We've been alerted to a scam that's targeting financial institutions across the U.S. While we have no reports of our members being victimized, we urge you to remain vigilant about protecting your personal information. Here's a brief description of what's happening, a technique called "credential stuffing," and what you can do to make sure your accounts remain secure.
Basically, credential stuffing is when bad guys use previously exposed credentials, such as login names and passwords from hacked sites, to script log-in attempts on new sites in the hope that users have re-used the same usernames and passwords elsewhere.
Fortunately, Hanscom FCU requires our members to use two-factor authentication, which means these malicious actors get stopped at the door. Two-factor authentication is a means of confirming your identity with a combination of two different factors, such as something you know, something you have, or something you are. An example of two-factor authentication would be your cellphone (something you have) and a Secure Access Code (something you know).
However, when these criminals figure out they've got a legitimate account on the hook, so to speak, they can contact the account owner and use scam techniques to bypass two-factor authentication to get into the account. They may pose as credit union employees or fraud department personnel to obtain the last bit of information they need to break through that final wall of security.
The fraud works when the bad guys call their target victim using a spoofed phone number that looks like it's coming from the financial institution. They'll pose as an employee and ask the member to confirm suspicious transactions on their account. Since the transactions are fake, it's natural that the member will say they're unfamiliar and may be lured into giving the fraudster their login ID, a Secure Access Code, and debit card/PIN information, which the fraudster can then use to complete a fraudulent withdrawal.
"If you get a call from someone claiming to be from the credit union and they ask you to verify transactions and ask for your PIN or security code, you hang up the phone immediately and call the number on the back of your credit card or on your statement to report the fraud attempt," said Denise Bouchard, Hanscom FCU's assistant vice president and information security officer. "We will never call a member and ask them for their login credentials or a Secure Access Code, ever."
Bouchard urges members to follow these four best practices to keep accounts safe and secure:
1. Make sure your login and password to your Hanscom FCU accounts are unique.
Do not be tempted to reuse a login and password from another account. Because data breaches are so common, it is easy for bad actors to run automated scripts with the exposed logins and passwords to try to crack other sites. If you're currently using a login and password you use elsewhere, change it now. And even if you're not and you notice your login and password aren't that creative, do yourself a favor and spend five minutes making a change.
2. Use complex usernames.
Jason Traugut, Hanscom FCU's senior digital strategy analyst, said that members who have easy-to-guess usernames may be vulnerable to this scam. "They may be using an email address or just their first and last names," he said. "This is just too easy for someone to guess." This is the time to let your creativity shine. Make your login name a phrase only you would know, but that's easy enough for you to remember.
3. Change passwords frequently.
Even if you have complicated, hard-to-guess passwords, with all the data breaches going on, your passwords may become vulnerable at some point. Be smart and change them regularly, especially for sites where the loss would be personally and/or financially devastating.
4. Consider using a password manager.
We get it. With so many sites out there, how can anyone remember a fresh login and password every time? A password manager can make it easier. Just remember one login and one password and let the manager be your brain. It's important, however, that if you use a password manager you use a complex username and password, a duo you've not used elsewhere.
Again, Hanscom FCU will never ask for your online banking login credentials, Secure Access Code, or passwords over the phone. If you have been contacted by someone who claims to be from Hanscom FCU and wants access to your account, please hang up on them and report the incident to our Remote Support team at 800-656-4328.
Keep your computer browsing safe, too. Cyber thieves are always looking for ways to get access to other people's accounts. There's a free tool that will stop them from getting into your Hanscom FCU account: Detect Safe Browsing (DSB) from Easy Solutions.