Member Alerts

• When purchasing a smartphone, know the features of the device, including the default settings. Turn off features you don’t need to minimize the risk of attack.
• Some phones have encryption available. This can be used to protect your personal data in the case of loss or theft. Ask your cellphone dealer if this is available on your model.
• With the growth of the application market for mobile devices, be sure to look at the reviews of the developer/company who published the application.
• Review and understand the permissions you are giving when you download applications.
• Use a passcode to protect your mobile device. This is the first layer of security to protect the contents of the device. Also enable the screen lock feature after a few minutes of inactivity.
• Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that help protect your device from rogue applications and malware.
• Be aware of applications that use geo-location, which will track the user’s location anywhere. This application can be used for marketing, but can also to assist a possible stalker and/or burglar.
• Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cellphone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often compromises the cellphone’s security, making it more vulnerable to attack.
• Do not allow your device to connect to unknown wireless networks. These networks could capture information passed between your device and a legitimate server.
• If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
• Smartphones require updates to run applications. Update your phone regularly to reduce the risk of the device being hacked or compromised.
• Avoid clicking on or otherwise downloading software or links from unknown sources.
• Use the same precautions on your cellphone as you would on your computer when using the Internet.

*Source: Federal Bureau of Investigations, IC3 (Internet Crime Complaint Center), October 2012.

On April 26, 2014, Microsoft announced a serious vulnerability for users of Internet Explorer (IE) affecting versions IE 6 through IE 11. This vulnerability allows an attacker to insert and execute code on a computer.

What you need to know: Microsoft released a patch on May 1, 2014 to address the vulnerability. Users of IE 6 through IE11 should review the Microsoft Security Bulletin MS14-021 and ensure the patch has been installed prior to using the Internet Explorer browser. Until the patch has been installed, members are encouraged to utilize another internet browser, such as FireFox or Chrome.

While Microsoft released an update for Microsoft Windows XP users due to the severity of this vulnerability, further security updates are not expected for Microsoft Windows XP as the product has been discontinued.

An additional layer of security can be put in place to protect against financial malware threats by installing the IBM^® Trusteer Rapport product offered to CAFCU members at no-cost. Click here for details.

The mobile security firm, BlueBox has detected a security bug, dubbed, “Fake ID”, in all Android operating systems (OS) beyond version 2.1. This vulnerability could allow hackers to steal personal information, such as passwords or financial information, from Android users by creating an app that uses fake security credentials to access other apps on a user’s device.

Below are recommendations from Symantec:

Update your Android OS – While the Android security team has issued a patch and provided it to their partners, it may take some time for all partners to implement the patch, which unfortunately increases the chances of malware being developed to take advantage of this vulnerability. If you have an Android device with an OS version 2.1 or beyond, keep an eye out for platform updates from your service provider and implement them immediately.

Install a mobile device anti-virus/malware prevention tool – Several trusted providers offer apps which target this type of activity on a mobile device, such as Symantec’s Norton Mobile Security. Research the app on the vendor’s website to ensure it covers the Android vulnerability and that the vendor is legitimate prior to installing the application.

Use caution when downloading apps from stores other than Google Play – Google Play is taking extensive measures to detect “fakers” and prevent this vulnerability from becoming a serious threat. Make sure that your favorite app stores are reputable and are taking steps to protect users.

Although some card account data may have been compromised in these incidents, it does not mean data related to your account was taken, or that fraud has occurred on your account. Please be assured that we are actively monitoring the activity on your account to protect you from fraud. You will be contacted if we determine that your card must be replaced or if we see any activity that requires you to take any action. Otherwise, please review your monthly statements carefully and call us immediately if you see any suspicious activity.

You’re protected! Visa’s Zero Liability* policy means you don’t pay for unauthorized use of your credit or debit card. Rest assured knowing your financial security is our top priority.

*Visa’s Zero Liability policy covers U.S.-issued cards only and does not apply to ATM transactions, PIN transactions not processed by Visa, or certain commercial card transactions. If any unauthorized use is discovered, cardholder must always notify CAFCU promptly.

Basic phishing targets email users with a variety of ploys to try to gain access to sensitive information such as user names, passwords and credit card details. Cyber crooks may send out millions of messages that appear to be from a trustworthy or legitimate company, in hopes that even a tiny percentage of their scam's recipients are customers of the company they claim to represent. Phishing emails contain a link to a website where the user is asked to update personal information. But the site exists only to steal consumers’ data.

What you need to know: Legitimate companies do not send emails asking for personal information. Regardless of a caller’s claims or a website’s official appearance, never give out personal information when you receive an unsolicited phone call or email.

DocuSign^® is a globally-trusted, secure communication channel for signing documents. Recently, criminals acquired email addresses of people that use the service, and these criminals have attempted to commit fraud by sending fake emails that look like they are from DocuSign.

What you need to know:

1. Requests from DocuSign always come from one of these two addresses:
   • www.docusign.com
   • www.docusign.net
2. If you are not expecting a DocuSign email, don’t open it. If you feel it may be valid, access the documents directly by visiting www.docusign.com and enter the unique security code included at the bottom of every legitimate DocuSign email.
3. DocuSign never asks recipients to open a PDF, Office document or ZIP file in an email. If one is attached, assume the email is not legitimate and delete the email.

Fake emails using the names of U.S. airline companies urge recipients to confirm a ticket purchase by printing the invoice and ticket attached to the email. When unsuspecting recipients open the attachment, malware downloads onto their computer and fraudsters gain access to sensitive information such as account numbers, passwords and access codes.

What you need to know:

• Grammar and spelling mistakes and unusual formatting in the emails mark them as the work of scammers rather than legitimate airlines.
• If you didn’t order airline tickets recently, or if the email looks suspicious, don’t open the attachment. Delete the email immediately.
• Visit the FBI web page for more information.

Fraudulent emails request that recipients complete an online survey for the National Credit Union Administration (NCUA) and promise $40 compensation for completed surveys.

What you need to know: Neither NCUA nor CAFCU solicit personal information or send surveys via email.

Credit union members receive an automated call claiming to be from the credit union. The recipient’s caller ID may even show a legitimate looking local number. The recorded message requests verification of financial information or claims that the member’s account has been compromised and the member is asked to enter account information using the touchtone phone. The sensitive information is then digitally transcribed onto the scammer’s computer.

What you need to know: CAFCU may need to contact members by telephone for a variety of reasons. Our calls are always made by live credit union representatives and we will always verify your identity by repeating information you have previously shared with us. We will never ask you to volunteer information such as account numbers, credit card numbers or your PIN.

Text messaging scammers send a text message from an unrecognizable number stating that your credit union account or credit card account has been closed due to suspicious activity. The text then provides a number to call or URL to follow for more information. When you call or click, you are asked for personal information like Social Security and bank account numbers.

What you need to know:

• If you receive unwanted text messages, be careful. Contact your cell phone company and find out how to avoid receiving spam texts. They can help prevent text messaging fraud by adding spam filters to your account.
• Exercise the same caution you would when giving out a mobile phone number as you would with a personal email address or other personal information.
• Never respond to unsolicited text messages – it lets the sender know they've reached a working number.

The Federal Trade Commission recommends never turning over private information based on a text message request. And CAFCU will never ask you to follow a link or call a number via text message. Contact our Member Center immediately at 1-800-359-1939 if you have entered any personal information on a fraudulent web page.

You can also file a complaint on the Federal Trade Commission’s website, www.ftc.gov, or call 1-877-FTC-HELP.