
Easy Ways to Stay Cybersafe with ICCU’s Chief Security Officer

September 13, 2024


At this point, internet safety can feel like the world’s flashiest unicorn — alluring but obviously make-believe. How do we stay safe when the threat is everywhere? It’s not like most of us can disavow our phones or the internet and just move on with our lives. So how do we protect ourselves?

The first step, as cliche as it may sound, is educating yourself — and educating yourself well. So we brought in the big guns to answer your most common cybersecurity questions: Chief Information Security Officer, Nick Stafford, and VP of Community Development, Laura Smith. Watch the podcast or read the full transcript below.

Developing a Cybersecure Mindset

If Stafford could sum up everything he’s learned in the field of cybersecurity, it would be this: Wear the tinfoil hat. Wear your suspicion heavily. Scammers are after everyone. The only way to be safe is to be suspicious, particularly when it comes to financial information.

If you get a message, call, email, or alert from Idaho Central Credit Union (or anyone for that matter) that seems even just slightly off, listen to that feeling. Your gut often knows something’s off before your mind does.

“If it doesn’t look like something that you would be expecting from ICCU, in most cases, that’s going to be fraud.”

Got a Suspicious Message from ICCU?

If you received a suspicious email from ICCU, forward it to abuse@iccu.com. If it’s a text message, take a screenshot and forward it there as well. 

Report scams even if you’re not 100 percent sure. Our security service providers analyze the threats to see if they’re real, then use advanced mechanisms to take down these harmful sites and scams. By reporting a potential scam, you may prevent that scammer from taking advantage of others down the road.


The Easiest Way to Be Cybersafe

The simplest ways to boost your internet safety are also the most effective ones. Stafford recommends using a password manager (like LastPass or 1Password) because otherwise you won’t be able to remember the sheer number of passwords you need to stay safe on the internet today. He alone, for instance, has over 450 passwords.

Think about it this way: You can’t 100 percent guarantee that your information will stay safe, particularly since the average internet user has data strewn throughout the web. But you can lower the odds of getting hacked, and you can absolutely stop cybercriminals from causing irreparable damage by doing one thing: using more unique passwords.

If you use the same password for Facebook and ICCU, for example, and a cybercriminal steals your social media login information, they just got one step closer to accessing your money. But if you use unique passwords, only your social accounts may be at risk. Do what you can to stay safe, and you’ll be surprised at its impact.


Read the Transcript

Laura: Hello and welcome to Your Daily Balance, Idaho Central Credit Union’s video podcast, where we’re here to bring you tips and tricks to helping you on your way to achieving financial success. October is Cybersecurity Awareness Month. And we’re here to talk with the best around.

Nick: You are too kind.

Laura: Nick Stafford. He’s our Chief Security Officer at Idaho Central Credit Union. Hi.

Nick: How are you?

Laura: Good. How are you?

Nick: Oh, back for another year.

Laura: I know, this is great! This is our first duplicate episode but there’s always new things. So we’ve got to keep it fresh.

Nick: For sure.

Laura: So Nick, tell us about your position at Idaho Central and how long you’ve been here.

Nick: Yeah. So I’m the Chief Security Officer here at ICCU. That role has me managing both the cybersecurity and the information security side of the house, as well as the physical security side of the house. I’ve been here a little over three years now, and it’s been a phenomenal experience to be here at ICCU serving our members.

Laura: Yeah, and we love having you because this is something that we take so seriously as a credit union. Cybersecurity, I mean. A lot of companies take this very seriously, but we really put a lot of effort and people and resources into it. So we’re going to be talking about keeping yourself cybersafe. And one of the reasons we would do a duplicate episode is because things are constantly changing, scammers are constantly evolving, and so we wanted to talk about what are some things that people can do to keep themselves cybersafe?

Nick: Yeah, you know, the first thing that I always talk to people about is to wear the tinfoil hat. Everybody kind of makes fun of cybersecurity people because they have that stereotype about us. But everybody needs to (be careful) in the digital era. The reason is because the bad guys, the adversaries, the scammers — they’re after everyone. They’re after everyone indiscriminately. Really, the best way to stay safe is to be vigilant, is to be suspicious of anything that comes in, particularly when it’s dealing with your financial institution. Let’s say you get a message that looks like it might be from ICCU. The best way to deal with it is not to click on any links. If you have questions or concerns, the thing to do is to call in or reach out to your local branch.

And we have had reports of people that would say something like, you know, I got this text. It looks like it could be something from ICCU. What do I do?

Yeah. And the answer is, wear your suspicion heavily. If it doesn’t look like something that you would be expecting from ICCU, in most cases, that’s going to be fraud. If it has some uncertainty to it and you’re not sure, again, the right answer is call the Member Service Center or check in with the Video Service Center or check in with one of our branches. They’ll help you identify whether or not that message is true and real or not.

And when you say call into the VSC or the call center, one of the keys there, and I’ve heard this time and time again, is to actually go on your own. Don’t go through the text or through the information that you’re looking at, but on your own, go to Idaho Central Credit Union’s website, get that number from there directly, right? Don’t just assume that it says “contact us” and think, “Oh yeah, I’m contacting them.”

Yeah, that’s an important catch. You’re wearing your tinfoil hat, Laura, I’m impressed. One of the things that the fraudsters often do is include their own contact information in these messages, whether it’s a link in a text or contact information in an email. You always want instead to go to the origin site or go to iccu.com directly and then engage with us that way, to make sure you’re getting the right phone numbers and contact information there. Because a lot of times the scammers will put their own information in there and that’s a part of the scam.

And one of the other things too, we like people to report that, right?

Oh, we totally do. In fact, it’s not just that we like it. It’s an important part of our defense technology. What happens when a member reports an abusive message or a fraudulent message, it goes into our abuse inbox and that automatically gets forwarded to our industry-leading partners who help us take down the domains and the websites that these fraudsters are posting on to steal credentials from our members. So reporting is actually a very important part of our strategy.

Yeah. And at Idaho Central, we tell people to take a screenshot and send it to abuse@iccu.com. Is that the best practice?

Yeah. If it’s an email, obviously just forward that into abuse@iccu.com. If it’s a text message, do a screenshot and go into your email and then send that screenshot into abuse@iccu.com, and our service providers are able to distinguish between both of them and then use all of those mechanisms to take down these websites.

Well, that’s good news. So, I wanted to talk a little bit about the motives of the scammers. Like why do they do this? You know, what makes this something that there’s so much of going on?

Sure. Really, the answer is money. And in almost all cases the motive comes back to, the scammers are out trying to make money. There may be some political aspects to it, maybe nation-state-level types of attacks, but that doesn’t happen very much with financial institution members. In general, the primary impetus behind these scams is they’re after money. They’re trying to get people to give them their private information so then they can use it, turn that around and then monetize it.

Yeah. I think one thing that people should be aware of is that, we do so much online, right? And, we have different accounts for all kinds of different places that you’re buying things, places that you’re researching things, whatever the case is. There’s just so much information there. What are some ways that people can increase their online security, or improve their online security for themselves? Cause it’s really all the small things, right?

It totally is. You know, one of the first things we always try to advise people on is to use a password manager. Just to illustrate, I was in Google, my password manager, I use Google, on one of my services for some of my personal functions, and I’ve got over 450 passwords stored in Google. There’s no way I could remember all those passwords.

No, people cannot remember that many passwords.

I can’t. Now maybe some of us can, but I can’t.

And what tends to happen is people tend to reuse passwords when they can’t remember all of them. Since all of us are using dozens or hundreds, maybe thousands, of online services, that password can get reused many times. What ends up happening is that one of those services will eventually get breached then those credentials will then be lost and then they will be sold on the dark web. There are services on the dark web that allow people to buy credential breaches, and plug those credentials in. Those services will test them out against 10,000 websites to see which ones they’re able to log into. So that’s one of the means by which bad guys can gain access to your information. And really the easy answer is you use a password manager to help manage that.

So that you use different passwords on all your different systems?

Yep, different complex passwords.

How do you find a password manager? I mean, I know you’re the expert. So, you know, I just don’t know how to find a password manager and how do you make sure you’re using it correctly? And this is more for personal things that I’m talking about.

Yeah. We don’t have any in particular that we endorse. There’s a number of open and free password managers out there. Both Apple and Google have them. Everybody has a mobile phone, so those are usually the easy ones to start off with. There are more complex password managers out there that allow you to maybe share passwords amongst different groups of people, for example, at work. Those are commercial versions and there’s a number of those out there as well. Really, I think the password managers that most people associate with are the ones that are available on their mobile phones.

The other one that we should talk about is card control. We think about card control sometimes as just getting, you know, updates when we’re swiping our card and things like that, but that can be a huge fraud deterrent, right?

Oh, absolutely. I mean, it’s nice to be able to understand when your card is being used, and the other big part of it too is to be able to, in the event that you think you’ve maybe lost your card or that it may have been stolen or compromised, you have at your fingertips the ability to get in and manage it almost instantly without having to wait online.

Yeah. And it’s fast. I mean, when you swipe your card, like on your phone or on your watch or wherever you have it set up, you’re getting those alerts and it’s saying, “your card was swiped at XYZ place.”

The best way to know it’s you.

Yeah. And if it wasn’t you– I mean, you’re aware.

Yeah, you’re aware, and awareness is really half the battle, being aware of it is half of it. And then doing the right things is the other half. Card control and getting those notifications can be a really strong way of knowing your finances, and you know, knowing what’s happening with your accounts.

Yeah. And that you’ve authorized those things to happen.

Exactly.

The other thing too is with Card Control. If you ever did see something that wasn’t quite right, you can turn your card right off and call us right away.

Exactly. And that’s the other big advantage of it is you’ve got that at your fingertips. You don’t have to wait. You don’t have to sit online or, you know, especially if you’re traveling, for example in different time zones. It’s all available, at your fingertips.

And it’s free!

And it’s free! Yeah, it’s all a part of being a member of ICCU.

Yeah. That’s amazing. Another thing that we should mention here is My Credit. When you’re talking about fraud or things that could happen. If you’re keeping an eye on your credit report and making sure that the things that are on there are things that you’ve authorized.

Yeah, that’s one of the more powerful things that you can do to protect yourself is to make sure that you understand what’s happening with your credit. It’s fair to say that everybody’s identity has been compromised multiple times, where there have been dozens and dozens and dozens of breaches, you know, throughout the past 25 years. Our identities are very likely stolen. So it’s best to assume that your identity is out there in a number of different repositories and in the dark web. One of the best ways to protect yourself is to just be vigilant and watch. Make sure that you understand, you know, what’s going on with your credit. And if you see something pop up that you didn’t set up, well, that’s a good sign that you need to get on that right away.

Yeah. We talked about password managers, but what about Multi-Factor Authentication? MFA.

Oh, the big nerd word, yep.

Right. I know I did have to practice that word several years ago. I mean that it’s a big word, but let’s talk about what multi-factor authentication means and how people can be using that to really protect themselves.

So, the concept is that in single-factor authentication, you have a user ID and a password. That’s a single factor. That’s all you have. In multi-factor authentication, you have yet another factor. And that factor is often “something you have.”  So if you think about the strongest forms of multi-factor authentication, we call it “something you know,” which is a password, and then “something you have”, which might be a phone or a token or a fob. Those are very powerful means of authenticating somebody.

Another one of the other things that we recommend to everybody is MFA should be turned on just about everywhere. Especially everywhere it’s important. What many don’t do is turn on multi-factor authentication on their email. But interestingly enough, your email is a lot of times where you can go to reset an account for either your bank, your financial institution, your 401k, or any of your retail services. In many cases, if it’s, I forgot my password, that password reset link gets sent to your email. So, if your email is not well protected, that can be the means by which fraudsters break into a lot of other areas.

So, it’s important to, again, be making sure that all of your passwords are secure in all of those different places?

Absolutely.

Yeah. Let’s see here. Let’s talk about any new scams that people should be aware of. Are there some things that are, you know, out there?

I think the thing that we’ve seen really over the past year and a half, we’ve seen a fairly significant transition from email phishing scams, which are fairly traditional, to text phishing scams. And it makes a lot of sense, you know, the fraudsters are looking for the path of least resistance. They’re looking for the thing that gets them the most clicks. Most people don’t pay near as much attention to their email as they pay to their text messaging. As a result of that, a lot of organizations have started sending text messages for updates that are important for people to sign up for. So thus, the fraudsters are following along and they’re starting to send a significant portion of their fraudulent messages through a text message. Really what they’re trying to do is get an emotional response. They’re trying to get somebody afraid that something bad is going on.

In almost all cases with a financial institution, the message will say something bad has happened and you need to click this link now in order to deal with it. And that’s where we go back to we wear that tinfoil hat. Be hyper-vigilant, be suspicious of everything. If you’re getting messaging like that, it’s very likely to be fraud. So, if it’s something that you’re not sure about, be sure and contact us because we can help you filter that out.

And some other tips I’ve heard along the way are, you know, if there’s things that are misspelled in there, if there’s weird links that don’t look right, if it is trying to get you to do something quickly or make you fearful in some way, those are also other tactics that are used in these scams too, because it makes you feel like, I better jump on this right now before I have a chance to think this through.

Yeah. You still see a lot of that. Although with AI, with ChatGPT, for example, the messaging has gotten a lot more effective, believe it or not. In many cases, the messaging was written by people, for example, who had English as a second language. So the English was a little bit choppy. It was a little bit easier to identify. That’s becoming a little less so now. The messaging is actually getting pretty clear and pretty effective. But what you tend to still see, when you do go to these links, they’re really not the ICCU site. It’ll be something like bobshamburgers.com/iccu. That’s obviously a dead giveaway that you’re going to a fraudulent site and you should stop.

That’s what I was going to say. If you’ve clicked on something, because obviously the first thing is stop, don’t click on it, don’t take action. But if you do, maybe you’re like, “Oh man, that seems like a good —click — Oh gosh. This is wrong. I shouldn’t be here.” What do you do then? What do you do to back yourself out of that?

Well, Step One is, in many cases, just by clicking that link, you’ve signaled to the fraudsters that you’re likely to click on links. Because they’ll send individuals unique links so they understand who’s likely to click versus who’s not. So just be hypervigilant on the go forward for sure. But in most cases, if you haven’t keyed anything in, if you haven’t put in your credentials, then you’re safe. If you have keyed in your credentials, then it’s likely that you would consider that your credentials are compromised. You would want to go in and change your user ID and password and then contact your financial institution, contact ICCU or whatever it was that you keyed those credentials in for, to make sure that everything else is in order. Those would be the steps: Make sure you change your password immediately, and then contact your financial institution.

Yeah. Are there any other updates or any other pieces of information that you think people need to know, or did we hit it pretty hard today?

I think we hit it pretty hard. Gosh, I think, you know, the big thing that I really just want to make sure everybody’s aware of is that this is an era where we have to be hypervigilant. The fraudsters are getting more and more effective in how they communicate and how they attempt to trick people. We call it social engineering in our world. As a result of that, citizens are going to have to become more effective and more sophisticated in understanding what that looks like so they can distinguish that from good, healthy messaging. So, that’s always the balance that we kind of play in this space.

And it’s not something people should be scared of. They should just be aware of it.

Absolutely. You know, the reality is the digital world is a safe place for us to be. ICCU’s there. We’ve been there for a long time and we’ve been protecting our members there for a long time. You know, really the most important things like electricity or playing around with bandsaws, know how to use them safely and you’ll be fine. It’s when you’re not careful and when you’re not cognizant, when you’re not being suspicious, when you’re not being vigilant, that’s when you tend to run the risk of injury.

Well, thank you so much, Nick. I think this was super helpful. It really went over some ways that we can protect ourselves and watch out for things that could be coming at us.

So for more information, visit our security center at iccu.com/security.

And don’t forget to subscribe to our channel to be notified of future episodes. Thanks for joining us. We will see you next time.