In this issue:
- Your retirement account: the latest goldmine for scammers
- Savvy Cybersecurity quick links
- Emerging threat: USPS Informed Delivery
- Cybersecurity shorts
- Software updates
Your retirement account: the latest goldmine for scammers
Steven Voss, a Utah-based CSX engineer was nearing retirement and decided to check on his 401(k) account. He was shocked when he logged in and his account balance was zero, according to the Atlanta-Journal Constitution. Voss had moved most of his money out of the Prudential Financial account a few months earlier but left about $50,000 in there.
According to reports, a scammer called Prudential Financial and pretended to be Voss. He provided his name, address, date of birth, and Social Security number and was able to cash out the 401(k). Prudential Financial had planned on sending the check to Voss's home address but the caller asked that it be delivered to a UPS store instead.
Luckily, Voss discovered the missing money before the thieves picked up the check and the police were able to catch them. The two men responsible had a check for $85,000 on them from another 401(k) they stole from. Fortunately, Voss was able to get the missing money back and successfully retire.
The 401(k) scam is a growing cybersecurity threat we all face. The ease of being able to track our retirement accounts online also makes them more vulnerable, says CEO of iboss Network Security, Paul Martini. While 401(k) theft stats are unknown at this point, financial firms are investing in technology to protect these accounts.
As Steve Voss's case exemplifies, little personal information is needed to execute the theft. Countless data breaches have exposed our data such as Social Security numbers and birthdates. Home addresses are often easily found on the Internet.
And 401(k) accounts are valuable targets for hackers because people don't check their accounts as often as a bank account—the theft can go unnoticed for a long period of time. Most banks offer insurance to cover stolen funds and the FDIC does as well, but only up to $250,000. The process can be time-consuming and stressful.
Unfortunately, no fool-proof solution exists to protect you from this type of crime. Here are some prevention methods that can help you keep your accounts safe:
- Protect your account with a unique username and password.
Your 401(k) online account should be one of the toughest to get into. Use a username that you do not use for other accounts as well as a unique password. If you have your secret email address set up, use this to get communications regarding your 401(k) account. If hackers can get into your main email address, they may be able to intercept communications regarding your 401(k).
- Enable two-factor authentication on your account.
If your 401(k) provider allows it, set up two-factor authentication to protect your account. This technology will require you to enter a one-time code that is sent to your phone whenever you log in. This will help protect your account even if a hacker guesses your password. If your account provider does not offer this protection, ask them to consider enabling the technology.
- Only check your account on a secure, private network.
Refrain from logging into your 401(k) account when connected to an unsecure, public wireless Internet connection. Hackers can easily gain access to these networks and spy on your activities and steal login credentials. Instead, only log into your 401(k) when you are connected to a private network such as your home wireless network.
- Check your account regularly.
Lastly, be sure to check your account regularly. The earlier you catch the fraud; the better off you will be in the fight to get your money back. Make it a habit to check your account once a month to monitor activity. If you see anything strange, be sure to contact your account provider.
This 401(k) theft is a scary cybersecurity threat that is growing in popularity. Being vigilant is the best way to protect your account at this point. We will continue to update you on this growing trend as time goes on.
Emerging Threat: USPS Informed Delivery
U.S. Postal Service's Informed Delivery feature has led to fraud says security expert, Brian Krebs. The service, launched last year, allows residents to see scanned images of their incoming mail. The Secret Service is now warning that scammers are signing people up for Informed Delivery and directing the photos to their own email. In many cases, these scammers will sign up for credit cards in the resident's name and then steal the card from the mailbox by monitoring Informed Delivery. A Florida woman received a bill for $2,000 on a card she had never seen and was then notified that she had signed up for Informed Delivery when she never had done so.
Freezing your credit should thwart this fraud as the USPS asks knowledge-based questions through Experian. Those who have frozen their credit report are still able to sign up for the service, however. Even if you sign up for Informed Delivery in your own name and address, a thief could still create a new account with your information. You can try to opt out of eligibility by emailing informeddelivery@custhelp.com .
Cybersecurity Shorts
New scam combines phishing and cardless ATMs.Security expert, Brian Krebs reported on a new trend this month taking advantage of cardless ATM technology. Many banks are now offering ATM transactions where customers can use their mobile device in place of their ATM card to withdrawal money. Scammers, however, are now sending phishing messages designed to collect online bank account credentials from customers. Often, the messages will tell customers their accounts are locked and will have them sign in the "unlock" the accounts. The phishers can then use these credentials to withdrawal money from these cardless ATMs.
IRS audit reveals the agency failed to track 11,000 compromised Social Security numbers during tax time. The audit, completed by the Treasury's inspector general, found that the IRS failed to add new stolen Social Security numbers to a watch list, which resulted in at least 79 cases of tax fraud. In addition, the agency did not review over 15,000 taxpayer IDs designed to help prevent fraud.
Equifax extends free credit monitoring from massive breach by offering Experian service. Many were shocked as the credit bureau chose one of its top competitors for the job. Security writer, Brian Krebs also notes that Equifax will be sharing your information with Experian for the monitoring service. Those who were enrolled in the free one-year credit monitoring will be automatically signed up for the extension if they do not opt out. If you truly want to protect your credit, sign up for a credit freeze which is now free in all 50 states.
'Tis the season for holiday scams. As you shop for holiday presents this year, be mindful of popular scams that pop up during the season. For example, before purchasing items online be sure that the website is correct and secure. You can be sure it is secure by looking for the lock symbol and "https" in the URL. Also be on the lookout for phishing messages disguised as fake shipping notifications. You can read more about holiday shopping scams here.
President Trump signed bill rebranding and elevating the Department of Homeland Security's cybersecurity unit. Previously known as "National Protection and Programs Directorate," the "Cybersecurity and Infrastructure Protection Agency" will carry the same stature as the Secret Service and the Federal Emergency Management Agency. The agency's main role is to oversee civilian cybersecurity and secure federal networks from cybersecurity attacks.
Credit card fraud continues to rise despite the rollout of chip-based cardsaccording to a report by Gemini Advisory. The new EMV chips cards were designed to reduce in-person fraud as the chip makes it difficult for card data to be stolen. The study found, however, the fraud is on the rise. This may be due to the fact that many merchants have not upgraded to chip readers. Instead, they ask customers to swipe the card's magnetic strip—much less secure. When given the choice, you should always use the chip reader.
Employees' cybersecurity is getting worse according to a 2018 Market Pulse Survey by SailPoint. The company surveyed 1,600 employees around the world and discovered that three-quarters of employees admit to reusing passwords. In 2014, only slightly more than half of those surveyed said they did so. Younger employees were bigger culprits with nearly 90% saying they reuse passwords. You can read more here.
Say no to the 'Secret Sister' holiday gift exchange! The popular idea making the rounds on Facebook invites women to send one gift valued at $10 to a "secret sister" and claims they will receive six to 36 gifts in exchange. The "exchange" however, is a scam and type of pyramid scheme. If you get invited to this scam, ignore it.
Banks are looking to the DMV for identity verification help. Many big lenders struggle with verifying the identity of potential customers. Because there is no federal ID system in the U.S., banks have to coordinate with state and federal agencies. The DMV, however, is one of the few places that people need to visit in person to verify identity. JPMorgan, Wells Fargo, and Bank of America have launched the Better Identity Coalition to encourage government agencies to help with identity verification. You can read more about the plan here.
Healthcare.gov breach exposed names, dates of birth, address, partial Social Security numbers, income, immigration status, and more of about 75,000 people. The breach allowed inappropriate access to the site's database. Those who were affected will be notified via phone and then letter. Victims will be given information on free credit monitoring services.
The Social Security number system needs a cyber overhaul. Your Social Security number is the key to your identity yet 80% of Social Security numbers are compromised. With over 150 million Americans using an exposed number, lawmakers are on the lookout for a new system. One suggestion is the creation of Social Security SmartCards. These cards would have a chip and would allow numbers to be changed if compromised. This solution, however, would be very expensive. Others recommend using smartphones as a verification process. You can read more about possible solutions here.
Software Updates
Adobe: Adobe released updates for Adobe Reader, Acrobat, and Flash Player this month. The security hole in Adobe Reader and Acrobat could allow hackers to steal your Windows password. You should update all immediately. You can read more about the updates here.
Microsoft: This month Microsoft released updates closing over 60 security vulnerabilities in programs such as Windows, Edge, and Internet Explorer. Some of the updates are considered critical including a zero-day exploit affecting Windows 7. You can read more about the updates here. Your device should prompt you to update automatically.