Dark Reading is part of the Informa Tech Division of Informa PLC


3/5/2021
10:00 AM
Tom Pendergast
Commentary

Make Sure That Stimulus Check Lands in the Right Bank Account

If you haven't already, it's time to build trust relationships with your financial institutions, using strong security, privacy protections and secure, unique user credentials.

When Congress passed a $900 billion economic relief package in December 2020, it wasn't just unemployed Americans and those with low to moderate incomes who were happy: Scammers rejoiced as well. Just like back in May 2020, these vultures see a river of money flowing from the federal government to regular Americans and they are eager to grab some of it for themselves.

And the economic relief and associated scamming aren't over yet: President Biden's relief plan promises more stimulus soon, and California just passed its own relief package, with $600 for low-income residents. Luckily, there are some ways to ensure that the government money goes into the right hands. 


If scams related to stimulus checks and unemployment payments give you a strong sense of déjà vu, you're not alone. After all, we've been here before, back in May when the first coronavirus relief package was passed and there was massive fraud aimed at state government agencies charged with distributing the unemployment relief. In fact, the Office of the Inspector General of the Department of Labor estimated that fraud claimed $36 billion of the $360 billion available in the CARES Act. 

I had a pretty strong sense of déjà vu myself, since I was the victim of such a scam in my home state of Washington. But on Jan. 11 — some seven months after I filed my initial fraud report — I got an official verification that my Social Security number was mine (really!) and is now officially connected to my account at the Employment Security Department. Now that I have established claim to my ESD account, nobody can present a fraud claim on my behalf.

That doesn't mean there aren't other ways for criminals to profit off my data, because in late January, the Washington State Auditor revealed that the personal data of 1.4 million state residents may have been stolen in a hack of third-party software provider Accellion. I'll add this to the long list of data breaches my data has been involved in!

This Problem Is Mostly Solved by Trust
But I don't despair all that much about this stuff, because there are things you and I can do to keep ourselves safe. Claiming your account — whether it's at your state employment services agency or with the IRS or with any other entity that you do business with, really — allows you to establish a channel for trusted interactions. For example, because I have a trust relationship with the Department of the Treasury, any government stimulus check or tax refund can be deposited directly in my bank account — and I don't have to risk a check being lost or stolen, or receiving one of the new, more secure debit cards that are also used to make payments to people who don't have direct deposit. These trust relationships are built off strong security and privacy protections on the part of the agency and the use of secure, unique credentials on the part of the user, but they work far better than the other means. Of course, they still need to protect the data I trust them with.

For people who are receiving the stimulus payment via debit card, the US Treasury is doing its best to ensure that the process of getting paid is clear and secure, showing recipients exactly what they should look for in the mail, including what the cards look like.

For all this effort, it's easy to imagine that a scammer could emulate this mailing and ask a user to phone into a call center and provide some essential information — perhaps even a bank account — and run a scam that way. Both Forbes and CNBC have provided good guides for using these cards safely and without fees. 

Whether you're waiting for this stimulus check or the next, bigger one promised by the Biden administration, or seeking to avoid any entanglement in an unemployment scheme, there are some tried and true methods for ensuring that your interactions with government agencies of all sorts are handled securely and privately.

Protect Your Credentials
Protecting credentials — usernames and especially passwords — is one of the best and most basic things you can do to stay safe from hackers. Using unique passwords everywhere is easy when you use a password manager, and adding multifactor authentication adds another level of protection. 

Own Your Accounts
Establishing a secure account with state and federal agencies is the best way to take advantage of the security protections they provide, and this protection generally outweighs whatever risk you have of the agency being breached, though that risk does exist. I'd suggest that you establish an account with your state employment agency (or broader state government) now, and also verify that you have accounts at the major federal agencies you deal with — which will likely include the Social Security Administration and the IRS at a minimum.

While I understand that some people may not believe that they can enter into a trust relationship with the government, I'd suggest that it's better that you control the terms of that relationship than to allow that relationship to be established by someone else. 

Take Quick Action
The moment you suspect fraud, act as quickly as you can to report it.

Many major government agencies and financial institutions have dedicated fraud hotlines or online services, and they may also suggest that you make a report to your local law enforcement agency. If you take quick action, you might be able to avoid the nightmare of full-blown identity theft.

Protect Your Credit
Freezing your credit at all three credit agencies is a simple (and free) act that can prevent anyone with access to your personal information from opening up an account in your name. You'll need to learn a few tricks to unfreeze your account when needed, but it's well worth your time.

Apply Healthy Skepticism
Even if you do all of the above, you can still fall prey to a scam if you allow people to convince you to give away information or credentials you shouldn't. That's why you've got to be skeptical of any phone calls, emails, or letters that ask you to divulge financial information or passwords. Your healthy skepticism is your best defense.

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ...
 
