New Year, New Privacy Settings
While January 28, 2022 marks the 15th annual Data Privacy Day, each of us faces privacy concerns on a daily basis. If our private information becomes public, it can affect our credit ratings, employment options, and even our safety. In this month’s cybersecurity tips newsletter, we’ll focus on steps you can take to maintain privacy on social media. If you’re one of the lucky few who can live your life unplugged from Facebook, TikTok, and the like, you’re in the clear. If you find yourself among the majority of us who either want or need to engage with others via social media, then here are some tips and tricks to stay safe and secure.
Protect Your Accounts
Social media accounts are under constant attack by cybercriminals. Your account can give a scammer a good way to infect your friends with messages that come from a trusted source (i.e., you). There are three simple steps you can take that will thwart most attacks:
- Use long, unique passphrases: Criminals get your account details from breaches and malware. If you use the same passphrase everywhere, cybercriminals will have access to all of your accounts. Consider using a passphrase with multiple words, such as DenverIsBeautiful. It’s easy to remember and tougher to crack.
- Use Multi-factor Authentication (MFA): MFA, sometimes called two-factor authentication (2FA) or advanced authentication, makes it almost impossible for someone else to log in to your account, even if they have your password. You trade the minor inconvenience of entering a one-time code for the huge benefit of keeping the baddies out of your stuff. Turn this on everywhere you can!
- Update Everything: Yes, everything. Keep your operating systems current on your computers, phones, apps, and internet-connected devices. Turn on automatic updates and reboot when prompted. Networks are usually not compromised because of brand new, 0-day vulnerabilities. Instead, they are breached because a patch was never installed for a bug that was fixed months (or years) prior.
Reduce Your Attack Surface
- Your attack surface is the sum of all the ways your information can be compromised. Every account with your personal data or app with a security flaw adds to it. You can reduce your potential vulnerability by deleting online accounts you no longer use and uninstalling apps you no longer need so they can’t be used against you. With fewer things to manage and update, you can focus on protecting what is actually important.
Tweak Your Privacy Settings
- All major services offer privacy settings to limit what you share publicly. It may take a bit of exploration to find them, but you can use these tools to control your exposure. Pay special attention to location settings, permissions for facial recognition, who can tag you, and who can see your posts. Also, check the details you publish such as your hometown, birthday, family members, and where you work. Consider removing all of them.
- If it’s allowed by the service you use, you can go a step further by not using real information, such as your full name or actual date of birth. Don’t forget to check who can find you by your phone number and remember to also change your vanity name or username so it won’t give you away.
Don't Let Your Photos Betray You
- The photographs you upload to social media or share elsewhere online can expose your face, your address, the valuables you keep at home, the car you drive, and more. Keep this in mind before you post an image that might tell a stranger things you’d rather keep to yourself. Avoid sharing anything with your house number, license plate, or documents in view. For your kid’s safety, watch what they share online as well.
- Photos uploaded to major social media sites are scrubbed so that the metadata – hidden details that live within a picture or video file – are removed. Not all services protect you in the same way, and these metadata are always present when you email a file. Unless you disable the feature, your camera app is probably set to store your location, which makes it easy for a criminal to see the exact latitude and longitude where a photo or movie was taken.
Would You Like To Know More?
These links will lead you to more resources to help protect your privacy:
- National Cybersecurity Alliance: Data Privacy Week
- FTC: Protecting Your Privacy Online
- CISA: Online Privacy Tips
While it’s almost impossible to remain anonymous in 2022, there’s no reason to make it easier for criminals to take advantage of you. Information you share online, even if it’s restricted today, may go viral tomorrow. The best way to protect yourself is to avoid posting anything you wouldn’t want your grandmother to read in your local paper. You can’t regret a photo you never take.
Once you upload a picture or write an angry tweet, you lose control of it, and anyone with a screenshot can continue to spread it long after you press the delete button. Search for yourself online every now and again to see what others will find when they look for you. Opt out of any websites that share your personal details. Invest some time to ensure that a would-be attacker will be frustrated and move on to easier prey.
Perfect privacy is impossible, but by being careful you can stack the odds in your favor. Stay safe, take care, and have a secure and Happy (Cyber) New Year!
Information provided by MS-ISAC
How to Avoid Romance Scams
It’s well known that people online aren’t always as they appear. However, tens of thousands of internet users fall victim to online romance scams each year, and it can happen to anyone. These scams can be incredibly convincing and are increasingly found across dating sites and social media platforms. Bad actors are very good at appealing to victims’ emotions and feigning personal connections, with the intention of stealing large sums of money and personal information. Luckily, there are ways to identify a scam and protect yourself online.
Tips for staying safe online:
- Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it might affect you or others. Consider creating an alternate persona that you use for online profiles to limit how much of your own personal information you share.
- Be wary of communications that push you for immediate action or ask for personal information. Never share personal information through email, especially if you do not know the sender.
- Consider setting your social media profiles to “private”. This will make it harder for scammers to target and communicate with you. A public profile will make it easy for scammers to find your profile and learn about you through old posts and photos.
- If you are unsure whether you are being scammed, do a reverse image search of the potential scammer’s profile picture. You may see that the image belongs to a completely different person, or has been affiliated with different online identities.
Scammers can be very convincing; however, there are ways to identify a scammer, including, but not limited to, the following red flags:
- There’s a request for money for urgent matters, such as medical expenses or a plane ticket. Never send money to someone you haven’t met in person.
- Common forms of money requested by scammers are wire transfers or pre-loaded gift cards.
- The person claims to live far away, overseas or be in the military.
- The relationship is moving very fast.
- They break promises to see you in person.
- There’s pressure to move the conversation off the platform to a different site or text app.
If you believe you or a loved one are the victim of a scam, it is important to take the following steps:
- Cease communications with the scammer immediately.
- Take note of any identifiable information you may have on them, such as their email address.
- Contact your bank or credit card company if you think you’ve given money to a scammer.
- File a police report.
- Report the scammer to the FTC at ftc.gov/complaint and the FBI at ic3.gov.
- Notify the website or app where you met the scammer.
Information provided by National Cybersecurity Alliance
Spoofing Scams on the Rise this Holiday Season
We have recently been made aware of "spoofing" scams in and around our communities. Spoofing is when the caller falsifies the information sent to your Caller ID to disguise their true identity. This tactic is used to trick someone into providing their personal information so it can be used for fraudulent activities. Recent reports include calls seemingly coming from retailers, government agencies and financial institutions.
What you need to know:
Be careful of callers immediately requesting your personal information.
- Never give out your account information, social security number, family maiden names or passwords. Profile Bank will never ask you for your account number even if the call looks like it's coming from the Bank.
- If you are suspicious of the caller, end the call and research the company's contact information. Call the phone number listed on their website to verify any requests.
- If you have a voice mailbox, make sure you have set a password for it to prevent hackers from accessing your messages.
How do I report suspected Spoofing?
If you receive a call and you suspect the Caller ID information has been falsified, you can file a complaint with the Federal Communications Commission. If you have provided your financial information to the caller, you should contact us immediately for information on how to close your account or deactivate your debit card.
Wireless Connections and Bluetooth Security Tips
Wi-Fi networks and Bluetooth connections can be vulnerable points of access for data or identity theft. Fortunately, there are many ways to decrease your chances of becoming a victim.
Encryption is the best way to keep your personal data safe. It works by scrambling the data in a message so that only the intended recipients can read it. When the address of a website you're visiting starts with "https" instead of "http," that indicates encryption is taking place between your browser and the site.
The two most common types of encryption are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). The strongest one commonly available is WPA2, so use that if you have the option. Home Wi-Fi systems and public Wi-Fi access points, or "hotspots," usually will inform you of the encryption they use.
Public Wi-Fi Access
Many Wi-Fi users choose to use public networks instead of their devices’ data plans for accessing the internet remotely. But the convenience of public Wi-Fi does not come without risk. If you’re not careful, a hacker can access your connection in a matter of seconds, and potentially put sensitive information stored on your device and in online accounts at risk. Here are some steps you can take to minimize the risk:
- Check the validity of available Wi-Fi hotspots. If more than one hotspot appears claiming to belong to an establishment that you're in, check with the staff to avoid connecting to an imposter hotspot.
- Make sure all websites you exchange information with have "https" at the beginning of the web address. If so, your transmitted data will be encrypted.
- Install an app add-on that forces your web browsers to use encryption when connecting to websites -- even well-known sites that may not normally encrypt their communications.
- Adjust your smartphone's settings so it does not automatically connect to nearby Wi-Fi networks. This gives you more control over where and when you connect.
- If you use public Wi-Fi hotspots on a regular basis, consider using a virtual private network, which will encrypt all transmissions between your device and the internet. Many companies offer VPNs to their employees for work purposes, and individuals may subscribe to VPNs on their own.
- When transmitting sensitive information, using your cellphone data plan instead of Wi-Fi may be more secure.
Bluetooth connections to your mobile devices can be very useful, from connecting a wireless headset to transferring files to enabling hands-free calling while you drive. Most of the time, a user must allow a Bluetooth connection to occur before data is shared – a process called “pairing” – which provides a measure of data security. But just like Wi-Fi connections, Bluetooth can put your personal data at risk if you are not careful. Here are some steps you may wish to take when using Bluetooth:
- Turn Bluetooth off when not in use. If you keep Bluetooth active, a hacker may be able to discover what other devices you connected to before, spoof one of those devices, and gain access to your device.
- If you connect your mobile phone to a rental car, a good deal of data from your phone may get shared with the car. Be sure to unpair your phone from the car and clear any personal data, such as call logs and saved numbers, from the car before you return it. Take the same steps when selling a car that has Bluetooth.
- Use Bluetooth in “hidden” mode rather than “discoverable” mode. This prevents other unknown devices from finding your Bluetooth connection.
Home Wireless Network Security
Home wireless networks are exceedingly popular, in large part because they enable computers and mobile devices to share one broadband connection to the internet without having to use up minutes on a cellular data plan. They also provide the convenience of not having to connect all these devices with wires to do so. But like all other wireless network technologies, home wireless networks present vulnerabilities that could be exploited by hackers to obtain sensitive data and commit other crimes. To help protect your home wireless network from unwanted users, consider the following steps:
- Turn the encryption on. Wireless routers often come out of the box with the encryption feature disabled, so be sure to check that encryption is turned on shortly after you or your broadband provider installs the router.
- Change the network’s default network name, also known as its service set identifier or “SSID.” When a computer with a wireless connection searches for and displays the wireless networks nearby, it lists each network that publicly broadcasts its SSID. Manufacturers usually give all of their wireless routers a default SSID, which is often the company’s name. It is a good practice to change your network’s SSID, but to protect your privacy do not use personal information such as the names of family members.
- Change the network’s default password. Most wireless routers come with preset passwords for administering a device’s settings (this is different from the password used to access the wireless network itself). Unauthorized users may be familiar with the default passwords, so it is important to change the router device’s password as soon as it is installed. Again, longer passwords made up of a combination of letters, numbers and symbols are more secure.
- Consider using the MAC address filter in your wireless router. Every device that can connect to a Wi-Fi network has a unique ID called the “physical address” or “MAC” (Media Access Control) address. Wireless routers can screen the MAC addresses of all devices that connect to them, and users can set their wireless network to accept connections only from devices with MAC addresses that the router will recognize. To create another obstacle to unauthorized access, consider activating your wireless router’s MAC address filter to include your devices only.
- Turn off your wireless router when it will not be in use for any extended period of time.
- Use anti-virus and anti-spyware software on your computer, and use similar apps on your devices that access your wireless network.
Remembering all of your assorted passwords can be a pain. Web browsers and other programs may offer to remember passwords for you, which can be a significant timesaver. However, certain password shortcuts can leave you less secure. The following best practices may help keep your personal information safer:
- Don’t use the same password for multiple accounts, especially for the most sensitive ones, such as bank accounts, credit cards, legal or tax records and files containing medical information. Otherwise, someone with access to one of your accounts may end up with access to many others.
- Don’t have your web browser remember passwords and input them for you, particularly for your most important financial, legal and medical accounts. If an unauthorized person gains access to your computer or smartphone, they could access any account that your browser automatically logs into.
- Don’t use passwords that can be easily guessed, such as common words and birthdays of family members. Instead, use a combination of letters, numbers and symbols. The longer and stronger the password, the safer your information.
Information provided by Federal Communications Commission
Staying Safe from Tax Scams
As people seek to file their tax returns this year, cybercriminals will be busy trying to take advantage of this with a variety of scams. Citizens may learn they are victims only after having a legitimate tax return rejected because scammers already fraudulently filed taxes in their name. According to the Internal Revenue Service (IRS), there was a 60% increase in 2018 in phishing scams that tried to steal money or tax data. As of February 24th, 2018 alone, the IRS had identified 9,557 fraudulent tax returns for the last filing season. As everyone aims to file their returns among all this fraud, the following advice will explain how tax fraud happens and provide recommendations on how to prevent it from happening to you or how to get help if you are unfortunately affected by a tax scam!
How is tax fraud perpetrated?
The most common way for cybercriminals to steal money, financial account information, passwords, or Social Security Numbers is to simply ask for them. Criminals will send phishing messages, often impersonating government officials and/or IT departments. They may tell you a new copy of your tax form is available. They may include a link in a very official-looking email that goes to a website that uses an official organization’s logo and appears legitimate, yet is fraudulent. If you attempt to log in to the false website, or provide any personal information, the criminals will see what you type and try to use it to compromise your other accounts and file a false return in your name.
Additionally, much of your personal information can be gathered online from sources like social media or past data breaches. Criminals know this, so they gather pieces of your personal information from a variety of sources and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, you will go through the arduous process of proving that you did not file the return and subsequently correcting the return.
Criminals also impersonate the IRS or other tax officials, demanding tax payments and threatening you with penalties if you do not make an immediate payment. This contact may occur through websites, emails, or threatening calls or text messages that seem official but are not. Sometimes, criminals request their victims to pay “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember that the IRS lets citizens know it will not do the following:
- Initiate contact by phone, email, text messages, or social media without sending an official letter in the mail first.
- Call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- Threaten you with jail or lawsuits for non-payment.
- Demand payment without giving you the opportunity to question or appeal the amount they say you owe.
- Request any sensitive information online, including PIN numbers, passwords or similar information for financial accounts.
How can you protect yourself from tax fraud?
- File your taxes as soon as you can…before the scammers do it for you!
- Always be wary of calls, texts, emails, and websites asking for personal or tax data, or payment. Always contact organizations through their publicly posted customer service line. If they contact you, end the call and call the organization on the phone number on their website. As mentioned previously, the IRS will initiate contact on these issues by mail through the postal service.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real website address into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted sites and networks. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Use strong, unique passwords for all your accounts and protect them. Reusing passwords between accounts is a big risk that allows a breach of one account to affect many of them!
- Shred all unneeded or old documents containing confidential and financial information.
- Check your financial account statements and your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus. This will prevent identity thieves from applying for credit or creating an IRS account in your name.
If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email as an attachment to its email@example.com email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website provides a step-by-step recovery plan. It also allows you to report if someone has filed a return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
A message from MS-ISAC February 2019 Volume 14, Issue 2
Staying Secure While Shopping Online
It is that time of year when so many people prepare to purchase gifts for friends, family, and loved ones. Though it can be convenient to avoid the lines and rush for that latest Black Friday deal by shopping online, this also carries some risk. Cybercriminals are always working to steal your personal and payment information, and the holiday shopping season is the perfect opportunity for this to happen. By following a few key practices, you can greatly lower your chances of becoming a victim of identity theft or fraud.
Choose Trusted Online Retailers and Apps
Always shop only with trusted online retailers. That means using a retailer you already know or one that is verified through another trusted entity. If you find a new possible shop to do business with, but are unsure about its reputation, try to find reviews from trusted sources such as the Better Business Bureau. It is important to stick to trusted review sources because there are several ways to fake online reviews, and there are places where cybercriminals can pay other criminals to post positive reviews. Even though an untrusted site might have the best prices, it is worth it to use a trusted online shop that is known to safeguard your information and purchases.
The same advice applies when downloading apps to help with your online shopping. Whether you are downloading a store app to get a coupon, a deal aggregator app to comparison shop, or a reward app that ensures you get points or cashback, it is important to stick to trusted apps from known developers. Unfortunately, fake apps appear in the app stores, purporting to be from a trusted source while other apps exist to capture your data without providing the services they claim to support. You can avoid many malicious apps by downloading your apps from Google Play, Apple App Store, Microsoft Store, or another trusted platform, selectively choosing which apps to download, and making sure you carefully read the permissions and app reviews.
Secure your Device, Connectivity and Accounts
Keep your devices up-to-date, especially those you shop and bank with – Simply updating the device that you use for conducting your online shopping is a key cybersecurity practice. By keeping the device up-to-date with current patches and software, you ensure you have the manufacturer’s latest security fixes in place.
Never use a public computer when shopping or banking – Using a public computer, like those found at libraries, can expose you to greater risk. It is best to use a trusted home device and network for anything involving financial transactions.
Never shop or conduct banking on unencrypted or public Wi-Fi – It is best to always conduct financial transactions or log on to sensitive accounts via a trusted Wi-Fi network. Ideally, this should be from your home network, which should require a password and use WPA2 encryption.
Look for the lock icon on your browser – When a site has a lock icon on the browser window, or in the URL bar, it indicates that your communications with the site are encrypted. If you do not see a lock, look for “https” at the beginning of the URL, as this is the same thing as the lock.
Check out as a guest – By checking out as a guest, you prevent the online retailer from storing your personal account and financial information. This minimizes the amount of information that could be lost if the retailer is compromised. If you have or need an account with a retail website:
- Use a strong password – Be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters.
- Don’t save your payment information with retailers – If you have an established account with a retailer, do not store your payment information with them. In the case of an account compromise, stored payment information may allow a criminal to make purchases using your financial information.
Be Wary of Fraudulent Emails and Advertisements
Look out for suspicious or unexpected emails – A common tactic of cybercriminals year round is to send fraudulent emails seeking to get you to click a link or open an attachment. When it comes to this time of year, they may make an email look like it contains tracking information for a shipment or a promotion for a store. The link or attachment might download malware or try to get you to enter your user credentials in a convincing, yet fraudulent login screen, so they can steal your password. Always avoid clicking direct links in emails, and if you receive an email with a tracking number in it, head to the shipping carrier’s website in your browser and copy and paste the tracking number itself into the site.
Avoid clicking advertisements or pop-up windows of any kind – Advertisements embedded in websites and pop-ups have been known to be compromised by cybercriminals to distribute malware. It is best to avoid clicking them altogether. To close pop-ups, press Control + F4 on a Windows computer and Command + W on a Mac.
A message from MS-ISAC November 2018 Volume 13, Issue 11
Is someone using your personal or financial information to make purchases, get benefits, file taxes, or commit fraud? That’s identity theft. Visit IdentityTheft.gov to report identity theft and get a personal recovery plan.
The site provides detailed advice to help you fix problems caused by identity theft, along with the ability to:
- get a personal recovery plan that walks you through each step
- update your plan and track your progress
- print pre-filled letters and forms to send to credit bureaus, businesses, and debt collectors
Go to IdentityTheft.gov and click “Get Started.” There’s detailed advice for tax, medical, and child identity theft – plus over thirty other types of identity theft. No matter what type of identity theft you’ve experienced, the next page tells you what to do right away. You’ll find these steps – and a whole lot more – at IdentityTheft.gov.
What To Do Right Away
- Call the companies where you know fraud occurred. Call the fraud department. Explain that someone stole your identity. Ask them to close or freeze the accounts. Then, no one can add new charges unless you agree. Change logins, passwords, and PINs for your accounts.
- Place a fraud alert and get your credit reports. To place a free fraud alert, contact one of the three credit bureaus. That company must tell the other two.
♦ Experian.com/help or 888-EXPERIAN (888-397-3742)
♦ TransUnion.com/credit-help or 888-909-8872
♦ Equifax.com/personal/credit-report-services or 1-800-685-1111
A fraud alert lasts one year. It will make it harder for someone to open new accounts in your name. Get updates at IdentityTheft.gov/creditbureaucontacts. Get your free credit reports from Equifax, Experian, and TransUnion. Go to annualcreditreport.com or call 1-877-322-8228. Review your reports. Make note of any account or transaction you don’t recognize. This will help you report the theft to the FTC and the police.
- Report identity theft to the FTC. Go to IdentityTheft.gov, and include as many details as possible. Based on the information you enter, IdentityTheft.gov will create your Identity Theft Report and recovery plan.
Go to IdentityTheft.gov for next steps. Your next step might be closing accounts opened in your name, or reporting fraudulent charges to your credit card company. IdentityTheft.gov can help – no matter what your specific identity theft situation is.
A message from Federal Trade Commission September 2018
Cybersecurity Guide for Businesses
Protect Computers and Networks
Install security and antivirus software that protects against malware, or malicious software, which can access a computer system without the owner’s consent for a variety of uses, including theft of information. Also, use a firewall program to prevent unauthorized access. Protection options vary, so find one that is right for the size and complexity of your business. Update the software, as appropriate, to keep it current. For example, set antivirus software to run a scan after each update. If you use a wireless (Wi-Fi) network, make sure it is secure and encrypted. Protect access to the router by using strong passwords.
Require Strong Authentication
Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices, and online accounts by using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess and changed regularly. Consider implementing multifactor authentication that requires additional information beyond a password to gain access. Check with vendors that handle sensitive data to see if they offer multifactor authentication to access systems or accounts.
Control Access to Data
Control access to data and computers and create user accounts for each employee. Take measures to limit access or use of business computers to authorized individuals. Lock up laptops when not in use as they can be easily stolen or lost. Require each employee to have a separate user account and prohibit employees from sharing accounts. Only give employees access to the specific data systems they need to do their jobs, and don’t let them install software without permission. Also, make sure that only employees who need administrative privileges, such as IT staff and key personnel, have them and regularly review their ongoing need for access.
Teach Employees the Basics
Establish security practices and policies for employees, such as appropriate Internet usage guidelines, and set expectations and consequences for policy violations. Establish a top-down corporate culture that stresses the importance of strong cybersecurity, especially when it comes to handling and protecting customer information and other vital data. Ensure that all employees know how to identify and report potential security incidents.
Train Employees to be Careful Where They Connect to the Internet
Train employees to be careful where and how they connect to the Internet. Employees and third parties should only connect to your network using a trusted and secure connection. Public computers, such as at an Internet café, hotel business center, or public library, may not be secure. Also, your employees shouldn’t connect to your business’s network if they are unsure about the wireless connection they are using, as is the case with many free Wi-Fi networks at public “hotspots.” It can be relatively easy for cyber criminals to intercept the Internet traffic in these locations.
Train Employees About the Dangers of Suspicious E-mails
Employees need to be suspicious of unsolicited e-mails asking them to click on a link, open an attachment, or provide account information. It’s easy for cyber criminals to copy a reputable company’s or organization’s logo into a phishing e-mail. By complying with what appears to be a simple request, your employees may be installing malware on your network. The safest strategy is to ignore unsolicited requests, no matter how legitimate they appear.
Patch Software in a Timely Manner
Software vendors regularly provide patches or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure software to install such updates automatically.
Make Backup Copies of Important Systems and Data
Regularly back up the data from computers used by your business. Remember to apply the same security measures, such as encryption, to your backup data that you would apply to the original. In addition to automated backups, regularly back up sensitive business data to a storage device at a secondary location that is secure.
Don't Forget about Tablets and Smartphones
Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your business’s network. If your employees connect their devices to the business’s network, require them to password protect their devices, encrypt their data, and install security apps to prevent criminals from accessing the device while it is connected to public networks. Be sure to develop and enforce reporting procedures for lost or stolen equipment.
Watch Out for Fraudulent Transactions and Bills
Scams can range from payments with a worthless check or a fake credit or debit card to fraudulent returns of merchandise. Be sure you have insurance to protect against risks. Additionally, ensure that you report any irregularities immediately.
A message from the Federal Deposit Insurance Corporation FDIC-019-2016
Cybersecurity Guide for Customers
Protect Your Computer
Install software that protects against malware, or malicious software, which can access a computer system without your consent to steal passwords or account numbers. Also, use a firewall program to prevent unauthorized access to your PC. While protection options vary, make sure the settings allow for automatic updates.
Security when Logging into Financial Accounts
Use the strongest authentication offered, especially for high-risk transactions. Use passwords that are difficult to guess and keep them secret. Create “strong” user IDs and passwords for your computers, mobile devices, and online accounts by using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess and then change them regularly. Although using the same password or PIN for several accounts can be tempting, doing so means a criminal who obtains one password or PIN can log in to other accounts.
Understand Internet Safety Features
You can have greater confidence that a website is authentic and that it encrypts (scrambles) your information during transmission if the web address starts with “https://.” Also, ensure that you are logged out of financial accounts when you complete your transactions or walk away from the computer. To learn about additional safety steps, review your web browser’s user instructions.
Be Suspicious of Unsolicited E-mails
Be suspicious of unsolicited e-mails asking you to click on a link, download an attachment, or provide account information. It’s easy for cyber criminals to copy the logo of a reputable company or organization into a phishing email. When responding to a simple request, you may be installing malware. Your safest strategy is to ignore unsolicited requests, no matter how legitimate or enticing they appear.
Be Careful Where You Connect to the Internet
Only access the Internet for banking or for other activities that involve personal information using your own laptop or mobile device through a known, trusted, and secure connection. A public computer, such as at a hotel business center or public library, and free Wi-Fi networks are not necessarily secure. It can be relatively easy for cyber criminals to intercept the Internet traffic in these locations.
Be Careful When Using Social Networking Sites
Cyber criminals use social networking sites to gather details about individuals, such as their place or date of birth, a pet’s name, their mother’s maiden name, and other information that can help them figure out passwords — or how to reset them. Don’t share your ‘page’ or access to your information with anyone you don’t know and trust. Cyber criminals may pretend to be your ‘friend’ to convince you to send money or divulge personal information.
A message from the Federal Deposit Insurance Corporation FDIC-018-2016
General Personally Identifiable Information
Personally identifiable information (PII) can be any data that identifies you as a specific individual. This information should be kept private and not shared with others. Examples of PII include your Social Security Number, or your name in combination with your date or place of birth.
Recommendations: Be aware of what you post publicly or submit through applications or services. Consider with whom you share your PII, and give extra scrutiny and consideration as to whether you really need to share this information. If someone contacts you requesting PII through email, social media, or a phone call, do not provide the information. If it is a phone call that you think is legitimate, hang up and call the organization back through a publicly listed telephone number so you can verify the caller is who they say they are.
Information About Your Location
Giving out your location when away from home on social media is a privacy risk. This practice can result in your home being targeted for burglary. Additionally, your family and friends may be targeted by scammers seeking financial assistance on your behalf to help with a non-existent “travel emergency.” Three popular methods of this type of location sharing are geotagging (adding a location tag to a social media post or picture), posting a photo in which the background can be easily identified (like Times Square or the Eiffel Tower), or “checking in” at a business.
Allowing apps to use your phone’s location services has its own privacy concerns, as the app is likely recording or using that data, and may automatically add geotagging to social media interactions in that app as a result!
Recommendations: Customize your location settings to minimize sharing your location with websites and applications, especially on your mobile devices. You can geotag social media posts, pictures, or videos after returning from vacation, going out to eat, or that business trip. Also, check the privacy settings of apps to make sure they don’t need access to your location. At a minimum, ensure your social media settings are set to only show your posts and profile to friends.
Security Questions & Social Media
Security questions are a way to authenticate your identity and are an extra layer of security on accounts, which makes it extra important to not post these answers on social media. Posting a picture or writing a post about your first car’s make and model, or color of your car, childhood address, favorite ice cream flavor, mother’s maiden name, or elementary school is a bad idea. These are common security questions and by posting this information, you give away the answers, allowing cybercriminals to potentially access your accounts.
Recommendations: When on social media, be aware of what you post (including pictures!) and how it relates to the security questions you selected for your various accounts.
Website/Application Privacy Settings and Permission
All websites and applications have privacy settings. These settings help you control what others are allowed to see, as well as manage your online experience. You should be familiar with these privacy settings and customize them to protect your information. Additionally, when creating an account on a website or application and agreeing to their services, understand what you are giving them permission to do with the data you provide.
Take Responsibility: Protecting your privacy starts with you. Website owners, websites, and service providers have a responsibility to protect your privacy. However, it is up to you to understand the privacy settings on social media, online accounts, and your devices. Knowing these settings, you will be able to customize them for greater security.
Take ownership of your privacy and read privacy policies and end user license agreements on websites (including social media), and update your settings whenever new privacy features are available.
A message from MS-ISAC January 2019 Volume 14, Issue 1
Internet Devices & Safe Online Banking
Online banking and remote access to financial accounts are part of daily life now. With connections through internet devices such as smartphones, laptops, readers, tablets or desktops, account information is a click away.
These same devices are used to connect to many other things, like baby monitors, TVs, healthcare data, doorbell cameras, news & information, refrigerators and other household items. And frequently they are interconnected by a home network that shares all this information and allows internet access.
Without proper security for each device, your personal information is at risk.
➤ Secure All Your Internet Devices
There are several software security packages that offer protection for all your interconnected internet devices including your wireless router. Here are the first steps that are essential to an integrated approach to secure your internet devices.
Passcodes and Passwords:
Internet device suppliers allow you to reset passcodes or passwords. The strongest passwords use a combination of letters (upper and lower case), numbers and symbols and should be at least 10 characters in length to provide the best protection. Importantly, each of your devices requires a separate password — that way if one device is lost, stolen or compromised then not all are affected.
KEY POINT – Never allow your passwords to be remembered by your browser software!
Purchase and install software that detects, prevents and removes all viruses, malware or spyware found on your internet devices. Many manufacturers offer an entire suite of anti-virus security software to protect all your devices. Just remember that different internet devices have different operating systems — one security solution may not protect all your devices.
KEY POINT – Each device requires specific security software protection!
Manufacturers of internet devices update their software constantly to provide faster service and more secure products. Some of these software updates provide a needed fix for security weaknesses — so sign up with the software manufacturer to receive any updates automatically and install them on a regular basis.
KEY POINT – Software updates provide the best defense against online threats!
Your home network connects to the internet using a router that comes with a default user ID and a pre-set password from the manufacturer. Reset the manufacturer settings for both immediately. A router ID that you have renamed and a strong password are essential protections for a home router. Choose the highest level of security available for your router and activate it. Also, enable the preinstalled firewall protection hardware for added safety.
KEY POINT – The router serves as the pathway to the internet for all your devices!
➤ Device Use and Best Practices
Security experts have developed best practices for everyone to follow when using any internet device.
- Wi-Fi hotspots that are public and shared by many users are not secure.
- Always log off by following the financial institution’s secured area exit procedures.
- Back up your data regularly to your personal cloud storage account or external hard drive.
- All your internet devices should auto-lock after a short time period.
- When not in use, shut down or turn off your devices.
- Enable each device to have your data erased or wiped remotely.
➤ More Connections and More Things Are Coming
The ability to conduct safe online banking, purchase things and remotely access, monitor and control home appliances through internet devices offers great convenience for everyone.
In the coming years experts predict rapid growth in the number of interconnected things — doubling by 2020. Make internet device security your number one priority!
- Federal Trade Commission: www.ftc.gov
- Identity Theft Resource Center: www.idtheftcenter.org
- Federal Deposit Insurance Corporation: www.fdic.gov
- National Credit Union Administration: www.ncua.gov
- On Guard Online: www.onguardonline.gov
- Financial Fraud Enforcement Task Force: www.stopfraud.gov
Financial Education Corporation