2021 GUIDE TO Personal cybersecurity Introduction: About this eBook ...... 3

Chapter 1: Securing your accounts ...... 4 Protect yourself from ...... 5 Setting a strong username and password ...... 6

Chapter 2: Protecting your data online ...... 8 Social media cybersecurity best practices ...... 9 Malware and viruses ...... 10 Stay vigilant and protect your data ...... 11

Chapter 3: Digital protection checklist ...... 13

Chapter 4: How to spot and avoid common internet scams ...... 14 Digital account hijacking ...... 15 Sweetheart ...... 16 , vishing, smishing ...... 17 Table of contents Quick money, unexpected windfalls, and too-good-to-be-true offers ...... 18 Fake approval notices ...... 19

Chapter 5: How to spot and avoid common offline scams ...... 20 ATM fraud ...... 21 SIM card swapping ...... 22

Chapter 6: Know the common signs of identity theft ...... 23.

Chapter 7: What to do if you’ve been scammed ...... 24

Chapter 8: Tips for talking to your children about online safety ...... 25 Teaching kids about cybersecurity ...... 26

Chapter 9: Small business cybersecurity ...... 27

Chapter 10: List of resources ...... 28

Conclusion ...... 29

 2  The risk of identity theft has grown in large part due to the rising number of connected devices in our lives. Every time we open an account to try a new service, swipe our cards, or participate in social media, we increase the risk of exposure.

Millions of Americans are the victims of identity theft and fraud each year. With massive data breaches frequently making headlines, even the most careful consumers are open to attack.

Oregon and Washington ranked 33rd and 22nd in identity theft complaints in 2019.1 Nationally, U.S. consumers reported losing $1.48 billion related to fraud complaints, an increase of $406 million from 2017.

Fortunately, you can protect your personal information by taking a proactive approach to cybersecurity. Also, you must be prepared to act quickly if your information is stolen—vigilance can prevent you from becoming a victim of fraud. Learn how you can protect yourself and recover from fraud in our comprehensive guide to ABOUT THIS EBOOK personal cybersecurity. Introduction

   RETURN TO TABLE OF CONTENTS 3 CHAPTER ONE Securing your accounts

Understanding social engineering and confidence schemes When thinking about cyber attacks, you might envision hackers creating viruses to gain access to personal accounts and business networks. However, the vast majority (98%) of cyber attacks actually rely on social engineering.2 Social engineering and confidence schemes are designed to trick you into PROTECT YOURSELF FROM revealing personal information that will compromise your account security. CONFIDENCE SCHEMES BY FOLLOWING THIS ONE In most cases, cyber criminals deceive their targets into thinking they are interacting with someone who is UNIVERSAL RULE: trustworthy—a government official or bank representative for example. Fraudsters use emotional appeals, Never share pressure, urgency, and limited information to trick people into providing the additional information necessary to access and gain control of the target’s account or network. your personal information Take the time to ensure that you contact the business or organization via their official channels. Don’t trust links and phone numbers sent to you by a representative that initiates contact. For example, with someone who a representative from your financial institution will never initiate contact and ask you for sensitive contacted you. information such as your credit/debit card PIN, three-digit code, online banking password or secure access code to verify your identity on a call or email.

Learn more about confidence schemes and how to protect yourself here.

   RETURN TO TABLE OF CONTENTS 4 Protect yourself from cybercrime

Dealing with identity theft can be incredibly stressful and may cost significant amounts of time and money to resolve the issue. A proactive approach to identity security can save you from a substantial disruption.

Using password management best practices • Never repeat passwords between websites. It’s common to use the same username and complex password between sites. However, if an attacker is able to breach one site, they may be able to use that information on other sites across the internet. Consider using different logins, passwords, and username/password recovery methods for accounts with sensitive information. • Use long, complex passwords. Phrases like “Ialwayseat2pizzas” are hard to guess, but easy to remember. • Use a password manager. These are apps and browser plug-ins that make it easy to use complex passwords. There are both free and paid options, do your research and choose what works best for you. • Make secure backups of your data. Most password manager software has an option to do this automatically. Alternatively, you can create a file containing your passwords and store it in an encrypted folder on your computer. Never store your passwords as plain text. If you store your passwords on a physical piece of paper, place them under lock and key.

Use two-factor authentication (2FA) when possible • Factors could include a secure access code sent via SMS text, a secure phone app that generates a one-time code, or a physical token that you plug into your computer. In each case, you’ll be required to use your password plus a secure code to access your account. Accounts that allow you to use a unique identifier in addition to your password creates an added layer of security. • If you attempt to log into to your OnPoint account from an unregistered device, you will always be asked to provide a second form of authentication in the form of a secure access code sent to a phone number on your account.

Chapter 1: Securing your accounts

   RETURN TO TABLE OF CONTENTS 5    Private. Do not share your username or password with anyone—shared passwords increase risk of fraud.    Unique. Use a different username and password for each account—reusing or repeating credentials increases the risk of a fraudster obtaining your information. If an online retailer has a data breach, the credentials obtained from the breach may be used by hacker to attempt to gain access to other accounts using the same information.   Random. A randomized password makes it harder for criminals to use computer software Strong or knowledge of your personal information to guess your password. password    Memorable. Practice your username and passwords and commit them to memory so you’re able to recall your credentials when you need them. Consider using a passphrase checklist with symbols swapped for some characters. For example: “eYeL1kEf00+B@ll” is complex, (  Password |  Username ) relatively easy to remember and significantly more secure than “ilikefootball”.    Secured. If you need to store your credentials, they must be stored securely. If you HERE TO HELP KEEP YOUR have a physical copy, keep it in a safe place—if possible, write down hints instead of the ACCOUNTS SAFE usernames and passwords. For digital storage, use an encryption device or storage service At OnPoint, we take your and commit a single strong username and password combination to memory. If you use account security seriously. security questions, make sure that the answers cannot be found easily through social Please be aware, OnPoint media or public records. will never ask for sensitive   Variety. Make use of all available characters in your password, including lowercase letters, information via phone, email uppercase letters, numbers and symbols. or text. This includes requests for passwords, secure access   Authentication. If your password is guessed or stolen, two-factor authentication can create an additional layer of security. Often in the form of a short code sent via call or text to your codes, PIN or credit/debit phone number, dual authentication requires that a fraudster have access to your phone in card 3-digit codes. For more addition to your username and password. information, please visit onpointcu.com/security. Does not contain:    Birthdate, Social Security number,   Words from the dictionary phone number    Adjacent keyboard combinations    Names of friends, family, pets, (i.e., qwerty, 456789, fghjkl) favorite sports teams, etc.    Less than 10 total characters   Common terms or phrases (letters, numbers, symbols) (i.e., quotes, clichés, etc.)

   RETURN TO TABLE OF CONTENTS 6 Protect yourself from cybercrime (continued)

Identifying spoofed accounts and bots Fraudsters may pretend to be a person or organization you trust by pretending to call, text or email you from an official source. These spoofed contacts can even appear legitimate through caller ID, SMS or email. To identify spoofed accounts or bots pretending to be people: • Check email addresses, not just display names. For example, a message may claim to be from a company’s customer service department, but the address will be something like “[email protected]”. • Check the email header by clicking the drop-down option under the subject line. Look for suspicious addresses in the “return” and “sent from” paths.

Browsing the web through a virtual proxy network (VPN) • A VPN anonymizes your web traffic by routing it through one or more servers across the globe. • Sites won’t remember your information, so you’ll need to re-enter login credentials. Using a VPN can help keep your data more secure, but also makes some digital activities less convenient. For instance, as an OnPoint member, you are able to optionally establish your devices as “registered” or “secure”, allowing you to log into your account using a secure access code. When using a VPN, you would be unable to save your device and would need to enter a secure access code each time you log into Digital Banking. Additionally, using a VPN could result in some financial institutions to flag your account under “suspicious activity,’’ especially if the VPN routes you through other countries. To avoid your VPN creating a barrier to your financial accounts, we recommend establishing a VPN with a U.S. address.

Avoiding open Wi-Fi connections Unprotected Wi-Fi networks could make your web traffic and personal information visible to fraudsters.

Chapter 1: Securing your accounts

   RETURN TO TABLE OF CONTENTS 7 CHAPTER TWO Protecting your data online

Understanding the value Take these steps to protect your data online: • Consider privacy on social media. Personal information commonly used for of your personal information security questions and contact info is frequently shared on social media. Minimize risk by updating privacy settings, deleting unused social media One of the most significant personal information security profiles, and strongly considering which details to share about yourself online. issues is how we decide to use and share it. Complacency Update your home network and browser. Always keep device software and or disregard for the value of our information could lead • security patches up to date and consider adding browser extensions for to phishing, vishing, smishing and confidence schemes. enhanced security. Additionally, almost any router can do web filtering These scams often rely on engaging with a scam directly. by using one of many different free or pay-for DNS services. You can also In some instances, willingly providing your information or configure your router to use one of many DNS services to protect your entire credentials could leave you liable for financial loss. home, usually for free. For added security, you may want to consider adding • Avoid unsolicited communications and suspicious links. Phishing links and identity theft insurance. Insuring your identity can help communications can lead to malware or to divulging personal information. Be especially careful with communications and links that require urgent restore your finances and credit profile if you’re ever a action—there’s always time to ensure you’re talking with the right person. victim of identity theft. Discover whether identity theft Do your research and remember that your financial institution or the insurance is right for you. government will not contact you for personal information or login credentials.

   RETURN TO TABLE OF CONTENTS 8 Social media cybersecurity best practices Social media and email have opened up new avenues for fraudsters to manipulate unsuspecting consumers. By posing as friends, relatives and businesses, scam artists can trick their targets into giving away personal information. Consider following these best practices:

Don’t post about your vacation on social media until you’re home • Sharing your vacation photos in the moment might be fun, but it’s also a message to criminals that your home is empty.

Control how your data is shared with third parties • Whenever you sign up for a new online account, check the settings for an option to opt out of data sharing—the more companies that have your info, the greater your risk of exposure.

Enroll in e-statements • Signing up for online billing statements from your creditors, financial institutions and utilities companies can reduce your exposure to mail fraud.

Unsubscribe from unwanted or unnecessary marketing emails • Under federal law, anyone sending commercial emails is required to provide an easy method for opting-out of future communications.3 Emails you receive without an unsubscribe option may be in violation of the law. • Major email clients like Gmail automatically generate unsubscribe buttons on marketing emails.

Protect physical documents • Reduce your risk of mail fraud by installing a lock and surveillance on your mailbox, shredding your old documents and using a secure mail receptacle.

Chapter 2: Protecting your data online

   RETURN TO TABLE OF CONTENTS 9 Malware and viruses Even the most precautious people sometimes can’t avoid the highly sophisticated methods fraudsters use. If a hacker manages to install malware or viruses on your computer, they can gain access to your information.

Malware, also called a virus, is a malicious program that can make changes to your computer, access your accounts or lock you out of your computer.

Common malware types include: • : A program that appears normal at first, but then takes over your computer. • Spyware: Programs that watch your activity and steal your passwords. • Ransomware: A virus that locks up your computer until you pay a ransom.

Not all viruses make themselves known immediately. A malicious program might sit in your computer for a long time before accessing your information. That’s why it’s important to regularly scan your computer for malware.

Use a trustworthy security program to monitor your computer for suspicious programs. New viruses emerge all the time, so it’s important to keep your security software up to date at all times.

Likewise, it’s a good idea to keep your operating system and programs updated. As hackers find new vulnerabilities, software vendors create security patches to improve protections.

Chapter 2: Protecting your data online

   RETURN TO TABLE OF CONTENTS 10 e Considering credit monitoring services

• There are many services available that monitor internet traffic for personal information posted on the “dark web,” which includes web pages not indexed in search engines. Stay vigilant • These services also look for abnormal charges to your credit accounts. • Note that these services can’t prevent fraud and they won’t correct and protect mistakes on your credit report. your data e Placing alerts on your financial accounts • Set up text or email alerts to automatically monitor transactions and Fraudsters have an easier account balances. time stealing personal • If you notice suspicious activity, take action immediately by contacting information online, but their the financial institution. illicit activity isn’t limited to the web. Here are ways you e Limiting physical access to your devices can stay vigilant and protect • Never leave your devices unattended. your data. • Set up passwords, PINs and biometric authentication (e.g., fingerprints) on any device with access to your personal information. • Ensure that your device is set to lock automatically after a short period of inactivity.

   RETURN TO TABLE OF CONTENTS 11 e Keeping your login information private

• Never share your login data with anyone. That goes for your financial accounts as well as services like Netflix and Spotify. • Don’t store your passwords in unencrypted files (e.g., text files, spreadsheets).

Many people share media accounts for entertainment purposes, and although our recommendation is to never share login credentials for these accounts, that’s not always practical. If you decide to share your login credentials for entertainment sites, ensure that all passwords and usernames are unique from those that you use for your financial Stay vigilant accounts. and protect e Checking for card skimmers your data • Criminals can place skimming devices over ATMs, POS systems and gas station pumps. (continued) • Before inserting your card, check for loose pieces, hidden cameras and fake keypads.

e Monitoring your credit report for unusual activity

• Regularly reviewing your credit reports can help you spot fraudulent activity before it takes a toll on your finances—get your credit report for free once per year from https://www.annualcreditreport.com. • Download our free credit eBook to learn how to easily understand your credit report.

   RETURN TO TABLE OF CONTENTS 12 e Invest in a reliable password manager

e Use PINs and passwords on all of your mobile devices

e Set up two-factor authentication on sensitive accounts

e Sign up for e-statements from financial institutions, CHAPTER THREE utility companies and creditors Digital e Unsubscribe from irrelevant marketing emails e Review your data-sharing agreements with all organizations protection and social media sites with which you do business e Review shared entertainment accounts and consider checklist separate login credentials

Considering how many ways e Sign up for a trusted credit monitoring service there are for fraudsters to e Learn how to identify account spoofing target consumers online, it’s essential to make sure you e Keep your computer operating system and software up to date have all your bases covered. e Keep your anti-virus software up to date

e Consider using a secure VPN connection

e Add physical security to your mailbox

e Make a habit of checking for card skimmers

   RETURN TO TABLE OF CONTENTS 13 CHAPTER FOUR How to spot and avoid common internet scams

   RETURN TO TABLE OF CONTENTS 14 Digital account hijacking

What is it? How to avoid it Account hijacking occurs when a fraudster obtains The previous decade has been punctuated with high-profile a target’s login credentials for a social media, email data breaches: or online banking account. The attacker might • In 2019, Facebook exposed more than 540 million manipulate the stolen account to defame the victim, user records. steal their money or gain access to an account of • A 2013 data breach affected all 3 billion Yahoo higher value. user accounts. • In 2017, Equifax exposed the identifying information of 147 million Americans. In other words, there’s a high likelihood that some piece of your personal information has been exposed to malicious actors.

Avoid account hijackers by regularly updating your How to spot it passwords, using two-factor authentication and protecting • Someone you know contacts you about a your web traffic with a VPN. Additionally, ensure that all of too-good-to-be-true offer.4 your passwords are unique across your various accounts. • Someone you know contacts you via a strange If you repeat passwords across accounts, once one is 5 phone number. compromised, others could be as well. • Someone you know starts posting strange offers If you suspect one of your accounts has been accessed on social media.6 without your permission, contact the organization’s customer service department immediately and file a complaint with the Federal Trade Commission.

Chapter 4: How to spot and avoid common internet scams

   RETURN TO TABLE OF CONTENTS 15 Sweetheart fraud

What is it? How to avoid it A sweetheart scam is a trick in which a fraudster uses Always be extra cautious with granting requests from powerful emotional manipulation techniques to gain someone you have never met. If someone contacts you out of the trust and goodwill of their target. Using online the blue, question their reasons for contacting you, especially dating apps and similar tools, the scammer convinces if you have no mutual connections. These scammers prey on their targets to send money or commit crimes. our desire to be valued and our willingness to help—it’s an extremely effective form of fraud and requires a high level of situational awareness.

Never send money to a stranger you met online. Recognize that sweetheart scammers will attempt to manipulate you emotionally. They’ll even claim to fall in love with you, and How to spot it then request money to replace their broken phone, fix their • An online acquaintance professes strong feelings— car or for another type of emergency. Their goal is to get at even though you have never met as much of your finances as possible—they may start small • Someone you meet online requests a check, and gradually grow their requests, or ask for a considerable money order or wire transfer amount from the get go. Either way, the romance never progresses past your finances. • Someone contacts you through a dating site, but claims to live in another city or country If someone asks you to do something illegal, refuse and • The need for help is urgent and/or it involves a consider making a report to local law enforcement. financial incentive

Chapter 4: How to spot and avoid common internet scams

   RETURN TO TABLE OF CONTENTS 16 Phishing, vishing, smishing

What is it? How to avoid it A phishing attack is when a fraudster uses an email In all its forms, phishing attacks mimic communications from to impersonate a business in an attempt to steal brands, businesses and people you trust. Fraudsters often confidential information. Phishing is a form of social masquerade as banks, credit card companies, retail brands engineering where fraudsters use psychological and social networking sites. Their messages often contain: tactics against their targets to convince them to • Notices of suspicious account activity provide their personal information. • Payment verifications When attackers make phone calls pretending to be • Refund claims legitimate businesses, it’s known as , or vishing. • Counterfeit invoices

Similarly, smishing tactics use SMS messages to solicit The goal is to convince you to give up your personal or passwords, credit card numbers and other identifying confidential information by creating a false sense of urgency information from targets. or desire. These scammers often use fear, false authority, or other emotional manipulations to get you to let down your guard. If you have doubts about a message:

• Never trust a request for your password—your password How to spot it is only for you—a legitimate source will not need your • Messages contain requests for your sensitive password to access your account information information • Call the organization directly, but don’t follow any links • Messages come from unknown or strange email in the message addresses or phone numbers • Research the company that sent the communication • The message sender doesn’t use your name • Report it to the Federal Trade Commission

Chapter 4: How to spot and avoid common internet scams

   RETURN TO TABLE OF CONTENTS 17 Quick money, unexpected windfalls, and too-good-to-be-true offers

What is it? How to avoid it These too-good-to-be-true messages promise You should always be suspicious if a lawyer, bank or company money, often in exchange for a fee or tax. The most contacts you offering any sum of money. Even if the offer well-known variation of this scam involves a prince includes official-looking bank statements or birth certificates, in crisis requesting help to transfer funds. However, you should question the legitimacy of the message. fraudsters may also pose as cash-prize contests, Not all scammers claim to be royalty. Attackers can also rebate programs or lawyers representing the estate claim to represent someone you know, like a lawyer of wealthy relatives. representing an arrested family member.

If you are contacted, never send anyone money, and don’t attempt to deposit unverified funds—especially if you’ve never met them—the funds may become available, but the How to spot it check turns out to be a fake and the funds from the check • Someone offers you money unexpectedly deposit are removed from your account. Try to get as much • You get a message from someone you know, information as you can without giving any information but you don’t recognize their email address or of your own. Likewise, you can search for the person or phone number organization online. Seek out the advice of a lawyer or financial consultant if you’re suspicious of a communication. • Someone asks you to deposit a check on their behalf and offers you a portion of the cash for your help

Chapter 4: How to spot and avoid common internet scams

   RETURN TO TABLE OF CONTENTS 18 Fake approval notices

What is it? How to avoid it Impostor scams were the most common complaint Scam artists often target recent college graduates with to the FTC in 2018.7 A common example of this fraud fraudulent credit card offers. Homebuyers are likewise is when attackers send fake credit card approval vulnerable to housing scams. It’s important to be on the notices to consumers. lookout for scams anytime you’re making major life decisions involving large sums of money. Scammers may send emails claiming the target has been “pre-approved” for a line of credit, mortgage or Always be cautious of lenders that: personal loan.8 Similarly, attackers may claim to be • Promise to negotiate a loan modification to avoid insurance companies offering federal tax relief after a foreclosure. natural disaster. • Guarantee credit if you can pay a fee in advance. • Offer a suspiciously low or extremely high interest rate; or credit offers that don’t mention an interest rate.

Likewise, if you don’t remember applying for credit, it’s best to seek credit elsewhere. How to spot it • You get approved for an offer you don’t remember applying for. • You’re offered an insurance payout for coverage you don’t have.

Chapter 4: How to spot and avoid common internet scams

   RETURN TO TABLE OF CONTENTS 19 CHAPTER FIVE How to spot and avoid common offline scams

Today, consumers don’t only interact with electronic financial systems from their home computer or smartphone. Any time you swipe your Other offline scams to watch out for: credit card or insert your debit card chip, you make a vulnerable • Social Security fraud: Scammers often target seniors, claiming they will suspend Social Security benefits, threaten arrest or digital transaction. demand the target’s Social Security number.9 Physical purchases are susceptible to skimming devices. For example, • Health care scams: Fraudsters may attempt to solicit fees for a criminal might place a false chip reader over a legitimate point-of- services not rendered. sale device to siphon card data. In other cases, fraudsters might use a • Secret shopper scams: Mystery shoppers are independent portable RFID scanner to read card chips from a target’s wallet, purse, contractors posing as customers who report back to market or bag. If you would like to protect your cards from RFID scanners, you research companies, among others, about brand experience. can buy various RFID blocking protective card slips, wallets, or various However, duplicitous mystery shopping schemes demand shoppers to pay for goods upfront, or for a worthless certification. other accessories with this technology.

   RETURN TO TABLE OF CONTENTS 20 ATM fraud

What is it? How to avoid it ATMs are tempting targets for scammers. Always evaluate an ATM before you use it, even if it’s a The machines are filled with cash and consumers machine you frequent. Check for new buttons, unfamiliar regularly expose their card information and PINs. keypads or attachments that might conceal a pinhole Scams range from stealing card data to spying on camera. unknowing consumers. Pull on the card reader to check for devices that can capture your card data, known as skimmers. If it’s loose or comes off in your hand, do not trust the machine. Likewise, if the keypad feels loose, it may have been altered.

How to spot it Try to avoid ATMs in areas with low foot traffic or low light. • An ATM you use regularly looks different; there may Make sure no one is standing near you when you use the be a new card reader, different colored buttons or a machine. new attachment • Holes or cracks appear in the ATM shell • The card reader wiggles when you pull on it

Chapter 5: How to spot and avoid common offline scams

   RETURN TO TABLE OF CONTENTS 21 SIM card swapping

What is it? How to avoid it Fraudsters don’t need physical access to your The only way to really protect yourself from this scam is to phone to steal your phone number. They can trick never consider your phone number to be fully secure. You your phone carrier’s customer service into thinking can strengthen your phone account by requesting that your that you’re attempting to activate your SIM card on carrier place an additional passcode on it. another device. Then, they can use your number to You can prevent damage caused by a SIM swap scam by access your texts, phone calls, data and any accounts never linking other accounts, like your social media profiles, associated with your phone number. This includes to your real phone number. Instead, you can use a VoIP receiving secure access codes that are sent to your service such as a Google Voice number. These types of phone phone number. numbers aren’t associated with SIM cards, so there’s no way for a hacker to take them over.

How to spot it • Your phone suddenly stops receiving calls and messages • You get an alert saying your phone number has been successfully transferred to another SIM card

Chapter 5: How to spot and avoid common offline scams

   RETURN TO TABLE OF CONTENTS 22 CHAPTER SIX Know the common signs of identity theft

Clues that your identity has been stolen include: • You stop receiving calls and texts or can no longer connect with your wireless cell network. Vigilance will reduce your chances of becoming This could be your first sign that a criminal has taken over your cell phone account. a victim of identity theft, but there are no • A notice from an organization with which you do business stating you were impacted guarantees. If you are the target of fraud, it’s by a data breach. vital to take action as soon as possible. • Withdrawals from your accounts that you don’t recognize. Never ignore suspicious activity related to your • Your mail stops unexpectedly. financial accounts. Fraudsters often check to • You’re notified of a tax return that you did not submit. see if their targets are paying attention by • Your checks are refused by merchants. making small charges on accounts. Even if an • Your health insurance provider says you’ve reached your benefits limit when you haven’t unidentifiable charge only amounts to a dollar, been to the doctor. you should investigate. • You receive medical bills for procedures and services you didn’t use. • Unfamiliar accounts appear on your credit report.

   RETURN TO TABLE OF CONTENTS 23 CHAPTER SEVEN What to do if you’ve been scammed or think you might be vulnerable

Seeing fraudulent activity on your credit card bill, credit report or background Your next steps should include: check is never fun, but you shouldn’t panic. Approximately 16.7 million Americans • Change the passwords on all affected accounts—and were victims of identity fraud in 20171 and there are many resources available. unaffected accounts using similar login credentials or If you have a reason to believe your personal information was stolen, if you verification methods. do business with a company that recently experienced a data breach or your • Place fraud alerts with any one of the three major credit wallet was stolen take action immediately. reporting bureaus: Experian, TransUnion or Equifax— the chosen agency will provide notice to the others. It’s important to take these steps, even if you’re not certain that fraud has occurred. Scammers often hold onto information to wait until the target has • Freeze your credit. dropped their guard. • Contact and get reports from your debt collectors, creditors and your financial institutions.

Unsure if your accounts were impacted by a data breach? • File a report with local law enforcement or the FTC. The site Have I Been Pwned? can help determine if you were compromised. • Consider a credit monitoring service for added protection. • Check out OnPoint’s identity theft resources for more information.

   RETURN TO TABLE OF CONTENTS 24 CHAPTER EIGHT Tips for talking to your children about online safety

Some key ways to protect minors from these types of scams include: Fraudsters prey on vulnerable targets who may not have • Education: Teach children about threats they are likely to encounter online, much knowledge about financial scams. For that reason, such as malicious links, viruses, spam and online predators. identity thieves may target children. What looks like a • Device permissions: Newer models of smartphones often provide child-safety fun online game may be a trap designed to capture their controls, allowing parents to limit user access to an approved app list, block parent’s credit card information. Scammers may also offensive content and limit screen time. pose as children online to solicit personal information • Oversight: Parents can promote good digital habits by playing an active role from young targets. in the online interactions of their children. Playing an online game together can be a fun teaching moment.

   RETURN TO TABLE OF CONTENTS 25 Teaching kids about cybersecurity The best way to teach children about cybersecurity is to talk with them and engage them at a level they can understand. Try to connect cybersecurity to the advice you give your children about real life interactions. For instance, taking a gift from a stranger in the street is similar to accepting a friend request from a stranger online.

Important security topics for kids include: • Making strong passwords: Practice creating passwords by following best practices, including a unique password that contains a random combination of 10 or more upper- and lowercase letters, numbers and symbols. • Keeping devices safe: Establish rules about who is allowed to touch your children’s devices. Practice saying “No” to strangers. • Identifying secure Wi-Fi networks: Use flashcards to practice spotting the symbols that represent secure and unsecured networks. • Maintaining privacy of social media: Explain who can see social media profiles and practice finding and updating privacy settings online and in video games.

Learn more about how to protect your family from cybersecurity threats.

Chapter 8: Tips for talking to your children about online safety

   RETURN TO TABLE OF CONTENTS 26 CHAPTER NINE Small business cybersecurity

How small businesses can protect themselves from cyber attacks Small businesses are common targets for cyber criminals. Roughly 43% of cyberattacks target SMBs, resulting in an average loss of $188,000.10 SMBs are vulnerable because they often lack dedicated IT staff. Basic cybersecurity protocols to follow include: SMB owners can protect their assets by putting policies into effect that limit their exposure to risk. For • Keeping all software example, the decision to allow staff to access sensitive materials from their personal devices should be up to date. weighed against potential risks, such as malware infection. • Installing firewalls on all company devices. Before working with any IT vendors, SMB owners should ask for references and check online reviews. • Making secure backups of A trustworthy IT partner can audit the business’s current technology and make recommendations to all business-critical data. reduce the risk of a costly data breach. Learn more about how to teach employees about cybersecurity and what your employees should do to stay secure while working from home.

   RETURN TO TABLE OF CONTENTS 27 CHAPTER TEN List of resources

Education is the first defense against identity theft, but help is always available if you suspect you are a target for fraud or identity theft. If you’re ever in doubt about a suspicious message or transaction, follow the steps provided in this guide or notify your financial institutions and the credit bureaus of the suspicious activity.

Resources to prevent becoming a victim of identity theft Resources if you suspect your information has been compromised • The OnPoint Security Center • Have I been Pwned? • How to choose a password manager • File a complaint with the FTC • Get your free credit reports • Oregon identity theft resources • USPS Informed Delivery Service • Washington State identity theft resources • How to choose a VPN app • TransUnion credit freeze information • Experian credit freeze information • Equifax credit freeze information

   RETURN TO TABLE OF CONTENTS 28 Preventing identity theft and other forms of online fraud protects your finances and can give you peace of mind. Practicing good habits online can save you time and money in the long run.

Nevertheless, even people with the best cybersecurity plans are still vulnerable to new and unexpected attacks. Knowing how to respond if you suspect fraud can conserve valuable time and help you resolve your issue quickly.

OnPoint Community Credit Union is dedicated to providing reliable and trustworthy banking services in person and online. We follow a clear set of guidelines each time we contact you about your accounts or share your information with our affiliates.

Stay up to date on the latest security news, review tips, and learn more about how to protect your information at the OnPoint Security Center. Conclusion

   RETURN TO TABLE OF CONTENTS 29 1. https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime 2. https://purplesec.us/resources/cyber-security-statistics/#:~:text=Social%20Engineering%20 Statistics&text=98%25%20of%20cyber%20attacks%20rely,schemes%20in%20the%20last%20year 3. https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business 4. https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/ 5. https://arstechnica.com/tech-policy/2019/04/yahoo-tries-to-settle-3-billion-account-data-breach-with-118- onpointcu.com million-payout/ 800.228.7077 | 503.228.7077 6. https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement 7. https://www.ftc.gov/news-events/press-releases/2019/02/imposter-scams-top-complaints-made-ftc-2018      8. https://www.fincen.gov/sites/default/files/shared/MLFLoanMODForeclosure.pdf 9. https://www.aarp.org/money/scams-fraud/info-2019/social-security.html 10. https://www.microsoft.com/en-us/microsoft-365/business-insights-ideas/resources/cybersecurity-small- business#:~:text=A%20recent%20Verizon%20data%20breach,months%20of%20a%20cyber%20attack

©2021 OnPoint Community Credit Union

   RETURN TO TABLE OF CONTENTS  30 