Security News

April 2018

3 SIMPLE wAYS TO Stop Cybercriminals

In 2017, $16 billion was reported stolen from 15.4 U.S. million users, and the numbers keep rising.
That means you probably know someone who was robbed by cybercriminals, or worse still you could be next. Here are three simple ways to stop cybercriminals before they target you.

  1. Tune up passwords

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or “crack” them. Instead, choose a random word and intersperse it with numbers, symbols, as well, or rely on a series of words.

  1. Avoid strangers

As kids we were told to never talk to strangers. Why open emails from them? Malicious emails (phishing scams) are designed to lure you into opening links and downloading files, which can corrupt your computer. If they’re from people or companies you don’t know, don’t open them.

  1. Skip Public Wi-Fi

When using a public Wi-Fi at locations like Starbucks, you never know what web-browsing policies their server is running. In places like this, you can become a victim of a man-in-the-middle attack, or unknowingly connect to a fraudulent, free public wireless access point posing as a real franchise. Never use public Wi-Fi with confidential data unless you’re behind a Virtual Private Network (VPN).

For more security tips, visit our Security Center at

January 2018

Chip Vulnerability Created by “Meltdown” and Spectre”

You may have seen media notices regarding potential threats to computers and cell phones entitled “Meltdown” and “Spectre.” These “vulnerability flaws” are present in processing chips manufactured by major chip vendors, such as Intel. Although it has not happened, a successful “hack” of these chips could access the memory found in computers and expose passwords and other sensitive information.

Computer and phone manufacturers are presently working on patches to repair these vulnerabilities, and we wanted to remind members of the importance of keeping their operating systems current and downloading security fixes as they become available.

As it relates to your relationship with LAPFCU, we already have numerous safeguards in place and are working diligently to apply all available security patches to our systems as they are released. As some of these may impact online banking and other member “tools,” we will do our best to notify members in advance of any service interruptions which may result from the addition of security patches.

Over recent years, LAPFCU has made a heightened effort to strengthen our security controls as hacking and fraud became more widespread. Rest assured, your relationship with us remains safe and secure.

November 2017

Cyberattacks Will Spike During Holidays, Cybersecurity Firm Predicts

Holiday shopping will set new records this year — and so could fraud, according to new predictions from cybersecurity company ThreatMetrix.

“According to data from our Q3 2017 Cybercrime Report, businesses will be heavily targeted for cyberattacks this week through Black Friday — with more than 50 million attacks anticipated to be unleashed. Intensified bot activity detected by ThreatMetrix during the past quarter shows cybercriminals are leveraging automated attacks, which will help fuel these increased incidents,” the company said.

The San Jose, California-based company said this year’s peak holiday shopping days will see highest-ever transaction volumes, and online commerce will outpace in-store commerce.

“We will see the return of the ‘Cybercrime Christmas,’” the company said.

New findings reveal the stunning amount of data breaches happening so far in 2017.

Fraudsters are expected to launch automated bot attacks to test identity credentials on retailer websites, the company said.

“ThreatMetrix also anticipates sustained high volumes of bot attacks as more leaked identity data becomes available to cyberthieves on the dark web. Indeed, some attack peaks will see more than 90% of retailers’ web traffic coming from automated bots testing identity credentials,” it predicted.

More than 450 million bot attacks were detected in the third quarter of 2017 alone, a large proportion of which targeted e-commerce merchants, it noted.

That could rack up a big bill. In 2016, illegal transactions and chargebacks grew 31% during the holidays; the cost to merchants totaled 7.5% of their annual revenue that year, the company said. The most targeted segment for online purchases was cosmetics and perfume, which saw fraud rates spike 172% in October 2017 alone.

Rising mobile use is helping open the door to fraud, according to the company.

“Mobile appears to be the starting point for most shoppers, accounting for up to 54% of retail web traffic. And the channel is now home to roughly 33% of all online purchases. But for retailers, the mobile revolution isn’t risk-free. With a growing number of consumers opening and managing accounts on their mobile devices, more of them are saving credit card information to retailer sites and apps, making them tempting targets for cybercriminals wielding stolen login credentials,” it said.

Gift cards are also becoming a bigger gateway to crime, offering criminals a way to monetize stolen credit cards quickly, sell gift cards for cash at online auction sites, it noted.

“If Holiday 2016 was any indication, expect such online marketplaces to face several sustained spikes in rejected transactions as fraudsters use bots in their attempts [to] hack into user accounts,” ThreatMetrix said.

Even holiday charitable donations are targets.

“ThreatMetrix detected a series of transactions aimed at testing payment credentials. These $5 payments made with stolen credit cards are designed to test the validity of cards before using them elsewhere online to make a high value purchase. Charities are also vulnerable because they typically make donations very easy, with few security barriers. Despite high legitimate giving, the testing volume was sometimes as high as 70% of the total transactions,” it reported.

Online holiday shopping is expected to rise about 14% to over $107 billion this year, with Cyber Monday becoming the largest online shopping day in history, according to new predictions from Adobe Analytics.

Orem, T. (2017, November 21). Cyberattacks Will Spike During Holidays, Cybersecurity Firm Predicts. Retrieved November 22, 2017, from


September 2017

Fraud Alert: Tech Support Scams

If you’re sitting at home or work and you suddenly receive an email, text or phone call saying your computer system is at risk, what do you do? Your first reactions might be fear and shock. But what you do next can determine whether or not you compromise your personal or financial information. If you haven’t asked for technical assistance from a company or website, you are most likely being scammed and a potential target of fraud.

Why would fraudsters choose to impersonate tech support to get your personal information? Because it plays on fears of something you heavily use being compromised. Your computer, internet, product orders and profiles from websites, etc. are all mediums that you use daily and contain personal information. When we fear something important to us has been compromised, we can make rash decisions. According to,

“The phishing attacks are always evolving and trying to force us into ignoring our own good sense…Lately, modified phishing email messages appear to be from reputable and well-known companies. They’ve used Amazon, LinkedIn, and Alibaba so far, but more are likely around. They use social engineering to trick the user into clicking on links that take them to fake technical support websites…In some cases, users give up payment card information, but in others popup windows keep appearing. Another one is a never-ending dialogue loop throwing up fake tech support warnings with fake phone numbers where the user can get “help.”1

By exploiting emotions, scam artists get you to quickly take action without questioning the validity of the claim. So how can you protect yourself in one of these situations?

  • Don’t jump to conclusions or make decisions based on emotions.
  • Trust your gut. If it seems suspicious – don’t give out any personal information.
  • Always be cautious of someone claiming they are trying to help you when you never asked for assistance.
  • If you receive a suspicious email from a regularly used vendor, go to your account on their website to read notifications instead of opening up links inside the email you received.
  • Do not give your social security or credit card number over the phone. Hang up and call the company directly to confirm the alleged issue. Always find the phone number from the company website, and do not use the number that the “agent” provides.

Remember: you are never obligated to give out your personal information. If you have more questions about keeping your personal information safe, please call 877-MY-LAPFCU (877-695-2732).

1New Twist On The Popular Tech Support Scam Has Surfaced. (2017, August 21). Retrieved August 22, 2017, from

July 2017

The FBI issued a Fraud Alert1 regarding counterfeit checks, payment scams and extracting personal information. The best way to avoid falling victim to scams is to prevent them from happening. But as technology gets more sophisticated, so do the techniques that fraudsters use. Ask yourself the following questions, suggested by this Fraud Alert1 from the FBI, to ensure you haven’t become a victim of fraud.


  • Is the check from an item you sold on the internet, such as a car, boat, jewelry, etc.?
  • Is the amount the check more than the item’s selling price?
  • Did you receive the check via an overnight delivery service?
  • Is the check connected to communicating with someone by email?
  • Is the check drawn on a business or individual account that is different from the person buying your item or product?


  • Have you been informed that you were the winner of a lottery such as Canadian, Australian, El Gordo, or El Mundo, that you did not enter?
  • Have you been instructed to either “WIRE”, “SEND”, OR “SHIP” MONEY, as soon as possible, to a large U.S. city or to another country, such as Canada, England, or Nigeria?
  • Have you been asked to pay money to receive a deposit from another country such as Canada, England, or Nigeria?
  • Are you receiving pay or a commission for facilitating money transfers through your account?


According to the Collins English Dictionary, Phishing is “the practice of using fraudulent e-mails and copies of legitimate websites to extract financial data from computer users for purposes of identity theft.” Be sure to ask yourself:

  • Did you respond to an email requesting you to CONFIRM, UPDATE, OR PROVIDE your account information?

Scam artists are always thinking of new ways to defraud victims. Always be aware of the latest scams, and don’t be afraid to second guess any communication that seems suspicious, especially when it is regarding money. To learn more about fraud schemes, please visit

1Source: Fraud Alert Poster. (2016, June 16). Retrieved July 14, 2017, from

2Collins English Dictionary – Complete & Unabridged 2012 Digital Edition. © William Collins Sons & Co. Ltd. 1979, 1986 © HarperCollins. Publishers 1998, 2000, 2003, 2005, 2006, 2007, 2009, 2012.

May 19, 2017

DocuSign Phishing Attempt

DocuSign users are being targeted by an email phishing attempt. The users receive an email from what appears to be from DocuSign. The email is designed to be official-looking and states that the user needs to download and print a document attachment. However, the document attachment is really an executable program file containing malware that infects the user’s computer.

We have notified LAPFCU members who have used DocuSign about this phishing attempt. However, the attempt is targeting all Docusign users, not just LAPFCU members.

It is important to note that the perpetrators are only targeting users with phishing emails and have not stolen any user personal information.

Never open emails or attachments when they are unexpected, if you do not recognize the sender, or if you are unsure of what the email is or why you received it. Always keep your antivirus software and operating system up-to-date.

For more information about the DocuSign phishing attempt, please visit the DocuSign Trust Center.

January 17, 2017

What is Ransomware?
A Security Update from LAPFCU

The Los Angeles Times called 2016 the year of “ransomware.”1 What is ransomware and how can we make sure this security threat doesn’t roll over to 2017?

First and foremost, let’s define ransomware. Ransomware is malware –malicious software designed to damage your system – that makes you pay a “ransom” to regain access to your website or data.

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. [Ransomware]… attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.


Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.2

According to the United States Computer Emergency Readiness Team (US-CERT)2, here are some steps you can take to prevent ransomware:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date.
  • Do not follow unsolicited web links in email.
  • Use caution when opening email attachments.
  • Follow safe practices when browsing the web.

If you become a victim of ransomware, report it to the FBI at their Internet Crime Complaint Center. LAPFCU is always looking out for you and new ways to keep your personal information safe. If you would like more information, please read the FBI Cyber Division’s brochure on ransomware here.

Sources: 1Hiltzik, M. (2016, March 8). 2016 is shaping up as the year of ransomware. Retrieved March 11, 2016, from 2Crypto Ransomware. (20104, October 22). Retrieved March 11, 2016, from

December 2, 2016

Monitor Account Activity During the Holidays With Text Alerts

During the holidays, your accounts and card experience a lot of activity. It’s important to keep track of balances, transactions and monitor for fraud. One useful feature of LAPFCU’s text banking services* is the ability to receive alerts and block unauthorized transactions. Here are three free and simple ways you can monitor account activity:

  1. smsGuardianTM For Debit Cards. The best way to beat fraud on a debit card is to catch it early and stop it. That’s why LAPFCU is introducing smsGuardianTM, which sends a text alert when a signature-based transaction is performed on your LAPFCU debit card.* If you receive an alert for a purchase you didn’t make, and confirm that it’s an unauthorized transaction, a notification will immediately be given to a fraud analyst so they can block the card. Learn more and opt-into smsGuardian here.
  1. PATROL Text Alerts For Your Accounts. Sign up for account alerts through PATROL Online Banking! Simply go to My Settings and choose Alerts and Notifications on the left side. You can choose text alerts for various types of account activities and reminders.*
  1. eZCard For Your Visa Always be aware of your transactions and how close you are to the limit on your credit card account. The more knowledgeable you are, the more likely you are to notice unauthorized purchases, an approaching credit limit or high balance. Members can receive multiple notifications for their LAPFCU Visa credit cards, including payment due date reminders, current balances, transactions and much more!*

eZCard gives you plenty of options so you always know what is happening with your LAPFCU Visa credit card! Take advantage of this free service on Create an account, log in and then select Add New Alert in the upper right corner.

Learn more about smsGuardian or eZCard here. If you would like to sign up for PATROL Online Banking, please call 877-MY-LAPFCU (877-695-2732).

February 22, 2016

To Shred or Not to Shred?

One the best ways you can defend yourself against identity theft or other forms of fraud is to shred important documents when you don’t need them anymore. But, what is considered an important document? The following is what we recommend you shred:

  • ATM Receipts. You don’t need them after you have compared them with your online account or paper statement.
  • Tax Returns. The IRS states that you should keep your tax returns for approximately three years. After that, it is recommended you shred them because of the personal and financial information on them.
  • Monthly Account Statements. Regardless of the account type, any type of monthly financial statement you receive should be shredded after three years.
  • Plastic Cards. If you have an expired credit or debit card, be sure to shred it. You should never just throw it away.
  • Paycheck Stubs. You really should only keep your latest paycheck stubs if you are applying for a mortgage loan. Otherwise, you can shred the ones you don’t need.
  • Insurance Policies, Claims and Payment Information. Anything about your insurance policy should be kept as long as you have your policy. You should speak to your broker to see how long you should keep claims and payment information, and anything you do not need to keep should be shredded.
  • Loan Information. Anything that has to do with a mortgage loan, auto loan or other type of loan that includes your loan number, address, Social Security Number or other personal financial information should be shredded when you do not need it any longer.

The best rule of thumb to follow is if there is personal financial information on the document or form, you should shred it. If you feel more comfortable using a professional shredding service, just bring your documents to one of LAPFCU’s free shredding events. To learn more, check back at for Shred-It Day events or give us a call at 877-MY-LAPFCU (877-695-2732).

Southwest Strategic Marketing, LLC

January 24, 2016

Beat scammers to your IRS refund check

Here is the IRS’s phone number: 800-829-1040. With an anticipated $21 billion in tax refund fraud this year, you might need it. And that figure doesn’t include losses from dodges like the IRS phone scam, which has been enjoying a renaissance of late.

IRS phone frauds aren’t terribly difficult to detect. You get a call from the IRS saying you owe money and that you must pay immediately. The threat of police intervention may or may not accompany this hot and heavy approach.

Here’s the one-step method: hang up. The IRS doesn’t call asking for money yet.

Let’s say you forget the one-step method. Here are four dead giveaways that it’s a scam:

  1. The IRS never asks for immediate payment.
  2. The agency will never bill you without giving you an opportunity to dispute the claim.
  3. Although you shouldn’t get this far into the conversation, the IRS doesn’t care how you pay, and won’t point you to a particular method.
  4. There will never be any threat involving police or marshals or prison.

If you were starting to feel a little better, stop. Think of tax refund fraud as the clever cousin of the above. It’s not at all easy to detect, or even avoid.

Tax refund fraud getting worse

With more than a billion personal records “out there,” identity theft has become the third certainty in life, right behind death and the topic at hand.

I continue to talk about this topic because a knowledgeable taxpayer stands a better chance of sidestepping the tax-time pitfalls out—especially tax refund fraud.

Unfortunately, if you become the victim of tax refund fraud, you are going to have a long road ahead before everything is resolved. It is not uncommon to wait more than six months before you get the tax refund that’s actually owed to you.

That is why it’s important to shift to a new paradigm and act.

  1. Assume that your data has been compromised, and proceed accordingly.
  2. File your taxes as early as possible.
  3. Read all mail from the IRS, and if there is any indication of fraud, act without delay.

What’s the bottom line here? There are myriad ways to get scammed. If your Social Security number has been compromised in a data breach (21.5 million SSNs were compromised in last year’s Office of Personnel Management breach alone, not to mention the approximately 100 million SSNs involved in health care breaches), then you are in the danger zone.

What to do if you’re a victim

Report the crime. File a report with your local police, call the FTC Identity Theft Hotline at 1-877-438-4338, and the IRS at the number provided at the beginning of this column.

Request a fraud alert or credit freeze. Your Social Security number is definitely in enemy hands. Contact one of the three major credit reporting agencies—Equifax, Experian or TransUnion—and ask that a fraud alert be placed on your credit records. A credit freeze is a more comprehensive lockdown of your credit report than a fraud alert, but it’s also a bit more cumbersome. You have to request a freeze with each of the three bureaus and there may be a fee to freeze and unfreeze your credit, depending on the state where you live. No matter which option you choose, it’s important to remember this is no silver bullet and there are still other forms of identity theft you’re vulnerable to despite having a frozen credit report.

Consider enrolling in credit monitoring programs. You might wish to purchase a combination credit and fraud monitoring service, which provides instant alerts whenever anyone attempts to open a credit account in your name. This can be an effective backup to fraud alerts.

Close fraudulent accounts. Again, the tax refund fraud is impossible without your personally identifiable information. Check your credit reports. You can get free copies of your credit reports once a year at (You can also get a free credit report summary every month on Close any credit or financial account that has been tampered with by a thief or opened without your permission.

Contact the IRS. Call the number provided on the IRS notice informing you of the fraud if it is not the same as the number provided here. To clear your tax record, complete IRS Form 14039, Identity Theft Affidavit. You can use a fillable form at, print it, then mail or fax it.

Pay your taxes. Be sure to continue to pay your taxes and file your tax returns on time, even if you must do so by mailing in paper forms.

Stay diligent. If you contacted the IRS about taxpayer ID theft and did not receive a resolution, also contact the Identity Protection Specialized Unit at 1-800-908-4490 about your case.

Stay alert. You have to assume that if someone has enough of your personal information to file a tax return, they have more than enough information to commit other forms of identity theft. Read every explanation of benefits statement and be sensitive to any communication you may receive from a debt collector. It may not be a mistake.

Unfortunately, tax fraud is a fact of life. The best way to deal with it also happens to be simple: File as early as possible and open all your mail.

January 11, 2016

Common Tax and IRS Scams

Phone scams are not a new invention, but thieves step up their game around the holidays and during tax season. E-mail scams are also becoming increasingly more popular as technology expands. With so many avenues, scam artists seek to exploit more opportunities every day.

Here are some of the common scams that you should be aware of:

Phone Scams:

Although it is not a new scheme, IRS impersonators are on the rise. Sometimes these fraudsters will say you owe money, and sometimes they will actually say you have come into a windfall and they need your information so you can claim your money. Because the scammers may already have some of your information, it might seem like a legitimate phone call.

In addition, the scam artists may be able to change the caller ID to make it seem like the IRS really is calling. If you owe taxes, or if you should receive a refund, the IRS will notify you by mail. They will not call you.

E-mail Scams:

E-mail gives IRS impersonators a platform for reaching the masses. By getting the person who receives the e-mail to click on a link or attachment, they are able to gather information about your username, passwords or other sensitive information. Even if the email has a legitimate logo or URL, the IRS does not initiate contact with taxpayers via e-mail.

According the IRS website:

Note that the IRS will never: 1) call to demand immediate payment, nor will the agency call about taxes owed without first having mailed you a bill; 2) demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe; 3) require you to use a specific payment method for your taxes, such as a prepaid debit card; 4) ask for credit or debit card numbers over the phone; or 5) threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.1

It is important to be aware of phone, e-mail and any other type of IRS scams. Many scammers try to target victims during the holidays, when taxpayers are already spending a lot of money and prepping for tax season. Don’t be a victim – stay informed! If you would like to learn more about tax scams and consumer alerts, please visit