October Is National Cybersecurity Month: Protect your Identity

Every year, millions of U. S. consumers become victims of identity theft and experience the misuse of their personal information.

In recognition of “National Cybersecurity Awareness Month,” these tips can help you protect your personal information from identity thieves.

Fraudsters can use your personal information to conduct a variety of illegitimate transactions, such as opening bogus accounts, filing tax returns and getting access to medical care, according to the American Bankers Association. As a result, consumers are urged to safeguard their personal information before it gets into the wrong hands.

Tips to Protect your Identity

  • Never share your secrets. Do not provide your Social Security number or bank or credit card account information to anyone who contacts you online or over the phone. Protect your PINs and passwords and do not share them with anyone. Use a combination of letters, numbers and symbols to create strong passwords and change them periodically. Never post personal or sensitive information on social media.
  • Shred sensitive papers. Shred receipts, bank and credit card statements and unused credit card offers before throwing them in the trash.
  • Keep an eye out for missing mail. Fraudsters look for monthly bank or credit card statements or other mail containing financial information. Enroll in American Federal Online Banking to reduce the likelihood of paper statements being stolen. Do not mail bills from your own mailbox with the flag up. Enroll in American Federal Online Bill Pay to pay your bills conveniently and securely.
  • Use Online Banking to protect yourself. Monitor your financial accounts regularly for fraudulent transactions. Sign up for email or text alerts for certain types of transactions, such as transactions of $500 or more.
  • Monitor your credit report. Order a free copy of your credit report every four months from one of the three credit reporting agencies at annualcreditreport.com. Rotate your orders through each of the bureaus, so you are reviewing your credit report from different agencies. Regularly order credit reports for your children as well. Children are often victims of identity theft.
  • Protect your computer. Make sure the virus protection software and patches on your computer are active and up to date. When conducting business online, make sure your browser’s padlock or key icon is active. Also look for an “s” after the “http” to be sure the website is secure.

Protect your Mobile Device

Your mobile device provides convenient access to your email, bank and social media accounts. Unfortunately, it can potentially provide the same access for criminals. Follow these tips to keep your information – and your money – safe.

  • Use the passcode lock on your smartphone and other devices. This will make it more difficult for thieves to access your information, if your device is lost or stolen.
  • Log out completely when you finish a mobile banking session.
  • Protect your phone from viruses and malicious software, or malware, just like you do for your computer by installing mobile security software.
  • Use caution when downloading apps. Apps can contain malicious software, worms and viruses. Beware of apps that ask for unnecessary “permissions” and delete unused or rarely used apps.
  • Download the updates for your phone and mobile apps.
  • Avoid storing sensitive information like passwords or a social security number on your mobile device.
  • Tell your financial institution immediately if you change your phone number or lose your mobile device.
  • Be aware of shoulder surfers. The most basic form of information theft is observation. Be aware of your surroundings especially when you are entering sensitive information on a keypad.
  • Wipe your mobile device before you donate, sell or trade it using specialized software or using the manufacturer’s recommended technique. Some software allows you to wipe your device remotely if it is lost or stolen.
  • Beware of mobile phishing. Avoid opening links and attachments in emails and texts, especially from senders you do not know. And, be wary of ads (not from your security provider) claiming that your device is infected.
  • Watch out for public Wi-Fi. Public connections are not secure, so do not perform banking transactions on a public network. If you need to access your account, try disabling the Wi-Fi and switching to your mobile network. Consider using a Virtual Private Network (VPN) app to secure and encrypt your communications when connecting to a public Wi-Fi network.

Report any suspected fraud to your bank immediately.

Avoid Tech Support Scams

You’re working on your computer when, suddenly, a message pops up on the screen: “Virus detected! Call now for a free security scan and to repair your device.”

That’s a tech support scam. Do not call, text or email. Legitimate tech support companies do not operate that way.

Scammers pose as big-name companies and use pop-up messages, fake websites, and phone calls to trick you into thinking your computer has an urgent problem. Their plan is to get your money by selling you worthless software, enrolling you in fake programs, or getting you to pay for useless tech support. The scammers urge you to call a toll-free number immediately, threatening that you may lose personal data if you don’t.

When you call, the scammer might ask you to give them remote access, pretend to run a diagnostic test, or tell you they have found a virus or other security issue. They try to sell you a security subscription or other “services” that range from worthless (for instance, they are available for free elsewhere) to malicious (they install dangerous software that can help them steal your personal information.)

What should you do?

If you get a pop-up to call a number to fix a virus on your computer, ignore it. Your computer is almost certainly fine. But if you are concerned about your computer, call your security software company directly.  Do not use the phone number in the pop-up or on caller ID. Use a number you know is real, like the one on a software package or your receipt. Tech support scammers like to place online ads pretending to be legitimate companies, so be sure you have the correct telephone number for the real tech company before calling.

And if someone asks you to pay for anything — including tech support services — with a gift card, cash reload card, or a wire transfer, that is a scam. No legitimate company will tell you to pay that way. If you see that, report it to the Federal Trade Commission at FTC.gov/complaint.

Phone Scams on the Increase

Phishing doesn’t only come by way of an email message. There are many ways cybercriminals can dupe unsuspecting users. Using a phone is one way that is becoming more popular as the number of cell phone users increases across the globe.

Called “vishing,” these scams are perpetrated when someone calls and tries to trick the phone recipient into falling for something. In many cases, it is a promise of something free.  In other cases, it could be a pre-approved credit offer or tech support.

A newer scam, called Wangiri, involves “missed calls.”  A scammer will call from an anonymous (usually) international number.  Some people will call that number back and when they do, they are rerouted to premium rate phone numbers. They get an automated message that keeps the caller connected until he or she hangs up the phone. These numbers rack up charges every second the phone is connected without the caller’s knowledge or permission.

Wangiri translates to something similar to “one ring and cut” in the Japanese language. That is where the scam was first used by cybercriminals. It uses one ring, then stops.

Some other reports note texts offering free prizes and contests where the victims can win money. If the number is called, a pre-recorded message comes on the line and just eats away money or credits on the phone.

It is difficult to know if an “unknown” number is legitimate or not. Recently, the Federal Communications Commission (FCC) has allowed mobile service providers to block known spoofed numbers. Authorities have discussed doing something about this, but stopping this behavior has been difficult.

What to Do?

Resist the temptation to pick up phone calls or return calls to unknown numbers. It can be a scammer. If the call is important, the caller will reach you, leave a voice-mail message or contact you in another way.  If you do pick up, never provide any confidential information to the caller.  In fact, it is best not to say a word.  Just hang up the phone.

When a person who is called says, “yes,” that they can hear the caller, their reply can be recorded and used to authorize fraudulent charges via telephone on the victim’s credit card or other account, the FCC warns.

The Better Business Bureau (BBB) offers consumers the following advice:

  • Use Caller ID to screen calls.
  • If someone calls and asks, “Can you hear me?” or “Do you have a moment?” do not answer “yes.” Scammers change their tactics as the public catches on, so be alert for other questions designed to solicit a simple “yes” answer.
  •  Make a note of the number and report it to bbb.org/scamtracker to help warn others. BBB also shares Scam Tracker information with government and law enforcement agencies, so every piece of information is helpful in tracking down scammers.
  •  Consider joining the Do Not Call Registry (DoNotCall.gov) to cut down on telemarketing and sales calls. This may not help with scammers since they do not bother to pay attention to the law, but you should get fewer calls overall. That may help you more quickly notice the ones that could be fraudulent.
  • Check your bank and credit card statements regularly for unauthorized charges. It is also a good idea to check your telephone and cell phone bills. Scammers may be using the “yes” recording of your voice to authorize charges via your phone. This is called “cramming” and it is illegal.

Call 800-366-4484 to report phone scams to the Federal Trade Commission.

Contact the Treasury Inspector General for Tax Administration to report a phone scam related to your taxes or use the “IRS Impersonation Scam Reporting” webpage.

Secure your Devices by Making Some Simple Changes

We are more connected than ever before. According to ABI Research, there will be more than 30 billion devices connected on the Internet by 2020.

Our devices are connected to the world, including laptops, mobile phones, fitness trackers, smart televisions, home security systems, thermostats and refrigerators. And, routers, access points and modems connect everything together.

Connected devices can be a security threat. One of the issues with such devices is that many of them do not come configured with security in mind and connecting an unsecure device to your network is like leaving the back door to your house unlocked as it gives attackers access to your personal information.

Manufacturers develop products to be more accessible, more user-friendly, and to make our lives more integrated. However, that can also mean we are less secure, if these devices are not properly configured. Unfortunately, some devices completely lack the option or ability to configure them, making it nearly impossible to secure them.  Unsecure devices also give threat actors the means to propagate their attacks onto others by using your unsecure devices to attack other networks and devices. Not only can your unsecure devices present a risk to you, they also can become a risk to others who can be victims of an attack from your compromised devices.

Do your Research

Do your research before purchasing a connected device, especially a device that may allow someone access into your home, such as a surveillance camera or home security system. Check the online reviews and look at the company’s website to determine if there are warnings about the security of the device and if the company issues updates and patches to fix security concerns.

What Can you Do to Secure your Devices?

When you first purchase a device, check the default settings and choose the most secure options, such as enabling a password or changing the default password to something only you know.

Here are basic recommendations to make your connected devices more secure.

  • Network or Internet access may be enabled on a device by default. Disable access for devices that do not need it.
  • Update the device operating system or firmware. The default operating software installed on a device may be out of date and/or contain vulnerabilities. Updating or patching your device’s software will reduce the chances of a successful attack.
  • Wireless access points (APs) are oftentimes configured to broadcast the SSID, or network name. Consider changing these settings to turn this feature off, which can better secure your Wi-Fi network.
  • Create two different Wi-Fi networks on your wireless router, if your router supports it. Creating separate Wi-Fi networks, using different SSIDs, allows for the ability to separate smart devices from other networked computers, smart phones and tablets. The goal of the separation is to limit the impact a compromised smart home device will have on the rest of the devices on the network.
  • Oftentimes, Wireless access points or routers are set up by default not to use encryption and not to require a password. It is always recommended to turn on WPA2 encryption for your wireless networks, and to establish a strong password with the next recommendation in mind.
  • Change passwords on all network devices, especially from default “admin” accounts, and use strong passwords of at least eight characters including UPPERCASE and lowercase letters, special characters and numbers.
  • Many mobile devices have no PIN or unlock pattern (where you swipe your finger in a specific pattern on the screen) enabled when sold. Enable PINs or unlock patterns for all your mobile devices to secure them from unwanted entry by others.
  • Automatic updates are often disabled by default. Turn on this setting to ensure your device receives important security updates when they are released.
  • Many mobile devices support remotely wiping the device, if the device is lost or stolen. Enable the remote wipe functionality in case the device is lost or stolen.
  • Turn off location services, if not needed.
  • Cameras and audio input may be enabled by default on certain devices and applications, giving an attacker access to surveillance. Disable these features, if not needed.
  • Replace unsecure devices with more secure ones.

*Information from the MS-ISAC monthly Security Tips Newsletter


IRS Warns of Tax Season Scams

The IRS is warning of a significant increase in a tax scam that gives victims a refund, then requests it back.

Scams are quite timely around income tax filing time. W-2 forms include details that are valuable on the dark web, such as social security numbers.

There are a few ways to protect yourself from fraud that can occur when someone uses your social security number.

  • Regularly check your credit reports. Request one report every four months from a different one of the three major bureaus (Experian, Equifax, TransUnion). This will help you keep better tabs on your credit and potential fraud.
  • File your income taxes earlier. The sooner you can do this, the less likely your information will be used to steal your tax refund.
  • If there is no need for anyone to access your credit, consider freezing it. There may be a cost in your state; however, it is well worth keeping your credit reports out of the hands of someone who wants to open accounts in your name and just not pay the bills.

If you receive a request from someone specifically requesting W-2 information, make sure to independently confirm the identity of the individual via a separate phone call to the company, by paying a personal visit, or by sending a separate text. Do not reply to the email.

The IRS also is warning of another scam that involves a “refund” deposited in the victim’s actual bank account. Once acquiring sensitive information, such as social security numbers and bank account numbers, the scammers file false returns, have an amount of money deposited into the actual account and then ask for it back.

They do this by posing as IRS agents who explain to the victims that it was a mistake, have them return the “refund” to the scammer’s account and then they pocket the money.

The IRS has detailed instructions on its website for returning mistaken refunds to them.

Remember, the IRS will never initiate contact in email, by phone, or in a text message. This will be done using the U.S. Postal Service.

The IRS believes the\is information is being stolen from tax preparers.


Identity Theft Isn’t Only Problematic for Online Users

You can be a victim of identity theft even if you never use a computer.

Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it.

If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans.

The Internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases. If a thief can access the database, he or she can obtain information about many people at once rather than focus on one person at a time.

The Internet also has made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals.

How are victims of online identity theft chosen?

Identity theft is usually a crime of opportunity, so you may be victimized simply because your information is available. Thieves may target customers of certain companies for a variety of reasons; for example, a company database is easily accessible, the demographics of the customers are appealing, or there is a market for specific information. If your information is stored in a database that is compromised, you may become a victim of identity theft.

Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a victim of online identity theft. However, there are ways to minimize your risk:

  • Do business with reputable companies – Before providing any personal or financial information, make sure that you are interacting with a reputable, established company. Some attackers may try to trick you by creating malicious websites that appear to be legitimate, so you should verify the legitimacy before supplying any information.
  • Take advantage of security features – Passwords and other security features add layers of protection if used appropriately.
  • Check privacy policies – Take precautions when providing information, and make sure to check published privacy policies to see how a company will use or distribute your information. Many companies allow customers to request that their information not be shared with other companies. You should be able to locate the details in your account literature or by contacting the company directly.
  • Be careful what information you publicize – Attackers may be able to piece together information from a variety of sources. Avoid posting personal data in social media or public forums.
  • Use and maintain anti-virus software and a firewall – Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. Make sure to keep your virus definitions up to date.
  • Be aware of your account activity – Pay attention to your statements, and check your credit report yearly at each of the three major credit agencies. You are entitled to a free copy of your credit report from each of the main credit reporting companies once every twelve months. Go to AnnualCreditReport.com for more information.

How do you know if your identity has been stolen?

Companies have different policies for notifying customers when they discover that someone has accessed a customer database. However, you should be aware of changes in your normal account activity. The following are examples of changes that could indicate that someone has accessed your information:

  • unusual or unexplainable charges on your bills
  • phone calls or bills for accounts, products, or services that you do not have
  • failure to receive regular bills or mail
  • new, strange accounts appearing on your credit report
  • unexpected denial of your credit card

What can you do if you suspect or know that your identity has been stolen?

Recovering from identity theft can be a long, stressful, and potentially costly process. Many credit card companies have adopted policies that try to minimize the amount of money you are liable for, but the implications can extend beyond your existing accounts. To minimize the extent of the damage, take action as soon as possible:

  • Start by visiting IdentityTheft.govThis is a trusted, one-stop resource to help you report and recover from identity theft. Information provided there includes checklists, sample letters, and links to other resources.
  • Possible next steps in the processYou may need to contact credit reporting agencies or companies where you have accounts, file police or other official reports, and consider other information that may have been compromised.

Other sites that offer information and guidance for recovering from identity theft are:

New Year’s Resolution: Manage Passwords for Top Security

SplashData, a password management company, has released its annual list of top worst passwords for 2017.

After reviewing five million passwords leaked in 2017, SplashDash released the list of most popular, and therefore dangerous, passwords.

As usual, “123456” and “password” remain as the top two most popular passwords, but “starwars” is a newcomer to the list. “Football” is the only sport being used as a password in the top 10 worse passwords for 2017, but “hockey” comes in at 78 among the top 100.

Hackers are using common terms from pop culture, entertainment and sports to break into accounts online because they know many users are creating those easy-to-remember passwords.

Password Tips to Remember

Some users opt for a password which looks nonsensical, but is among the least secure because it follows a pattern on the keyboard. For example, “qazwsx” is a newcomer, joining “qwerty,” which ranks fourth behind the third-place worst password “12345678.”  Some users tried to be creative with “querty,” but it fails as a good password, too.  Avoid sequential key variations or common patterns when creating a password.

Swapping the letter “o” with the number “0” may seem like a good idea to change your password, but SplashData points out that trick is not so slick since the worst passwords list includes six variations of the top two worst passwords by replacing “o” with “0” or adding extra digits to a numerical string.   Hackers know the tricks, and merely tweaking an easily guessable password does not make it secure.

So, what’s wrong with “123456,” “qazwsx” and “qwerty?” They are only six characters long.  Technology security experts say the minimum character length is eight to create a strong password, and often recommend 10 to 12 characters to maximize the length of time a computer or a botnet would need to crack the password.  Next, the digits and letters are all in order.  They are easily guessable and easily crackable, especially using brute force methodologies. They need a mix of upper and lower case letters, numbers and symbols.

“Password1,” “Abc12345,” “Jeb2016!” and “Passw0rd” are not any better, despite having mixed case, numbers and special characters. Never use dictionary words, common terms, names, brands, etc. when choosing passwords.  Substituting some of the letters for numbers or symbols is not unique.  Password crackers know to include words like “vuln3rabl3” or “Trustno1” on their look-up tables.

Never use personal identifying information to create a password, such as your name, social security, driver’s license or account numbers.

Do not recycle passwords or versions of them. Do not re-use passwords on multiple accounts. This adds additional risk if one account is breached that your password will be tried on other accounts.

Do not write down your password on a sticky note and put it on your desk. Security experts do recommend writing down important passwords and storing them in a safe deposit box so a family can unlock an account in case of an accident or death.

Schedule regular password changes. Like changing batteries in protection devices, such as smoke detectors or sump pump alarms, or reviewing your credit report at each of the credit bureaus, creating new passwords on a routine basis should be part of your personal security plan.

Making sure that your passwords are as secure as possible is a good resolution for the new year that is not hard to keep.

Safety Tips for Holiday Shoppers

During the holiday shopping season, shoppers are looking for the perfect gifts. At the same time, criminals are looking for sensitive data. This data includes credit card numbers, financial accounts and Social Security Numbers. Cybercriminals can use this information to file a fraudulent tax return.

The IRS is partnering with state tax agencies, the tax industry and groups across the country to remind consumers and businesses about the importance of data protection.

Anyone with an online presence can do a few simple things to protect their identity and personal information.

Following these steps also can help taxpayers protect their tax return and a refund in 2018:

  • Shop at familiar online retailers. Generally, sites with an “s” in the “https” of the URL are secure. Users can also look for the “lock” icon in their browser’s URL bar. However, some criminals may get a security certificate, so the “s” may not always mean a site is legitimate.
  • Avoid unprotected Wi-Fi. Users should not do online financial transactions when using unprotected public Wi-Fi. Unprotected public Wi-Fi hotspots may allow thieves to view transactions.
  • Learn to recognize and avoid phishing emails that pose as a trusted source. These emails can come from a source that looks like a legitimate bank or even the IRS. These emails may include a link that takes the user to a fake website. From there, the thieves can steal usernames and passwords.
  • Keep a clean device. This includes computers, phones and tablets. Users should install security software to protect against malware that may steal data. This software also protects against viruses that may damage files.
  • Use passwords that are strong, long and unique. Experts suggest a minimum of eight to 10 characters, using a combination of letters, numbers and special characters. Use a different password for each account.
  • Use multi-factor authentication when available. Some financial institutions, email providers and social media sites allow users to set their accounts for multi-factor authentication. This means users may need a security code, usually sent as a text to their mobile phone, in addition to a username and password.
  • Sign up for account alerts. Some financial institutions will send email or text alerts to an account holder when there is a withdrawal or change to their accounts. Generally, people can check their account profile to see what added protections may be available.
  • Encrypt sensitive data and protect it with a password. Consumers and businesses who keep financial records, tax returns or any personal information on their computer should protect this data. Users should also back up important data to an external source. When disposing of a computer, mobile phone or tablet, make sure you wipe the hard drive of all information before trashing.


Children Can Be Victims of Identity Theft

Children can be targets of cybercriminals. too.

Some statistics report one in 40 kids have been victims of identity theft.

According to law enforcement authorities, more than one million children have their identities stolen each year.  Half of the children are under the age of six and in more than 50 percent of these cases, the perpetrator is someone known by the victim.

Cyberthieves attack children because the risk of being detected is low.

Gaming sites and apps are targeted frequently, which is why children often become victims of identity theft.

A keylogger is software that records keyboard strokes. Keylogging malware sends all that information back to attackers.  If a child downloads an infected game and a keylogger ends up on that device, anything that is typed is captured.

Public internet-connected computers are common locations to find keyloggers, such as those in hotel business centers, internet cafes, and retail outlets that have an available computer for customers to use. However, those are not the only places they can be found.

If you allow your children or grandchildren to connect to Wi-Fi at a public place, such as the library, a hacker may be sitting nearby, able to trick them or you into connecting to a phony access point. Kids are sharp cookies, and some can connect in a flash. You may not realize it happened until it is too late.  If that happens, a hacker can potentially trick a child into downloading software or apps to the device that will also log all their keystrokes.  Keylogging is not limited to computer keyboards.  It also can affect touch screens.

Remember, that even if a Wi-Fi connection in a public area requires a password, that does not mean it is secure. No connection is ever going to be 100 percent secure.

Children have social security numbers and are susceptible to cybercrime. Lower your child’s risk of becoming a victim of identity theft by checking their credit at annualcreditreport.com every time you check your credit report.

Always ask why someone needs a child’s social security number, including health care providers and schools.  If they can not give you a satisfactory answer, do not provide it.


8 Ways to Avoid Ransomware Attacks

Ransomware is a form of malware used by cyber criminals to freeze your computer or mobile device, steal your data and demand a “ransom” be paid — typically from a hundreds to thousands of dollars.

Ransomware can affect individual computers or laptops, enterprise networks and or servers used by government agencies, financial institutions and healthcare providers.

American Federal Bank recommends the following tips to help individuals and businesses avoid ransomware attacks:

Tips for Consumers

  • Don’t click. Visiting unsafe, suspicious or fake websites can lead to the intrusion of malware. Be cautious when opening e-mails or attachments you don’t recognize even if the message comes from someone in your contact list.
  • Always back up your files. By maintaining offline copies of your personal information, ransomware scams will have a limited impact on you. If targeted, you will be less inclined to take heed to threats posed by cyber criminals.
  • Keep your computers and mobile devices up to date.  Having the latest security software, web browser and operating system are the best defenses against viruses, malware, and other online threats. Turn on automatic updates so you receive the newest fixes as they become available.
  • Enable popup blockers. To prevent popups, turn on popup blockers to avert unwanted ads, popups or browser malware from constantly appearing on your computer screen.

 Tips for Businesses

  • Educate your employees. Employees can serve as a first line of defense to combat online threats and can actively help stop malware from infiltrating the organization’s system.  A strong security program paired with employee education about the warning signs, safe practices, and responses aid tremendously in preventing these threats.
  • Manage the use of privileged accounts. Restrict users’ ability to install and run software applications on network devices, in an effort to limit your networks exposure to malware.
  • Employ a data backup and recovery plan for all critical information. Backups are essential for lessening the impact of potential malware threats. Store the data in a separate device or offline in order to access it in the event of a ransomware attack.
  • Make sure all business devices are up to date. Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans so that your operating systems operate efficiently.

Contact your local FBI field office immediately to report a ransomware event and request assistance.  Visit https://www.fbi.gov/contact-us/field to locate the FBI office nearest you.