Posts

  • The Identity Theft Resource Center (ITRC) teams have seen an uptick in subscription renewal scams as a way of stealing your identity. Criminals send emails about auto-renewals for subscriptions in hopes you will click on a malicious link.
  • Identity criminals are after your personal information so they can use it to commit different forms of identity theft and identity fraud.
  • To avoid a subscription renewal scam, ignore any messages about auto-renewals claiming to be from a company where you don’t have a subscription. If it appears to be from a company where you do have a subscription, check the sender’s email address to ensure it’s from the correct company.
  • Don’t click on any links until you confirm the email is legitimate. If the email is a spoof, report it as spam, block the sender and delete the email.
  • To learn more, or if you believe you have received subscription renewal scams, contact the ITRC. Call toll-free by phone (888.400.5530) or live-chat at www.idtheftcenter.org to speak with an expert advisor.

Subscription renewal scams aren’t new. However, ITRC team members have seen a rise in the number of phishing emails claiming it’s time to renew an annual subscription. The phishing attempt pictured below is a subscription renewal scam one ITRC team member received, claiming to be from Geek Squad.

Scammers use emails like these to get you to click on a malicious link and steal your personal information so they can commit identity crimes with it. Many subscription renewal scams look legitimate. It is important you know how to spot one and the steps to stay safe so your sensitive information isn’t compromised.

Who are the Targets?

Text and email users

What is the Scam?

Criminals pose as a recognized company and send texts and emails to people informing them that their annual subscription has been renewed. The phishing emails go on to ask people to click on a link to review the summary details of their renewal. However, the link is malicious and either installs malware on your computer, steals your personal information or takes you to a fake website.

What They Want

Cybercriminals want you to respond to the subscription renewal scams or click on the malicious link in the message so they can steal your personal information. Identity criminals may proceed to use your information to commit an array of identity crimes.

How to Avoid Being Scammed

  • If you receive a text or email about a subscription renewal from a company you do not have a subscription with, ignore it. Don’t click on any links because they could contain malware. If you receive emails you are not expecting, go directly back to the source to see if the message is real.
  • Check the email sender’s address to make sure it is legitimate if you get an email from a company about a subscription renewal with which you have a subscription. If you are still unsure, reach out to the company directly to confirm the validity of the message.
  • If you know the email is a subscription renewal scam, report it as spam, block the sender and delete the email.

Contact the ITRC toll-free by calling 888.400.5530 or using the live-chat function at www.idtheftcenter.org if you’ve received any subscription renewal scams. ITRC expert advisors will help you create a resolution plan with the steps you need to take.

  • Criminals claiming to be with the Internal Revenue Service (IRS) are targeting people with emails as taxpayers continue to receive the third round of Economic Impact Payments (EIP) that began in March 2021.
  • Identity criminals send messages claiming you can receive an EIP Payment. They say the IRS is sending payments each week to qualified individuals as they continue to process tax returns.
  • However, messages like these are IRS scams seeking your personal and financial information to commit identity theft and fraud.
  • The IRS will never email, text, call or send a message on social media to anyone. If you receive a message claiming to be from the IRS, ignore it. You are also encouraged to forward it to the IRS at phishing@irs.gov and note that it seems to be a phishing scam seeking your personal information.
  • To learn more, or if you believe you have received IRS scams by email, contact the Identity Theft Resource Center (ITRC) toll-free by phone (888.400.5530) or live-chat at www.idtheftcenter.org to speak with an expert advisor.

The third round of Economic Impact Payments (EIP) from the Internal Revenue Service (IRS) began to go out in March 2021. However, the Identity Theft Resource Center (ITRC) continues to receive messages about IRS scams by email, like the one below.

According to an official IRS notice, the Service is still sending EIP Payments weekly as 2020 tax returns are processed. Criminals have been striking with scams since the first stimulus package was passed in 2020. While many EIP Payments have been received, you should beware of scams asking for payment to receive compensation and remember that the IRS will never call, message or email anyone.

Who are the Targets?

U.S. Taxpayers

What is the Scam?

In the latest IRS scams by email, identity criminals send emails to inboxes claiming that they are eligible to receive a payment after the last annual calculation of their “fiscal activity.” The email goes on to say that each week the IRS will continue to send the third EIP Payments to eligible individuals as they process tax returns. The phishing emails also include a button to “claim my payment.”

What They Want

Scammers want you to either respond or click on a malicious link so they can steal your personal and financial information to commit different forms of identity crimes, including financial identity theft.

How to Avoid Being Scammed

  • Ignore emails, texts or social media messages claiming to be from the IRS. Do not respond to the messages or click on any links or attachments because they could be malicious. Acting on the IRS scams by email, text or social media could lead to having your information stolen. The IRS will not email or message anyone. Do not share any personal information, including credit card and bank account numbers, except on the official www.IRS.gov website or the representative you contacted by calling the IRS.
  • Ignore calls claiming to be from the IRS. While IRS scams by email continue to circulate, identity criminals could call you, too. If you receive an unsolicited call claiming to be from the IRS, ignore it. The IRS will not call anyone unsolicited, either.
  • Send phishing emails to the IRS. The IRS asks anyone who receives a phony email to forward it to phishing@irs.gov and note that it seems to be a phishing scam seeking your information.
  • Report the identity crime. You can report any identity fraud to the Federal Trade Commission (FTC) by visiting www.IdentityTheft.gov.

If you have received IRS scams by email, text message, social media or by phone, you can also contact the ITRC toll-free by calling 888.400.5530 or using the live-chat function at www.idtheftcenter.org. ITRC expert advisors will help you create a resolution plan with the steps you need to take.

  • Advanced child tax credit payments are being sent by the Internal Revenue Service (IRS) as part of the American Rescue Plan. However, scammers may try to take advantage of the funds with child tax credit scams.
  • The IRS will not call, text, email or message you about a child tax credit. If you receive an unsolicited message, it is a scam.
  • To avoid a child text credit scam, do not respond to any unsolicited messages or click on any unknown links or attachments. Also, report the fraudulent activity to the Federal Trade Commission (FTC) by emailing reportfraud@ftc.gov and the IRS by calling 800.829.4933.
  • For more information on the child tax credit, who is eligible, how to submit your information and more, click here.
  • If you believe you are the victim of a child tax credit scam or another form of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

The Internal Revenue Service (IRS) has sent approximately $15 billion to around 35 million families eligible for the advanced child tax credit. With the process underway, parents should look out for child tax credit scams. No eligible taxpayer has to do anything to receive the money, but criminals may try to say otherwise.

What You Need to Know About the Advanced Child Tax Credit

The advanced child tax credit was included in the American Rescue Plan, and it provides $250 to $300 per month per child to most families from July through December 2021. The IRS is paying half the total credit amount in advance monthly payments. The payments will come via direct deposit, paper check or debit card (more than 85 percent of the funds have been sent by direct deposit). Parents will claim the other half when they file their 2021 income tax return.

The IRS urges taxpayers who usually aren’t required to file federal income tax returns to file a return if they are eligible for Economic Impact Payments or advance payments of the Child Tax Credit. Learn more from the IRS about the advanced child tax credit, who is eligible, how to submit your information and much more.

Child Tax Credit Scams

Criminals are aware of the payments and will likely launch child tax credit scams. Criminals may impersonate IRS representatives just to steal your personally identifiable information (PII) like a Social Security number or bank account information. PII can be used to pose as you on the IRS website and reroute your money to the cybercriminals.  

The ITRC’s CEO Eva Velasquez recently told NerdWallet: “Do not rely on incoming communications. If you didn’t initiate the contact, don’t engage. Caller I.D. cannot be trusted; even if a government agency’s name is listed, thieves may have originated the call and spoofed the caller I.D. display.”

What Should You Do?

The IRS says parents do not have to take any action to receive the advanced child tax credit funds. If you want to opt-out of the IRS payments or change your information, you can do that at www.irs.gov. Here are other tips on how to avoid an advanced child tax credit scam:

  • Don’t respond to solicited communication. The IRS will not call, text, email or message you. If you receive a message claiming to be from the IRS, ignore it. The IRS will mail you anything that is legitimate, and there are ways you can make sure it is from the Service.
  • Don’t click on any unknown links. If you receive a message claiming to be from the IRS, it is important not to click on any links or attachments because they could be malicious and used to steal your personal information. They could also lead you to a fraudulent website that asks you to input sensitive PII.
  • Know who is supposed to receive the check. If you share custody of a child, make sure you know who is supposed to receive the check because sometimes a “missing” check has actually been delivered.
  • Report child tax credit scams and fraud. If someone tries to take advantage of you with a child tax credit scam, you can report it to the Federal Trade Commission (FTC) by emailing reportfraud@ftc.gov. If you believe someone stole the check from your mailbox, contact the IRS (800.829.4933) because they can trace the check and replace the money.
  • Track your check. If it is mailed to you, go to www.USPS.com and sign up for Informed Delivery, which emails you photos of your mail before it is delivered. When your check is expected, pick up your mail or have someone do it for you as quickly as possible to avoid a repeat of earlier problems with government check deliveries.

Contact the ITRC

For more information on child tax credit payments, or if you believe you were the victim of a child tax credit scam, contact us. You can speak with an expert advisor at no cost by phone (888.400.5530) or live-chat on the company website. Just visit www.idtheftcenter.org to get started.

  • When doing your spring cleaning, consider making a digital spring-cleaning checklist. It is more important than ever in today’s digital-first society.
  • Digital spring-cleaning tips include backing up your information, deleting unused apps, reviewing all of your passwords (and making changes if needed), and checking your social media privacy settings.
  • It is also a good idea to delete or archive old emails, especially with sensitive information.
  • If you would like to learn more or believe you are a victim of identity theft, contact the Identity Theft Resource Center. You can check out our latest resources or speak to an expert advisor toll-free by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

Everyone looks forward to the spring! The weather changes, the flowers and landscape start to bloom, and people clean out clutter they don’t need before the summer arrives. While spring cleaning may make you feel good and productive, it is also a great way to minimize the risk of identity theft. With the move to a digital-first society, digital spring cleaning and having a digital spring-cleaning checklist is more important than ever. A few basic digital spring-cleaning steps could help keep one’s identity information out of a criminal’s hands.

Before You Begin

There are digital spring-cleaning steps to take before you have to deal with clutter. One possible vulnerability is your email inbox. Adopt the habit of not just deleting unwanted emails, but actively unsubscribing from them. To do that, open the email, scroll down and click “unsubscribe.” Do not follow these steps for emails that appear to be scam attempts. If you click on a malicious link, it can redirect you to harmful websites or install malicious software on your computer. Instead, you should avoid links or attachments in unsolicited messages and block the sender.

One other thing you can do is update your contact information. Review all of your contact information to ensure it is up-to-date and you are not missing any essential information. Once you take these steps, you can begin on your digital spring-cleaning checklist.

Digital Spring-Cleaning Checklist

Your digital identity becomes more important every day as the world moves to a digital-first model. However, the same principles behind decluttering your physical world can help you in the virtual space. Here are some digital spring-cleaning checklist tips to digitally declutter:

  1. Backup your information– No matter how safe and secure you are, you might need to recover old data in the future. Creating automatic backups is a good idea. Consider investing in an external hard drive or cloud-based storage subscription to store and protect the things you want to keep.
  2. Delete unused programs and apps– Take a look at all of the apps on your devices and figure out which ones you are not using. Delete unused apps or programs on the devices. This step is a good idea because some apps require large amounts of storage, can slow the device down, and most importantly, can introduce new vulnerabilities. The fewer apps and programs you have, the more secure your device and personal information will be.
  3. Review your passwords– Check the passwords for all of your accounts to ensure there are no duplicates (especially between work accounts and personal accounts). Also, make sure you use a strong and unique 12+ character passphrase for each account. They are easier to remember and harder to crack. If you cannot remember all of your passwords, consider investing in a password manager to store all of your passwords. Finally, if possible, enable multifactor authentication (MFA) on all of your accounts. The app version is better than the SMS version because scammers can create fake MFA SMS text messages.
  4. Update all of your apps and settings– When going through your digital spring-cleaning checklist, it is important to keep apps, programs and devices up-to-date on all software. The device will run faster, and it will lead to increased privacy, which will make it more difficult for someone to hack into them. It is also a good idea to enable automatic updates when possible.
  5. Look at the permissions you allow– Pay attention to the permissions you allow the mobile apps on your device because third-parties could be tracking information about you that you might not realize. If they aren’t actively using the collected data, they may still be storing it, leaving your personal information vulnerable to cyberattacks should the third-party fall victim to a data compromise.
  6. Review plugins and add-ons in your browser- Review the permission settings of the plugins and add-ons to make sure you are not sharing too much information. If you are not using a particular plugin or add-on anymore, delete it.
  7. Review your social media privacy settings– Check your privacy settings on all of your social media accounts to ensure you are not oversharing information with people you do not know. If criminals get a hold of enough information about you, your family and your friends, they can connect enough dots to commit scams based around social engineering.
  8. Clean out your email– Get rid of any unnecessary emails in your inbox, especially emails that contain personal information.

Other Digital Spring-Cleaning Tips

There are a few more spring-cleaning tips for people to follow:

  • While doing your spring cleaning, if there are important documents you might need later, you can photograph or scan them, and then store the originals in a secure space like a safe or bank safety deposit box.  
  • While you’re cleaning your email inbox, take a moment to destroy any paper documents you no longer need, especially those records with personal information.
  • It is also a good idea to organize your digital files. While it is time-consuming, it will make more space available for the most important things that need to be stored on your devices.

Contact the ITRC

If you have more questions about digital spring cleaning, a digital spring-cleaning checklist, or if you believe you are a victim of identity theft, contact us. You can chat with an expert advisor toll-free by phone (888.400.5530) or live-chat. You can also check out our latest resources. Just go to www.idtheftcenter.org to get started.

CashApp scams have seen an uptick since COVID-19 began impacting the United States. In April, we wrote about scammers out in full force trying to get consumers to fall for CashApp scams by clicking on fraudulent and malicious links that could steal people’s money and identity, taking advantage of the economic hardships. Now, the Identity Theft Resource Center (ITRC) is receiving multiple calls and live-chats about a twist on the CashApp scam: a CashApp customer support scam.

Who Is Targeted

CashApp users

What It Is

A CashApp customer support scam where scammers act as CashApp customer support on a hotline to gain access to users CashApp accounts or ask users to download software to allow remote access to their mobile device.

What They Are After

Scammers are after money and personal information using a fake customer support hotline. In one CashApp scam case reported to the ITRC, a scammer stole all of the victim’s money and changed their username and password. In another case, a scammer was able to get a hold of the victim’s bank account number and access the victim’s bank account.

How You Can Avoid It

  • As of right now, CashApp only offers customer service via email or through the app, not by telephone. Reach out to customer support directly through the company’s website or app.
  • Never give out personal information over the phone if you do not know who is on the other end.
  • Do not download software to allow third parties to have access to any of your mobile devices.
  • Only use CashApp to transfer money to people you know.
  • Add additional security measures, including multi-factor authentication.

If you think you may have fallen victim to a CashApp customer support scam, you can call the ITRC toll-free at 888.400.5530. You can also live-chat with an expert advisor on the company website.


Read more of our latest blogs below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

Cense.Ai, Freepik and ArbiterSports Headline Recent Data Breaches

  • Credential theft is when fake webpages are created that look real for the sole purpose of stealing logins and passwords to access legitimate accounts.
  • The top targeted companies for phishing scams from credential theft include Paypal with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook 7,500 fake pages.
  • To prevent falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, double-check the email address of the sender, and change their password if they believe they used a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. Credential stuffing is a type of cyber attack where stolen credentials, like usernames and passwords, are used to gain access to other accounts that share the same credentials. There is another term not heard as much, but just as prevalent: credential theft.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about creating fake websites that look real for the sole purpose of stealing logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake website login pages that are used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must have credentials. Where do data thieves get the logins and passwords needed to fuel these attacks? The most obvious way is through data breaches everyone has seen over the years, where millions of credentials are stolen in a mass attack. However, there are less obvious ways, too. One of those less obvious ways is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage; fake login pages that look like they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages from more than 200 recognizable brands with a high volume of web traffic.  

These fake login pages are used in phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the login page is fake, leading unsuspecting victims to enter their real login and passwords into a fake webpage. That is all it takes for data thieves to have actual credentials from live accounts. They do not even have to buy or steal any data.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek and shut-down these and other kinds of fake webpages, websites, social media accounts and text messages that are used to collect personal information from their legitimate customers and prospects. However, research shows that credential theft is easy for a couple of reasons. The first is because malicious phishing emails that deliver fake login pages can easily bypass cybersecurity tools and spam filters just by making small changes in the email.

Inattentional Blindness

The second reason is because of inattentional blindness; when something looks so familiar or causes you to focus so intently that you don’t see the apparent errors hiding in plain sight. An example of inattentional blindness comes from a study where people were told to watch a video to count the number of people wearing white jerseys as they passed a ball. More than 50 percent of people taking the test missed the fact that one of the players was wearing a gorilla suit.

How Inattentional Blindness Applies to Identity Theft

Credential theft attacks translate into the inability to spot the tell-tale signs of a phishing scheme, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, navigate directly to the website or webpage you are trying to reach instead of using a link.

2. If the link arrives in an email, double-check the address of the sender. An email address can be masked to make it look legitimate in the sender line. However, if you click on the sender’s name to see the actual address, you may find the email from mybank.com is actually from bob@scams-r-us. Get into the habit of checking email addresses.

3. If you believe you used a fake login page, change your passwords and alert the security team at the company whose login page has been spoofed as soon as possible. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters. It will take an automated hacker tool 300 years to break that passphrase, as well as be easier to remember.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Read more of our latest breaches below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

Cense.Ai, Freepik and ArbiterSports Headline Recent Data Breaches

Phishing attacks are nothing new. However, with scammers increasingly using sophisticated and new methods of harming recipients that experts are not as familiar with, being able to identify a phishing attack has never been more important. They can arrive as emails, texts, social media messages, phone calls or links to websites which appear to come from someone the victim knows or a legitimate business. It might look like a boss or co-worker, someone in an email contact list, a bank or a consumer’s favorite retailer.

Trusted brands are used to provide an air of credibility for scammers, who capitalize on the good reputation and relationships these brands have built. Some brands that have been used in phishing attacks to target consumers include Wells Fargo, Zoom, American Express, Apple and Microsoft. The companies being used are not involved in these scams; in many ways, they are victims of the scammer as much as the targeted consumer.

Every phishing attack has a different goal, depending on what kind of ruse they are using. Some use links or attachments to insert malicious code on the user’s device so they can collect more information. Others attempt to steal people’s personal and business usernames or passwords,  and others still try to get someone to click on a well-disguised link so they can divert them to a place where the user enters even more information that the fraudster will use to his or her benefit. While phishing attacks have different objectives, the attackers’ primary goal is to steal the information needed to scam individuals and businesses.

Fortunately, the age-old advice about avoiding a phishing attack still holds true. These are some things people should keep in mind when trying to identify a phishing attack.

Check the email address and URL to make sure it is not fake

Check unexpected inbound messages very carefully, paying special attention to the sender’s email or website address included in the message; they might notice something strange. If it says “Amaz0n.com,” for example, it is fake. If the website link is Citibank.card.shop.com (as an example), instead of the company’s actual web address, again, it is probably fake. Always go back to the source of the email (or in this case, the company that is being represented) and check for alerts about potential scams of which they are already aware. Many times, the company is aware and has posted information about the scam.

Received an unexpected email, text, social media message or phone call with a link or an attachment?  Consumers should reach out directly to the purported “source” of the communication to verify the validity of the message before clicking on a link or opening an attachment (as mentioned above). Clicking on a malicious link or opening a bogus attachment could lead to someone’s personal information being stolen or infect the device with malware.

Check the message for grammatical errors and awkward phrasing

Read unexpected messages carefully and with a critical eye. Grammatical errors and awkward language are two quick indicators that the email isn’t sent by the company indicated. In trying to identify a phishing attack, customers should remember that companies do not send out emails or other messages with glaring errors – in most cases, large, reputable companies have teams checking their communications for just those types of issues. Smaller businesses may have a looser communication style, but loyal customers will know if something is “off.”  If someone sees any strange mistakes, that is probably a sign it is a fake. In fact, sometimes spelling mistakes are intentional so that only more gullible recipients will interact.

Never trust the caller ID

Do not go by what the caller ID may say. It is easy for a scammer to change the phone number or screen name to say anything, like “IRS” or “County Sheriff’s Department.” If someone calls with an attempt to verify identity information or demands for some kind of payment, consumers should hang up immediately and initiate contact with the company directly using a verified phone number from a trusted source. Here’s a tip: people should put numbers in their contact list for companies that are used regularly – but name them something only they would identify. For example, list the bank as “Bank on 4th & Main St.” instead of by the bank’s name. That way, if there’s an inbound call from the number, the person receiving the call will know they can trust it.

Remember that in many cases, fraudsters are using websites that look like the companies they are pretending to be. A web search could also bring someone to a potential fraudulent site. People should always treat the search results with the same critical eye as they would these other steps.

Phishing attacks can be confusing because of how close to real they can look or sound. Scam websites, emails, phone calls and text messages that mimic trusted brands will continue. However, by implementing these tips to identify a phishing attack, it will help reduce the risk of falling for a phishing attack.

Anyone with additional questions about phishing attacks, or believes they have been a victim of one, can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with an expert advisor. They can also use the live-chat feature on the website to get the help they need.


People are spending more time on their phones, tablets and computers now than ever, making the importance of cyber-hygiene tips as paramount as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

This is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

For anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.


Read more of our related articles below

The Unconventional 2020 Data Breach Trends Continue

School District Data Breaches Continue to be a Playground for Hackers

Is This an Amazon Brushing Scam?

A recent Google Alert scam has caught the attention of many. Google Alerts recently caught fraudsters trying to push fake data breach notifications for big-name companies in an effort to distribute malware and damage people’s computer networks. According to Bleeping Computer, fraudsters have been mixing black-hat SEO, Google sites and spam pages to direct users to dangerous locations based on data breach information.

Google Alerts is designed to send notifications to people who sign up for specific keywords monitoring and provide search results. As part of this Google Alert scam, fraudsters were able to create pages and use compromising websites to combine “data breach” with well-known brands. Bleeping Computer reports that some of those well-known brands include Chegg, Canva, EA, Dropbox, Hulu, Shein, Ceridian, PayPalTarget, Hautelook, Mojang, InterContinental Hotel Group and Houzz.

In the Google Alerts, fraudsters offer giveaways and download offers, which leads to the dangerous malware. The threat actors are also believed to have used the Google Sites tool to build webpages to host their content. Bleeping Computer says they found that the scammers were pushing unwanted search-related extensions. As part of the Google Alert scam, malicious links were also believed to be sent to people with an iPhone 11 device for a fake giveaway. It claimed to be set up by Google as part of a “Membership Rewards Program” and the offer said the gift was “exclusively and only for Verizon Fios users.” Users had to fill out a survey, allowing scammers to get their money. Browser extension scams can pose a risk to browsing privacy because malware can be used as part of this method.

Consumers who use Google Alerts should be aware of this particular scam; going directly to the source (the purported breached entity) instead of clicking on an unknown link. The Identity Theft Resource Center has been tracking publicly-notified data breaches since 2005 and has the most comprehensive and the most readily available data breach information for publicly-notified breaches. For any consumer that wants to fact check about the latest information regarding a publicly reported breach is encouraged to access our resources to confirm any new circumstances. Consumers can sign up for the monthly data breach newsletter, as well as view monthly and yearly data breach reports. They can also receive a “risk score” on what their true concerns should be by visiting Breach Clarity and entering the particular breach on which they would like information. Anyone who believes they might have fallen victim to a Google Alert scam can live-chat with an ITRC expert advisor, or can call toll-free at 888.400.5530. They can also download the free ID Theft Help App. The app will provide consumers and victims access to advisors, resources, a case log to track their steps and much more.


You might also like…

YEARS OF FORMJACKING LEADS TO BOMBAS DATA BREACH

WATCH OUT FOR 2020 SUMMER SCAMS

CREDIT REPORTING AGENCIES ANNOUNCE FREE CREDIT REPORTS EVERY WEEK THROUGH 2021