It's almost Christmas. You're stressed. Someone called demanding your full credit card number, Social Security Number and bank account number to finish that online toy purchase you just made.
And you blurted them out.
Or maybe you got spooked by a phony IRS pitch. Or entered your bank account info into one of those well-crafted but fraudulent emails.
Cybercrimes come in a variety of forms, and they are all stressful.
So we broke down how to respond to five of the most common scams that might strike you or a loved one over the holidays, based on what the crooks may have gotten: Your Social Security Number, your bank account or credit card, access to your hardware or files, your pride or, worst of all, your hard-earned money.
Credit monitoring. If you suspect somebody has your Social Security Number -- whether they stole it from a company (like Equifax) or you gave it to them voluntarily -- it's important to set up credit monitoring. Typically your bank or the company that was breached will provide this to you for free.
You generally shouldn't pay for credit monitoring, as high quality free products have proliferated in the marketplace particularly after the incident at Equifax. Paid credit monitoring services can be tricky to cancel, and you can typically achieve the same level of service with a free product.
Set up alerts so you know the instant anything changes with your credit score -- you can usually do this through the credit monitoring program offered by your bank or credit card company, which is almost always a free service. Some of these services are free even if you're not a customer of the bank, such as Capital One's Credit Wise. In fact, you may want to do this anyway -- monitoring your credit in this manner is good for everyone, not just victims of cybercrime.
Credit freeze. If you provided a scammer with your Social Security Number directly, or you already think your number was used fraudulently, you will need to act more urgently. You can place a credit freeze on your account with the three credit reporting agencies: Equifax, Transunion and Experian.
The freeze stays in place until you request it be removed. It's very important to be prepared to unfreeze or "thaw " (temporarily unfreeze) your credit if you need it -- for instance, if your home is damaged and you need to quickly rent an apartment, or your phone is damaged and you need to get a new one on credit. The credit agencies will provide you with a PIN number which you must keep on hand to unfreeze it.
Fraud alert. You can also place a fraud alert on your credit report, which will require businesses to contact you and verify your identity should anyone try to take out credit in your name. A fraud alert is less intrusive than a freeze, and you need only contact one of the above credit reporting agencies, according to the Federal Trade Commission (FTC). You'll ask either Equifax, Transunion or Experian to put a fraud alert on your credit report, and the bureau you choose will "then contact the other two credit bureaus," the FTC says.
Since 2018, all of these services, including freezing, thawing, unfreezing and placing fraud alerts on your credit reports are free. If someone is offering these services for a fee, watch out and make sure they're offering some additional value before signing up.
Some phishing emails or fraudulent URLs are created to look so convincingly like your bank's, it is easy to mistakenly enter your username and password or, if they ask for it, your checking or savings account number. Other websites are made to emulate popular e-commerce or retail websites, tricking you into entering your credit card details.
Call your bank immediately. If you've given away any of these numbers, call your bank immediately and describe the error in detail. Your bank should be able to read back any charges have been made fraudulently and connect you to the right department to help freeze or suspend the accounts that may have been comrpomised. You can typically find the fraud department directly by using the fraud services number on the back of your credit card, or on the bank's website.
If fraudulent charges have been made, you may have to fill out a paper report, and any reimbursement may take time, typically a bit longer for debit cards than for credit cards. Here's a version of one of these forms, used by Inova Federal Credit Union. A banker may call you to ask follow-up questions.
Changing a checking or savings account number may be more time-consuming, but it may be necessary to prevent future wire fraud, which possibly the most painful of all cybercrimes. If you must do this, you'll have to be extra careful about any automatic debits that you have from your checking account and remember to change the number to the new account, as accidentally using the old account number may cause you to accrue bounced check fees.
Ransomware is ugly, and it's taken down everyone from FedEx and Merck to the city government of Atlanta. Ransomware is malicious software that locks up your computer or files, making it impossible to access them.
Anyone can be a victim. Criminals have even targeted individual people, who have ended up paying a few hundred bucks to free up their photo albums.
If you're a victim of ransomware, you will typically lose access to your files, and you may receive an automatic message from a criminal offering to give you an encryption key that will unlock your files for a fee.
Back important files up. The best defense against ransomware is a good offense. If you back up your most important home files, then you may lose the hardware locked up by the ransomware, but you won't have to pay money to a criminal to get back your data. The easiest way to do this is using free or low-cost personal backup storage programs like Google Drive, Apple's iCloud or Microsoft's OneDrive.
Hunt for a decryption solution. There are also free databases of publicly available information that can help you decrypt many popular strains of ransomware, so if you are up to hunting down this information, you may be able to simply unlock your files without paying a cent to anyone or losing your computer. The No More Ransom project offers an easy-to-use interface, where you can type in details of the ransom demand or other information to find out if a solution already exists.
Consider paying, but be aware of the risks. You can also simply pay the ransom if the files are valuable enough. But paying can have a lot of downsides, including signaling to criminals that you are willing to pay, and possibly inviting more ransomware in the future. The ransom demand itself may also be a scam, and you can lose your money if the encryption keys provided by the criminal either don't work or are nonexistent. The FBI recommends not paying.
Whatever you choose to do, you can report these scams (and the others) to the FBI via their Internet Crime Complaint Center (IC3).
Don't believe it. There are few things in this life that I will claim to know for certain, but this is one: Nobody has secretly recorded you watching pornography over your webcam. I mean it. They haven't. And they're not contacting your spouse about it.
If you get an email asserting that somebody has done this -- even if it has your email address and password in the subject line -- it's a scam. Criminals get your passwords and other private information from darkweb fire sales of personal information. This information can't really be used for much, other than to convince you that they somehow know who you are.
If you already paid money to the person on the other end of one of these emails, contact your bank to attempt to reverse the transaction.
You can report this to the FBI or local police as well, and while it is helpful for their ability to track these types of crimes, there is little they can do to get your money back. Just be aware that billions of these emails are hitting inboxes daily and there's no need to panic.
In a typical wire fraud scam, a criminal breaks into the email of someone who you know, usually professionally -- an attorney, realtor or business associate. He or she squats on the email until he or she knows how you interact with this person, and then strikes, sending you a message -- usually an urgent one -- convincing you to wire money to an unfamiliar bank account, in order to facilitate a legal matter, home transaction or vendor payment.
Usually, the bank account is offshore. Because the transaction involves email fraud, your bank won't reimburse you. It's a more involved type of cybercrime and for a good reason -- because criminals get money wired directly to their accounts, and often very large sums.
Drop everything and call your bank. If you have fallen victim to this type of crime, drop everything you're doing and contact your bank's (the sending bank's) wire department to attempt to halt the wire. If you are successful, this can save you enormous headaches later. If you know the real identity of the receiving bank, you can attempt to contact its wire department as well, although the fraudster's bank is usually overseas and may be more difficult to reach.
File reports with law enforcement. If you have lost money to one of these scams, you can file a police report with your local department and a fraud report with the FBI. If the fraud was the result of a compromised professional's email account (such as a lawyer or realtor), their business insurance may be able to compensate you in whole or in part for the lost money, but you may also have to file a lawsuit to retrieve it -- a process that may leave you out of pocket for a long time.
Wire fraud can best be prevented by letting those who provide you with professional services know of the dangers of this type of fraud, and setting up a private system involving voice verification or other multiple factors of authentication before wires are approved and sent, and particularly in the event routing and account number details have changed.
But above all of these, to recover from a successful cyberattack, it's best to get mentally ready ahead of time.
I know that at your workplace, school, or through conversations with your kids or parents, you may have learned that stupid people cause cybersecurity incidents, and being not-stupid can prevent them. The conventional wisdom suggests it's stupid to have an easy-to-guess password, to re-use passwords or to be fooled by a phishing email or to take a scammer's call.
Stop thinking this way. Phishing emails that seek to convince you to give up account numbers, scam calls that are meant to trick you into providing your social security number -- they are better than ever, and criminals are refining their tricks all the time.
The average person has hundreds of passwords -- it's inevitable that some of them are "bad" or subject to being mechanically uncovered by a simple algorithm. It's inevitable that some may be reused.
Sure, it's a great idea to use fresh and unique passwords, especially for financial accounts. But it's impossible to imagine that everyone will do so perfectly every single time.
It is also important to pass on this attitude to your friends and family: The people closest to you can lose valuable time and money because they are too embarrassed to tell anyone they made a mistake.
So if you made a mistake, forget all the guilt that may have been conveyed through poorly designed training methods of the past. Don't be a sad sack, and don't be a drama queen. Just be ready to take immediate action to preserve your identity, accounts, computers, dignity, cash or all five.