Protect your financial information
Oregon State Credit Union will never ask you for your online banking username and password. Nor will we ever ask for the authentication code you’re sent when you log in to online banking or the mobile banking app. To protect your financial information, never:
- Respond to suspicious emails or texts
- Share your account information
- Share your online banking username and password
Password best practices
If you have an internet-connected device, like a computer or smart appliance, you also have several passwords to remember and manage. Passwords guard the gateway to your personal and confidential information. They can be the easiest form of computer security to implement, but they can also be the weakest link in your security arsenal. How you create and manage your passwords can be the difference between being hacked and scammed or remaining secure.
Let’s look at what makes for a strong password and how you could manage the inventory of passwords under your control.
- Create a strong password. Passwords should have at least 10 characters and include uppercase and lowercase letters, numerals and symbols. Do not use personal information in your password, such as your name, a family member’s name or pet’s name.
- Make a unique password for each login. It’s tempting to re-use a password; after all, how many unique passwords can one person remember? But doing so sets you up for disaster. Instead, make use of password generators and managers to develop more complex passwords and safely store them for you.
- Don’t save usernames, passwords or credit card information in your browser, and periodically clear your offline content, cookies and history. Set up multi-factor authentication whenever possible. This could be as simple as receiving a code that you have to type in.
- Don’t let retailers store your login and password. It’s a hassle to re-enter your login and password each time you visit your favorite online retailer, but not as big a hassle as having your personal information stolen.
- Never share your passwords with anyone. No reputable company will contact you to ask for your password. And no matter how much you may trust your friend, you don’t know their security practices.
- Change the password to your financial institution regularly. Whether it’s every 60 days or twice a year, the important thing is to keep changing it. If you believe your account has been compromised, change your password immediately. And don’t recycle old passwords.
How to create a strong password
With a little creativity, you can create passwords that are relatively easy to remember but difficult to hack or guess. Cybersecurity experts recommend three techniques:
Make it long: One way to make a strong password is to make it long. You could use a phrase that would be easy for you to remember, but difficult for a stranger to guess. Don’t use book titles, song lyrics or common phrases. Instead, use something from your personal life. It should be at least three words long and include capital letters and at least one symbol, like an exclamation mark or question mark.
Use a coded phrase: Using a combination of letters, numbers and special symbols, you can create coded words and phrases that are meaningful to you. Consider the following:
- 1!f8yl@Nd2!f8yC – One if by land, two if by sea
- W!1Dg00$e(h@$e – Wild goose chase
- $#0rtW0r)sR8e$t – Short words are best
- 1^^4lle@rz – I’m all ears
Use a password generator: A password generator is a software tool that automatically creates random passwords. There are some excellent password generators that you can buy, but there are also free versions that are probably enough for the typical home user. Secure Password Generator is a free, online tool that creates random passwords based on criteria you set. iPassword Generator is another free tool that can create up to 10 random passwords at one time. Search on “free password generator” to produce a list of options from which to choose.
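What a password generator does with the rules listed above, as an added example (this code is not from Oregon State Credit Union or from any of the tools named here). It checks a password against this page's criteria and generates random ones that meet them; the function names and the sample personal terms are assumptions made for the example.

```python
import secrets
import string

MIN_LENGTH = 10                 # minimum length given in this article
SYMBOLS = string.punctuation    # ASCII symbols such as ! @ # $


def policy_failures(password, personal_terms=()):
    """Return the reasons a password breaks the article's rules (empty list = OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 10 characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    # "Do not use personal information": reject names you tell the checker about.
    lowered = password.lower()
    if any(term and term.lower() in lowered for term in personal_terms):
        failures.append("contains personal information")
    return failures


def generate_password(length=16, personal_terms=()):
    """Draw random passwords from the OS random source until one passes every rule."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        # secrets uses the operating system's cryptographic random generator;
        # the ordinary 'random' module is predictable and unsuitable here.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_failures(candidate, personal_terms):
            return candidate


if __name__ == "__main__":
    # Constructed sample: a short password built from a pet's name.
    print(policy_failures("Rex2019!", personal_terms=("Rex",)))
    print(generate_password(16, personal_terms=("Rex",)))
```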
How to store your passwords
The problem with maintaining an army of passwords – each one unique – is remembering them. You could write them all down on a piece of paper, old-school style. That’s great as long as you keep that paper in a secure, fire-safe location and remember where it is. Or you could store a list of passwords on your computer, but cyber security experts don’t recommend that. If a bad actor gets access to your computer, they also will have access to all your passwords.
Instead, security experts recommend using a password manager. Password managers – which often come bundled with password generators – will store your passwords for you. The best ones will sync your passwords across multiple devices and operating systems.
Like password generators, there are paid and free password managers. Bitwarden offers a free plan that works with almost any device and browser and offers cloud-based syncing across all supported platforms. KeePass is another free password manager. It offers an offline mode that you can use on a desktop or from a thumb drive.
If you want to pay for a password manager, you can find versions that will store your credit card information, IDs and receipts; notify you if one of your passwords has been involved in a data breach; offer 2-factor authentication; and more.
Whether you choose a free manager or pay for one, the most important thing is to be password aware and follow the best practices for creating and managing your passwords. Start there and you’ll be way ahead of most cyber criminals.
Fight the Phish
Phishing (pronounced “fishing”) is a social engineering attack meant to steal your personal information, including online banking credentials and credit card numbers. In a phishing attack, a criminal masquerades as a trusted source to trick the victim into opening an email, instant message, text message or social media post, or responding to a phone call.
The following are examples of actual phishing attacks. Each example includes one of the telltale signs of phishing: it’s unexpected, they’re asking for personal information over an unsecure connection, or there is pressure to act fast.
- “We suspect an unauthorized transaction on your account. To ensure your account is not compromised, click the link below to confirm your identity.” (Don’t click the link. Oregon State Credit Union will never send an email asking you to click a link to confirm your identity.)
- “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.” (Don’t click the link, and don’t enter your personal information.)
- “Our records indicate your account was overcharged. You must call us within 7 days to receive your refund.” (That’s not how refunds work. Don’t fall for it.)
Phishing is big business. To get started, criminals can purchase a “phishing kit” on the dark web. Then they just need a list of email addresses and telephone numbers–which are also for sale on the dark web. Once credentials have been stolen, criminals loot the accounts or sell the data. There is a thriving underground market for stolen online banking credentials, which can be sold for hundreds of dollars or more per account.
Criminals who send phishing emails and text messages usually have a story to trick you into clicking on a link or opening an attachment. They may:
- Say they’ve noticed some suspicious activity or log-in attempts
- Claim there’s a problem with your account or your payment information
- Say you must confirm some personal information
- Include a fake invoice
- Want you to click on a link to make a payment
- Say you’re eligible to register for a government refund
- Offer a coupon for free stuff
These are not the only stories criminals tell when trying to convince you to fall for a scam. The bottom line is: if it doesn’t feel right, if it is unexpected, if you didn’t initiate it, or if there is pressure to act fast, STOP. Think about the story and verify the details before you act.
Protect yourself from phishing
The best protection against phishing is awareness and education. Learn what you can do to protect yourself, your information and your money.
Be stingy with your credentials. Limit what personal information you post online, don’t volunteer any personal information that isn’t required, and challenge any requirement for personal information that seems unnecessary. No reputable organization will ask for your personal information over email or text. And don’t give your information over the phone unless you’ve initiated the call and are certain you know who you are dealing with.
Beware of surprises. If you receive an unexpected request to verify an account or personal information, an announcement that you’ve won a prize, or even an attached photo of your friend’s new puppy, be suspicious. If you can, verify with the sender that the request is legitimate. If you can’t verify, don’t click the link or open the attachment.
Trust your instincts. Does the message contain misspelled words or grammar errors? Does it seem odd—not like the usual tone your friend or co-worker would normally use? Is the request unusual? If it feels wrong, it probably is. If the message is legitimate, there’s no harm to be done in verifying it before you act on any request.
Check the links. If you hover your cursor over the links in an email, you can see where the URL is pointing. If it doesn’t match up with what you expect, don’t click it. In fact, even if it appears to be going to the correct location, type it into your browser manually. Better safe than sorry.
Think before you click. Be wary of communications that urge you to act now, offer something that looks too good to be true, or ask for personal information in exchange for something desirable.
Check the sender. Visually check the sender’s email address before replying or clicking on links, then go one step further. Because email addresses can be spoofed, float your cursor over the address. If it is from a company, it will most likely have the company’s name in the address. If it doesn’t, call the company to verify.
Use double authentication. Some accounts offer extra security by requiring double authentication. In addition to entering your password, you may receive a code via text or email that you must also enter, or you may be asked to use biometric data, like your fingerprint or face. Whenever possible, opt in to double authentication. It’s an extra step, but it could be just the thing to stop a thief in their tracks.
Types of phishing
There are too many types of phishing attacks to list them all, but the table below lists some of the most common types.
|Name of phishing attack|How it works|
|---|---|
||An email spoofing attack that targets a specific person or organization. These often contain highly personalized details about the target.|
||A specific type of phishing attack that targets high-profile employees of a company, like the CEO or CFO.|
||The voice equivalent of phishing conducted by voice mail, landline or mobile telephone.|
||An attack in which someone receives a text message designed to trick them into downloading malware or to send them to a fake website.|
||Have you ever been surfing the web and been interrupted by a message that pops up on your screen claiming your computer has been compromised and needs immediate repair? Unless you have installed software that scans your computer in the background while you work, it’s a scam.|
|Social media phishing|This involves the criminals using social media posts or direct messages to persuade you into a trap. They may impersonate one of your friends, pretend to be a company offering a refund on a recent purchase, or attempt to strike up a relationship with you.|
There’s no crime scene, no yellow tape or flashing lights from a police cruiser; there may be nothing to indicate that a crime has been committed. Nevertheless, victims of cybercrime suffer many of the same consequences as victims of old-fashioned crime: stolen money, damaged reputation, credit card theft.
If you think you’re one of the 47% of Americans who has been a victim of a cybercrime, the first step is to understand what type of crime you’ve been targeted with and the type of information potentially exposed.
There are many kinds of cybercrime, but they tend to fall into several categories:
Phishing attack – Phishing is a social engineering attack often used to steal personal information, including login credentials and credit card numbers. In a phishing attack, the cybercriminal masquerades as a trusted source and tricks the victim into opening an email, instant message, text message or social media post. The goal is to get you to click on a malicious link or download an attachment. Successful phishing attacks can install malware on your computer that steals your personal information or login credentials, conscripts your PC into an army of malware-spreading bots, or even shuts down your computer until you pay a ransom to the criminals. The consequences can include unauthorized purchases on your credit card, stolen funds, identity theft and more.
Your best defense against phishing is to learn to recognize and avoid it. Never click on links or download attachments until you verify the sender. Don’t click on online quizzes and contests. Don’t fall for solicitations to verify your email or other personal details. Instead, call the person or company using a valid phone number and validate the request.
Malware – Malware is malicious software designed to harm or exploit a programmable device, like your PC, mobile phone or tablet. But malware can also infect some unexpected devices, including your internet router, smart TV, online security camera and even your smart doorbell. In fact, the smart devices in your home are just as vulnerable to malware as your computer.
Malware is often spread through phishing attacks and malicious advertising on popular sites, but it can also spread through sharing infected USB drives, infected apps and fake software installations. The goal is similar to phishing: to steal your personal information or login credentials, scare you into paying to repair your computer, spread spam, add your PC or device to a growing network of malicious bots, or take your device (and data) hostage and demand a ransom.
Common signs that your device has been infected by malware include slow performance, infection warnings accompanied by offers to sell you a “fix,” annoying pop-up ads, unexpected browser redirects and problems shutting down or starting your computer.
The industry closely tracks malware and pushes out frequent software updates to defend against the latest versions. Your first line of defense is to keep your operating systems, programs and apps up to date on all your PCs, mobile devices and smart devices. Whenever possible, enable automatic updates. You should also install anti-virus software, limit what files you share with others, avoid clicking on links or downloading attachments, and be distrustful of pop-up windows. Don’t click on any part of the pop-up window, not even to close it. Instead, use the task manager or close the window in the taskbar.
Credential stuffing – Credential stuffing is a cybercrime in which credentials (user names, passwords, etc.) stolen through a data breach on one service are used to try to log in to another service. The attacker may obtain a list of logins and passwords stolen in the data breach of a department store and use them to try to log in to a financial institution, like a credit union. The attacker is hoping that at least some of those department store users also have an account at the financial institution and use the same login and password for both services.
You can limit the damage credential stuffing can do by using unique passwords on all your banking, social media, email and retail accounts. At the very least, use a strong login and password for your online banking and don’t use them for any other service. Never share your passwords with anyone or enter them on a public computer.
Debit or credit card fraud – Debit or credit card fraud is the unauthorized use of a card to fraudulently obtain money or make unauthorized purchases. The introduction of new technology, like EMV chips, has made it difficult for criminals to steal your card information using skimmers at the cash register or ATM, but the rising popularity of online shopping has provided new opportunity for cybercriminals intent on this kind of crime.
You can protect yourself by shopping only with trusted vendors.
- Look for URLs that begin with “https,” and a padlock in the site’s address bar.
- Click on the padlock and it will provide you with security information for that site.
- If you’re uncertain about a website, run the URL through an online verification site. For instance, URLVoid.com can provide details about the site, and transparencyreport.google.com can tell you if a website is safe.
- Don’t get to the site by clicking on a link in an email. Instead, type in the URL yourself, or use a web browser to search for the business.
Identity theft – The increasing use of computer networks and electronic data sharing has made stealing personally identifiable information (PII) easier than ever. Cybercriminals can obtain your personal information through a phishing attack, malware, or by purchasing it on the dark web. Being the victim of identity theft is more than an inconvenience. Armed with just your Social Security Number, name and address, a criminal can wreak long-term damage to your financial stability, including the ability to purchase things, open accounts or receive benefits to which you’re entitled.
To protect yourself from identity theft, monitor your accounts and credit reports diligently, change your account passwords regularly, and enroll in alerts and notifications to confirm transactions on your accounts are legitimate.
Card Control and Card Management lets you manage your Oregon State Credit Union Visa credit and debit cards. It puts a powerful set of controls at your fingertips, including: real-time alerts, purchase blocking, reporting your card lost or stolen and ordering a replacement card. We also offer free text alerts on your credit and debit cards, and alerts and notifications for a variety of actions on all your accounts, including large withdrawals.
Scammer targets Oregon State Credit Union members
Oregon State Credit Union members have been receiving messages from an individual impersonating an Oregon State Credit Union employee. The messages may come by phone, text or email. This person will ask for your online banking username and password. Armed with that information, the scammer can gain access to your online banking account and transfer money out of your account.
Don’t fall for it. Oregon State Credit Union will never ask for your online banking username and password. If you believe you may have given out your personal information and could possibly be affected by this scam, please call us as soon as possible at 800-732-0173.
Five ways to tell if you’re being scammed
You can avoid falling for a scam by learning how to recognize the most common techniques. There are hundreds of variations on the details, but most scams include one or more of these elements: money, personal information, unbelievably good luck, pressure to act, and fear. If you can learn to recognize these common elements, you stand a better chance of spotting an online scam before you fall prey to it.
Identify the major red flags of a scam: know when to hang up
It’s not always easy to identify a phone call as a scam from the start—successful scammers will use many tools to appear legitimate. But when it comes time to gain the information that they need from you, there are some common major warning signs.
- The caller asks for your card PIN. Never provide your PIN to anyone—verbally or with your phone keypad. There is no valid reason that a caller will ever request your card PIN.
- The caller asks for your authentication code. Never provide your authentication code to anyone.
- The caller asks you to provide your online banking username or password.
- The caller asks you to provide your card or CVV number.
Below are more fraud articles to help you protect your financial information.
More fraud articles
Wire transfers: Scammers often use methods that make it difficult to cancel or reverse the transaction and get your money back, like wire transfers. Wire transfers are a fast, irreversible way to send money domestically or internationally.
Digital payments: Scammers are targeting person-to-person payment systems like Pay It Now, Zelle® or Venmo®. If they can get your online banking username and password, they can move your money to their account. Never give anyone your online banking username and password.
Check or account deposit: If you have ever sold something online or through a public advertisement, you may have encountered this type of scam. This is when a scammer sends you a check or deposits money to your account for more than the amount needed to cover the sale. They may say the extra is for shipping or other fees. They will instruct you to deposit the check and send any unused portion back to them. They will pressure you to complete the transaction quickly – typically within a few days. But after you send the money, the check will bounce, leaving you responsible for the full amount of the check and any associated fees.
This scam takes advantage of the time it takes a check to fully process through the financial system. It can take up to 10 business days to identify a check as fraudulent. If the scammer can get you to complete the transaction before that happens, they will make off with your money.
Be suspicious if anyone pressures you to complete such a transaction quickly, especially if they urge you to use mobile check deposit to deposit the check. Scammers know their fake checks might not stand up to scrutiny. They don’t want to take the chance that a credit union employee might spot the fraud and save you from being a victim of this crime.
Debit or credit card: If you have a debit or credit card, there is a chance your card information has been compromised in a scam or data breach. You can prevent scammers from making unauthorized purchases by setting alerts on your Oregon State Credit Union cards using Card Control and Card Management. You should also examine your monthly statements for suspicious activity.
Gift and prepaid card: One popular scam is to solicit payment or donations by pre-paid credit cards or gift cards. Be wary of anyone who asks to be paid in this manner. Gift cards are like cash, and charges cannot be reversed.
Cryptocurrency: Cryptocurrency is a new form of digital money that can be traded online for goods or services. Cryptocurrency scams are a new way to trick people into sending money because, once sent, cryptocurrency cannot be recalled or canceled. If anyone asks you to make a payment, send money or invest using cryptocurrency, be careful. If they insist the payment must be made using cryptocurrency, it’s probably a scam.
Tech support: Tech support scammers want you to believe you have a serious problem with your computer, like a virus. They want you to pay for tech support services you don't need, to fix a problem that doesn’t exist. They often ask you to pay by wiring money; putting money on a gift card, prepaid card or cash reload card; or using a person-to-person app like Pay It Now because they know those types of payments can be hard to reverse. Tech support scammers use many different tactics to trick people. Spotting these tactics will help you avoid falling for the scam.
Helpful fraud department: In this scam, the caller pretends to be with your financial institution’s fraud department. The caller is likely using a spoofed phone number so the incoming number looks legitimate. The caller explains that possible fraudulent activity occurred on your credit card, and they provide you with fake transaction details or your card number so you believe your card was compromised. They may even claim your card has been blocked. Under the guise of verifying your identity and helping you get a new card, the caller will attempt to gain your personal information and private banking information.
Amazon: This involves people operating under the guise of Amazon customer service, but the only service they’re providing is cleaning out your credit union account. If you get an unusual call from Amazon notifying you of a potential security breach, be very cautious about providing any personal information to them. If you get a text or email advising you to call Amazon, do not call the phone number in the message, and do not call Amazon at a phone number you found by searching online. If you get a message about a refund you did not expect, do not provide your credit union account information. In all of these cases, you should log in to your Amazon account and contact customer service from within your Amazon account. And remember: never click on a link in an email unless you know with absolute certainty who is sending that email.
Economic impact payments: Scammers continue to target economic impact payments. Watch for these scams.
- Fraudsters send potential victims fraudulent checks, instructing the recipients to call a number or verify information online in order to cash the fraudulent checks.
- Stealing an economic payment from the U.S. mail.
- Phishing schemes with the intent of getting financial account information.
Learn about other Economic Impact Payment scams.
COVID contact tracing: Contact tracing is the process of identifying people who have come into contact with someone who has tested positive for COVID-19. Unfortunately, there are people out there who pretend to be contact tracers but are in fact scammers trying to steal your personal information. The Oregon Department of Justice has issued a warning about this scam.
COVID-19 vaccine-related: With every passing day, the news on COVID-19 vaccine distribution seems to change, and scammers, always at the ready, are taking advantage of the confusion. Besides a big dose of patience, here are some tips from the Federal Trade Commission to help you avoid a vaccine-related scam.
Unemployment benefits: Identity thieves are exploiting the COVID-19 pandemic by submitting bogus unemployment benefit claims and collecting benefits meant for others. According to the FBI, these unemployment scams are difficult to detect. Learn how to tell if you’ve been a victim of this type of scam and what you can do about it.
See more articles about fraud and scam awareness
At Oregon State Credit Union, we work hard to protect our members from fraud by developing tools designed to thwart scammers, and by providing helpful fraud protection information that can help members learn how to safeguard personal information. The best way to keep your information safe is to be aware and knowledgeable.
These articles will help you learn how to recognize common scams, take action if you think you are a victim of fraud, and learn what you can do to protect your finances from fraud.
- How to protect your identity from email, phone and online fraud
- Beware of fake check scams
- Be safe at the ATM
- Learn how to protect your identity
- Our commitment to your security
- Beware of social media scammers
- Avoid scams during the holidays
- Estatements are safer than paper statements
- Create a strong password
- How to tell if a charity is legit
- Scamming the elderly
- Fraud involving credit and debt
- Five ways to tell if you're being scammed
- What to do if you’re a victim of ID theft
- Watch for these stimulus payment scams
- Scam text claims card blocked