Dark Reading is part of the Informa Tech Division of Informa PLC


3/5/2021
10:00 AM
Tom Pendergast
Commentary

Make Sure That Stimulus Check Lands in the Right Bank Account

If you haven't already, it's time to build trust relationships with your financial institutions, using strong security, privacy protections and secure, unique user credentials.

When Congress passed a $900 billion economic relief package in December 2020, it wasn't just unemployed Americans and those with low to moderate incomes who were happy: Scammers rejoiced as well. Just like back in May 2020, these vultures see a river of money flowing from the federal government to regular Americans and they are eager to grab some of it for themselves.

And the economic relief and associated scamming aren't over yet: President Biden's relief plan promises more stimulus soon, and California just passed its own relief package, with $600 for low-income residents. Luckily, there are some ways to ensure that the government money goes into the right hands. 

If scams related to stimulus checks and unemployment payments give you a strong sense of déjà vu, you're not alone. After all, we've been here before, back in May when the first coronavirus relief package was passed and there was massive fraud aimed at state government agencies charged with distributing the unemployment relief. In fact, the Office of the Inspector General of the Department of Labor estimated that fraud claimed $36 billion of the $360 billion available in the CARES Act. 

I had a pretty strong sense of déjà vu myself, since I was the victim of such a scam in my home state of Washington. But on Jan. 11 — some seven months after I filed my initial fraud report — I got an official verification that my Social Security number was mine (really!) and is now officially connected to my account at the Employment Security Department. Now that I have established claim to my ESD account, nobody can present a fraud claim on my behalf.

That doesn't mean there aren't other ways for criminals to profit off my data, because in late January, the Washington State Auditor revealed that the personal data of 1.4 million state residents may have been stolen in a hack of third-party software provider Accellion. I'll add this to the long list of data breaches my data has been involved in!

This Problem Is Mostly Solved by Trust
But I don't despair all that much about this stuff, because there are things you and I can do to keep ourselves safe. Claiming your account — whether it's at your state employment services agency or with the IRS or with any other entity that you do business with, really — allows you to establish a channel for trusted interactions. For example, because I have a trust relationship with the Department of the Treasury, any government stimulus check or tax refund can be deposited directly in my bank account — and I don't have to risk a check being lost or stolen, or receiving one of the new, more secure debit cards that are also used to make payments to people who don't have direct deposit. These trust relationships are built off strong security and privacy protections on the part of the agency and the use of secure, unique credentials on the part of the user, but they work far better than the other means. Of course, they still need to protect the data I trust them with.

For people who are receiving the stimulus payment via debit card, the US Treasury is doing its best to ensure that the process of getting paid is clear and secure, showing recipients exactly what they should look for in the mail, including what the cards look like.

For all this effort, it's easy to imagine that a scammer could emulate this mailing and ask a user to phone into a call center and provide some essential information — perhaps even a bank account — and run a scam that way. Both Forbes and CNBC have provided good guides for using these cards safely and without fees. 

Whether you're waiting for this stimulus check or the next, bigger one promised by the Biden administration, or seeking to avoid any entanglement in an unemployment scheme, there are some tried and true methods for ensuring that your interactions with government agencies of all sorts are handled securely and privately.

Protect Your Credentials
Protecting credentials — usernames and especially passwords — is one of the best and most basic things you can do to stay safe from hackers. Using unique passwords everywhere is easy when you use a password manager, and adding multifactor authentication adds another level of protection. 

Own Your Accounts
Establishing a secure account with state and federal agencies is the best way to take advantage of the security protections they provide, and this protection generally outweighs whatever risk you have of this agency being breached, though that risk does exist. I'd suggest that you establish an account with your state employment agency (or broader state government) now, and also verify that you have accounts at the major federal agencies you deal with — which will likely include the Social Security Administration and the IRS at a minimum.

While I understand that some people may not believe that they can enter into a trust relationship with the government, I'd suggest that it's better that you control the terms of that relationship than to allow that relationship to be established by someone else. 

Take Quick Action
The moment you suspect fraud, act as quickly as you can to report it.

Many major government agencies and financial institutions have dedicated fraud hotlines or online services, and they may also suggest that you make a report to your local law enforcement agency. If you take quick action, you might be able to avoid the nightmare of full-blown identity theft.

Protect Your Credit
Freezing your credit at all three credit agencies is a simple (and free) act that can prevent anyone with access to your personal information from opening up an account in your name. You'll need to learn a few tricks to unfreeze your account when needed, but it's well worth your time.

Apply Healthy Skepticism
Even if you do all of the above, you can still fall prey to a scam if you allow people to convince you to give away information or credentials you shouldn't. That's why you've got to be skeptical of any phone calls, emails, or letters that ask you to divulge financial information or passwords. Your healthy skepticism is your best defense.

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ...
 
