9/6/17

WEBSITE SCAM ALERT

Yesterday, a member reported that an individual representing himself as Prime Trust’s CEO Jeff Sikora contacted him about receiving a large inheritance.  He was then directed to a website Primetrustfcu.ca, which appeared very authentic.  THIS IS A SCAM!  Our CEO did not initiate the call, the website is not PTF’s, and we would never initiate such a contact. 

 In the event you receive such a contact, hang up and report the incident to our Security Officer, Matt Kear.  His phone number is 765-281-4220.

 At Prime Trust, we take your security very seriously.  We have reported this scam to the authorities and are trying to close this bogus website down.

4/3/17

EMPLOYMENT SCAM TARGETING COLLEGE STUDENTS REMAINS PREVALENT

College students across the United States continue to be targeted in a common employment scam. Scammers advertise phony job opportunities on college employment websites, and/or students receive e-mails on their school accounts recruiting them for fictitious positions. This "employment" results in a financial loss for participating students.

How the scam works:

• Scammers post online job advertisements soliciting college students for administrative positions.
• The student employee receives counterfeit checks in the mail or via e-mail and is instructed to deposit the checks into their personal checking account.
• The scammer then directs the student to withdraw the funds from their checking account and send a portion, via wire transfer, to another individual. Often, the transfer of funds is to a "vendor", purportedly for equipment, materials, or software necessary for the job.
• Subsequently, the checks are confirmed to be fraudulent by the bank.

The following are some examples of the employment scam e-mails:

"You will need some materials/software and also a time tracker to commence your training and orientation and also you need the software to get started with work. The funds for the software will be provided for you by the company via check. Make sure you use them as instructed for the software and I will refer you to the vendor you are to purchase them from, okay."

"I have forwarded your start-up progress report to the HR Dept. and they will be facilitating your start-up funds with which you will be getting your working equipment from vendors and getting started with training."

"Enclosed is your first check. Please cash the check, take $300 out as your pay, and send the rest to the vendor for supplies."

Consequences of participating in this scam:

• The student's bank account may be closed due to fraudulent activity and a report could be filed by the bank with a credit bureau or law enforcement agency.
• The student is responsible for reimbursing the bank the amount of the counterfeit checks.
• The scamming incident could adversely affect the student’s credit record.
• The scammers often obtain personal information from the student while posing as their employer, leaving them vulnerable to identity theft.
• Scammers seeking to acquire funds through fraudulent methods could potentially utilize the money to fund illicit criminal or terrorist activity.

Tips on how to protect yourself from this scam:

• Never accept a job that requires depositing checks into your account or wiring portions to other individuals or accounts.
• Many of the scammers who send these messages are not native English speakers. Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses.
• Forward suspicious e-mails to the college’s IT personnel and report to the FBI. Tell your friends to be on the lookout for the scam.

If you have been a victim of this scam or any other Internet-related scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov and notify your campus police.

This article can be found at https://www.ic3.gov/media/2017/170118.aspx

10/26/16

What Happened At Wells Fargo?

The financial services industry is based on trust. When a big company abuses that trust, the whole industry seems off kilter. The details about the extent of the recent fake account scandal are still coming to light. Here are a few common questions about the scandal and what to do if you've been impacted by it.

What was going on inside Wells Fargo?

As a commercial bank, Wells Fargo generates revenue from each customer account. It could do this in a variety of ways: fees, low balance penalties or other charges. In an effort to maximize its revenue, the company established a sales quota for each of its sales teams. Individual salespeople and team managers were therefore under heavy pressure to meet an unrealistic goal and open new accounts.

Somewhere along the line, someone inside the organization decided the only way to meet these goals was through fraud. Eventually, fraud became a widespread corporate practice. It became standard procedure to open fake accounts using an existing customer's information and then charge fees for services they never wanted or agreed to.

Worse yet, the company began actively silencing those who attempted to put a stop to this wrongdoing. Over the course of eight years, about 5,600 employees were fired for reporting this activity to the Wells Fargo ethics hotline or attempting to discuss it with human resources. Many of them were effectively blacklisted, preventing them from working in financial services again.

After this information became public, Wells Fargo CEO John Stumpf was forced to resign. All evidence suggests that he was aware of the situation and did nothing about it. The bank has been fined millions of dollars and is also being asked to issue refunds to many of its victims.

What can I do if I was a victim of fraud?

Most of the people who had fake accounts opened in their names have already been given a refund. Wells Fargo is conducting an internal review to uncover the extent of the damage, and it's extended its search back to 2009.

If you've done business with Wells Fargo, it might be a good idea to get a list of accounts that have been opened in your name during your time as a customer. You can do this by getting a free credit report at annualcreditreport.com.

Why did Wells Fargo do this?

Part of what set up Wells Fargo for failure was the profit motive at the heart of its business model. As a corporate bank, Wells Fargo has a first obligation to its shareholders. Any obligation it might have to its account holders is secondary. That creates an inevitable conflict of interest.

Credit unions, on the other hand, are not-for-profit institutions owned by their members. Our shareholders and our account holders are exactly the same people. Our board consists of volunteers from within our community, not individuals seeking a payday. That allows us to always put the interests of our members at the forefront of what we do.

If you're tired of a bank that treats you like a cash machine, maybe it's time to give PrimeTrust a try. We offer the same services that commercial banks do, but with a model that's based on putting members first. For more information about PrimeTrust, call or stop by any of our branch locations, or click here to check out the many services we offer.

7/12/16

HOW PRIMETRUST HANDLES OUTSIDE SECURITY BREACHES

To help ensure PrimeTrust member safety, whenever there is a confirmed security breach outside of PrimeTrust, our protocol is to turn-off signature-based transactions, while still allowing PIN-based transactions, and reissue new debit or credit cards to our members at no cost to the member. The reissuing process could take up to three weeks, depending on the total number of people, members and non-members, involved in the breach. If a member chooses not to wait for a no-cost card to be mailed to them, they may come to a branch and an instant issue card may be purchased for a $10.00 fee.

 6/3/16

EXTORTION E-MAIL SCHEMES TIED TO RECENT HIGH-PROFILE DATA BREACHES

The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via e-mail related to recent high-profile data thefts. The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient's social media contacts, family, and friends if a ransom is not paid. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions. The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200.

The following are some examples of the extortion e-mails:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Fraudsters quickly use the news release of a high-profile data breach to initiate an extortion campaign. The FBI suspects multiple individuals are involved in these extortion campaigns based on variations in the extortion emails.

If you believe you have been a victim of this scam, you should reach out to your local FBI field office, and file a complaint with the IC3 at www.ic3.gov. Please include the keyword “Extortion E-mail Scheme” in your complaint, and provide any relevant information in your complaint, including the extortion e-mail with header information and Bitcoin address if available.

TIPS TO PROTECT YOURSELF:

• Do not open e-mail or attachments from unknown individuals.
• Monitor your bank account statements regularly, as well and as your credit report at least once a year for any fraudulent activity.
• Do not communicate with the subject.
• Do not store sensitive or embarrassing photos of yourself online or on your mobile devices.
• Use strong passwords and do not use the same password for multiple websites.
• Never provide personal information of any sort via e-mail. Be aware, many e-mails requesting your personal information appear to be legitimate.
• Ensure security settings for social media accounts are turned on and set at the highest level of protection.
• When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes https, or the status bar displays a “lock” icon.

The FBI does not condone the payment of extortion demands as the funds will facilitate continued criminal activity, including potential organized crime activity and associated violent crimes.

¹A Bitcoin payment destination containing 26 to 35 alphanumeric characters beginning with the number 1 or 3.

 This article can be found at http://www.ic3.gov/media/2016/160601.aspx 

5/10/16

FRAUD ALERTS

Place a Fraud Alert

Ask 1 of the 3 credit reporting companies to put a fraud alert on your credit report. They must tell the other 2 companies. An initial fraud alert can make it harder for an identity thief to open more accounts in your name. The alert lasts 90 days but you can renew it.

Why Place an Initial Fraud Alert

Three national credit reporting companies keep records of your credit history. If someone has misused your personal or financial information, call 1 of the companies and ask for an initial fraud alert on your credit report. A fraud alert is free. You must provide proof of your identity. The company you call must tell the other companies about your alert.

An initial fraud alert can make it harder for an identity thief to open more accounts in your name. When you have an alert on your report, a business must verify your identity before it issues credit, so it may try to contact you. The initial alert stays on your report for at least 90 days. You can renew it after 90 days. It allows you to order one free copy of your credit report from each of the three credit reporting companies. Be sure the credit reporting companies have your current contact information so they can get in touch with you.

How to Place an Initial Fraud Alert

1. Contact 1 credit reporting company.
2. Report that you are an identity theft victim.
3. Ask the company to put a fraud alert on your credit file.
4. Confirm that the company you call will contact the other 2 companies.
   Placing a fraud alert is free. The initial fraud alert stays on your credit report for 90 days.
   
   Be sure the credit reporting companies have your current contact information so they can get in touch with you.

Update your files.
The credit reporting company will explain that you can get a free credit report, and other rights you have.

Mark your calendar.
The initial fraud alert stays on your report for 90 days. You can renew it after 90 days.

Update your files.

Record the dates you made calls or sent letters.

Keep copies of letters in your files.

Contact Information for the Credit Reporting Companies

TransUnion
1-800-680-7289

Experian
1-888-397-3742

Equifax
1-888-766-0008

Find this article at https://www.consumer.ftc.gov/articles/0275-place-fraud-alert

4/1/16

STOLEN IDENTITY REFUND FRAUD

Each year, criminal actors target US persons and visa holders for Stolen Identity Refund Fraud (SIRF). SIRF is defined as the fraudulent acquisition and use of the Personally Identifiable Information (PII) of US persons or visa holders to file tax returns. The fraudulent tax returns are sent to bank accounts or pre-paid cards that are held under their control. SIRF is relatively easy to commit and extremely lucrative for criminal actors. While all U.S. taxpayers are susceptible to SIRF, over the past year, criminal actors have targeted specific portions of the population, including: temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, senior citizens, and military personnel deployed overseas. This may be due to the perception by criminal actors that these individuals are less likely to be aware of or receive notification that their identity has been stolen.

After criminal actors steal PII, they use corrupt tax preparation companies or online tax software to file fraudulent tax returns with the stolen identity information at the federal and state level. The only legitimate information needed to file a fraudulent tax return is a name and social security number. This information is obtained by criminal actors through a variety of techniques, including computer intrusions, the online purchase of stolen PII, the physical theft of data from individuals or third parties, the impersonation of government officials through both phishing and cold-calling techniques, the exploitation of PII obtained through one's place of employment, the theft of electronic medical records, and searching multiple publicly available Web sites and social media. After the criminal actors electronically file fraudulent tax returns, they use pre-paid debit cards or bank accounts under their control to route fraudulent returns. The balances on the pre-paid cards and bank accounts are depleted shortly after the tax refund is issued.

Additionally, investigative information shows cyber criminals compromised legitimate online tax software accounts during the 2015 tax season. Cyber criminals modified victims' online tax software account information, diverting tax refunds to bank accounts or pre-paid cards under their control.

Many victims of SIRF do not know they have been targeted until they try to file their legitimate tax return. Many also receive notifications in the mail that their returns are being audited or are under review before they have even filed their tax returns.

If you believe you are a victim of SIRF, contact your local FBI or IRS field office. You may consult www.identitytheft.gov which can help you report and recover from identity theft. Additional resources are available at https://www.irs.gov/Individuals/Identity-Protection.

Tips to protect yourself:

• File tax returns as early as possible.
• Monitor your bank account statements regularly, as well and as your credit report at least once a year for any fraudulent activity.
• Report unauthorized transactions to your bank or credit card provider as soon as possible.
• Be cautious of telephone calls or e-mails that require you to provide your personal information, especially your birth date or social security number. If you are in doubt, do not provide the requested information.
• Do not open e-mail or attachments from unknown individuals. Additionally, do not click on links embedded in e-mails from unknown individuals.
• Never provide personal information of any sort via e-mail. Be aware, many e-mails requesting your personal information appear to be legitimate.
• If you use online tax services, ensure your bank account is accurately listed before and after you file your tax return.
• Ensure sensitive information is permanently removed from online tax software accounts that are no longer being used. Allowing online accounts to become dormant can be risky and make you more susceptible to tax fraud schemes.

3/4/16

Millennials were one of the most victimized groups of phone scams in 2015

FotoliaRunning a scam by calling victims on the phone seems so old school. In the digital world, you would think scammers would focus on Internet schemes instead.

But apparently, scammers hold to the adage “if it ain't broke, don't fix it.” Because telephone scams, even in the 21^st century, appear to be very effective indeed.

In a survey conducted for Truecaller, the Harris Poll found that 11% of U.S. consumers lost money in 2015 to a telephone scam. And that's just the number that admitted it to a survey-taker.

Remarkably, that represents a 53% increase over the 2014 survey, suggesting that scammers have been busy dialing for dollars, something of a quaint method in this day and age.

Losses of $7.4 billion

The survey estimates 27 million U.S. consumers lost approximately $7.4 billion to this scheme – an average of $274 per victim.

“For as much progress as we’ve made in areas of fraud detection and caller ID, phone scams and spam on our mobile devices continue to increase at an astonishing rate,” Tom Hsieh, VP of Growth and Partnerships at Truecaller, said in a release. “We think this should sound an alarm to millions of unsuspecting Americans who continue to lose out on billions of dollars every year, yet still aren’t taking the proper precautions they need to protect themselves from becoming a victim, or identifying important calls they should be taking because they aren’t able to recognize the source of the number.”

While the scammers may still be targeting victims using 20^th century tools, a notable trend is the increased targeting of mobile phones, as opposed to landlines. About 74% report the scammer called their cell phone. That's up sharply from 2014, when only 49% of the victims were called on a mobile device.

Men fall for it more than women

Another interesting factoid – men were twice as likely to report losing money over the phone than women. Among generations, Millennials make up a huge portion of phone scam victims, right behind seniors.

The survey suggests a need for better awareness of these scams and information on how to combat them. A first step is to make sure your telephone numbers are registered on the national DO NOT CALL list.

Being on this list will not stop scammers from calling, but it will stop legitimate telemarketers. That means if you get a call from a telemarketer who isn't from a non-profit, a political organization, or a survey company, chances are good it's a scam.

You should also be aware of the tried and true schemes that scammers use time and time again. You'll find a partial run-down of the most common phone scams here.

 Find this article at http://www.consumeraffairs.com/news/survey-11-of-adults-lost-money-to-a-phone-scam-last-year-012616.html

2/5/16

Tips for Taxpayers, Victims about Identity Theft and Tax Returns

Here’s a 2013 article from the IRS, but it has relevant information for 2016 as you file your taxes.

IRS YouTube Videos
ID Theft: Protect Yourself from Identity Theft English | Spanish | ASL
ID Theft: Are You a Victim of Identity Theft? English | Spanish | ASL

Podcasts
ID Theft: Protect Yourself from Identity Theft English | Spanish
ID Theft: Are You a Victim of Identity Theft? English | Spanish

FS-2013-3, January 2013

The Internal Revenue Service is taking additional steps during the 2013 tax season to protect taxpayers and help victims of identity theft and refund fraud.  

Stopping refund fraud related to identity theft is a top priority for the tax agency. The IRS is focused on preventing, detecting and resolving identity theft cases as soon as possible. The IRS has more than 3,000 employees working on identity theft cases – more than twice the level of a year ago. We have trained more than 35,000 employees who work with taxpayers to recognize and provide assistance when identity theft occurs.

Taxpayers can encounter identity theft involving their tax returns in several ways. One instance is where identity thieves try filing fraudulent refund claims using another person’s identifying information, which has been stolen. Innocent taxpayers are victimized because their refunds are delayed.

Here are some tips to protect you from becoming a victim, and steps to take if you think someone may have filed a tax return using your name:

Tips to protect you from becoming a victim of identity theft

• Don’t carry your Social Security card or any documents with your SSN or Individual Taxpayer Identification Number (ITIN) on it.
• Don’t give a business your SSN or ITIN just because they ask. Give it only when required.
• Protect your financial information.
• Check your credit report every 12 months.
• Secure personal information in your home.
• Protect your personal computers by using firewalls, anti-spam/virus software, update security patches and change passwords for Internet accounts.
• Don’t give personal information over the phone, through the mail or on the Internet unless you have initiated the contact or you are sure you know who you are dealing with.

If your tax records are not currently affected by identity theft, but you believe you may be at risk due to a lost or stolen purse or wallet, questionable credit card activity or credit report, contact the IRS Identity Protection Specialized Unit at 800-908-4490 (Mon. - Fri., 7 a.m. - 7 p.m. local time; Alaska & Hawaii follow Pacific Time).

If you believe you’re a victim of identity theft

Be alert to possible identity theft if you receive a notice from the IRS or learn from your tax professional that:

• More than one tax return for you was filed;
• You have a balance due, refund offset or have had collection actions taken against you for a year you did not file a tax return;
• IRS records indicate you received more wages than you actually earned or
• Your state or federal benefits were reduced or cancelled because the agency received information reporting an income change.

If you receive a notice from IRS and you suspect your identity has been used fraudulently, respond immediately by calling the number on the notice.

If you did not receive a notice but believe you’ve been the victim of identity theft, contact the IRS Identity Protection Specialized Unit at 800-908-4490 right away so we can take steps to secure your tax account and match your SSN or ITIN.

Also, fill out the IRS Identity Theft Affidavit, Form 14039. Please write legibly and follow the directions on the back of the form that relate to your specific circumstances.

In addition, we recommend you take additional steps with agencies outside the IRS:

• Report incidents of identity theft to the Federal Trade Commissionat www.consumer.ftc.gov or the FTC Identity Theft hotline at 877-438-4338 or TTY 866-653-4261.
• File a report with the local police.
• Contact the fraud departments of the three major credit bureaus:
  • Equifax – www.equifax.com, 800-525-6285
  • Experian – www.experian.com, 888-397-3742
  • TransUnion – www.transunion.com, 800-680-7289
• Close any accounts that have been tampered with or opened fraudulently.

 This article can be found at https://www.irs.gov/uac/Newsroom/Tips-for-Taxpayers,-Victims-about-Identity-Theft-and-Tax-Returns

 11/24/15

Tips for Protecting Your Identity during the Holidays

Credit bureau Equifax is offering tips for protecting your identity as we head into the holiday season.

This year’s busy holiday shopping season entails a lot of credit and debit card swipes, vacations and generally frantic activity. It’s a perfect time for identity thieves to flourish.

So, right on the heels of National Cyber Security Awareness month (October), Equifax put together the following tips for keeping your identity secure – during the holidays and all year long:

• At school, visit the IT department to ensure that your campus Internet is secure.
• At work, when filling out forms that require your personal information try to submit the sensitive information handwritten through priority mail, instead of online.
• Keep birth certificates, Social Security cards, and other personal documents in a lockbox in your home.
• When disposing of documents, use a diagonal shredder.
• Take outgoing bills, government forms, or tax forms directly to the post office.
• Refrain from putting your driver’s license number on your personal checks.
• Consider writing just your first initial and last name on checks.
• Always shred credit card receipts at home.
• Install anti-virus software, anti-malware software and a firewall on your computer and keep the programs up to date.
• Use unique passwords that are different for each Web site.
• Refrain from including your birth-date or other sensitive information on your social media accounts, even just the month and day.
• Consider a credit monitoring and identity theft protection product.

These are great tips. One last thought is that it’s important to change your passwords often – particularly following times when you’ve been swiping in strange places (such as shopping malls).

Stay safe this holiday season, so you can enjoy peace of mind all year.

Article can be found at http://epcor.informz.net/admin31/content/template.asp?sid=41506&ptid=1176&brandid=3111&uid=763633632&mi=4844614&ps=41506

10/16/15

5 Steps to Cut Your Data Security Risks

Online banking has made managing personal finances easier than ever. However, it has also provided cyber criminals with a whole new way to get at Americans’ money. In 2014, hackers snatched $16 billion from about 13 million consumers, according to Javelin Strategy and Research, making it more important than ever to safeguard data.

 Although financial institutions dedicate plenty of resources to fighting fraud, there are several actions you can take to thwart thieves. Here’s where to get started.

 1. Create strong passwords

Make fraudsters’ lives more difficult by coming up with robust passwords. That means ditching any login credentials that contain easy-to-find information like your name or birthplace. Instead, use a combination of numbers, letters and symbols. Include a mix of lower- and uppercase letters, and consider changing it every few months. Write your passwords down, but don’t keep them saved on your computer. Instead, store them somewhere safe in your home.

2. Download security software

Bolster your desktop or laptop’s virtual armor by installing the latest security software, which can ward off viruses and other bugs. You should also practice caution when browsing the web. Most times, a simple eye-test should suffice — if it looks sketchy, click away. This is especially true if you’re ordering something online. If a website doesn’t look trustworthy, or at all gives you pause, don’t enter your credit card information. Credit card fraud data suggest that hackers will increasingly target online transactions as technology gets more secure around in-person purchases.

 3. Avoid e-mail scams

Viruses and malware can also infect your system via e-mail. Cyber criminals are pretty crafty these days and often disguise themselves by using names from your list of contacts. Read every e-mail carefully, even if it purports to come from your colleague or best friend. If something looks suspicious, don’t open any links or attachments, and definitely don’t send your credit card or bank account number.

 4. Monitor transactions

Try to get into the habit of logging into your account and looking over your transactions regularly, even daily. If something looks amiss, contact your financial services provider immediately. They’ll be able to freeze your account, investigate the security breach and possibly refund any money that was lost.

 5. Sign up for alerts

Take precautions one step further by enrolling in text and e-mail alerts, which are offered by financial institutions like PrimeTrust Federal Credit Union. You can tailor these alerts to notify you about potentially suspicious activity — say, whenever more than $200 is withdrawn from your account — and you can also opt to receive daily checking account balance notifications.

 The bottom line
Putting a stop to online crime requires a joint effort between financial institutions and the members that they serve. By making some of the aforementioned moves, you’ll be lowering your risk of getting caught off guard.

 Tony Armstrong, NerdWallet

© Copyright 2015 NerdWallet, Inc. All Rights Reserved

10/2/15

INTERNET OF THINGS POSES OPPORTUNITIES FOR CYBER CRIME

The Internet of Things (IoT) refers to any object or device which connects to the Internet to automatically send and/or receive data.

As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or Smartphones, IoT devices also pose security risks to consumers. The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats.

What are some IoT devices?

• Automated devices which remotely or automatically adjust lighting or HVAC
• Security systems, such as security alarms or Wi-Fi cameras, including video monitors used in nursery and daycare settings
• Medical devices, such as wireless heart monitors or insulin dispensers
• Thermostats
• Wearables, such as fitness devices
• Lighting modules which activate or deactivate lights
• Smart appliances, such as smart refrigerators and TVs
• Office equipment, such as printers
• Entertainment devices to control music or television from a mobile device
• Fuel monitoring systems

How do IoT devices connect?

IoT devices connect through computer networks to exchange data with the operator, businesses, manufacturers, and other connected devices, mainly without requiring human interaction.

What are the IoT Risks?

Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety. The main IoT risks include:

• An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping;
• An exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information;
• Compromising the IoT device to cause physical harm;
• Overloading the devices to render the device inoperable;
• Interfering with business transactions.

What an IoT Risk Might Look Like to You?

Unsecured or weakly secured devices provide opportunities for cyber criminals to intrude upon private networks and gain access to other devices and information attached to these networks. Devices with default passwords or open Wi-Fi connections are an easy target for cyber actors to exploit.

Examples of such incidents:

• Cyber criminals can take advantage of security oversights or gaps in the configuration of closed circuit television, such as security cameras used by private businesses or built-in cameras on baby monitors used in homes and day care centers. Many devices have default passwords cyber actors are aware of and others broadcast their location to the Internet. Systems not properly secured can be located and breached by actors who wish to stream live feed on the Internet for anyone to see. Any default passwords should be changed as soon as possible, and the wireless network should have a strong password and firewall.
• Criminals can exploit unsecured wireless connections for automated devices, such as security systems, garage doors, thermostats, and lighting. The exploits allow criminals to obtain administrative privileges on the automated device. Once the criminals have obtained the owner’s privileges, the criminal can access the home or business network and collect personal information or remotely monitor the owner’s habits and network traffic. If the owner did not change the default password or create a strong password, a cyber criminal could easily exploit these devices to open doors, turn off security systems, record audio and video, and gain access to sensitive data.
• E-mail spam attacks are not only sent from laptops, desktop computers, or mobile devices. Criminals are also using home-networking routers, connected multi-media centers, televisions, and appliances with wireless network connections as vectors for malicious e-mail. Devices affected are usually vulnerable because the factory default password is still in use or the wireless network is not secured.
• Criminals can also gain access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines. Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection. These devices may be at risk if they are capable of long-range connectivity.
• Criminals can also attack business-critical devices connected to the Internet such as the monitoring systems on gas pumps. Using this connection, the criminals could cause the pump to register incorrect levels, creating either a false gas shortage or allowing a refueling vehicle to dangerously overfill the tanks, creating a fire hazard, or interrupt the connection to the point of sale system allowing fuel to be dispensed without registering a monetary transaction.

Consumer Protection and Defense Recommendations

• Isolate IoT devices on their own protected networks;
• Disable UPnP on routers;
• Consider whether IoT devices are ideal for their intended purpose;
• Purchase IoT devices from manufacturers with a track record of providing secure devices;
• When available, update IoT devices with security patches;
• Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it operate on a home network with a secured Wi-Fi router;
• Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device;
• Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;
• Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.

Article found at http://www.ic3.gov/media/2015/150910.aspx

7/3/15

GIFT CARD SCAMS

While it is very popular to purchase, spend, and give others gift cards, the FBI would like to warn consumers of the potential for fraud. The online presence of the Secondary Gift Card Market has grown significantly in recent years. The Secondary Gift Card Market provides a venue for consumers to resell unwanted gift cards. However, criminal activity has been identified through sites facilitating such exchanges.

There are both online and in-store venues for reselling gift cards. Kiosks and pawn shops are an option for consumers who prefer to handle a transaction in person. Secondary Gift Card Market websites exist to exclusively buy and sell gift cards.

Some of the various types of gift card scams reported to the IC3 are as follows:

• Victim sells a gift card on an auction site, receives payment for the sale, and sends the PIN associated with the gift card to the buyer, who disputes the charge after using the gift card.
• Victim purchases an item on an auction site and is advised by the seller to purchase gift cards to pay for the transaction. After purchasing thousands of dollars in gift cards, the victim finds out the auction transaction is a scam.
• A Secondary Gift Card Market site agrees to pay a victim for a discounted merchant gift card. The victim sends the code on the gift card, and the payment for the transaction was reversed. Thus, the buyer uses the gift card code to purchase an item and stops payment to the seller.

Consumers should beware of social media postings that appear to offer vouchers or gift cards, especially sites offering deals too good to be true, such as a free $500 gift card. Some fraudulent offers may pose as Holiday promotions or contests. The fraudulent postings often look as if a friend shared the link. Oftentimes, these scams lead to online surveys designed to steal personal information. Never provide your personal information to an unknown party or untrustworthy website.

Tips to Prevent Gift Card Fraud:

Consumers can take several steps to protect themselves when buying and selling gift cards in the Secondary Gift Card Market, as listed below:

• Check Secondary Gift Card Market website reviews and only buy from or sell to reputable dealers.
• Check the gift card balance before and after purchasing the card to verify the correct balance on the card.
• The re-seller of a gift card is responsible for ensuring the correct balance is on the gift card, not the merchant whose name is on the gift card.
• When selling a gift card through an online marketplace, do not provide the buyer with the card’s PIN until the transaction is complete. Online purchases can be made using the PIN without having the physical card.
• When purchasing gift cards online, be leery of auction sites selling gift cards at a discount or in bulk.
• When purchasing gift cards in a store, examine the protective scratch-off area on the back of the card for any evidence of tampering.

If you believe you have been a victim of a gift card scam, you may file a complaint, providing all relevant information, with the IC3 at www.IC3.gov.

Found at http://www.ic3.gov/media/2015/150611.aspx 

6/8/15
Section 8 Scammers Cheat People Seeking Housing

If you’re looking for Section 8 housing assistance, here’s something you need to know: scammers have made websites that look like registration sites for Section 8 waiting list lotteries. If you pay a fee or give your personal information, the scammers will take it. And you still won’t be on a real Section 8 waiting list. In fact, there is no fee to register for a Section 8 waiting list.

If you search online for the Section 8 voucher waiting list, the top search results often are bogus sites. The sites look very real: their names may say “Section 8,” an