How to Spot Phishing Messages Like a Pro
The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.”1 When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows malicious actors to sidestep these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let’s take a look at some example phishing emails.
Subject: Low Cost Dream Vacation loans!!!
We understand that money can be tight and you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.
Please email your completed form to VacationLoans@worldbankandtrust.com.
Your dream vacation is just a few clicks away!
Dr. Stephen Strange
World Bank and Trust
177a Bleecker Street, New York, NY10012
What did you notice in message #1?
In this message, you can see that the phisher wants to give us a low cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination: the email address of the attacker. Lastly, as much as you might like Dr. Strange, he’s probably not working for a bank part-time.
Subject: Free Amazon Gift Card!!!
You name has been randomly selected to win a $1000 Amazon gift card. In order to collect you prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner.
What did you notice in message #2?
Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.
Subject: Urgent – Take Action Before Your Email Account is Deactivated
Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.
Helpdesk Support Team
What did you notice in message #3?
This email is fairly well crafted, without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgment, and it threatens the deactivation of your email account. Additionally, the link at the bottom looks like a link to Microsoft, yet it is in fact heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.
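The “hover to discover” check that all three messages rely on can be automated. The script below is an added example, not code from the original page: it walks the anchors in an HTML email body, compares the address a reader sees in the link text with the host the href actually points to, and flags links that name a known brand but lead elsewhere. The sample email body, the attacker mailbox domain and the brand-to-domain table are all constructed for this example; the two hrefs that resolve to the Center for Internet Security mirror the benign destinations the write-ups above describe.

```python
"""Flag HTML email links whose visible text disagrees with the real destination.

Added example for the three sample messages above (not code from the
original page). The email body and every hostname in it are constructed
for illustration; KNOWN_BRANDS is an assumed brand-to-domain mapping.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of brand names a reader would recognise to the
# registrable domain that legitimately serves them.
KNOWN_BRANDS = {"amazon": "amazon.com", "microsoft": "microsoft.com"}

# A visible string only counts as an "address" if it looks like a hostname.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.org cases here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def destination_host(href):
    """Host the link really goes to; for mailto: links, the domain after '@'."""
    parsed = urlparse(href)
    if parsed.scheme == "mailto":
        return parsed.path.rsplit("@", 1)[-1].lower()
    return (parsed.hostname or "").lower()


def shown_host(text):
    """Host a reader *sees* in the link text, or '' if the text is not an address."""
    t = text.strip()
    if "@" in t and "://" not in t:          # an email address in the text
        host = t.rsplit("@", 1)[-1]
    else:
        host = urlparse(t if "://" in t else "http://" + t).hostname or ""
    host = host.lower().rstrip(".")
    return host if HOST_RE.match(host) else ""


def assess_link(href, text):
    """Return the reasons a link looks deceptive (empty list if it looks honest)."""
    reasons = []
    real = destination_host(href)
    seen = shown_host(text)
    # Rule 1 ("hover to discover"): the text shows one address, the href another.
    if seen and registrable(seen) != registrable(real):
        reasons.append(f"text shows {seen} but link goes to {real}")
    # Rule 2: a known brand is named, yet the destination is not that brand's domain.
    for brand, domain in KNOWN_BRANDS.items():
        if brand in text.lower() and registrable(real) != domain:
            reasons.append(f"mentions {brand} but destination is {registrable(real)}")
    return reasons


def suspicious_links(html):
    """Scan an HTML body and return only the links that triggered a rule."""
    collector = AnchorCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            found.append({"href": href, "text": text, "reasons": reasons})
    return found


# Constructed email body echoing the three sample messages: the mailto target
# is a hypothetical attacker mailbox, and the other hrefs point at the Center
# for Internet Security just as the examples above describe.
SAMPLE_EMAIL = """
<p>Please email your completed form to
<a href="mailto:loans@attacker-mail.example">VacationLoans@worldbankandtrust.com</a>.</p>
<p>Collect your prize at
<a href="https://www.cisecurity.org/">www.amozan.com/gift-card</a></p>
<p>Verify your account:
<a href="https://www.cisecurity.org/">https://login.microsoft.com/verify</a></p>
<p>Read our newsletter at
<a href="https://www.cisecurity.org/">https://www.cisecurity.org/</a></p>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(hit["text"], "->", hit["href"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Running it flags the first three links and leaves the honest fourth one alone; the Microsoft message trips both rules because its text names a brand and shows a different host. The two-label “registrable domain” shortcut is deliberately simple and would need a public-suffix list for country-code domains such as `.co.uk`.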
With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:
Additional information and a phishing game can be found on the FTC’s website, https://www.ftc.gov/.
Reducing your Information Footprint
While spring cleaning your home and, if you’re like me, the top of your desk, consider also cleaning up your information footprint. Your information footprint is how much information about you is recorded and available in both digital and paper formats. Cleaning up your footprint can mean examining social media, online accounts, and even paper records containing sensitive information. While we may use a few key digital devices and services on a regular basis, they often contain more information about us than is necessary. It’s also likely that devices and services we don’t use anymore may still contain information. You might have that pile of paper you’ve been meaning to shred for a while, making this an opportune time to spring clean your information footprint. By spending a little bit of time and effort, you can better secure your information to safeguard against various forms of identity theft.
Disks, Hard Drives, and USB drives, Oh My!
Over the years, it’s easy to accumulate a mass of CDs, DVDs, hard drives, and USB drives that are no longer needed or that hold data you no longer need. If you have hard drives or USB drives with old data but want to continue to use them, consider following US-CERT’s guidance on how to securely clean the data off of these items before properly recycling them. Many shredders, including those rated for home use, can shred CDs and DVDs. If your shredder can’t handle them, check your local community for shredding days, as many towns, schools, and office supply businesses sponsor shredding events.
Clean Up Your Paper Trail
Many of us have a large quantity of paper documents that may contain sensitive information about ourselves, financial accounts, government identification information, tax returns, and more. Take some time to go through these documents this spring and check whether it is something you truly need to hold onto. If the answer is no, be sure to securely dispose of it by shredding it and recycling the shredded pieces. Simply ripping up sensitive documents is not enough to guarantee your information is unreadable.
Not sure how long you should hold on to those old documents? The Federal Trade Commission (FTC) has a handy website – “A Pack Rat’s Guide to Shredding” with information on how long you should hold on to those documents!
Closing Old Online Accounts
It is common for people to use many different shopping sites, social media outlets, online storage, clubs, and other online outlets that require you to enter, store, and sometimes share information from or about you. If you are no longer using any of these accounts, consider removing information that may be sensitive and consider closing them out if you do not plan to use them again. Sometimes, it is easiest to check out as a guest when shopping online at a place that you rarely, if ever, patronize. Checking out as a guest should minimize the data retained about you.
Old Social Media Accounts
Remember MySpace? LiveJournal? Do you still have that old email account or an account on an old dating website? As we move from Myspace to Facebook to Twitter, Instagram, and the other latest and greatest social media platforms, our old accounts and information are left behind, filled with personal details. Consider closing out social media accounts that you no longer use, as it will reduce your digital footprint. Keep in mind that all social media platforms have different policies when deleting old accounts and content. Be sure to read the policy. And, don’t forget to remove the app from your smartphone, too!
Oversharing on Social Media That You Do Use
If you frequently use a social media or online account but it contains lots of personal details or information that you now think should be safeguarded more closely, consider removing it from your profile or deleting the posted content. Think about if the information you continue to share could be used against you or combined with other information to be used against you. Enough pieces of personal information combined together can be very useful to cybercriminals.
Be aware of any information that you share that could be used to answer “challenge” questions, which are frequently used to reset passwords. What does that mean? How could information be combined to be used against you? Think about your online bank account. If you forget your password, what types of questions do they ask? Probably something about the color of your car, your mother’s maiden name, your birthday, or pets’ names. Did you post a picture of your new car? Friend your mother or her brother on social media? Answer a meme about your birth month and day? Share adorable pictures of Fluffy? If you did, you’ve helped someone find out the answers to your bank’s security questions!
This is the case for many of the pieces of information you may share online and for the many online accounts that use challenge questions to reset passwords. Information commonly used for challenge questions includes the above examples and other details, such as your favorite sports team, vacation spot, fruit, ice cream, type of reading material, youngest sibling, elementary school name, and so on. As you clean up your data, think about what information could be used to answer your security questions and try to remove that data from your social media accounts.
In closing, these short tips can make a world of difference in lowering your information’s exposure to others. By questioning if you need to share or provide certain information online as you move forward, you can save yourself from many of the unnecessary overexposures we discuss here. Additionally, by taking a look at both your digital and paper trails to do these activities on a routine basis, you can be sure to keep overexposure in check.
I’m connected. You’re connected. We’re all connected!!
We are more connected than ever before. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. Today, our everyday devices are connected to the world including laptops, mobile phones, fitness trackers, smart televisions, home security systems, thermostats, and refrigerators. Additionally, let us not forget the devices that connect everything else together, such as routers, access points, and modems.
Many people may not consider their connected devices to be a security threat, but they absolutely can be. One of the issues with such devices is that many of them do not come configured with security in mind and connecting an unsecure device to your network is like leaving the back door to your house unlocked as it gives attackers access to your personal information. Manufacturers develop products to be more accessible, more user-friendly, and to make our lives more integrated. However, that also means we are less secure if these devices are not properly configured. Unfortunately, some devices completely lack the option or ability to be configured, making it nearly impossible to secure them. Unsecure devices also give threat actors the means to propagate their attacks onto others by using your insecure devices to attack other networks and devices. Therefore, not only can your unsecure devices present a risk to you, but they can also become a risk to others who can be victims of an attack from your compromised devices.
Do Your Research
You should do your research before purchasing a connected device, especially a device that may allow someone access into your home, such as a surveillance camera or home security system. Check the online reviews and look at the company’s website to determine if there are warnings about the security of the device and if the company issues updates/patches to fix security concerns.
What Can You Do to Secure Your Devices?
So, what can you do to enjoy the functionality of your connected devices and remain more secure at the same time?
When you first receive your device, check the default settings and choose the more secure options, such as enabling a password or changing the default password to something only you know. Below is a list of these basic recommendations and some effective ones that may be less obvious choices.
- Network access or Internet access may be enabled on a device by default. Disable network/Internet access for devices that do not need it.
- Update the device operating system or firmware. The default operating software installed on a device may be out of date and/or contain many vulnerabilities. Updating or patching your device’s software will reduce the chances of a successful attack.
- Wireless access points (APs) are oftentimes configured to broadcast the SSID, or network name. Consider changing this setting to turn the feature off, which can better secure your WiFi network.
- Create two different WiFi networks on your wireless router, if your router supports it. Creating separate WiFi networks, using different SSIDs, allows for the ability to separate smart devices from other networked computers, smartphones and tablets. The goal of the separation is to limit the impact a compromised smart home device will have on the rest of the devices on the network.
- Oftentimes, wireless access points or routers are set up by default to not use encryption and to not require a password. It is always recommended to turn on WPA2 encryption for your wireless networks and to establish a strong password, with our next recommendation in mind.
- Change passwords on all network devices, especially from default “admin” accounts, and be sure to use strong passwords of at least 8 characters including uppercase and lowercase letters, special characters, and numbers.
- Many mobile devices have no PIN or unlock pattern (where you swipe your finger in a specific pattern on the screen) enabled when sold. Be sure to enable PINs or unlock patterns for all your mobile devices to secure them from unwanted entry by others.
- Automatic updates are often disabled by default. Be sure to turn on this setting to ensure your device receives important security updates when they are released.
- Many mobile devices support remotely wiping the device if the device is lost or stolen. Be sure to enable the remote wipe functionality in case the device is ever lost or stolen.
- Turn off location services if not needed.
- Cameras and audio input may be enabled by default on certain devices and applications, giving an attacker access to surveillance. Disable these features if not needed.
- Replace unsecure devices with more secure ones.
Staying Safe from Tax Scams
Though Benjamin Franklin is often quoted as saying “in this world, nothing can be said to be certain, except death and taxes,” an updated version for the current day would need to include tax scams. As people nationwide seek to file their tax returns, cybercriminals attempt to take advantage of this with a variety of scams. Hundreds of thousands of U.S. citizens are targeted by tax scams each year, often only learning of the crime after having their legitimate returns rejected by the Internal Revenue Service (IRS) because scammers have already fraudulently filed taxes in their name. The IRS reported a 400% rise in phishing scams from the 2015 to the 2016 tax season. In the state, local, tribal, and territorial government sector during 2017, approximately 30% of all reported data breach incidents were related to the theft of W-2 information, which was likely used for tax fraud.
Another way criminals gather your information is through the W-2 variant of the Business Email Compromise scam. Criminals using this scam trick others into providing your personal information.
How is Tax Fraud Perpetrated?
Unfortunately, much of your personal information can be gathered from multiple locations online with almost no verification that the right person is receiving the information. Criminals know this, so they exploit it to gather your personal information from a variety of websites and use it to file a fake tax refund request! If a criminal files a tax return in your name before you do, they will file it with false information to get a large refund, forcing you to go through the arduous process of proving that you did not file the return and subsequently correcting the return. Once they have your personal information, criminals can continue to commit identity theft well beyond the tax season.
Another favorite technique used by criminals during the tax season is sending phishing messages indicating that a new copy of your tax form(s) is available. These emails often impersonate state, local, tribal, and territorial government comptroller and/or IT departments. They might include a link to a phishing website that uses your organization’s logo, and the email might even have the right signature line. If you fill out or attempt to log in to the phishing website, the criminals will be able to see your login name and password, which they can then use to try to compromise your other accounts. The more information they gather from you, the easier it is for them to use the information to file a fake tax return in your name.
Tax fraudsters also impersonate the IRS and other tax officials to threaten taxpayers with penalties if they do not make an immediate payment. This contact may occur through websites, emails, or threatening calls and text messages that look official but are not. Sometimes, criminals request their victims pay the “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember:
- The IRS will not initiate contact about payment with taxpayers by phone, email, text messages, or social media without sending an official letter in the mail first.
- The IRS will not call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- The IRS will not threaten to immediately notify local police or other law-enforcement agencies to have you arrested for not paying.
- The IRS will not demand that you pay taxes without giving you the opportunity to question or appeal the amount you owe.
What Can You Do?
Here are some basic tips to help you minimize the chances of becoming a victim of a tax scam:
- If you haven’t already, file your taxes as soon as you can…before the scammers do it!
- Be aware of phone calls, emails, and websites that try to get your information, or pressure you to make a payment. If something seems suspicious, contact the organization through a known method, like their publicly posted customer service line.
- Ignore emails and texts asking for personal or tax information. Be cautious as to whom you provide your information, including your Social Security Number and date of birth.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real organizational website into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted websites. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Remember, the “HTTPS” does not mean a site is legitimate.
- Shred all unneeded or old documents containing confidential and financial information.
- Check your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus if you suspect you have been targeted for identity theft.
If you receive a tax-related phishing or suspicious email at work, report it according to your cybersecurity policy. The IRS encourages taxpayers to send suspicious emails related to tax fraud to its firstname.lastname@example.org email account or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website will provide a step-by-step recovery plan. It also allows you to report if someone has filed a tax return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
Spotting and Avoiding Olympic Scams
In February, the best athletes from around the world will gather in PyeongChang to test their skills against one another at the Winter Olympics. Entire countries will wait with excitement to see the outcomes of individual competitions and count the medals. However, as with any high-profile event, cybercriminals and scammers will also focus on the Games, using your interest in the Olympics to try to trick you into visiting malicious websites, opening malicious spam, downloading malware, and falling for scams. Below we will explore these tactics and techniques, and provide recommendations on how to spot and avoid them, so you can safely enjoy the Games!
Malicious Olympic Websites and Apps
Cybercriminals commonly create convincing but fraudulent websites as a means to distribute malware or gather information about you. This year there will also likely be many suspicious and, possibly, malicious Olympic-themed mobile apps intended to compromise your smartphones and tablets. Whether you’re looking to find out the current medal count, who won the bobsled race, see an amazing figure skating routine, or find out what curling is, these malicious websites and apps will be there for you.
You can start protecting yourself by being careful what websites you visit and emails you open. As with any high-profile event, it’s always safest to get your news from websites you already know and trust. When you get that email with the link to the video you just have to see or the fascinating story of the amazing win, remember to Hover to Discover. This means to hover your mouse over the link and see where the link is really sending you. If you don’t recognize the website, don’t click on the link. Instead, go to the official Olympics website or another online website that you trust and look for the video or news there.
You can also like/friend/follow the official Olympics accounts on your favorite social media platforms (Google+, YouTube, Twitter, and Facebook) and get the news directly from the source, instead of waiting for potentially suspicious links to appear later. As the Games get closer, many social media apps will also likely roll out news feeds and other special features related to the Games. Keep an eye out for those so you can safely stay in the know!
Of course, there’s also an official Olympic app for your smart device! The Olympics website says the app will contain real-time updates and news, as well as images, videos, and the medal count. The app is available in the Google Play Store and iOS App Store. Since there are a lot of other Olympic apps, some of which are malicious, make sure you’re careful to download the right one! You can check the app against the app images on the Olympics.org website.
Olympic Games Related Scams
When it comes to high-profile events like the Olympics, cybercriminals always seek to trick you with scams, too. Many of these scams may involve websites that sound and look legitimate. This is because criminals often register these domains with names similar to the event, so that the website name adds credibility to their scams. Two very common Olympic scams are:
Trip and Lottery/Sweepstakes Scams
With this year’s Winter Olympics occurring in PyeongChang, South Korea, it is a bit pricey to head over to view the Games in person. Scammers commonly send phishing emails during and leading up to Olympic Games identifying the recipient of the email as the winner of a sweepstakes or lottery for tickets to the Games and travel arrangements. You just have to pay a “fee” or “tax” first and provide a few details… maybe including your Social Security Number or credit card number. Whether they seek your payment information to take your money or your personally identifiable information for identity theft, these notices are always false and should be avoided, as you cannot win a lottery that you have not entered!
Olympic Merchandise Offers
As with lots of other events, there will be Olympic merchandise for sale so you can display your pride and support your favorite athletes. This is great, just be careful where you buy from as you may receive emails or see online advertisements enticing you to purchase fraudulent or counterfeit items from less than reputable vendors. At best, by clicking on these advertisements and offers you will open yourself to the risk of purchasing counterfeit merchandise and at the worst, you open yourself to the risk of having your payment information or identity stolen. Display your team pride by ignoring these suspicious offers and purchasing your merchandise through a known, trusted, and authorized retailer.
It’s also a good idea to make all online purchases through an alternative or more secure payment system, such as Visa Checkout, Mastercard Securecode, or PayPal. Otherwise consider using one credit card (not a debit card!) for all online purchases. As always, remember to look for the “HTTPS” in the URL and the little lock icon in the browser bar to ensure your communication with the trusted vendor is safe. If you don’t see these, don’t submit sensitive information to that website. Lastly, remember to always make your purchases on a trusted, secure network, never through public, unsecured Wi-Fi.
We hope you safely enjoy the 2018 PyeongChang Winter Olympics.
Go Team USA!
Online Dating Scams
With Valentine’s Day around the corner, we want to make our customers aware of Online Dating Scams.
Scammers know millions of people use online dating services. They are there, too, hiding behind profiles.
Top Signs of an Online Dating Site scam:
- Professes love quickly;
- Claims to be from the U.S., but is overseas for business or military service;
- Asks for money and lures you off the dating site;
- Claims to need money for emergencies (hospital bills or travel);
- Plans to visit but can’t because of an emergency.
In 2016, there were 14,456 reports filed in the United States, with losses of around $220 million. Online dating scams have more than tripled over the last 5 years!
What should you do if you think you are being scammed?
- Slow down – and talk to someone you trust. Don’t let a scammer rush you.
- Never wire money, put money on a gift card or cash reload card, or send cash to an online love interest. You won’t get it back.
- Contact your bank right away if you think you’ve sent money to a scammer.
- Report your experience to:
National Data Privacy Day, January 28th
January 28th is National Data Privacy Day, an educational initiative focusing on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.
To understand the importance of Data Privacy day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most times PII refers to “sensitive PII” such as Social Security, driver’s license, state identification, or financial account numbers. Sensitive PII can also exist if PII is combined with another piece of information about you such as a birthdate, medical information, or even passwords. The more pieces of data combined about an individual, the more valuable and sensitive the body of information becomes.
Privacy is often considered to be the concept of confidentiality, which is keeping information secret from those that should not see it. While that is an aspect of privacy, often called “need to know,” privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity has about you.
Organizations that honor your privacy will not only protect confidentiality, but should follow a set of principles related to how they manage your information, including:
- Not collecting more information than they need to conduct their business with you;
- Informing you of what they will do with the information that they collect and not doing more with it than they have promised;
- Retaining the information for only as long as it is needed and then properly destroying the information;
- Not sharing your information with others without your permission, except as required by law;
- Allowing you to review and correct information if necessary.
To understand your privacy rights it is essential that you read the privacy policies of any organization to whom you provide information, especially PII. This includes websites, health care providers, insurance companies, and financial institutions. If you do not agree with how they intend to protect your privacy, consider not using their service.
Privacy is a Shared Responsibility:
Identity Theft Protection:
Despite many organizations’ best efforts in handling and using your private information properly, the countless breaches of PII by cyber criminals in the past few years have resulted in the exposure of information about millions of people. One reaction to such breaches can be to provide credit monitoring for one year. This is a very short amount of time to have such a protection. Those that have stolen the information, or those to whom they have passed it on, may hold it for much longer than a year before using it to steal your identity, commit credit card fraud, or worse in your name. If you have been a victim of a breach, check out some of the FTC’s resources on starting a credit freeze to protect yourself.
If you are considering Identity Theft protection services, research the firms that you are considering engaging and ensure you understand the services they will and will not provide. Also, read their privacy policies, because for them to deliver these services you must provide them with varying amounts of PII.
Protecting privacy is both your responsibility and that of those individuals and organizations that have information about you. Do everything in your power to be aware of how you personally can compromise your privacy and hold those organizations that you engage with accountable for their management, or mismanagement, of your personal information.
For More Information:
US-CERT Data Privacy Day Events
Online Trust Alliance Data Privacy & Protection website.
Stay Safe Online website. National Cyber Security Alliance
Forbes, Data Privacy Day: Easy Tips to Protect Your Privacy
Avoiding Holiday Scams
The holiday season is a great time to make charitable gifts to support the causes you care about, and charities often run end-of-year fundraising campaigns. However, criminals take advantage of this fact and run scams and frauds of their own to fool consumers into giving them money instead. Below are some common scams and frauds used by cybercriminals and some tips on how to avoid them. If you can spot these seasonal tricks, you are more likely to ensure your donation goes where you intend it to go.
Fake Charity Websites
One of the most convincing ways for cybercriminals to exploit charitable giving is by creating convincing charity websites. These websites are in fact fraudulent and may copy an existing charity’s site or use the charity’s name and branding. While few techniques are foolproof for detecting fake or malicious websites, try to follow these recommendations:
- Whenever possible, browse directly to the charity by entering the charity’s URL directly into your browser’s address bar.
- If you are not sure of the charity’s URL, an Internet search can help, but instead of automatically clicking on the first link, look at the top few links. If the top link is what you want, great, but if you see several very similar links this could indicate one of them is a potentially fraudulent website.
- Carefully study the website’s URL for typos, such as two “v” characters in place of a “w” or an “i” instead of an “l.” If you’re not sure about a potential typo, try changing to all capitals or a different font.
- Fraudulent charity websites frequently use domain names and email addresses that sound legitimate. You can do a little research into what the correct domain name and email address should be by looking into the organization using resources recommended by the Federal Trade Commission in their charity guide, or through resources like GuideStar, Charity Navigator, and Charity Watch.
Social Media Donation Pleas
Scammers commonly impersonate staff from major charities via social media channels, because social media accounts make it easy to pose as someone else. Avoid making donations through social media and never send your personal or payment information in a social media message. Instead, consider heading directly to a charity’s established website.
In addition to traditional charity scams at this time of year, social media is also susceptible to the spread of a variety of pyramid schemes and other charity scams. Pyramid schemes involve the simple but unsustainable premise of receiving more than you give. One of the most common schemes on social media right now involves 7 bottles of wine. You receive the message indicating that to participate you should send one bottle of wine to the person who tagged you and post the message, tagging 6 other people who will each send you a bottle. Another scheme purports to be from a sick child who wants something – holiday cards for example and asks you to send a card and share the post with all your friends so that they will send a card, too. If you come across one of these viral posts, let it stop with you! Don’t share it, repost it, or send anything along, and do take a moment to educate your friends!
When donating to a charity, make sure that the charity is a registered charity under U.S. or international tax law. U.S. 501 charities have to make certain information public, and you can look the charity and its information up on any of the several charity tracking websites.
Shopping Safely Online
Making #CyberMonday #CyberSecure
As Cyber Monday and the season for online shopping quickly approach, it’s worth taking a few moments to ensure you’re not giving the gift of your personal or financial information to online criminals! Identity theft, scams, frauds, and malware infections are serious problems that target shoppers during the holiday season and can arise from using your devices to find the perfect gift. Below, we will explore some key tips.
Create and maintain your online shopping accounts safely
- Establish a strong password for each online shopping account. Always use more than ten total characters consisting of upper case letters, lower case letters, numbers, and special characters to create a strong password.
- Use different passwords on each of your online accounts. If one retailer experiences a data breach in which your credentials are leaked, using the same password between accounts makes it quick and easy for criminals to exploit you and your information. If you have trouble remembering all your unique passwords, consider using a pattern for your password or a password manager.
- Check out as a guest to avoid saving payment information online. The inconvenience of having to enter your credit card information each time keeps you safer because a data breach at a retailer will not expose your financial information. It also means your payment information is not saved or ready to be used by anyone who gets access to your account.
- Use one credit card online or pay through a secure online mechanism. By using only one credit card online you’re limiting the damage that can happen if malicious actors gain that information. Alternatively, use one of the online payment mechanisms, such as PayPal.
Shop with trusted online retailers while browsing safely
- Use well-known online retailers that have an established reputation for cybersecurity. Verify that they have good contact information listed on their site, and check with the Better Business Bureau or the FTC if you have questions or concerns.
- Look for the lock symbol at the top of your browser or “https” in your URL bar. These mean that your communications with the website are encrypted and safe from prying eyes.
- Never shop or login to personal accounts when on public Wi-Fi or a public device. Public Wi-Fi can make all the personal information that you transmit visible to criminals. Public, shared devices, such as kiosks or library computers, can be infected with malware that will steal your information.
- Do not leave your browser open on a shopping site for long periods of time. Websites that use advertising feeds have occasionally had them hijacked by cyber criminals, who are then able to put malware on your device. This malware can steal your personal information or encrypt your device and demand a ransom to return it to your control.
- Keep your devices up-to-date. Always apply updates to your devices and software when they are available. Keeping devices up-to-date means you have applied all the available fixes for known problems and vulnerabilities. This makes you more secure.
Be smart when it comes to email confirmations and tracking information
- Be careful which links you click in your emails. At this time of a year a favorite trick among cyber criminals is to send emails purportedly from the major shipping companies with a link to track your package. These may be a scam to download malware. They count on the fact that you’ve ordered many things online and are waiting for a package. Instead, cut and paste the tracking number into the shipping company’s website in order to track it. Additionally, always head directly to the site of the company you want to shop with by entering the URL into your browser when aiming to log in. Avoid clicking links directing you to log in, as they may send you to a malicious site that looks real, but can just steal your information.
- Do not use your work email address for retail accounts. By using one of the free webmail accounts, such as Gmail or Hotmail, it will be much easier to identify a potentially malicious email coming to your work email, since the online retailers should not know that email address. This can also help you prevent criminals from knowing where you work, which is information they can potentially use to hack into your work account!
National Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) is now in its 14th year. This annual month-long event dedicates October to reminding all digital citizens and businesses that protecting our computers and networks is “Our Shared Responsibility” and that everyone plays a critical role in promoting safe computing. NCSAM is led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). The month’s primary goal is to provide Internet users and businesses with the information and tools they need to be safer and more secure online, including education about how to protect personal information in today’s highly connected world. Everyone can join in and be a part of something big by becoming a NCSAM 2017 Champion. Hundreds of organizations and individuals have officially signed on as Champions to support the month. NCSAM Champions strengthen and boost the greater effort by spreading the word and hosting NCSAM Partner Events about online safety at home, at work, and in the community.
NCSAM 2017 kicked off on October 1st with a strong reminder for all digital citizens to:
- STOP: make sure security measures are in place
- THINK: about the consequences of your actions and behaviors online
- CONNECT: and enjoy the Internet.
Cybersecurity in the Workplace is Everyone’s Business
Whatever your place of work, whether it’s a large or small organization, healthcare provider, academic institution or government agency, creating a culture of cybersecurity from the breakroom to the board room is essential and a shared responsibility among all employees. NCSA’s advice, based on national standards, recommends that organizations have a plan in place to identify their digital “crown jewels,” protect their assets, be able to detect incidents, have a plan for responding, and quickly recover normal operations. You can help your organization do this: take part in cybersecurity discussions, learn how to protect the digital “crown jewels,” and learn what to do if you detect an incident. Then expand this to your home: identify what you would hate to lose, and ensure that information is protected with antivirus software and backed up somewhere else. Be sure everyone in your family knows how to detect and recover from an incident.
NCSA and DHS are highlighting particular themes as we continue through the month. We invite you to join in each coming week, with the following user-friendly, actionable advice:
Today’s Predictions for Tomorrow’s Internet
Take a look into our future through the lens of the connected Internet and identify strategies for security, safety, and privacy while leveraging the latest technology. With the explosion of digital interconnectivity, it is critical to explore everyone’s role in protecting our cyber ecosystem. NCSA’s top tips include:
- Learn how to safeguard your Internet of Things (IoT) devices: Protecting devices like wearables and smart appliances can be different than securing your computer or smartphone. Research how to keep an IoT device secure before you purchase it and take steps to safeguard your device over time.
- Pay attention to the Wi-Fi router in your home: Use a strong password to protect the device, keep it up-to-date and name it in a way that won’t let people know it belongs to you.
- Delete when done: Many of us download apps for specific purposes or have apps that are no longer useful or interesting to us. It’s a good security practice to delete apps you no longer use.
The Internet Wants You: Consider a Career in Cybersecurity
A key risk to our economy and security is the shortage of cybersecurity professionals to protect our extensive networks. Growing the next generation of a skilled cybersecurity workforce, along with training those already in the workforce, is a starting point to building stronger defenses. Here are a couple of to-dos for parents or anyone interested in a cybersecurity career of their own:
- Volunteer at schools, after-school programs, boys and girls clubs, and community workshops to teach kids about online safety and cybersecurity careers. Check out NCSA’s online safety resources for ideas on what to cover and materials you can use.
- Learn more about starting your own path to a cybersecurity career by checking out the National Initiative for Cybersecurity Education (NICE) Framework. The framework provides information on what knowledge, skills, and abilities are valued by employers for different cybersecurity jobs.
Equifax Data Breach – Frequently Asked Questions
I’ve been hearing about the Equifax breach in the news. What happened?
Equifax, one of the three major credit bureaus, experienced a massive data breach. The data breach at the company may have affected 143 million Americans. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.
In a press release, Equifax said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing. Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.
Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.
Was my information stolen?
If you have a credit report, there’s a good chance it was. Go to a special website set up by Equifax to find out: https://www.equifaxsecurity2017.com/. Scroll to the bottom of the page and click on “Potential Impact,” enter some personal information and the site will tell you if you’ve been affected. Be sure you’re on a secure network (not public wi-fi) when you submit sensitive data over the internet.
How can I protect myself?
- Enroll in Equifax’s services.
Equifax is offering one year of free credit monitoring and other services, whether or not your information was exposed. You can sign up at https://www.equifaxsecurity2017.com/.
- Monitor your credit reports.
In addition, you can order a free copy of your credit report from all three of the credit reporting agencies at annualcreditreport.com. You are entitled to one free report from each of the credit bureaus once per year.
- Monitor your bank accounts.
We also encourage you to monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on your accounts.
- Watch out for scams related to the breach.
Do not trust e-mails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing e-mails.
What is First State Bank & Trust Company doing to protect my information?
In order to provide our customers with efficient service while preventing unauthorized access to your account information, staff at First State Bank & Trust Company may ask additional questions about your account for verification during telephone inquiries, beyond the information that could have been compromised in the breach. These additional inquiries may include information about the opening of the account or information on recent transactions.
You may also ask a customer service representative to establish an Identity Theft Question that must be answered before any information will be given on your account.
Should I place a credit freeze on my files?
Before deciding to place a credit freeze on your accounts, consider your personal situation. If you might be applying for credit soon or think you might need quick credit in an emergency, it might be better to simply place a fraud alert on your files with the three major credit bureaus. A fraud alert puts a red flag on your credit report which requires businesses to take additional steps, such as contacting you by phone before opening a new account.
How do I contact the three major credit bureaus to place a freeze on my files?
Equifax: Call 800-349-9960 or visit its website.
Experian: Call 888-397-3742 or visit its website.
TransUnion: Call 888-909-8872 or visit its website.
Where can I get more information about the Equifax breach?
You can learn more directly from Equifax at https://www.equifaxsecurity2017.com/. You can also learn more by visiting the Federal Trade Commission’s web page on the breach at https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. To learn more about how to protect yourself after a breach, visit https://www.identitytheft.gov/Info-Lost-or-Stolen.
Free Credit Reports:
You are entitled by law to a free credit report from each of the Big 3 once a year. This means you can check your credit 3 times a year (once every 4 months with each of the bureaus). The only site you need to obtain this free copy is annualcreditreport.com, or by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring. There are lots of look-alike sites out there (like freecreditreport.com) that are not the real, government-mandated service.
Your free credit report will show all your lines of credit and other debt obligations, along with lots of data. However, it won’t show your FICO score; getting your FICO score usually costs money.
Connected Home Devices: The Internet of Things
What is the Internet of Things (IoT)?
We have become more connected than ever before. A little over ten years ago, we only accessed the Internet through a laptop or a desktop computer. Then, we added phones and tablets to our list of connected devices. Today, we have even smaller connected devices, such as fitness trackers and smart watches. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. The list of Internet connected devices, or “things”, keeps growing. Kevin Ashton, cofounder and executive director of the Auto-ID Center at the Massachusetts Institute of Technology (MIT), first mentioned the term Internet of Things (IoT) in 1999, but the first device to be connected to the Internet was actually a Coke machine at Carnegie Mellon University in the early 1980s. Programmers could connect to the machine over the Internet, check the status of the machine, and determine whether there would be a cold drink waiting for them. Today, IoT consists of everyday devices that are connected to the Internet, such as fitness trackers, vehicles, smart televisions, doorbells, light bulbs, home security systems, thermostats, and refrigerators. Basically, if it is not a computer, smartphone or tablet, and it connects to the Internet, it can be called an IoT device.
What are the issues with IoT devices?
Many people know they should install anti-virus (AV) software on their computers and be careful of what websites they visit or software they download. Unfortunately, most people probably do not consider their IoT devices to be a security threat. These devices are more accessible and make our lives more integrated, but many of the companies behind these new devices are not designing them with security in mind. For example, many IoT devices have default passwords that are well known and cannot be changed, or cannot be changed easily. They also can be difficult or impossible to update to mitigate known vulnerabilities, or have no settings to customize security.
Our dependence on Internet-connected devices has grown faster than the means, and/or awareness, to secure them. Leaving IoT devices unsecured, as with any Internet connected device, is like leaving the back door to your house unlocked. It gives attackers access to your personal information and the potential to further compromise other devices on your network. It also gives attackers the means to propagate their attacks onto others by using your insecure devices to attack other networks and devices.
How can you secure your IoT device?
So, what can you do to enjoy the functionality of IoT devices and remain more secure at the same time? The following tips may help you in these endeavors:
- Know what IoT devices are connected to your network. It is possible that there are devices connected to your network that you do not know about.
- Consider only purchasing devices that you need to use. Some Internet-capable devices may be nice to have, but provide limited benefit and reduce your security.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Update the device’s software, if possible. If you update your device regularly, this will reduce the chances of a successful attack.
- Replace default passwords with unique and strong ones of your choosing. Passwords should have upper and lower case characters, numbers, and special characters, with at least 10 total characters.
- Configure security and privacy options, such as enabling encryption and limiting the information your devices share.
- Replace insecure IoT devices with more secure ones. Seek out reviews on these devices that address security features and patching support to determine which ones may have a reasonable baseline of security.
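The first tip above, knowing what is actually on your network, is easier with a small inventory check. The following is an added example, not the bank’s or any vendor’s tool: it parses the neighbour table that the `arp -a` command prints on Linux or Windows, compares the MAC addresses it finds against a list of devices you have written down, and reports anything unexpected. The inventory and the sample `arp -a` output are constructed for illustration.

```python
"""Audit the devices on a home network against a hand-kept inventory.

Added example. Run `arp -a` on a machine connected to your Wi-Fi, paste the
output in place of SAMPLE_ARP (or pipe it in), and fill KNOWN_DEVICES with the
MAC addresses of the devices you recognise. Both values below are constructed.
"""
import re
import sys

# Constructed inventory: MAC address -> friendly name of a device you know about.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:ff": "router",
    "aa:bb:cc:00:00:01": "laptop",
    "aa:bb:cc:00:00:02": "phone",
    "aa:bb:cc:00:00:03": "thermostat",
}

# Constructed sample of `arp -a` output, mixing the Linux and Windows formats.
SAMPLE_ARP = """\
? (192.168.1.1) at aa:bb:cc:00:00:ff [ether] on wlan0
? (192.168.1.10) at aa:bb:cc:00:00:01 [ether] on wlan0
? (192.168.1.11) at aa:bb:cc:00:00:03 [ether] on wlan0
  192.168.1.20          aa-bb-cc-00-00-42     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# An IPv4 address followed (anywhere later on the line) by a MAC address,
# with either ":" or "-" as the separator.
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)


def parse_arp(text):
    """Yield (ip, mac) pairs from arp -a output; MACs normalised to lowercase colon form."""
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        mac = m.group("mac").lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff":  # broadcast entry, not a device
            continue
        yield m.group("ip"), mac


def audit(text, known=KNOWN_DEVICES):
    """Split current neighbours into known and unknown devices.

    Also lists inventory devices that are not currently seen, which is normal
    (a phone that is out of the house) but worth a glance.
    """
    seen = dict(parse_arp(text))  # ip -> mac
    known_seen = {ip: known[mac] for ip, mac in seen.items() if mac in known}
    unknown = {ip: mac for ip, mac in seen.items() if mac not in known}
    missing = sorted(name for mac, name in known.items() if mac not in seen.values())
    return {"known": known_seen, "unknown": unknown, "missing": missing}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARP
    report = audit(text)
    for ip, name in sorted(report["known"].items()):
        print(f"known    {ip:<16} {name}")
    for ip, mac in sorted(report["unknown"].items()):
        print(f"UNKNOWN  {ip:<16} {mac}   <- investigate")
    for name in report["missing"]:
        print(f"not seen {name}")
```

On the constructed sample the device at 192.168.1.20 is flagged as unknown and the phone is reported as not currently seen. An unknown entry is not proof of an intruder (a guest’s phone or a device whose MAC you never recorded shows up the same way), but it is the prompt to go and find out what it is.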
Identifying and Reporting Common Scams
On July 6, 2017 the Federal Trade Commission (FTC) issued an alert on scammers posing as FTC officials who contact individuals and claim they have won prizes from a charity contest. The scammers ask for money to cover taxes or insurance costs associated with the prize. While this is a new malicious campaign, scammers use these basic tactics time and time again with slightly different wording to take advantage of unsuspecting individuals. It may seem like a day doesn’t go by without scammers contacting you online or by phone seeking money and/or personal information. Since this is so commonplace, it is worth exploring how to identify these schemes, and how to go about reporting them in the event that scammers target you.
Identifying the scam
Two common financial schemes involve coercing individuals into paying money to prevent a negative outcome, such as a tax audit or police investigation, or asking the individual to pay a fee up front to claim a prize. A third type of scam seeks individuals’ personally identifiable information (PII), such as Social Security numbers and birthdates, to commit identity theft. Individuals providing information to scammers may suffer large financial losses, as well as negative impacts to their credit. It is important that you know how to spot these scams so you can easily ignore them.
It's most likely a scam if you...
- have to pay money to claim a “prize” or “winnings”
- are asked for money to stop or prevent a police, FBI, or other federal investigation
- have to provide your bank account number and information
- are specifically asked to purchase any form of prepaid gift card to be used as payment
- are approached with no prior contact to give out your date of birth, social security number, password, username or other personal sensitive information online or over the phone
- are approached online or by phone in an unprovoked manner and asked for payment or personal information by someone claiming to be a government employee on official business
One final thing to be aware of is that scammers create convincing emails that may look like official communication from your bank, credit card issuer, or a retailer. These emails often include a link to a very convincing, yet fraudulent website that will ask you to log in with your username and password. If you provide your credentials, the criminal can then use them to gain access to your legitimate account. From there, they can steal your personal information or generate fraudulent transactions. If you ever receive an email asking you to click a link to log in and update your account or change your information, be safe and use your browser to directly type in the legitimate website address for that account in order to complete this request. By doing this, you will always be sure you are on the right website.
Scammers constantly target individuals by email, false advertisements, and phone calls to bring these types of scams to fruition. Being wary of any communication that meets any of the above criteria will go a long way in keeping your information and money safe!
Finally, it is very important that targets of online or phone scams report this to the proper authorities. Although it can be a bit embarrassing to have been hit by such a crime, reporting is the only way to direct investigators and regulators to pursue the criminals behind the scam or identity theft. Aside from reporting the scam to law enforcement, it is important to work with your bank, credit card issuer, or the business where your account was compromised to take the necessary steps in preventing further financial loss.
If you are the target of a financial scam, report it to the FTC at www.ftc.gov/complaint. If this scam was via email or over the Internet, also file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov/complaint.
Targets of identity theft can also file a report at www.identitytheft.gov and receive a recovery plan detailing how to move forward based on the type of scam committed.
Sun, Sand, and Cybersecurity
School’s out and the beach and mountains are calling. It is that time of the year when so many of us pack our bags and hit the open road or head to the airport for a well-earned vacation. We may be ready to take a break from our normal lives, but we still need to be cyber secure while we are enjoying our time off! In this month’s edition, we will explore some ways to be safe and smart with our devices, Internet usage, and social media while out travelling on vacation.
Always be careful about how much you post on social media about your vacations before and during your travels. Criminals can and do watch online posts to find people that are on vacation because that means you have left your home unattended.
Before “checking in” to a location on a social network, consider what else you are sharing – like the information that you aren’t home. Consider skipping the “check in” and making your vacation posts after you have gotten back. This is another way people can see you aren’t home. Perhaps this will have the double benefit of letting you take the time to choose only the best photos to post after your trip is over! At the very least, consider using privacy settings that only let friends see your posts. Additionally, consider turning off GPS and auto-tagging/auto-check in features, if you have them enabled.
Disable WiFi auto-connect services
Some devices have an auto-connect feature that will search for and automatically connect to available and accessible WiFi networks without your interaction. This can allow your device to automatically connect to an unencrypted, public WiFi network, or even one that was set up by a malicious actor to eavesdrop on your browsing and connection activity.
If you want to connect to a store or hotel’s network, check with an employee to see what the correct network is called, and see if they can provide a network password for a more secure, encrypted network. Always use a secure, encrypted network that requires login credentials if you have the option. In the event that isn’t an option, and you can use your phone as a WiFi hotspot, use that instead to get a more secure connection for another device that can’t make direct use of the cellular network’s connection.
Additionally, make sure you do not choose to “remember this network” or “join this network automatically” once you have settled on a more trusted network for use during your vacation. If you have these settings switched on for a very generically named network, your device may connect you to a less secure one that happens to have the same name. Even if you have this turned off, there’s another setting that will automatically connect you to a network you have joined before, which can be a problem since your device doesn’t know the difference between your coffee shop’s “Guest” network and a malicious “Guest” network. Turn these settings off so you don’t automatically connect, and choose to connect only to more trusted, safer WiFi networks.
Keep your devices close, and keep them locked when not in use!
Whether it’s your laptop, tablet, or smartphone, be sure to keep your device on you or with someone you trust. Never leave a device unattended in an airport, train station, restaurant, hotel lobby or anywhere else in public while travelling. There is a common scam that targets people who leave devices sitting next to them. In this scam, another traveler will approach you and ask for help and then lay a newspaper or map down over your device. While you’re distracted answering their question, they are picking up and pocketing your device under the cover of the newspaper or map!
Are You Really Being Secure Online?
Browsing the web and interacting with websites in a secure fashion is immensely important in today’s connected world. Everyday things like online banking, shopping, and submitting your taxes involve sharing financial and sensitive information online. This makes browsing securely something that everyone should consider more closely. Below we will explore some ways to connect to the Internet and browse websites securely, as well as how you can double check that you are being secure.
Use a Secured Wi-Fi Network
Wi-Fi access is widely available, but many of the free connections are to unsecured public Wi-Fi that will leave your information travelling openly! On an unsecured public Wi-Fi network, cyber criminals can easily access the data you are transmitting due to the fact that your information is not encrypted.
A more secure public Wi-Fi network requires a password or credentials to gain access that are provided by someone acting in an official capacity for the local business and the use of encryption. When looking for an available and more secure wireless network, you will see ones using encryption marked with a small lock symbol next to the name of the network. Some hotels and shops that provide free Wi-Fi to customers provide access to their secure networks by providing you with credentials or an access code when checking in, making a purchase, or on request.
If you opt to use a public Wi-Fi connection, make sure you understand the risk – others may be able to see what you do. Keep this in mind and do not conduct sensitive transactions or log in using your credentials on any sites. Not all apps and sites support encryption and other good security practices, which leaves you much more open to many types of cyber-attacks when on a public Wi-Fi connection.
Secure Your Information in Transit
Keep an eye out for that little lock icon on your browser, or the “https” in the URL! Sites that are taking security seriously will encrypt the sensitive information you are exchanging with the site. This is a strong way to ensure that your online activities like shopping or submitting personal information are protected.
The small lock icon or “https” at the beginning of the URL are indicators that encryption is currently in use. The lock icon is commonly found in the address bar on the most popular browsers, including Chrome, Firefox, Safari, Edge, and Internet Explorer.
Verify the Website
When you are looking for information or products online, make sure you are on the website you intended to visit, or are going to the correct site.
One particularly sneaky technique used by cyber criminals is called typosquatting. Typosquatting is when someone purposely registers a website address that is similar to a trusted website’s address but with a typo in it. For instance, the website “thisissafe” might be trusted, but the website “thisisafe” could be a malicious website using typosquatting. People are often linked to these incorrect, but very closely named websites through phishing emails sent out by malicious actors. Many websites look the same, and sometimes criminals or other unscrupulous folks use the names and logos of trustworthy companies to mislead you. In some forms of attack, a user being led to a false, but convincing copy of a known website will be prompted to enter their legitimate credentials, which are stolen by the malicious actor who set up this ruse.
A good practice is to not click a link that is provided in your emails, and to instead go type the intended website’s address directly into your browser to ensure you get to the right place.
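The typo and look-alike checks described here, and in the charity-website tips earlier (two “v” characters for a “w”, an “i” for an “l”), together with the “https” check, can be written down as a small routine. The following is an added example, not the bank’s or any vendor’s code: it takes a URL, reports whether it uses https, and compares the site name against a short list of sites you trust, treating visually confusable characters as equal and allowing a couple of typos. The trusted-domain list and the sample URLs are constructed for illustration; a real tool would also handle multi-part suffixes such as .co.uk, which this example does not.

```python
"""Classify a URL as trusted, a look-alike of a trusted site, or unknown.

Added example with a constructed allowlist. It demonstrates the two checks the
text recommends: is the connection https, and is this really the site name you
meant, or one that merely looks like it?
"""
from urllib.parse import urlsplit

# Constructed allowlist of sites the reader has decided to trust (assumption).
TRUSTED_DOMAINS = {"thisissafe.com", "example-bank.com", "annualcreditreport.com"}

# Character swaps that look alike on screen. Each pair maps a confusable
# spelling to a canonical one so that look-alike names compare equal.
_CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("i", "l"), ("0", "o")]


def skeleton(label):
    """Reduce a name to a 'skeleton' in which confusable characters are merged."""
    s = label.lower()
    for src, dst in _CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host ('login.thisissafe.com' -> 'thisissafe.com').
    Simplification: multi-part public suffixes such as .co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return a dict with the host, whether https is used, and a verdict:
    'trusted', 'lookalike' (with the trusted name it resembles) or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    domain = registrable_domain(host)
    result = {"host": host, "https": parts.scheme == "https",
              "verdict": "unknown", "looks_like": None}
    if domain in trusted:
        result["verdict"] = "trusted"
        return result
    name = domain.rsplit(".", 1)[0]  # the label left of the top-level domain
    for t in sorted(trusted):
        tname = t.rsplit(".", 1)[0]
        if (t in host  # trusted name used as a subdomain of some other site
                or skeleton(name) == skeleton(tname)  # confusable characters
                or edit_distance(name, tname) <= 2):  # a typo or two away
            result["verdict"] = "lookalike"
            result["looks_like"] = t
            break
    return result


if __name__ == "__main__":
    # Constructed sample URLs, including the text's own "thisisafe" example.
    for u in ["https://thisissafe.com/login", "http://thisisafe.com",
              "https://th1sissafe.com", "https://thisissafe.com.evil.example",
              "https://unrelated-shop.example"]:
        r = check_url(u)
        flag = "" if r["https"] else "   (no https!)"
        print(f"{u:<42} {r['verdict']:<9} {r['looks_like'] or ''}{flag}")
```

A verdict of “unknown” only means the site is not on your list and does not resemble anything on it; it is not a stamp of approval. The value of the routine is the “lookalike” verdict, which catches the substitutions a tired eye slides past.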
May 8, 2017 - Skimmer identified on two First State Bank & Trust ATMs
Fremont, Neb. – First State Bank and Trust Company of Fremont learned this weekend that an ATM skimming device had been placed on the outdoor ATM at our 1005 East 23rd Street location. This device was found by a user of the machine, was removed and turned in to local law enforcement. In investigating this matter, it came to the bank’s attention that a device had been used at our 1965 East Military location.
First State feels confident that users of the 23rd Street machine will not be impacted since the device on this location was captured. We have identified bank customers whose cards may have been skimmed at the Military location and have flagged their cards in our system. We are reaching out to those affected customers. It appears only those who used the ATM at the Military branch in Fremont on Friday, May 5th through Saturday, May 6th are potentially impacted. All consumers are fully protected by the bank against fraudulent transactions. As always, we strongly encourage our customers to monitor their transaction history in online banking or through our mobile app.
If you are a non-customer who used our Military branch location and see unusual activity, please contact your bank directly for assistance. You are also fully protected against fraudulent charges, but the process does need to begin with your own financial institution.
“We take a situation like this very seriously. We are working with local and federal law enforcement on this matter and are reaching out to all identified customers. We are doing everything we can to resolve this situation quickly for those affected,” states Chuck Johannsen, President of First State Bank & Trust Company.
Here are some tips from the Office of the Comptroller of the Currency/U.S. Department of the Treasury to protect your financial information:
- Walk away from an ATM if you notice someone watching you or if you sense something wrong with the machine; immediately report your suspicions to the company operating the machine or a nearby law enforcement officer.
- Before using an ATM, examine nearby objects that might conceal a camera; check the card slot for a plastic sheath before inserting your card.
- Never keep a written copy of your PIN in your wallet or purse as it could be stolen; instead memorize your PIN and keep a paper record hidden at home.
- When entering your PIN, stand close to the machine and hold your hand over the keypad or screen to make it more difficult for a person or camera to watch you.
- Beware of strangers offering to help you with an ATM that appears disabled and notify someone responsible for the security of the machine.
- Regularly review your account statements, either online or on paper, and check for unauthorized withdrawals and purchases. If you find one, immediately contact your bank or credit card provider, as this will limit your financial liability for fraudulent charges.