Protect Your Business and Employees from Email Compromise Scams

Here at American Federal Bank, protecting our customers from fraud is a top priority and we want you to know about a threat that we have seen multiple businesses fall victim to.

Fraudsters know that many business owners and executives will be out of the office during the upcoming spring and summer seasons, and will use the opportunity to try and trick your employees. The fraudsters send email messages to your employees that appear to come from a company owner or executive, along with instructions to send money or sensitive information to them. This threat is very real and we’ve seen significant losses happen in our communities.

These attempts are especially deceitful because emails often make what appears to be a legitimate request, including sending an invoice with updated payment information. Employees believe they are just doing what their superiors or coworkers are asking them to do, and mistakenly comply.

Below are some steps to reduce the chances of an employee becoming a victim of business email compromise:

  • Educate and train employees to recognize, question, and independently authenticate changes in payment instructions, payment methods (e.g., ACH to wire), or when pressured to act quickly or secretively.
  • Be old-fashioned! Verbally authenticate any changes via phone call to a verified telephone number.
  • Review accounts frequently.
  • Initiate payments using dual controls.
  • Never provide passwords, usernames, authentication credentials or account information when contacted.
  • Don’t provide nonpublic business information on social media.
  • Avoid free web-based email accounts for business purposes. A company domain should always be used in business emails.
  • Consider registering domains that closely resemble the company’s actual domain to make impersonation harder.
  • Do not use the “reply” option when authenticating emails for payment requests. Instead, use the “forward” option and type in the correct email address or select from a known address book.
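The tips above can also be partly automated as a mail-screening aid. The following Python sketch is an added example, not part of the bank's guidance: it flags lookalike sender domains, free webmail addresses, a Reply-To that differs from the sender, and payment-change or pressure wording. The company domain, keyword lists and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: replace with your own domain and wording lists.
COMPANY_DOMAIN = "examplecorp.test"
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PAYMENT_CHANGE = ("new account", "bank details", "updated payment", "ach to wire")
PRESSURE = ("urgent", "immediately", "confidential", "today", "do not call")


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two typos from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_flags(raw_message):
    """Return a list of business-email-compromise warning signs for one message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = str(msg.get_payload()).lower()

    flags = []
    # Sender domain is close to, but not exactly, the company domain.
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Business mail should come from the company domain, not free webmail.
    if from_dom in FREE_WEBMAIL or reply_dom in FREE_WEBMAIL:
        flags.append("free-webmail-address")
    # Hitting "reply" would send the answer somewhere other than the sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs-from-sender")
    if any(phrase in body for phrase in PAYMENT_CHANGE):
        flags.append("payment-change-request")
    if any(phrase in body for phrase in PRESSURE):
        flags.append("pressure-or-secrecy")
    return flags


# Constructed sample messages (not real mail).
LOOKALIKE_MSG = "\n".join([
    'From: "Pat Morgan" <pat.morgan@examp1ecorp.test>',
    "To: accounts@examplecorp.test",
    "Subject: Vendor payment",
    "",
    "I am traveling. Update the vendor bank details and send the wire today.",
    "Keep this confidential.",
])
REPLY_TO_MSG = "\n".join([
    'From: "Pat Morgan" <pat.morgan@examplecorp.test>',
    "Reply-To: pat.morgan.office@gmail.com",
    "To: accounts@examplecorp.test",
    "Subject: Invoice",
    "",
    "Attached is the invoice. Please use the new account number for this payment.",
])
ROUTINE_MSG = "\n".join([
    'From: "Pat Morgan" <pat.morgan@examplecorp.test>',
    "To: accounts@examplecorp.test",
    "Subject: Lunch",
    "",
    "Lunch at noon on Friday?",
])

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_MSG), ("reply-to", REPLY_TO_MSG),
                      ("routine", ROUTINE_MSG)]:
        print(name, bec_flags(raw))
```

A flag here is a prompt to verify the request by phone at a known number, as the steps above describe; a message with no flags can still be fraudulent if the sender's real account has been taken over.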

If you do fall victim to one of these fraud attempts, please reach out to American Federal Bank as soon as possible so we can assist.

The Importance of Small Business Security Check-Ups

Cyber security remains a growing concern for small businesses. It’s a good idea for business owners to conduct periodic reviews of their data security program.

Security Check-Up Suggestions

The Small Business Administration, the Federal Trade Commission and the American Bankers Association offer a number of suggestions aimed at helping businesses protect their files and devices and their company and customer information from cyberattacks.

Start with a Plan

Begin by understanding your business risk profile. What are you trying to protect and where are you most vulnerable? Identify devices, servers and vendors that store company data and customer credit card and other information. Know what vendors supply the software you use, and how secure their practices are. Also, take a broader look at protecting your financial and bank data, personnel information and intellectual property.

Review Policies and Procedures

Re-evaluate the security policies and procedures that govern everything from access controls to acceptable use. Have you added new products and services or entered new markets that altered the operations of your business? Who has access to information in your company and the log-in credentials to conduct transactions?

Train Employees

The weakest link in a security plan is employees. From day one, explain the importance of your organization’s data security practices to employees. Conduct regular training that outlines your company’s practices and how to spot new risks, security vulnerabilities and identity theft. Create a culture of security by demonstrating what you expect and making security an essential part of employees’ duties. When employees leave, terminate access immediately.

Warn about Phishing

Educate employees on the dangers of spear phishing – emails containing information that makes them look legitimate. Require independent verification of emails requesting sensitive information.  Train employees not to reply to email when they do not recognize the sender, and not to use links, phone numbers or websites contained in the suspect email.

Cover the Basics

Implementing the basic steps of cyber hygiene will protect your business and reduce the risk of a cyberattack.

  • Update Software. Update and apply the latest patches to your operating systems and software, including anti-virus software and antispyware, apps and web browsers. Set updates to take place automatically.
  • Secure your Network and Files.   Safeguard your Internet connection by using a firewall. Back up files offline, on an external hard drive or in the cloud.  Control physical access, too. Make sure you also store your paper files securely.
  • Encrypt Devices. Encrypt devices and other media that contain confidential, sensitive and proprietary information.  This includes laptops, smartphones, inventory scanners, digital scanners, removable devices, backup tapes and cloud storage solutions.
  • Use Multi-Factor Authentication. Enable multi-factor authentication to access areas of your network and sensitive information.  This requires additional steps beyond logging in with a password.
  • Require Strong Passwords. Use passwords for all computer hardware, including routers, laptops, tablets and smartphones. Require strong passwords of 8-12 characters that are a mix of UPPER and lower case letters, numbers and symbols. Passwords must not contain personal information, like part of a TIN, or be easily cracked, like “password,” “qwerty” or “12345678.” Never leave devices unattended in public places and avoid public WiFi.

Secure Payment Processing

Work with your bank or credit card processor to ensure the most trusted and validated tools and anti-fraud services are being used.  Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

Develop an Incident Response Plan

Know what to do and who to call when a cyber incident occurs.

Resources

Report scams against a small business at FTC.gov/complaint.

These websites and publications also have information on securing sensitive data:

Watch Out for Imposter Scams and Money Mule Schemes Related to COVID-19

The Financial Crimes Enforcement Network (FinCEN) is alerting consumers to potential imposter scams and money mule schemes observed during the COVID-19 pandemic.

Illicit actors are engaged in fraudulent schemes that exploit vulnerabilities created by the Coronavirus pandemic.

Consumer frauds include imposter scams and money mule schemes where fraudulent actors deceive victims by impersonating federal government agencies, international organizations or charities.

Imposter Scams

In imposter scams, criminals impersonate organizations such as government agencies, non-profit groups, universities or charities to offer fraudulent services or otherwise defraud victims.

While imposter scams can take multiple forms, the basic methodology involves an illicit actor contacting a target under the false pretense of representing an official organization and coercing or convincing the target to provide funds or valuable information, engage in behavior that causes the target’s computer to be infected with malware or spread disinformation.

In the case of schemes connected to COVID-19, imposters may pose as officials or representatives from the Internal Revenue Service (IRS), the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), other healthcare or non-profit groups, and academic institutions.

Illicit actors can use imposter scams to defraud and deceive the vulnerable, including the elderly and unemployed, through the solicitation of payments (such as digital payments and virtual currency), donations or personal information via email, robocalls or text messages. The Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) have sent warning letters to multiple Voice over Internet Protocol (VoIP) service providers for allegedly routing illegal pandemic-related scam telemarketing, robocalls or other communication methods.

For example, an imposter may contact potential victims by phone, email or text to imply that the victim must verify personal information or send payments to scammers in return for COVID-19-related stimulus payments or benefits.

Another instance includes imposters contacting victims and posing as government or health care representatives engaged in COVID-19 contact tracing activities, implying that a victim must share personal or financial information as part of contact tracing efforts.

Multiple examples include phishing schemes, where imposters send communications appearing to come from legitimate sources, to collect victims’ personal and financial data and potentially infect their devices by convincing the target to download a malicious attachment or click malicious links.

Scammers may also impersonate legitimate charities or create sham charities, taking advantage of the generosity of the public and embezzling donations intended for COVID-19 response efforts.

Criminals often use social media accounts, door-to-door collections, flyers, mailings, telephone and robocalls, text messages, websites and emails mimicking legitimate charities and non-profits to defraud the public. These operations may include words like “relief,” “fund,” “donation” and “foundation” in their titles to give the illusion that they are a legitimate organization.

Money Mule Schemes

A money mule is a person who transfers illegally acquired money on behalf of or at the direction of another.

Money mule schemes, including those related to the COVID-19 pandemic, span the spectrum of using unwitting, witting or complicit money mules.

An unwitting or unknowing money mule is an individual who is unaware that he or she is part of a larger criminal scheme. The individual is motivated by his/her trust in the actual romance, job position or proposition.

A witting money mule is an individual who chooses to ignore obvious red flags or acts willfully blind to his/her money movement activity. The individual is motivated by financial gain or an unwillingness to acknowledge his/her role.

A complicit money mule is an individual who is aware of his/her role as a money mule and is complicit in the larger criminal scheme. The individual is motivated by financial gain or loyalty to a criminal group.

During the COVID-19 pandemic, U.S. authorities have detected recruiters using money mule schemes, such as good-Samaritan, romance and work-from-home schemes.

In work-from-home schemes, for example, COVID-19 money mule recruiters, under a false charity or company label, may approach targets with a seemingly legitimate offer of employment under the pretense of work-from-home jobs, often through internet or social media advertisements, emails or text messages. Once the target accepts the “employment,” he or she receives instructions to move funds through accounts or to set up a new account in the target’s name for the “business.” The target (i.e., the money mule) earns money by taking a percentage of the funds that he or she helps to transfer per the instructions of the “employer.”

U.S. authorities also have identified criminals using money mules to exploit unemployment insurance programs during the COVID-19 pandemic.

Stay in the Know

Detecting, preventing and reporting consumer fraud and other illicit activity related to COVID-19 is critical for national security, safeguarding legitimate relief efforts and protecting innocent consumers from harm.

Overall, the message from the Federal Bureau of Investigation (FBI) and the FTC during this time is to be extra vigilant and cyber-smart. Hackers know how vulnerable the world is to Coronavirus fears, and everything involved with the pandemic can be exploited.

The FBI’s ic3.gov has helpful information, including where to report scammers so others can avoid them. They welcome all concerned to visit the site frequently as it is continually being updated with legitimate Coronavirus-related information and resources.

Go to ftc.gov/coronavirus for the latest information on COVID-19 scams. Sign up to get FTC’s alerts at ftc.gov/subscribe.

FBI Warns: Increased Use of Mobile Apps During Pandemic Could Lead to Exploitation

As the public increases its use of mobile banking apps, partially due to increased time at home from the Coronavirus pandemic, the FBI anticipates cyber actors will exploit these platforms.

Americans are increasingly using their mobile devices to conduct banking activities such as depositing checks and transferring funds. Studies of U.S. financial data indicate a 50 percent surge in mobile banking since the beginning of 2020.

With state and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting a bank.

The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.

App-Based Banking Trojans

The FBI advises the public to be cautious when downloading apps on smartphones and tablets, as some could be concealing malicious intent. Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools. When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device. The trojan creates a false version of the bank’s login page and overlays it on the legitimate app. Once the user enters their credentials into the false login page, the trojan passes the user to the real banking app login page so they do not realize they have been compromised.

Fake Banking Apps

Cyber actors also create fraudulent apps designed to impersonate the real apps of financial institutions, with the intent of tricking users into entering their login credentials. These apps provide an error message after the attempted login and will use smartphone permission requests to obtain and bypass security codes texted to users.

TIPS TO PROTECT YOURSELF AND YOUR BUSINESS

Obtain Apps from Trusted Sources

Private sector companies manage app stores for smartphones and actively vet these apps for malicious content. Additionally, most U.S. banks, like American Federal Bank, provide a link to their mobile app on their website. The FBI recommends only obtaining smartphone apps from trusted sources like official app stores or directly from bank websites.

Use Two-Factor Authentication

Cybersecurity experts stress that two-factor authentication is a highly effective tool to secure accounts against compromise, and enabling any form of two-factor authentication will be to the user’s advantage.

Do:

  • Enable two-factor or multi-factor authentication on devices and accounts to protect them from malicious compromise.
  • Use strong two-factor authentication, if possible, via biometrics, hardware tokens, or authentication apps.
  • Use multiple types of authentication for accounts, if possible. Layering different authentication standards is a stronger security option.
  • Monitor where your Personally Identifiable Information (PII) is stored and only share the most necessary information with financial institutions.

Don’t:

  • Click links in e-mails or text messages. Ensure these messages come from the financial institution by double-checking e-mail details. Many criminals use legitimate-looking messages to trick users into giving up login details.
  • Give two-factor passcodes to anyone over the phone or via text. Financial institutions will not ask you for these codes over the phone.

Use Strong Passwords and Good Password Security

Cyber actors regularly exploit users who reuse passwords or use common or insecure passwords. The FBI recommends creating strong, unique passwords to mitigate these attacks. The National Institute of Standards and Technology’s most recent guidance encourages users to make passwords that are 15 characters or longer.

Do:

  • Use passwords that contain UPPER CASE letters, lower case letters and symbols.
  • Use a minimum of eight characters per password.
  • Create unique passwords for banking apps.
  • Consider using a password manager or password management service.

Don’t:

  • Use common passwords or phrases, such as “Password1!” or “123456.”
  • Reuse the same passwords for multiple accounts.
  • Store passwords in written form or in an insecure phone app like a notepad.
  • Give your password to anyone. Financial institutions will not ask you for this information over the phone or text message.

If a Banking App Appears Suspicious, Call the Bank

If you encounter an app that appears suspicious, exercise caution and contact the financial institution. Major financial institutions may ask for a banking PIN number; however, they will never ask for your username and password over the phone. If the phone call seems suspicious, hang up and call the bank.

Coronavirus Scams Continue Unabated

The number of scams and scammers using the Coronavirus (COVID-19) as a platform for theft continues to grow.

The public’s need for COVID-19 information, online purchases, and charitable donations is being exploited at historic levels, according to public service announcements posted by the FBI.

The FBI warns that online fraud and identity theft are rampant during the COVID-19 pandemic, and cybercriminals are doing their best to take advantage of those in need.

As the range of online criminal behavior is expanding, the FBI wants the public to be aware of some of the worst and most prolific scams that cybercriminals currently have to offer.

Payment Protection Program (PPP) phishing emails are flooding the market. These emails are being broadcast to everyone rather than targeting the business contact who applied for the loan. The emails are often convincing.

Fake emails and apps claiming to be from the Centers for Disease Control (CDC), the World Health Organization (WHO) and other respected information sources offering Coronavirus news and tracking are rampant. The FBI warns that following email links, opening attachments, and sideloading apps (apps downloaded from a third-party and not from the official app stores) also can lead to identity theft and malware.

Phishing emails saying you need to verify your personal information, even if it offers a financial stimulus payment from the government, should be deleted and not acted upon. No matter how tempting the reward promised, know that government agencies (like the IRS) never send unsolicited emails asking for private information. The FBI also warns that phishing email topics such as financial relief, fake cures, vaccines, testing kits, and airline refunds should not be responded to. Fake GoFundMe pages and other social media charitable contribution sites also can be fraudulent.

Counterfeit PPE and Coronavirus treatments are being exploited. The need for Personal Protective Equipment (PPE) is prompting fake claims. Unapproved and counterfeit masks, goggles, gowns, gloves, sanitizing products, virus cures, and more are being pushed online. A spike in shipping and other cyber fraud means consumers may pay for products and shipping, but never receive them. Meanwhile, a bad actor may have your payment card information, address and possibly enough personal details for identity fraud.

Tips from the Federal Trade Commission

  • Don’t respond to texts, emails or phone calls about stimulus payment checks from the government. Don’t click on links or attachments in texts or emails you did not expect.
  • Ignore online offers for vaccinations.  There are no products proven to treat or prevent COVID-19 at this time.
  • Be wary of ads for test kits.  The Food and Drug Administration (FDA) just announced approval for one home test kit, which requires a doctor’s order.  But most test kits being advertised have not been approved by the FDA, and are without proof that they work.
  • Hang up on robocalls.  Scammers are using illegal robocalls to pitch everything from low-priced health insurance to work-at-home schemes. Scammers use these illegal sales calls to get your money and your personal information.
  • Do your homework when it comes to donations.  Don’t let anyone rush you into making a donation.  Never donate cash, by gift card or by wiring money.

Stay in the Know

Overall, the message from the FBI and the FTC during this time is to be extra vigilant and cyber-smart. Hackers know how vulnerable the world is to Coronavirus fears, and everything involved with the pandemic can be exploited.

The FBI’s ic3.gov has helpful information and trusted sources for PPE, including where to report scammers so others can avoid them. They welcome all concerned to visit the site frequently as it is continually being updated with legitimate Coronavirus-related information and resources.

Go to ftc.gov/coronavirus for the latest information on COVID-19 scams. Sign up to get FTC’s alerts at ftc.gov/subscribe.

Protect Yourself Against Imposters

The Federal Deposit Insurance Corporation (FDIC) has received reports of fraudulent communications that have the appearance of being from the FDIC.

This is particularly important to know during the outbreak of the Coronavirus (COVID-19) as scammers try to take advantage of consumers in a variety of ways.

Fraudsters know that people trust the FDIC name, so scammers use the FDIC’s name and logo in perpetrating fraudulent schemes.

Some recently reported scams have fraudulently used the names of real FDIC employees, including Martin Henning and Michael Benardo. They have also used fictitious employee names such as Peter Harding, Christine Marshall, and Kate Marshall.

These scams may involve a variety of communication channels, including emails, phone calls, letters, text messages, faxes and social media.

The messages might ask you to “confirm” or “update” confidential personal financial information, such as bank account numbers. In other cases, the communication might be an offer to help victims of current or previous frauds with an investigation or to recover losses.

Some scams have included official looking forms for such things as filing insurance claims or paying taxes on prize winnings. They might tell you that you have an unpaid debt and threaten you with a lawsuit or to arrest you, if you don’t pay. Other recent examples have included check endorsements, bankruptcy claimant verification forms, stock confirmations, and investment purchases.

Additional known scams ask for an upfront payment in the form of gift cards or digital currency before service can be provided. They might include a cashier’s check with instructions to deposit the check and send some portion of the funds back via wire transfer service.

Scammers might ask for personal information such as Social Security numbers, dates of birth, and other valuable details that they can use to commit fraud or sell your identity.

Tips from the FDIC

Here’s what you need to know to protect yourself against government imposters like these:

  • The FDIC does not send unsolicited correspondence asking for money or sensitive personal information and will never threaten you.
  • No government agency will ever demand that you pay by gift card, wiring money or digital currency.
  • The FDIC would never contact you asking for personal details, such as bank account information, credit and debit card numbers, social security numbers, or passwords.

If in doubt about something you receive, contact the FDIC’s Call Center at 1-877-ASK-FDIC (1-877-275-3342), Monday through Friday, 8 am to 8 pm Eastern Standard Time.

If you feel you have been the victim of fraud, report this incident to local law enforcement or a local field office of the Federal Bureau of Investigation (FBI).

Also notify the United States Postal Inspection Service (USPIS), if the crime involved misuse of the U.S. Postal Service.

For more help or information, go to FDIC.gov or call the FDIC toll-free at 1-877-ASK-FDIC (1-877-275-3342).

Beware of Coronavirus Scams

Scammers are taking advantage of uncertainty surrounding the Coronavirus (COVID-19). Fraudsters are setting up websites to sell bogus products and creating fake email, texts and social media posts as a ruse to take your money and get your personal information. Investment frauds ridiculously claim a company’s products or services will be used to help stop the Coronavirus outbreak.

The emails and posts may even be promoting awareness and prevention tips, and fake information about cases in your neighborhood, according to the Federal Trade Commission (FTC). They may also be asking you to donate to victims, offering advice on unproven treatments, or contain malicious email attachments.

Here are some tips from the FTC to help you keep the scammers at bay:

  • Don’t click on links from sources you do not know. It could download a virus on your computer or mobile device. Make sure the anti-malware and anti-virus software on your computer is up to date.
  • Don’t provide personal information. Always consider why someone wants your information and if it is appropriate.
  • Verify a sender by independently checking their email address. It is insufficient to check an email address using an email reply to see if your message is delivered. The email could be from a cybercriminal’s account.
  • Watch for emails claiming to be from Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus.
  • For the most up-to-date information about the Coronavirus, visit the CDC at https://www.cdc.gov/coronavirus/2019-ncov/index.html and the World Health Organization (WHO) at https://www.who.int/emergencies/diseases/novel-coronavirus-2019.
  • Ignore offers for vaccinations. If you see ads touting prevention, treatment or cure claims for the Coronavirus, ask yourself: would you be hearing about it for the first time through an ad or a sales pitch?
  • Do your homework when it comes to donations, whether through charities or websites. Do not let anyone rush you into donating. If someone wants donations in cash, by gift card or by wiring money, do not do it.
  • Be alert to “investment opportunities.” The U.S. Securities and Exchange Commission (SEC) is warning about online promotions, including social media, claiming that the products and services of publicly traded companies can prevent, detect or cure the Coronavirus, and that the stock of these companies will dramatically increase in values as a result.

Investor Alert

The SEC has issued an investor alert to be on the lookout for Coronavirus-related investment scams that use the latest news developments to lure investors into scams.

The promotions often take the form of so-called “research reports” and make predictions of a specific “target price.” The SEC warns investors that they may lose significant amounts of money if they invest in a company that makes inaccurate or unreliable claims, and that they may not be able to sell their shares if trading in the company is suspended.

The SEC says that when investing in any company that claims to focus on Coronavirus-related products and services, carefully research the investment and keep in mind that investment scam artists often exploit the latest crisis to line their own pockets.

Contact your local American Federal securities-licensed Banker, if you have a question about an investment product or service. Report any suspicious Coronavirus-related investment scams to the SEC at https://www.sec.gov/tcr.

Criminals Pretending to be WHO

Criminals are disguising themselves as the World Health Organization (WHO) to steal money and sensitive information. WHO says cybercriminals are preying on people’s fear with phishing emails claiming to have advice on protective safety measures.

WHO will never:

  • ask you to log in to view safety information
  • email attachments you did not request
  • ask you to visit a link outside www.who.int
  • conduct lotteries or offer prizes, grants, certificates or funding through email
  • ask you to donate directly to emergency response plans or funding appeals

Be aware that criminals use email, websites, phone calls, text messages and fax messages for their scams. You can verify if communication is legitimate by contacting WHO directly.

Imposter Scams – the Most Prevalent Fraud of 2019

Every year, the Federal Trade Commission (FTC) examines all the complaint reports it receives to determine which types of fraud are most prevalent. Of the more than three million reports the public sent the FTC in 2019, it found that imposter scams are the most common.

While there are different types of imposter scams, the basic commonality is that a scammer pretends to be someone you trust in order to get you to send them money.

Americans reportedly lost more than $667 million to scammers through imposter scams in 2019, with the perpetrators often pretending to be from a government agency (Social Security tops the list), well-known companies, love interests, tech support agencies or even family members. Most of those who sent in complaints report that the scammers contacted them via telephone.

The FTC has a series of short videos available detailing the different types of imposter scams and how you can recognize them. Check out the videos.

How to File a Complaint

If you have spotted a scam or have lost money to a scammer, consider filing a complaint with the FTC at ftc.gov/complaint. Though not all scammers are found and prosecuted, in 2019 alone, the FTC was able to take legal actions that led to more than $232 million being returned to people who lost money.

Securely Configure your New Devices

The holiday season is here, which means shopping for the latest gadget is in full swing. With the large number of discounts that are available, you may end up buying a smart device.

As impressive as the latest smartphone or gaming computer might be, ensuring you are able to properly secure these devices is more important than ever. Any device that connects to the Internet is potentially vulnerable and could become compromised.

Here are several tips to keep in mind that can help you securely configure your new devices:

Adjust Factory-Default Configurations on Hardware and Change Default Passwords

Passwords are a common form of authentication and are often the only barrier between cybercriminals and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. However, did you know these passwords can easily be found online? To better secure your digital device, it is important to change the factory-set default password. Be sure to replace it with a strong and unique password or passphrase for each account.

Secure your Wi-Fi Network with Encryption

A home’s wireless router is the primary entrance for cybercriminals to access connected devices. To enhance your defenses, use Wi-Fi Protected Access 3 (WPA3). WPA3 is currently the strongest form of encryption for Wi-Fi. Other methods are outdated and more vulnerable to exploitation.

Double Your Login Protection

Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. If MFA is an option, enable it by using a trusted mobile device such as your smartphone, an authenticator app, or a secure token. For instance, with an iPhone you can use your screen lock feature with a PIN or password.

Disable Location Services and Remote Connectivity

Location services might allow anyone to see where you are at any given time. To secure your private information, consider disabling this feature when you are not using your device. Additionally, most mobile devices are equipped with wireless technologies such as Bluetooth that can be used to connect to other devices or computers. Consider disabling these features when not in use as well!

Safeguard Against Eavesdropping

Disconnect digital assistants, such as your Amazon Alexa, when not in use. Limit conversation near baby monitors, audio recordable toys, and digital assistants. Be sure to cover cameras on toys, laptops, and monitoring devices when they are not in use.

Do Not Broadcast Your Wi-Fi Network Name

To prevent outsiders from easily accessing your network, avoid publicizing your Wi-Fi network name, or service set identifier (SSID). All Wi-Fi routers allow users to disable broadcasting their device’s SSID. Doing so will make it more difficult for attackers to find a network. At the very least, change your SSID to something unique. Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and possibly exploit any known vulnerabilities.

Install a Network Firewall

Install a firewall at the boundary of your home network to defend against external threats. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. Most wireless routers come with a configurable, built-in network firewall that includes features such as access controls, web-filtering, and denial-of-service (DoS) defense that you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the security of your network. 

Note: Your internet service provider (ISP) may be able to help you determine whether your firewall has the most appropriate settings for your particular equipment and environment.

Install Firewalls on Network Devices

In addition to a network firewall, consider installing a firewall on all computers connected to your network. Often referred to as host or software-based, these firewalls inspect and filter a computer’s inbound and outbound network traffic based on a predetermined policy or set of rules. Most modern Windows and Linux operating systems come with a built-in, customizable and feature-rich firewall. Additionally, most vendors bundle their antivirus software with additional security features such as parental controls, email protection and malicious website blocking.

Remove Unnecessary Services and Software and Install Antivirus Software

Disable all unnecessary services to reduce the attack surface of your network and devices, including your router. Unused or unwanted services and software can create security holes on a device’s system, which could lead to an increased attack surface of your network environment. Additionally, a reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware. Many antivirus solutions are extremely easy to install and intuitive to use, allowing for automatic virus definition updates to ensure maximum protection against the latest threats.

Update and Patch Regularly

Manufacturers will issue updates as they discover vulnerabilities in their products. A perfect example is the update notifications you receive on your smartphone. Configuring your device to receive automatic updates makes this easier for many devices, such as computers, phones, tablets, and other smart devices. However, if you need to manually update your device, make sure you are only applying updates directly from the manufacturer, as third-party sites and applications are unreliable and can result in an infected device.

Source: The Multi-State Information Sharing and Analysis Center (MS-ISAC)

Don’t Take the Bait: Combat the Growing Phishing Threat

According to the FBI’s Internet Crime Report, victims lost nearly $30 million due to phishing scams in 2017 compared to $8 million just two years earlier.

In a phishing scam, criminals send an email or a text, or call a victim disguised as a company or person they know. The goal of the phisher is to steal the victim’s money, identity or both by convincing the unsuspecting consumer to click on a link or share sensitive information, such as a password. The fraudsters often pressure victims to act quickly by saying something bad will happen if they do not comply.

Phishing scams are not as obvious as they used to be. The criminals’ techniques have become much more sophisticated, so it is more important than ever that consumers understand the scam and how they can protect themselves.

One way to combat phishing is to use multi-factor authentication, which is a second step to verify you are you, like sending a text to your phone with a confirmation code. Use multi-factor authentication for any of your accounts that support it, especially email and financial accounts.

The American Bankers Association Foundation and the Federal Trade Commission have released an infographic, which describes how phishing scams work and provides the following tips for consumers:

  • Check it out.
    • Independently look up the website or phone number for the company or person who is contacting you.
    • Call that company or person directly. Use a number you know to be correct, not the number in the email or text.
    • Tell them about the message you got.
  • Look for scam tip-offs.
    • You do not have an account with the company.
    • The message is missing your name or uses bad grammar and spelling.
    • The person asks for personal information, including passwords.
    • But note: some phishing schemes are sophisticated and look very real, so check it out and protect yourself.
  • Protect yourself.
    • Keep your computer security up to date and back up your data often.
    • Consider multi-factor authentication — a second step to verify who you are, like a text with a code — for accounts that support it.
    • Change any compromised passwords right away and do not use them for any other accounts.

For more information on phishing scams, visit aba.com/phishing.
