Security matters—do your part to protect your identity.
Learn more at FTC.gov
What is Identity Theft?
Identity theft is the use of an individual's personal information such as a social security number, mother's maiden name, date of birth, or an account number to fraudulently open new credit card accounts, charge existing credit card accounts, write checks, open bank accounts or obtain new loans. Identity thieves may obtain this information through a number of means, including:
- Stealing wallets that contain personal identification information and credit cards.
- Stealing financial institution statements from the mail.
- Diverting mail from its intended recipients by submitting a change of address form.
- Rummaging through trash for personal data.
- Stealing personal identification information from workplace records.
- Intercepting or otherwise obtaining information transmitted electronically.
There is now a new form of Identity Theft called Phishing. Learn more about how to protect yourself in our section on Phishing below.
HOW DO I PREVENT IDENTITY THEFT?
- Do not give personal information, such as account numbers or social security numbers, over the telephone, through the mail, or over the Internet unless you initiated the contact or know with whom you are dealing.
- Store personal information in a safe place and tear up old credit card receipts, ATM receipts, old account statements, and unused credit card offers before throwing them away.
- Protect your PINs and other passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your social security number, your phone number, etc.
- Carry only the minimum amount of identifying information and the number of credit cards you need.
- Pay attention to billing cycles and statements. Contact the bank if you do not receive a monthly bill; it may mean the bill has been diverted by an identity thief.
- Check account statements carefully to ensure all charges, checks, or withdrawals were authorized.
- Guard your mail from theft. If you have the type of mailbox with a flag to signal the box contains mail, do not leave bill payment envelopes in your mailbox with the flag up. Instead, deposit them in a post office collection box or at the local post office. Promptly remove incoming mail.
- Order copies of your credit report from each of the three major credit bureaus once a year to ensure they are accurate. Details about how to get a free credit report can be found at the FTC website (Free Credit Reports | Consumer Advice).
- If you prefer not to receive pre-approved offers of credit, you can opt out of such offers by calling 1-888-5-OPT OUT (1.888.567.8688).
- Consider freezing your credit. Under Federal law, credit freezes and thaws are free. Additional details can be found at this FTC website: Free credit freezes are here | Consumer Advice
The FTC provides several resources to help prevent unwanted marketing communications.
For information on reducing unwanted mail, visit: How To Stop Junk Mail | Consumer Advice
For information on reducing unwanted phone calls, visit: National Do Not Call Registry
IF YOU ARE A VICTIM OF IDENTITY THEFT
- Contact financial institutions or other creditors where you think your account(s) may be the subject of identity theft. Request that they restrict access to your account, change your account password, or close your account if there is evidence your account has been the target of criminal activity.
- Also, file a report with your local police department. Report identity theft at the FTC's website: IdentityTheft.gov or by calling 1-877-IDTHEFT. Your information goes into a secure consumer fraud database and is shared with local, state, and federal law enforcement agencies.
- Contact the fraud departments of the three major credit bureaus and request they place a fraud alert and a victim's statement in your file. If you have filed a police report or completed the FTC’s identity theft report, as described above, you will be eligible for an Extended Fraud Alert. The fraud alert puts creditors on notice that you have been the victim of fraud and the victim's statement asks them not to open additional accounts without first contacting you. There is no cost to place a fraud alert.
Review your report to make sure no additional fraudulent accounts have been opened, or unauthorized changes made to your existing accounts. Also, check the section of your report that lists inquiries and request that inquiries from companies that opened the fraudulent accounts be removed.
WHAT IS PHISHING?
Phishing (pronounced like fishing) is the fraudulent practice of sending emails purporting to be from a reputable company or individual in order to induce the recipient to reveal personal information such as passwords and credit card numbers. The senders then use this confidential information to commit additional fraud.
In the worst case, you could find yourself a victim of identity theft. With the sensitive information obtained from a successful phishing scam, these thieves can take out loans or obtain credit cards and even driver's licenses in your name. They can do damage to your financial history and personal reputation that can take years to unravel. But if you understand how phishing works and how to protect yourself, you can help stop this crime. Here's how a typical phishing scam works:
- In a typical case, you'll receive an e-mail that appears to come from a reputable company that you recognize and do business with, such as your financial institution. In some cases, the e-mail may appear to come from a government agency, including one of the federal financial institution regulatory agencies.
- The e-mail will probably warn you of a serious problem that requires your immediate attention. It may use phrases, such as "Immediate attention required", or "Please contact us immediately about your account". The e-mail will then encourage you to click on a button to go to a phony website. In a good phishing scam, this phony site may look exactly like the real thing.
- Any information entered on this fake site has the potential to be captured by the hacker. This includes username, password, MFA code, or other information you use to verify your identity when speaking to a real financial institution, such as your mother's maiden name or your place of birth.
If you provide the requested information to a fake website, you may find yourself the victim of identity theft.
HOW DO I PREVENT PHISHING?
- Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. E-mails and Internet pages created by phishers may look exactly like the real thing. They may even have the padlock icon that ordinarily is used to denote a secure site. IF YOU DID NOT INITIATE THE COMMUNICATION, YOU SHOULD NOT PROVIDE ANY INFORMATION.
- If you believe the contact may be legitimate, contact the financial institution yourself. You can find phone numbers and Web sites on the monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself.
- Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.
- Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.
IF YOU ARE A VICTIM OF PHISHING
- Contact your financial institution immediately and alert it to the situation.
- If you have disclosed sensitive information in a phishing attack, you should also contact all of the three major credit bureaus and discuss whether you need to place a fraud alert on your file, which will help prevent thieves from opening a new account in your name.
Contact information for credit bureau fraud departments can be found at this FTC website: IdentityTheft.gov - Credit Bureau Contact Information, or the FTC can be reached at 1-877-IDTHEFT.
Internet Banking Authentication Security
First Federal Bank & Trust is committed to doing everything possible to secure customer information such that unauthorized parties cannot access it. A number of measures have been taken to secure customer information over the Internet, one of which is the Login Name and Password used to authenticate (login) to Internet Banking.
The Login Name and Password are entered through a basic HTML object called a form. The form securely sends the entered information to a web server for processing through a process called "submit". Part of executing a "submit" involves telling the form where the data is to be transmitted. In the case of the Login Name and Password customers enter from the Bank Homepage, the form is instructed to submit the data to a web server that is protected by Transport Layer Security (TLS). This is what makes the form post secure.
Prior to any exchange of information with a web server protected by TLS, the web browser is required to negotiate a TLS session through a process called a TLS handshake. Once the TLS session is negotiated between the web browser and the web server, the data being sent to the web server is encrypted by the web browser in such a way that only the client and the server involved in the TLS session can read it. Thus, the Login Name and Password entered from the website are secure as they are transmitted via the Internet.
Password Best Practices
- Use a long passphrase. According to NIST guidance, you should consider using the longest password or passphrase permissible. For example, you can use a passphrase such as a news headline or even the title of the last book you read. Then add in some punctuation and capitalization.
- Don’t make passwords easy to guess. Do not include personal information in your password such as your name or pets’ names. This information is often easy to find on social media, making it easier for cybercriminals to hack your accounts.
Passwords should not be a word found in a dictionary, even foreign language dictionaries. When trying to guess passwords, hackers have been known to use dictionaries as part of “brute forcing” access.
Don’t think that substituting letters with numbers and punctuation marks or symbols makes a password unguessable (for example, replacing an “a” with @, or i with !). Hackers have built “custom” dictionaries that include these variations.
- Keep your passwords private. Don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through email or calls. There is no reason for a bank (or any other service provider) to ask you for your password, so don’t provide it.
Do not reuse passwords for different services. Every time you share or reuse a password, it chips away at your security by opening up more avenues in which it could be misused or stolen.
Unique account, unique password. Having different passwords for various accounts helps prevent cybercriminals from gaining access to these accounts and protects you in the event of a breach. It’s important to mix things up—find easy-to-remember ways to customize your standard password for different sites.
Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.
Utilize a password manager to remember all your long passwords. The most secure way to store all of your unique passwords is by using a password manager. With just one master password (and MFA code), a computer can generate and retrieve passwords for every account that you have – protecting your online information, including credit card numbers and their three-digit Card Verification Value (CVV) codes, answers to security questions, and more.
Only provide your password to the device or system that you intend to log in to – double-check to be sure that any site you are logging into is the legitimate site. Look for changes in the site name or domain (.net, .com, .co, .gov, etc.). Also, look for misspellings or substitute characters (such as l’s replaced with 1’s).
- Keep your mobile devices and apps up to date: Your mobile devices are just as vulnerable as your PC or laptop. Having the most up-to-date security software, web browser, operating system and apps is a strong defense against viruses, malware and other online threats.
Keep your other devices up to date. Our computers, phones and tablets are not the only devices that can be hacked. Keep other “smart” devices like internet routers, security cameras, smart thermostats, smart doorbells, and children’s toys up to date as well.
Once you’ve purchased an internet-connected device, change the default password and use different and complex passwords for each one. Consider using a password manager to help.
Check the devices’ privacy and security settings to make sure you understand how your information will be used and stored. Also, make sure you’re not sharing more information than you want or need to provide.
Enable device encryption: Encrypting your devices helps to prevent unauthorized individuals from gaining access to the information on lost or stolen devices.
Enable automatic software updates where applicable, as running the latest version of software helps ensure the manufacturers are still supporting it and providing the latest patches for vulnerabilities.
Set your security software to run automatic updates and scans.
Secure your devices: Use strong passwords or touch ID features to lock your devices. These security measures can help protect your information if your devices are lost or stolen and keep prying eyes out.
Think before you app: Information about you, such as the games you like to play, your contacts list, where you shop and your location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps.
Only download apps from trusted sources. Most vendor app stores vet their apps for malicious behavior, which provides a level of protection that is not available outside of these stores.
Now you see me, now you don’t: Some stores and other locations look for devices with Wi-Fi or Bluetooth turned on to track your movements while you are within range. Disable Wi-Fi and Bluetooth when not in use.
Get savvy about Wi-Fi hotspots: Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your mobile device while you are connected. Limit what you do on public Wi-Fi and avoid logging in to key accounts like email and financial services on these networks. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection on the go.
Review privacy and location settings regularly to be sure that they are set as you intend them to be. When in doubt, disable a setting – you can always re-enable it if you find that you need it.
Delete when done: Many of us download apps for specific purposes, such as planning a vacation, and no longer need them afterward, or we may have previously downloaded apps that are no longer useful or interesting to us. It’s a good security practice to delete all apps you no longer use.
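Returning to the password guidance above on dictionary words and letter-for-symbol substitutions: the following added example (not part of the original page) shows the kind of check a password policy can run to reject a dictionary word that is only disguised with symbols or padded with digits. The wordlist is a constructed stand-in, and every substitution other than "@" for a and "!" for i is an assumption.

```python
import itertools
import re

# Symbol-for-letter swaps. "@" for a and "!" for i come from the text above; the
# other entries are assumed common variations added for this example.
SUBSTITUTIONS = {"@": "a", "!": "il", "1": "il", "0": "o", "3": "e", "$": "s", "5": "s", "7": "t"}

# Constructed stand-in for the dictionary a password policy would load.
WORDLIST = {"password", "sunshine", "dragon", "baseball", "welcome"}


def candidate_spellings(password, limit=512):
    """Yield readings of a password with its symbols swapped back to letters."""
    # For each character: the letters it may stand for, then the character itself.
    options = [SUBSTITUTIONS.get(ch, "") + ch for ch in password.lower()]
    # Cap the expansion so a long, symbol-heavy input cannot blow up the check.
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def disguised_dictionary_word(password):
    """Return the dictionary word hiding in the password, or None if there is none."""
    for spelling in candidate_spellings(password):
        # Ignore digits and punctuation tacked on at either end ("dragon2024!").
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", spelling)
        if core in WORDLIST:
            return core
    return None
```

A long passphrase of several unrelated words passes this check because no single dictionary entry matches it, which is the reason the guidance favors length over symbol swaps.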