NBC 5 Responds

How to avoid ‘credential harvesting’

FBI warns of text messages impersonating state toll service

NBC Universal, Inc.

A text, claiming you owe a balance on your toll road account, may be a trick. The FBI says criminals are working to get your login information.

Read on for what you should know about credential harvesting.

TOLL BALANCE MESSAGES

The FBI put out this warning about text messages you may get about a toll road violation. Generally, the message instructs consumers to click on a link to settle a late fee. The FBI said the link leads consumers to a website impersonating a state toll service.

FBI agent Keith Custer told our Telemundo colleague, Liz Gonzalez, that criminals want you to type in your toll authority account username and password. Crooks know some consumers use the same username and password for different online accounts.

Custer explains the information you plug into a bogus toll road website could help hackers crack your other accounts.

“The scammers are essentially doing what’s called credential harvesting. They’re trying to collect these usernames and passwords and then use them at Bank of America or Wells Fargo or Charles Schwab, anywhere where someone might have a financial account,” Custer said. “Once they access those accounts, they can do some damage.”

On the North Texas Tollway Authority’s website, a banner tells consumers: don’t click on or reply to suspicious messages. For account questions, go to ntta.org or call directly. An NTTA spokesperson said the agency is monitoring this issue and is seeing it nationwide. The agency says it tightly guards user information.

SIGNS OF A SCAM

Messages won’t always look like an obvious scam. A common red flag? A message rushes you to respond immediately. Slow down and validate suspicious texts. Don’t contact the person texting you. Look for a phone number printed on your actual account statements.

Never click on a link from an unknown source.

Practice good password hygiene. Don’t use the same password for different accounts.

If one password is compromised, that would mean your other accounts are in danger too.

The Identity Theft Resource Center recommends at least 12 characters in a password. Include a combination of symbols and upper- and lower-case letters.

HOW TO ADD AN EXTRA LAYER OF PROTECTION

Add multi-factor authentication to your online accounts where it’s available. This may include your financial accounts, email and social media. Go to each account and look for the option to enable two-factor authentication (also known as 2FA or two-step authentication) or multi-factor authentication. Depending on the type of account, you may find this option in settings, privacy or security.

When you enable 2FA or MFA, you’re requiring an extra step to log into an account. If someone has your login and password, they would not be able to log into an account without the extra step. This extra step may look like a numeric code sent by text, email or phone call. Some people use a separate authenticator app.

Remember: hackers may still steal your information by tricking you into sharing your MFA code. Never share the code with anyone. If you receive an MFA code you didn’t request, someone may have your password. Change your password.

Here are links to the instructions for setting up multi-factor authentication for Google accounts, Facebook and Microsoft accounts.

If you’ve given your information to a scammer, the FTC offers step-by-step instructions on what to do next here – depending on the type of information exposed.

NBC 5 Responds is committed to researching your concerns and recovering your money. Our goal is to get you answers and, if possible, solutions and a resolution. Call us at 844-5RESPND (844-573-7763) or fill out our customer complaint form.
