By Kate Fazzini, CNBC
- You might get scammed this holiday season. If you do, here are the steps you should take next.
- If you think your Social Security Number was stolen, set up credit monitoring and consider a credit freeze.
- If you've given your banking info away, get on the phone to your bank as soon as you can.
It's almost Christmas. You're stressed. Someone called demanding your full credit card number, Social Security Number and bank account number to finish that online toy purchase you just made.
And you blurted them out.
Or maybe you got spooked by a phony IRS pitch. Or entered your bank account info into one of those well-crafted but fraudulent emails.
Cybercrimes come in a variety of forms, and they are all stressful.
So we broke down how to respond to five of the most common scams that might strike you or a loved one over the holidays, based on what the crooks may have gotten: Your Social Security Number, your bank account or credit card, access to your hardware or files, your pride or, worst of all, your hard-earned money.
You gave your Social Security Number away
Credit monitoring. If you suspect somebody has your Social Security Number -- whether they stole it from a company (like Equifax) or you gave it to them voluntarily -- it's important to set up credit monitoring. Typically your bank or the company that was breached will provide this to you for free.
You generally shouldn't pay for credit monitoring, as high
quality free products have proliferated in the marketplace particularly
after the incident at Equifax. Paid credit monitoring services can be
tricky to cancel, and you can typically achieve the same level of
service with a free product.
Set up alerts so you know the instant anything changes with your credit score -- you can usually do this through the credit monitoring program offered by your bank or credit card company, which is almost always a free service. Some of these services are free even if you're not a customer of the bank, such as Capital One's Credit Wise.
In fact, you may want to do this anyway -- monitoring your credit in this manner is good for everyone, not just victims of cybercrime.
Credit freeze. If you provided a scammer with your Social Security Number directly, or you already think your number was used fraudulently, you will need to act more urgently. You can place a credit freeze on your account with the three credit reporting agencies: Equifax, Transunion and Experian.
The freeze stays in place until you request it be removed. It's very important to be prepared to unfreeze or "thaw" (temporarily unfreeze) your credit if you need it -- for instance, if your home is damaged and you need to quickly rent an apartment, or your phone is damaged and you need to get a new one on credit. The credit agencies will provide you with a PIN number which you must keep on hand to unfreeze it.
Fraud alert. You can also place a fraud alert on your credit report, which will require businesses to contact you and verify your identity should anyone try to take out credit in your name.
A fraud alert is less intrusive than a freeze, and you need only
contact one of the above credit reporting agencies, according to the
Federal Trade Commission (FTC). You'll ask either Equifax, Transunion or
Experian to put a fraud alert on your credit report, and the bureau you
choose will "then contact the other two credit bureaus," the FTC says.
Since 2018, all of these services, including freezing, thawing, unfreezing and placing fraud alerts on your credit reports, are free. If someone is offering these services for a fee, watch out and make sure they're offering some additional value before signing up.
You put an account number into a dummy website
Some phishing emails or fraudulent URLs are created to look so convincingly like your bank's that it is easy to mistakenly enter your username and password or, if they ask for it, your checking or savings account number. Other websites are made to emulate popular e-commerce or retail websites, tricking you into entering your credit card details.
Call your bank immediately. If you've given away any of these numbers, call your bank immediately and describe the error in detail. Your bank should be able to read back any charges that have been made fraudulently and connect you to the right department to help freeze or suspend the accounts that may have been compromised. You can typically find the fraud department directly by using the fraud services number on the back of your credit card, or on the bank's website.
If fraudulent charges have been made, you may have to fill out a paper report, and any reimbursement may take time, typically a bit longer for debit cards than for credit cards.
Here's a version of one of these forms, used by Inova Federal Credit Union. A banker may call you to ask follow-up questions.
Changing a checking or savings account number may be more time-consuming, but it may be necessary to prevent future wire fraud, which is possibly the most painful of all cybercrimes. If you must do this, you'll have to be extra careful about any automatic debits that you have from your checking account and remember to change the number to the new account, as accidentally using the old account number may cause you to accrue bounced check fees.
You're locked up with ransomware
Ransomware is ugly, and it's taken down everyone from FedEx and Merck to the city government of Atlanta. Ransomware is malicious software that locks up your computer or files, making it impossible to access them.
Anyone can be a victim. Criminals have even targeted individual people, who have ended up paying a few hundred bucks to free up their photo albums.
If you're a victim of ransomware, you will typically lose access to your files, and you may receive an automatic message from a criminal offering to give you an encryption key that will unlock your files for a fee.
Back important files up. The best defense against ransomware is a good offense. If you back up your most important home files, then you may lose the hardware locked up by the ransomware, but you won't have to pay money to a criminal to get back your data. The easiest way to do this is using free or low-cost personal backup storage programs like Google Drive, Apple's iCloud or Microsoft's OneDrive.
Hunt for a decryption solution. There are also free databases of publicly available information that can help you decrypt many popular strains of ransomware, so if you are up to hunting down this information, you may be able to simply unlock your files without paying a cent to anyone or losing your computer. The No More Ransom project offers an easy-to-use interface, where you can type in details of the ransom demand or other information to find out if a solution already exists.
Consider paying, but be aware of the risks. You can also simply pay the ransom if the files are valuable enough. But paying can have a lot of downsides, including signaling to criminals that you are willing to pay, and possibly inviting more ransomware in the future. The ransom demand itself may also be a scam, and you can lose your money if the encryption keys provided by the criminal either don't work or are nonexistent. The FBI recommends not paying.
Whatever you choose to do, you can report these scams (and the others) to the FBI via their Internet Crime Complaint Center (IC3).
You got a sextortion email
Don't believe it. There are few things in this life that I will claim to know for certain, but this is one: Nobody has secretly recorded you watching pornography over your webcam. I mean it. They haven't. And they're not contacting your spouse about it.
If you get an email asserting that somebody has done this -- even if
it has your email address and password in the subject line -- it's a
scam. Criminals get your passwords and other private information from
darkweb fire sales of personal information. This information can't
really be used for much, other than to convince you that they somehow
know who you are.
If you already paid money to the person on the other end of one of these emails, contact your bank to attempt to reverse the transaction.
You can report this to the FBI or local police as well, and while it is helpful for their ability to track these types of crimes, there is little they can do to get your money back.
Just be aware that billions of these emails are hitting inboxes daily and there's no need to panic.
You wired money to a scammer
In a typical wire fraud scam, a criminal breaks into the email of someone who you know, usually professionally -- an attorney, realtor or business associate. He or she squats on the email until he or she knows how you interact with this person, and then strikes, sending you a message -- usually an urgent one -- convincing you to wire money to an unfamiliar bank account, in order to facilitate a legal matter, home transaction or vendor payment.
Usually, the bank account is offshore. Because
the transaction involves email fraud, your bank won't reimburse you.
It's a more involved type of cybercrime and for a good reason -- because
criminals get money wired directly to their accounts, and often very
large sums.
Drop everything and call your bank. If you have fallen victim to this type of crime, drop everything you're doing and contact your bank's (the sending bank's) wire department to attempt to halt the wire. If you are successful, this can save you enormous headaches later. If you know the real identity of the receiving bank, you can attempt to contact its wire department as well, although the fraudster's bank is usually overseas and may be more difficult to reach.
File reports with law enforcement. If you
have lost money to one of these scams, you can file a police report with
your local department and a fraud report with the FBI. If the fraud was
the result of a compromised professional's email account (such as a
lawyer or realtor), their business insurance may be able to compensate
you in whole or in part for the lost money, but you may also have to
file a lawsuit to retrieve it -- a process that may leave you out of
pocket for a long time.
Wire fraud can best be prevented by
letting those who provide you with professional services know of the
dangers of this type of fraud, and setting up a private system involving
voice verification or other multiple factors of authentication before
wires are approved and sent, and particularly in the event routing and
account number details have changed.
Having the right attitude
But above all of these, to recover from a successful cyberattack, it's best to get mentally ready ahead of time.
I know that at your workplace, school, or through conversations with your kids or parents, you may have learned that stupid people cause cybersecurity incidents, and being not-stupid can prevent them. The conventional wisdom suggests it's stupid to have an easy-to-guess password, to re-use passwords or to be fooled by a phishing email or to take a scammer's call.
Stop thinking this way. Phishing emails
that seek to convince you to give up account numbers, scam calls that
are meant to trick you into providing your social security number --
they are better than ever, and criminals are refining their tricks all
the time.
The average person has hundreds of passwords -- it's
inevitable that some of them are "bad" or subject to being mechanically
uncovered by a simple algorithm. It's inevitable that some may be
reused.
Sure, it's a great idea to use fresh and unique passwords,
especially for financial accounts. But it's impossible to imagine that
everyone will do so perfectly every single time.
It is also important to pass on this attitude to your friends and family: The people closest to you can lose valuable time and money because they are too embarrassed to tell anyone they made a mistake.
So if you made a mistake, forget all the guilt that may have been conveyed through poorly designed training methods of the past. Don't be a sad sack, and don't be a drama queen. Just be ready to take immediate action to preserve your identity, accounts, computers, dignity, cash or all five.