Protecting Yourself Against Identity Theft
Set up strong passwords
- Choose combinations of upper- and lower-case letters, numbers and symbols that are hard for a hacker to guess.
- Do not use your birthdate, address or names a hacker may easily guess.
- Do not use the same password for multiple accounts; if you do, once a hacker guesses your password correctly, he or she will have access to all your accounts.
Monitor your bank account transactions
- Check accounts for fraudulent activity at least once or twice a week. Federal laws and industry practices protect account holders when criminals make unauthorized purchases using stolen payment card numbers or other information in certain situations. For more information, review the FDIC’s article, How Federal Laws and Industry Practices Limit Losses From Cyber Attacks.
Use a designated mobile device or computer for online banking and shopping
- Some individuals purchase an old PC or designate one device for online banking and shopping. Devices are less vulnerable to cyberattacks when they are not used for web surfing, emailing, social media or playing games.
Effectively use anti-virus and security software
- It is important to install and constantly update anti-virus and security software. This includes basic anti-virus programs, as well as program updates. Manufacturers are consistently updating their products and services so they operate as efficiently as possible and incorporate the most up-to-date security technology. Next time a program, even one as basic as Word, offers an update, download it. Please note, you shouldn’t accept updates as they pop up on your computer, because those can be malware or viruses. Instead, you should go directly to the software website, find the appropriate update and download directly from the site.
Be cautious when connecting to the Internet
- A public computer in places like a hotel business center or library may not have up-to-date security software and could be infected with malware. In addition, if you are using a laptop or mobile device for online banking or shopping, avoid connecting it to a public wireless network. Criminals may intercept your device's signal and use it to collect personal information.
If you are a victim of a cyberattack and your identity has been stolen, contact the Federal Trade Commission to report identity theft and get a recovery plan.
For more tips on computer and internet security, watch the FDIC's multimedia presentation Don't Be an Online Victim: How to Guard Against Internet Thieves and Electronic Scams. Also, visit On Guard Online for information from the federal government on how to be safe online. The site includes videos from the Federal Trade Commission on what to do if your email is hacked or if malware attacks your computer.
Protecting Your Business Against Email Compromises
The FBI calls it Business Email Compromise and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” If your business conducts any transaction via wire, you and your company could be at risk.
From January 2015 to June 2016, the FBI reported a 1,300% rise in identified exposed losses. Most of the losses were reported in the United States, and fraudulently transferred funds typically ended up in China and Hong Kong. Unless fraudulent activity is discovered and reported within 24 hours, the chances of recovery are low. Only 4% of funds are ever retrieved.
According to the Verizon 2016 Data Breach Investigations Report, employees and human error are the weakest link in any “IT system.” We recommend educating and training employees on all forms of cyberattacks, as well as asking them to use caution when sharing personal information on social media sites. We recommend educating all employees; however, human resources professionals, IT managers, C-level and senior executives and anyone with finance approval are more likely to be on the receiving end of attacks.
Those involved in large wire transfers are especially susceptible. Many companies have very lax policies when it comes to initiating a transfer. For some, the process is as simple as the CEO picking up the phone and requesting the movement of funds. Cybercriminals fish for information by sending emails to targets. Once successful, they pose as a familiar person and initiate the transfer. If multi-level safeguards are not in place, you may fall victim.
Human resources professionals are also top targets. Typically, they have access to the employee database, which includes sensitive information such as social security numbers and personal information. In addition, they receive resumes from potential applicants. Criminals may include spyware inside a resume or its delivery source, compromising the system.
What Can You Do to Protect Yourself and Your Business?
Know and guard yourself against the common methods of attack, including:
- Phishing emails are sent to many contacts simultaneously to “fish” sensitive information; hackers pose as reputable sources, such as banks, credit card providers, delivery firms, law enforcement and the IRS, to name a few.
- In a more targeted form of phishing, the cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. The email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name or the name of a client.
- Targeting top executives and administrators, criminals attempt to pull money from accounts or steal confidential data. Detailed, personal information about the executive and the business has been obtained prior to execution of this method.
- The three previous techniques fall under the broader category of social engineering. Social engineering in this application is the manipulation of people to trick them into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.