
Payment apps, like Venmo, Apple Pay, Zelle and even Facebook Messenger, are used by over 90 million Americans, but are they actually secure? This touch-of-a-button technology lets you use actual funds from your bank account or your credit card to send money instantly to friends, family and retailers.

At first glance, some consumers might be a little reluctant to install and use a payment app. After all, anyone who gets a hold of your smartphone could wipe out your bank account, at least in theory. There are safety protocols in place – like two-factor authentication and one-time use PIN numbers – that help make these apps possibly safer than traditional payment methods. A lot of consumers have their smartphone on them at all times and treat it with the utmost care, so having payment information stored on their device might not seem all that farfetched.

Remember, convenience and security come with a price. Scammers have already victimized payment app users in a variety of ways including in-person scams and account takeover. Before using payment applications, it’s important to understand how to protect yourself.

Lending Your Phone

In this era of always-connected activity, everyone has a phone, but there is still the occasional instance when someone might ask to borrow your device. Many of us might not think anything of it, but when you allow access to your device you are opening up the door to your payment apps. Scammers have been known to ask to use strangers’ phones to make a call, but instead open payment apps and send themselves money.

You can avoid this one—and still be a generous person—by always logging out of your payment app when you are not using it. Also, if someone does need to make a call or send a text, dial the number for them before handing over your phone.

Scams

According to Javelin, more than $500 million was lost overall to fraud in 2017 involving a variety of peer-to-peer payments. Remember, all payment options are storing your information and are vulnerable to attacks. One woman had $9,000 debited from her account in increments after a thief gained access to her login. Plus scammers could ask for payments via app to eliminate traceability.

Never send money to individuals you don’t trust or who claim to be a business or government agency; many peer-to-peer transactions are instantaneous and irreversible.

Also, do not accept money from individuals you do not know, as scammers will try to take advantage of you. As described in this article, “If it turns out that there’s a problem, the payment will be reversed, and you’re responsible for that money. If you haven’t used the funds, Venmo will take the money back. If you already spent the money, you’ll need to replace it.”

Enhanced Security

No matter which app you choose, make sure you have enabled all the security features you can. If the app offers one-time PIN numbers or multi-factor authentication, for example, use them. This can keep hackers from accessing your login credentials and stealing your money.

Remember, access to all of your accounts usually starts with your email address or social media accounts. You have to make sure that you are using solid password hygiene on all of your accounts in order to minimize risk of hacking.

With every new type of technology, there are undoubtedly criminals out there who have found some way to take advantage of it. Practice good security protocols that protect your tech tools and be ready to adjust your usage to fit the latest scam reports.

Don’t fall for fake phishing emails or websites asking you to “verify your login.”


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Phishing scams are a low-effort way for scammers to trick consumers into revealing personal information. Communication that appears to come from payment platforms can be convincing, and a fake Stripe email is now making the rounds.

Phishing scams have been around for years, and with the ability to send out millions of phony emails a day, scammers don’t have much legwork to do. All they have to do is send a plausible email, get you to click the link or follow the instructions, and their work is done. One widespread form of attack involves pretending to be a high-profile company like Amazon, PayPal, or your bank in order to trick you into following their instructions and landing in their trap.

The latest front for this type of phishing attack is mobile payment company Stripe. Many small business owners, charities, and everyday consumers rely on Stripe for processing everything from payments to donations to cash from friends or relatives. The “Stripe” email claims that your account has been compromised and any money you are expecting will not be transferred to you; scammers hope to lure you into clicking and entering your info.

See real example sent to an ITRC employee:

An email, typically with the subject line “Stripe: deposit will not be made to your bank account,” has been circulating and frightening the site’s users, so much so that the company issued a scam watch statement. This post tells users what to do if they receive a strange communication that appears to come from the company. For instance, misspellings in the message or uncapitalized use of the company name are some red flags, as is an unknown email address or one that does not include the “stripe.com” domain name. Other telltale signs are listed in the website’s post.
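The two red flags named above, the sender's domain and the uncapitalized company name, can be checked mechanically. The following is an added example, not code from ITRC or Stripe; the function names and both sample messages are constructed for illustration. It shows why "includes stripe.com" has to mean "ends in stripe.com at a label boundary" rather than a substring match.

```python
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "stripe.com"  # the domain named in the post

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header, or '' if unparseable."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def domain_matches(domain, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a genuine subdomain of it.

    A plain substring test would accept 'stripe.com.billing-alerts.example'.
    """
    return domain == trusted or domain.endswith("." + trusted)

# The brand written in lower case as a word, ignoring URLs and e-mail addresses.
LOWERCASE_BRAND = re.compile(r"(?<![\w.@/])stripe(?![\w-]|\.\w)")

def red_flags(from_header, subject, body):
    """Return a list of the post's red flags found in one message."""
    flags = []
    domain = sender_domain(from_header)
    if not domain_matches(domain):
        flags.append("sender domain is not stripe.com: %r" % domain)
    if LOWERCASE_BRAND.search(subject + "\n" + body):
        flags.append("company name written without a capital letter")
    # An empty list is not proof of legitimacy: the From: header can be forged.
    return flags

# Constructed sample messages (not real mail); .example is a reserved TLD.
SUSPICIOUS = {
    "from_header": '"Stripe" <notice@stripe.com.billing-alerts.example>',
    "subject": "Stripe: deposit will not be made to your bank account",
    "body": "Your stripe account has been compromised. Verify your login.",
}
EXPECTED = {
    "from_header": "Stripe <support@stripe.com>",
    "subject": "Your payout summary",
    "body": "Thanks for using Stripe. Sign in at https://stripe.com/ to review.",
}

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("expected", EXPECTED)):
        print(name, red_flags(**msg))
```

A message that raises no flags here can still be fraudulent, so the advice to go directly to the company's website rather than clicking a link still applies.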

There are some steps that tech users can follow to protect themselves from this kind of low-tech crime.

  • Never click a link, open an attachment, or download a file in an email or message unless you were specifically expecting it; even if you think you recognize the sender, it is a good idea to verify it with the sender first.
  • Next, never submit any kind of sensitive information based on a communication about your account. This includes usernames, passwords, account numbers, or any other details. Instead, go directly to the company’s website and log into your account. If there is a problem, it will be visible on the screen.
  • If all else fails, contact the company directly using a verified phone number or email address.


There are two closely related but not interchangeable threats to your identity, and the terms can often get confused. Credential cracking and credential stuffing both involve someone getting their hands on your personal data, especially your usernames and passwords, but how those two things take place is somewhat different.

Credential Cracking

Credential cracking happens when a hacker targets you or your company specifically. They spend a significant amount of time and tech resources on breaking into your accounts by undermining your password defenses. While victims of credential cracking can absolutely be random citizens caught up in a hacker’s trap, the effort behind it often means that the victim was targeted specifically. It might be a business account or a company’s social media accounts, financial accounts, or even the personal finances for someone within a company.

Credential Stuffing

Credential stuffing, on the other hand, usually occurs when a hacker casts a wider net. They either steal a database filled with information, buy it on the Dark Web, or even stumble upon it in an unsecured web-based storage server. Then, they use software that lets them attempt thousands of “matches” at a time, cross-referencing the stolen usernames and passwords that work on one website with many other websites. When they land on a match—meaning the victim’s username and password from PayPal, for example, are the same one they use on Amazon—they can use that information to steal money and even more identifying information.


Who’s Targeted

Another major difference between these two forms of attack is in how the tech-using public can take action. Credential cracking is potentially in your own hands, unless a cybercriminal targets your place of employment; a lot of your preventive strategy will involve practicing good password hygiene. Credential stuffing, on the other hand, is a result of finding a treasure trove of information that someone else did not properly secure. You often have no way of knowing whether or not your information was included in such a database until you receive a notification letter from the company who allowed it to become compromised.

How to Protect Yourself

As always, one of the best defenses against either of these attacks is to use strong, unique, unguessable passwords that you change routinely. Changing your password can actually prevent credential stuffing since your old (and stolen) information would no longer be valid; by keeping your passwords unique—meaning they are valid on one account only—you can also work to avoid credential stuffing since they will not work on any other account.



When news of yet another data breach comes out, the reaction can range from panic to “blah.” At one end of the spectrum, consumers can be left with documented feelings of stress, fear and even paranoia about further attacks to their identity. At the same time, a very real phenomenon known as “data breach fatigue” occurs when there are so many attacks that consumers stop taking them seriously.

Fortunately, a new tool can help consumers make sense of a data breach; while neither overreaction nor inaction is an appropriate response, this tool can help people who are affected by the breach understand their options and take corrective action.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and the actionable steps for consumers.


Unfortunately, far too many consumers do not check up on these kinds of attacks until it is too late. Even then, many victims of data breaches do not follow up on the support that notification letters offer, including things like identity theft protection or credit monitoring.

Breach Clarity lets users type in a general search term for a known breach and see a graphic representation of the threat level based on a number of factors. These include things like understanding whether or not financial information was exposed or if Social Security numbers (or other sensitive PII) were accessed. From there, a one-to-ten risk score is provided so consumers understand just how seriously this could affect them. The Home Depot breach in 2014 only receives a 3 out of 10 because of the nature of the information that was stolen; the 2015 attack on the US government’s Office of Personnel Management was far more serious and received a 10 out of 10 risk score as a result.

Breach Clarity was unveiled at the 2019 KNOW Conference in Las Vegas where it won first place in the third annual Identity Startup Pitch Competition. The criteria for selecting a grand prize winner included factors like the degree to which the entrant meets the customer’s needs and expectations, innovation, originality, and more.



One challenge when it comes to avoiding a scholarship scam or financial aid scam is that there really are some obscure and even bizarre scholarships out there. There’s a scholarship for being left-handed, one for being above average in height or below average in height, one for being a redhead, and so much more. That means it’s easy to accidentally fall into a trap of applying for a scholarship from a company or organization that you’ve never heard of.

Fortunately, avoiding a scholarship scam only takes a little bit of attention and precaution.

Stick to reputable scholarship links

Many colleges and high schools will link to safe, trustworthy sources of financial aid on their websites. Start with your school’s site or your guidance counselor to find these and other sources.

Watch out for emailed offers

Once you begin engaging in activities that can be linked to college life—such as signing up for updates, filling out online applications, even searching for housing or shopping for dorm room essentials—that can trigger scammers who are looking for victims. When your email inbox begins filling up with scholarship offers and even “congratulations, you’ve been awarded a grant!” messages, it can be tempting to open them and click the link but you don’t want to do that. Opening the email and finding out if it’s legitimate is fine, but clicking a link or downloading an application can be dangerous if the sender isn’t genuine and can lead to a malicious virus or another compromise of your data.

There’s no such thing as free money

It might sound like the opposite of a scholarship search, since scholarships are, by nature, free college money, but no one will hunt you down to give you money. Scholarships are funded by many different sources, and they exist to reward hard-working students with the means to afford their tuition. No one sends out emails begging students to take the money, though. Many scholarships involve a rigorous selection process, so any claims that something is free or already yours should be a red flag.

You can’t win if you don’t play

Another important truth about scholarships is you cannot receive one if you don’t apply for it. That means you’ll never receive a scholarship that you didn’t submit your application for. If you are contacted by email, text, social media message, or some other way and told you’ve won a scholarship, make sure it’s one you applied for before you engage with the message. Furthermore, don’t fall for any hidden “fees” like paying $40 to process your new $400 scholarship; you never have to pay money to receive money.

Protect your data

With very few exceptions, you should not have to submit your Social Security number in order to apply for a scholarship. The exception may be scholarships that are awarded directly by your university (and even then, they should already have that information) or government grants and aid. A club, team, community organization, or other company should not need it, so don’t turn it over without investigating why it’s necessary.

It’s hard to believe that someone would stoop so low as to steal from a young college hopeful with a scholarship scam, but it’s true. Safeguard your identifying information and be very careful of what information you share.



No matter where your spring break plans have taken you, it is important to remember that the security practices you use while at home are even more important when you are on the road. Also, those same good habits that protect you while traveling are just as crucial when you are relaxing at home.

Booking Your Trip and Hotel

No matter when you plan to go, finding affordable travel arrangements can be a minefield of potential scams and fraud. Do not be swayed by flashy sidebar ads or “act now” special offers, as these are rarely a good deal and can lead to identity theft. Of course, old-fashioned scams like bait-and-switch schemes in which your condo does not actually exist or your reservation is not real are still a major threat.

Check Your Tech

Your technology can leave you very vulnerable during an out-of-town getaway. From connecting over unsecured public Wi-Fi to having your device stolen and infiltrated, there are a lot of ways that malicious actors can get their hands on your sensitive information. Make sure you turn off the Wi-Fi on your mobile devices when you do not need it, only go online over a secured, password-protected connection, and make sure you have passcode-protected your phone or tablet. When you are not using your important apps like email and social media, it is a good idea to log out of those too.

Bring the Receipts

Make sure you hang onto receipts while you are out of town. First, it will help you stay money-aware and avoid overspending if you keep tabs each day on how much you have spent. More importantly, you will have paper proof to compare to your bank or credit card statement when you get home. If anyone has copied your card and used your information, you will know at a glance.

Activate Alerts from Your Bank

By taking advantage of security tools offered by your financial institution, you can be informed the second any unusual activity occurs with your cards or your account. Card Not Present alerts, for example, will text or email you the moment someone uses your card number online. Some banks will even call if a physical card transaction occurs in a location too far outside your billing zip code. These can help you take immediate action against theft and fraud.

Old School Understanding

Remember, depending on where you travel there are a lot of scams that have been around for decades. You do not want to take extreme action to protect your identity, then fall for something as simple as a common pickpocket. Stay on top of the kinds of threats you are likely to encounter so you can avoid them.

The most important security step you can take happens when you get home. That is the time to post any photos and videos online—not while you are still away—but it is also the time to take inventory of your financial accounts and your identity. It cannot hurt to order one of your three free annual credit reports a few weeks after your trip is over, just to look for suspicious activity. If you begin receiving a higher volume of scam calls and emails, that may also be a sign that something has happened to your security. Check out the available tools to monitor your identity and reach out to the Identity Theft Resource Center for help if necessary.  

