Security

Protect Yourself From Email Phishing Attacks
April 2013

In the pre-Internet era, con men (also known as confidence men) would gain victims' confidence through the use of deception, to defraud them. The same principles are being used today, only now with even greater efficiency through the use of online scams. One of the most prolific means for online scamming is phishing.

"Gone Phishing"

When using email, it is difficult to know with certainty who you are communicating with. Scammers will use this uncertainty to pose as legitimate businesses, organizations, or individuals and gain the trust of users. They can leverage this trust to convince users to willingly give up information or click on malicious links or attachments.

To gain users' trust, scammers will appear like legitimate businesses or organizations by spoofing an email address, creating a fake website with legitimate logos, and even providing telephone numbers to an illegitimate customer service center operated by the scammers. Being mindful and observant can help you defend against scammers' deceptions by being prepared and proactive.

Two Common Types of Phishing Attacks

  • Phishing scams are perhaps one of the best-known forms of email scams. This type of scam involves a scammer pretending to have a fortune that he or she is incapable of accessing without the help of someone trustworthy, which happens to be you! The scammers will try to obtain the user's financial information using an empty promise of sharing the wealth in exchange for the user's help.
  • Spear phishing is a targeted and personalized attack aimed at a specific organization or individual. These attacks use information about the target, such as an email address that resembles one belonging to his or her acquaintances, to entice the user to either divulge sensitive information or download a malicious file. This often requires extensive information gathering on the target and has become one of the favored techniques in cyberespionage.

Be Mindful

When it comes to phishing, the best line of defense is you. If you are mindful of potential phishing traps and observant of the telltale signs of a scam, you can better defend against a phishing attack. Here are some easy tips to protect yourself:

  • Be cautious about all communications you receive, including those purported to be from "trusted entities," and be careful when clicking links contained within those messages. If in doubt, do not click.
  • Do not respond to any spam-type emails.
  • Do not send your personal information via email. Legitimate businesses will not ask users to send their sensitive personal information through this means.
  • Do not input your information in a pop-up advertisement. If you are interested in an offer that you see in a pop-up ad, contact the retailer directly through its website home page, retail outlet, or other legitimate contact methods.

Be Observant

Phishers rely on their deception to entice users to willingly do what the phishers want. Their deception is based upon resembling legitimate websites or trusted sources. These phishing scams can be very realistic and difficult to identify.

However, there are some telltale signs that may indicate a phishing scam. By being observant of these, you can help minimize your risk of becoming a victim. Keep an eye out for these simple telltale signs of a phishing email:

  • The email has poor spelling or grammar.
  • For secure transactions, look for a lock icon next to the URL in the browser's address bar; its absence on a page that asks for sensitive information is a warning sign.
  • The use of threats or incredible offers is a common tactic that tries to elicit an emotional response to cloud the user's judgment.
  • The URL does not match that of the legitimate website. Scammers cannot use the same URL associated with a legitimate website, so they will tweak the address of their spoofed website so that at a quick glance it looks legitimate.
    • The URL may use a different domain name (for example: .com vs .net).
    • The URL may use variations of the spelling of the actual Web address.

Be Aware of Attachments

Do not trust a file based on its extension. There are a variety of tricks to hide the nature of a file. While the simplest solution is not to download a file from an unknown user, below are some additional things you can look for:

  • Be cautious about double file extensions. One way the extension can be hidden is by adding a second extension, such as "Evil.pdf.exe," so that it looks like a regular PDF, with the ".exe" hidden.
  • Be wary of container files, such as ZIP files. Any number of files can be packaged inside, including malicious ones.
  • Beware of attached files. Malicious code can also be embedded in commonly emailed files, such as Word® files and PDFs, giving you another reason why you should only open attachments from trusted sources.
  • Do not open executable files. These are files with an ".exe" extension.
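The two checks described above, a visible link text whose domain does not match the real destination and an attachment whose name hides its true type, can be automated. The script below is an added example (not part of the original article) that parses a constructed sample message; the sender, domains, and filename in it are made up for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (hypothetical sender and domains, not a real email).
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.net>
To: member@example.org
Subject: Urgent: your account will be closed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log on within 24 hours or your account will be suspended.</p>
<a href="http://login.examp1e-bank.net/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help</a>
</body></html>
--BOUND
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs"}
CONTAINER_EXTS = {"zip", "rar", "7z"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def attachment_warnings(filename):
    """Return the telltale signs from the list above that apply to one attachment name."""
    exts = filename.lower().split(".")[1:]
    warnings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        warnings.append("executable file")
    # "Evil.pdf.exe": a document-looking inner extension hiding an executable outer one
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        warnings.append("double extension")
    if exts and exts[-1] in CONTAINER_EXTS:
        warnings.append("container file")
    return warnings


def registrable_domain(host):
    """Crude 'example.com' from 'www.example.com'; enough for two-label domains."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_warnings(html):
    """Return (visible text, real href) pairs where the shown address differs from the target."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        # Only compare when the visible text itself looks like a web address
        if not re.match(r"^(https?://|www\.)", text, re.I):
            continue
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        href_host = urlparse(href).hostname or ""
        if registrable_domain(text_host) != registrable_domain(href_host):
            findings.append((text, href))
    return findings


def analyze_message(raw):
    """Walk every MIME part and collect attachment and link warnings."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"attachments": {}, "links": []}
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            report["attachments"][fname] = attachment_warnings(fname)
        elif part.get_content_type() == "text/html":
            report["links"].extend(link_warnings(part.get_content()))
    return report


if __name__ == "__main__":
    for name, flags in analyze_message(SAMPLE_EMAIL)["attachments"].items():
        print("attachment", name, "->", ", ".join(flags) or "no warning")
    for text, href in analyze_message(SAMPLE_EMAIL)["links"]:
        print("link shows", text, "but goes to", href)
```

The domain comparison is deliberately simple (last two labels), so a gateway or mail client would still need a real public-suffix list before relying on it.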

Lastly, make sure you have an up-to-date anti-virus software program installed. Enable the feature to scan attachments with the anti-virus program before downloading and saving them to your computer.

Smartphone Security Tips
February 2013

We have come to depend on our smartphones so heavily that it is hard to remember what we did before we had them. If you have a smartphone, you now carry a fully functional computer in your pocket or purse. That is a tremendous amount of information at your fingertips! Therefore, it is paramount that you safeguard the smartphone.

Common Risks for Smartphones

Take a moment to consider each of these areas:

  • Loss of device and information theft. Smartphones are small and can easily be lost or stolen. Unauthorized users may access your accounts, address lists, photos, and more to scam, harm, or embarrass you or your friends. They may leverage stored passwords to access your bank and credit card accounts, steal your money, or make credit card charges. They may also gain access to sensitive material.
  • Social engineering. A common mobile threat is social engineering. Whether via text message, image, or application (app) to download, an incoming communication may be an attempt to gain access to your information. A current example consists of a text message that comes from an unknown number telling you that if you click on the link provided, you will have access to thousands of free ringtones. If this sounds too good to be true, that is because it is. The link is a malicious link. Clicking on it will compromise the security of your smartphone.
  • TMI (too much information). Guidelines for protecting privacy, safety, and reputation when sharing via computers also apply when sharing via smartphones. Mobile devices enable instantaneous capturing, posting, and distribution of images, videos, and information. They may also broadcast location information.
  • Public Wi-Fi. Smartphones are susceptible to malware and hacking when leveraging unsecured public networks.
  • Bluetooth® and near field communications (NFC). Bluetooth is a wireless network technology that uses short-wave radio transmissions to transmit voice and data. NFC allows for smartphones to communicate with each other by simply touching another smartphone, or being in close proximity to another smartphone with NFC capabilities or an NFC device. Risks with using NFC and Bluetooth include eavesdropping, through which the cybercriminal can intercept data transmission, such as credit card numbers. NFC also has the risk of transferring viruses or other malware from one NFC-enabled device to another.

Simple Steps to Protect Your Smartphone

  • Update the operating system. Smartphones are computing devices that need to be updated. Updates often provide you with enhanced functionality and enriched features, as well as fixes to critical security vulnerabilities. Your smartphone manufacturer should notify you whenever an update is available.
  • Use of security software is a must. As the smartphone market is increasing, so too is the amount of malware designed to attack smartphones. The software security solutions that are available for desktops and laptops are not as widely available for smartphones. A key protection is to use mobile security software and keep it up to date. Many of these programs can also locate a missing or stolen smartphone, back up your data, and even remotely wipe all data from the smartphone if it is reported stolen.
  • Password-protect your device. Enable strong password protection on your device and include a timeout that requires authentication after a period of inactivity. Secure the smartphone with a unique password – not the default one it came with. Do not share your password with others.
  • Think before you click, download, forward, or open. Before responding, registering, downloading, or providing information, get the facts. No matter how tempting the text, image, or application is, if the download is not from a legitimate app store or the site of a trusted company, do not engage with the message.
  • Understand the terms of use. Some applications claim extensive rights to accessing and leveraging your personal information. If the app requires more access to your account or device than is needed to run the service, do not continue. In addition, be aware that terms can change over time. Review your terms of use often.
  • Be cautious with public Wi-Fi. Many smartphone users use free Wi-Fi hotspots to access data and keep their smartphone plan costs down. There are numerous threats associated with Wi-Fi hotspots. To be safe, avoid logging into accounts, especially financial accounts, when using public wireless networks.
  • Disable Bluetooth and NFC capabilities when not in use. Capabilities such as Bluetooth and NFC can provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to gain access to your data. Turn these features off when they are not required.
  • Enable encryption. Enabling encryption on your smartphone is one of the best ways to safeguard information stored on the device, thwarting unauthorized access.
  • Securely dispose of your device. With the constant changes and upgrades in the smartphone market, many are upgrading their devices on a regular basis. It is important that you wipe the information from your smartphone before disposal. Additionally, make sure any secure digital (SD) cards are removed and erased. If you are not redeploying the subscriber identity module (SIM) card to another device, then make sure your personal information stored on the SIM card is erased or destroyed.

TurboTax State Return Rejected

People are receiving fake emails with the title "TurboTax State Return Rejected."

Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.

[Image: the fake "TurboTax State Return Rejected" email]

This is the end of the fake email.

Steps to Take Now

  • Do not open the attachment in the email.
  • Send a copy of the email to spoof@intuit.com.
  • Do not forward the email to anyone else.
  • Delete the email.

Information

On the Internet, "phishing" refers to criminal activity that attempts to fraudulently obtain sensitive information.
Here's what you can do to protect yourself from a phishing attack:
  1. If you suspect you have received a phishing email from Intuit, please forward it immediately to spoof@intuit.com. We will look into each reported instance.
  2. Make sure you subscribe to an anti-virus software and keep it up-to-date.
  3. Make sure you have updated your web browser to one that includes anti-phishing security features, such as Internet Explorer 7 or Firefox version 3 or higher.
  4. Make sure that you keep up to date on the latest releases and patches for your operating systems and critical programs. These releases are frequently security related.
  5. Do not respond to emails asking for account, password, banking, or credit card information.
  6. Do not open up an attachment that claims to be a software update. We will not send any software updates via email.
  7. Do not respond to text messages or voicemails that ask you to call a number and enter your account number and pin.
  8. Make sure you have passwords on your computer and your payroll files.
Here are three common methods that phishers use in their emails:
  1. Spoofed email address. Don't reply to unsolicited email and don't open email attachments. It's easy to fake a From or Reply To address, either manually or with spam software, so never assume an email is real by looking at its header. You might be able to spot fake addresses by checking for domain name misspellings, but this isn't foolproof. Some email service providers combat the problem of spoofed addresses by using authentication techniques to verify a sender's integrity.
  2. Fake link. When in doubt, never click on a link in an unsolicited or suspicious email. Scam emails can contain a hidden link to a site that asks you to enter your log on and account information. A clue: if the email threatens you with account closure if you don't log on soon, you could be the target of phishing. You may be able to tell if a link is real by moving your mouse over it and looking at the bottom of your browser to see the hidden Web address - it will look different than the one you see on the surface.
  3. Forged website. If you must visit a financial site, like your bank or credit card company, enter its known address into the browser location field manually. Use a browser with an anti-phishing plug-in or extension, like Firefox version 3 or higher or Internet Explorer 7. These browsers warn you about forged, high-risk sites. Phony websites mimic real sites by copying company logos, images, and site designs. Malicious webmasters can also use HTML, Flash or JavaScript to mask or change a browser address.

Reports of Fraudulent Federal Reserve E-Mail Messages
December 28, 2012

Some consumers and customers have reported receiving fraudulent email messages that reference ACH Summary or ACH Notification and instruct the recipient to click on several links. These emails were not sent by the Federal Reserve Banks. The Federal Reserve Banks deliver payment information to our financial institution customers via our trusted channels, and do not communicate this information directly to consumers. Financial institutions are advised to follow information security best practices, and to advise their customers not to click on the links contained in these types of email and to delete them immediately.

Cyber Crime and How it Affects You
December 2012

What is Cyber Crime?

Cyber crime is a term that covers a broad scope of criminal activity using a computer. Some common examples of cyber crime include identity theft, financial fraud, website defacements, and cyber bullying. At an organizational level, cyber crime may involve the hacking of customer databases and theft of intellectual property. Many users think they can protect themselves, their accounts, and their personal computers (PCs) with just anti-spyware and anti-virus software. Cyber criminals are becoming more sophisticated, and they are targeting consumers as well as public and private organizations. Therefore, additional layers of defense are needed.

An Example of Cyber Crime

An example of one type of cyber crime is an “account takeover.” This happens when cyber criminals compromise your computer and install malicious software, such as “keyloggers,” which record the key strokes, passwords, and other private information. This in turn allows them access to programs using your login credentials. Once these criminals steal your password, they may be able to breach your online bank account. These criminals can be anywhere in the world and may be able to transfer your money almost immediately.

What are the Effects of Cyber Crime?

The effects of a single, successful cyber attack can have far-reaching implications, including financial losses, theft of intellectual property, and loss of consumer confidence and trust. The overall monetary impact of cyber crime on society and government is estimated to be billions of dollars a year.

What Should We Do?

Training and awareness are important first steps in mitigating these attacks. All citizens, consumers, and employees should be aware of cyber threats and the actions they can take to protect their own information, as well as the information within their organization. So, what can you do to minimize the risk of becoming a cyber crime victim?

  1. Use strong passwords
    Use separate ID/password combinations for different accounts and avoid writing them down. Make the passwords more complicated by combining letters, numbers, special characters, and by changing passwords on a regular basis.
  2. Secure your computer
    • Enable your firewall
      Firewalls are the first line of cyber defense; they block connections from suspicious traffic and will keep out some types of viruses and hackers.
    • Use anti-virus/malware software
      Prevent viruses from infecting your computer by installing and regularly updating anti-virus software.
    • Block spyware attacks
      Prevent spyware from infiltrating your computer by installing and updating anti-spyware software.
  3. Secure your mobile devices
    Be aware that your mobile device is vulnerable to viruses and hackers. Download applications from trusted sources. Do not store unnecessary or sensitive information on your mobile device. It is also important to keep the device physically secure; millions of mobile devices are lost each year. If you do lose your device, it should immediately be reported to your carrier and/or organization. There are some devices that allow remote erasing of data. Be sure to keep your mobile device password protected.
  4. Install the latest operating system updates
    Keep your applications and operating system (for example: Microsoft® Windows®, Apple® Mac, and Linux) current with the latest system updates. Turn on automatic updates to prevent potential attacks on older software.
  5. Protect your data
    Use encryption for your most sensitive files, such as health records, tax returns, and financial records. Make regular back-ups of all your important data.
  6. Secure your wireless network
    Wi-Fi (wireless) networks at home are vulnerable to intrusion if they are not properly secured. Review and modify default settings. Public Wi-Fi, also known as “hot spots,” may be vulnerable. Avoid conducting sensitive transactions on these networks.
  7. Protect your e-identity
    Be cautious when giving out personal information, such as your name, address, telephone number, or financial information on the Internet. Make sure that websites are secure, especially when making online purchases, or that you have enabled privacy settings (for example: when accessing/using social networking sites, such as Facebook, Twitter®, YouTube, etc.). Once something is posted on the Internet, it may be there forever.

Avoid being scammed

Never reply to emails that ask you to verify your information or confirm your user ID or password. Don’t click on a link or file of unknown origin. Check the source of the message; when in doubt, verify the source.

Shazam - Mobile Apps: How to Use Them Safely
March 2012

What steps can users take to minimize risk when it comes to using mobile device apps? Here are a few tips:

  • Make sure you actually need an app - Every time you download an app, you open yourself to potential vulnerabilities. Only download those apps you deem necessary with the understanding of the risks involved.
  • Be careful about which app store you use - If you decide to download an app, be aware of which app store you use. App stores have different standards for which apps they will offer to the public. Some app stores require apps to be put through rigorous testing first, while other stores accept all apps.
  • Do research and check the source - If you are downloading an app, it is wise to do research on the application itself, the sponsoring company, and/or the developer's website. Be cautious about downloading new applications, as they may contain coding bugs that have not yet been addressed. Most app markets post user reviews on the apps they offer. Look for apps that have a high number of reviews. Take time to read the app's privacy policy. Check to see if the app needs access to and will report your position via GPS, and whether it will expose your private and personal information to other users or any potential buyer of that data.
  • Password-protect your mobile device - Your mobile device should be protected with a strong password. Make sure that the passwords are not stored in your device. Do not enable the apps to remember your password, and set your device to auto-lock after a few minutes.
  • Learn how to remotely wipe your mobile device - If your device has a remote wipe feature, you should enable it. If the device is lost or stolen, this will allow you to remotely remove all of your personal data and restore it to its factory settings.
  • Do not use public Wi-Fi when performing financial transactions - Most mobile devices can use both wireless Internet and a mobile provider's 3G or 4G network. Use only 3G or 4G networks for any secure transactions, such as banking.
  • Be alert to changes in your mobile device's performance - If you download an app and your device starts performing differently (for example: responding slowly to commands or draining its battery faster), this could be a sign that malicious code is present on the device.
  • Update apps - Update all apps when notified.
  • Disable Bluetooth settings on your mobile device whenever it is not in use - If left on, someone could potentially pair to your device and obtain information to take over your device.

Miscellaneous Security Tips

Card Skimmers

Crooks install hard-to-spot card readers, called skimmers, on top of card readers built into gas station pumps. The skimmers grab the account information from the card without interfering with the legitimate payment transaction. Then this data is used to create or clone fake debit or credit cards that are used at ATMs.

Card thieves are becoming more and more sophisticated in their use of technology. Some install tiny cameras that record PINs; others use fake keypads that slip over the real keypad and transmit the PIN code as it is entered. Wireless transmitters are also installed inside gas station pumps: thieves sit in the parking lot with a laptop and receive real-time information as victims use their credit cards at the pump. When placed on the outside of the card reader, these devices can often be very difficult to see.

Employers should make certain that all employees that use company credit cards are aware of these scams. The safest way to avoid card skimming is to take the card inside to the cashier to run the charge.

Shoppers Sweepstakes Notification

A letter is received informing you that you are one of the declared winners and that the company has been unsuccessful in contacting you regarding this winning sum of money. To expedite the processing, a check is enclosed which has supposedly been deducted from the winnings. The stated purpose of the check is the payment of applicable government taxes. The check is for more than is needed for taxes, so the letter instructs you to pay the tax money by Western Union or MoneyGram and keep the remainder. The check is deposited and the taxes are sent to a third party. The check is fraudulent or counterfeit, and you are left "holding the bag".

Secret Shopper Mystery Shopper Program

You are selected to participate in a paid position evaluating selected retail stores, restaurants and various establishments, making predetermined purchases and evaluating the Customer Service of stores and service providers. A check is sent to cover the first week of assignments. Explicit instructions are given to evaluate the effectiveness and efficiency of the payment system called Money Gram/Western Union. You pose as a potential customer by sending a Money Gram/Western Union to a training agent after the check is deposited into a bank or credit union account. The check is returned after the hold period as "Account Closed" or "Account Unable to Find."

Signals for these types of scams: individuals who immediately request or demand that a check be deposited with no holds, or a comment that a portion of the check is going to be sent to a third party by money order or Western Union.

Telephone Scam

The telephone call is either an automated call or from a live person claiming to be from a financial institution (bank or credit union), advising the recipient's card has been suspended and needs to be re-activated. The automated call or live person asks you to press #1 to be transferred to the security department and enter your account information.

Safeguards: these are scams. Personal information, account numbers, PINs or Social Security numbers are not solicited via telephone, email or text message. If a suspicious request is received, do not respond, and contact your financial institution immediately.

Protecting Your Account and Identity

What We Are Doing...

  • R.I.A. Federal Credit Union will never contact you via phone, email or text message asking you to verify confidential or sensitive member or account information. R.I.A. Federal Credit Union will also never contact you via email or text message regarding your account being closed.
  • We have implemented both Verified By Visa and MasterCard SecureCode programs to add additional security when using your credit or debit card online for purchases. If you have not registered for these programs, please visit our Links Directory to do so.
  • R.I.A. offers you the ability to set up a Phone ID to be used when calling us. Contact your local Branch for details on how to establish yours.
  • Secure Internet Account Access. For your protection, our servers require that your web browser uses 128-bit encryption to connect. Review more information on Security here.
  • We now offer Enhanced Login Security for Internet Account Access. This feature requires a second authentication factor to be verified prior to gaining access to your accounts online. You can learn more about this feature and how it works by visiting the link at the top of the page.
  • Sign up for E-Statements and you won't have to worry about your statement getting lost in the mail or stolen by a would-be thief. You can view your account details whenever you want from the comfort and safety of your home computer.
  • Neural Networks are in place on both our Visa Credit Card and MasterCard Debit Programs. These systems track our members' purchasing patterns and alert us when any unusual activity occurs.

What You Can Do...

  • Watch out for scams known as "phishing," where someone calls or emails you and claims to be from one of your accounts (Financial Institution, Credit Card, Internet provider etc.) and wants to "verify" your information or "prevent account closure or restriction" by requesting that you give them your account number, Social Security number, Credit Card number, etc. — DON'T GIVE OUT THIS INFORMATION to anyone over the telephone if they've called or emailed you! Hang up and call the company back using a telephone number you know to be genuine (not one they give you) to check that it was a legitimate inquiry and to notify them of these occurrences.
  • Forward spam emails that are phishing for information to Anti-Phishing Working Group and to the company, financial institution, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
  • If you get an email or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either. Legitimate companies don’t ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address yourself. In any case, don’t cut and paste the link from the message into your Internet browser — phishers can make links look like they go to one place, but that actually send you to a different site.
  • Cancel unused credit cards.
  • Limit the amount of identification and the number of credit cards you carry.
  • When making transactions over the Internet, use only a secure site. Look for the "lock" icon on the Web page.
  • Don't leave envelopes with checks inside in an unsecured mailbox. Try to use a sealed U.S. Post Office mailbox for your correspondence. If you have an "open" mailbox, make an effort to pick up your mail promptly. Don't leave mail in your mailbox overnight or on weekends.
  • Completely destroy or shred copies of credit card receipts, statements from financial institutions, tax returns and loan applications before discarding them. Keep the ones you need in a SECURE place.
  • Look for statements from financial institutions and verify that the account information is correct.
  • Never give your Personal Identification Numbers (PINs) to anyone, for any reason.
  • Watch for unexplained interruptions in your mail service. If there is one, contact your local post office and verify that your address has not been changed without your knowledge.
  • Review a copy of your credit report at least once a year. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit bureaus. See www.annualcreditreport.com for details on ordering a free annual credit report.
  • Use anti-virus software and a firewall, and keep them up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically. A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection. Operating systems (like Windows or Linux) or browsers (like Internet Explorer or Netscape) also may offer free software patches to close holes in the system that hackers or phishers could exploit.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
  • If you believe you’ve been scammed, file your complaint at ftc.gov, and then visit the FTC’s Identity Theft website. Victims of phishing can become victims of identity theft. While you can’t entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report.