Security Education

Member Security Education

You and your family use the internet every day for browsing, shopping, checking email, social media – even streaming movies and music. It’s up to you to protect your data, privacy and identity.

At Armco CU, we care about your financial wellness. We know you are aware of cyber security, but as a financial institution we detect fraudulent activity on a regular basis. Yes, fraud does occur in Butler County! We just want to remind you to keep your guard up and be vigilant when you are using technology. Remember, Armco CU will never call, text or email you to ask for personal account information. If you ever question a phone call from someone claiming to be from the credit union, hang up and call your branch office.

Test your Cyber Security IQ. Check out our Internet Safety interactive course.


Jump to section:

Social Engineering


Password Protection

Social Engineering

It is defined as the act of influencing a person to accomplish goals that may or may not be in the “target’s” best interest. This may include obtaining information, gaining access, or getting the target to take certain action. It may also include positive forms of communication such as with parents, therapists, children, spouse and others.

Every time you try to get someone to do something that is in your interest and not theirs, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering.

The following are the most common types of Social Engineering:

Phishing is similar to fishing in a lake, but instead of trying to capture fish, phishers attempt to steal your personal information. They send out e-mails that appear to come from legitimate websites such as eBay, PayPal, or banking institutions. The e-mails state that your information needs to be updated or validated and ask that you enter your username and password, after clicking a link included in the e-mail. Some e-mails will ask that you enter even more information, such as your full name, address, phone number, social security number, and credit card number. However, even if you visit the false website and just enter your username and password, the phisher may be able to gain access to more information by just logging in to your account.

Phishing is a con game that scammers use to collect personal information from unsuspecting users. The false e-mails often look surprisingly legitimate, and even the Web pages where you are asked to enter your information may look real. However, the URL in the address field can tell you if the page you have been directed to is valid or not. For example, if you are visiting a Web page on eBay, the last part of the domain name should end with “” Therefore, “” and “” are valid Web addresses, but “” and “” are false addresses, which may be used by phishers. If URL contains an IP address, such as, instead of a domain name, you can almost be sure someone is trying to phish for your personal information.

If you receive an e-mail that asks that you update your information and you think it might be valid, go to the website by typing the URL in your browser’s address field instead of clicking the link in the e-mail. For example, go to “” instead of clicking the link in an e-mail that appears to come from PayPal. If you are prompted to update your information after you have manually typed in the Web address and logged in, then the e-mail was probably legitimate. However, if you are not asked to update any information, then the e-mail was most likely a spoof sent by a phisher.

Most legitimate e-mails will address you by your full name at the beginning of the message. If there is any doubt that the e-mail is legitimate, be smart and don’t enter your information. Even if you believe the message is valid, following the guidelines above will prevent you from giving phishers your personal information. If the message is sent by a person or business you normally deal with – call them with the contact information you have used on a regular basis to confirm they were the true originator of the message.

Vishing is an umbrella term for any scam that attempts to trick consumers into revealing personal information over the phone. Commonly, attackers will pose as representatives from legitimate companies or organizations and try to obtain information such as credit card numbers and Social Security numbers.

If you own a phone, you could be a target. Vishing scams can happen to just about anyone. Many criminals will use an automated service to call a massive group of phone numbers, hoping that even a few targets will answer the calls and divulge personal information.

Fraudsters are getting better and better at disguising themselves. Now, more than ever, you’ll have to put in some extra effort when you’re screening calls. As a rule of thumb, don’t give out any information over the phone if you’re unsure of who’s calling. If you have any doubts at all, hang up. Credit cards, bills and bank statements should all feature customer service numbers that you can use to see if the call you just received was legitimate.

SMiShing is a combination of the terms “SMS” and “phishing.” It is similar to phishing, but refers to fraudulent messages sent over SMS (text messaging) rather than email.

The goal of SMiShing is to capture people’s personal information. In order to do this, “smishers” send out mass text messages designed to capture the recipients’ attention. Some messages may be threatening, I.E., “Visit this URL to avoid being charged $5.00 per day,” while others may provide a fake incentive, such as “You have won a free gift card, visit this website to claim your prize.” If you click on a link in the text message, you will be directed to a fraudulent website that will ask you to enter your personal information, such as your name, address, phone number, and email address. In some cases, a SMiShing website will ask you to enter your bank account information or social security number.

SMiShing has become increasingly common now that smartphones are widely used. Many smartphones allow you to simply click on a link in a text message to view the website in your phone’s browser. This makes text messages an effective “bait” for luring unsuspecting users to fraudulent websites. Therefore, just like when you receive email spam, is best to not visit websites mentioned in text messages from unknown sources.

Pharming is another way hackers attempt to manipulate users on the Internet. While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to false websites without them even knowing it.

While a typical website uses a domain name for its address, its actual location is determined by an IP address. When a user types a domain name into his or her Web browser’s address field and hits enter, the domain name is translated into an IP address via a DNS* server.

The Web browser then connects to the server at this IP address and loads the Web page data. After a user visits a certain website, the DNS entry for that site is often stored on the user’s computer in a DNS cache**. This way, the computer does not have to keep accessing a DNS server whenever the user visits the website.

One way that pharming takes place is via an e-mail virus that “poisons” a user’s local DNS cache. It does this by modifying the DNS entries, or host files. For example, instead of having the IP address direct to, it may direct to another website determined by the hacker. Pharmers can also poison entire DNS servers, which means any user that uses the affected DNS server will be redirected to the wrong website. Fortunately, most DNS servers (LIKE BAECU) have security features to protect them against such attacks. Still, we are not necessarily immune, since hackers continue to try to find ways to gain access to them.

While pharming is not as common as phishing scams are, it can affect many more people at once. This is especially true if a large DNS server is modified. So, if you visit a certain website and it appears to be significantly different than what you expected, you may be the victim of pharming. Restart your computer to reset your DNS entries, run an antivirus program, then try connecting to the website again. If the website still looks strange, contact your Internet service provider and let them know their DNS server may have been pharmed.

*DNS stands for “Domain Name System.” The primary purpose of DNS is to keep Web surfers sane. Without DNS, we would have to remember the IP address of every site we wanted to visit, instead of just the domain name. Can you imagine having to remember “” instead of just “”?
**Cache is pronounced “cash” (not “catch” or “cashay”). Cache stores recently used information so that it can be quickly accessed at a later time. Browser cache – Most web browsers cache webpage data by default. For example, when you visit a webpage, the browser may cache the HTML, images, and any CSS or JavaScript files referenced by the page. When you browse through other pages on the site that use the same images, CSS, or JavaScript, your browser will not have to re-download the files. Instead, the browser can simply load them from the cache, which is stored on your local hard drive.
***ISP stands for “Internet Service Provider.” In order to connect to the Internet, you need an ISP. It is the company that you (or your parents) pay a monthly fee to in order to use the Internet.


In 2020, 4.72 million reports were filed for fraud, identity theft, or other types of activity, up from 3.24 million in 2019 (an increase of 45%) with the Federal Trade Commission (FTC).  The top 3 report categories were identity theft, imposter scams, and online shopping/negative review scams.  All of these reports amounted to $3.3 billion in fraud losses.  Below is an extended list of fraud categories and explanations for the most common forms.

Top 10 Fraud Categories from 2020:

Category# of ReportsTotal $ Loss
Imposter Scams502,829$1,227.3 M
Online Shopping and Negative Reviews364,063$250.4 M
Internet Services128,779$179.6 M
Prizes, Sweepstakes, and Lotteries116,391$167.3 M
Telephone and Mobile Services85,559$32.9 M
Travel, Vacations, and Timeshare Plans76,669$186.7 M
Business and Job Opportunities59,394$172.6 M
Health Care53,666$22.8 M
Foreign Money Offers and Fake Check Scams39,010$47.3 M
Investment Related26,483$419.0 M

Source: FTC Consumer Sentinel Network Report, 2020

The latest of attempts from scammers to use personal information is to apply for benefits, similar to the large fraud attempt in June in which L&I mailed the Notice of Pandemic Unemployment Assistance Claim Filed to all claimants in the PUA system to provide further guidance if they did not submit a PUA application. This guidance still applies if you believe you have been targeted in the latest phishing attempts or scams.

If you were a victim of ID Theft, it is very important to report the PUA fraud activity to the Department and return the money.  Doing so will remove these fraudulent payments from being reported as income on the end of the year 1099G distribution.

How to return checks for benefits for which you did not apply

Anyone who receives a paper check in the mail and did not file for unemployment benefits in Pennsylvania should not cash the checks.  Cashing the checks knowing that you have not applied for PUA or any other UC program may be deemed fraud and repayment will be required.

Individuals should write “void” on the check and return it to:

Pennsylvania Treasury Department
651 Boas Street
Room 400 L&I Building
Harrisburg, PA 17120

Please include a brief signed statement with the reason you are returning the check and include your printed name, address, last four of your social security number, phone number, and email address.

How to return direct deposit for benefits for which you did not apply

Anyone who receives a direct deposit and did not file for unemployment benefits in Pennsylvania should not use the funds.  Using the funds knowing that you have not applied for PUA or any other UC program may be deemed fraud and repayment will be required.

The funds should be returned to:

Department of Labor and Industry
651 Boas St., Room 500
Harrisburg, PA 17121

Payments must be made by personal check, cashier’s check, certified check, or money order to the “PA UC Fund”.  Please include a brief signed statement with the reason you are sending in the payment and include your printed name, address, last four of your social security number, phone number, and email address.

How to report someone filing for benefits using your identity

Report Online: To report someone who has filed for UC benefits using your personal information such as your name, Social Security Number, and date of birth without your knowledge or consent, please visit the UC Benefits Website and click “Report Fraud” at the bottom of the page to complete and submit the Identity Theft Form. Do not log in. 

  • Note: You will not receive an auto-response/confirmation when you report fraud online. This does not mean your report was not received. If the department needs additional information, a representative will contact you.

Phone: Call the PA Fraud Hotline at 1-800-692-7469, review the Identity Theft form above to ensure you have all the information prepared to provide your report.

You may also want to file a police report with the municipality you resided in at the time the unemployment benefits in question were paid. A copy of the police report must be provided to the Office of Unemployment Compensation.

You can read the full article by clicking here.

Social Security Scam Calls

Romance Scams

IRS Imposter Scams

Nanny and Caregiver Imposter Scams

Family Emergency Scams

Tech Support Scams

Grandkid Scams

When local stores ran out of the supplies we needed to manage  COVID-19, many of us turned to online sources. According to a new Data Spotlight, scammers ran online sites and took orders for scarce items, but didn’t deliver. In April and May, more people reported problems with online shopping to the FTC than in any other months on record, and more than half of them said they never got what they ordered.

Reports show that early in the pandemic, shady sellers put up websites offering hard-to-find products. People ordered facemasks, sanitizer, toilet paper, thermometers, and gloves. When customers asked about their orders, scammers said the pandemic was causing shipping delays, and then stopped responding. When people reported undelivered orders to the FTC in April and May, facemasks were the #1 missing item.

Reports about online shopping issues aren’t new for the FTC. In fact, the number of those reports has grown every year since 2015. In 2019, people filed more than 86,000 reports about online shopping issues, including reports about orders that never arrived. People have reported losing a total of almost $420 million dollars related to online shopping issues since 2015.

To avoid problems when you shop online:

  • Check out a seller before you buy. Type the website or company name into a search engine with words like “scam,” “complaint,” or “review.”
  • Pay by credit card. If you’re charged for an order you never got, contact your credit card company and dispute the charge.
  • Keep copies of the product description, price, receipt, and emails between you and the seller, including messages about shipping delays.

Cyber crooks are calling Internet users claiming to be their Internet Service Provider, warning them that their Internet connection will be disconnected unless the recipient of the call follows the caller’s instructions.

In most cases, this scam comes in the form of an automated phone call saying the recipient’s Internet will be disconnected. The phone call will ask the recipient to press 1 on their keypad or call another number to speak to a customer agent to solve the problem.

These scams can vary but the most common variants are:

  • A phone call claiming the Internet will be disconnected due to illegal activity
  • A phone call claiming the Internet connection has been compromised
  • A phone call claiming the recipient’s router has been compromised

The scam is designed to either trick a recipient into installing malware onto their computer, or trick a recipient into giving away personal details about themselves over the phone.

If a recipient contacts a “customer agent”, they will actually be talking to a scammer. The scammer may claim the customer’s Internet connection, router or computer is infected with malware or has been compromised by crooks. They may also claim the connection is being disabled due to “illegal activity” detected on the recipient’s Internet connection.

This is to panic the recipient and trick them into following the scammer’s instructions over the phone. The scammer may ask the recipient to install remote desktop software, which gives the scammer access to a person’s computer and can allow them to install malware.

Alternatively the scammer may ask the recipient to provide sensitive and personal information, including banking information and passwords, which can subsequently lead to identity fraud.

If you get an unexpected call either from a real person or an automated messages claiming that your Internet connection will be disconnected for whatever reason, hang up the phone.

You can contact your Internet Service Provider from their official website or any documentation you have to check if the call was genuine, and because it is you that called your ISP, you know it really is your ISP that you’re talking to.

You get a call, email, or letter saying you won a sweepstakes, lottery, or prize — like an iPad, a new car, or something else. But you can tell it’s a scam because of what they do next: they ask you to pay money or give them your account information to get the prize. If you pay, you’ll lose your money and find out there is no prize.

3 Signs of a Prize Scam

Who doesn’t dream of winning a lot of money or a big prize? That’s why scammers still use the promise of a prize to get your money or personal information. The good news is that there are ways to tell you’re dealing with a scam.

Here are three signs of a prize scam:

  1. You have to pay to get your prize. But real prizes are free. So if someone tells you to pay a fee for “taxes,” “shipping and handling charges,” or “processing fees” to get your prize, you’re dealing with a scammer. And if they ask you to pay by wiring money, sending cash, or paying with gift cards or cryptocurrency to get your prize, don’t do it. Scammers use these payments because it’s hard to track who the money went to. And it’s almost impossible to get your money back.
  2. They say paying increases your odds of winning. But real sweepstakes are free and winning is by chance. It’s illegal for someone to ask you to pay to increase your odds of winning. Only a scammer will do that.
  3. You have to give your financial information. There’s absolutely no reason to ever give your bank account or credit card number to claim any prize or sweepstakes. If they ask for this information, don’t give it. It’s a scam.

How Scammers Try To Trick You

Scammers will say anything to get your money. Here are ways they try to trick you into thinking you really won a prize.

  • Scammers say they’re from the government when they’re not. Scammers try to look official. They want you to think you’ve won a government-supervised lottery or sweepstakes. They make up fake names like the “National Sweepstakes Bureau,” or pretend they’re from a real agency like the Federal Trade Commission. The truth is, the government won’t call you to demand money so you can collect a prize.
  • Scammers use names of organizations you might recognize. Scammers might pretend to be from well-known companies that run real sweepstakes. But no real sweepstakes company will contact you to ask for money so you can claim a prize. If you’re unsure, contact the real company directly to find out the truth. And look up the real company’s contact information yourself. Don’t rely on the person who reached out to you to provide you with the real contact information.
  • Scammers send you a message (via text, email, or social media) to get your personal information. You might be told that you won a gift card or a discount code to a local store. Or the message may say you won something expensive, like an iPad or a new car from your local dealership. Scammers hope you’ll respond with your personal information or click on links that can take your personal information or download malware onto your device. Don’t respond.
  • Scammers make it seem like you’re the only person who won a prize. But the same text, email, or letter went to lots of people. If your message came by mail, check the postmark on the envelope or postcard. If your “notice” was mailed by bulk rate, it means many other people got the same notice, too. For other types of messages, check online to see if others are reporting that they got the same message.
  • Scammers say you’ve won a foreign lottery, or that you can buy tickets for one. Messages about a foreign lottery are almost certainly from a scammer — and it’s a bad idea to respond. First, it’s illegal for U.S. citizens to play a foreign lottery, so don’t trust someone who asks you to break the law. Second, if you buy a foreign lottery ticket, expect many more offers for fake lotteries or scammy investment “opportunities.” Finally, there are no secret systems for winning foreign lotteries, so don’t believe someone who tells you they can help you win.
  • Scammers pressure you to act now to get a prize. Scammers want you to hurry up and pay or give them information. They tell you it’s a limited time offer or you have to “act now” to claim your prize. They don’t want you to have time to evaluate what’s really happening. Don’t be rushed — especially if they want you to do something to get your prize.
  • Scammers send you a check and ask you to send some of the money back. This is a fake check scam. If you deposit the check, it can take the bank weeks to figure out that it’s fake. In the meantime, the bank has to make the funds available, so it can look like the money is in your account. But once the bank finds out the check is fake, they’ll want you to pay back the funds. Read How to Spot, Avoid, and Report Fake Check Scams for more tips.

If you’re not sure about a contest or the company sending you a prize notification, search online to see if you find anything about them. Type the name with terms like “review,” “complaint,” or “scam.”

What To Know About Real Contests and Prizes

Plenty of contests are run by reputable marketers and non-profit organizations. But there are some things to know before you drop in a quick entry or follow instructions to claim a prize.

  • Real sweepstakes are free and by chance. It’s illegal to ask you to pay or buy something to enter, or to increase your odds of winning.
  • Contest promoters might sell your information to advertisers. If you sign up for a contest or a drawing, you’re likely to get more promotional mail, telemarketing calls, or spam.
  • Contest promoters have to tell you certain things. If they call you, the law says they have to tell you that entering is free, what the prizes are and their value, the odds of winning, and how you’d redeem a prize.
  • Sweepstakes mailings must say you don’t have to pay to participate. They also can’t claim you’re a winner unless you’ve actually won a prize. And if they include a fake check in their mailing, it has to clearly say that it’s non-negotiable and has no cash value.

A special note about skills contests. A skills contest — where you do things like solve problems or answer questions correctly to earn prizes can ask you to pay to play. But you might end up paying repeatedly, with each round getting more difficult and expensive, before you realize it’s impossible to win or just a scam. Skills contests can leave contestants with nothing to show for their money and effort.

What To Do if You Paid a Scammer

Scammers often ask you to pay in ways that make it tough to get your money back. No matter how you paid a scammer, the sooner you act, the better. Learn more about how to get your money back.

Report Prize Winnings and Lottery Scams

If you think you’ve been targeted by a prize scam:

Password Protection

Clifford Colby, Sharon Profis,

The key to your online security is to have strong passwords, but the challenge is to create distinct passwords that you can actually remember — or else you may fall into the bad habit of using the same login credentials for multiple accounts. According to LogMeIn, the company behind the LastPass password manager, you could very easily have 85 passwords for all your accounts once you count all of your social media, streaming, bank accounts and apps.

If your data is compromised, weak passwords can have serious consequences, like identity theft. Companies reported a staggering 5,183 data breaches in 2019 that exposed personal information such as home addresses and login credentials that could easily be used to steal your identify or commit fraud. And that pales in comparison with the more than 555 million stolen passwords that hackers on the dark web have published since 2017.

The identity protection of a post-password world isn’t here for most of us. So in the meantime, try these best practices that can help minimize the risk of your data being exposed.

Use a password manager to keep track of your passwords

Strong passwords are longer than eight characters, are hard to guess and contain a variety of characters, numbers and special symbols. The best ones can be difficult to remember, especially if you’re using a distinct login for every site (which is recommended). This is where password managers come in.

A trusted password manager such as 1Password or LastPass can create and store strong, lengthy passwords for you. They work across your desktop and phone.

The tiny caveat is that you’ll still have to memorize a single master password that unlocks all your other passwords. So make that one as strong as it can be (and see below for more specific tips on that).

Browsers like Google’s Chrome and Mozilla’s Firefox also come with password managers, but our sister site TechRepublic has concerns about how browsers secure the passwords they store and recommends using a dedicated app instead.

Password managers with their single master passwords are, of course, obvious targets for hackers. And password managers aren’t perfect. LastPass fixed a flaw last September that could have exposed a customer’s credentials. To its credit, the company was transparent about the potential exploit and the steps it would take in the event of a hack.

Yes, you can write your login credentials down. Really

We know: This recommendation goes against everything we’ve been told about protecting ourselves online. But password managers aren’t for everyone, and some leading security experts, like the Electronic Frontier Foundation, suggest that keeping your login information on a physical sheet of paper or in a notebook is a viable way to track your credentials.

And we’re talking about real, old-fashioned paper, not an electronic document like a Word file or a Google spreadsheet, because if someone gains access to your computer or online accounts, they can also gain access to that electronic password file.

Of course, someone could also break into your house and walk off with the passkeys to your entire life, but that seems less likely. At work or at home, we recommend keeping this sheet of paper in a safe place — like a locked desk drawer or cabinet — and out of eyesight. Limit the number of people who know where your passwords are, especially to your financial sites.

If you travel often, physically carrying your passwords with you introduces greater risk if you misplace your notebook.

Find out if your passwords have been stolen

You can’t always stop your passwords from leaking out, either through a data breach or a malicious hack. But you can check at any time for hints that your accounts might be compromised.

Mozilla’s Firefox Monitor and Google’s Password Checkup can show you which of your email addresses and passwords have been compromised in a data breach so you can take action.

Avoid common words and character combinations in your password

The goal is to create a password that someone else won’t know or be able to easily guess. Stay away from common words like “password,” phrases like “mypassword” and predictable character sequences like “qwerty” or “thequickbrownfox.”

Also avoid using your name, nickname, the name of your pet, your birthday or anniversary, your street name or anything associated with you that someone could find out from social media, or from a heartfelt talk with a stranger on an airplane or at the bar.

Longer passwords are better: 8 characters is a starting point

8 characters are a great place to start when creating a strong password, but longer logins are better. The Electronic Frontier Foundation and security expert Brian Kerbs, among many others, advise using a passphrase made up of three or four random words for added security. A longer passphrase composed of unconnected words can be difficult to remember, however, which is why you should consider using a password manager.

Don’t recycle your passwords

It’s worth repeating that reusing passwords across different accounts is a terrible idea. If someone uncovers your reused password for one account, they have the key to every other account you use that password for.

The same goes for modifying a root password that changes with the addition of a prefix or suffix. For example, PasswordOne, PasswordTwo (these are both bad for multiple reasons).

By picking a unique password for each account, hackers that crack into one account can’t use it to get access to all the rest.

Use two-factor authentication (2FA) … but try to avoid text message codes

If thieves do steal your password, you can still keep them from gaining access to your account with two-factor authentication (also called two-step verification or 2FA), a security safeguard that requires you enter a second piece of information that only you have  (usually a one-time code) before the app or service logs you in.

This way, even if a hacker does uncover your passwords, without your trusted device (like your phone) and the verification code that confirms it’s really you, they won’t be able to access your account.

While it’s common and convenient to receive these codes in a text message to your mobile phone or in a call to your landline phone, it’s simple enough for a hacker to steal your phone number through SIM swap fraud and then intercept your verification code.

A much safer way to receive verification codes is for you to generate and fetch them yourself using an authentication app like Authy, Google Authenticator or Microsoft Authenticator. And once you’re set up, you can choose to register your device or browser so you don’t need to keep verifying it each time you sign in.

When it comes to password security, being proactive is your best protection. That includes knowing if your email and passwords are on the dark web. And if you discover your data has been exposed, we guide you through what to do if hackers have gained access to your banking and credit-card accounts.