and Change Default Passwords
Passwords are a common form of authentication and are often the only barrier between cybercriminals and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. But did you know those passwords can easily be found online? To better secure your digital devices it’s important to change the factory-set default password. Be sure to replace it with a strong and unique password or passphrase for each account.
Secure your Wi-Fi Network with Encryption
Your home’s wireless router is the primary entrance for cybercriminals to access your connected devices. To enhance your defenses, use Wi-Fi Protected Access 3 (WPA3). WPA3 is currently the strongest form of encryption for Wi-Fi. Other methods are outdated and more vulnerable to exploitation.
Double Your Login Protection
Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. If MFA is an option, enable it by using a trusted mobile device such as your smartphone, an authenticator app, or a secure token. For instance, with an iPhone you can utilize your screen lock feature with a pin or password.
Disable Location Services and Remote Connectivity
Location services might allow anyone to see where you are at any given time. Consider disabling this feature when you are not using your device to further secure your private information. Additionally, most mobile devices are equipped with wireless technologies such as Bluetooth that can be used to connect to other devices or computers. Consider disabling these features when not in use as well!
Safeguard Against Eavesdropping
Disconnect digital assistants, such as your Amazon Alexa, when not in use. Limit conversation near baby monitors, audio recordable toys, and digital assistants. Be sure to cover cameras on toys, laptops, and monitoring devices when they are not in use.
Don’t Broadcast Your Wi-Fi Network Name
To prevent outsiders from easily accessing your network, avoid publicizing your Wi-Fi network name, or service set identifier (SSID). All Wi-Fi routers allow users to disable broadcasting their device’s SSID. Doing so will make it more difficult for attackers to find a network. At the very least, change your SSID to something unique. Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and possibly exploit any known vulnerabilities.
Install a Network Firewall
Install a firewall at the boundary of your home network to defend against external threats. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. Most wireless routers come with a configurable, built-in network firewall that includes features such as access controls, web-filtering, and denial-of-service (DoS) defense, that you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the security of your network.
Please Note: Your internet service provider (ISP) may be able to help you determine whether your firewall has the most appropriate settings for your particular equipment and environment.
Install Firewalls on Network Devices
In addition to a network firewall, consider installing a firewall on all computers connected to your network. Often referred to as host or software-based, these firewalls inspect and filter a computer’s inbound and outbound network traffic based on a predetermined policy or set of rules. Most modern Windows and Linux operating systems come with a built-in, customizable, and feature-rich firewall. Additionally, most vendors bundle their antivirus software with additional security features such as parental controls, email protection, and malicious website blocking.
Remove Unnecessary Services and Software & Install Antivirus Software
Disable all unnecessary services to reduce the attack surface of your network and devices, including your router. Unused or unwanted services and software can create security holes on a device’s system, which could lead to an increased attack surface of your network environment. Additionally, a reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware. Many antivirus solutions are extremely easy to install and intuitive to use, allowing for automatic virus definition updates to ensure maximum protection against the latest threats.
Update and Patch Regularly
Manufacturers will issue updates as they discover vulnerabilities in their products. A perfect example is all of the update notifications you receive on your iPhone! Configuring your device to receive automatic updates makes this easier for many devices, such as computers, phones, tablets, and other smart devices. However, if you need to manually update your device, make sure you are only applying updates directly from the manufacturer (e.g., Apple), as third-party sites and applications are unreliable and can result in an infected device.
8 Shopping Tips for the Holiday Season
It’s that time of year again: holiday shopping has begun! Everyone is looking for those unique gifts, hot toys and cool electronics. Whether it is a hard-to-find toy for kids or the latest 4K smart TV, Black Friday sales seldom fail to pique the interest of even the most casual shoppers. Yet even after the chaos of Black Friday lie both Small Business Saturday and Cyber Monday. While it’s clear that businesses are after your dollars during the holidays, you should be aware that cybercriminals are on the lookout, too.
When it comes to holiday shopping, you need to be careful that you don’t fall prey to these criminals. Here are some tips to follow for your holiday shopping:
- Do not use public Wi-Fi for any shopping activity. Public Wi-Fi networks can be very dangerous, especially during the holiday season. Public Wi-Fi can potentially grant hackers access to your usernames, passwords, texts and emails. For instance, before you join a public Wi-Fi titled "Apple__Store," make sure you first look around to see if there's actually an Apple Store in your vicinity, and thus, confirm that it is a legitimate network. To help stay secure, you should always be on the lookout for the lock symbol on your webpage.
- Look for the lock symbol on websites. When visiting a website look for the “lock” symbol before entering any personal and/or credit card information. The lock may appear in the URL bar, or elsewhere in your browser. Additionally, check that the URL for the website has “https” in the beginning. These both indicate that the site uses encryption to protect your data.
- Know what the product should cost. If the deal is too good to be true, then it may be a scam. Check out the company on “ResellerRatings.com”. This site allows users to review online companies to share their experiences purchasing from those companies. This will give you an indication of what to expect when purchasing from them.
- One-time use credit card numbers. Many banks are now offering a single use credit card number for online shopping. This one-time number is associated with your account and can be used in place of your credit card number. This way, if the credit card number becomes exposed, it cannot be used again. Check with your credit card company to see if they have this option available.
- Keep your computer secure. When using your computer to do your holiday shopping, remember to keep your antivirus software up to date and apply all software patches. Never save usernames, passwords or credit card information in your browser and periodically clear your offline content, cookies and history. You will want to keep your computer as clean as possible for online shopping. The world of online shopping can bring lots of new products to your doorstep and can prove to be a lot of fun finding that special gift. Just remember to be careful so that you don’t make your data a special gift to cybercriminals.
- Always use credit cards for purchases. Avoid using your ATM or debit card while shopping. In the event that your debit card is compromised, criminals can have direct access to the funds from your bank account. This could cause you to miss bill payments and overdraw your account. When using a credit card, you are not using funds associated with your bank account. This means you are better protected by your credit card company’s fraud protection program. If you pay off the credit card balance each month, you won’t pay interest and your banking information will be protected.
- Don’t leave purchases in the car unattended. Criminals can be watching and will consider breaking into your car to get the merchandise you just purchased. If you must leave some items in your car, consider leaving them in the trunk or glove compartment rather than in a visible location.
- Beware of “porch pirates.” When shopping online and receiving purchases by mail, make sure you are always tracking your packages. The US Postal Service, FedEx and UPS all have systems to track your packages, and all three utilize tracking numbers that can be used to figure out where your item is and when it should be delivered to your home. However, the only surefire way to thwart porch pirates is to not have packages delivered to your home at all. Consider having your holiday packages delivered to a family member, your workplace, or a trusted neighbor!
Remember, always trust your instincts. If an email or an attachment seems suspicious, don't let your curiosity put your computer at risk! ~ Happy Holidays and safe shopping!
Own IT. – Secure IT. – Protect IT.
The 16th annual National Cybersecurity Awareness Month (NCSAM) is in full swing! Held every October, NCSAM has been a collaborative effort between government and industry not only to raise awareness about the importance of cybersecurity, but also to ensure that everyone has access to the appropriate resources they need to be safer and more secure online.
Since NCSAM’s inception (under the leadership of the U.S. Department of Homeland Security and the National Cyber Security Alliance, or NCSA), it has vastly accelerated, reaching a multitude of consumers, both small and medium-sized businesses, corporations, educational institutions and an exponential amount of young people across the country.
Following the success of the ‘Our Shared Responsibility’ theme last year, CISA and NCSA have now shifted towards a more personalized approach, gearing their message towards individual accountability. This year’s overarching message – Own IT. Secure IT. Protect IT. – has been designed to not only encourage personal accountability and proactive behavior in digital privacy, but also promote security best practices, consumer device privacy, e-commerce security, as well as various cybersecurity focused careers. Below are some of the highlighted calls to action and their key messages:
We live in a world in which we are constantly connected, so cybersecurity cannot be limited to the home or office. When you’re traveling, it is always important to practice safe online behavior and take proactive steps to secure your smart devices. With every social media account you sign up for, every picture you post, and status you update, you are sharing information about yourself with the world.
- Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you.
- Update your privacy settings: Set the privacy and security settings to your comfort level for information sharing. Keep tabs on your apps and disable geotagging (which allows anyone to see where you are).
- Connect only with people you trust: While some social networks might seem safer, always keep your connections to people you know and trust.
Have you noticed how often security breaches, stolen data, and even identity theft, are front-page headlines nowadays? Cybercriminals attempt to lure users to click on a link or open an attachment that may infect their computers. These emails might also request personal information such as bank account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, these attackers now possess access to their personal accounts.
- Avoid using common words in your password: Substitute letters with numbers and punctuation marks or symbols. For example, @ can replace the letter “A”.
- Be up to date: Keep your software updated to the latest version available. Turn on automatic updates so you don’t have to think about it!
- Think before you act: Be wary of communications which implore you to act fast. Many phishing emails create urgency, instilling fear that your account or information is in jeopardy.
Today’s technology allows us to connect around the world through banking, shopping, streaming, and more. This added convenience undoubtedly comes with an increased risk of identity theft and scams. More and more home devices (such as thermostats, door locks, etc.) are now connected. While this may save us time and money, it poses new security risks.
- Secure your Wi-Fi network: Your home’s wireless router is the primary entrance for cybercriminals to access all of your connected devices, and you can better secure your Wi-Fi network and devices by changing the factory-set default password and username for each one.
- Know what to look for:
  - Identity Theft – bills for products or services you did not purchase, suspicious charges on your credit cards, or any changes to your accounts that you did not authorize.
  - Imposter Scams – an imposter may contact you saying they are from a trusted organization informing you that your SSN has been suspended, or your account has been locked, while asking for your sensitive information or payment to fix the issue.
  - Debt Collection Scams – scammers may attempt to collect on a fraudulent debt. Debt collector scammers typically request payment by wire transfers, credit cards, or gift cards.
Visit to learn more:
Cybersecurity Tips for K-12 Kids, Family, and Friends
Every child should be taught how to be safe online. In the new digital world, there are technological wonders, which often introduce cyber threats of many kinds. The online world can be a place of inappropriate conduct and content, where kids may feel anonymous. There are bullies, predators, hackers, and scammers that may pose a threat to your children. These factors can make it challenging for parents to guide their children today on interacting with others through technology. Providing this important guidance on online safety and privacy begins with talking about it and encouraging safe and smart decisions about online activity. Let’s explore some concepts and tips that apply to keeping everyone safe online, regardless of age!
What are the risks?
The online world has many cyber risks and concerning activities for kids and parents to recognize. The following are some of the cyber risks:
- Cyberbullying is bullying that happens online. It can happen in an email, a text message, an app, an online game, or on a social networking site.
- Phishing/Identity Theft is when a scam artist sends text, email, or pop-up messages in a browser to get people to share their personal information. They can then use that information to commit identity theft.
- Sexting is the sending or forwarding of sexually explicit photos, videos, or messages from a mobile phone. In addition to risking their reputations, friendships, and safety, this could be illegal activity.
- Social Networking can help kids connect with family and friends, but it can invite danger if not used appropriately. Sharing too much information, posting pictures, videos, or words can damage reputation, hurt someone else, or invite a predator to contact the user. Once something is online, it may not easily be removed. Oversharing may be leveraged by online criminals to facilitate identity theft.
What can you do?
- Start at an early age! As soon as children can use a computing device, it is time to talk to them about using it safely. Parents and family have the best opportunity to teach children!
- Know what your kids are doing. Consider having a common area in the house for the family to do online activity, where children can feel independent, but not alone.
- Keep an open and honest environment. Let your children know they can come to you with any concerns or questions about their online experience.
- Protect your children’s information. Don’t over-share information about your children, and teach them this principle. Set social media accounts so only approved friends can see their content.
- Respond appropriately to cyberbullying. Tell children to ignore or block bullies, unless it becomes threatening. Report abuse to the website where it is taking place, or if you fear for your child’s safety, report it to the authorities.
- Configure the security and privacy features on devices. Change default settings on your devices and enable security features like strong passwords, auto-updates, etc.
- Keep all your computers and mobile computing devices up to date with the latest security patches and anti-malware software.
- Consider installing or enabling parental controls on devices.
- Teach kids to be cautious of suspicious messages. Forward phishing emails to email@example.com and firstname.lastname@example.org.
Staying Cyber-safe on a Summer Vacation
Typical travelers heading out on their summer vacation check that they have the right supplies and clothes for their trip before they hit the road. Expert travelers will also be checking that they are educated and prepared to be cyber-safe with their devices and data while on the road! Thinking of your smartphones and devices as being just as important as your wallet is a step in the right direction. These devices contain everything from your banking and payment information to your treasured family photos, and ensuring they are secure and protected when away from home is paramount. In partnership with the National Cybersecurity Alliance (NCSA), we have put together some key tips, strategies, and resources to aid you in being secure during your travels.
To do before your trip:
Update your devices: One of the simplest and most effective ways to stay cyber-secure is to continuously update your devices. Those updates don’t just contain new features, but fix security flaws and keep you protected!
Password/Passcode protect your devices: Always establish a strong passcode with at least 6 numbers or a swipe pattern with at least 1 turn of direction when protecting the lock screen of your smartphone. On laptops, a password or phrase of at least 8 characters is recommended, including uppercase and lowercase letters, special characters, and numbers.
Set your device to lock after an amount of time: Once you have the passcode, password, or swipe pattern established, you should set an automatic device lock prompting for the access code after a specified time of inactivity. This will prevent a criminal from getting onto your device if you accidentally leave it unlocked.
Book your trip with trusted sites: When planning your trip and booking transportation, lodging, and experiences, it is important to complete those transactions with trusted, known businesses. If possible, double check the reviews and reputation of a site you are unfamiliar with but are considering using for your booking. By sticking to reputable sites, you guarantee a higher standard of security for your data and transaction.
Staying secure and connected during your trip:
Keep track of your devices: Not only are your devices themselves worth a great deal of money, but your sensitive information that is accessible by that device is also valuable. Ensure that you keep your devices close at hand or secured away safely when not in use. Theft of mobile devices, from smartphones to tablets and laptops, is all too common and can spoil a fun trip to a great extent.
Limit your activity on public Wi-Fi networks: Public Wi-Fi that does not require credentials or logging in is not protected by encryption, so your browsing and activity are not secure from prying eyes. To ensure your information is not put at risk, avoid logging into your personal accounts or making transactions while on public or hotel networks.
Don’t overshare on social media: Consider posting updates about your trip after you return. Criminals may see that you are away from home based on social media content and attempt to steal from your home! If you also share too many details about where you are on your trip, some scammers may attempt to contact your family and friends with a variety of scam tactics. Additionally, consider setting your social media accounts to only allow friends to view your posts and content. Tips on privacy for safe social media use can be found in more detail in our prior newsletter.
By following these tips and being a cyber-safe traveler, you will have a smooth and enjoyable vacation!
New Internet Banking Interface Coming Soon!
First State Bank & Trust Company is pleased to announce an upcoming enhancement to our NetFirst Internet Banking product. On June 17th, you will be greeted by a new, modern, streamlined experience designed to make you more productive and help you get to what you need faster.
What has changed?
The biggest change you'll notice is the Move Money area. This new section brings together all of the services that were previously under their own tabs. Internal transfers, loan payments, loan advances, Bill Pay, and external accounts are all here! All of your available internal accounts are ready for immediate access, and your Bill Pay payees and external accounts have been moved over, with easy access to add new payees and external accounts. Don't have Bill Pay yet? There will be an option there waiting for you to help you get started.
To move money, it's as simple as choosing where the money is coming from, where it should go, and which of the available delivery options to use. It's really that easy!
Helping you find more
Certain features have been moved to a more prominent location. Card management, previously on its own at the top of the page, is now a menu option along with messaging with a more noticeable unread message indicator. eStatements are now also a menu option called Documents, instead of buried within the details of the account. Stop Payments show up as an option right when you click on the account. Alerts is also a menu option giving you easy access to the emails we send you and the ability to modify your Visa Debit card alerts as well.
Have you struggled with the site displaying only the most recent transactions for your account? Now, the page will continuously load transactions as long as you keep scrolling down the page (up to 2 years). You no longer need to guess the timeframe you're looking for; you just keep scrolling. You can also add notes and photos to all posted transactions, so you can attach an image of a bill you receive with the method you used to pay it, the receipts of your purchases, a photo of the purchased items, or whatever else helps you keep track of your finances.
Back to business
Business customers using cash management features will love this upgrade. Right upfront, you will see a dashboard giving you an overview of any outstanding ACH batches, wire transfers, or positive pay exceptions needing approval so you can get right into what needs to get done.
ACH batch creation has been vastly simplified. Now, sending an ACH batch is as simple as entering the information for the batch, adding the people involved, and scheduling the batch in a nice, clean, easy-to-follow flow. Once you've sent a batch, you can use your history to create a new batch with the same information so you spend less time configuring your batches and more time getting to work. You can also create batch templates for faster access to your ACH batches, similar to wire templates.
Wires have also been streamlined using the same easy-to-follow process. Any existing wire templates will be carried over to the new system automatically. Researching wire history has also been greatly simplified, and that history is much easier to find and use.
What do I need to do?
Absolutely nothing! Later this spring, you will be taken automatically to the new interface when you log in. If you have the bank's homepage, www.fsbtfremont.bank, saved as a favorite, you shouldn't need to adjust anything to keep your access. Your username, security questions, and password will remain the same; only the look and feel of the site will change. We will provide you with more information as soon as it is available.
If you have any questions about the new interface, please feel free to call 402-721-2500 and ask for the eCommerce Department.
To preview what the new interface will look like and how it will operate, click one of the links below to give it a try:
Securing Online Accounts with Multi-factor Authentication
Have you noticed how often security breaches, stolen data, and identity theft are consistently front-page news these days? Perhaps you, or someone you know, are victims of cyber criminals who stole personal information, banking credentials, or more. As these incidents become more prevalent, you should consider using multi-factor authentication, which is often also called strong authentication, or two-factor authentication. This technology may already be familiar to you, as many banking and financial institutions require both a password and one of the following to log in: a call, email, or text containing a code. By applying these principles of verification to more of your personal accounts, such as email, social media, and more, you can better secure your information and identity online!
What it is
Multifactor authentication (MFA) is defined as a security process that requires more than one method of authentication from independent sources to verify the user’s identity. In other words, a person wishing to use the system is given access only after providing two or more pieces of information which uniquely identify them.
How it works
There are three categories of credentials: something you either know, have, or are. Here are some examples in each category.
| Something you know | Something you have | Something you are |
|---|---|---|
| | Security Token or App | |
| | Verification Text, Call, Email | |
In order to gain access, your credentials must come from at least two different categories. One of the most common methods is to log in using your user name and password. Then a unique one-time code will be generated and sent to your phone or email, which you would subsequently enter within the allotted amount of time. This unique code is the second factor.
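The password-then-code login described above, seen from the service's side, as an added example that is not code from the bank or from any vendor named on this page. The class and method names, the 6-digit code, the 5-minute window and the 3-attempt limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt):
    # Slow, salted hash for the "something you know" factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoStepLogin:
    """Hypothetical service: password first, then a short-lived one-time code."""

    def __init__(self, code_ttl=300, max_attempts=3, clock=time.time):
        self.code_ttl = code_ttl          # assumed "allotted time": 5 minutes
        self.max_attempts = max_attempts  # assumed guess limit per code
        self.clock = clock                # injectable so expiry can be tested
        self.users = {}                   # username -> (salt, password hash)
        self.pending = {}                 # username -> outstanding code record

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def start_login(self, username, password):
        """Step 1: check the password. On success return the one-time code
        that would be sent out of band (text, call, email or app)."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"   # unpredictable 6 digits
        key = secrets.token_bytes(16)
        self.pending[username] = {
            "key": key,
            # Only a keyed digest is kept, never the code itself.
            "digest": hmac.new(key, code.encode(), hashlib.sha256).digest(),
            "expires": self.clock() + self.code_ttl,
            "attempts": 0,
        }
        return code

    def finish_login(self, username, submitted_code):
        """Step 2: check the second factor. Returns 'ok', 'wrong', 'expired',
        'locked' or 'no_code'."""
        entry = self.pending.get(username)
        if entry is None:
            return "no_code"
        if self.clock() > entry["expires"]:
            del self.pending[username]
            return "expired"
        entry["attempts"] += 1
        digest = hmac.new(entry["key"], submitted_code.encode(),
                          hashlib.sha256).digest()
        if hmac.compare_digest(digest, entry["digest"]):
            del self.pending[username]    # single use: a replay gets 'no_code'
            return "ok"
        if entry["attempts"] >= self.max_attempts:
            del self.pending[username]    # stop guessing; a new code is needed
            return "locked"
        return "wrong"


if __name__ == "__main__":
    service = TwoStepLogin()
    service.register("alice", "constructed sample passphrase")
    sent = service.start_login("alice", "constructed sample passphrase")
    print("code delivered out of band:", sent)
    print("second factor result:", service.finish_login("alice", sent))
```

A stolen password alone stops at step 1's output: without the code delivered to the phone or inbox, `finish_login` never returns `ok`, and the expiry and attempt limit keep the 6-digit code from being guessed.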
When should it be used?
MFA should be used to add an additional layer of security around sites containing sensitive information, or whenever enhanced security is desirable. MFA makes it more difficult for unauthorized people to log in as the account holder. According to the National Institute of Standards and Technology (NIST), MFA should be used whenever possible, especially when it comes to your most sensitive data – like your primary email, financial accounts, and health records. Some organizations will require you to use MFA; with others it is optional. If you have the option to enable it, you should take the initiative to do so to protect your data and your identity.
Activate MFA on your accounts right away!
To learn how to activate MFA on your accounts, head to the Lock Down Your Login site, which provides instructions on how to apply this fantastic form of security to many common websites and software products you may use. Lock Down Your Login is a resource created by the National Cyber Security Alliance and the U.S. Department of Homeland Security through their Stop Think Connect campaign to empower citizens with cybersecurity knowledge and practices.
If any of your accounts are not listed on that resource site, look at your account settings or user profile and check whether MFA is an available option. If you see it there, consider implementing it right away!
To activate MFA on your First State Bank & Trust Company NetFirst login, please contact our eCommerce Department and ask to enable enhanced security for your login.
A user name and password are no longer sufficient to protect accounts with sensitive information. By using multifactor authentication you can protect these accounts and reduce the risk of online fraud and identity theft. Consider also activating this feature on your social media accounts!
Share Your Information With Care
It is very easy to find any information you need in today’s connected world. Have you ever Googled yourself to see what information about you is online? A search can often provide your address history, phone number, age, birthdate, employment information, public records, and social media accounts. Consider what can be done with Personally Identifiable Information (PII) from the perspective of a cyber-criminal looking to commit identity theft or other crimes.
Children, teens, and senior citizens are all groups who especially may not realize how vulnerable they are to being a victim of cyber-crime. Senior citizens may be more trusting of the material that is presented to them online. Children and teens are growing up with technology, and may be using it to communicate with each other with only a recreational level of understanding. They may not realize that once you post online, it rarely goes away.
In order to keep information safe or private, we need to take care in sharing it, and teach cyber hygiene to those who may not understand its importance. Here are examples of how we are asked to provide information, or how people share information that should be kept private:
Store loyalty and other accounts online
Cyber criminals will offer false and unbelievable deals to get you to click on a link and provide them with your information. You may hear about a loan offer, or a notification that your order shipped and that you need to log in by clicking their link to track it. Criminals seek your information in an effort to steal your identity and use it to open up fraudulent accounts in your name. Always shop with trusted vendors, and never follow an unsolicited link in an email asking you to log in to an account. Instead head to the website you normally use by typing it into your browser to check on your account.
Fraudulent phone calls (Vishing)
Criminals may call saying they are from Microsoft or another device/software company, telling you that your software has expired or your device is infected with malware. They may ask for money to renew a license, as a method to complete the fraudulent activity. Other criminals may pose as the IRS, pressuring you into paying taxes. Never offer payment information or personal information to someone calling you unsolicited. Always end the call and attempt to contact the organization through a publicly listed phone number that is legitimate, then see if you need to work with them on a problem.
Social Media Sites
These sites provide a relaxed atmosphere where you can chat with friends and family. The issue is that anything you post or share is likely a permanent submission that many others can access online. Oversharing on social media may lead to you voluntarily giving up answers to account security questions, like the color of your car or the town where you were born. Also, posting about being on vacation sends a signal to criminals that your home may be unoccupied and a great target for a robbery! With all this information about you on social media, be sure to set your account privacy settings so only friends can view your content. Lastly, consider deleting old, unused social media accounts to cut down on your digital footprint.
Whenever communicating with people or posting online, avoid sharing too much. When receiving emails, mail or calls asking for sensitive information (birthdate, social security number, credit card, etc.), always contact them at the legitimate address or phone number you normally use for that organization. Do not share information if you do not initiate the communication!
Below are resources on protecting privacy and identity along with practices for online security. These help you to protect yourself, your children, and your elders from being victims of a crime.
Federal Trade Commission:
Stay Safe Online:
Family Online Safety Institute:
Protect Seniors Online:
How to Spot and Avoid Common Scams
Have you ever gotten an email from someone claiming to be royalty? In their email they tell you that they will inherit millions of dollars, but need your money and bank details to get access to that inheritance. You know this email isn’t legitimate, so you delete it, yet there are many more scams being perpetrated by criminals that sound more believable and aren’t as easy to spot. Learning to identify and avoid these scams is the first step in protecting yourself from these schemes. Senior Citizens are often particularly vulnerable to some of these fraud campaigns. The world today is full of cybercriminals launching both phishing emails, and the tried and true phone scams that never fell out of fashion. Protecting not only your finances, but also your data from these scams is more important now than ever.
Scammers who operate by phone can seem legitimate and are typically very persuasive! To draw you in to their scam, they might:
- Sound friendly, call you by your first name, and make small talk to get to know you
- Claim to work for a company or organization you trust such as: a bank, a software or other vendor you use, the police department, or a government agency
- Threaten you with fines or charges that must be paid immediately
- Mention exaggerated or fake prizes, products, or services such as credit and loans, extended car warranties, charitable causes, or computer support
- Ask for login credentials or personal sensitive information
- Request payments to be made using odd methods, like gift cards
- Use prerecorded messages, or robocalls
If you receive a suspicious phone call or robocall, the easiest solution is to hang up. You can then block the caller’s phone number and register your phone number on the National Do Not Call Registry (https://www.ftc.gov/donotcall).1
Phishing emails are convincing and trick many people into providing personal data. These emails tend to be written versions of the scam phone calls described above. Some signs of phishing emails are:
- Imploring you to act immediately, offering something that sounds too good to be true, or asking for personal or financial information2
- Emails appearing to be from executive leadership you work with requesting information about you or colleagues that they usually do not request (for example, W2s)
- Unexpected emails appearing to be from people, organizations, or companies you trust that will ask you to click on a link and then disclose personal information.3 Always hover your mouse over the link to see if it will direct you to a legitimate website
- Typos, vague and general wording, and nonspecific greetings like “Dear customer”3
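The "hover over the link" check from the list above, automated for a mail-filtering or training context, as an added example that is not part of the original newsletter. The function names, the flag labels and the sample message are constructed for illustration; the domains are reserved example domains.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(text):
    """Hostname named by the visible link text, or None if it is just words."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "//" + candidate      # let urlsplit treat it as a host
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_links(html_body, trusted_domains):
    """Return one record per web link: where it really goes and why it is odd."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    report = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
            host = (parts.hostname or "").lower()
        except ValueError:
            report.append({"href": href, "text": text, "host": "",
                           "trusted": False, "flags": ["unparseable-url"]})
            continue
        if not host:
            continue                      # mailto:, #fragment and similar
        flags = []
        shown = host_of(text)
        if shown and not (is_under(host, shown) or is_under(shown, host)):
            flags.append("text-host-mismatch")     # text says one site, link another
        try:
            ipaddress.ip_address(host)
            flags.append("ip-address-host")        # raw IP instead of a name
        except ValueError:
            pass
        if parts.username is not None:
            flags.append("embedded-credentials")   # the "name@host" trick
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode-host")          # possible look-alike characters
        if parts.scheme == "http":
            flags.append("not-https")
        trusted = any(is_under(host, d) for d in trusted_domains)
        if not trusted and any(d in host for d in trusted_domains):
            flags.append("trusted-name-in-untrusted-host")
        report.append({"href": href, "text": text, "host": host,
                       "trusted": trusted, "flags": flags})
    return report


# Constructed sample message body, not taken from a real email.
SAMPLE_EMAIL = """
<p>Dear customer, your account is locked. Act now:</p>
<a href="http://example.com.account-verify.example.net/login">https://www.example.com/login</a>
<a href="https://203.0.113.7/reset">Reset your password</a>
<a href="https://billing@login.example.org/pay">www.example.com</a>
<a href="https://www.example.com/help">Help center</a>
"""

if __name__ == "__main__":
    for item in audit_links(SAMPLE_EMAIL, {"example.com"}):
        print(item["host"], item["trusted"], item["flags"])
```

The trusted-domain comparison here is a plain suffix match; a production filter would compare registrable domains using the Public Suffix List.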
Beware that many scam and phishing emails look legitimate! An email pretending to be a company might contain pictures or text mimicking the company’s real emails. If you’re unsure about an email you received, there are some steps you can take to protect yourself:
- Do not click links or open attachments in emails you were not expecting3
- Do not enter any personal, login, or financial information when prompted by an unsolicited email3
- Do not respond to or forward emails you suspect to be a scam3
- If in doubt, contact the person or organization the email claims to have been sent by using contact information you find for yourself on their official website3
If you get scam phone calls or phishing emails at home, hang up or delete the emails. If you get scam phone calls or phishing emails at work, let your organization’s security or Information Technology team know so they can help protect others from these scams! Additionally, please educate your parents and grandparents on these scams, as they are becoming only more and more common.
Staying Safe from Tax Scams
As people seek to file their tax returns this year, cybercriminals will be busy trying to take advantage of this with a variety of scams. Citizens may learn they are victims only after having a legitimate tax return rejected because scammers already fraudulently filed taxes in their name. According to the Internal Revenue Service (IRS), there was a 60% increase in 2018 in phishing scams that tried to steal money or tax data. For the last filing season, the IRS had identified 9,557 fraudulent tax returns as of February 24th, 2018 alone. As everyone aims to file their returns among all this fraud, the following advice will explain how tax fraud happens and provide recommendations on how to prevent it from happening to you or how to get help if you are unfortunately affected by a tax scam!
How is tax fraud perpetrated?
The most common way for cybercriminals to steal money, financial account information, passwords, or Social Security Numbers is to simply ask for them. Criminals will send phishing messages often impersonating government officials and/or IT departments. They may tell you a new copy of your tax form is available. They may include a link in a very official looking email that goes to a website that uses an official organization’s logo and appears legitimate, yet is fraudulent. If you attempt to log in to the false website, or provide any personal information, the criminals will see what you type and try to use it to compromise your other accounts and file a false return in your name.
Additionally, much of your personal information can be gathered online from sources like social media or past data breaches. Criminals know this, so they gather pieces of your personal information from a variety of sources and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, you will go through the arduous process of proving that you did not file the return and subsequently correcting the return.
Criminals also impersonate the IRS or other tax officials, demanding tax payments and threatening you with penalties if you do not make an immediate payment. This contact may occur through websites, emails, or threatening calls or text messages that seem official but are not. Sometimes, criminals request their victims to pay “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember that the IRS lets citizens know it will not do the following:
- Initiate contact by phone, email, text messages, or social media without sending an official letter in the mail first.
- Call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- Threaten you with jail or lawsuits for non-payment.
- Demand payment without giving you the opportunity to question or appeal the amount they say you owe.
- Request any sensitive information online, including PIN numbers, passwords or similar information for financial accounts.
How can you protect yourself from tax fraud?
- File your taxes as soon as you can…before the scammers do it for you!
- Always be wary of calls, texts, emails, and websites asking for personal or tax data, or payment. Always contact organizations through their publicly-posted customer service line. If they contact you, end the call and call the organization on the phone number on their website. As mentioned previously, the IRS will initiate contact on these issues by mail through the postal service.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real website address into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted sites and networks. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Use strong, unique passwords for all your accounts and protect them. Reusing passwords between accounts is a big risk that allows a breach of one account to affect many of them!
- Shred all unneeded or old documents containing confidential and financial information.
- Check your financial account statements and your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus. This will prevent identity thieves from applying for credit or creating an IRS account in your name.
If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email as an attachment to its email@example.com email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website provides a step-by-step recovery plan. It also allows you to report if someone has filed a return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
January 28th is National Data Privacy Day
Safeguard your data and your privacy!
In the past year, we saw a significant number of data breaches impacting the privacy of individuals. According to the Privacy Rights Clearinghouse, in 2018, 807 publicly disclosed breaches exposed 1.4 billion records. While this is a decrease from 2017’s 2 billion records exposed, the problem remains enormous because so many websites, social media outlets, and devices contain our information.
With January 28th being National Data Privacy Day, take some time to consider what types of personal information you should be protecting, and how to do so in a few different ways.
General Personally Identifiable Information
Personally identifiable information (PII) can be any data that identifies you as a specific individual. This information should be kept private and not shared with others. Examples of PII include your Social Security Number, or your name in combination with your date or place of birth.
Recommendations: Be aware of what you post publicly or submit through applications or services. Consider with whom you share your PII, and give extra scrutiny and consideration as to whether you really need to share this information. If someone contacts you requesting PII through email, social media, or a phone call, do not provide the information. If it is a phone call that you think is legitimate, hang up and call the organization back through a publicly listed telephone number so you can verify the caller is who they say they are.
Security Questions and Social Media
Security questions are a way to authenticate your identity and are an extra layer of security on accounts, which makes it extra important to not post these answers on social media. Posting a picture or writing a post about your first car’s make and model, or color of your car, childhood address, favorite ice cream flavor, mother’s maiden name, or elementary school is a bad idea. These are common security questions and by posting this information, you give away the answers, allowing cybercriminals to potentially access your accounts.
Recommendations: When on social media, be aware of what you post (including pictures!) and how it relates to the security questions you selected for your various accounts.
Information About Your Location
Giving out your location when away from home on social media is a privacy risk. This practice can result in your home being targeted for burglary. Additionally, your family and friends may be targeted by scammers seeking financial assistance on your behalf to help with a non-existent “travel emergency.” Three popular methods of this type of location sharing are geotagging (adding a location tag to a social media post or picture), posting a photo in which the background can be easily identified (like Times Square or the Eiffel Tower), or “checking in” at a business.
Allowing apps to use your phone’s location services has its own privacy concerns, as the app is likely recording or using that data, and may automatically add geotagging to social media interactions in that app as a result!
Recommendations: Customize your location settings to minimize sharing your location with websites and applications, especially on your mobile devices. You can geotag social media posts, pictures, or videos after returning from vacation, going out to eat, or that business trip. Also, check the privacy settings of apps to make sure they don’t need access to your location. At a minimum, ensure your social media settings are set to only show your posts and profile to friends.
Website/Application Privacy Settings and Permission
All websites and applications have privacy settings. These settings help you control what others are allowed to see, as well as manage your online experience. You should be familiar with these privacy settings and customize them to protect your information. Additionally, when creating an account on a website or application and agreeing to their services, understand what you are giving them permission to do with the data you provide.
Protecting your privacy starts with you. Website owners, websites, and service providers have a responsibility to protect your privacy. However, it is up to you to understand the privacy settings on social media, online accounts, and your devices. Knowing these settings, you will be able to customize them for greater security.
Take ownership of your privacy and read privacy policies and end user license agreements on websites (including social media), and update your settings whenever new privacy features are available.
Security and Privacy in the Connected Home
Stay cyber-safe with your Internet of Things (IoT) devices!
Did you ever wonder what it would be like to have a smart home? You could remotely change the temperature in your house, you could tell your lights to come on, or ask your refrigerator if you need to get milk at the grocery store, all from your smart home device or smartphone. You could play video games and access all your streaming services from one device, or know who is at your door from your connected doorbell.
The Internet of Things (IoT) is introducing these features into our homes by rapidly applying connectivity to everyday appliances and home features. As IoT devices become a part of our daily lives, and likely will become part of many more homes as holiday gifts, we need to take a look at the security risks and privacy concerns this smart technology introduces into our lives.
Personal Digital Assistants
Many people have a personal digital assistant like an Amazon Echo or Google Home. These devices analyze your past commands to try to anticipate your needs. These may also be linked to accounts used to purchase goods or services; make changes in your house such as turning off alarms, turning on the lights, or adjusting the temperature; or be linked to other accounts so they can tell you your schedule or read your email. Amazon Echo even has the ability to provide a pet-sitter with instructions, which is a give-away that you are not home.
Keeping these devices secure is especially important given that they may allow someone with access to the device to complete purchases using the owner’s accounts, identify key information, or find out more about you.
Smart Thermostats and Other Smart Home Devices
Many homeowners are beginning to opt for a digital thermostat that allows them to control the temperature in their home remotely using an app. While digital thermostats do come at a premium, the vendor also makes money on data it collects on usage and habits. Smart light bulbs and smart doorbells also allow for great levels of data collection by the manufacturer.
IoT manufacturers entice consumers with convenience and functionality by promising the world of the future through devices like those listed above. All the while, cybercriminals are finding that they can use these devices as pathways into your home network to steal your data and find out more about you. And yes, that includes using digital information to determine if the house is unoccupied and safe to rob.
Sony PlayStation 4, Microsoft Xbox One, Nintendo Switch, and many other gaming consoles are in millions of homes across the United States. These devices rely on Internet connectivity to provide different forms of entertainment and include streaming video, interactive gaming, voice chat features, and apps that keep both the system and applications up-to-date. One major risk is that many gaming consoles require subscriptions and user accounts for accessing online content such as games and streaming services. This makes the console another device associated with an account that holds your personal and payment information for the purposes of renewing these subscriptions.
Here are a few tips to follow in building your smart home with IoT devices:
- If you don’t need to connect a device to the Internet, don’t. If a device isn’t connected, it isn’t as big of a cybersecurity risk.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Research the privacy, security, and accessibility options that are available for customizing your device. You may find some options that provide greater security and privacy if you opt in. One example is that a device may offer multi-factor authentication (MFA) where you use your traditional password and username combination with the added step of receiving a verification code or providing a fingerprint through a scanner. If MFA is available, it’s worth using.
- Always update your devices and apply patches when available. When selecting which IoT devices to purchase, ensure they offer patching and updates from the manufacturer to keep them up-to-date. Enable auto-updates on any IoT devices that support them.
- Set up a separate, unique, strong password for every device. Don’t share credentials across devices.
- Replace devices when they are no longer supported by the vendor, as security flaws will remain unpatched.
- Turn off Universal Plug and Play if it is available on the device. You don’t want the device having this ease of connectivity with so little control.
- When requested to provide information to use a device, do not provide personally identifiable information (PII), like Social Security Numbers and dates of birth. If you must share PII to use the device, you may want to consider a different make or model or keeping it off your home network.
Remember these tips over the holidays as you receive and give gifts. This will ensure you don’t give cybercriminals the holiday gift of your sensitive data!
Staying Secure While Shopping Online
Making #CyberMonday #CyberSecure
It is that time of year when so many people prepare to purchase gifts for friends, family, and loved ones. Though it can be convenient to avoid the lines and rush for that latest Black Friday deal by shopping online, this also carries some risk. Cybercriminals are always working to steal your personal and payment information and the holiday shopping season is the perfect opportunity for this to happen. By following a few key practices, you can greatly lower your chances of becoming a victim of identity theft or fraud.
Choose Trusted Online Retailers and Apps
Always shop only with trusted online retailers. That means using a retailer you already know or one that is verified through another trusted entity. If you find a new possible shop to do business with, but are unsure about its reputation, try to find reviews from trusted sources such as the Better Business Bureau. It is important to stick to trusted review sources because there are several ways to fake online reviews, and there are places where cybercriminals can pay other criminals to post positive reviews. Even though an untrusted site might have the best prices, it is worth it to use a trusted online shop that is known to safeguard your information and purchases.
The same advice applies when downloading apps to help with your online shopping. Whether you are downloading a store app to get a coupon, a deal aggregator app to comparison shop, or a reward app that ensures you get points or cashback, it is important to stick to trusted apps from known developers. Unfortunately, fake apps appear in the app stores, purporting to be from a trusted source, while other apps exist to capture your data without providing the services they claim to support. You can avoid many malicious apps by downloading your apps from Google Play, Apple App Store, Microsoft Store, or another trusted platform, selectively choosing which apps to download, and making sure you carefully read the permissions and app reviews.
Secure your Device, Connectivity, and Accounts
Keep your devices up-to-date, especially those you shop and bank with – Simply updating the device that you use for conducting your online shopping is a key cybersecurity practice. By keeping the device up-to-date with current patches and software, you ensure you have the manufacturer’s latest security fixes in place.
Never use a public computer when shopping or banking – Using a public computer, like those found at libraries, can expose you to greater risk. It is best to use a trusted home device and network for anything involving financial transactions.
Never shop or conduct banking on unencrypted or public Wi-Fi – It is best to always conduct financial transactions or log on to sensitive accounts via a trusted Wi-Fi network. Ideally, this should be from your home network, which should require a password and use WPA2 encryption.
Look for the lock icon on your browser – When a site has a lock icon on the browser window, or in the URL bar, it indicates that your communications with the site are encrypted. If you do not see a lock, look for “https” at the beginning of the URL, as this indicates the same thing as the lock.
Check out as a guest – By checking out as a guest, you prevent the online retailer from storing your personal account and financial information. This minimizes the amount of information that could be lost if the retailer is compromised. If you have or need an account with a retail website:
- Use a strong password – Be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters.
- Don’t save your payment information with retailers – If you have an established account with a retailer, do not store your payment information with them. In the case of an account compromise, stored payment information may allow a criminal to make purchases using your financial information.
Be Wary of Fraudulent Emails and Advertisements
Look out for suspicious or unexpected emails – A common tactic of cybercriminals year round is to send fraudulent emails seeking to get you to click a link or open an attachment. When it comes to this time of year, they may make an email look like it contains tracking information for a shipment or a promotion for a store. The link or attachment might download malware or try to get you to enter your user credentials in a convincing, yet fraudulent login screen, so they can steal your password. Always avoid clicking direct links in emails, and if you receive an email with a tracking number in it, head to the shipping carrier’s website in your browser and copy and paste the tracking number itself into the site.
Avoid clicking advertisements or pop-up windows of any kind – Advertisements embedded in websites and pop-ups have been known to be compromised by cybercriminals to distribute malware. It is best to avoid clicking them altogether. To close pop-ups, press Control + F4 on a Windows computer and Command + W on a Mac.
Avoiding Many Types of Malware
Every day as we use our devices, browse the Internet, and open emails, we are also exposing those devices to potential malware (malicious software). Malware is any software that is designed to cause damage to, and/or gain unauthorized access to, devices or networks. Malware comes in many forms, all of which can have negative effects on your device and for you. With a little extra vigilance, and some good habits and practices, you can greatly reduce your likelihood of having a device infected with malware and can minimize the impact to your device, data, and life, in the event that it does become infected. Below we will explore a few common types of malware and their impacts, as well as some tips and practices that can help you as you go about your connected life.
Common Types of Malware and Their Effects
Ransomware – Ransomware is malware that stops you from being able to access your files, usually by encrypting them, and then requests payment to decrypt the files, restoring your access. Most commonly, ransomware asks for payment in bitcoin, which is a popular cryptocurrency. Unfortunately, paying the ransom does not guarantee restoring access to your files.
Trojan Horses (a.k.a. trojans) – This malware takes its name from the classic story of the Greek army sneaking soldiers into the city of Troy hidden inside a large wooden horse. Trojans of the malware variety behave in much the same way, by appearing to be legitimate apps or software that you want to install. Some trojans allow an attacker full access to your device, others steal banking and personally sensitive information, and others are simply used to download additional malware, like ransomware.
Keyloggers – This type of malware records your keystrokes and sends them to a cyber threat actor, giving them access to your usernames, passwords, and any other sensitive information you have entered using your keyboard. With this information, the cyber threat actor can access your online accounts or commit identity theft.
Tips and Practices for Avoiding and Surviving a Malware Infection
- Update and patch your devices and software. Vendors release updates and patches in order to fix security issues, not just to fix functionality! Many types of malware can be foiled by keeping your software up-to-date by accepting the updates when you get a notice about them.
- Never click suspicious or untrusted links. Even if the URL comes from a company or person you know, it is always safest to manually type in their URL. At the least, hover over the link to discover where it’s really sending you, as some malicious actors send emails that look convincing. This advice is also true for links in emails, documents, and on social media platforms, as malicious links are commonly posted to such sites. For more information on spotting suspicious emails and checking URLs, head to our past newsletter on this topic.
- Only download from trusted sources. When looking to download an app or software, only do so from a trusted vendor or source. On mobile devices, ensure that you only download apps from the Google Play store and Apple App Store, which are the trusted sources for Android and iOS devices.
- Back up your data and be sure the backups are good! Backing up your data, whether by doing a complete backup of your whole device or just key files, is the best way to protect those important files and pictures against ransomware and other data loss. For best practices and more information on backups, please reference our recent newsletter on this topic.
- Use antivirus and other protective software on your device. If your computer or router has built-in protections like antivirus or a firewall, ensure you have those enabled. Otherwise, buy or download an antivirus product from a trusted vendor. This is important for both your computers and your smartphones!
- Configure your devices with some security in mind. By setting up your devices with some basic security settings enabled, you will not only protect against some malware, but against other forms of malicious activity and access.
Want to keep your data? Back it up!
We all know it happens – computers crash, malware infects them, or somebody downloads that cool, new program that crashes everything! While there are many tips and tricks of great value for preventing your devices and data from being compromised, it is important to also have a backup of your information in case something goes wrong!
Backups are copies of key information or data that are stored separately from your device. By storing these separately, you can restore your data or device using these backups and get right back to full working order. With threats of ransomware, which encrypts and renders your personal files inaccessible, this is a real concern. Below we will explore some key concepts on creating backups and will provide resources that assist you in making decisions on how to best create this essential type of redundancy in your life.
Choosing what to back up
When thinking about a backup system, the first thing to decide is how much you want to back up. Are you okay storing key documents, pictures, and files, or do you want your full system backed up? If you’re concerned about rebuilding a full system, and having all the license information to make it functional, then you probably want a more complete backup option. If you just want to protect important files, then a system where you choose what to save would work well.
How can you create a backup of just key files?
If you are looking to store copies of your important files, you can copy them to your preferred method of backup periodically. This is accomplished by selecting the folders or files you want to back up, and copying them to the storage device or media. This is made especially easy if you make a habit of organizing your important files into just a few folders. This is a very simple and easy approach, and guarantees that your tax documents, digital receipts, pictures, and other important records remain available.
How can you create a complete backup of your device’s data?
If you are looking to create a more comprehensive backup, your devices likely have utilities built in that allow for easy creation of backups. These may allow you to set a complete copy of your device’s data aside that would allow you to restore it to full working order following an infection or issue. Seek out guidance or tips from your device’s vendor to determine what utilities are available to you for creating backups. The Stay Safe Online guide linked below has links to top vendors’ backup guides that can assist you through the process.
Choosing where to store your backed-up data
Regardless of what you want to save, one of the key ways to keep your backed-up data safe is to disconnect the storage media after you make the backup. This is important in the event that you are infected with malware, as you do not want the copies of data to also be infected. (Ransomware does look for backups to infect!) This also helps in case your computing device or where you store it is lost, stolen, or physically destroyed. Keeping a separate backup on a different physical storage device, or in the cloud, is a way to better secure your data from this type of problem.
Cloud services for storing backups can be a convenient solution, though they may come at a cost and some individuals may not like the fact that they will not have a copy in hand on physical storage media. Having the backup outside your immediate possession can be helpful if you are concerned about a physical problem, such as loss or damage. Some of these services save multiple versions of your backup, which better secures against infected files corrupting the cloud backup.
External hard drives or removable media (DVDs, USB drives, etc.) are the other most common option. You simply need to copy the data you want to save to the external hard drive or media. Consider keeping the external drive disconnected from your devices while not making backups, as this insures against malware getting on the backup copy.
How often should you back up files and systems?
The frequency with which you back up your data or systems is an important component of this process. Consider making your backups on a weekly basis, with a minimum frequency of monthly backups.
In conclusion, spend time considering how vital the data on each of your devices is. Then consider the best type of backup strategy for your needs and base a timeline of how frequently you make the copies off those needs as well. By adding this simple process to your safe computing habits, you can build in more reliability and recoverability. If you are ever the victim of a malware infection or cyber attack, you will surely be glad you took the time to make backups!
Sun, Sand, and Cybersecurity
Whether you are out exploring or relaxing, it is important to strive to be as secure as possible with your digital devices and information. Unfortunately, travel can open you up to different points of vulnerability compared to normal everyday use at home, and we don’t just mean accidentally going swimming with your cell phone. You see, while traveling you are operating outside of your normal, safe routines. This means using your devices on different networks and putting them down in different locations, including under your beach towel while swimming. By following some smart practices, you can connect with greater confidence during a summer escape.
Getting Ready to Go:
Avoid mayhem and make magical family memories by taking a few simple cyber safety steps before you head out of town. The goal here is to prepare your devices for travel and to keep them from being used against you.
- Keep a clean machine: Before you hit the road, make sure all security and critical software is up-to-date on your mobile devices and keep them updated during travel. These protections are your best line of defense against viruses and malware.
- Lock down your login: Your usernames and passwords are not enough to protect key accounts like those you use for email, banking, and social media. Fortify your online security by turning on multi-factor authentication, commonly referred to as two-factor authentication, when available. This typically pairs your username and password (i.e. something you know) with a message sent to your phone (i.e. something you have) or your fingerprint (i.e. something you are).
- Password protect: Use a passcode or security feature like a finger swipe pattern or fingerprint to lock your mobile device. Also set your screen to lock after a short period of time by default. If you do choose to use a finger swipe, make sure it has at least one turn (preferably two) and that a PIN code has at least 6 numbers!
- Think before you use that app: New apps are tempting! It is important to always download new apps from only trusted sources like the Apple App Store or the Google Play Store. Additionally, consider limiting your apps’ access to services on your device, like location services.
- Own your online presence: Set the privacy and security settings on social media accounts, web services, and devices. It is okay to limit how and with whom you share information – especially when you are away.
While on the Go:
Once you and your gang are at your destination, you are in new territory and are facing new potential cyber threats. Here are some ways you can keep up secure practices while out and about.
- Get savvy about what you do on other people’s Wi-Fi and systems: Do not transmit personal info or make purchases on unsecured or public networks. Instead, use your phone carrier internet service for these needs. For laptops/tablets, it is easy to use your phone as a personal hotspot to surf more securely using carrier data. Also, never use a public computer or device to shop, log in to accounts, or do anything personal.
- Turn off Wi-Fi and Bluetooth when idle: When Wi-Fi and Bluetooth are on, they may connect and track your whereabouts. Only enable Wi-Fi and Bluetooth when required, and disable your Wi-Fi auto-connect features.
- Protect your $$$: Be sure to shop or bank only on secure sites. Web addresses with “https://” and a lock icon indicate that the website takes extra security measures. However, an “http://” address indicates your connection is not secure (not encrypted) and you should not transmit payment or sensitive information to such a site.
- Share with care: Think twice before posting pictures that signal you are out of town. Knowing you are away from home is a great piece of information for a criminal to have and they may target your home for physical crime. Also consider limiting your social media apps’ access to location services on your device, and omit location information while making your posts and sharing your pictures.
- Keep an eye on your devices: Laptops, smartphones, and tablets are all portable and convenient, making them perfect for a thief to carry away! Keep your devices close to you and hold onto them if strangers approach you to talk, as a common scam consists of a stranger distracting you and placing a map or newspaper over your device and walking away with it when finished talking.
- Know your destination’s laws: If you are heading out of the country, check up on any specific laws on internet and device usage. Additionally, bring as few devices as possible and consider using a device specifically purchased for international travel.
Armed with these tips and practices, you should have a happy and cyber safe vacation ahead of you.
How to Spot Phishing Messages Like a Pro
The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.”1 When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows the malicious actors to sidestep these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let’s take a look at some example phishing emails.
Subject: Low Cost Dream Vacation loans!!!
We understand that money can be tight and you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.
Please email your completed form to VacationLoans@worldbankandtrust.com.
Your dream vacation is just a few clicks away!
Dr. Stephen Strange
World Bank and Trust
177a Bleecker Street, New York, NY10012
What did you notice in message #1?
In this message, you can see that the phisher wants to give us a low cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but also when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination. It is the email address of the attacker. Lastly, as much as you might like Dr. Strange, he’s probably not working for a bank part-time.
Subject: Free Amazon Gift Card!!!
You name has been randomly selected to win a $1000 Amazon gift card. In order to collect you prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner.
What did you notice in message #2?
Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.
Subject: Urgent – Take Action Before Your Email Account is Deactivated
Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.
Helpdesk Support Team
What did you notice in message #3?
This email is fairly well crafted without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgement and threatens the deactivation of your email account. Additionally, the link at the bottom looks like a link to Microsoft, yet it is in fact heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.
With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:
- If it seems too good to be true, it probably is;
- Hover your cursor over links in messages to find where the link is actually going;
- Look for misspellings and poor grammar, which can be good signs a message is a fraud;
- And, never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).
Additional information and a phishing game can be found on the FTC’s website, https://www.ftc.gov/.
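The hover check and the misspelling check used on the three messages above can also be run automatically when triaging a reported email. The following Python example is added here and is not part of the original newsletter; the sample HTML, the example.net, example.org and .example destinations, the displayed microsoft.com URL, and the two-brand watch list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a small watch list of brands commonly impersonated.
BRANDS = ("amazon", "microsoft")

# Finds a URL, e-mail address or bare domain inside the visible link text.
HOST_RE = re.compile(
    r"(?:https?://)?(?:[\w.+-]+@)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def target_host(href):
    """Host the link really goes to (the domain part for mailto: links)."""
    parts = urlsplit(href)
    if parts.scheme == "mailto":
        return parts.path.rpartition("@")[2].lower()
    return (parts.hostname or "").lower()


def site(host):
    # Simplification: treats the last two labels as the registrable domain,
    # which is wrong for suffixes such as co.uk (no public suffix list here).
    return ".".join(host.split(".")[-2:])


def check_link(text, href):
    findings = []
    actual = target_host(href)
    shown = HOST_RE.search(text)
    # "Hover" check: the text shows one site, the link goes to another.
    if shown and actual and site(shown.group(1).lower()) != site(actual):
        findings.append("display-mismatch")
    # Misspelling check: destination is one or two edits away from a brand.
    label = site(actual).split(".")[0]
    for brand in BRANDS:
        if 0 < edit_distance(label, brand) <= 2:
            findings.append("lookalike:" + brand)
    return findings


def audit(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href, check_link(text, href)) for text, href in collector.links]


# Constructed sample modelled on messages #1 to #3, plus one honest link.
SAMPLE_EMAIL = """
<p>Please email your completed form to
<a href="mailto:collector@mail.example.net">VacationLoans@worldbankandtrust.com</a>.</p>
<p><a href="http://www.amozan.example/claim">Claim your Amazon gift card</a></p>
<p><a href="https://account-check.example.org/login">https://outlook.microsoft.com/verify</a></p>
<p><a href="https://www.ftc.gov/">www.ftc.gov</a></p>
"""

if __name__ == "__main__":
    for text, href, findings in audit(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {findings or 'no findings'}")
```

A link with no findings is not proven safe; the check only catches the two tells discussed above.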
Reducing your Information Footprint
While spring cleaning your home and, if you’re like me, the top of your desk, consider also cleaning up your information footprint. Your information footprint is how much information about you is recorded and available in both digital and paper formats. Cleaning up your footprint can mean examining social media, online accounts, and even paper records containing sensitive information. While we may use a few key digital devices and services on a regular basis, they often contain more information about us than is necessary. It’s also likely that devices and services we don’t use anymore may still contain information. You might have that pile of paper you’ve been meaning to shred for a while, making this an opportune time to spring clean your information footprint. By spending a little bit of time and effort, you can better secure your information to safeguard against various forms of identity theft.
Disks, Hard Drives, and USB drives, Oh My!
Over the years, it’s easy to accumulate a mass of CDs, DVDs, hard drives, and USB drives that are no longer needed or with data that is no longer needed stored on them. If you have hard drives or USB drives with old data but want to continue to use them, consider following US-CERT’s guidance on how to securely clean the data off of these items before properly recycling them. Many shredders, including those rated for home use, can shred CDs and DVDs. If your shredder can’t handle them, check your local community for shredding days as many towns, schools, and office supply businesses will sponsor shredding events.
Clean Up Your Paper Trail
Many of us have a large quantity of paper documents that may contain sensitive information about ourselves, financial accounts, government identification information, tax returns, and more. Take some time to go through these documents this spring and check whether it is something you truly need to hold onto. If the answer is no, be sure to securely dispose of it by shredding it and recycling the shredded pieces. Simply ripping up sensitive documents is not enough to guarantee your information is unreadable.
Not sure how long you should hold on to those old documents? The Federal Trade Commission (FTC) has a handy website – “A Pack Rat’s Guide to Shredding” with information on how long you should hold on to those documents!
Closing Old Online Accounts
It is common for people to use many different shopping sites, social media outlets, online storage, clubs, and other online outlets that require you to enter, store, and sometimes share information from or about you. If you are no longer using any of these accounts, consider removing information that may be sensitive and consider closing them out if you do not plan to use them again. Sometimes, it is easiest to check out as a guest when shopping online at a place that you rarely, if ever, patronize. Checking out as a guest should minimize the data retained about you.
Old Social Media Accounts
Remember MySpace? LiveJournal? Do you still have that old email account or an account on an old dating website? As we move from MySpace to Facebook to Twitter, Instagram, and the other latest and greatest social media platforms, our old accounts and information are left behind, filled with personal details. Consider closing out social media accounts that you no longer use, as it will reduce your digital footprint. Keep in mind that all social media platforms have different policies when deleting old accounts and content. Be sure to read the policy. And, don’t forget to remove the app from your smartphone, too!
Oversharing on Social Media That You Do Use
If you frequently use a social media or online account but it contains lots of personal details or information that you now think should be safeguarded more closely, consider removing it from your profile or deleting the posted content. Think about whether the information you continue to share could be used against you or combined with other information to be used against you. Enough pieces of personal information combined together can be very useful to cybercriminals.
Be aware of any information that you share that could be used to respond to “Challenge” questions, which are frequently used to reset passwords. What does that mean? How could information be combined to be used against you? Think about your online bank account. If you forget your password, what types of questions do they ask? Probably something about the color of your car, your mother’s maiden name, your birthday, or pets’ names. Did you post a picture of your new car? Friend your mother or her brother on social media? Answer a meme about your birth month and day? Share adorable pictures of Fluffy? If you did, you’ve helped someone find out the answers to your bank’s security questions!
This is the case for many of the pieces of information you may share online and many online accounts that use challenge questions to reset passwords. Information commonly used for challenge questions includes the above examples and other details, such as your favorite sports team, vacation spot, fruit, ice cream, type of reading material, youngest sibling, elementary school name, and so on. As you clean up your data, think about what information could be used to answer your security questions and try to remove that data from your social media accounts.
In closing, these short tips can make a world of difference in lowering your information’s exposure to others. By questioning if you need to share or provide certain information online as you move forward, you can save yourself from many of the unnecessary overexposures we discuss here. Additionally, by taking a look at both your digital and paper trails to do these activities on a routine basis, you can be sure to keep overexposure in check.
I’m connected. You’re connected. We’re all connected!!
We are more connected than ever before. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. Today, our everyday devices are connected to the world including laptops, mobile phones, fitness trackers, smart televisions, home security systems, thermostats, and refrigerators. Additionally, let us not forget the devices that connect everything else together, such as routers, access points, and modems.
Many people may not consider their connected devices to be a security threat, but they absolutely can be. One of the issues with such devices is that many of them do not come configured with security in mind. Connecting an unsecure device to your network is like leaving the back door to your house unlocked, as it gives attackers access to your personal information. Manufacturers develop products to be more accessible, more user-friendly, and to make our lives more integrated. However, that also means we are less secure if these devices are not properly configured. Unfortunately, some devices completely lack the option or ability to be configured, making it nearly impossible to secure them. Unsecure devices also give threat actors the means to propagate their attacks by using your devices to attack other networks and devices. Therefore, not only can your unsecure devices present a risk to you, but they can also become a risk to others who can be victims of an attack from your compromised devices.
Do Your Research
You should do your research before purchasing a connected device, especially a device that may allow someone access into your home, such as a surveillance camera or home security system. Check the online reviews and look at the company’s website to determine if there are warnings about the security of the device and if the company issues updates/patches to fix security concerns.
What Can You Do to Secure Your Devices?
So, what can you do to enjoy the functionality of your connected devices and remain more secure at the same time?
When you first receive your device, check the default settings and choose the more secure options, such as enabling a password or changing the default password to something only you know. Below is a list of these basic recommendations and some effective ones that may be less obvious choices.
- Network access or Internet access may be enabled on a device by default. Disable network/Internet access for devices that do not need it.
- Update the device operating system or firmware. The default operating software installed on a device may be out of date and/or contain many vulnerabilities. Updating or patching your device’s software will reduce the chances of a successful attack.
- Wireless access points (APs) are oftentimes configured to broadcast the SSID, or network name. Consider changing these settings to turn this feature off, which can better secure your WiFi network.
- Create two different WiFi networks on your wireless router, if your router supports it. Creating separate WiFi networks, using different SSIDs, allows for the ability to separate smart devices from other networked computers, smartphones and tablets. The goal of the separation is to limit the impact a compromised smart home device will have on the rest of the devices on the network.
- Oftentimes, wireless access points or routers are set up by default to not use encryption and to not require a password. It is always recommended to turn on WPA2 encryption for your wireless networks and to establish a strong password with our next recommendation in mind.
- Change passwords on all network devices, especially from default “admin” accounts, and be sure to use strong passwords of at least 8 characters including uppercase and lowercase letters, special characters, and numbers.
- Many mobile devices have no PIN or unlock pattern (where you swipe your finger in a specific pattern on the screen) enabled when sold. Be sure to enable PINs or unlock patterns for all your mobile devices to secure them from unwanted entry by others.
- Automatic updates are often disabled by default. Be sure to turn on this setting to ensure your device receives important security updates when they are released.
- Many mobile devices support remotely wiping the device if the device is lost or stolen. Be sure to enable the remote wipe functionality in case the device is ever lost or stolen.
- Turn off location services if not needed.
- Cameras and audio input may be enabled by default on certain devices and applications, giving an attacker access to surveillance. Disable these features if not needed.
- Replace unsecure devices with more secure ones.
Staying Safe from Tax Scams
Though Benjamin Franklin is often quoted as saying “in this world, nothing can be said to be certain, except death and taxes,” an updated version for the current day would need to include tax scams. As people nationwide seek to file their tax returns, cybercriminals attempt to take advantage of this with a variety of scams. Hundreds of thousands of U.S. citizens are targeted by tax scams each year, often only learning of the crime after having their legitimate returns rejected by the Internal Revenue Service (IRS) because scammers have already fraudulently filed taxes in their name. The IRS reported a 400% rise in phishing scams from the 2015 to the 2016 tax season. In the state, local, tribal, and territorial government sector during 2017, approximately 30% of all reported data breach incidents were related to the theft of W-2 information, which was likely used for tax fraud.
Another way criminals gather your information is through the W-2 variant of the Business Email Compromise scam. Criminals using this scam trick others into providing your personal information.
How is Tax Fraud Perpetrated?
Unfortunately, much of your personal information can be gathered from multiple locations online with almost no verification that the right person is receiving the information. Criminals know this, so they use this trick to get your personal information from a variety of websites and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, they will file it with false information to get a large refund, forcing you to go through the arduous process of proving that you did not file the return and subsequently correcting the return. Once they have your personal information, criminals can continue to commit identity theft well beyond the tax season.
Another favorite technique used by criminals during the tax season is sending phishing messages indicating that a new copy of your tax form(s) is available. These emails often impersonate state, local, tribal, and territorial government comptroller and/or IT departments. They might include a link to a phishing website that uses your organization’s logo and the email might even have the right signature line. If you fill out or attempt to log in to the phishing website, the criminals will be able to see your login name and password, which they can then use to try and compromise your other accounts. The more information they gather from you, the easier it is for them to use the information to file a fake tax return in your name.
Tax fraudsters also impersonate the IRS and other tax officials to threaten taxpayers with penalties if they do not make an immediate payment. This contact may occur through websites, emails, or threatening calls and text messages that look official but are not. Sometimes, criminals request their victims pay the “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember:
- The IRS will not initiate contact about payment with taxpayers by phone, email, text messages, or social media without sending an official letter in the mail first.
- The IRS will not call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- The IRS will not threaten to immediately notify local police or other law-enforcement agencies to have you arrested for not paying.
- The IRS will not demand that you pay taxes without giving you the opportunity to question or appeal the amount you owe.
What Can You Do?
Here are some basic tips to help you minimize the chances of becoming a victim of a tax scam:
- If you haven’t already, file your taxes as soon as you can…before the scammers do it!
- Be aware of phone calls, emails, and websites that try to get your information, or pressure you to make a payment. If something seems suspicious, contact the organization through a known method, like their publicly posted customer service line.
- Ignore emails and texts asking for personal or tax information. Be cautious as to whom you provide your information, including your Social Security Number and date of birth.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real organizational website into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted websites. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Remember, the “HTTPS” does not mean a site is legitimate.
- Shred all unneeded or old documents containing confidential and financial information.
- Check your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus if you suspect you have been targeted for identity theft.
If you receive a tax-related phishing or suspicious email at work, report it according to your cybersecurity policy. The IRS encourages taxpayers to send suspicious emails related to tax fraud to its firstname.lastname@example.org email account or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website will provide a step-by-step recovery plan. It also allows you to report if someone has filed a tax return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
Spotting and Avoiding Olympic Scams
In February, the best athletes from around the world will gather in PyeongChang to test their skills against one another at the Winter Olympics. Entire countries will wait with excitement to see the outcomes of individual competitions and count the medals. However, as with any high-profile event, cybercriminals and scammers will also focus on the Games, using your interest in the Olympics to try to trick you into visiting malicious websites, opening malicious spam, downloading malware, and falling for scams. Below we will explore these tactics and techniques, and provide recommendations on how to spot and avoid them, so you can safely enjoy the Games!
Malicious Olympic Websites and Apps
Cybercriminals commonly create convincing but fraudulent websites as a means to distribute malware or gather information about you. This year there will also likely be many suspicious and, possibly, malicious Olympic-themed mobile apps intended to compromise your smartphones and tablets. Whether you’re looking to find out the current medal count, who won the bobsled race, see an amazing figure skating routine, or find out what curling is, these malicious websites and apps will be there for you.
You can start protecting yourself by being careful what websites you visit and emails you open. As with any high-profile event, it’s always safest to get your news from websites you already know and trust. When you get that email with the link to the video you just have to see or the fascinating story of the amazing win, remember to Hover to Discover. This means to hover your mouse over the link and see where the link is really sending you. If you don’t recognize the website, don’t click on the link. Instead, go to the official Olympics website or another online website that you trust and look for the video or news there.
You can also like/friend/follow the official Olympics accounts on your favorite social media platforms (Google+, YouTube, Twitter, and Facebook) and get the news directly from the source, instead of waiting for potentially suspicious links to appear later. As the Games get closer, many social media apps will also likely roll out news feeds and other special features related to the Games. Keep an eye out for those so you can safely stay in the know!
Of course, there’s also an official Olympic app for your smart device! The Olympics website says the app will contain real-time updates and news, as well as images, videos, and the medal count. The app is available in the Google Play Store and iOS App Store. Since there are a lot of other Olympic apps, some of which are malicious, make sure you’re careful to download the right one! You can check the app against the app images on the Olympics.org website.
Olympic Games Related Scams
When it comes to high-profile events like the Olympics, cybercriminals always seek to trick you with scams, too. Many of these scams may involve websites that sound and look legitimate. This is because criminals often register these domains with names similar to the event, so that the website name adds credibility to their scams. Two very common Olympic scams are:
Trip and Lottery/Sweepstakes Scams
With this year’s Winter Olympics occurring in PyeongChang, South Korea, it is a bit pricey to head over to view the Games in person. Scammers commonly send phishing emails during and leading up to Olympic Games identifying the recipient of the email as the winner of a sweepstakes or lottery for tickets to the Games and travel arrangements. You just have to pay a “fee” or “tax” first and provide a few details… maybe including your Social Security Number or credit card number. Whether they seek your payment information to take your money or your personally identifiable information for identity theft, these notices are always false and should be avoided, as you cannot win a lottery that you have not entered!
Olympic Merchandise Offers
As with lots of other events, there will be Olympic merchandise for sale so you can display your pride and support your favorite athletes. This is great, just be careful where you buy from as you may receive emails or see online advertisements enticing you to purchase fraudulent or counterfeit items from less than reputable vendors. At best, by clicking on these advertisements and offers you will open yourself to the risk of purchasing counterfeit merchandise and at the worst, you open yourself to the risk of having your payment information or identity stolen. Display your team pride by ignoring these suspicious offers and purchasing your merchandise through a known, trusted, and authorized retailer.
It’s also a good idea to make all online purchases through an alternative or more secure payment system, such as Visa Checkout, Mastercard Securecode, or PayPal. Otherwise consider using one credit card (not a debit card!) for all online purchases. As always, remember to look for the “HTTPS” in the URL and the little lock icon in the browser bar to ensure your communication with the trusted vendor is safe. If you don’t see these, don’t submit sensitive information to that website. Lastly, remember to always make your purchases on a trusted, secure network, never through public, unsecured Wi-Fi.
We hope you safely enjoy the 2018 PyeongChang Winter Olympics.
Online Dating Scams
With Valentine’s Day around the corner, we want to make our customers aware of Online Dating Scams.
Scammers know millions of people use online dating services. They are there, too, hiding behind profiles.
Top Signs of an Online Dating Site scam:
- Professes love quickly;
- Claims to be from the U.S., but is overseas for business or military service;
- Asks for money and lures you off the dating site;
- Claims to need money for emergencies (hospital bills or travel);
- Plans to visit but can’t because of an emergency.
In 2016, there were 14,456 reports filed in the United States, with losses of around $220 million. Online Dating Scams have more than tripled over the last 5 years!
What should you do if you think you are being scammed?
- Slow down – and talk to someone you trust. Don’t let a scammer rush you.
- Never wire money, put money on a gift card or cash reload card, or send cash to an online love interest. You won’t get it back.
- Contact your bank right away if you think you’ve sent money to a scammer.
- Report your experience to:
National Data Privacy Day, January 28th
January 28th is National Data Privacy Day, an educational initiative focusing on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.
To understand the importance of Data Privacy Day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most times PII refers to “sensitive PII” such as Social Security, driver’s license, state identification, or financial account numbers. Sensitive PII can also exist if PII is combined with another piece of information about you such as a birthdate, medical information, or even passwords. The more pieces of data combined about an individual, the more valuable and sensitive the body of information becomes.
Privacy is often considered to be the concept of confidentiality, which is keeping information secret from those that should not see it. While that is an aspect of privacy, often called “need to know,” privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity has about you.
Organizations that honor your privacy will not only protect confidentiality, but should follow a set of principles related to how they manage your information, including:
- Not collecting more information than they need to conduct their business with you;
- Informing you of what they will do with the information that they collect and not doing more with it than they have promised;
- Retaining the information for only as long as it is needed and then properly destroying the information;
- Not sharing your information with others without your permission, except as required by law;
- Allowing you to review and correct information if necessary.
To understand your privacy rights it is essential that you read the privacy policies of any organization to whom you provide information, especially PII. This includes websites, health care providers, insurance companies, and financial institutions. If you do not agree with how they intend to protect your privacy, consider not using their service.
Privacy is a Shared Responsibility:
Identity Theft Protection:
Despite many organizations’ best efforts in handling and using your private information properly, the countless breaches of PII by cyber criminals in the past few years have resulted in the exposure of information about millions of people. One reaction to such breaches can be to provide credit monitoring for one year. This is a very short amount of time to have such a protection. Those that have stolen the information, or those to whom they have passed it on, may hold it for much longer than a year before using it to steal your identity, commit credit card fraud, or worse in your name. If you have been a victim of a breach, check out some of the FTC’s resources on starting a credit freeze to protect yourself.
If you are considering Identity Theft protection services, research the firms that you are considering engaging and ensure you understand the services they will and will not provide. Also, read their privacy policies, because for them to deliver these services you must provide them with varying amounts of PII.
Protecting privacy is both your responsibility and that of those individuals and organizations that have information about you. Do everything in your power to be aware of how you personally can compromise your privacy and hold those organizations that you engage with accountable for their management, or mismanagement, of your personal information.
For More Information:
US-CERT Data Privacy Day Events
Online Trust Alliance Data Privacy & Protection website.
Stay Safe Online website. National Cyber Security Alliance
Forbes, Data Privacy Day: Easy Tips to Protect Your Privacy
Avoiding Holiday Scams
The holiday season is a great time to make charitable gifts to support the causes you care about, and charities often run end-of-year fundraising campaigns. However, criminals take advantage of this fact and run scams and frauds of their own to fool consumers into giving them money instead. Below are some common scams and frauds used by cybercriminals and some tips on how to avoid them. If you can spot these seasonal tricks, you are more likely to ensure your donation goes where you intend it to go.
Fake Charity Websites
One of the most convincing ways for cybercriminals to exploit charitable giving is by creating convincing charity websites. These websites are in fact fraudulent and may copy an existing charity’s site or use the charity’s name and branding. While few techniques are foolproof for detecting fake or malicious websites, try to follow these recommendations:
- Whenever possible, browse directly to the charity by entering the charity’s URL directly into your browser’s address bar.
- If you are not sure of the charity’s URL, an Internet search can help, but instead of automatically clicking on the first link, look at the top few links. If the top link is what you want, great, but if you see several very similar links this could indicate one of them is a potentially fraudulent website.
- Carefully study the website’s URL for typos, such as two “v” characters in place of a “w” or an “i” instead of an “l.” If you’re not sure about a potential typo, try changing to all capitals or a different font.
- Fraudulent charity websites frequently use domain names and email addresses that sound legitimate. You can do a little research into what the correct domain name and email address should be by looking into the organization using resources recommended by the Federal Trade Commission in their charity guide, or through resources like GuideStar, Charity Navigator, and Charity Watch.
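The URL typo check in the list above can be done mechanically once you have a short list of domains you have already verified. The following is an added example, not part of the original article: the trusted list and its `.example` domains are constructed, the function names are hypothetical, and it goes slightly beyond the two substitutions named above by also folding “rn” for “m”, “0” for “o” and “1” for “l”.

```python
# Domains the reader has already verified out of band (constructed sample list).
TRUSTED = ["wildlife-relief.example", "childrens-fund.example"]

# Character sequences that are easy to mistake for one another on screen.
# "vv" for "w" and "i" for "l" are the cases the article names; the rest
# are added assumptions of the same kind.
FOLDS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("i", "l")]


def normalize(domain):
    """Lower-case the name and drop surrounding space and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def skeleton(domain):
    """Fold look-alike sequences so visually similar names compare equal."""
    folded = normalize(domain)
    for sequence, replacement in FOLDS:
        folded = folded.replace(sequence, replacement)
    return folded


def classify(candidate, trusted=TRUSTED):
    """Return (verdict, detail) for a domain seen in a link or search result.

    trusted    -- exact match with a verified domain
    lookalike  -- differs from a verified domain only by look-alike characters
    suspicious -- contains non-ASCII or punycode labels; compare by hand
    unknown    -- no relation to the trusted list; research before donating
    """
    name = normalize(candidate)
    labels = name.split(".")
    if not name.isascii() or any(label.startswith("xn--") for label in labels):
        return ("suspicious", "non-ASCII or punycode label")
    known = [normalize(good) for good in trusted]
    if name in known:
        return ("trusted", name)
    for good in known:
        if skeleton(name) == skeleton(good):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed candidates: two typo variants, one exact match, one unrelated.
    for seen in ["vvildlife-relief.example", "wildIife-relief.example",
                 "wildlife-relief.example", "other-charity.example"]:
        print(seen, "->", classify(seen))
```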
Social Media Donation Pleas
Scammers commonly impersonate staff from major charities via social media channels, as this makes it easier for them to impersonate someone else. Avoid making donations through social media and never send your personal or payment information in a social media message. Instead, consider heading directly to a charity’s established website.
In addition to traditional charity scams at this time of year, social media is also susceptible to the spread of a variety of pyramid schemes and other charity scams. Pyramid schemes involve the simple but unsustainable premise of receiving more than you give. One of the most common schemes on social media right now involves 7 bottles of wine. You receive the message indicating that to participate you should send one bottle of wine to the person who tagged you and post the message, tagging 6 other people who will each send you a bottle. Another scheme purports to be from a sick child who wants something – holiday cards for example and asks you to send a card and share the post with all your friends so that they will send a card, too. If you come across one of these viral posts, let it stop with you! Don’t share it, repost it, or send anything along, and do take a moment to educate your friends!
When donating to a charity, make sure that the charity is a registered charity under U.S. or international tax law. U.S. 501 charities have to make certain information public and you can look the charity and its information up under any of the several charity tracking websites
Shopping Safely Online
Making #CyberMonday #CyberSecure
As Cyber Monday and the season for online shopping quickly approaches, it’s worth taking a few moments to ensure you’re not giving the gift of your personal or financial information to online criminals! Identity theft, scams, frauds, and malware infections are serious problems that target shoppers during the holiday season and can arise from using your devices to find the perfect gift. Below, we will explore some key tip
Create and maintain your online shopping accounts safely
- Establish a strong password for each online shopping account. Always use more than ten total characters consisting of upper case letters, lower case letters, numbers, and special characters to create a strong password.
- Use different passwords on each of your online accounts. If one retailer experiences a data breach in which your credentials are leaked, using the same password between accounts makes it quick and easy for criminals to exploit you and your information. If you have trouble remembering all your unique passwords, consider using a pattern for your password or a password manager.
- Check out as a guest to avoid saving payment information online. The inconvenience of having to enter your credit card information each time keeps you safer because a data breach at a retailer will not expose your financial information. It also means your payment information is not saved or ready to be used by anyone who gets access to your account.
- Use one credit card online or pay through a secure online mechanism. By using only one credit card online you’re limiting the damage that can happen if malicious actors gain that information. Alternatively, use one of the online payment mechanisms, such as PayPal.
Shop with trusted online retailers while browsing safely
- Use well-known online retailers that have an established reputation for cybersecurity. Verify that they have good contact information listed on their site, and check with the Better Business Bureau or the FTC if you have questions or concerns.
- Look for the lock symbol at the top of your browser or “https” in your URL bar. These mean that your communications with the website are encrypted and safe from prying eyes.
- Never shop or login to personal accounts when on public Wi-Fi or a public device. Public Wi-Fi can make all the personal information that you transmit visible to criminals. Public, shared devices, such as kiosks or library computers, can be infected with malware that will steal your information.
- Do not leave your browser open on a shopping site for long periods of time. Websites that use advertising feeds have occasionally had them hijacked by cyber criminals, who are then able to put malware on your device. This malware can steal your personal information or encrypt your device and demand a ransom to return it to your control.
- Keep your devices up-to-date. Always apply updates to your devices and software when they are available. Keeping devices up-to-date means you have applied all the available fixes for known problems and vulnerabilities. This makes you more secure.
Be smart when it comes to email confirmations and tracking information
- Be careful which links you click in your emails. At this time of year a favorite trick among cyber criminals is to send emails purportedly from the major shipping companies with a link to track your package. These may be a scam to download malware. They count on the fact that you’ve ordered many things online and are waiting for a package. Instead, cut and paste the tracking number into the shipping company’s website in order to track it. Additionally, always head directly to the site of the company you want to shop with by entering the URL into your browser when aiming to log in. Avoid clicking links directing you to log in, as they may send you to a malicious site that looks real, but can just steal your information.
- Do not use your work email address for retail accounts. By using one of the free webmail accounts, such as Gmail or Hotmail, it will be much easier to identify a potentially malicious email coming to your work email, since the online retailers should not know that email address. This can also help you prevent criminals from knowing where you work, which is information they can potentially use to hack into your work account!
National Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) is now in its 14th year. This annual month-long event dedicates October to reminding all digital citizens and businesses that protecting our computers and networks is “Our Shared Responsibility” and that everyone plays a critical role in promoting safe computing. The NCSAM is led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). The month’s primary goal is to provide Internet users and businesses with the information and tools they need to be safer and more secure online, including education about how to protect personal information in today’s highly connected world. Everyone can join in and be a part of something big by becoming a NCSAM 2017 Champion. Hundreds of organizations and individuals have officially signed on as Champions to support the month. NCSAM Champions strengthen and boost the greater effort by spreading the word and hosting NCSAM Partner Events about online safety at home, at work, and in the community.
NCSAM 2017 kicked off on October 1st with a strong reminder for all digital citizens to
STOP: make sure security measures are in place
THINK: about the consequences of your actions and behaviors online
CONNECT: and enjoy the Internet.
Cybersecurity in the Workplace is Everyone’s Business
Whatever your place of work – whether it’s a large or small organization, healthcare provider, academic institution or government agency – creating a culture of cybersecurity from the breakroom to the board room is essential and a shared responsibility among all employees. NCSA’s advice, based on national standards, recommends that organizations have a plan in place to identify your digital “crown jewels,” protect your assets, be able to detect incidents, have a plan for responding, and quickly recover normal operations. You can help your organization do this: take part in cybersecurity discussions, learn how to protect the digital “crown jewels,” and what to do if you detect an incident. Then expand this to your home: identify what you would hate to lose, and ensure that information is protected with antivirus software and backed up somewhere else. Be sure everyone in your family knows how to detect and recover from an incident.
NCSA and DHS are highlighting particular themes as we continue through the month. We invite you to join in each coming week, with the following user-friendly, actionable advice:
Today’s Predictions for Tomorrow’s Internet
Take a look into our future through the lens of the connected Internet and identify strategies for security, safety, and privacy while leveraging the latest technology. With the explosion of digital interconnectivity, it is critical to explore everyone’s role in protecting our cyber ecosystem. NCSA’s top tips include:
- Learn how to safeguard your Internet of Things (IoT) devices: Protecting devices like wearables and smart appliances can be different than securing your computer or smartphone. Research how to keep an IoT device secure before you purchase it and take steps to safeguard your device over time.
- Pay attention to the Wi-Fi router in your home: Use a strong password to protect the device, keep it up-to-date and name it in a way that won’t let people know it belongs to you.
- Delete when done: Many of us download apps for specific purposes or have apps that are no longer useful or interesting to us. It’s a good security practice to delete apps you no longer use.
The Internet Wants You: Consider a Career in Cybersecurity
A key risk to our economy and security is the shortage of cybersecurity professionals to protect our extensive networks. Growing the next generation of a skilled cybersecurity workforce – along with training those already in the workforce – is a starting point to building stronger defenses. Here are a couple of to-dos for parents or anyone interested in a cybersecurity career of their own:
- Volunteer at schools, after-school programs, boys and girls clubs, and community workshops to teach kids about online safety and cybersecurity careers. Check out NCSA’s online safety resources for ideas on what to cover and materials you can use.
- Learn more about starting your own path to a cybersecurity career by checking out the National Initiative for Cybersecurity Education (NICE) Framework. The framework provides information on what knowledge, skills, and abilities are valued by employers for different cybersecurity jobs.
Equifax Data Breach – Frequently Asked Questions
I’ve been hearing about the Equifax breach in the news. What happened?
Equifax, one of the three major credit bureaus, experienced a massive data breach. The data breach at the company may have affected 143 million Americans. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.
In a press release, Equifax said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing. Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.
Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.
Was my information stolen?
If you have a credit report, there’s a good chance it was. Go to a special website set up by Equifax to find out: https://www.equifaxsecurity2017.com/. Scroll to the bottom of the page and click on “Potential Impact,” enter some personal information and the site will tell you if you’ve been affected. Be sure you’re on a secure network (not public wi-fi) when you submit sensitive data over the internet.
How can I protect myself?
Enroll in Equifax’s services.
Equifax is offering one year of free credit monitoring and other services, whether or not your information was exposed. You can sign up at https://www.equifaxsecurity2017.com/.
Monitor your credit reports.
In addition, you can order a free copy of your credit report from all three of the credit reporting agencies at annualcreditreport.com. You are entitled to one free report from each of the credit bureaus once per year.
Monitor your bank accounts.
We also encourage you to monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on your accounts.
Watch out for scams related to the breach.
Do not trust e-mails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing e-mails.
What is First State Bank & Trust Company doing to protect my information?
In order to provide our customers with efficient service while preventing unauthorized access to your account information, staff at First State Bank & Trust Company may ask additional questions about your account for verification during telephone inquiries, beyond the information that could have been compromised in the breach. These additional inquiries may include information about the opening of the account or information on recent transactions.
You may also ask a customer service representative to establish an Identity Theft Question that must be answered before any information will be given on your account.
Should I place a credit freeze on my files?
Before deciding to place a credit freeze on your accounts, consider your personal situation. If you might be applying for credit soon or think you might need quick credit in an emergency, it might be better to simply place a fraud alert on your files with the three major credit bureaus. A fraud alert puts a red flag on your credit report which requires businesses to take additional steps, such as contacting you by phone before opening a new account.
How do I contact the three major credit bureaus to place a freeze on my files?
Equifax: Call 800-349-9960 or visit its website.
Experian: Call 888-397-3742 or visit its website.
TransUnion: Call 888-909-8872 or visit its website.
Where can I get more information about the Equifax breach?
You can learn more directly from Equifax at https://www.equifaxsecurity2017.com/. You can also learn more by visiting the Federal Trade Commission’s web page on the breach at https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. To learn more about how to protect yourself after a breach, visit https://www.identitytheft.gov/Info-Lost-or-Stolen.
Free Credit Reports:
You are entitled by law to a free credit report from each of the Big 3 once a year. This means you can check your credit 3 times a year (once every 4 months with each of the bureaus). The only site you need to obtain this free copy is annualcreditreport.com, or by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring. There are lots of look-alike sites out there (like freecreditreport.com) that are not the real, government-mandated service.
Your free credit report will show all your lines of credit and other debt obligations, along with lots of data. However, it won’t show your FICO score; it usually costs money to get your FICO score.
Connected Home Devices: The Internet of Things
What is the Internet of Things (IoT)?
We have become more connected than ever before. A little over ten years ago, we only accessed the Internet through a laptop or a desktop computer. Then, we added phones and tablets to our list of connected devices. Today, we have even smaller connected devices, such as fitness trackers and smart watches. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. The list of Internet connected devices, or “things”, keeps growing. Kevin Ashton, cofounder and executive director of the Auto-ID Center at the Massachusetts Institute of Technology (MIT), first mentioned the term Internet of Things (IoT) in 1999, but the first device to be connected to the Internet was actually a Coke machine at Carnegie Mellon University in the early 1980s. Programmers could connect to the machine over the Internet, check the status of the machine, and determine whether there would be a cold drink waiting for them. Today, IoT consists of everyday devices that are connected to the Internet, such as fitness trackers, vehicles, smart televisions, doorbells, light bulbs, home security systems, thermostats, and refrigerators. Basically, if it is not a computer, smartphone or tablet, and it connects to the Internet, it can be called an IoT device.
What are the issues with IoT devices?
Many people know they should install anti-virus (AV) software on their computers and be careful of what websites they visit or software they download. Unfortunately, most people probably do not consider their IoT devices to be a security threat. These devices are more accessible and make our lives more integrated, but many of the companies behind these new devices are not designing them with security in mind. For example, many IoT devices have default passwords that are well known and cannot be changed, or cannot be changed easily. They also can be difficult or impossible to update to mitigate known vulnerabilities, or have no settings to customize security.
Our dependence on Internet-connected devices has grown faster than the means, and/or awareness, to secure them. Leaving IoT devices unsecured, as with any Internet connected device, is like leaving the back door to your house unlocked. It gives attackers access to your personal information and the potential to further compromise other devices on your network. It also gives attackers the means to propagate their attacks onto others by using your insecure devices to attack other networks and devices.
How can you secure your IoT device?
So, what can you do to enjoy the functionality of IoT devices and remain more secure at the same time? The following tips may help you in these endeavors:
- Know what IoT devices are connected to your network. It is possible that there are devices connected to your network that you do not know about.
- Consider only purchasing devices that you need to use. Some Internet-capable devices may be nice to have, but provide limited benefit and reduce your security.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Update the device’s software, if possible. If you update your device regularly, this will reduce the chances of a successful attack.
- Replace default passwords with unique and strong ones of your choosing. Passwords should have upper and lower case characters, numbers, and special characters, with at least 10 total characters.
- Configure security and privacy options, such as enabling encryption and limiting the information your devices share.
- Replace insecure IoT devices with more secure ones. Seek out reviews on these devices that address security features and patching support to determine which ones may have a reasonable baseline of security.
Identifying and Reporting Common Scams
On July 6, 2017 the Federal Trade Commission (FTC) issued an alert on scammers posing as FTC officials who contact individuals and claim they have won prizes from a charity contest. The scammers ask for money to cover taxes or insurance costs associated with the prize. While this is a new malicious campaign, scammers use these basic tactics time and time again with slightly different wording to take advantage of unsuspecting individuals. It may seem like a day doesn’t go by without scammers contacting you online or by phone seeking money and/or personal information. Since this is so commonplace, it is worth exploring how to identify these schemes, and how to go about reporting them in the event that scammers target you.
Identifying the scam
Two common financial schemes involve coercing individuals into paying money to prevent a negative outcome, such as a tax audit or police investigation, or asking the individual to pay a fee up front to claim a prize. A third type of scam seeks individuals’ personally identifiable information (PII), such as Social Security numbers and birthdates, to commit identity theft. Individuals providing information to scammers may suffer large financial losses, as well as negative impacts to their credit. It is important that you know how to spot these scams so you can easily ignore them.
It's most likely a scam if you...
- have to pay money to claim a “prize” or “winnings”
- are asked for money to stop or prevent a police, FBI, or other federal investigation
- have to provide your bank account number and information
- are specifically asked to purchase any form of prepaid gift card to be used as payment
- are approached with no prior contact to give out your date of birth, social security number, password, username or other personal sensitive information online or over the phone
- are approached online or by phone in an unprovoked manner and asked for payment or personal information by someone claiming to be a government employee on official business
One final thing to be aware of is that scammers create convincing emails that may look like official communication from your bank, credit card issuer, or a retailer. These emails often include a link to a very convincing, yet fraudulent website that will ask you to log in with your username and password. If you provide your credentials, the criminal can then use them to gain access to your legitimate account. From there, they can steal your personal information or generate fraudulent transactions. If you ever receive an email asking you to click a link to log in and update your account or change your information, be safe and use your browser to directly type in the legitimate website address for that account in order to complete this request. By doing this, you will always be sure you are on the right website.
Scammers constantly target individuals by email, false advertisements, and phone calls to bring these types of scams to fruition. Being wary of any communication that meets any of the above criteria will go a long way in keeping your information and money safe!
Finally, it is very important that targets of online or phone scams report this to the proper authorities. Although it can be a bit embarrassing to have been hit by such a crime, reporting is the only way to direct investigators and regulators to pursue the criminals behind the scam or identity theft. Aside from reporting the scam to law enforcement, it is important to work with your bank, credit card issuer, or the business where your account was compromised to take the necessary steps in preventing further financial loss.
If you are the target of a financial scam, report it to the FTC at www.ftc.gov/complaint. If this scam was via email or over the Internet, also file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov/complaint.
Targets of identity theft can also file a report at www.identitytheft.gov and receive a recovery plan detailing how to move forward based on the type of scam committed.
Are You Really Being Secure Online?
Browsing the web and interacting with websites in a secure fashion is immensely important in today’s connected world. Everyday things like online banking, shopping, and submitting your taxes involve sharing financial and sensitive information online. This makes browsing securely something that everyone should consider more closely. Below we will explore some ways to connect to the Internet and browse websites securely, as well as how you can double check that you are being secure.
Use a Secured Wi-Fi Network
Wi-Fi access is widely available, but many of the free connections are to unsecured public Wi-Fi that will leave your information travelling openly! On an unsecured public Wi-Fi network, cyber criminals can easily access the data you are transmitting due to the fact that your information is not encrypted.
A more secure public Wi-Fi network uses encryption and requires a password or credentials, provided by someone acting in an official capacity for the local business, to gain access. When looking for an available and more secure wireless network, you will see ones using encryption marked with a small lock symbol next to the name of the network. Some hotels and shops that provide free Wi-Fi to customers provide access to their secure networks by providing you with credentials or an access code when checking in, making a purchase, or on request.
If you opt to use a public Wi-Fi connection, make sure you understand the risk – others may be able to see what you do. Keep this in mind and do not conduct sensitive transactions or log in using your credentials on any sites. Not all apps and sites support encryption and other good security practices, which leaves you much more open to many types of cyber-attacks when on a public Wi-Fi connection.
Secure Your Information in Transit
Keep an eye out for that little lock icon on your browser, or the “https” in the URL! Sites that are taking security seriously will encrypt the sensitive information you are exchanging with the site. This is a strong way to ensure that your online activities like shopping or submitting personal information are protected.
The small lock icon or “https” at the beginning of the URL are indicators that encryption is currently in use. The lock icon is commonly found in the address bar on the most popular browsers, including Chrome, Firefox, Safari, Edge, and Internet Explorer.
Verify the Website
When you are looking for information or products online, make sure you are on the website you intended to visit, or are going to the correct site.
One particularly sneaky technique used by cyber criminals is called typosquatting. Typosquatting is when someone purposely owns a website whose address is similar to that of a trusted website but contains a typo. For instance, the website “thisissafe” might be trusted, but the website “thisisafe” could be a malicious website using typosquatting. People are often linked to these incorrect, but very closely named websites through phishing emails sent out by malicious actors. Many websites look the same, and sometimes criminals or other unscrupulous folks use the names and logos of trustworthy companies to mislead you. In some forms of attack, a user being led to a false, but convincing copy of a known website will be prompted to enter their legitimate credentials, which are stolen by the malicious actor who set up this ruse.
A good practice is to not click a link that is provided in your emails, and to instead go type the intended website’s address directly into your browser to ensure you get to the right place.
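For readers who filter mail or review links for others, the typo check described above can be automated. The following is an added example, not part of the original advisory: it pulls links out of a message and flags hostnames that are one or two keystrokes away from a trusted name. The `.example` hostnames, the allowlist, and the sample email are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames you actually do business with.
TRUSTED_HOSTS = {"thisissafe.example", "bank.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def osa_distance(a, b):
    """Edit distance where an insert, delete, substitution or swap of two
    adjacent characters each costs 1 (optimal string alignment)."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "si" typed instead of "is".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_host(host, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return (host, verdict, matched_trusted_host)."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for good in sorted(trusted):
        # Exact match or a subdomain of a trusted host.
        if host == good or host.endswith("." + good):
            return host, "trusted", good
    best = min(sorted(trusted), key=lambda good: osa_distance(host, good))
    if osa_distance(host, best) <= max_distance:
        return host, "lookalike", best
    return host, "unknown", None


def check_message(text):
    """Classify the hostname of every http(s) link found in a message."""
    results = []
    for url in URL_RE.findall(text):
        try:
            # .hostname ignores any "user@" part placed before the real host.
            host = urlsplit(url.rstrip(".,;")).hostname
        except ValueError:
            continue
        if host:
            results.append(classify_host(host))
    return results


# Constructed sample message.
SAMPLE_EMAIL = """Your package is waiting.
Track it: http://www.thisisafe.example/track?id=123
Account: https://thisissafe.example/login
Survey: https://thsiissafe.example/win
News: https://unrelated.example/story
"""

if __name__ == "__main__":
    for host, verdict, matched in check_message(SAMPLE_EMAIL):
        print(f"{verdict:9} {host}" + (f" (near {matched})" if verdict == "lookalike" else ""))
```

A fixed distance threshold produces false positives for very short names, so treat a "lookalike" verdict as a prompt to type the address yourself rather than as proof of fraud.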
May 8, 2017 - Skimmer identified on two First State Bank & Trust ATMs
Fremont, Neb. – First State Bank and Trust Company of Fremont learned this weekend that an ATM skimming device had been placed on the outdoor ATM at our 1005 East 23rd Street location. This device was found by a user of the machine, was removed and turned in to local law enforcement. In investigating this matter, it came to the bank’s attention that a device had been used at our 1965 East Military location.
First State feels confident that users of the 23rd Street machine will not be impacted since the device on this location was captured. We have identified bank customers whose cards may have been skimmed at the Military location and have flagged their cards in our system. We are reaching out to those affected customers. It appears only those who used the ATM at the Military branch in Fremont on Friday, May 5th – Saturday, May 6th are potentially impacted. All consumers are fully protected by the bank against fraudulent transactions. As always, we strongly encourage our customers to monitor their transaction history in online banking or through our mobile app.
If you are a non-customer who used our Military branch location and see unusual activity, please contact your bank directly for assistance. You are also fully protected against fraudulent charges, but the process does need to begin with your own financial institution.
“We take a situation like this very seriously. We are working with local and federal law enforcement on this matter and are reaching out to all identified customers. We are doing everything we can to resolve this situation quickly for those affected,” states Chuck Johannsen, President of First State Bank & Trust Company.
Here are some tips from the Office of the Comptroller of Currency/U.S. Department of the Treasury to protect your financial information:
- Walk away from an ATM if you notice someone watching you or if you sense something wrong with the machine; immediately report your suspicions to the company operating the machine or a nearby law enforcement officer.
- Before using an ATM, examine nearby objects that might conceal a camera; check the card slot for a plastic sheath before inserting your card.
- Never keep a written copy of your PIN in your wallet or purse as it could be stolen; instead memorize your PIN and keep a paper record hidden at home.
- When entering your PIN, stand close to the machine and hold your hand over the keypad or screen to make it more difficult for a person or camera to watch you.
- Beware of strangers offering to help you with an ATM that appears disabled and notify someone responsible for the security of the machine.
- Regularly review your account statements, either online or on paper, and check for unauthorized withdrawals and purchases. If you find one, immediately contact your bank or credit card provider, as this will limit your financial liability for fraudulent charges.