January 5, 2018

How to Protect Your Data


Each year, scammers, hackers, and data thieves find new ways to steal data or fool people into giving it to them freely. No matter how secure you keep your own data, some pieces of your personal information are stored and protected by a third party. Whether it’s a retailer where you shop, a social media account, or even something as simple as a hotel booking, your life leaves a trail of breadcrumbs that some smart scammers could use to steal your identity, money, or other personal data.

Phishing

While phishing is certainly not a new tactic, it will continue to be a major threat in 2020 and beyond. When a scammer poses as a legitimate person or business and tricks people into giving away private information (passwords, Social Security numbers, etc.), they are “phishing” for that information. Fortunately, there are ways to protect yourself. However, in 2020 phishing tactics are becoming more sophisticated and sometimes more targeted, a method known as “spear phishing.”

Spear Phishing

Spear phishing is a more targeted form of phishing in which the scammer, instead of casting a wide net and hoping to catch anyone they can, chooses a specific person or group to target with an email attack. Many schools and businesses experienced phishing attacks in 2019, and that number is likely to increase in 2020 with the new economic conditions brought on by the COVID-19 pandemic.

Spear phishers actually research their targets, gathering what information they can to craft emails that will convince people at a company or organization to enter their password into a fake login page created by the scammer.

The best way to protect yourself and your company from spear phishing tactics is to be very suspicious of any emails you receive that ask you to enter personal information, passwords, or other data right away.

Even if a message appears to have come from your own company and takes you to a familiar-looking log-in page, it could be a spoofed version created by the spear phisher. It’s always a good idea to check with your company’s IT department if you’re unsure about an email you have received.

Vishing

Another type of phishing is called “vishing,” where the V is for VoIP. Scammers are using Voice over IP (VoIP) phones to connect their digital scams to phone numbers they control. Scammers have posed as banks and sent emails to the bank’s customers asking them to call a phone number to discuss their account.

Phone fraud, typically known as vishing (phishing that happens through a phone call), can be just as deceptive and damaging as email or text fraud. A criminal calls and poses as a legitimate bank or trusted financial service to notify you of a non-existent alert or some sort of urgent matter as a way to trick you. In some variations, scammers will use specialized technology to clone a financial institution’s number so it appears on the victim’s caller ID as the company’s correct contact number. Then, when you answer the call, they often pose as a “trusted employee” in order to persuade you to disclose sensitive financial and personal details.

The best advice to beat the scam is simple – never assume that someone is who they say they are just by the number displayed on your phone. Always be suspicious if you’re asked for your four-digit PIN, personal information, or passwords. Remember, your bank will never call and ask you to do any of these things.

Smishing

Smishing is phishing carried out through SMS text messages. It is on the rise in 2020, but fortunately you can protect yourself using the same methods you use against other phishing scams.

Social Media Attacks

Scammers are creating social posts that mimic big brands, companies, or influencers offering giveaways or rewards. Their goal is to gather identifying information from people or even hook them into paying for a fake but expensive service. Be aware of social media ads that make big promises but require you to provide information or sign up for a paid service to get the “rewards.”

Steps You Should Take

The first step after any breach is to change passwords. Usually, vendors will email you to let you know that a breach has occurred and urge (or even require) you to change your password. Don’t ignore these requests. It’s a good idea to act quickly, and it’s an even better idea to have different passwords for each online service you use. Otherwise, one compromised account would give a hacker access to every account you have. If remembering all those passwords is too much, try a password manager like LastPass. With a password manager, you can save all your passwords in one place and only have to remember a single master password to access them.

For high-security accounts, like your primary email address, credit cards, brokerages and online banking, it’s best to change passwords every six months, regardless of how safe your information might be.

Another less examined aspect of a data breach is security questions. Questions and answers used in the password reset process may have been compromised, too. If you use information like your favorite author, book or sports team to secure multiple accounts, that data could also be at risk. Worse yet, this data is frequently unencrypted, since it represents only one part of the password reset process. This means it may be widely available, especially if it’s something you post about publicly on your social media.

If you use the same personal information question(s) at multiple websites, now is a good time to review and change that information. Wherever possible, switch to a two-step authentication method. These processes use your cellphone number as a backup password option. If you try to reset your password, the service will call or text you with a code to use as a verification method. It puts another step between potential thieves and your information.

Finally, this is a good time to check your credit. It’s possible you could already be a victim of identity theft if you haven’t checked your credit score recently. Getting a credit report will let you know if any new accounts have been opened using your personal information. Similarly, this might be a good time to consider a credit monitoring service. Such services keep an eye on your credit periodically, and can help protect against identity theft.

How to Protect Yourself with a Credit Freeze

Unfortunately, most people aren’t aware of their right to control who is able to access their credit report. But all three major credit reporting agencies (Equifax, Experian and TransUnion) offer you the option to restrict access to your credit report. They also make it possible for you to decide when and with whom your credit report may be shared. It’s called a security freeze or a credit freeze, and it’s important to understand how that works.

Here’s a real-life example of a credit union member in Texas who didn’t know he had the right to restrict access to his credit report. He has a very high credit score, and without his knowledge, an identity thief who was also a resident of Texas was able to establish a new cellphone service and qualify for the purchase of a new vehicle using this man’s profile. The cellphone service was already established when the thief shopped for a vehicle online. But that was the beginning of the end of the crime spree.

Three different auto dealerships called the credit union member to verify he was, in fact, going to take possession of the car he’d arranged to buy online. They had found his legitimate phone number on his credit report. You can imagine this consumer’s surprise, not just the first time, but each time he got a call. Every dealership alerted the local police, who contacted the credit union member directly for more information.

Turns out, the identity thief was using the cellphone obtained in the stolen name, and also presenting a temporary, new Texas driver’s license in the stolen name. Both were obtained prior to his attempts to purchase a car.

The member was advised to call all three credit reporting agencies and put a freeze on his credit report. The identity thief still had his Social Security number, address and credit card numbers, but could no longer use them. The fraudulent cellphone account was closed, at no cost to the member, and the State of Texas rescinded the temporary driver’s license.

Without a credit freeze in place, the member would continue to be vulnerable to fraudulent use of his identity by the Texas thief. And he would be vulnerable to other thieves who may have purchased his credit report, as well.

How To Protect Your Identity With A Security Freeze

1.)  Call your bank or credit union to report fraudulent use of your account or credit card if it has been breached.

2.)  Call the fraud department of every credit card that is issued in your name. You don’t need to cancel the cards, just report the fraudulent use and announce your plans to set up a security freeze with the credit reporting agencies.

3.)  Call each of the three major credit reporting agencies to set up a security freeze. Each has its own process, and there may be a small fee for the service, approximately $10 per agency.

Equifax – 1-800-349-9960

Experian – 1-888-397-3742

TransUnion – 1-888-909-9972

4.)  Call each credit reporting agency whenever you want a particular vendor to access your credit report. This is called a “temporary lift” of the credit freeze for one vendor only. The permanent credit freeze remains in place until you choose to remove it entirely. There may be a fee for each temporary lift.

Making the choice to control who can access your credit report (and who cannot) gives you the most security possible, but it requires more work on your part, too. And it may involve occasional but nominal fees. The member in our story decided it was worth the time and small expense to control access to his credit report, because he never wants to go through identity theft issues again.

This article is for educational purposes only. Tulsa FCU makes no representations as to the accuracy, completeness, or specific suitability of any information presented. Information provided should not be relied on or interpreted as legal, tax or financial advice. Nor does the information directly relate to our products and/or services terms and conditions.