Tips and Information About Identity Theft and Online Security

The Key Tip About Phishing Much of the following information concerns Phishing with information on how to spot fraudulent e-mails and websites. They can be very difficult to identify. You really need to know only one thing to spot a phishing scam: If you ever receive an unsolicited e-mail that asks you to reveal personal information, it is a fraud. It’s as simple as that.

Identity Theft
Identity Theft has become a major problem for consumers, and especially so in activity involving electronic communications and online activity. “Identity Theft” is a broad term to describe various means by which criminals are able to obtain personal and financial information about people. This information can then be used for fraud activity by stealing from a person’s account, counterfeiting credit cards, or establishing credit using the victim’s identity.

The theft of personal information may include Social Security Numbers (SSN), bank account or credit card account numbers, user names and passwords used in electronic activity, and other types of personal information, all of which can be used for fraudulent activity.

The authoritative source of information about Identity Theft is the Federal Trade Commission, which has a website specifically for consumer information about Identity Theft. This is a place to see the latest available information and more detail about ID theft, prevention and what to do if you are a victim:

Federal Trade Commission: Identity Theft

Common Methods of Identity Theft
There are many means by which criminals attempt to steal identifying information.

Paper and Card Theft: It isn’t all electronic. There are still the old methods such as stealing a purse or billfold or “dumpster diving” to look through trash for copies of account statements and other paper information.

Skimming: The use of hand-held devices to capture the magnetic information strip from a credit or debit card. This is most often done at a point of purchase where a person gives a credit card to a clerk or waiter. The information may be used to make counterfeit credit cards.

Insider Theft: Identity Theft often is the result of someone inside an organization (an employee) stealing and selling customer information. Consumers have no way of protecting themselves from insider theft.

Phishing: This has become perhaps the most widespread method of Identity Theft today. It usually involves fraudulent e-mails and bogus websites that trick people into revealing personal and account information. More on this follows.

Pretexting: This is an attempt by telephone contact to trick people into providing personal and account information. It may involve calls to financial institutions or to individuals from a criminal pretending to be from an institution and using all sorts of explanations for why the information is needed.

Pharming: This is a much more sophisticated activity in which a criminal hacks into the computer system of a business and redirects links on the company’s website, such as a bank’s link to its home banking service. It is less prevalent than other forms because of the sophistication that is required, but is growing.

Spyware: This involves the introduction of a virus or other software onto an individual’s computer that allows a criminal to capture keystrokes such as user name and password when logging onto an online account, or credit card information when making an online purchase. This can occur by following links contained in a fraudulent e-mail.

These are the most common methods that criminals are using today to steal identity. They can take many forms beyond those described here and enterprising criminals are always working on new methods of theft.

More About Phishing
Phishing is the most widespread and fastest growing method of stealing information electronically. In its most common form phishing involves fraudulent e-mails and bogus websites.

The best way to protect against phishing is to be skeptical. If you ever receive an e-mail requesting personal information, including a link to a website where you are asked to update account information, assume it is a fraud. Legitimate financial institutions and other businesses will not send such e-mails.

Fraudulent E-Mails: The starting point in most phishing scams is with a fraudulent e-mail. The e-mail assumes the identity of a financial institution or other business, usually including the company’s logo.

These e-mails are sent in mass and normally use the identity of institutions and companies with a large customer base. The major banks are common targets along with such businesses as e-Bay and Paypal. The criminals know that some percentage of the recipients will have an account. That said, there is an increasing amount of phishing activity that is also targeting smaller more regional and even local financial institutions.

The e-mail typically describes a problem with the account and that it will be deactivated unless updated information is provided. It is an attempt to startle people into providing an immediate response. Less often, the e-mail may describe a new service or some opportunity. The e-mail includes a link to a website on which to update personal and account information.

The e-mail will have a sender’s address that, at first glance, appears to be from the institution or company. The address is similar enough to fool most people.

Following Links: Spyware Risk There is risk in following the link in a phishing e-mail even if you don’t provide any of the information that is requested. Such links can often download spyware or other malicious programs. Spyware may include “key loggers” that will capture keystrokes, such as account numbers and user names and passwords. If you believe an e-mail is fraudulent, delete it and don’t follow any link that is provided in the e-mail.

Bogus Website: By clicking the link in the e-mail the victim will go to a website that has every appearance of being that of the institution or company they do business with. These bogus websites are usually very close copies of the actual website. The URL line (website address) usually appears enough like the company to fool most people.

Once on this bogus website the person is instructed to update their personal and account information: name, address, Social Security Number, account number, drivers license, user name, password, and more.

Spotting a Bogus E-Mail or Website: There are ways to spot these fraudulent e-mails and websites, but it is difficult for the average online user. We’ll say it again. If you receive such and e-mail it is most likely a fraud. Don’t respond.

The E-Mail: Everything about the e-mail can be fabricated to make it look legitimate. This includes a fake sender’s address and logos and other content copied from the actual company. You can’t rely on any of this to suggest that the e-mail is genuine. It can all be bogus.

There will usually be a link contained within the e-mail. It is also a fake. Putting your mouse over the link will show the actual website destination, but even this can be carefully disguised and will fool most people.

The “red flags” are the subject line and message telling you that there is a problem with your account.

• Don’t respond to the e-mail and don’t follow any links.
• Make a phone call to the company or institution.
• If you don’t have a phone number, go to the company or institution website for contact information. Do this entirely apart from the e-mail you have received.

The Website: The website that is linked in the e-mail will look absolutely genuine. It should as it has all been copied from the real one. Don’t let the genuine appearance fool you. In fact, if you follow the first advice about the e-mail, you won’t even be looking at the fake website because you wouldn’t have followed the link. Remember that following links even out of curiosity carries the risk of picking up a virus.

A close look at the website address will often give it away as being a fake. Some are easy to spot while others may be much trickier.

Never rely on the presence of the company or institution name in the web address as meaning it is legitimate. For example, the beginning of the URL will start with www and end with .com, .org., .net or some other domain type. Then it may follow with a slash (/) and go on to include a reference to the institution or company name. Anything following the / is actually only a website page designation, in other words a path within the website. Anyone with a website can give a page any name they want. Seeing the name of the company in the address does not mean it is the company’s website.

In other cases you may see a URL (address) line that begins with a name and .com (or .net, etc) following by other words and then ending with another .com. Only the last .com is actually the URL. Everything before it, including the first .com, is a disguise.

Quite often, the criminal will simply use an IP Address, which is merely a set of numbers representing the code behind what usually appears as a URL name. Somewhere in the address line it will include the name of the company. This is not a very sophisticated approach but works for the criminal. Most people simply don’t pay close enough attention and all they pick up on is the company name.

Sometimes the criminal will link you to the actual website of the company or institution. Then they will lay over the top or have a pop up window that is the information gathering page which has no address identification at all, but is taking you to server of the criminal. These are very tricky.

If you are following a link in an e-mail or on a website, the URL (address) you see may not be the address where you are being taken. Even if the link says “www.companysite.com” this may not be the address behind the link. You can easily test the destination by putting your cursor over the link. A small window will pop up showing you the actual website destination.

Links: Check the Destination Taking that mere second of time to look at the destination before clicking on any link is always a good practice.

These have been a few examples. The methods of disguising fake websites are so numerous and so clever we can’t begin to give examples of everything you might encounter.

The Main Thing to Remember The average person cannot begin to identify all of the methods that are used to disguise phishing scam e-mails and website, but you don’t have to. One more time: If you ever receive an unsolicited e-mail that asks you to reveal personal information, it is a fraud. Don’t do it

Precautions for Online Activity
Many people today use the Internet for various kinds of online financial activity. They may have online access to banking, credit card and other accounts with financial institutions and other businesses. Many also routinely make online purchases with a credit card.

When doing business online be sure that you are doing so on a secure site. A secure site or page within a site means that the information on the site and your logon are encrypted to prevent criminal observation of your activity. Always look for two items when you are on the page for assurance that it is secure.

1. The URL (website address) will begin with “https” as opposed to “http.” The “s” indicates that it is a secure page.
2. A padlock icon will appear on your browser status bar at the lower right portion of your screen. Some criminal attempt to disguise the page by putting a padlock icon on it. The padlock should appear on your browser separately from the website.

Be Sure the Page is Secure Before you provide personal information on any webpage, be sure the page is secure (the data is encrypted). This applies to any information-collecting page even when it is something you are initiating. Look for “https” in the page address line and for the padlock icon in the lower right of your screen

These are some additional tips:

• Look for the presence of the “@” symbol anywhere in the URL, which may indicate a fraudulent site.
• Be suspicious of any information-collecting web page that is an “orphan” page, meaning that you cannot locate a home page for the company or the home page has an “under construction” message.
• Use bookmarks for trusted sites you go to frequently. If you key in an address directly, double check that you have entered the correct address. Criminals may set up fraudulent sites with a similar URL hoping for keying errors.

You may also hear of advice to look at the security certificate of the web page. This indicates that the company has registered the page with a third-party security issuer. When you are on the secure page, right click. Under “properties” you will see an option for “certificates.” This will show you who the certificate is registered to. Unfortunately, for non-technical people this exercise will yield little in the way of useful information. It is mentioned here because this is one type of precaution that may be advised.

Often the name on the security certificate will not match up to the name of the company or institution whose website you are on. This is especially true with smaller companies and institutions that may use a security certificate issued to a third-party service provider such as their data processor or web hosting company. If the name on the security certificate does not match the company or institution name, make a phone call to be sure the page is legitimate.

The secured pages on the Four Points website will show our URL as will the security certificate. If you are an online user of WebAccess, our home banking service, the name you will see on the address and certificate are those of our data processing vendor. It appears as “https//hb2.intech-inc.com.” This is the correct address.

Tips to Avoid Identity Theft
These are some general tips for avoiding Identity Theft.

• Never dispose of anything with sensitive personal information in the regular trash, and certainly not in a public trash container.
• Use a paper shredder to dispose of sensitive paper, such as bank and credit card statements, before putting them in the trash.
• If you receive an e-mail or pop-up message asking for personal or account information, do not reply and do not follow any link contained in the message.
• Never open an e-mail attachment unless you are sure of the sender and what is in the attachment. This is one way viruses can be put on your computer. A safe approach is to delete e-mails from unknown sources without opening them.
• Be sure your computer is equipped with current antivirus software and the latest security patches.
• Set your Internet browser to prompt you if a website tries to install software.
• Avoid sending personal and financial information over the Internet if you are not sure of the website and that the page is secure.
• Avoid sending personal and financial information via e-mail to avoid your information being intercepted by a criminal.

How to Know If You Are a Victim
Unfortunately, there is no good way to find out immediately if you have been the victim of Identity Theft. Usually this comes to light only after your identifying information has been stolen and there has been fraudulent activity.

There are some methods that will allow you to learn of such theft earlier rather than later.

Carefully review your credit card and other account statements immediately upon receiving them. Look for any activity that is not yours. This can give you an alert shortly after the fraudulent activity. However, this will not tell you if someone has used your identity to establish a new credit account.

Review your credit reports regularly. This may show you if anyone has opened up credit using your identification, although it will be some time after it has occurred. You can get one free credit report annually from each of the three major credit bureaus. Go to “annualcreditreport.com.”

The credit bureaus and some other sources offer services that will provide you with more frequent copies of your credit report or alerts about unusual activity in your credit file. There is a fee for these services. For more information you may wish to visit the website of the three major bureaus: Experian, Equifax and Trans Union.

Some major credit card companies offer a service (some free and some with a cost) that allow you to regularly check unbilled activity on your credit card. Go to the website of your card issuer to learn what is available or call the toll-free service number on the back of your card.

What to Do If You Become a Victim
If you should become the victim of Identity Theft you may have some real work cut out for you to get things cleared up. To put it bluntly, it can be a horrible mess.

There are four primary steps that you should take initially. Each may be quite involved. We mention them briefly, but for detail and other advice we refer you to the Federal Trade Commission. Various sections of the FTC website will provide the information you need to get started.

1. Place a fraud alert on your credit reports and obtain a copy of your credit report. Contact any one of three major bureaus, which will share this report with the other two bureaus. The FTC website will tell you how to do this.
2. Contact the institution or company for any account that you find has been comprised. Close the account.
3. File a report with your local police department or the police in the community where the identity theft took place.
4. File a complaint with the Federal Trade Commission. Information on how to do this is on the FTC website.

Contacts for the three major credit bureaus are:

• Experian: 1-888-397-3742; www.experiancom
• Equifax: 1-800-525-6285; www.equifax.com
• Trans Union: 1-800-680-7289; www.transunion.com