Resources | Addition Financial Credit Union

Episode 3: Preventing ID Theft & Fraud During a Pandemic

Written by Addition Financial | May 8, 2020

On this episode of Making it Count, hosts Cristina and Will learn strategies to prevent identity theft and fraud during the COVID-19 pandemic with expert guests Kevin Schmick and Brian Stevens from the Network Security Services department at Addition Financial. They cover the common scam red flags so listeners can spot and avoid malicious attacks and keep their finances secure.

 

          

 

Guest Interview

5:00

Will asks Question 1: “Let’s jump right into our first question. I’ve read a few articles recently that have mentioned an increased risk of fraud due to the COVID-19 pandemic. Is that something we should be worried about?”

Kevin answers: “Unfortunately, yes. Since the 2008 financial crisis, fraud has been up. Especially recently, with the COVID-19 pandemic, there are a lot of scams out there – phishing and smishing. We had a smishing attack last week where Addition Financial members were receiving text messages with malicious links, which you don’t want to click on.”

Brian also answers: “This situation we are in with the pandemic is like Christmas for criminals. They know you are not going to be able to concentrate or be as vigorously watching emails and protecting yourself because your mind is distracted with everything that’s going on.”

Kevin follows up: “And they’re feeding off people’s fear right now.”

6:15

Cristina asks Question 2: “These criminals seem to also be feeding off of people’s goodwill as well because I’ve heard a big thing called charity scams. So what are those?”

Brian answers: “They are basically false charities where people try to get you to donate money that is not going to a charity – it’s going straight to their pockets. Unfortunately the people out there performing these acts can very easily trick people into sending them money. For example, one that I’ve actually gotten recently was one from the IRS asking me to fill out direct deposit information. Which the IRS would never, ever send you an email like that. It’s rampant right now to be honest with you.”

7:40

Will asks Question 3: “What’s the best way for people to determine whether a donation request is legitimate?”

Kevin answers: “Well first, when a request comes in that you think is a scam or phishing email, just go ahead and delete it. If you’re unsure, look for a phone number in the email and give it a call. Or verify the charity online using one of the many resources available that helps people determine legitimate charities from scammers. Personally, before I donate, I’ll go online and get their contact information to call and verify the charity.”

Cristina asks a follow-up question: “What are the different resources we can use to tell if a charity is legitimate?”

Kevin answers: “Some of the ones I use are the BBB Wise Giving Alliance, Charity Watch, Charity Navigator and GuideStar.”

8:55

Cristina asks Question 4: “Now you both have been using some strange words to describe these scams. What is phishing and how can we protect ourselves?”

Brian answers: “In security we have the best terms ever – phishing, vishing, smishing, smurfing. Phishing is email attacks, vishing is voice or phone attacks, smishing is SMS or texting attacks, and smurfing is bluetooth attacks. Phishing is the most common and has been around for a while, while I’ve recently noticed an uptick in smishing during the COVID-19 breakout. I’ve personally gotten one or two smishing texts per week recently. They come from an unknown number and will just have a link in it – don’t click it!”

Cristina asks a follow-up question: “So what happens if we click the link? Can the hackers take over our phone?”

Brian answers: “The link could take you to a website that is malicious or it could actually open up a payload on your phone if you have automatic downloads. That means it will open a file and execute it without your permission. In today’s age we are transitioning to having everything on our phones, even our most personal information. So criminals and hackers are definitely targeting mobile devices a lot more now.”

Cristina asks another follow-up question: “So what are things I can look for when I get a suspicious email?”

Brian answers: “The very first thing you should look for is the sender – the From address. If you don’t recognize who it’s from, then don’t open it. If you do recognize the sender (or at least think you do), there are other indicators. The obvious one being spelling and grammar. Emails that are legit and sent through companies are usually proofread before being sent out. So if you see strange mistakes in the email, there’s a good chance it’s a phishing email. Also links and attachments. Unless you are expecting these from someone, you shouldn’t be receiving them. If you’re not expecting it, the email could be spam or phishing.”

Cristina asks another follow-up question: “What’s the difference between spam and phishing emails?”

Brian answers: “Spam is just garbage marketing emails.”

Keven also answers: “Phishing emails have the goal of stealing your personal information – passwords, bank account information, Social Security number, etc.”

12:55

Will asks Question 5: “What do we do if we suspect an email to be phishing?”

Brian answers: “Outlook has what’s called the Preview tool, where you can see the email message without opening the actual email. Most email platforms have this feature. You can ‘preview’ the email using this tool to further determine if it is phishing and understand the content of the message. And if you still think it’s phishing, just delete the email. If it’s someone that needs you and is legit, they will reach out to you again.”

Kevin also answers: “We have protections for our employees at Addition Financial that help fight against spam and phishing emails, but you can use filters in your personal email account at home. Most platforms let you lock down your account to only receive emails from people in your contact list – that will filter out 99% of your junk and phishing emails. It’s also a great idea to have multiple email accounts: one that you keep secure and personal for important information, accounts and communications, and another for external use at retailers and social media sites.”

15:15

Cristina asks Question 6: “What if I get an email from a name I recognize, but still looks suspicious – can scammers impersonate people in my contact list?”

Brian answers: “Absolutely. It may take them longer to get that information, but their goal is to get as much information as possible to pose as someone else and make you believe it. The more information they have about you, the easier that job becomes.”

Kevin also answers: “Exactly. Another tactic hackers use to steal your information is to change your forwarding rules after they gain access to your email. Most of us don’t check these settings on a regular basis, so we have no idea they are sitting there watching and waiting for sensitive information to come through to our inbox. They get an exact copy of every email, so that when, for example, a wire transfer email comes to us, they can interject and hijack the communication.”

Cristina asks a follow-up question: “Something I’ve always wanted to know is, when you get an email from a marketing list that has an unsubscribe link, should you click that link or just delete the email?”

Brian answers: “Just delete it. That unsubscribe link could be where the hacker hides the malicious link. The best thing to do is to create a forwarding rule that forwards it straight to your junk mail or the recycle bin.”

Kevin also answers: “The other option is to find the company’s contact center or support email address and send them an email asking to be removed from the marketing list. It’s safer because you are initiating the communication.”

17:40

Will asks Question 7: “What about protecting our devices? A lot of us store information on our phones, tablets or laptops.”

Kevin answers: “I personally have antivirus software on all my devices – those are technical controls that we use to mitigate the risks. But at the end of the day it really is all about user awareness.”

Brian also answers: “Yeah, the problem is that these phishing emails are designed to go around all your security controls. If you open one of these emails, you are allowing the hackers to come in around your antivirus software.”

19:40

Cristina asks Question 8: “I’ve been wondering about my passwords. With so many of us working from home, is there a benefit to changing passwords more frequently?”

Brian answers: “There are a lot of different schools of thought around password management. Some experts recommend changing passwords all the time, while others recommend creating such a difficult, long password that no one will ever guess it. One tip is to never write down your passwords. If you can’t remember your passwords without writing them down, then you should probably come up with a new system for creating passwords.”

Cristina asks a follow-up question: “So how do we do that when there are so many requirements for strong passwords and I need a different one for each account?”

Brian answers: “Personally, I like using what we call passphrases. So think of a sentence about something you love in life – you could make that a password. That would make it over 100 characters, which is never going to be hacked – unless you write it down!”

Kevin also answers: “Yeah, passphrases are the way to go. They are easier to remember and much longer than typical passwords. This means it will take hackers much longer to use the tools out there to crack your password.”

Cristina asks another follow-up question: “Are there any other things we should or should not use as passwords?”

Brian answers: “There are many lists out there that detail out commonly used passwords that hackers will grab and put into software that tries to break your password automatically.”

Kevin also answers: “Another bad practice is using the same password for multiple accounts. So if a hacker gets your email password, they could use it on your bank account if you use the same password.”

Brian follows-up: “There are some free and paid password vaults you can use. This type of software saves all your passwords and uses one master password to access it.”

23:25

Will asks Question 9: “What about credit freezes? Is it worth doing something like that, or is that too extreme?”

Kevin answers: “If you know you’re not going to be opening up any new accounts in the next 6 months or so, I would highly recommend freezing your credit. This is a preventative measure to protect yourself so criminals can’t open up accounts in your name. You just have to remember to freeze your credit at all three credit bureaus – Equifax, Experian and TransUnion.”

Making it Count Essentials

25:20

Cristina asks Quick Question 1: “I read something recently about debt collection scams. What should our listeners know?”

Kevin answers: “They should be wary of any debt collector who refuses to disclose information about the debt, doesn’t follow up with a written notice or makes threats about telling other people about the unpaid debt. And never give money via a prepaid card or money transfer.”

25:50

Will asks Quick Question 2: “What other scams and fraud attempts should people be aware of?”

Brian answers: “Right now people just need to keep their head on a swivel because it’s coming from every direction you can think of. The phishing emails, the call scams, the IRS scams, those are hot right now. But anyone contacting you and asking for information should not be happening. If they are legit, they should already have your information. Be wary and ask questions.”

26:35

Cristina asks Quick Question 3: “Normally people can get a free credit report from each bureau once a year, but that’s changed, hasn’t it?”

Kevin answers: “AnnualCreditReport.com is allowing people to pull their credit report from each bureau once per week for the rest of the year. You should also check out Credit Karma.”

27:05

Will asks Quick Question 4: “What about working from home? Does that open people up to new threats?”

Brian answers: “It does. Now you’re spending all your time at home connecting to your personal and work accounts and there’s just more going on. Everyone has more distractions trying to work from home and the atmosphere is more lax than at work. So you might not follow the same security practices and procedures that you would in the office. You should try to take those procedures and practice them at home.”

27:50

Cristina asks Quick Question 5: “Final question. If you could give just one piece of advice about avoiding scams during the pandemic, what would it be?”

Kevin answers: “The biggest piece of advice we could give is to just be aware. Take a close look at all the communications you’re receiving and don’t be afraid to ask questions. And if it seems too good to be true, it usually isn’t true.”

The Sum Up

29:30

The Federal Trade Commission has decided to raise awareness about potential fraud during the pandemic by jumping on a recent trend and creating a scam bingo card for people to share on social media.

This is such a good idea, if only because it raises awareness about some of the kinds of scams people may see, including offers related to COVID-19 as well as perennial scams about problems with your Social Security Number or student loans.

While we don’t want to make light of fraud, we do think that there’s a real benefit to providing consumers with a tool that can help them be more aware of potential scams. It’s normal to be concerned when someone sends you an email about your personal finances, but recognizing common frauds is more than half the battle when it comes to avoiding them.

How to Make it Count

32:40

At the end of every episode, we like to leave our listeners with a resource to help them manage their money. Today’s is “The Essential Credit Card Fraud Prevention and Detection Guide,” which you can find here. In this guide, you’ll learn everything you need to know about protecting yourself from credit card fraud.

Addition Financial will also be hosting a live webinar on this same topic on May 20th at 6 p.m. You can reserve your spot by clicking here. They also share the webinar recordings on their YouTube page, which you can find here if you aren’t able to make the live presentation.

They also have a very helpful security center if you’d like to learn more about protecting your identity and finances.