Keep Your Dollars Safe from Fraud in 2024

About the Episode

According to The Motley Fool, credit card fraud is still the top concern, with roughly 426,000 cases of credit card fraud reported to the FTC in 2023. While these crimes can be incredibly frustrating to deal with, staying informed is key to keeping your dollars safe. In this episode, Cristina and Randy are chatting with Lee and Paul, IT Network Services Manager and IT Security Engineer at Addition Financial Credit Union.


 

Common Scams

7:47

Randy asks Question 1: “So Paul, what are some of the most common types of scams that we should be watching out for this year?”

Paul responds: “Phishing is always the biggest one. So, email-based phishing attacks where people are sending you messages, either trying to stir up your emotions, make you feel like you won some sweepstakes, or offering you money. They’re going to get better because of AI. Before, some of the guidance was to look for misspelled words, look for improper English. But with AI, you have to be more vigilant. And it's really anything really that's trying to trigger emotions or make you feel like you want something or you have to do something quickly. You want to pause and think.”

Red Flags 

9:25

Cristina asks Question 2: “Lee, what kind of red flags should we look out for?”

Lee responds: “I would say a couple of things. One: are you expecting it? Are you expecting that text from UPS or the post office saying that your shipments are late and you need to click here to make sure it gets delivered? Well, if you're not, that's phishing, or smishing. Smishing is SMS phishing.”

Lee follows up: “They want you to click on the link or they want you to click on an attachment. There's almost always a financial angle to these types of things. They want to get your money. They want to figure out how to build that trust. And so one of the ways of doing that is by using reputable brands out there like UPS, FedEx, Amazon, you name it. Or maybe they try to pretend that they're a pharmacy and your prescription is running late. So, you log in, you give some health information, and they can use that eventually in the future as well.”

Lee follows up: “Worst case scenario is that if you click on a link, there could be a malicious payload that it downloads to your computer or to your device that then allows them to have access to your machine. Maybe a little bit less malicious, it could take you to a login page that looks like your email login, or let's say a fake Walgreens login page. You go log in, and now the hackers actually have your username and password for that page. And then what they do is redirect you to the real page, and pass those usernames and passwords to the real page. Now, you're in and you're none the wiser, because you don't really realize what happened there.”

Lee follows up: “So the easiest way to really inspect that, let's say if it's a phishing email, is to look at the URL, and look at the link that's in there. Take your mouse, hover over it, look at that link. If it says it's from Amazon, does it say in that URL amazon.com? Or does it look like something else is in there? Does it say walgreens.com? Look at that information. That’ll be one of the biggest indicators of knowing if that's a real email or a phishing.”

Password Management

12:17

Randy asks Question 3: “Paul, what do you think are the safest ways to manage your passwords and sensitive financial information online?”

Paul responds: “Nowadays, you really have to be using a password manager. Some of the most important recommendations are, don't use the same password for every single site that you have. Once you get a compromised one, then they've got it for all of your stuff. So, not being able to use the same password for every site means you have to remember a lot of passwords. And you need to make them strong so they're not easily guessed.”

Paul follows up: “In this day and age, you're looking for making a sentence or some words for a strong password. Something that you can't really guess, that's going to take a computer a lot of time to hash away at before they can figure out what you might have used. Because of that, password managers are key so you're not forgetting all your passwords and resetting every time.”

Paul follows up: “They’ve got apps for the phone and for the computer. LastPass is a really popular one that a lot of people use. You create an account and it creates a database that you will then log into with a very strong password. You’ve got to pull out all the stops, something huge.”

Paul follows up: “It’s an encrypted database that will enter the password into the website. It stores all that for you. A lot of them integrate with your web browser or your phone, like Apple has its own built in. You would put in your password to unlock the safe, and then it would load that in for you. Or you could pull it out and put it in yourself in a lot of different ways to utilize them. But it's basically a vault that you have the keys to that contains all of your logins.”

Randy asks: “What is multi-factor?”

Paul responds: “Multi-factor authentication. You give your username, then you provide your password. Then, you're going to do a second form of authentication. The best is to have an app, like Google Authenticator or Microsoft Authenticator. You configure that with the service you're using to send you a code or pop up that says, ‘Hey, you're trying to log in. Is this really you?’ You either say yes, or you have to match a code up between the site and your app and put that code in the site. That’s your second form of authenticating. It's always going to be on a device that you have available, usually the phone. Then it will let you in. So, even if they get your password and they try to log in there, unless they have your phone, they’re going to get stopped at that second factor.”

Lee follows up: “Another thing with the password managers that’s really good is, when you put your passwords in there and it's managing it for you, it actually will come up if there's a data breach at one of the many websites you go to. It will warn you and say, ‘This site has had a data breach and your password may be or is compromised.’ It’ll warn you of that to make sure that you go and change that password and make sure that your information is then safe.”

Cristina asks: “How do you know if a password manager is a good one?” 

Lee responds: “You want to look up a listing from a reputable company. Then, take those recommendations and go and pick one and use it. Most of the ones have free trials or free versions of the product you can use. So, you can see what works for you, what you like, and then you can pay for it, or just use the free version of that. Part of that is avoiding the unknowns, because you could click on, let's say, an application that is not real. Maybe it's a malicious website with a malicious application, and then you are handing them your password by doing it that way. So you want to follow avenues that you trust before you hand over that information.”

Checking for Fraud

19:01

Cristina asks Question 4: “How often should we be checking our accounts? Can you give us some suggestions on how to make sure we can catch fraud really quickly?”

Lee responds: “I would say the more often the better. Depending on what you're using and where the fraud is happening, if it's a credit card versus a debit card, you have different avenues of protecting yourself. A credit card, you're going to have the most protection, because if something happens, you have a little bit more time to dispute that. And generally with a credit card, if you dispute it, you can get your money back right away. They'll take it off your account and they'll kind of do that work for you. If it's a debit card, you have a lot more that you have to prove that this was truly malicious or a scam. Generally, it takes a lot more to get that money back. In the meantime, your bank account could have that money withdrawn while that dispute happens. So it’s advantageous, if you're doing any kind of purchases online, to use a credit card, not your debit card.”

Lee follows up: “The more often you can check your bank account, the better. I would say daily - weekly at a minimum. If you can, set up alerts that notify you when there is a transaction. Is there a transaction outside the United States? Is there a transaction over a certain dollar amount? Those are types of things you want to be looking for, because those are things that a threat actor would do. And you want to be alerted.”

Helpful Resources

20:58

Randy asks Question 5: “Paul, what resources are available if we need to report something that looks like a suspected scam or fraud?”

Paul responds: “The Department of Justice has an excellent resource site and it actually lists out the many different types. So consumer fraud, they recommend you reach out to the FTC, Federal Trade Commission. Medical fraud, the Health and Human Services Department. Internet fraud, there’s the Internet Crime Complaint Center. So they list all those out, websites and phone numbers. You definitely want to be reporting that. Then, the credit bureaus. If you were a victim of fraud, the recommendation is you want to reach out to the credit bureaus and have a temporary freeze, at least on your credit, while you figure out, you know, how to recover.”

Lee follows up: “All three credit reporting bureaus are required by law to have that as a free option to lock your credit. The only way to really protect yourself is by locking your credit, and only unlocking it for those periods of time when you are doing that big purchase.”

Making It Count Essentials

24:07 

Cristina asks Quick Question 1: “How safe is mobile banking?”

Paul responds: “I would say it's very safe. As long as you're getting your app from a reputable source. They use the same encryption methods as modern computers. A lot of times I would even go as far as to say they might be a little bit safer, because it's a lot harder to compromise a mobile phone than it is a personal computer.”

 

25:04

Randy asks Quick Question 2: “Lee, can you give us some quick tips for spotting phishing emails?”

Lee responds: “Look at the ‘from’ address. Sometimes it'll obfuscate the ‘from’ email address. So you might actually have to click on the name. So let's say if it says ‘Randy Mills,’ then you've got to click on that and it'll actually say the real email address. And that's when you'll see maybe it's not actually coming from Randy's email address. It's coming from something that looks a little bit different. So that's one way to spot if the email address looks wrong. Different domain.”

Lee follows up: “Another one is if it’s coming from someone you weren't expecting an email from, and they want you to maybe pay this invoice or look at this attachment. If you're not expecting it, don't click on it. Don't open up the attachment. Oftentimes, that is a way to infect your computer and get access to it.”

 

25:59

Cristina asks Quick Question 3: “Lee, is it ever okay to give someone your Social Security number over the phone?”

Lee responds: “It is okay to do that with this one main caveat. Make sure you're the one that made the phone call to the correct phone number, and you're talking to the right people. If I receive a phone call and I know for sure I'm talking to, let's say, my doctor's office and I already know the phone number and I know the person I'm talking to, that would be okay. But if I receive a phone call out of the blue and they say they're my bank, they're my doctor's office, they’re my 401K company, I don't trust that. I'm going to hang up that call, and I'm going to call that company and I'm going to talk to someone there. Then I know I'm actually talking to the person from that company. And that goes for all sorts of confidential information, not just Social Security numbers.”

 

27:09

Randy asks Quick Question 4: “Paul, are there any anti-fraud tools that we should be using?”

Paul responds: “Yes. Nowadays, a lot of the phone carriers are offering, most of the time, free apps that will help identify phone calls, sometimes text messages, that they would consider spam. So when it comes in on your phone, it's already labeled as spam, phishing, or telemarketing. Depending on your carrier, some of them require you to download an app, others just give that to you for free and you just see it in the caller ID. Check to make sure that you have that enabled.”

Paul follows up: “Specific to the iPhone, they have a couple other features that I think are really cool. So if you get a text message from an unknown number, you have the ability to change the way that your text message app presents that to you too. So you'll have a different screen. You have to purposely go and click on it, and you'll see all the messages from numbers that are not a contact. That way it keeps it out of the immediate view, and you can react differently in the message preview. I would recommend people to turn it on.”

Paul follows up: “They also have the ability for unknown numbers to just ring silent. You won't actually get the call. They'll think it's ringing and then they'll go to your voicemail. You'll never see it. If it's truly something, someone that wants to get in contact with you, they'll leave a voicemail. Then you can call them back. If it's a scammer, they're usually not going to leave a voicemail. So right there, you just ignore the call. And I think Android's got some similar things.”

 

33:38

In this episode, Cristina and Randy shared a post from Addition Financial’s blog: What to Do If You Spot Fraudulent Activity and Transactions. This guides victims of fraud on their next steps.

 
