Security Corner

All You Need to Know About TikTok

With more than 2 billion downloads around the world, TikTok is wildly popular. The short video app is hip, fun and addictive. But is it safe?

Let’s take a look at the way TikTok operates and the security concerns.

How does TikTok work?

TikTok is a free social media platform allowing users to watch, create and share videos — often with a music soundtrack — right from their phones. On TikTok, it only takes 15 seconds to become a star.

TikTok is owned by the Chinese tech company, ByteDance.

What are the safety concerns with TikTok? 

Like all social media platforms, TikTok encourages users to share slivers of their personal life. The app also captures user data by tracking likes, dislikes, friends, consumer patterns, locations and more. While other major platforms do the same, TikTok is the first Chinese-owned app to gain such broad popularity in the United States, raising new privacy concerns for users.

There have been some claims that TikTok is a cover for Chinese spyware that steals users’ information and sends it back to China, but these allegations have been mostly unfounded.

Another concern is the app’s occasional release of new software with security vulnerabilities needing to be urgently fixed. While they’ve all been patched quickly, the small window of time between the release of the software and the security patch-up can pose a serious risk to TikTok users.

Will TikTok be banned in the U.S.?

On Aug. 6, President Donald Trump signed an executive order to ban TikTok in the United States. Trump is pressuring ByteDance to sell the app to an American company before the ban goes into effect on Sept. 15. Microsoft is currently in negotiations with ByteDance to purchase 30% of the app, but the administration is pushing for complete ownership by an American company. As the deadline for a deal approaches, TikTok continues to insist that its platform is secure.

Should users delete the app?

There’s no black-and-white answer to this loaded question, but you may want to delete the app just to be on the safe side.

If you decide to keep TikTok, be sure to exercise caution. Keep all potentially vulnerable information off the videos you share and set the app’s settings to private.

“TikTok is led by an American CEO, with hundreds of employees and key leaders across safety, security, product, and public policy here in the U.S.,” the company said in a statement. “We have no higher priority than promoting a safe and secure app experience for our users. We have never provided user data to the Chinese government, nor would we do so if asked.”

8 Ways to Spot a Counterfeit Bill

Everyone loves a stash of cash — unless it’s fake. Unfortunately, there’s been a surge in the spread of counterfeit bills during the coronavirus pandemic. Bogus bills can be difficult to spot. Here are some signs to help you determine if it’s the real thing:

  • When held up to light, the hologram on the bill should match the face on the front of the note.
  • Holding a genuine bill up to light will reveal a thin vertical strip of text spelling out the bill’s denomination.
  • If you tilt any of the new-series bills (except for fivers) back and forth, the numeral in the lower right-hand corner will shift from green to black to green again.
  • The watermark of the bill can be seen in an unprinted space to the right of the portrait when held up to light.
  • When held up to light, a security strip near the portrait can be seen.
  • When held up to an ultraviolet light, authentic bills will glow: $5 bills glow blue, $10 bills glow orange, $20 bills glow green, $50 bills glow yellow and the $100 bill glows red.
  • Look for tiny microprinting on the bill’s security thread, which spells out its denomination.
  • Look for very fine lines behind the portrait and on the other side of the bill as well.

What to do if you’ve been passed a counterfeit bill

If a note you’ve been passed does not hold up to the authenticity tests, and you believe it’s a counterfeit bill, the U.S. Treasury advises the following course of action:

  • Do not put yourself in a position of danger.
  • Do not return the bill to the passer.
  • If possible, delay the passer with an excuse.
  • Take note of the passer’s physical appearance and record their vehicle license plate if possible.
  • Contact your local police department or call your local Secret Service office.
  • Write your initials and date in the white border area of the suspected counterfeit note.
  • Do not handle the counterfeit note. Place it inside a protective cover until you can pass it on to an identified Secret Service agent.

Beware of Back-to-School Tuition Scams

Back-to-school season means a flurry of shopping — and scams. As you get ready for school, look out for these scams targeting college students and parents of private school students that tend to peak before the start of the school year.

The tuition fee scam

How it plays out: A college student, or the parent of a private school student, gets a phone call from a caller introducing themself as an administrator at their school or their child’s school. The caller claims the student or parent owes tuition fees and will not be allowed to return to school unless the fees are paid. The caller provides the victim with information for wiring money or dropping off cash at a private address. Once the money is sent, it will never be seen again.

Protect yourself: Most schools will not insist on immediate payment or payment through a wire transfer. If you receive a call like this, ask the caller detailed questions about the school, their position and the money owed. If it’s a scam, the caller will not be able to answer well. You can also insist on calling the school directly to make the payment.

The student tax scam

How it plays out: Someone allegedly representing the IRS calls a college student at a public university claiming they neglected to pay their student tax. The caller explains that failure to pay can result in disqualification from class and possible imprisonment. They also insist on immediate payment by prepaid gift card or wire transfer.

Protect yourself: You can spot this scam by remembering that the IRS will always first contact people by mail. Also, the IRS won’t insist on being paid through gift card or wire transfer.

The scholarship scam

How it plays out: A scammer reaches out to a college student telling them they’ve been guaranteed approval for a scholarship, but must pay a fee to receive it. Unfortunately, the scholarship is bogus.

Protect yourself: Student scholarships don’t charge for eligibility. Also, no company will guarantee approval for a scholarship; there is always a vetting process of some kind before eligibility is determined.

Scammers are out in full force before the start of the school year. Don’t let them make the grade! Stay alert and stay safe.

Watch Out for these Scams as the Country Moves Towards Reopening

With states making bold moves toward reopening after coronavirus lockdowns, as usual, scammers aren’t far behind.

Watch out for these trending scams as the country reopens:

Account Takeovers

Shorter hours and percentage-capacity rules mean many consumers are still shopping remotely. This leads to an increase in online retail scams, like account takeovers, where scammers hack a company’s database to break into a customer’s account. Using the customer’s remembered payment information, the scammer goes on to place large orders to their own address — all on the client’s dime.

Protect yourself: Account takeovers are most commonly pulled off on dormant accounts. Outsmart the scammers by checking your retail accounts for sudden orders, or deleting remembered information on accounts you rarely use.

Job Scams

The FBI is warning against a surge in scams in which cybercriminals pose as employers by spoofing websites and posting bogus job openings on online boards. Sometimes, they’ll even conduct “interviews” with applicants. The scammers ask for personal information, and may demand payment before the “application” can be processed. Of course, there is no job waiting for the applicant, their information is in danger of being abused and they’ll never see that money again.

Protect yourself: Beware of outrageous job claims that promise big money for little work. Never share sensitive information online with an unverified source. Finally, before agreeing to an interview, research an alleged company on the BBB website.

The Contact Tracer Scam

The FTC is warning of a new ruse in which scammers impersonate a COVID-19 contact tracer and reach out to people via phone call or text message. They’ll ask for the victim’s personal information, including their Social Security number, claiming they need it for their work. They’ll use this information to pull off identity theft or hack the victim’s accounts. Sometimes, the scammer will ask the victim to click on an embedded link, which will grant them access to the victim’s phone.

Protect yourself: Contact tracers will always identify themselves and their department. If a contact tracer reaches out to you, verify authenticity by researching this information. Most importantly, they have no need for your Social Security number nor will they ask for it.

Stay aware and stay safe!

Bitcoin Theft

The FBI is warning of a rise in Bitcoin ransom scams in which scammers use scare tactics and extortion to squeeze money out of victims in the form of Bitcoin payments.

“Fraudsters are leveraging increased fear and uncertainty during the COVID-19 pandemic to steal your money and launder it through the complex cryptocurrency ecosystem,” the FBI warns.

Unfortunately, the cryptocurrency payment leaves no room for reclaiming the lost funds.

Here’s all you need to know about these scams and how to best protect yourself.

How the scams play out

In some Bitcoin ransom scams, scammers hijack an email address associated with a business website and contact a client of the business. The email informs the victim that a hacker has found a vulnerability in the company’s website and is holding the victim’s data hostage until a Bitcoin payment is made for its release. The victim, fearing monetary loss, may comply with the scammer and make the payment. In reality, though, the scammer has only hacked into the company’s email database. They have no access to the customer’s sensitive information.

While the scammer can hijack any website that has access to clients’ sensitive information, financial institutions, like Olean Area Credit Union, are especially vulnerable to this scam. We utilize strict protective measures, like encryption and updated security software, to protect our members’ information, but fraudsters may still try to scam members by persuading them that their data is at risk of being exposed.

In another variation of the Bitcoin ransom scam, scammers use “sextortion” to take the victims for money. They’ll claim to have evidence of the victim engaging in questionable internet usage and threaten to share this information with the victim’s contacts unless a ransom payment is made immediately. Some criminals have taken this scam a step further during the COVID-19 pandemic. In addition to the threat of releasing the information they supposedly have on the victim, they’ll also promise to infect the victim and their family with the coronavirus unless a payment is sent to a Bitcoin wallet.

Protect yourself 

Fortunately, ransom scams are easy to spot.

If you receive an email allegedly sent from a business you use, and it contains a message similar to what’s described above, do not respond. You can contact the company yourself to ask if there has been a data breach. You will likely learn there has not been any sort of breach within the company.

Similarly, if you receive an email threatening to expose your internet usage history and/or to infect you or your family with the coronavirus, do not respond. Mark the email as spam and delete it promptly.

If you’ve been scammed

Unfortunately, cryptocurrency transactions pose an extra risk by being absolutely final. There’s no way to cancel a cryptocurrency payment, back out of a purchase or trace the Bitcoin wallet to its owner.

However, if you believe you’ve been targeted by a Bitcoin ransom scam, you can help prevent others from falling victim by reaching out to the appropriate authorities.

If the scammer posed as a representative of Olean Area Federal Credit Union, be sure to let us know! We’ll send out a warning to all of our members and caution them not to respond to any emails claiming to have hacked our database or to have accessed our members’ sensitive information. If the scammer is posing as a representative of a different company, it’s a good idea to let them know about it, too.

It’s equally important to alert law enforcement agencies about every scam attempt. The FBI’s Criminal Investigative Division has a team that’s dedicated to preventing and fighting cryptocurrency laundering and fraud. If you are the victim of a cryptocurrency scam or you’ve been targeted by one, be sure to contact your local FBI field office or visit the bureau’s Internet Crime Complaint Center.

You can also alert the Federal Trade Commission at

Many people are struggling with financial hardships due to the economic fallout of COVID-19. Unfortunately, scammers are trying to make a difficult time even harder by extorting victims for money. Stay alert and stay safe!

Beware of Unemployment Scams

As the economy reels from the impact of COVID-19, a record 22 million Americans have filed for unemployment insurance in the four weeks leading up to April 11.

Unfortunately, when there’s bad news, scammers aren’t far behind. The panicked rush to fill out claims, along with the overloaded unemployment websites and phone lines, provides the perfect cover for con artists looking to grab a dollar.

Here’s all you need to know about the circulating unemployment scams.

How the scams play out 

An unemployment scam can involve a con artist filing a claim in someone else’s name and then collecting their benefits or claiming to be employed in a place of business where they have never held a job. The victim will thus be denied their own benefits.

These cons can also take the form of a scammer impersonating a government employee offering to help the victim fill out their application for unemployment insurance. Unfortunately, the scammer is only out to get information to nab the victim’s benefits. Or worse, the scammer may use this information to steal the victim’s identity. Other times, while allegedly helping the victim fill out their forms, the scammer asks the victim to make a payment via credit card to receive their benefits. Of course, this money will go straight into the scammer’s pocket and the victim’s unemployment claim is never filed.

In yet another variation of the unemployment scam, fraudsters create bogus websites that look like official sites used to claim benefits. They lure victims to the sites via social media posts or emails. The victim willingly shares information and assumes they are actually filling out their unemployment forms.

How to spot an unemployment scam

First, it’s important to note that there is no fee involved in filing or qualifying for unemployment insurance.

Second, government officials will never ask you to share personal information over the phone unless a phone appointment was preplanned and scheduled for a specific date and time.

Finally, sensitive information should never be shared on a site without first verifying its security. Look for the lock icon next to the URL and for the “s” after the “http” in the web address.

Protect Your Account & Money: Best Practices for Debit and Credit Cards

In these trying times, it is important to keep your account, money and personal information safe from professional con artists. Criminals utilize many techniques to trick you, such as disguising their phone number to look like a local caller or, worse, making it look like they are calling from the Credit Union. Here are a few tips to help you keep your money safe.

If the Credit Union calls you regarding your debit or credit card:

  1. We will NOT ask you for personal information such as your Social Security number, date of birth or address, unless we feel we need to identify you as the member.
  2. We will NOT ask you for your PIN, account number, credit or debit card number, username or passwords!
  3. Our third-party fraud department works 24/7 to help us monitor your account for any suspicious activity done with your debit or credit card. When they try to contact you, they will send a text, follow up with an email, call the home phone and then call your cell phone, usually within 5 minutes of each other. Make sure you respond to the contact information given to you. The following will then occur:
    • They will list the last 4 or 5 transactions for you to verify whether they are ones that you have done.
    • If they are all legitimate transactions, they will unblock your card.
    • If there have been any unauthorized transactions, they will block the card to prevent any further transactions, start the dispute process if necessary and tell you to call the Credit Union to get a new card.
    • They will NOT ask you personal information. 
  4. Whenever in doubt as to whether a call is legitimate, you should tell the caller you need to call them back.  We then recommend that you call the credit union directly to verify the call and the fraud activity on your card.

Best Practices:

  1. Please make sure your contact information is current with the Credit Union so that our card fraud department can contact you when needed: Address, phone numbers and a current email address. 
  2. If you call the Credit Union, we need to verify that we are talking to you, our member, and not an impostor. We may ask your personal information that we already have on file for you including date of birth, Social Security number and other information that only you should know.  
  3. Be cautious when signing up for “Free Trials or Discounted Offers.” This presents a perfect opportunity for criminals to obtain your information. When signing up for a “free trial,” please keep in mind that nothing is free. The fine print usually describes what needs to be done in order to prevent further charges in the future, such as cancelling by a certain date or returning the unused portion of the product. Unfortunately, unless you follow their directions, these transactions are not disputable.

We want to help our members stay safe during these trying times. Please call Olean Area Federal Credit Union at 716-372-6607 or 800-854-6052 with any concerns or if you think you may have received a call from someone attempting to get your information. 

Use caution when using the digital payment network, Zelle

Recently fraudsters initiated a sophisticated 2-step scam targeting Zelle users:

  • The scam started with fraudsters sending account alerts to users via text message appearing to come from a financial institution warning them of suspicious debit card transactions on their accounts.
  • For those who responded to the text, the fraudsters called the Zelle users via telephone from a deceiving phone number and claimed they were from a financial institution’s fraud department. To verify the identity of the user, the fraudster told them they would receive a passcode via text message which would need to be provided over the phone.
  • The fraudsters used the “forgot password” feature for online banking, which triggered multi-factor authentication, and the passcode was sent via text. Users then gave it to the scammer. In other cases, the fraudsters triggered a Zelle transaction but needed the passcode to complete the transaction. They then immediately used the passcode to log in to the user’s accounts.
  • Once logged into the account, fraudsters used Zelle to transfer funds out.

In a few cases, if users refused to provide the passcode, the impostors impersonated the user, social engineered their mobile phone carrier and succeeded in porting the users’ mobile phones to a different carrier. This allowed them to receive the passcode by using the “forgot password” feature.

  • Some institutions reported that these scammers successfully social engineered their service call center employees into changing mobile phone numbers on accounts, which allowed them to receive the one-time passwords (OTPs). In some cases, email accounts were hacked to intercept OTPs sent via email.

If you’ve been a target of this type of scheme or any other, please contact the credit union immediately. We would not ask for your personal information if we initiated the call to you.