November 2019- How Important is Your Telephone Number?
Imagine that your mobile phone stops working. No more web access, no text messages and no phone calls. What happened? You may be the victim of an increasingly common SIM Card Swap, in which a bad actor hijacks your cell phone number.
How does it happen? Bad actors are practiced in what they do. Learning your telephone number, they contact and convince your cell phone service provider to activate or transfer your SIM card, your telephone number, to a new device, often claiming that the old device was lost.
Armed with your phone number on their device, a bad actor could:
• Open a new cellular account in your name or buy a new phone with the information.
• Reset your online banking and account passwords by intercepting One-Time-Password/PIN (OTP) that are texted to you.
• Intercept ‘call-back verification’ calls that financial institution’s use to verify your identity and intent.
How can you protect yourself?
• Avoid sharing your telephone number, or any contact or personal information, with any business until you know what it will be used for, if it will be disclosed, and how it will be protected. If the information is not required, don’t share it.
• Don’t reply to calls, emails or text messages that request personal or contact information.
• Contact your cellular service and add a codeword or PIN to your account and require it for any changes. Also ask to be alerted when any change happens.
If it happens–Alert your cellular service provider.
• After you re-gain access to your phone number, change the account passwords. Also take time to review your online accounts for any activity, including changes to the email address and telephone numbers.
– The TBA Credit Union Privacy & Security Team
August 2019- Gift Card scams are on the rise. TBACU members are a big help in educating other members and the public of fraud and scams. With several reports lately, it seems that gift card scams may be on the rise.
This type of scam starts when you’re promised a product, service or even payments on debt and asked to pay by purchasing gift cards with your own money. Next, the perpetrator requests the gift card numbers/IDs from the back of the cards. Then, the perpetrator uses or cashes-out the card, but never provides product or service. While there are variations of this scam that pull at your heartstrings, ask for donation to help in a disaster, promises romance, or to help pay for medical bills, often it includes providing gift cards numbers/IDs.
Generally speaking, no reputable person, business or government agency, including the IRS, will ask you to purchase and share a gift card.
If you answer ‘no’ to these questions, someone may be trying to take advantage you:
- Did you initiate contact with them?
- Have you worked with the person or business before? Do you know them, are they reputable?
- Upon researching, does the business normally ask for payment via gift card?
- Have you received the product or service, as promised? Are you satisfied with it?
Avoid being a victim:
- Use a credit or debit card to pay. There are built-in fraud controls and consumer laws to help protect you against unauthorized purchases.
- Add your telephone numbers to the Do-Not-Call Registry. Reputable organizations will respect your choice to not be solicited.
- Transact directly with businesses and agencies using their official website, telephone number or brick-and-mortar location.
- Don’t be fooled into doing something you or someone else normally wouldn’t do. Ask questions.
- If you’re suspicious, ask a friend or family member for help.
- If you’re ‘coached’ on what to say, or told not to tell anyone, you’re being taken advantage of.
December 2018–A breach at Marriot International / Starwood exposed the personal information of 500 million people and started in 2014.
October 2018–A Google + bug allowed developers to access personal data from 500,000 users who had installed their app.
September 2018–Facebook continues to be in the news. Bugs in one of there services exposed account contents and activity of 50 million Facebook, Instagram, and WhatsApp users.
Phishing. Don’t Get Hooked.
Phishing, or using email to trick you into sharing passwords or private information, is still a big problem and has led to a number of multi-million dollar security incidents over the recent years.
Here are a few easy tips to help recognize phishing and protect your information and accounts.
- Create two email accounts. Limit one for creditors, financial institutions, insurance companies and any official business. Don’t share this address with anyone else. Create a second email account that you can readily share with friends, family, newsletters. Fake email will stand out.
- Manage Your Inbox and Accounts. Download important messages to your local computer. Delete unwanted messages and any that have personal or private information. I’d even delete the Sent and Deleted folder contents. Why? If bad actors get into your account this will limit what they can get.
- Mark spam messages as spam. This will help ‘train’ the filter.
- Think Before You Open a Message.
- Is the sender’s name AND email address unrecognized?
- Is it a catalog or newsletter you didn’t ask for?
- Is the message threatening, urgent or pulling your heartstrings? Your account will be locked or your credit card will be closed if you don’t respond right this moment. What about fake ‘charities?’ Each natural disaster prompts bad actors to ask for money too.
- Is the email or website address misspelled? When hovering your mouse over the link, is the address different?
- Is it out of the norm for the sender to send that kind of message or attachment, or at that time of the day?
If you answered Yes, you should avoid opening the message, or clicking on the attachment or link.
It would be best to call or contact the sender directly, but NOT using the phone number in the email.
Own IT, Secure IT, Protect IT
National Cybersecurity Awareness Month is a great opportunity to take stock of your personal data and devices and take basic steps to protect them.
Own Your Digital Profile
Internet-based devices are present in every aspect of our lives, and that constant connection presents opportunities for cybercriminals. We don’t have to avoid using technology, but let’s balance convenience and security.
- Know What to Protect–Personally-Identifiable Information is any information that can be used to distinguish or link to you. Your name, alias, email address or social security number may seem obvious, but even your picture, internet surfing and purchasing habits, employment, medical, and beliefs are linkable to you. These are the puzzle pieces of information you want to protect.
- It’s Your Property, Don’t Give it Away– Before you register in that next contest, complete a survey for a retailer or post to your social media account, know what your information will be used for. Will it be given away or sold? Can it be linked back to you? Read the fine print first. Also make sure you are cross-shredding and destroying all documents before you recycle or throw them away.
Secure Your Digital Profile
Cybercriminals are good at getting personal information from us, and the methods are getting more sophisticated. Protect against cyber threats by learning about security features available on the equipment and software you use.
- Devices–Any device in your home that is connected to a network or the internet, e.g. mobile phone, TV, computer, burglar system, thermostat, etc. needs to be secured.
- Keep devices and software up-to-date. Call a local computer service company for help.
- Use strong passwords passphrases. Yes, passwords have been replaced. Using four, unrelated words, numbers and special symbol is much easier to remember and just as secure. Enable multi-factor Authentication (MFA) wherever it’s available.
- Install anti-virus software.
- Zero Trust–Criminals will try anything to get at your money and data. Using the latest disaster to pull at your heartstrings, scare or threat tactics, or even pretending to be helpful. Don’t be duped into sharing your personal information or hard-earned money. Hang up the telephone. Never allow anyone to have remote access into your computer.
To protect yourself from becoming a cybercrime victim you must understand, secure and maintain your digital profile. Visit https://www.dhs.gov/be-cyber-smart/campaign for more resources.
- Take inventory and steps to limit the personal data you have in your phone, laptop, wallet, purse and automobile, and assume it will be lost or stolen someday.
- Practice safe surfing and avoid opening email links and attachments from people you don’t know, a message you weren’t expecting or that seems uncommon for the sender.
- Pay attention to the websites and people your children and grandchildren communicate with. They don’t always understand the threats or how to be safe.
- Freeze your credit profile with each of the credit bureaus.
- Share what you’ve learned with your family and friends.
Thinking About Your Safety
What a beautiful place we live in. How can we work together and help keep our neighborhoods, work and play places, and community a little safer, and maintain our way of life? As your body cannot go where your mind has never been, even contemplating a few basic personal safety actions can help you prevent an incident and safely respond.
Be aware of your surroundings. Whether at a restaurant, ballgame or a friend’s home, knowing where you are, how you got there, and the safest exit route can help you quickly and safely respond to a fire, accident or violence. Remember, a door may not be the fastest or safest exit route.
Do you have a Fire and Safety plan for your family? Have you talked it through with them or had a drill? Does everyone know how to escape, where to meet and who to call? It may sound unnecessary but having even a simple plan and talking it through may make the difference to your safety and survival. No plan? Let’s get you started with this sample escape plan and the Smart911 Lifesaving tool.
Reach out, get to know your neighbors. Not only may they have sugar for your recipe or a tool for your project, building a rapport encourages everyone to value their surroundings and to pay attention to what’s going on there. It’ll be easier to identify suspicious persons or activity when everyone is watching and working together. Neighborhood Watch programs continue to pop-up in our region, does your neighborhood have one?
Lock your automobile, home, and garage at night. You are more vulnerable when you are sleeping, and while the likelihood of someone breaking into your home seems low, a locked deadbolt on your doors tells the would-be perpetrator to ‘move on.’ If it’s valuable to you, it may be valuable to someone else who wants to take it.
Build rapport with Law Enforcement. Serving and protecting, men and women in uniform are eager to help maintain a safe community, it’s better for everyone. If you see something, say something. Reporting to 9-1-1 or inviting a patrol car to your neighborhood lets your neighbors, and the bad actors, know that you are paying attention.
Firearms in the house. Owning a firearm has responsibilities. Keeping it out of reach and education are a few of the many ways to protect children. Does your daycare or babysitter safely store their firearms?
What about safely using an ATM? Bad actors are after valuables, and cash is high on the list, so here are a few actions to consider:
- Avoid using an ATM in an unlit or un-trafficked area at night.
- Pay attention to bushes, fencing, and any obstruction that may allow a perpetrator to hide.
- Use the same ATM when possible. You will more easily detect anything anomalous.
- At drive-up ATMs, keep your vehicle running, windows up and doors locked.
- If anyone follows you to or from an ATM, go immediately to a crowded, well‐lighted area and call the police. Don’t accept help from a stranger.
- Avoid leaving an ATM/banking receipt at or near an ATM or in a public trash can. It may include valuable information about you such as your available balance.
- If you ever notice any lights burned out, covered or not bright enough, at any of our ATMs, please let us know by contacting our Service Center at 231.946.7090.
Keeping Your Personal Information Private
Have you ever searched your name online? How did those sites get so much private information about you? What are they doing with it? Taking control of your personal information is a great step to avoid being a victim of a data breach or identify theft. Finding a balance between convenience and privacy, here are a few ideas:
- Avoid sharing secrets. While sharing private details of your life on social media, be aware it’s online forever. Avoid sharing where you live, answers to your security questions, vacation plans, occupation, pet or family members’ names, at least. Own your online presence and read those Facebook, Twitter, WhatsApp, etc. privacy controls.
- Children’s Online Safety. Educate your children on what information is appropriate to share, and why. Periodically discussing their email, social media postings and website choices can help keep them safe and create an open conversation about their wellbeing.
- Freeze your Credit Profile with Each Bureau. Start with the top four credit bureaus. Limiting access to your profile greatly reduces bad actors’ ability to open banking or utility accounts.
- Do Not Call Registry. Adding all your family’s telephone numbers will reduce those unsolicited, disruptive sales calls. While charities and unscrupulous companies will call anyway, at least you know why they are calling. Visit https://www.donotcall.gov
- Direct Mail. Reduce unrequested catalogs and junk mail from overwhelming your mailbox. Remove your name from direct mail solicitation. Visit https://dmachoice.thedma.org
- Avoid Pre-Screening. While you’re reviewing your credit reports for fraud, opt-out of credit pulls for pre-approved credit and solicitations. Get your free, annual report at https://www.annualcreditreport.com/
- Eavesdropping on your telephone conversation. Be discreet when talking about private information on your phone when in public. Loud or speaker-phone conversations may be sharing private details about your family, your home or yourself.
- Is your home listening device sharing your information? Devices that are always listening are hearing and likely recording everything your family says. Their convenience is great but knows who your information is being shared with and where it is being sent.
- Be aware of shoulder surfing. Take steps to block other’s view when you are entering your ATM PIN, mobile phone Code, online account password, etc.
- Limit what information you keep in your wallet, purse, vehicle, mobile phone, table, etc. Assume that it will be lost or stolen someday, so take precautions.
Privacy Precautions While You Are Online
Websites and browsers are tracking your activity and presenting targeted advertisements. It can be a helpful service but all that data about you, your identity, location, persuasions, interests, health etc., is aggregated, stored and possibly sold. Search online for browsers and settings to limit or avoid the collection of your purchasing or browsing activity.
Is Your Email Sharing Information? Many ‘free’ email services ‘read’ your email for details about you–names, contacts, addresses, interests, buying habits, health–and formulate a profile and serve ads. If the email service is ‘free,’ your personal information is likely the product. Some email service providers go to great lengths to help you manage your privacy. A simple online search will identify them.
- Email isn’t Secure. Unless your email is encrypted, avoid sending private information in a message. There are relatively easy ways for a bad actor to capture your messages.
- Email isn’t for Storage. Assume it’ll be hacked someday and limit what’s in it. While overly cautious, periodically delete your Sent messages, clean out your Inbox, and even delete your Contacts if you store them elsewhere. Then, delete the contents of your Deleted folder.
- Spam. Don’t unsubscribe or reply to an email that you did not sign-up for or request. By replying or unsubscribing to spam, you are confirming that your email address is a legitimate address, and you will receive more.
HTTPS://. Look for HTTPS:// in the website address and avoid entering personal or financial information or a password into a site that HTTPS is not the prefix. It’s the ‘S’ that makes the difference.
Avoid using Public or Free Wi-Fi to log into banking or private accounts. You don’t know who really created the network or if or how it is secured. Is it truly McDonalds’ Wi-Fi, or a bad actor who used the same name?
Location Services. Some mobile apps request access to your location, contacts, camera or microphone. Avoid services and apps you aren’t planning to use and review the configuration of your mobile device to learn which apps are accessing your private content and determine if there is a legitimate need.
Securing Your Computer
Manage software. Remove software from your computer that you are not using. Software has bugs. For software that you intend to keep, ensure it is supported and up-to-date. Software makers don’t support or provide software updates forever. This is often found under the software’s About or Help button.
Updates. Keep your computer’s and router’s firmware and Operating System (OS), current to help manage the vulnerabilities and bugs it may have. Most systems can be configured to automatically update on a schedule. Confirm this is happening on your computer and router.
Passwords. Avoid using account or identification numbers or personal information. For important accounts, make the passwords unique. If multi-factor, multi-step or MFA is available, start using it today. By sending a code or PIN to your phone, or registering your computer’s IP, you can increase the security of your account. As for passwords, making them easier to remember and more secure could be choosing: Three or Four unrelated words + Number + Special Character. Like this: BlueChickenDiamond23!
Anti-Virus Software. With the many, even free, AV software that is available, make sure that each computer is running the most current version.
Email Links and Attachments. Many computer viruses and fraud use hacked email accounts, so before you open an email message, confirm that you were expecting it, it’s from someone you know, and the content, request, style or time of day matches what you would expect from the person. Avoid opening links or attachments if you are at all suspicious. Ask yourself…
Shred your Papers. Use a cross-shredder to ensure that the documents you put in the trash or recycle cannot be traced or linked to you. Don’t let someone dig through your trash or dumpster dive to find your personal information.
How Would I Discover that I’m a Victim of Identity Theft?
- Regularly review banking, investment and insurance statements and online accounts. If discover unauthorized transactions or activity, immediately report it.
- Review your credit reports. https://www.annualcreditreport.com/ is the only site for free credit profiles from the top three bureaus, so retrieve one, wait four months, then retrieve another… Review your child’s as well.
- Identity Theft Protection services likely do not prevent fraud or Identity Theft, but can alert and help respond to it. It’s really an insurance policy and may provide piece of mind. Read the fine print though. Also, contact your homeowners’ or renters’ insurance policy. You may have coverage and not even know it.
- You’ve an increase in email spam or unsolicited phone calls. If so, don’t reply, merely block the phone number or email address. If they’re too numerous , you may need to change your email address or your telephone number.
How Can I Respond to Identity Theft
So the bad actors have your personal information and are using it. What can you do?
- Notify each banking, investment and insurance institution. Request a ticket/claim number for each report.
- Contact your homeowners’ insurance provider. Your policy may help you recover.
- Take your computer, tablet and mobile phone to a reputable computer tech to check for malware, remote access and updates.
- Using a secure, cleaned, updated computer:
- Change the password for each online account–banking, email, medical, social media…
- Change the administrator and network passwords to your home wi-fi router.
- If you’ve not, immediately freeze your four credit profiles. https://www.tbacu.com/resources/security-alerts/. In that process, declare that you are an identity theft victim.
- If you’ve not, file your taxes.
- Report to https://www.identitytheft.gov/
- Document each step. Who you contacted and the date. This may help with a claim or uncover how the data was stolen.
- You may need to open new banking accounts.
- Regularly review your banking, medical and investment statements, and your credit report at https://www.annualcreditreport.com/
Should your report it to local law enforcement? It never hurts, however many times the crime happened outside of their jurisdiction.