Avoiding Scams In The Workplace: Keeping Yourself And The Rest Of Us Safe


Pop quiz: What do the data breaches at Target, Home Depot and Sony all have in common? Give up? They were all caused by employee errors. These, along with about 500 other breaches, are confirming what many security professionals have worried about for years. In the digital age, the weakest link in our information security is us: humans. The most common cause of data breaches around the world is employee error or negligence.

This kind of negligence can take a few forms. It can be an employee responding to a phishing email or downloading a piece of malicious software on a company computer. An employee could fail to adequately secure his login information (by, say, writing it on a sticky note and attaching it to the monitor) or could leave company technology vulnerable to theft.

As with many other complex, human-focused problems, no single solution can address this problem. There are structural and technological changes that can help mitigate the risks posed by employee error. While these changes are developed and implemented, here are three simple steps you can take to help keep your workplace safe from hacks. 

1.) Read something, say something 

Everyone thinks they can detect a scam. It’s a line of thinking called the general attribution error, that what’s true of “most people” can’t possibly be true of us and the people we know. We constantly believe we’re the exception rather than the rule, and our susceptibility to fraud demonstrates this well. Most people consider themselves intelligent, discerning Internet consumers. Yet, a recent Google study found that 45% of users fell victim to a fake login page.

Scammers wouldn’t keep using these tactics if they weren’t working, and even if you are savvy enough to spot 99 phishing attempts in a row, the one you miss is all it takes for another big data breach to happen. If you work at a company with 100 people who are all as adept as you are at catching these emails, every scam attempt works on one person on average. Worse still, some hacking attempts begin by sending out emails from the first victim to people on that person’s contact list. When that happens, one person falling victim to an attack can quickly increase the credibility of subsequent attacks.

The solution to the general attribution error is the power of collective wisdom. If you receive an e-mail that’s clearly an attempt to solicit sensitive information, don’t just delete it and move on. Forward it to your company’s IT representative. Mention it to a colleague. Ensure that everyone knows this scam is circulating at your company.

If you do fall victim to one of these hoaxes, don’t try to cover it up. You might face disciplinary action for opening malicious emails, but you will face disciplinary action if your login credentials are used to expose sensitive information! 

2.) Off the clock? Lock it up! 

The VA breach, one of the biggest data leaks that hit some of the most secure data in the nation, was caused when an employee improperly took confidential information home to continue working. The information was stolen and the integrity of the VA’s servers was compromised. Taking work home with you might be a good way to get ahead, but unless your home can provide the same level of security as your office, it’s just not worth it.

If you must take work outside the office, keep it in a secure place. Ideally, you should place it in a safe or locking file box. Failing that, keep it in a locking briefcase or other lockable container. If you’re working with paper copies, don’t forget to destroy or return them once you’re done.

If you have a standing arrangement with your employer to do some work remotely, there are still a number of steps you can take to keep your work technology safe. If you work on a laptop, invest in a cable lock. This piece of hardware works like a bicycle lock. You loop it around a heavy object and fit the lock into your computer’s power port. Should a dedicated thief rip the lock out of the port, the computer will be rendered inoperable, turning a catastrophe into a hardware replacement.

Also, don’t connect to unsecured wireless networks. Anyone can join these and set up monitoring software on them to steal data in transit. If you work on your home wifi, set up a security protocol. Don’t forget to change the default administrator password on your router. Most manufacturers have a default router password which would enable scammers to access your network. 

3.) Keep it out of the office! 

Most people spend at least some part of their work day browsing the Internet. Modern technology has made work more efficient, so some employees think they can do a little browsing during slow times. The problem is that recreational browsing can expose the office to risks.

Even the most tame hobbies can have risks. Searching for “download sewing templates” could take you to websites dotted with malicious software masquerading as innocuous archives and executables. If your interests run to games or gambling, the Internet can be a very dangerous place for your work computer.

If you’re interested in gaming, you might be tempted to load up a USB drive with a few fun titles. It’s very easy to accidentally save sensitive information to that USB, which becomes a liability. USB drives are the bane of IT security people everywhere, since they’re easy to lose, steal or swap.

If you have downtime at the office, stick to browsing sites you know and trust, or the ones permitted by your IT department. If you feel the need to explore the darker side of the Internet, be sure you do so at home where you can better control the sensitive information on your computer. 

Your Turn

One final way to beat the bad guys of the Internet is to work together with other good guys. Share your wisdom – your tips, tricks and experiences in keeping information safe! Let us hear from you: What are you doing to keep your workplace safe?

SOURCES:

https://www.entrepreneur.com/article/273221?utm_source=google-news&utm_medium=syndication&utm_campaign=google-editors-pick&google_editors_picks=true

Check Fraud & Swiss Cheese


Just about every article you read about fraud, security and identity theft is based on the idea that with increased technology comes increased security.  In fact, we do everything we can to bring as much cutting edge technology to your defense as possible. Unfortunately, some of the greatest vulnerabilities in your security come from low-tech attacks.

Think about it this way: A dedicated criminal wanting to get into your checking account has to spend thousands of dollars on an RFID skimmer, a device to crack your PIN, and other technological marvels out of a “Mission: Impossible” movie, but when they get access, our fraud protection kicks in after only a very small expenditure.  So, why would a criminal spend thousands of dollars when they could get the same benefits from spending $5 on a blunt object with which to threaten you physically? Why steal RFID signals out of the air when you can pick pockets and shop online?  Why go high-tech and hassle with all our security experts when a criminal can go low-tech and wait for you to slip up?

It helps to think of your financial security as a metaphorical block of Swiss cheese.  Every layer of security may have a few holes, just like every step you take to protect yourself has holes.  The idea is that, if we put enough layers of cheese on top of each other, we can make sure that none of the holes go all the way through the cheese, leaving you vulnerable.  In that spirit, we’ve identified a low-tech hole in the cheese, and we’re putting down another layer.  We’d like to make sure you put down some cheese, too.

Check fraud is still a major problem, and it could get worse as EMV chips and software security make ATM and point of sale transactions more secure.  Check fraud is an umbrella term for a variety of strategies scammers use, ranging from creating blank checks on computer software to stealing and using old checkbooks.  Your checkbook is a source of fraud vulnerability for many of these strategies, but the ways to protect yourself are fairly simple. 

1.) Treat your checkbook like cash.  The easiest thing to do is to just not give thieves access to your checks.  You wouldn’t put an envelope of cash in your mailbox with the flag up, would you?  Then don’t do it with a utility check.  If you’re going to mail a check, drop it into a blue USPS box on your way to work.  You can also see what’s available to pay online.  Our online services are really impressive, and if you set up an automatic payment through us or use our online banking, you never have to mail a check again.

2.) Balance your checkbook every month.  It may seem like a chore, but balancing your checkbook is the easiest way to make sure you’re the only one spending your money.  We have special buttons built into our online account view to make this as easy as possible. If you want a little personal guidance, come talk to us and we’ll walk you through the process.  It’s easier than it looks. If it takes you forever every month, you might not be using all of our features! Call Destinations Credit Union at 410-663-2500 and we’ll help you make the process much easier.

3.) Destroy your old checkbooks and order new ones regularly.  For whatever reason, you might have found yourself with old checks lying around.  Maybe you were running low on checks and ordered a new checkbook but decided not to finish the old one because they came so quickly. Maybe you’ve moved and didn’t bother to finish the set with your old address. If that’s the case, destroy them.  It’s worth the cost of a checkbook or the effort of a few minutes at the office shredder to keep from leaving yourself vulnerable. Also, don’t put your driver’s license number on the checks when you order them.  It might take a few extra minutes at the register, but that inconvenience is a lot worse for a scammer holding your checkbook than it is for you.  If you need to order a new checkbook, you can do it here:  https://orderpoint.deluxe.com/personal-checks/home.htm.

It’s a different world for your checkbook than it was even a few years ago. Nationally, we’re writing fewer checks in fewer places and many of us don’t carry a checkbook at all.  Across the country, speech teachers are showing “I Have a Dream” to their students and they have to pause the video to explain what a promissory note is and why Dr. King is talking about writing a check for freedom. They may seem old-fashioned, but that’s exactly why they represent such an important vulnerability in your financial security:  They’re just paper and ink.  No chips to crack, no PIN, no online security protocols.  Don’t let your Swiss cheese have holes that go all the way through. Protect yourself from check fraud.

Sources:

http://money.usnews.com/money/personal-finance/articles/2008/05/19/frank-abagnales-tips-on-avoiding-check-fraud
http://www.consumer.ftc.gov/articles/0159-fake-checks#Youandyourbank
http://www.ckfraud.org/ckfraud.html

Home Improvement Scams


As we reach the dog days of summer, many of us are facing the consequences of our springtime procrastination.  For the next few months, we’re going to have to either spend every weekend on the home improvement projects we’ve been putting off or spend the fall and winter with a half-finished patio.  Again.  It’s tempting to put down your toolbox and pick up your checkbook, but before you do, make sure you can trust the person you’ll pay to do the work.  

Home improvement scams are back again this summer.  As many as 100,000 scammers work in the United States each year, according to recent estimates reported in Consumer Digest, and with Americans spending more than $500 billion a year on remodeling and home improvement projects, they’re not going to stop anytime soon.  Those scammers are very good at identifying their victims, so we need to get better at spotting them.  

Here are some signs you might be working with the wrong person:

He “just happens” to be in the area…

Contractors don’t go door-to-door drumming up business, but one of the most common ways scammers make contact with their victims is by simply knocking on their door, explaining that they were in the neighborhood and offering to take care of a job they noticed a need for.  They might claim to have leftover materials or they noticed some missing shingles on your roof when working on your neighbor’s house, and now they have a great deal to offer you.  By the time you realize you’re not missing any shingles, the scammers will have cashed the check you gave them to buy some extra materials.

He needs you to pay today…

Scammers may claim they want to make some money on the side and if the boss sees leftover materials, then they can’t use them.  Don’t let your fear of losing out on a bargain get you into trouble.  

If your neighborhood recently had the kind of natural disaster that makes it hard to get an appointment with a contractor, it’s even more likely the person you’re talking to is a scammer.  Government agencies refer to these people as “Storm Chasers” because they like to prey on the victims of natural disasters, often crossing the country to do so.  The National Consumer Law Center reported that complaints of contractor fraud vaulted from 150 cases in Louisiana the year before Hurricane Katrina to 6,000 cases during the following two years.

You have to pay up front…

Scammers might claim they need to charge you for materials up front or they need a hefty deposit to get started.  Don’t fall for it.  Professional contractors have enough credit to buy materials and usually have accounts at local hardware stores to make billing easier.  If the person you’re talking to doesn’t have good enough credit to buy materials, they’re probably not good enough at home repair to be worth your money. More than 60 percent of the Katrina-related victims of home repair scams said they paid up front, according to an LSU study, because the lack of skilled contractors in the city made homeowners anxious to get their projects done.

He’s hard to reach…

Many of those who were robbed by home improvement scammers reported it was difficult or impossible to get in touch with their scammer after the initial visit.  In many cases, the scammers told homeowners a sad story to explain their lack of cellphone or business card, taking advantage of homeowners’ sympathy in order to not provide contact information.

It’s 2015.  There is no reason for a person you trust to not have a cellphone, business card or a profile on social media sites like Angie’s List, Facebook, or Twitter.  If they do have a social media presence or business card, check it out before you pay.  Make sure their account has been active for more than a few months and that there are other ways to contact anyone working on your house.  If they can’t provide any of that, how about a reference from one of your neighbors?  There are lots of ways to verify someone’s identity, and with each excuse or objection, it seems more likely the person you are talking to has criminal intentions.  

What to do if you think you have been scammed

If you think you might have been the victim of a home improvement scam and have paid with a Destinations Credit Union check or card, let us know immediately.  Call us at 410-663-2500 or email us at info@destinationscu.org. If we find out quickly enough, we may be able to stop the check before the scammers can cash it.  

We’re here to protect your money.  You can find out more about fraud tips and alerts in our Member Center under “Protecting Your Money.”

Sources:

http://www.bankrate.com/brm/news/home_improvement_07/top-scams-a1.asp

Is 2015 The Year Of The Health Care Hack?

Brought to you by Destinations Credit Union

If 2014 was the year of major retailers being involved in security breaches, 2015 has thus far been the year for insurance companies. Anthem led the way earlier this year with a hack that compromised the personal information of hundreds of thousands of victims. Now, Premera Blue Cross, one of the largest health insurance providers in the Pacific Northwest, has been the target of a security breach.

Security experts are still attempting to discover the full extent of the breach. Hackers evidently accessed housing data from as far back as 2002. It is believed that at least 11 million people were affected by the breach.

Premera also has dozens of subsidiary organizations, clients, and contractors, each with its own set of records. Technology experts from the health care provider are working tirelessly to determine the extent of their information that was compromised. Vivacity, a workplace wellness provider, and Connexion Insurance Solutions, which focuses on small- to medium-sized businesses, were both affected, too.

The vulnerability has been in use for some time. Company officials say the first breach occurred in May of 2014 and was only discovered in January of 2015. The FBI, in coordination with private cyber security firm Mandiant, is working to uncover the size and severity of this attack as well as to find the perpetrators.

Criminals have stolen a wide variety of personal information from the provider. Names, addresses, and Social Security numbers are the obvious targets, and these are frequently used to commit identity theft or cloning. A surprising amount of health information is also used to illegally obtain prescription medication or commit insurance fraud. This form of medical identity theft is growing as a black market solution to higher medical costs. In 2014, 2.3 million people were victims of this kind of fraud and each victim had to pay an average of $13,500 to resolve the problem.

There appears to be a strong connection between the attacks made on Premera and those made on Anthem. In both cases, hackers registered domains with common misspellings of the company’s name and used those sites to collect login information. These usernames and passwords were then used to breach the company at higher and higher levels. These tactics, and several others, point to Chinese hacking group Deep Panda.
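An added example, not part of the original article: one way a company's mail or IT team could flag sender domains that are near-misspellings of its own name, the tactic described above. Every domain name here is constructed for illustration, and the two-label domain rule, the character-swap table and the distance limits are assumptions.

```python
# Added example: flag sender domains that are near-misspellings of a
# protected domain. All names below are constructed for illustration.

PROTECTED = ["examplehealth.com"]  # assumption: the organisation's real domain

# Digit-for-letter swaps often seen in look-alike names (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Fold visually confusable characters so 'examp1e' compares as 'example'."""
    label = label.lower().translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent letters typed in the wrong order count as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def registered_domain(host):
    """Assumption: the last two labels are the registered domain.
    A production check should consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(address, protected=PROTECTED):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender address."""
    host = address.rsplit("@", 1)[-1]
    domain = registered_domain(host)
    if domain in protected:
        return "legitimate"
    label = normalize(domain.split(".")[0])
    for good in protected:
        good_label = normalize(good.split(".")[0])
        # Longer names tolerate one more edit before they stop looking alike.
        limit = 1 if len(good_label) < 10 else 2
        if osa_distance(label, good_label) <= limit:
            return "lookalike"
    return "unrelated"


def scan(addresses):
    """Return the addresses whose domain imitates a protected domain."""
    return [a for a in addresses if classify(a) == "lookalike"]


# Constructed sample of sender addresses, as they might appear in a mail log.
SAMPLE_SENDERS = [
    "billing@examplehealth.com",
    "hr@mail.examplehealth.com",
    "benefits@examp1ehealth.com",    # digit 1 in place of the letter l
    "it-support@exampelhealth.com",  # two letters swapped
    "news@examplehealt.com",         # one letter dropped
    "offers@gardensupply.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{classify(sender):10} {sender}")
```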

As these groups grow bolder, it’s more important than ever to keep up with your own best practices in medical identity theft prevention. The FTC recommends following these three steps to keep yourself safe:

1.) Watch your medical records

Medical identity theft results in bills to you for procedures done to someone else. Unscrupulous doctors bill insurance companies for procedures they never did or for more costly versions of operations than what they performed. They count on instant reimbursement, knowing the insurance company will try to collect the fraudulent charge from the policyholder. Medical identity theft confounds this process. In other instances, criminals use your identity to get medical treatment and bill it to your insurance, leaving you on the hook for the charges.

These charges will show up in a few places. For instance, you may get a call from a collection agency over a medical bill. You may also have a medical bill arrive in the mail for a procedure you didn’t have. Your insurance company may also notify you of a change in your premium or coverage based on a new medical condition. Each of these is a red flag that you’ve been the victim of medical identity theft.

2.) Review your records

The Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare companies keep and maintain detailed records about patient services. You have the right to obtain a copy of those records. In most cases, your best bet will be to contact a major provider of medical services, like a national pharmacy.

You may also need to contact your insurance provider for copies of their records. They have the same record-keeping and disclosure requirements that providers do, but they may charge for the service of providing records. If you can narrow down a window of time during which you suspect your account was compromised, you can save yourself both time and money.

Providers may refuse to comply with your request for disclosure because they fear violating the privacy of the identity thief. Fortunately, an appeals process exists for this decision. You need to contact the person named in the privacy policy as the patient representative or ombudsman. If you are still unsuccessful, you can contact the US Department of Health and Human Services’ Office for Civil Rights.

3.) Get corrections to your records

You can submit requests for corrections to each provider that has charged you for services. Such a request should explain the reason for the error and include documentation that the charge is, in fact, an error. Examples would be proof that you were nowhere near the provider at the time of the charge or a letter from your doctor stating that you have never experienced the condition that was treated.

If your provider refuses to change or reverse the charge, ask them to place a notice of dispute on your account. This notice will show credit agencies that the charge may not reflect your borrowing habits and will help you mitigate the impact of a poor credit score. Such a notice should also stop the collection calls.

This pattern of security leaks means everyone is potentially at risk. You can’t avoid digitizing your health care information. But you can take steps to keep your identity safe. Credit monitoring services can provide you with peace of mind. Knowing you’ve got a team of dedicated professionals watching your back around the clock can help you sleep soundly at night.

New Discoveries In TurboTax Fraud: Keep Informed And Stay Safe!


With the April 15th deadline now visible on the calendar, many Americans are finally sitting down to do their taxes. The good news? A standard return isn’t that hard and there’s still plenty of time to get it done. The bad news? One of the most popular online tax filing services is still compromised.

New reports in the Washington Post describe a new breed of tax fraud using the online platform. Previous attacks would focus on filing fraudulent returns using stolen personal information. Such returns were usually riddled with errors designed to inflate the amount of a potential refund, which would be routed to an account far away.

New attacks seem to have taken a different direction. Criminals use stolen email and password information to amend recently filed returns. The only change they make is the account number into which any refund will be deposited.

While only a few people have been victims of this kind of fraud, investigators are still working with TurboTax to identify the source of the leak. In the meantime, additional security measures have been added to online accounts. New logins will be required to answer credit report style identity verification questions, like former addresses, roommates and employers. These so-called “knowledge-based authentication” (KBA) procedures are of suspect value, however.

Fraudsters with access to personal information can find it remarkably easy to get more. Real estate transaction databases can quickly eliminate possible choices about former addresses. The multiple choice nature of the questions makes it possible to mechanically “crack” the authentication procedure in relatively short order.

To make matters worse, fraudsters are getting better at covering their tracks. According to security blog KrebsOnSecurity, more and more scammers are registering accounts using stolen identity information on IRS.gov. Because IRS.gov accounts aren’t necessary for e-filing, many people never have cause to create one. One thing they are useful for, though, is getting copies of past tax returns. This is a vital step in protesting a fraudulent return.

Scammers have identified this weak point in fraud prevention and begun registering accounts using stolen personal information. This presents one more hurdle in the face of fraud reporting. It also gives scammers more time to take the money and run. Without an IRS.gov account, the IRS is bound by policy not to disclose any information on a tax return to anyone not designated on the return as an approved party. This does mean they’re protecting the privacy of criminals, but there’s little they can do about the policy at this point.

The core of the problem, according to Krebs, is that the IRS uses those same KBA procedures. Sophisticated scammers are increasingly adept at bypassing these procedures. That means one less barrier between them and your money.

If you think you’ve been the victim of tax-related fraud, there are still steps you can take. Read on for three ways you can fight back against tax fraud and get your money back!

1.) Create an IRS.gov account and use a strong password

The current KBA authentication protocol can be broken into relatively easily. If you register your account now, you can create a much stronger password to protect yourself. At time of press, the IRS is not allowing new accounts to be created, but new procedures for account verification are forthcoming.

Once you’ve created your account, use a strong password that includes numbers, letters and symbols. Make it unique to your IRS account to reduce the possibility that your password will be compromised. Once you create your login information, write it down and put it with this year’s tax documents (preferably locked in a safe location). You’ll need it again next year!

2.) Request a copy of this year’s tax return

If you think your information has been used to file a fraudulent tax return, you’ll need a copy of the return to file a dispute. If you can’t get it with an IRS.gov account, you’ll need to get a hard copy. The IRS has a form for this and they’ll charge a small fee for processing.

The form you’re looking for is Form 4506. This will get you a printed photocopy of the return, including all information about refund destination. This may help you track down the stolen money, and it will definitely help you in proving to the IRS that this wasn’t your work.

3.) Beware of ‘Money Mule’ scams

Increasingly, international fraudsters are having difficulty getting the money out of the country. That’s why they turn to Americans who are desperate for a buck. They’ll advertise on sites like Craigslist for “financial processing assistants.” They use your checking account to receive the funds, then you’ll wire or send a portion of the proceeds to another bank. It’s one way of eliminating the paper trail of tax fraud. That’s been the laundering scheme of choice for many tax fraud perpetrators this season.

It’s clearly illegal and very dangerous, but it also makes it possible for scammers to steal money in the first place. Beware of any job solicitation that offers to pay you for your ability to have a checking account. If they were a legitimate business, they could get one all their own and wouldn’t have to pay you for the privilege!

SOURCES:

https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/

"ISIS" Hacks Credit Unions – What You Need To Know


ISIS is the new face of terrorism and the Internet is the next front. Terror organizations use social media to recruit members, spread their messages and plan attacks. That they would also use hacking to evoke fear should come as no surprise.

That appears to be what happened on March 9 this year when visitors to the websites of several credit unions did not see the front page they were expecting. Instead, they saw a black screen with the logo for the Islamic State. Under the image were the words “Hacked by Islamic State (ISIS) We Are Everywhere :)” along with a link to a now-defunct Facebook page.

A closer examination of the defacement suggested to the FBI that this was not the work of the international terrorist group. First, the smiley face at the end of the message does not fit the tone of other messages the group has sent. Second, the targets, which included several small businesses and credit unions, seem out of character for the group. Most of the group’s rage tends to focus on agents and governments it views as occupying territory in the Middle East. Third, the level of damage was relatively low. A sophisticated hacking operation would aim to debilitate or destroy economically or politically important assets. While taking down a credit union’s website for a few hours is certainly disconcerting, the dollar amount that can be attributed to the damage is relatively low.

Rather, the FBI suspects this is the work of fairly unsophisticated domestic hackers. The target selection fits more with an attention-seeking group of malcontents. The strategy of website defacement is popular among amateur computer security students seeking to prove their skills or leave a “calling card.” No member data, accounts, or contact information was compromised in the hack and the defacement of the websites has already been reversed.

As with every other security compromise, the possibility that a more serious data breach occurred is not out of the question. In most cases, this breach would involve rigging the website to install malicious software on users’ computers. While it is unlikely, precautions are free and an ounce of prevention is worth a pound of cure when it comes to information security. If you’re concerned about your computer integrity, take the following four steps.

1.) Install, update, and run security software

Using the Internet without antivirus software is like reaching your hand into a medical sharps disposal bin. You’re going to get something and the results won’t be pretty. Several free antivirus programs exist. Popular choices include Panda Security, AVG and Avast.

If you already have antivirus software, you might think you’re covered. Yet, antivirus programs only protect against specific kinds of malicious programming. While they’re certainly the worst of the worst, viruses are only one kind of threat you face on the Internet. You also need an anti-malware program, like MalwareBytes or Spybot. These programs find and remove security threats that, while not quite to the level of viruses, can still compromise your computer.

These programs are still serious threats. Data breaches at Home Depot, Target and others were caused by malware on company computers. Even professional security experts occasionally forget about defending their systems this way.

Once you get the software installed, make sure to keep it updated and run it regularly. The scans usually take between 20 minutes and an hour. That’s all it takes to stay safe from the worst threats.

2.) Change your passwords

It appears unlikely that any user data was compromised in this most recent round of hacks. Still, there’s no reason not to be cautious. Change the passwords you use to log on to major financial websites and any website where you use those same passwords. If you use your Destinations Credit Union password to access your email, change your email password, too.

It’s a good idea to cycle passwords every six months or so anyway. Doing so helps to keep your accounts safe. If you have trouble remembering to do so, consider using a password management service to keep track of your security.

Always choose strong passwords. Four random words with a number on the end is a great way to randomize passwords but keep them somewhat memorable. Just look around your computer area and use the names of the first four objects you see, followed by your birth month. Doing so creates a password that humans can easily commit to memory, but the most powerful computers would take years to crack.

3.) Get a credit score report

You can get a free credit report every year, and it’s a good idea to do so. If you’re planning to buy a house or a car this year, you might want to hold off and use your free report closer to your purchase date. If you don’t have major purchases planned for this year, you can use your free credit score report to check if you’ve been hacked.

Look for accounts you don’t remember opening or large, sudden upswings in debt utilization. These could be signals that someone’s compromised your identity. Call the credit reporting bureau immediately to report suspicious activity.

This alleged ISIS hack is nothing to fear, but it’s worth being cautious all the same. It’s much easier to take preventative action than to regret not having done so. Taking these steps can help ensure you stay safe, no matter what happens.

SOURCES:

http://www.cutoday.info/Fresh-Today/Hackers-Claiming-To-Be-ISIS-Take-Down-CU-s-Site

Q & A: Anthem’s Data Breach And What You Need To Know



Q: I keep hearing about Anthem being a hacking target. What happened and am I at risk?

A: Anthem Inc., the second-largest health insurer in America, was targeted in a major security breach over the last month. New reports suggest hackers have been trying to compromise the company’s systems for months and may have been inside their system since December. According to the company, 80 million Anthem customers may have had their names, Social Security numbers and addresses compromised.

This is a unique event in the recent history of cybersecurity. Previous hacks, like those affecting Home Depot or Target, were attacking hardware. Hackers were exploiting vulnerabilities in computer hardware and software to gain access to confidential data. Here, the company is reporting that hackers had a different target: company employees.

Anthem reports that, beginning in December, hackers acquired login credentials of five employees. The employees could have been victimized by malware or social engineering scams. The hackers trying to beat Anthem didn’t need to find a flaw in the computer infrastructure. Instead, they just had to find a weakness in the people operating those systems.

Once they had these credentials, hackers used their access to do two things. First, they breached the company databases. Once inside, they exposed addresses, dates of birth, employment history, employment information, income data, medical IDs, names and Social Security numbers. Particularly noteworthy is the fact that payment information was not compromised. That means there’s no need to cancel credit cards that were used to pay Anthem bills yet. Second, hackers created a number of phony email accounts with Anthem domains.

There are two ways victims might be affected by this scam. First, they might have their personal information stolen. This group exclusively consists of current and former Anthem customers. Given the timing of the hack, this will likely result in fraudulent tax returns and possibly other instances of identity theft.

The second wave of victims is only just now emerging. The fake email accounts have been used to send wave after wave of “phishing” attacks to Anthem customers. These attacks take the form of an email apology with an offer for a year of free credit monitoring. Recipients of the email are redirected to another website to enter their Social Security number and other personally identifying information. This information is then used to commit any of a smorgasbord of identity theft crimes.

Anthem is currently being sued in several states. One lawsuit alleges current and former Anthem subscribers were misled about the security of their personal information and is seeking unspecified damages from the provider in overpaid premiums. Another pending lawsuit is seeking damages resulting from the frauds themselves. Until these lawsuits are settled, Anthem will likely not make any public statement of responsibility or apology, as this could be viewed by the courts as an admission of guilt. At this time, Anthem is offering no free credit monitoring service nor has it made any statement to members outside the press.

If you’re an Anthem subscriber, there are a few steps you should take as soon as possible. To find out if you’re an Anthem subscriber, check your insurance card. If you’re part of a group plan at work, you may need to ask your HR representative if your plan is administered through Anthem. In the meantime, take these three steps.

1.) File your taxes.

This will be one way to check if your Social Security number has been compromised. The state of Connecticut is encouraging its citizens to file early if they’re Anthem customers so hackers using stolen Social Security numbers will be easier to detect.

2.) Put a fraud alert on your credit report.

Contact any one of the three major reporting bureaus (Experian, Equifax, or TransUnion) and explain your worries. A fraud report on one account will create a fraud report on all three, so there’s no need to duplicate your efforts. This report will notify you if anyone attempts to open an account in your name during the next 90 days. If you’re absolutely sure your number has been compromised, it might be worth putting a freeze on your credit history. This will prevent anyone from checking your credit or from opening up any account in your name, including you. While drastic, this measure is a sure-fire way to keep yourself safe.

3.) Get proactive with government services.

Notify the Social Security Administration and the Internal Revenue Service of the possible fraud to ensure that no one attempts to file a change of address form in your name. The US Postal Service also maintains a similar service. These steps will ensure that you’ll at least get a paper trail if someone makes an attempt to steal your identity.

Anthem is maintaining a toll-free question line. Customers with concerns or fears should call 877-263-7995. They have also created a website – www.AthemFacts.com – with up-to-date information about the scope and severity of the breach. They have made it clear that future contact with customers affected by the breach will be made by mail.
 

Direct Deposit: Safe, Simple And Convenient


There’s a very short list of things that really haven’t changed in the past 50 years: apple pie, your fourth-grade teacher’s fashion sense and paper checks. Despite the advances that have been made in financial technology, paper checks are really about the same instruments they always have been. In a digital world, they’re increasingly expensive, cumbersome and insecure.

While larger companies have been using an all-electronic system for paying their employees for years, many smaller employers already have or are moving to direct deposit of your net pay as well. Direct deposit transmits your paycheck from your employer’s business account directly into your checking, savings or pre-paid account(s). You still get a pay stub or an electronic equivalent from your employer that lists the amount of the transfer along with any deductions, like taxes, health care or retirement.

What you won’t have to do is hold on to that check until you can find time to get to a branch. Payroll deposits clear instantaneously, which means the money is generally available in your account the same day.

Direct deposit really is the way of the future. Many large employers and some benefit providers require it, and it’s easy to see why. Let’s look at three reasons why direct deposit is right for you. 

1.) Safety 

Think like a criminal for a second. A paycheck is the largest check most people see on a regular basis. This makes it a tempting target for theft. Think about how your employer would react to someone picking up your paycheck for you. Someone could pretend to be a spouse, babysitter or friend doing you a “favor.”

While the signature requirement is some protection, many check-cashing establishments don’t look closely for a match. It’s remarkably easy to cash a stolen check and the law provides little protection. Your employer might be sympathetic, but they’re probably not willing to issue you a second paycheck. The burden would be on you to prove the theft before you could get your salary.

With a direct deposit, those concerns are virtually nonexistent. There are no paper checks to keep safe. No one needs to pick up your paycheck for you. There’s no concern that someone else will accidentally be given your check. The whole transaction is handled seamlessly by computer.

2.) Simplicity 

Believe it or not, the process of payroll is incredibly complicated for companies. Many of them hire outside firms at great expense to ensure they’re accurately paying their employees in compliance with various state and federal regulations. One of the costs involved in payroll production is the printing of checks. Paper checks must be printed, signed and recorded, all of which requires labor.

The cost of writing, verifying and safeguarding a paper check is about $1 per employee per pay period, assuming no lost checks or pay disputes. The lost time to distributing and depositing those checks is about $2 per employee, so it costs businesses about $3 to print and distribute paper checks. Direct deposit costs about half as much.

These savings may seem insignificant, but they add up quickly. Your employer spending less money on payroll means more money to pay you. Whether those cost savings result in a lower-priced product, more investment in the business or higher wages, you benefit. When your employer comes out ahead, so do you.

3.) Convenience 

Obviously, direct deposit saves you an errand every pay period. The stress of fighting rush-hour traffic to make it to a branch office before closing time on payday is considerable. There’s also no need to worry if you got your paycheck deposited in time for same-day processing. Say goodbye to account guessing games.

Beyond the obvious conveniences, direct deposit opens up a slew of other possibilities. You can more easily automate your savings by depositing a portion of each payroll into a savings account and the rest into your checking. You can pay bills more easily online since you get confirmation your funds are available. You may also be able to secure lower fees or a higher interest rate on your checking account!

Paperless payroll saves trees, it saves time and it saves frustration. It does all of this while being safer, faster, and more secure. If you’re unsure about your direct deposit options, stop by or call Destinations Credit Union. Our helpful representatives can get you the information you need to set up direct deposit and can even help you organize your deposits to meet your financial goals.

Call, click, or stop by Destinations Credit Union today!  If you are getting a tax refund, make sure you designate Destinations Credit Union to receive your refund via electronic deposit! 


The 12 Scams Of Christmas


The holidays are a time of family togetherness and celebration. Scammers know you’re distracted, busy, and emotional. That’s why their schemes are so devilish. They get their own twist around Christmas time.

In the interest of keeping things in the holiday spirit, let’s look at 12 scams of Christmas. Don’t get taken in by these or similar schemes. Otherwise, you might be footing the bill for twelve drummers drumming and all the rest!

1.) Mobile malice

Be wary of “season-themed” apps that perform frivolous functions, yet demand top-level security access. An app that makes it look like there’s snow on your background image doesn’t need to send or receive texts. Such an app might send premium text messages and leave you holding the bill.

2.) E-card danger

Everyone with an email address will send these little flash programs. Scammers have designed some with malicious code. They can install data-leeching programs on your computer and do untold damage. Don’t click links in emails unless you know the sender. Even then, if it looks a little out of the ordinary, it probably is. The sender may have already fallen victim, and it would be good to let them know.

3.) Fake packages

You’ll be receiving unexpected packages this season. Scammers know this and will send realistic-looking delivery failure notifications. They expect you to follow up with them and reveal personal identification information! Head to your local post office or call the parcel delivery service to check with a clerk before you hand over information on the Internet.

4.) Hotel “Lie”-Fi

The FBI issued a warning to this season’s travelers about a malicious pop-up at hotel chains around the country. This scam requests people install a foreign program before connecting to a hotel Wi-Fi network. This foreign program turns out to be data-stealing malware. Remember, Internet connections you don’t own or control can easily be used against you. Before you use the Internet at a hotel, ask yourself if it’s worth the risk. If you do need access, be wary of what you’re installing–there shouldn’t be a need to install anything.

5.) Festive spam

We’ve all gotten used to filtering out spam in our email. Now prepare yourself for it to take on a more holiday-oriented theme. Messages will suggest that off-brand Rolex watches and cheap pharmaceuticals would make excellent gifts. Be careful, though, because these companies might just be in the market for your personal information.

6.) Bogus gift cards

There’s a bonanza of savings to be had buying gift cards through second-hand retailers. Be careful, though, because many of these retailers might be a front for scammers. Gift cards may be invalid, used, or forgeries, and you’ll be left holding the bill.

7.) Fake charities

These crop up every time there’s a major disaster, but they also show up at the holidays. Leaflets and phone calls from organizations with familiar-sounding names will soon appear. To be safe, don’t give to any charity with whom you didn’t start the contact. Do your research and give to charities whose values align with your own.

8.) Must-have gift scams

There will soon be an “it” gift. You’ll know it by the high demand, low supply, and hugely inflated prices. Almost on cue, websites will pop up offering the rare widget at unbelievably low prices. This is a scam – the advertiser doesn’t have the product and is only using the offer to harvest personal information or bilk you of your hard-earned money through sites like Craigslist or eBay, where they will seek payment through PayPal and never send the item you purchased.

9.) Christmas catfishing

“Catfishing” means pretending to be seeking a romantic partner on the Internet to dupe people. Scammers take advantage of the loneliness the holidays can evoke to trick people out of gifts or worse. As tempting as it is to believe in love stories at Christmas, keep your feet on the ground and practice safe Internet dating. A good rule of thumb: If you’re single at Halloween, stay that way until after New Year’s.

10.) Holiday vacation scams

If it’s cold and miserable where you are, it’s always tempting to go someplace tropical for a few weeks. If you’re thinking about getting away, be careful of unrealistic prices or “too-good-to-be-true” travel offers. Scammers have been setting up phony travel sites to harvest personal information. Only book through reputable websites.

11.) Devious Christmas games

If you’re facing a 5-hour flight and a 3-hour layover, it’s fantastic to have a distracting mobile game to pass the time. Be careful, however, not to download the wrong one. Mobile games can harvest data from your phone or steal password information. Always do a quick search to check the validity of the app you’re downloading and read the permissions carefully. A fun game should never ask for permission to send texts or send information to third parties.

12.) Free USB Tricks

Be careful with unsolicited gifts of “free” USB thumb drives. Security firm McAfee warns that many of these devices come pre-loaded with malware. Such scams often target company computers, so ensure you only use approved hardware on your work network. USB storage is cheap enough that you can pass on the freebies.

SOURCES:

http://www.fbi.gov/scams-safety/e-scams

Hackers Develop New Attack Method: Charities


It’s around this time of year that most charitable organizations run their biggest fund-raising drives. In so doing, they’re getting millions of contributions from many new contributors. Yet while they must make it as easy as possible for folks to donate, their limited personnel are overworked, making it difficult to thoroughly review all credit card authentication data.

Meanwhile, another group is working some holiday overtime too: Internet scammers. Because many consumers are shopping for goods they don’t usually buy, fake websites pop up, taking advantage of this inexperience to harvest payment information. The biggest challenge is sorting out the real sites from the fake or canceled ones. These two problems may have more in common than you think.

A new report by security firm PhishLabs unveils a shocking new strategy for clearing that hurdle. Hackers use a chat-based program to transmit credit card information to make a small donation. If the transaction is successful, the program confirms the data the hacker supplied is legitimate.

In essence, hackers are using charities as a trial run for stolen credit card numbers. To understand what this means for you, let’s look at how the authentication process works, why charities are ideal targets, and how to keep yourself safe.

Authentication explained

Before you make an online transaction, the retailer will take some steps to verify your identity. You provide a credit card number, a security code and some other information. The form might ask for your billing address or ZIP code, for example. The idea is to keep your account safe by requiring several authentication factors. It works fairly well at frustrating casual scammers.

That’s why this bot is so useful to cyber-criminals. It can check data in low-risk, easily concealable ways. The operators of these services charge a fee in “credits” to would-be scammers. They earn these credits by paying for them or by performing a variety of “services” for the operator’s criminal enterprise.

By making a small donation to a charity, the bot can check to see if the information a scammer stole works. These donations are usually between $1 and $5 to one of a selected range of charitable organizations. If the payment sends, the scammer is free to use the information to buy other, more expensive goods.

Why charities?

Charities are the perfect target for this kind of operation. They use the same authentication strategies as every other business, but they seldom have the resources to investigate fraud. They also want to make it as easy as possible for people to donate. This means they use static donation website names and don’t use anti-bot software like CAPTCHA. This makes them easy for a program to target.

Charities are also good targets because they have little at stake in stopping fraud. Defrauding a retailer puts them out the goods they sell. A fraudulent credit card used to buy a TV leaves the seller of that TV responsible for replacing the TV. Nothing like that exists for a charity. The donation amounts are usually minuscule, so their loss won’t seriously affect budgets.

Finally, charities are good targets because they are innocuous. Average consumers are more likely to overlook small charges to charitable organizations. They might think of them as contributions they made without thinking about it.

Protecting yourself

If you take all the usual measures to keep your identity safe online, this shouldn’t be much of an issue for you. If you think your information might have been stolen, though, consider taking the following steps:

1.) Watch for oddly specific amounts that have been sent to charities in your statement. Neither you nor your partner would give $4.48 to a charitable organization.

2.) Be preemptive in your giving. Donate to charities where you’ve done your research and only give to those that align with your values. Keep a list of charities you support and check your statement for any organization not on that list.

3.) Report these charges immediately both to your card issuer and to the charity on your statement. They can use a variety of indicators to track other fraudulent charges and catch other scammers in the act.
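
The statement check from steps 1 and 2 can be automated. The script below is an added example, not part of the original article: it reads a statement export and flags charity charges that are not on your list of supported charities or that carry oddly specific amounts, and marks unlisted charges in the $1 to $5 range as the highest priority. The CSV column names, the "charity" category label and all merchant names are assumptions made for the illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample statement export (not real data). Assumed columns:
# date, merchant, category, amount.
SAMPLE_STATEMENT = """date,merchant,category,amount
2014-12-01,Grocery Mart,groceries,64.12
2014-12-02,Example Relief Fund,charity,4.48
2014-12-03,Local Food Bank,charity,25.00
2014-12-05,Example Relief Fund,charity,1.00
2014-12-08,Local Food Bank,charity,2.37
2014-12-09,Hope For Pets Example,charity,50.00
2014-12-11,Coffee Stop,dining,3.75
"""

# Step 2: the list of charities you actually support (hypothetical name).
SUPPORTED_CHARITIES = {"Local Food Bank"}

# The article puts test donations at roughly $1 to $5.
TEST_MIN = Decimal("1.00")
TEST_MAX = Decimal("5.00")


def review_statement(csv_text, supported):
    """Return the charity charges worth a second look, with reasons."""
    supported = {name.lower() for name in supported}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["category"].strip().lower() != "charity":
            continue
        merchant = row["merchant"].strip()
        amount = Decimal(row["amount"])  # Decimal avoids float rounding on cents

        unlisted = merchant.lower() not in supported
        in_test_range = TEST_MIN <= amount <= TEST_MAX
        odd_cents = amount % 1 != 0  # e.g. 4.48 rather than 5.00

        # A round-number gift to a charity you support is normal; skip it.
        if not (unlisted or odd_cents):
            continue

        reasons = []
        if unlisted:
            reasons.append("charity not on your supported list")
        if in_test_range:
            reasons.append("amount in the $1-$5 test range")
        if odd_cents:
            reasons.append("oddly specific amount")

        findings.append({
            "date": row["date"],
            "merchant": merchant,
            "amount": amount,
            # Small charge to an unknown charity matches the card-testing pattern.
            "priority": "high" if unlisted and in_test_range else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in review_statement(SAMPLE_STATEMENT, SUPPORTED_CHARITIES):
        print(f["date"], f["merchant"], f["amount"], f["priority"],
              "; ".join(f["reasons"]))
```

Anything the script flags is a prompt to check the charge yourself and, if you don’t recognize it, to report it as described in step 3.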

Beating this scam requires care and vigilance, just like every other scam. You need to know where your money’s going and be careful with where you make your payments. Don’t shop at websites you don’t know and trust, and don’t give out credit card information to anyone you don’t know. Check your statements regularly and report any suspicious activity.
SOURCES: