A lot of people use social media sites — such as Facebook, LinkedIn, Twitter, Google+ and Instagram — to stay in touch with family and friends, meet new people and interact with businesses like their bank. However, identity thieves can use social media sites in hopes of learning enough information about individuals to be able to figure out passwords, access financial accounts or commit identity theft.
Identity thieves create fake profiles on social networks pretending to be financial institutions and other businesses, and then lure unsuspecting visitors into providing Social Security numbers, bank account numbers and other valuable personal information. Identity thieves also have created fraudulent profiles and then sent elaborate communications to persuade “friends” to send money or divulge personal information. “They might claim to work at the same organization, to have attended the same school, or share similar interests and hobbies,” said Susan Boenau, manager of the FDIC’s Consumer Affairs Section. “They know that communicating a false sense of trust can be easy on social media.”
“Valuable pieces of information to someone seeking to steal your identity include, for example, a mother’s maiden name, date or place of birth, high school mascot or pet’s name,” explained Amber Holmes, a financial crimes information specialist with the FDIC. “Fraud artists use social networking sites to gather this kind of information because it can help them guess passwords to online accounts or answers to ‘challenge questions’ that banks and other businesses frequently use for a second level of authentication beyond a password. Someone who has your password and can successfully answer challenge questions may be able to access your accounts, transfer money or even reset passwords to something they know and you don’t.”
What safety measures can you take with your social media account?
Check your security settings on social network sites.
Make sure they block out people who you don’t want seeing your page. If you have doubts about your security settings, avoid including information such as your birthday or the year you graduated college. Otherwise, though, experts say it is OK to provide that kind of information on your social media pages.
Take precautions when communicating with your bank.
If you want to communicate with your bank on social media, keep in mind that your posts could become public, even though you can protect your posts to some extent through your account settings. You should not include any personal, confidential or account information in your posts. “Also, reputable social media sites will not ask you for your Social Security, credit card or debit card numbers, or your bank account passwords,” said FDIC Counsel Richard Schwartz.
Before posting information such as photos and comments, you should look for a link that says “privacy” or “policies” to find out what can be shared by the bank or the bank’s social media site with other parties, including companies that want to send you marketing emails. Read what the policies say about whether and how the bank will keep personal information secure. Find out what options you may have to limit the sharing of your information.
It is a good rule of thumb to avoid posting personal information on any part of a bank’s social media site. “That type of information is often requested by banks for their security ‘challenge questions’ that are used to control access to accounts,” advised Schwartz. “A criminal could use that information to log in to your account.”
Be cautious about giving third-party programs or apps, such as sites for games or quizzes, the ability to use information from your social networking pages.
“Some of these third parties may use information from your page to help you connect with others or build your network — for example, to pair you with strangers wanting to play the same game,” Boenau said. “But they could also be selling your information to marketing sites and others, possibly even to people who might use your information to commit a fraud.”
Periodically search to see if someone has created a fake account using your name or personal information on social networking sites.
Checking common search engines for your name and key words or phrases (such as your address and job title) may turn up evidence that someone is using your information in a dishonest way.
Courtesy of FDIC Consumer News – Winter 2016
Malicious software — or “malware” for short — is a broad class of software built with malicious intent. “You may have heard of malware being referred to as a ‘computer bug’ or ‘virus’ because most malware is designed to spread like a contagious illness, infecting other computers it comes into contact with,” said Michael Benardo, manager of the FDIC’s Cyber Fraud and Financial Crimes Section. “And if you don’t protect your computer, it could become infected by malware that steals your personal financial information, spies on you by capturing your keystrokes, or even destroys data.”
Law enforcement agencies and security experts have seen an increase in a certain kind of malware known as “ransomware,” which restricts someone’s access to a computer or a smartphone — literally holding the device hostage — until a ransom is paid. While businesses have been targeted more than consumers to date, many home computer users have been victims of ransomware.
The most common way malware spreads is when someone clicks on an email attachment — anything from a document to a photo, video or audio file. Criminals also might try to get you to download malware by including a link in the wording of an email or in a social media post that directs you somewhere else, often to an infected file or Web page on the Internet. The link might be part of a story that sounds very provocative, such as one with a headline that says, “How to Get Rich” or “You Have to See This!” Malware also can spread across a network of linked computers, be downloaded from an infected website or be passed around on a contaminated portable storage device, such as a thumb drive or flash drive.
Here are reminders plus additional tips on how to generally keep malware off your computer:
Don’t immediately open email attachments or click on links in unsolicited or suspicious-looking emails.
Think before you click! Cybercriminals are good at creating fake emails that look legitimate but can install malware. Either ignore unsolicited requests to open attachments or files or independently verify that the supposed source did send the email to you (by using a published email address or telephone number). “Even if the attachment is from someone you know, consider if you really need to open the attachment, especially if the email looks suspicious,” added Benardo.
Install good anti-virus software that periodically runs to search for and remove malware. Make sure to set the software to update automatically and scan for the latest malware.
Be diligent about using spam (junk mail) filters provided by your email provider. These services help block mass emails that might contain malware from reaching your email inbox.
Don’t visit untrusted websites and don’t believe everything you read. Criminals might create fake websites and pop-ups with enticing messages intended to draw you in and download malware. “Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable,” warned Amber Holmes, a financial crimes information specialist with the FDIC. “And please, don’t click on a link to learn more. If something sounds too good to be true, then most likely it’s fraudulent or harmful.”
Be careful if anyone — even a well-intentioned friend or family member — gives you a disk or thumb drive to insert in your computer. It could have hidden malware on it. “Don’t access a disk or thumb drive without first scanning it with your security software,” said Holmes. “If you are still unsure, don’t take a chance.”
Courtesy of FDIC Consumer News – Winter 2016
Everywhere you look, people are using smartphones and tablets as portable, hand-held computers. “Unfortunately, cybercriminals are also interested in using or accessing these devices to steal information or commit other crimes,” said Michael Benardo, manager of the FDIC's Cyber-Fraud and Financial Crimes Section. “That makes it essential for users of mobile devices to take measures to secure them, just as they would a desktop computer.”
Here are some basic steps you can take to secure your mobile devices:
Avoid apps that may contain malware.
Buy or download from well-known app stores, such as those established by your phone manufacturer or cellular service provider. Consult your financial institution's website to confirm where to download its official app for mobile banking.
Keep your device’s operating system and apps updated.
Consider opting for automatic updates because doing so will ensure that you have the latest fixes for any security weaknesses the manufacturer discovers. “Cybercriminals try to take advantage of known flaws, so keeping your software up to date will help reduce your vulnerability to foul play,” said Robert Brown, a senior ombudsman specialist at the FDIC.
Consider using mobile security software and apps to protect your device.
For example, anti-malware software for smartphones and tablets can be purchased from a reputable vendor.
Use a password or other security feature to restrict access in case your device is lost or stolen.
Activate the “time out” or “auto lock” feature that secures your mobile device when it is left unused for a certain number of minutes. Set that security feature to start after a relatively brief period of inactivity. Doing so reduces the likelihood that a thief will be able to use your phone or tablet.
Back up data on your smartphone or tablet.
This is good to do in case your device is lost, stolen or just stops working one day. Data can easily be backed up to a computer or to a back-up service, which may be offered by your mobile carrier.
Have the ability to remotely remove data from your device if it is lost or stolen.
A “remote wipe” protects data from prying eyes. If the device has been backed up, the information can be restored on a replacement device or the original (if you get it back). A number of reputable apps can enable remote wiping.
Courtesy of FDIC Consumer News – Winter 2016
In today’s world, it’s important for small business owners to be vigilant in protecting their computer systems and data. Among the reasons: Federal consumer protections generally do not cover businesses for losses they incur from unauthorized electronic fund transfers. That means, for example, your bank may not be responsible for reimbursing losses associated with an electronic theft from your bank account — for instance, if there was negligence on the part of your business, such as unsecured computers or falling for common scams. (To learn more about the rules pertaining to electronic theft, including losses involving a business debit card, see the article on this page titled, “How Federal Laws and Industry Practices Limit Losses From Cyberattacks.”)
Here are tips to help small business owners and their employees protect themselves and their companies from losses and other harm. Several of these tips mirror basic precautions we have suggested elsewhere in this issue for consumers.
Protect computers and Wi-Fi networks. Equip your computers with up-to-date anti-virus software and firewalls to block unwanted access. Arrange for key security software to automatically update, if possible. And if you have a Wi-Fi network for your workplace, make sure it is secure, including having the router protected by a password that is set by you (not the default password). The user manual for your device can give you instructions, which are also generally available online.
Patch software in a timely manner. Software vendors regularly provide “patches” or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure software to install such updates automatically.
Set cybersecurity procedures and training for employees. Consider reducing risks through steps such as pre-employment background checks and clearly outlined policies for personal use of computers. Limit employee access to the data systems that they need for their jobs, and require permission to install any software.
And, train employees about cybersecurity issues, such as suspicious or unsolicited emails asking them to click on a link, open an attachment or provide account information. By complying with what appears to be a simple request, your employees may be installing malware on your network. You can use training resources such as a 30-minute online course from the Small Business Administration (SBA) at www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses.
Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices and online accounts by using combinations of upper- and lower-case letters, numbers and symbols that are hard to guess and changed regularly. Consider requiring more information beyond a password to gain access to your business’s network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.
Secure the business’s tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your company’s network. In the case of the latter, require employees to password-protect their devices, encrypt their data and install security apps to prevent criminals from accessing the device while it is connected to public networks. Also develop and enforce reporting procedures for lost or stolen equipment.
Back up important business systems and data. Do so at least once a week. For your backup data, remember to use the same security measures (such as encryption) that you would apply to the original data. In addition, in case your main computer becomes infected, regularly back up sensitive business data to additional, disconnected storage devices.
Use best practices for handling card payments online. Seek advice from your bank or a payment processor to select the most trusted and validated tools and anti-fraud services. This may include using just one computer or tablet for payment processing.
Be vigilant for early signs something is wrong. “Monitor bank account balances regularly to look for suspicious or unauthorized activity,” suggested Luke W. Reynolds, chief of the FDIC’s Outreach and Program Development Section.
Courtesy of FDIC Consumer News
When criminals make unauthorized purchases using stolen payment card numbers or other information, federal consumer laws and financial industry practices protect victims from losses under certain circumstances. Here are key details to remember.
If your credit card number is accessed by cyberthieves: “Under federal law, a consumer’s liability is normally capped at $50 for all unauthorized transactions on each card. However, if your credit card number is stolen, but not the card, you are not liable for any unauthorized use,” said Richard Schwartz, a counsel in the FDIC’s Consumer Compliance Section. “In addition, credit card losses are typically absorbed by the card issuer because of zero-liability policies, which preclude consumers from having to pay any amount of an unauthorized charge. These policies are set by the card industry.”
If your debit card or the card number is used to withdraw money from a checking or savings account: To minimize your losses, you should contact your bank as soon as possible if you discover that your debit card has been lost or stolen. Your maximum liability under federal law is $50 if you notify your bank within two business days after learning of the loss or theft of your card. But if you notify your bank after those first two days, under the law you could lose more.
What if your debit card number (not the card itself) is stolen in an online hacking incident? Remember to check your account activity regularly. Timing is critical because under federal law you will not be liable for the transaction if you report it within 60 days after your account statement showing the transaction is sent to you. But if the charge goes unreported for more than 60 days, all your money in the account could be lost. However, remember to check with your bank about the payment card networks’ zero-liability policy, which may protect you.
If you have a debit card for a business account that is used fraudulently: Debit cards issued for business use have different loss protections than debit cards for consumers. The Uniform Commercial Code (UCC), which sets many rules for businesses, requires a standard of “ordinary care” by the card holder in order to avoid liability for losses from online fraud. “This can be a technical area, so check with an attorney to make sure you are managing your business account consistent with the UCC rules,” Schwartz advised.
If a prepaid card account is used fraudulently: Prepaid cards have money deposited onto them, and they usually aren't linked to a checking or savings account. In terms of legal protections against losses as a result of fraud, the rules vary depending on the type of prepaid card:
- Prepaid cards used by employers to pay their employees are covered under the same laws described earlier for consumer debit cards.
- General-purpose “reloadable” prepaid cards, which display a network brand such as American Express, Discover, MasterCard or Visa, currently have no protections limiting liability under federal law but do, in most cases, include in their contracts with customers the same protections as those for consumer debit cards. However, regarding liability for losses, the Consumer Financial Protection Bureau (CFPB) in November 2014 proposed a rule that would include reloadable prepaid cards under the federal law for consumer debit cards. Visit the CFPB website at www.consumerfinance.gov for updates.
- Prepaid gift cards for purchases at stores are typically not registered and, therefore, are not subject to federal consumer liability rights and protections. And, issuers of prepaid gift cards generally do not provide their own fraud liability coverage to card holders. “If you lose your gift card, you will probably lose the entire value of that card,” Schwartz said.
Courtesy of FDIC Consumer News
Part of building a strong foundation for a child’s financial future is taking steps to minimize the risk that his or her Social Security number, bank account details or other valuable personal information will be stolen. Following are tips to help parents and caregivers protect young people from cyber-related identity theft and financial fraud.
Talk with your child about safe online practices. Consider discussing the risks of sharing personal information online, including the possibility that someone can gather small amounts of personal information to guess the correct answers to security questions, reset passwords and take control of financial accounts.
“Encourage your young person to be selective with his or her ‘friends’ online, just as he or she would in real life,” said Bobbie Gray, an FDIC supervisory community affairs specialist. “Discuss how not everything they see on the Internet is true, and that some criminals may pretend to be friends or relatives in order to obtain personal information or worse.” Consider agreeing on a short list of what your child can and cannot do online.
Help your child learn to analyze advertisements, some of which may be fraudulent. “Explain that advertising, even in an online video clip, is intended to get people to make purchases or otherwise act on things they might not usually do,” said Luke W. Reynolds, chief of the FDIC’s Outreach and Program Development Section.
Explain why keeping money in a financial institution is safe. Checking, savings or other deposit accounts at a federally insured financial institution carry protections related to theft and fraud, making them a safe place for your money. If your child doesn't already have a deposit account, consider opening one. You can review how to verify that a bank is FDIC-insured by going to https://www.fdic.gov/deposit/deposits/. And, to find age-appropriate information and activities for kids plus FDIC “Money Smart” guides that help parents and caregivers talk with their children about key financial topics, you can visit an informative website developed by the FDIC and the Consumer Financial Protection Bureau.
Secure electronic equipment. Make sure your child’s devices are configured to download the latest updates from the manufacturer because they usually include security-related enhancements. Almost all video game equipment connects to the Internet and may link to information such as credit or debit card numbers.
If a company wants to collect data on your child, find out why. Controlling access to a child’s information is one of the best ways to protect him or her from identity theft. Under a federal law called the Children’s Online Privacy Protection Act (COPPA), websites and online services (including apps) that are directed to children under 13 must notify parents directly and get their approval before they collect, use or disclose a child’s personal information. When notifying you, the company must disclose how it plans to use your child’s information. The company also may ask for your approval of different options for using information it wants to collect, such as whether it can share the information with others or use it for marketing purposes. To learn more, start at the FTC’s Web page “Protecting Your Child’s Privacy Online”.
Be aware of possible signs that a child is the victim of identity theft.
Criminals may steal the identity of children to file claims for government benefits or apply for a loan online. “While not necessarily a sign of identity theft, your child receiving unsolicited mail or phone calls from marketers can indicate that personal information has been shared somehow. It’s best to take the time to understand why,” Reynolds noted.
Consider asking the three major nationwide credit reporting agencies — Equifax, Experian, and TransUnion — to check if your minor child has a credit report. If the answer is “yes,” review the report to find out if a thief has misused your child’s name. For additional guidance, go to the FTC’s “Child Identity Theft” page, which has contact information for the credit reporting agencies and tips if a child’s identity has been stolen, including how to place a fraud alert in a credit report that can minimize future damage.
The FTC adds that it is generally a good idea for parents to conduct this review of credit reports close to a child’s 16th birthday. Doing so allows time to fix errors or other problems before he or she might want to apply for a loan or a job.
Courtesy of FDIC Consumer News