Most people do a lot more shopping during the holidays. There are gifts to buy, events to attend, and lots of good deals. But unfortunately, scammers know it’s a high-volume shopping time and they look for ways to take advantage of busy consumers. According to an article from Forbes, “cyber attacks are on pace to jump by nearly 60% this holiday season, compared to other months throughout the year.” Some simple ways to protect yourself include shopping at websites from trustworthy brands, avoiding public Wi-Fi when dealing with sensitive information (such as your credit card number), and keeping your electronic devices up to date. For more tips on how to shop safely, visit the Forbes blog.
Managing someone else’s money: New protection from ID theft and fraud
Source: Federal Trade Commission: Consumer Information
If you manage someone else’s money, protecting your loved one from financial exploitation and scams is among your important responsibilities. Starting September 21st, 2018, a new federal law lets some financial caregivers request a security freeze, also called a credit freeze, on their loved one’s behalf. Taking this step can help protect them from identity theft and fraud.
Anyone can be a victim of identity theft
Identity theft happens when someone steals personal information, such as a Social Security number. That lets hackers, thieves, and even people you know open new credit cards and other financial accounts in your name. A security freeze restricts access to your credit reports and makes it hard for identity thieves to open new accounts in your name. Under the new law, it’s free to freeze and unfreeze your credit file at all three of the nationwide consumer reporting agencies – Equifax, Experian, and TransUnion.
Help for financial caregivers
But what about people who can’t manage their finances on their own? The new law lets people with certain legal authority act on someone else’s behalf to freeze and unfreeze their credit file. The new law defines a “protected consumer” as an incapacitated person, someone with an appointed guardian or conservator, or a child under the age of 16.
If you’re acting on behalf of a protected consumer, you must give the credit reporting agencies proof of authority before you can freeze and unfreeze the protected consumer’s credit. Proof of authority includes:
- A court order (such as an order naming you guardian or conservator), or
- A valid power of attorney.
To freeze or unfreeze the credit file of a child under 16, you must provide other proof of authority.
You’ll also need to provide proof of your identity, which can be your Social Security card, your birth certificate, or your driver’s license or other government issued identification.
To learn how to request a security freeze, read this blog.
More resources to help you manage someone else’s money
- If you’ve been named to manage money for an adult who needs help, the Managing Someone Else’s Money guides will walk you through four different fiduciary roles and provide tips on spotting financial exploitation and avoiding scams.
- If you believe a credit reporting agency is not placing a security freeze properly, you can submit a complaint to the Bureau of Consumer Financial Protection at consumerfinance.gov/complaint.
If you think you or someone you know is a victim of identity theft, visit the Federal Trade Commission’s IdentityTheft.gov to get a personalized step-by-step recovery plan.
Avoiding Password Reuse
Password reuse occurs when someone uses the same password on multiple websites or accounts. This is a vulnerability if the password is exposed in coordination with other information that identifies who is using the password – such as first and last names, login names, or email addresses.
Avoiding password reuse can be challenging because of the number of websites and accounts that require passwords, some of which require updating your password every 30 days. There are two ways to avoid password reuse and to ensure any password meets the recommended password complexity requirements.
The first technique is to use a password manager to remember each unique password. Password managers are applications that can be stored on a computer, smartphone, or in the cloud, and will securely track passwords and where they are used. Most password managers can also generate complex random passwords for each account if you choose to do so. As long as the password to access the password manager is sufficiently complex, this technique can be effective. However, if the company running the password manager is compromised (which does happen!) it is possible that all your passwords will also be compromised. If you choose a password manager that is local to your computer or smartphone, that information may be compromised if malware gets on your computer or you lose your smartphone. When choosing a password manager, ensure it is from a known, trustworthy company.
The second technique is to choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password. For example, the sentence “This is my August password for the Center for Internet Security website.” would become “TimAp4tCfISw.” Since a strong password is complex and includes upper and lower case letters, numbers, and a symbol, this password keeps the capitalization within the sentence, translates the word “for” to the number “4,” and keeps the period so that it includes a symbol. The vulnerability in this technique is that if multiple passwords from the same user are exposed, it may reveal the pattern.
Regardless of how a unique password is chosen, it is critically important that every password is unique. Some companies, such as Facebook, have begun programs to identify password reuse. Facebook’s program to identify password reuse involves monitoring for lists of compromised usernames, emails, and passwords, and attempting to match those to the usernames or email addresses of existing Facebook users. If a match is found Facebook asks the user to reset their Facebook password.
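The matching step described above can be sketched as follows. This is an added example, not Facebook's code or anything from the original article; the user-record layout, the PBKDF2 parameters and the function names are assumptions, and all sample data is constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as a site would store it (never the plain password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    """Build a hypothetical user record with a per-user random salt."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt,
            "hash": hash_password(password, salt), "must_reset": False}


def flag_reused_credentials(users: list, leaked_pairs: list) -> list:
    """Mark users whose current password appears next to their own email
    in a leaked list; return the flagged emails in first-seen order."""
    by_email = {u["email"]: u for u in users}
    flagged = []
    for email, leaked_password in leaked_pairs:
        user = by_email.get(email.strip().lower())
        if user is None or user["must_reset"]:
            continue  # not our user, or already flagged by an earlier entry
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["must_reset"] = True  # force a reset at next login
            flagged.append(user["email"])
    return flagged


if __name__ == "__main__":
    # Constructed sample data: no real accounts or leaked passwords.
    users = [make_user("alice@example.com", "Maple-Canoe-41!"),
             make_user("bob@example.com", "r7#Lq2vX9p"),
             make_user("carol@example.com", "Sunshine2018!")]
    leaked = [("Alice@Example.com", "Maple-Canoe-41!"),  # reused: match
              ("bob@example.com", "hunter2"),            # old or different
              ("dave@example.org", "Sunshine2018!"),     # not our user
              ("alice@example.com", "Maple-Canoe-41!")]  # duplicate entry
    print(flag_reused_credentials(users, leaked))
```

Carol shares a password with one leaked entry but is not flagged, because the leaked email address is not hers: a match needs both the identifying information and the password.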
How Password Reuse is a Threat
Password reuse is a threat because malicious actors can take advantage of a reused password if there is other associated information that identifies you. This typically occurs through one of two potential scenarios:
In the first, and most common, scenario, the malicious actors can search for other accounts you use and try to log in with the same password. In some cases the actors might try to find personal accounts such as Facebook, Twitter, or banking websites. If they can identify those accounts, and you reuse your password, they can log in as you. In other instances the malicious actors may try to determine where you are employed and attempt to use the password for remote access, such as through remote email or timecard access.
A second scenario involving a malicious website is much less common, but still poses a threat. In this scenario the malicious cyber-actor sets up a website that spoofs a legitimate website and asks you to enter an email address, password, and potentially other information to gain access. Once you have done that, they know who you are and can search for your other accounts where you used the same password.
Anatomy of a fake check scam
Source: Federal Trade Commission: Consumer Information
Fake checks drive many types of scams – like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don’t know asks you to deposit a check – sometimes for several thousand dollars and usually for more than what you are owed – and wire some of the money back to that person. The scammers always have a good story to explain the overpayment – they’re stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you’ve deposited a bad check, the scammer already has the money you sent, and you’re stuck paying the rest of the check back to the bank.
The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.
The FTC’s new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don’t know.
Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying “Look what I just found” and sharing this information may make a difference in someone else’s life.
Want to avoid the latest rip-offs? Sign up for free consumer alerts from the FTC at ftc.gov/subscribe.
Google is Not Calling You
Source: Federal Trade Commission: Consumer Information
Have you gotten a robocall at work, telling you that you have to take action or your Google business listing will be removed? Or maybe even marked as permanently closed? That kind of thing could be tough for a business — if the threat was real. But those calls are not legit—and not from Google.
The FTC just filed a lawsuit against Point Break Media and others, saying they made just those kinds of calls. According to the complaint, people who believed the calls and then spoke to a live telemarketer were told that they could avoid the problem by paying a fee (up to $700). When people paid this fee, the scammers then allegedly targeted them with offers for even more expensive services that would supposedly improve Google search results. Of course, nobody making those calls is affiliated with Google. And businesses can — for free — manage their own Google business listing.
In this case, the scammers targeted music instructors, house painting companies, car dealerships, and other small businesses. They knew that appearing in online searches is crucial for those businesses, and threatening that connection with customers might make people act before stopping to think.
If you get a call like this, don’t press any buttons. Don’t call the number back, and don’t engage. That just encourages the scammers. The best thing to do? Immediately hang up the phone, and then talk about it with your colleagues or employees. Let them know that:
- Scammers pretend to be someone you trust. They pretend to be connected with a company you know or a government agency.
- Scammers create a sense of urgency. They want you to rush and make a quick decision without considering options.
- Scammers use intimidation and fear. It’s okay to hang up the phone and confirm what’s really going on before taking any action.
Then, sign up for the FTC’s Business Blog (FTC.gov/Subscribe), which will keep you up to date on what’s happening at the FTC, and how it affects your business. Also, check out FTC.gov/SmallBusiness. Knowing about scams that target small businesses will help you protect yours.
Beware of ATM, Debit and Credit Card ‘Skimming’ Schemes
How to help protect yourself from high-tech thieves who steal account information
Source: FDIC Consumer News – Winter 2018
You may have heard in the news that automated teller machines (ATMs) are being targeted by criminals who secretly attach high-tech devices to the machines in order to record consumers’ keystrokes and steal or, as it is sometimes called, “skim” personal identification numbers (PINs) along with credit or debit card account numbers. In addition, criminals are known to add similar devices to credit or debit card readers at checkout registers, especially at gas stations, convenience stores or other merchants where customers may be in a hurry and not notice or take the time to report something suspicious.
“Security experts and law enforcement officials warn that card skimming is present in many communities,” said Michael Benardo, manager of the FDIC’s Cyber Fraud and Financial Crimes Section. “With the information that can be skimmed, a thief can go on an online shopping spree or sell that valuable data to other con artists.”
And how do thieves retrieve the data they gather? Some return to the scene of the crime to remove their devices, while others can communicate electronically with their hardware using a laptop or mobile phone and wireless connections.
Through the years, FDIC Consumer News has warned readers to be on the lookout for keystroke-recording devices on ATMs or checkout registers.
Here’s a reminder of the different kinds of skimming devices and what to look for:
Card-reader overlays: The most common ATM skimmer, and perhaps the easiest device to detect, is the card-reader overlay. It is made of plastic and fits over the slot where you insert your card. As you insert your card, the device reads the data from your card and stores it. How can you tell if there’s an overlay hiding an illegal card reader? “Before inserting your card, look at the card reader for signs it has been altered,” said Amber Holmes, a financial crimes information specialist with the FDIC. “Be suspicious if your card doesn’t easily go into the machine or if the card reader appears loose, crooked or damaged, or if you notice scratches, glue, adhesive tape or other possible signs of tampering.”
Hidden cameras: While banks typically have security cameras near their ATMs to keep an eye on the area, thieves sometimes hide tiny cameras on or around ATMs. “If positioned correctly, a brochure holder on an ATM is the perfect place to hide a mini-camera that can record PIN numbers as customers type them,” warned Benardo. “Also check for tiny holes in the ATM housing or in something else that looks like it was hastily stuck onto the ATM to cover a small camera.”
PIN-capture overlays: Criminals have been known to attach dummy keypads over an ATM’s real keypad to record and capture PIN numbers as they are entered. The keypad might be fake if it looks too thick or different from what you’re used to seeing.
Fake ATM faceplates: Some thieves go as far as placing a fake ATM cover that could contain card-reader overlays, hidden cameras and PIN-capture overlays over some or all of a real, fully operating machine. “The best way to determine if an ATM has a false cover is to look for flaws like loose wires, seams that are not flush and slots or keypads that look out of place,” said Holmes.
What should you do if you believe your debit or credit card account has been compromised?
There are consumer protection regulations that can help. For example, the Electronic Funds Transfer Act (EFTA) and the Consumer Financial Protection Bureau’s (CFPB’s) “Regulation E” limit a consumer’s liability for losses from unauthorized transactions using his or her ATM or debit card or card numbers. If your debit card or the card number is used to make an unauthorized withdrawal from a checking or savings account, you can minimize your losses by contacting your bank as soon as possible. Your maximum liability under the EFTA is $50 if you notify your bank within two business days after learning of the loss. If you wait longer, you could lose more, according to the law. If it’s your credit card number that is used without your authorization, your liability is normally capped by the Truth in Lending Act (TILA) and the CFPB’s “Regulation Z” at $50 for all unauthorized transactions, and remaining credit card losses are typically absorbed by the card issuer.
“Even consumers who know the telltale signs of a skimming device may inadvertently use an ATM or a sales terminal that has been tampered with. That’s why it’s great to know that there are consumer protections available,” said Tracie Greenway Morris, an FDIC senior community affairs specialist.
Some other worthwhile precautions you can take include:
- Do not use an ATM or a credit or debit card reader if anything looks suspicious, such as loose or extra parts. Alert the machine owner or the police immediately.
- Avoid ATMs in remote places, especially if the area is not well lit or not visible to security cameras and the general public. “ATMs in secluded locations are more likely to be altered,” Benardo said.
- Go elsewhere if you see a sign directing you to only one of multiple ATMs in a location. It could be the machine that was tampered with by a crook.
- Shield the keypad with your hand when typing your PIN at the ATM or a retailer’s checkout area. Doing so won’t protect you from skimmers who use keypad overlays, but it will block the view of a hidden camera.
- Regularly check your bank and credit card accounts for unauthorized transactions, even small transactions that you think might not be worth reporting to your bank. “Thieves might make low-dollar withdrawals or charges as a way to test a counterfeit debit or credit card before they use it for big-dollar transactions,” Holmes explained. “If you spot a potential problem, notify your bank as quickly as possible.”