RESOURCE CENTER
This resource center is where you can find more detailed information regarding security and fraud issues as well as links to external, trusted partner sites that can give you further insight.
This information is curated and updated regularly to give our customers and colleagues the information they need regarding security both online and off. It also includes steps to take to secure yourself from a security incident, what to watch for to avoid being scammed, and steps to take if you think you have fallen victim to a scam or crime.
If you believe you or your accounts have been compromised, please refer to our contact numbers listed on this site as soon as possible so we can begin helping you.
Account takeover
Account takeover is when a criminal gains control of a personal account by stealing the victim's credentials. Any account can be compromised this way, but two common takeover types you should be aware of are email account and bank account takeovers.
Email account takeovers occur when a criminal steals the credentials for an email account. The criminal may then try to access accounts tied to that email address. They may also try to steal more credentials by impersonating the person who owns the email address to compromise personal contacts.
Bank account takeovers occur when a criminal steals the credentials for online banking. This information can be used by the criminal to access bank accounts, transfer money, further compromise other accounts and perpetrate identity theft.
Criminals use several common tactics in account takeovers: malware, social engineering, and phishing by voice, text and email.
To reduce your risk of account takeover, take the following precautions:
- Install, update and maintain good quality anti-virus and anti-spyware software.
- Keep your security questions safe.
- Maintain strong, unique passwords for each of your accounts.
- Watch your accounts for unauthorized activity.
- Be cautious of any suspicious emails from contacts or on-site links.
- Do not install unknown software.
Business customers should use online banking features like positive pay and dual controls.
If you have released any online banking information improperly or believe your bank account information may have been compromised, immediately report it to Customer Care using the phone number below.
Anonymizing online privacy services
Some internet users choose to use services that provide online anonymity by “anonymizing” or masking their network communications to the web. Specialty software, such as privacy browsers or VPNs, is becoming a more common offering.
These services provide a degree of anonymity and claim that this anonymity lends itself to more security. Unfortunately, that is not always the case. In some instances, using these services can actually open you up to more security vulnerabilities due to factors out of your control.
If you choose to use these services, you should avoid using them with your online financial service accounts, like online banking. Keep in mind that the bank knows your identity once you log in, so using anonymizing services does not provide any benefit.
Associated Bank takes your security seriously, using strong encryption and other protections for your account and personal information. Secure Sockets Layer (SSL) encryption ensures industry-standard, strong security for your online activities.
Buying and selling online
Online shopping has become one of the easiest and most convenient ways to purchase everyday items. However, with this convenience also comes a specific set of scams. Whether you're purchasing from a known site, buying directly from a seller or using a buy-sell-trade page such as Facebook Marketplace, these steps can help you protect yourself.
When shopping online, verify the seller to the best of your ability. You can simply search the name of the seller and see the reviews that customers have posted. Avoid questionable sites and sellers because they could be scams or may not deliver the promised product.
Always pay for online purchases using a credit card or payment system like PayPal. These payment methods offer protection from fraudulent sellers and account activity.
If you use a buy-sell-trade site to purchase anything, local police stations typically offer designated safe transaction areas that are monitored and well-lit. Buying directly from a person is most safely done with cash or a cash app such as Zelle or Venmo so that you do not have to give someone a check.
If you use these pages to sell, only sell locally or through websites like eBay. If you sell online through an ad and accept a check or online payment method, the purchaser has all the power to dispute the transaction and take their money back without sending the item back to you. You could also be the victim of a fake check scam (see the Fake checks section for more information). Sites like eBay will offer consumer protection for both buyers and sellers as well as remediation steps if a dispute occurs.
The FTC has put together a comprehensive video with a list of tips that can help you stay safe when shopping online.
Credit reports
The Fair Credit Reporting Act (FCRA) requires all three of the credit reporting companies to provide you a free copy of your credit report upon request every 12 months. This report contains information on where you have credit, how much debt you currently have, the status of those accounts, whether you have been sued or filed for bankruptcy and if your accounts are being paid on time.
Requesting these reports regularly is a good way to monitor activity on your credit as well as correct any errors. If you notice an incorrect mailing address, old employers listed on your report, errors on your accounts, late payments or unauthorized hard inquiries, you will want to work with the credit bureau to correct them immediately, as these can also be indicators of identity theft.
The FTC has put together information about your credit reports on their website. You can also visit annualcreditreport.com or call 1-877-322-8338 to order your credit report either digitally or by mail.
Fake checks
Checks are a convenient form of payment, but they can easily be misused by scammers. As a consumer, you should be aware of “fake check” fraud.
You might notice any of a number of variations on the fake check scam. It could start with someone offering to buy something you advertised, pay you to do work at home, give you an “advance” on a sweepstakes you’ve supposedly won or pay the first installment on the millions that you’ll receive for agreeing to have money in a foreign country transferred to your bank account for safekeeping. In many cases, the person may sound quite believable.
Fake check scammers hunt for victims. They scan newspapers and online advertisements for people listing items for sale, and they check postings on online job sites from people needing employment. They may place their own ads with phone numbers or email addresses for people to contact them. They might even call or send emails to people randomly, knowing that someone will take the bait.
Don’t be a “mule” for a scammer. A scammer makes you one by sending a fake check that draws money from an account that does not belong to them (another victim).
Tip: Just because funds are available, it doesn’t mean that the check has cleared. If a check doesn’t clear, you will be liable for money drawn against it.
The checks are fake, but they may look real. Some are phony cashier’s checks, others look like they’re from legitimate business accounts. The companies whose names appear may be real, but someone has made up the checks without their knowledge.
They may offer this check as payment for service or work. Many times, they will call the victim an “agent,” requesting they transfer money overseas. In exchange, they will typically allow the victim to keep a percentage of money as “payment.” Whatever the scam, the act is illegal, and the victims will be defrauded. They may also be subject to legal prosecution.
The FTC has put together a number of steps you can take to help avoid check fraud. They also post information online on the FTC website that catalogs and informs the public of common scams, though there are many more than can be listed. All of them follow the same pattern, so knowing this pattern can help protect you. Some of the most common scams are:
Fake technical support calls
Technical support scams have been a rising threat for years. With more people using smartphones, tablets and computers, they have become more effective and more prevalent.
One common scam involves a phone call, pop-up ad or online banner notifying you of an unknown—but extremely urgent—issue with your PC or phone. They may offer to speed up your computer, remove viruses or fix a battery issue.
These fake services will claim to be Microsoft, your internet service provider or a third-party technical support company. While these services do exist, a legitimate company won’t seek out business by telling you that you have a specific issue; you’ll have to seek out their service.
If you engage them, they’ll ask for bank account or credit card information for anything from a one-time charge to hundreds of dollars for a subscription service. They’ll claim to have fixed the issue and hang up. They can then fraudulently charge you multiple times.
They may also ask that you install a program they send you to let them remotely fix your issue. This software is a virus that will let them steal information from your computer as well as access your machine later without your permission.
If you’d like more information about these scams, the FTC has put together a comprehensive article covering different versions of tech support scams as well as the steps to take to avoid them.
Firewalls
Firewalls are systems that monitor network traffic going in and out for suspicious or malicious activity.
Associated Bank uses leading firewall and network security technology to protect our internal computer systems and servers from unauthorized access. You can be confident that your personal information is completely safe and private.
You should also use firewalls to protect your computers at home. Most operating systems come installed with a firewall pre-enabled, but these can be disabled and need some configuration.
While firewalls are a necessary layer of protection for online security, they do not protect you from phishing or malware, which require different types of protection.
To learn more about firewalls and computer security, see the FTC website OnGuardOnline.
Identity theft
Identity theft occurs when someone compromises your personal information and uses it to conduct fraudulent activity. This may include tax-related theft, opening accounts or services in your name and medical identity theft to receive medical care. It can be extremely damaging and cause long-lasting repercussions on your financial future.
Identity theft can occur without any warning, but the best way to minimize impact and the time it takes to recover is to catch it early and take the necessary steps as soon as you can. There are a few simple steps you can take to help with this:
- Check your statements for unexplained transactions.
- Make sure that you’re receiving all your bills and mail.
- Don’t ignore debt collection calls—these could be tied to fraudulent activity.
- Pull your free annual credit reports to check for new, unknown accounts.
If you would like more information, the FTC has compiled a number of pages covering different identity theft topics.
If you believe that you’ve been the victim of identity theft, the FTC has an identity theft website, where you can report it and start taking the necessary steps to recovery.
Invoice scams
The invoice scam has been around for years and is making a resurgence in popularity.
This is a phishing scam that starts with an attacker emailing a fake invoice that claims that you have purchased music or apps from them. A link in the email says you can dispute the charges if you did not make those purchases. However, this is a malicious link that leads to a compromised site.
If you go to that site, you may be asked to log in to your email or account to begin the dispute process. This is a credential harvesting site. The site may also ask that you download certain software to help with the process of disputing. This software download is a virus that can allow the attacker to access your computer remotely, steal information, and key log your passwords for further compromises.
A great way to avoid these scams is to verify any messages like this by directly navigating to the website through your web browser rather than clicking on the link in the message. If there is an issue with your account or unauthorized transactions, you will also be able to see those by logging in through the webpage. If you don't see any of the transactions that the invoice claims were charged to your account, then you know that this is a scam.
The FTC has put together a page that talks about these invoice scams and how to report one to the FTC if you receive it.
Malware
Malware is a generic term that is used to describe any unwanted software on your devices. This can be a program that shows you unwanted ads, a virus that steals your passwords, or ransomware that encrypts your files and holds them hostage. Malware can be extremely complex or simple, but is usually hard to detect and remove without taking the proper steps to protect yourself and your devices.
To avoid malware, you want to avoid untrusted websites and be cautious when asked to download any files from unknown sources. Email attachments are another avenue that attackers can use to infect your machine. If you’re not expecting an attachment from someone that you know, call them to verify they sent it before opening; an attacker may have compromised their email and used that to infect that person's contacts.
There are also different security products you can install on your machine to help protect you from malware. Having an up-to-date firewall can prevent malicious traffic to and from your machine. Installing anti-virus software and keeping it up-to-date will quarantine and remove malicious software if it makes it onto your machine. These programs aren’t perfect, though, so you must be diligent when using the internet.
The FTC has put together a list of actions you can take to help prevent malware, ways to detect malware, and actions to take if you have been infected. There is also a place where you can report malware to the FTC.
Mobile security
Mobile security, which includes both the physical and digital security of your mobile devices, is particularly important given how many people are using phones and laptops on the go.
Smartphones are the main source of information and contact for most people today. Working on laptops and tablets while on public Wi-Fi is more common than ever. These are some of the security concerns we hope you'll be aware of when using your devices in public.
- Because so much personal information is on your phone, the most basic step you’ll want to take is to secure your phone with a password, PIN, pattern and/or biometric security. Setting your phone to automatically lock after a certain period of inactivity can also save you a lot of headaches if your phone is stolen.
- Apps on your phone also use biometric locks and PINs for fast access. This is convenient and secure, but also means that you need to be extremely cautious when sharing access to your phone. Anyone who has the unlock information also has access to mobile banking, credit card, money and social media applications you are logged into. The most secure option is to not share access with anyone.
- Phones usually include a built-in remote security system. By setting up these systems, named Find My Phone by Apple and Find My Device by Google, you’ll be able to remotely lock your device, locate it if it is on, sound an alarm in case you have just misplaced it nearby, and wipe your device if it is unrecoverable. If your phone is off when you send these instructions, it will perform whatever actions you’ve sent as soon as it’s turned on and connects to a network. Once you set these up, you only need to log on to another phone or computer to activate it.
- Software security on mobile devices such as phones and tablets is similar to computers, but with a few key differences. The built-in security software on phones is robust, but many people will delay updating phones or apps for various reasons. Most patches are software fixes and security updates, which should be applied as soon as possible for maximum security.
- Avoid jailbreaking, rooting or downloading apps from unofficial app stores. These can give attackers direct routes to sensitive information and controls in your phone that security software can’t prevent. Anytime you bypass security controls on your phone to install unapproved software, it presents a major risk of compromise, so it is best to outright avoid those situations.
Many scams and threats employ tactics like text messages, phone calls and robocalls to solicit you. Do not reply to any unknown text messages, avoid answering unknown numbers and hang up when it is a robocall or spam call, as these can all be attempts to phish you.
The FTC has put together a number of articles and videos focused on mobile security if you would like more information.
Phishing
Phishing is when an attacker impersonates a trusted person or company to trick you into surrendering personal, confidential information such as credit card or account numbers, login credentials, and identity information to commit further crimes. These can include identity theft, financial theft, and impersonation by accessing your personal contacts.
Phishing is the most common tactic for cybercriminals because it can target a large number of people and bypass basic security measures. It’s usually automated and will either ask you for login credentials or for you to open an attachment that can install viruses. Once an attacker has access to a computer or account, they will use that information to spread as far as possible.
Because of how these attacks occur, being able to spot them is the best defense. When watching for these attacks, look for the following:
- A notice of suspicious activity or login attempts.
- Claims that there is something wrong with an account or payment.
- A request to confirm personal information.
- A request to open a link or attachment.
- An offer for gift cards or government programs.
There are quite a few versions of these, and some are much more complex than others. In most cases, these phishing attacks are written to appeal to the most people possible with a request to click on a link or open an attachment. To create a sense of urgency, they may suggest someone else is accessing your account, or that there will be legal implications if you don’t act. They may offer a reward such as a gift card or free item if you fill out a survey, or they may impersonate someone you trust and ask you to open a picture or funny article.
You may have difficulty identifying phishing emails because there are so many that are just spam or poorly-designed advertisements. Phishing emails will try to mimic these to slip under the radar. There are some red flags, though, that cannot be hidden:
- Sender address is important. Phishers will make it similar to a real email address but cannot make it an official one. Look at other emails you know are legitimate from the same sender to verify the address is correct.
- Check the link to make sure it goes where it says it does. Hovering over a link without clicking on it will display the URL. If it doesn’t go where it says it will, don’t click on it. If the email claims there’s an issue with your account, navigate directly to the homepage with your web browser rather than click on the link. If you don’t see a similar notification on your account, then that email was phishing.
- Pay attention to what the email is asking you to do. Important communications will come with specific information or steps you can take. If the message seems vague or you’re unsure about it, simply call the person or company to verify the message is legitimate.
Not all suspicious emails are phishing emails, which can make this difficult. These red flags are not the only ones, but they are the easiest to find and give you a strong indication if an email is suspicious. Red flags do not guarantee a phishing email, but they are meant to help you decide if you should verify an email before clicking on a link inside of it or opening an attachment. When in doubt, call the sender to validate.
The FTC has put together a number of articles about phishing which you can use for more tactics and information.
Physical device security
Software security—for your personal computer and your phone—shouldn’t be your only concern. Physically securing your device is equally important when protecting your information.
The basic step to physical security is to always set passwords, PINs, patterns and biometric locks on all your devices. Without these, anyone—good or bad—with physical access to your device can access any information on it.
Keep in mind that anyone who has access to your device will also have access to any applications or programs that use that information. This can include financial applications such as mobile banking or online shopping.
For computers and laptops, newer versions of Windows offer encryption options. This makes the information on your computer unreadable without a special key or code that you set when you start the encryption. Without this decryption key, no one will be able to access your data if your computer is stolen.
For mobile devices, major operating system developers have included security that mirrors encryption on a computer or laptop. They have location services if your device is stolen, as well as remote functions for locking and wiping the information off your phone if it’s deemed unrecoverable. These must be set up with an account on your phone.
When disposing of or selling a device like a phone or laptop, make sure that you properly wipe the information from the machine so that the new owner can’t access sensitive data. Factory-reset your device and log out of all accounts.
To learn more about computer disposal and how computers store personal information, visit the Federal Trade Commission’s website.
Read more information on disposing of old computers and laptops.
Ransomware
Ransomware is a type of virus that criminals use to hold your information hostage by encrypting files and systems that are valuable to regular daily operations. Ransomware attacks are one of the most common cyberattacks. They have become extremely lucrative with the advent of bitcoin and other cryptocurrencies.
If a system is infected and encrypted, decoding the decryption key can take months or years depending on the complexity of the encryption, and the key may never be found at all. The attackers will offer the key for a payment in digital currency.
Proper security protocols such as updating software, avoiding phishing attacks from unknown attachments and links, and backing up important files regularly can help keep you from becoming a victim. They can also give you recovery options if you’re compromised and don’t pay the ransom to unlock your information.
If you become a victim of a ransomware attack, you should take the following steps to help mitigate the damage and get back to business as usual:
- Contain the attack by disconnecting the infected machines from the network. These viruses are designed to spread and be copied to all devices connected to them. Remove and destroy any portable memory devices, as they also can store the virus for later activation.
- Use the backups you have created to restore and resume using your machine. You may be able to wipe your machine and reinstall the operating system before restoring your backup files; this will remove the ransomware from your system.
- Report any ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include all information from the attack, including any of the attacker's contact information and their ransom payment details, as these may help in the investigation.
The FTC has put together a number of articles pertaining to ransomware that cover a broad range of topics as well as examples of real attacks that have occurred.
Romance scams
As dating websites and apps continue to rise in popularity, so have romance scams.
These scammers use fake profiles to meet people online, connect with them emotionally and use those emotions to extort money. Criminals usually conduct these scams over the course of weeks and months. The scam involves online chatting, phone calls and text messaging, with the goal of asking the target to transfer money to them in smaller, regular amounts over time.
Scammers may use real profiles for source material and impersonate someone that would be considered attractive to most targets. Using a real profile allows them to post regular, new content ripped directly from a real person. A reverse image search is a good way to verify if someone's photos are being used in multiple profiles.
Certain occupations are commonly used when creating these profiles as well, which can be a good tipoff of a potentially fake account. Oil rig work, a doctor with an international organization or military personnel can give a plausible explanation for not being able to visit physically.
When communicating, the scammer will avoid video chatting or using live streaming. They may claim that their camera is broken, or they have bad internet. They can then ask for money to help them so that they can afford to video chat with the target.
They may also ask for help paying for plane tickets or travel expenses, medical bills, customs fees, gambling debts or travel documents, and leverage the trust they’ve built. They’ll ask the target to either wire money or buy gift cards or money cards—funds that are extremely hard to recover, and the scammer can use them safely.
The FTC has put together a number of articles regarding romance scams such as how to spot them, what to do if you think you’ve fallen for one, and also specific examples of scams that people have reported.
SMSishing
Phishing that is conducted through text messages is referred to as SMSishing.
This type of scam will usually be in the form of text messages claiming to be from a company or someone important asking you to respond with information or follow a link. Because these are often sent to millions of people, they’re often very vague.
The most common goal of these attacks is to harvest sign-in credentials or payment information, though malware can also be installed on phones in the process. The type of security on mobile phones makes this more complex, but it is possible.
The major difference between SMSishing and phishing by email is that it’s difficult to impersonate trusted contacts. Generally, these messages will be sent from anonymous or shortened numbers like other automated messages. If you receive a message from anyone outside of your contact list, do not reply or interact with it. Any message received from a legitimate company can be validated by simply dialing the listed customer service number.
The FTC has published a number of articles about how to spot and handle phishing should you become a target.
Social engineering
Social engineering is used by attackers to trick people into helping them commit further crimes. It’s the basis for most online scams because it targets the person rather than the system.
Social engineering can be as complex as impersonating a law enforcement official or other person of authority, or as simple as peeking over your shoulder as you sign in to see your login credentials.
Here are ways you can likely avoid being a victim of social engineering:
- Ignore all spam messages, as they can be a hiding place for many social engineering schemes. The FTC has put together a number of articles about how you can avoid spam messages.
- Don’t fall for phishing. Phishing is more direct, dangerous and difficult to avoid. Stay diligent and apply the tactics by visiting the FTC phishing page.
- Keep up to date on current scams. You can sign up for the FTC scam alert system that will send out notifications when new scams are reported. If you see a scam, report it to the FTC reporting system.
Spam
Spam messages are one of today’s biggest nuisances. Between spam text messages, robocalls and spam emails, it’s almost impossible to avoid them. But many spam messages contain bogus offers that can cost you time and money if you trust them.
Be sure to apply email filters to your accounts so that spam messages can be funneled to your spam folder. Most online email services already have them, but, as you receive different spam messages, you can add more rules that will remove these from your mailbox.
Legitimate companies will often use automated robocalls to try to sell products and services, but so will scammers. Criminals may also try spoofing, in which the number shows up as unknown or as a local number based on your area code.
Text message spam is similar to robocalls and email spam. Usually scams offering something for free, they can lead to unwanted charges on your cell phone bill, and can potentially slow down your phone's performance by taking up large amounts of memory.
If you’d like more information on avoiding these types of spam, the FTC has comprehensive articles on these topics which you can find below:
Spoofing
Spoofing is a tactic that scammers and criminals use to make a piece of information look like something else to help them gain your trust or avoid scrutiny.
For example, scammers use spoofing to make a link appear to go to a familiar website, such as your bank or an online store, but it actually leads to the scammer’s webpage.
Scammers may also make your caller ID show a local number or no number rather than the caller’s actual number. This is a popular tactic with robocalls and scam callers.
You can refer to the phishing section for more information about the types of scams that may use spoofing.
Security questions
Security questions are a part of the authentication process. They’re mainly used for password recovery both online and over the phone.
When selecting security questions and answers, use information that is personal and memorable but not easily guessed or publicly known. An attacker should not be able to find the answers to security questions by searching social media profiles or using a search engine for past information.
A tactic used when setting security questions is to not answer the question but use it as a prompt for another random word or phrase. Also, avoid using the same questions and answers for different accounts because, just like passwords, you do not want an attacker to be able to use that information to compromise all your accounts.
The FTC has put together an article about keeping personal information secure which talks about security practices like this.
Usernames & passwords
The most important security step is creating strong, unique passwords.
A strong password is one that uses letters, numbers and special characters and contains a phrase or string of words rather than one word. These types of passwords are very difficult to guess, even for a computer. You should also have a different password for each account. This prevents an attacker from compromising multiple accounts if they somehow compromise one of them.
Here are a few ways to make your password more secure:
- Use uncommon words and/or phrases to make guessing your password more difficult.
- Use more characters in your password. We recommend a minimum of eight to twelve.
- Don’t use personal information in your passwords. Words and phrases tied to you can make them easier to guess.
- Don’t make all of your passwords similar while changing only one character or part. This still makes them easy to guess if one becomes compromised.
Treat your passwords like your PIN or SSN. Don’t write them down or share them with anyone. Password vaults can help you maintain your password list. Also, change your passwords periodically, especially if you receive a breach notice from a company or service that you use.
You can also visit the FTC site for information on creating and maintaining strong passwords.
Zelle® and the Zelle® related marks are wholly owned by Early Warning Services, LLC and are used herein under license. (1305)
Report Fraud
Personal Accounts
800-236-8866
Business Accounts
800-728-3501
Treasury Management Services
800-270-2707
Lost or Stolen Card?
Personal or Business Debit Cards
800-236-8866
Personal Credit Cards
866-951-1389
Business Credit Cards
866-951-1390