Keep your finances safe and secure
Northrop Grumman Federal Credit Union is always mindful of keeping you informed about threats to your financial privacy. Here’s how you can protect yourself from and remedy costly intrusions.
Offers of free money from government grants are scams. Someone might offer you a grant to pay for education, home repairs, home business expenses, or unpaid bills. But they’re all scams. Here’s how to avoid a government grant scam, and how to report it.
How Government Grant Scammers Try to Trick You
Scammers reach you in lots of ways. You might see ads online for (fake) government grants. Scammers might call you, but use a fake caller ID so it looks like they’re calling from a federal or state government agency. Some send texts or emails, saying you may qualify for free money from the government.
Scammers make big promises. They might say you can use this so-called free money or grant to pay for education, home repairs, home business expenses, household bills, or other personal needs.
Scammers try to look official. Besides faking their phone number, they’ll pretend they’re with a real government agency like the Social Security Administration. Or, they’ll make up an official-sounding name of a government agency, like the Federal Grants Administration, which doesn’t exist.
Scammers ask you for information or money. Government grant scammers might start by asking for personal information, like your Social Security number, to see if you “qualify” for the grant (you will). Then they’ll ask for your bank account information — maybe to deposit “grant money” into your account or to pay for up-front fees. But sometimes, scammers will ask you to pay those fees with a gift card, cash reload card, money transfer, or with cryptocurrency. And that’s always a scam.
Scammers try to be convincing. They might even promise a refund if you aren’t satisfied. But that’s a lie. Once you give your bank account information, or pay fees, your money will disappear. And, you’ll never see the grant they promise.
What to Know About Government Grants
The government won’t get in touch out of the blue about grants. It won’t call, text, reach out through social media, or email you. It won’t offer you free government grants of any kind, much less grants to pay for home repairs, medical costs, or other personal needs. Real government grants require an application, and they’re always for a very specific purpose. Learn more (for free) at grants.gov.
Never share your financial or personal information with anyone who contacts you. Government agencies will never call, text, message you on social media, or email to ask for your Social Security, bank account, or credit card number. In fact, no matter who they say they are, don’t give out that information. Once a scammer has your information, they can steal money from your account, or your identity.
Don’t pay for a list of government grants — and don’t pay any up-front fees. The only place you can find a list of all available federal grants is at grants.gov. And that list is free. No government agency will ever contact you to demand that you pay to get a grant. And no government agency will ever ask you to pay with a gift card, cash reload card, by money transfer, or with cryptocurrency. Not for a grant, and not ever.
If you paid a scammer, act quickly. If you think you’ve sent money to a government impersonator like one of these grant scammers, contact the company you used to send the money. Tell the gift card, money transfer, or cryptocurrency company that it was a fraudulent transaction. Then ask them to reverse it.
What To Do If You Paid A Scammer
Scammers often ask you to pay in ways that make it tough to get your money back. No matter how you paid a scammer, the sooner you act, the better. Learn more about how to get your money back.
Report Government Grant Scams
When you report a scam, the FTC can use the information to build cases against scammers, spot trends, educate the public, and share data about what is happening in your community. If you spotted a scam, report it to the FTC at ReportFraud.ftc.gov.
Warning over mysterious hackers that have been targeting aerospace and defense industries for years
An unknown criminal hacking group is targeting organizations in the aviation, aerospace, defense, transportation and manufacturing industries with trojan malware, in attacks that researchers say have been going on for years. Dubbed TA2541 and detailed by cybersecurity researchers at Proofpoint, the persistent cyber-criminal operation has been active since 2017 and has compromised hundreds of organizations across North America, Europe, and the Middle East.
Despite running for years, the attacks have barely evolved, broadly following the same targeting and themes in which attackers remotely control compromised machines, conduct reconnaissance on networks and steal sensitive data.
"What's noteworthy about TA2541 is how little they've changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans," said Sherrod DeGrippo, vice president of threat research and Detection at Proofpoint.
"This group is a persistent threat to targets throughout the transportation, logistics, and travel industries."
Attacks begin with phishing emails designed to be relevant to individuals and businesses in the sectors being targeted. For example, one lure sent to targets in aviation and aerospace resembles requests for aircraft parts, while another is designed to look like an urgent request for air ambulance flight details. At one point, the attackers introduced COVID-19-themed lures, although these were soon dropped.
While the lures aren't highly customized and follow regular templates, the sheer number of messages sent over the years – hundreds of thousands in total – and their implied urgency will be enough to fool victims into downloading malware. The messages are nearly always in English.
TA2541 initially sent emails containing macro-laden Microsoft Word attachments that downloaded the Remote Access Trojan (RAT) payload, but the group has recently shifted to using Google Drive and Microsoft OneDrive URLs, which lead to an obfuscated Visual Basic Script (VBS) file.
Interacting with these files – the names of which follow similar themes to the initial lures – will leverage PowerShell functions to download malware onto compromised Windows machines.
The cyber criminals have distributed over a dozen different trojan malware payloads since the campaigns began, all of which are available to buy on dark web forums or can be downloaded from open-source repositories.
Currently, the most commonly delivered malware in TA2541 campaigns is AsyncRAT, but other popular payloads include NetWire, WSH RAT and Parallax.
No matter which malware is delivered, it's used to gain remote control of infected machines and steal data, although researchers note that they still don't know what the ultimate goal of the group is, or where they are operating from.
The campaign is still active, and it's been warned that the attackers will continue to distribute phishing emails and deliver malware to victims around the world.
QR codes are useful shortcuts to online resources via a phone's camera, but scammers are now tampering with them to direct victims to phishing pages, cryptocurrency scams and more. According to a report from the FBI, QR codes can also load malware to steal financial information and then withdraw funds from victim accounts.
According to the FBI, the overall advice to avoid falling victim to a QR code scam is to exercise caution when entering information from a website accessed via a QR code. This is especially true for a QR code that directs you to a site that you have no previous experience with.
Here are a few of the FBI's specific tips to avoid QR scams for smartphone users:
- Do not scan a randomly found QR code.
- Be extra cautious about QR codes found in public places. Look for signs of tampering such as labels placed on a poster or a QR code that doesn’t fit the original sign layout.
- Check the URL after scanning a QR code to be sure it is the site you expected.
- If a site looks different than what you expected, leave the site immediately.
- Be careful when entering credentials or financial information on a site visited via a QR code.
- Avoid downloading an app from a QR code and instead use an official app store to download.
- If an organization emails you a bill that allows payment through a QR code, call the organization to verify its authenticity.
- Don't download a QR code scanner because most smartphones have one built into the camera.
- Avoid making payments through a site navigated to from a QR code unless you are familiar with the site. Instead, manually enter a known and trusted URL to complete the payment.
As always, if you feel your financial information has been compromised, call NGFCU immediately at 800.633.2848. NGFCU has 24/7/365 personal service to assist you with any concerns.
Source: https://www.consumer.ftc.gov/articles/gift-card-scams (May 2021)
Someone might ask you to pay for something by putting money on a gift card, like a Google Play or iTunes card, and then giving them the numbers on the back of the card. If they ask you to do this, they’re trying to scam you. No real business or government agency will ever insist you pay them with a gift card. Anyone who demands to be paid with a gift card is a scammer. Read on to learn more about gift card scams.
What Gift Card Scams Look Like
Gift cards are for gifts, not for payments. But they’re popular with scammers because they’re easy for people to find and buy, and they have fewer protections for buyers compared to some other payment options. They’re more like cash: once you use the card, the money on it is gone. Scammers like this.
If someone calls you and demands that you pay them with gift cards, you can bet that a scammer is behind that call. Once they have the gift card number and the PIN, they have your money. Scammers may tell you many stories to get you to pay them with gift cards, but this is what usually happens:
- The caller says it’s urgent. The scammer says you have to pay right away or something terrible will happen. But you don’t, and it won’t.
- The caller usually tells you which gift card to buy. They might say to put money on an eBay, Google Play, Target, or iTunes gift card. They might send you to a specific store — often Walmart, Target, CVS, or Walgreens. Sometimes they say to buy cards at several stores, so cashiers won’t get suspicious. And, the caller might stay on the phone with you while you go to the store and load money onto the card. These are all signs of a scam.
- The caller asks you for the gift card number and PIN. The card number and PIN on the back of the card let the scammer get the money you loaded onto the card. And the scammer gets it right away.
How Scammers Convince You to Pay with Gift Cards
Scammers pretend to be someone they’re not to convince you to pay with gift cards. They want to scare or pressure you into acting quickly, so you don’t have time to think or talk to someone you trust. Here’s a list of common gift card scams and schemes:
- The caller says they’re from the government — maybe the IRS or the Social Security Administration. They say you have to pay taxes or a fine, but it’s a scam.
- Someone calls from tech support, maybe saying they’re from Apple or Microsoft, saying there’s something wrong with your computer. But it’s a lie.
- You meet someone special on a dating website, but then he needs money and asks you to help him. This romance scammer makes up any story to trick you into sending him gift cards.
- The scammer pretends to be a friend or family member in an emergency and asks you to send money right away — but not tell anyone. This is a scam. If you’re worried, hang up and call your friend or relative to check that everything is all right.
- Someone says you’ve won a prize but first, you have to pay fees or other charges with a gift card. Remember: no honest business or agency will ever make you pay with a gift card. But also — did you even enter that sweepstakes?
- The caller says she’s from your power company, or another utility company. She threatens to cut off your service if you don’t pay immediately. But utility companies don’t work that way. It’s a scam.
- You get a check from someone for way more than you expected. They tell you to deposit the check, then give them the difference on a gift card. But that check will be fake and you’ll be out all that money.
What to Do If You Paid a Scammer with Gift Cards
If you paid a scammer with a gift card, tell the company that issued the card right away.
Contact information for popular gift card companies
Amazon
- Call 1 (888) 280-4331.
- Keep the Amazon card itself and your receipt for the Amazon card.
- Learn about Amazon gift card scams and how to report them. Click on “Contact us.”
eBay
- Chat with eBay customer support, or have a representative call you back.
- Keep the eBay gift card itself and your receipt for the eBay gift card.
- Learn more about scams using eBay gift cards and how to report them.
Google Play
- Report the gift card scam to Google.
- Keep the Google Play card itself and your receipt for the Google Play card.
- Learn about Google Play gift card scams and how to report them.
iTunes
- Call Apple Support right away at 1 (800) 275-2273. Say “gift card” to connect with a live representative.
- Ask if the money is still on the iTunes card. If so, Apple can put a freeze on it. You might be able to get your money back from them.
- Keep the iTunes card itself and your receipt for the iTunes card.
- Learn about iTunes gift card scams and how to report them.
Steam
- If you have a Steam account, report gift card scams online. Click the “Purchases” option, then click, “I have charges from Steam that I didn’t make.” Then click, “Contact Steam Support.”
- Keep the Steam card itself and your receipt for the Steam card.
- Learn about Steam gift card scams.
Target
- Call Target GiftCard Services at 1 (800) 544-2943.
MoneyPak
- Report gift card scams to MoneyPak.
- Keep the MoneyPak card itself and your receipt for the MoneyPak card.
- Learn about MoneyPak gift card scams.
Don’t see your card on this list? Look for the company’s contact information on the card itself, or do some research online to find out how to reach the card issuer. If you can’t find the contact information or the card issuer doesn’t want to talk to you, report it to the FTC.
Safely Buying and Using Gift Cards
Remember that gift cards are for gifts, not for payments. So if you buy gift cards to give away or donate:
- Stick to stores you know and trust. Avoid buying from online auction sites because the cards may be fake or stolen.
- Check it before you buy it. Make sure the protective stickers are on the card and that they do not appear to have been tampered with. Also check that the PIN number on the back isn’t showing. Get a different card if you spot a problem.
- Keep your receipt. This, or the card’s ID number, will help you file a report if you lose the gift card.
If someone asks you to pay them with gift cards:
- Report it to the Federal Trade Commission at ReportFraud.ftc.gov. Report it even if you didn’t pay. Your report helps law enforcement stop scams.
- You can also report it to your state attorney general.
- If you lost money, also report it to local law enforcement. A police report may help when you deal with the card issuer.
With the popularity of online dating apps and social networking sites, scammers have found another way to steal money from people. Here are a few tips to avoid losing money to an online romance scammer:
- Never send money to someone you have not met in person.
- If the person asks for money for any reason, stop communicating with the person immediately.
- Do an online search for the type of job the person has. Many romance scams have similar job stories such as “oil rigger scam” or “US Army scammer”.
While these tips are very sensible, be aware of these scams for your own family members, especially younger adult members of your family that are using online networks to meet new people. If something a family member tells you about their new online romance sounds suspicious, speak up!
Family Emergency Scams
These scams can happen online, via text or on the phone. A scammer contacts you and tells you they are a close friend of a family member or a family member that you have little contact with. They will tell you that someone in your family needs your help. Stories like “your brother is in jail and needs bail money” or “your cousin’s car broke down and they need money to stay in a hotel”. The stories are endless.
The scams always include an urgent request for money and the scammer will play to your emotions to help a family member. The scammer will also ask you to keep the emergency a secret. If you receive a call or text with this type of request, here are a few tips:
- Do not send any money immediately.
- Hang up immediately and then contact the family member that is “in trouble” using the contact information you have. Do not use the contact information possibly provided by the scammer.
- Reach out to another family member that can verify the emergency.
As with romance scams, most of these tips make perfect sense and many are unlikely to ever fall victim to these scammers. However, it is good to talk to your family members about these scams. Grandparents can be particularly vulnerable if the scammer pretends to be a grandson or granddaughter. The request of “please don’t tell Mom or Dad” will keep the scam a secret and some grandparents may be reluctant to admit they have been scammed.
While the thought of these scams is unpleasant, share these tips with your family.
And always, report the scam to the FTC at www.ReportFraud.ftc.gov. This reporting can help others before they fall victim to one of these scams. If you believe a scammer has gained access to your NGFCU accounts, notify us immediately at 800.633.2848.
The holiday shopping season isn't just a big season for consumer spending. It's also a peak time of year for fraud. And while fraud unfortunately happens year-round, it is particularly common around the holidays. With the significant increase in online shopping, consumers need to be extra vigilant about cybersecurity at this time of the year.
Here are some tips to avoid fraud during the holidays (and all year):
- Use unique passwords. If you do not want to create unique passwords for every website you use, at least create unique ones for your online banking profile, PayPal account, credit card account, and other accounts linked to your financial information. And in all cases, do not use the same password for multiple financial accounts.
- Use a secure network when shopping online. Do not make online purchases when using a public or unsecured WiFi.
- Only shop from sites or stores you trust. Verify that you are on a store's actual website and trust your gut if something seems suspicious. Do not go to a site by clicking on an ad you received via e-mail or social media. Look at the name of the company and go directly to their site.
- Use a debit or credit card with anti-fraud features or fraud alerts like Mastercard® or Visa®. These features can help you catch and stop unauthorized transactions before they’re approved by your financial institution.
- Monitor your credit card and banking accounts frequently. With online account access, daily monitoring is easy to do. Report any fraudulent or questionable charges as soon as you notice them. Set up email or text alerts on your credit and debit cards so you receive notice of any purchase or transaction immediately. If you don’t recognize the transaction, contact your issuer immediately.
- Keep your devices up to date with software, browser and app updates. Fraud prevention technology is constantly improving, which means most software updates include security fixes that address new vulnerabilities.
- Never give your financial or personal information over the phone to someone who initiated the call. Only give information on a call that you placed, and only when you are sure you are speaking with the intended company.
- Be careful who you trust your login information to, even if it is a close friend or relative.
NGFCU is available 24/7/365 if you suspect any fraud on your account. Call 800.633.2848 to report any suspicious activity or if you believe your financial information has been compromised.
With the disruption caused by the pandemic, many people are accessing their employer networks and computers from a remote location. Having the ability to do this is called remote access, and it has become an invaluable tool enabling employees to work from home. However, it is very important to make sure your remote access is secure.
There are several ways to keep your computer and data protected when using remote access. Here are a few tips to help you do just that:
Use Strong Passwords
- Your passwords should be a combination of upper and lower case letters, numbers, and symbols. Each password should be at least 12 characters long. Using a password generator is a simple way to create random passwords. Change your passwords frequently and create a unique password for each account or login. And of course, don’t share your passwords.
Install Software Updates
- Many software updates contain security enhancements or patches. Install updates when they become available to protect your device from new malware or viruses.
Use Antivirus Software
- Install reliable antivirus software and enable auto-updating so it is always up to date.
Enable Your Firewall
- A firewall monitors and filters incoming and outgoing network traffic based on established security protocols. It monitors attempts to gain access to your operating system and blocks unwanted incoming traffic and unrecognized sources. Be sure your firewall is ON.
Use a Secure VPN
- Setting up a secure Virtual Private Network (VPN) means your remote desktop won’t be connected directly to the internet. Instead, your remote desktop will only be exposed to your local network. This limits the vulnerability to outside hackers.
Use Multifactor Authentication
- Multifactor authentication, also called 2FA or MFA, adds another layer of protection to your device and requires more than one kind of credential to sign into or log into an account. Beyond the typical username and password, multifactor authentication requires a unique code that will be sent to you via SMS for verification.
Reports of ransomware scams have been headline news recently. Large companies are being targeted and have become victims of this security threat. Here is valuable information about this type of cyber-crime and how to avoid it.
Malware includes viruses, spyware, ransomware and other unwanted software that gets secretly installed onto your device. Once malware is on your device, criminals can use it to steal your sensitive information, demand payment to unscramble data encrypted by ransomware, and make your device vulnerable to even more malware.
How Malware Gets on Your Device
Malware can get onto your device when you open or download attachments, or visit a fake website. Here are some common ways that your device might get infected with malware:
- Downloading free stuff like illegal downloads of popular movies, TV shows, or games
- Clicking links in fake security pop-ups sent to your computer
- Clicking on ads placed by scammers on websites you visit
- Phishing emails that trick you into clicking on a link or opening an attachment
How To Know if You Have Malware
Look for unusual behavior from your phone, tablet, or computer. Your device might have been infected with malware if it:
- Suddenly slows down, crashes, or displays repeated error messages
- Won’t shut down or restart
- Won’t let you remove software
- Serves up lots of pop-ups, inappropriate ads, or ads that interfere with page content
- Shows ads in places you typically wouldn’t see them, like government websites
- Shows new and unexpected toolbars or icons in your browser or on your desktop
- Uses a new default search engine, or displays new tabs or websites you didn’t open
- Keeps changing your computer’s internet home page
- Sends emails you didn’t write
- Runs out of battery life more quickly than it should
How To Avoid Malware
Scammers try to trick people into clicking on links that will download viruses, spyware, and other unwanted software — often by bundling it with free downloads. Here are ways to avoid malware:
- Install and update security software and use a firewall if available. Set your security software to update automatically.
- Read each screen when you install new software. If you don’t recognize a program, or are prompted to install bundled software, decline the additional program or exit the installation process.
- Get well-known software directly from the source. Sites offering popular software for free are more likely to include malware.
- Pay attention to your browser’s security warnings. Many browsers come with built-in security scanners that warn you before you visit an infected webpage or download a malicious file. Don’t modify your browser’s security warnings. It could weaken the security.
- Instead of clicking on a link in an email or text message, type the URL of a trusted site directly into your browser. Criminals send phishing emails that trick you into clicking on a link or opening an attachment that could download malware.
- Don’t click on pop-ups or ads about your computer’s performance. Scammers insert unwanted software into pop-up messages or ads that warn that your computer’s security or performance needs attention. You might see a warning that says “suspicious activity detected on your computer. Contact a technician now at 888-888-8888.” These are tech support scams. Avoid clicking on these ads if you don’t know the source.
If you believe you may have malware on any of your devices that may have compromised your NGFCU accounts, call us at 800.633.2848 or email firstname.lastname@example.org.
Wi-Fi hotspots in public places are convenient, but often they're not secure. If you connect to a public Wi-Fi network and send information through websites or mobile apps, it could be accessed by someone else.
Here's how you can protect your information when using public Wi-Fi:
- Log in or send personal information only to websites you know are fully encrypted. You can tell if a site is encrypted by looking at the URL. It should start with https, not just http. As you navigate through a site, watch the URL for each page also. Not all pages on a site are encrypted.
- Don't stay permanently signed into accounts. When you've finished using an account, log out.
- Do not use the same password on different websites. It could give someone who gains access to one of your accounts access to many of your accounts.
- Many web browsers alert users who try to visit fraudulent websites or download malicious programs. Pay attention to these alerts, and keep your browser and security software up to date.
- Consider changing the settings on your mobile device so it doesn’t automatically connect to nearby Wi-Fi. That way, you have more control over when and how your device uses public Wi-Fi.
- Use a virtual private network (VPN) if you regularly access online accounts through Wi-Fi hotspots. VPNs encrypt traffic between your computer and the internet, even on unsecured networks. You can get a personal VPN account from a VPN service provider. In addition, some organizations create VPNs to provide secure, remote access for their employees. What's more, VPN options are available for mobile devices too. They can encrypt information you send through mobile apps.
- Learn how to identify and access Wi-Fi networks that use encryption: WEP and WPA are common, but they might not protect you against all hacking programs. WPA2 is the strongest.
- Install browser add-ons or plug-ins. They can help. For example, Force-TLS and HTTPS-Everywhere are free Firefox add-ons that force the browser to use encryption on popular websites that usually aren't encrypted. They don't protect you on all websites, so watch for https in the URL as mentioned above.
- Take steps to secure your home wireless network.
For more helpful information about this topic, take advantage of the free resources provided by the Federal Trade Commission at consumer.ftc.gov.
Scammers, hackers and identity thieves are looking to steal your personal information and possibly your money. But there are steps you can take to protect yourself. Here are a few tips to remember:
Update Your Software. Keep your software – including your operating system, your web browsers, and your apps – up-to-date to protect against the latest threats. Many software updates include improved security. If you have outdated software that you no longer use, delete it from your devices.
Protect Your Personal Information. Every time you are asked for your personal information – whether in a web form, an email, a text, or a phone message – think about why someone needs it and whether the request is legitimate. If someone is requesting your information without any initiation from you, always contact the company directly by going to their website or calling them yourself.
Protect Your Passwords. Here are a few ideas for creating strong passwords and keeping them safe:
- Use at least 10 characters; 12 is ideal for most home users.
- Try to be unpredictable – don't use names, dates, or common words. Mix numbers, symbols, and capital letters into the middle of your password, not at the beginning or end.
- Don't use the same password for many accounts. If it's stolen from you – or from one of the companies where you do business – thieves have access to all of your accounts with the same password.
- Don't share passwords on the phone, in texts or by email.
- If you write down a password, keep it secure, out of plain sight.
Consider Turning On Two-Factor Authentication. Two-factor authentication requires both your password and an additional piece of information to log into your account. The second piece could be a code sent to your phone, or a random number generated by an app or a token. This protects your account even if your password is compromised. If you have the option to activate two-factor authentication, use it.
Give Personal Information Over Encrypted Websites Only. If you're shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address. That means the connection to the site is encrypted and your data is protected as it travels to the server.
Back Up Your Files. No system is completely secure. Copy your files to an external hard drive or cloud storage. If your computer is attacked by malware, you'll still have access to your files.
The Federal Reserve Bank of New York reports that scammers are telling people they can pay their bills using so-called "secret accounts" or "social security trust accounts" and routing numbers at Federal Reserve Banks. In exchange for personal information, like social security numbers, people get what they think is a bank account number at a Federal Reserve Bank. But this really is just a way to get your personal information, which scammers can then sell or use to commit fraud, like identity theft.
It's good to keep in mind that people do not have accounts at Federal Reserve Banks. Only banks can bank at the Federal Reserve. But what happens if you try to use this "secret" account? Well, the Federal Reserve Bank will deny the payment, since you don't really have an account there. Once the payment is rejected, you'll be notified that you still owe the money – which is about when you might figure out that this was a scam. At that point, you may owe a late fee or penalty to the company you thought you were paying. You also may owe fees to your bank for returned or rejected payments.
If you see a video, text, email, phone call, flyer, or website that describes how you can pay bills using a Federal Reserve Bank routing number or account, report it to the FTC. It’s a scam. And remember: never give your credit card, bank account, or social security number to anyone who calls or emails and asks for it – no matter who they say they are.
Our cell phones contain contact information, text messages, e-mail access, auto-filled login credentials and much more. Imagine that your cell phone suddenly stops working: no data, no text messages, no phone calls. Then imagine calling your cellular provider only to discover that your SIM card has been activated on a new device. At this point, you are possibly the victim of a SIM card swap scam.
How the SIM card swap scam works:
- With your cell phone number and personal information like name and address, a scammer can call your cell phone service provider and say your phone was lost or damaged. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone – a phone they own. If your provider believes the story without additional verification procedures and activates the new SIM card, the scammer – not you – will get all your text messages, calls, and data on the new phone.
- Imagine the damage a scammer – who now has control of your number – can do with all your information. Even if you have multifactor authentication (MFA), which requires two or more credentials to log in, enabled on your financial accounts, you are not protected when the verification code arrives by text message: the scammer will receive that message and the code they need to log in.
- Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts. And they could change the passwords and lock you out of your accounts. To say the least, this situation is a nightmare.
How to protect yourself from a SIM card swap scam:
- Don't reply to unsolicited calls, emails, or text messages that request personal information. These could be phishing attempts by scammers to get your personal information. If you get a request for your account or personal information, contact the company using a phone number or website you know is real. Companies you do business with, especially financial institutions, will never ask you to verify your information unless you have reached out to them first.
- Limit the personal information you share online. Avoid posting your full name, address, or phone number on public and social media sites. An identity thief can use it to answer the security questions required to verify your identity and log in to your accounts. This includes those supposedly harmless Facebook posts from friends asking you to name your favorite color, movie, etc.
- Set up a PIN or password on your cellular account. This is a very simple way to add security to your cellular account and can help protect your account from unauthorized changes. Check your provider's website for information on how to do this.
If you're the victim of a SIM card swap scam:
- If you discover that your phone has lost data, text, or call service, contact your cellular service provider immediately to determine if you have been the victim of a SIM swap. Your cellular company should be able to reverse the SIM card swap so you can take back control of your phone number. After you regain access to your phone number, change your account passwords.
- Check your credit card, bank, and other financial accounts for unauthorized charges or changes regularly. If your phone stops working, use another device like a desktop computer or tablet as soon as possible. If you see anything suspicious, report it to the company or institution immediately.
- If you think a scammer has your information – like your Social Security Number, credit card, or bank account numbers – go to IdentityTheft.gov to see the specific steps to take.
If you assume no one cares about your personal email, consider this: your personal email can provide a wealth of information to cyber criminals. Think of all the information that is included in your saved emails – receipts, password resets, links to bank statements and so much more. Not to mention, access to your address book.
Many people also use their email address as the login for financial accounts, online retailers and payment processors. If someone has taken over your email and attempts to log into one of your accounts, they only need to click "forgot password" and the password reset will go to your email, which the cybercriminal now controls. Once the person updates your password, you are locked out and they are logged in.
You might have been hacked if:
- Your email contacts are getting emails or messages you didn't send.
- Your sent messages folder has messages you didn't send, or it has been emptied.
- Your social media accounts have posts you didn't make.
- You can't log into websites you frequently visit such as your online banking or your social media account.
Cyberattackers can also "spoof," or fake, your email address without actually having access to your account. Even so, you'll want to take action, just in case.
If you have been hacked:
- Update your desktop and mobile operating systems, delete any malware and make sure your security software is up-to-date.
- Change your passwords on all of your online accounts.
- Check the advice your email provider or social networking site has about restoring your account if you have lost access.
- Tell your email contacts about the hack so they don't become victims too.
- Consider closing your email account and setting up a new one.
Steps to prevent hacking:
- Use unique passwords for important sites, like your bank and email. This can be an overwhelming task, but you can use a password manager, which provides a centralized and encrypted location that keeps a record of all these passwords safe. Password managers store login details for all the websites that you use and log you in automatically each time you return to a site. When using a password manager, you create a master password. The master password controls access to your entire password database. This password is the only one you will have to remember, so it's important to make it as strong and secure as possible.
- Use two-factor authentication whenever it is available. This provides a second layer of authentication such as a text or call to verify your identity.
- NEVER click on links or open attachments in emails unless you know who sent them and what they are.
- Download free software only from sites you know and trust.
- Don't use public computers or Wi-Fi to access your most sensitive online accounts, especially accounts that have your financial information.
- If you think a cybercriminal has gained access to your information – like your Social Security, credit card, or bank account number – go to IdentityTheft.gov to see the specific steps to take.
A keylogger is malware that records keystrokes on your keyboard. If you inadvertently allow this malware to be installed, it can track anything you type, including passwords, user names, credit card numbers, etc.
Here are helpful information and tips on how to avoid becoming a victim of keylogger malware.
How Keyloggers Access Your Information
Keylogger software can be installed onto your computer or device in several ways. Here are the most common:
- As an attachment to an e-mail
- As an embedded link in an e-mail
- As a script on a malicious website
How to Protect Yourself
- Phishing email: Never click on links or open an attachment from an unknown email address. Even if you recognize the sender, do not open an attachment or click a link if you weren't expecting it. Reach out to the sender first.
- If your browser warns you that you have landed on a webpage that is unsafe or possibly infected, take the warnings seriously and get off the site.
- Download apps and software from reliable sources only. Don't download anything that you have not requested and don't accept any 'free' software from an unrecognized source.
- Implement two-factor authentication whenever possible: this is an extra layer of security designed to ensure that you're the only person who can access your account, even if someone knows your password.
- When offered, click the "Remember this computer" option on sites that you trust so your username and other information are auto-populated and do not require keystrokes.
- Install good antivirus security software and keep the software updated.
If you are concerned that your financial information has been compromised, notify email@example.com immediately. If you think you have been a victim of identity theft, visit IdentityTheft.gov to see the specific steps to take to protect yourself.
After you have transferred your apps and data to your new device, you'll need to decide what to do with your old device. Regardless of whether you intend to recycle it or trade it in for cash, make sure the hard drive is wiped clean. This will ensure that all your personal information, including user names, passwords, login credentials, files, etc., is not accessible to anyone.
Here is a short list of recommendations to protect your information:
Secure delete all files
Simply deleting files is not enough. Even if you can't see the file name, the data is still on your hard drive and accessible. Most operating systems have a utility for secure deletion of files. Check your device's specifications and follow the instructions.
Deauthorize your applications
Many software packages such as Microsoft Office or Adobe allow installation on a limited number of devices. Be sure to deauthorize these programs so they will be available to use on your new device. Each program will have instructions on the specific procedure.
Clear your browsing history
Most browsers save information about your browsing history and have settings that allow you to store user names and passwords. Just think of how many websites you visit that have your user name and password "remembered." Locate the procedure to erase your browsing history for all your browsers, not just the one you use most often.
Uninstall all applications
If you have software that you purchased and installed on your hard drive, uninstall the programs so they are available to use again on your new device.
Remove the hard drive
If you intend to just dispose of your device, you can remove the hard drive entirely. While not easily done with many devices, it certainly ensures that your information is not shared. Then you can choose your preferred method of destroying the hard drive.
After you've done the above steps, you are ready to dispose of your old device. Since these devices do contain toxins, the best choice is to recycle if you intend to simply trash your device. Watch for events in your community that sponsor e-waste recycling. However, you may want to consider donating it or trading it in for cash value as well.
- Use strong passwords that include a mixture of letters, numbers and symbols.
- Change your passwords frequently.
- Do not use the same password for your online accounts.
- Use multi-factor authentication when available.
- Consider using a password manager program to eliminate the need to manually enter user names and passwords.
- Install real-time, always-on anti-virus software on your computer.
- Keep all software programs and your operating system up-to-date. Many updates are for security patches and enhancements. Enable "automatic updates" to make this easy.
- Activate the internet firewall.
- Require a password to log onto your computer.
- Quit out of, or log off, all online accounts after you have completed your transaction.
- Block pop-up windows.
- Password protect your Wi-Fi.
Mobile Device Security:
- Enable a screen lock that requires a password, PIN, touch ID or face ID to open your device.
- Log off all online accounts after you have completed your transaction, then close the app.
- Keep your apps and mobile operating systems up-to-date. Enable "automatic updates" to make this simple.
- Activate the "find my phone/tablet" feature when available.
- Avoid public Wi-Fi.
- If you are concerned that your NGFCU account information has been compromised, let us know immediately at 800-633-2848.
Protecting your smartphone and tablet requires a distinct approach. Follow these steps to help keep your mobile devices secure:
- Use a PIN/keylock code. Lock your phone when it is not in use by using a passcode, touch ID or face ID.
- Keep the software updated – many of the updates are security enhancements.
- Back up your devices regularly.
- Utilize the apps that can help locate your phone should you misplace or lose it. Be sure these apps are installed on another device such as a tablet or computer.
- Protect sensitive data. Always log out of your financial accounts after you have accessed mobile or online banking.
- Be wary of Wi-Fi. To stay safe, avoid connecting your device to public or unsecured (not requiring a password) Wi-Fi. Never conduct financial transactions or access sensitive data while you're on public Wi-Fi.
If you upgrade or trade in your phone, do these things first:
- Back it up.
- Remove the SIM and/or SD cards.
- Erase your personal information – if you have the option to restore your phone to the original factory settings, do that.
- Delete any apps that contain personal information, especially those used to access your financial accounts or online shopping.