Important Security Alert: Credit Cards Released on Dark Web

Members: We have been notified that a dark web carding market has released a massive dump of 1,221,551 credit cards, allowing anyone to download them for free to conduct financial fraud.

The threat actors announced the credit card dump on Sunday to promote their new domains. The freely circulating file contains a mix of “fresh” cards expiring between 2023 and 2026 from around the world, but most entries appear to be from the United States. Analysts claim the cards mainly come from web skimmers, which are malicious scripts injected into checkout pages of hacked e-commerce sites. 

Currently, we are working with our security partners to analyze the file of credit cards. If any active cards issued by us are found, we will contact the member immediately. 

Please know: There is no charge to members for this service, and all cards are automatically covered by default. You do not have to register to have the peace of mind that your First Education debit and credit cards are being monitored. 

If you would like more information on this member benefit, please call us at (307) 432-7400, send an email to ms@firstedfcu.com, send a text to (307) 432-7400, or start a conversation in AirTeller. Remember to never include personal information in an email or text message. 

How to Spot Phishing Attempts

Phishing is when criminals use fake emails to lure you into clicking on them and handing over your personal information, or installing malware on your device.

When criminals go phishing, you don’t have to take the bait.

It’s easy to avoid a scam (phishing) email when you know what to look for! 

The signs can be subtle, but once you recognize a phishing attempt, you can avoid falling for it.

Know the signs of a phishing email

  • The offer inside is too good to be true
  • Language is urgent, alarming, or threatening
  • Writing is poorly crafted, with misspellings and bad grammar
  • Greetings that are ambiguous or very generic
  • Requests to send personal information
  • Urgency to click on unfamiliar hyperlinks or attachments
  • Strange or abrupt business requests
  • Sending e-mail address doesn’t match the company it’s coming from

What to do if you get a phishing email

If you’re at the office and the email came to your work email address, report it to your IT manager or security officer as quickly as possible.

If you’re at home and the email came to your personal email address, do not click on any links (even the unsubscribe link) or reply back to the email. Just delete it! 


For more information on blocking and reporting phishing attempts, check out this post from the National Cybersecurity Alliance.

Why to Make Software Updates Right Away

One of the best ways to keep your information secure is also one of the easiest: Keep your software and apps updated! 

When updates become available for your phone, computer, tablet, or other device, make them right away.

We know how tempting it can be to click “remind me later,” but here’s why that’s not the best idea. 

These updates are pushed out to fix general software problems and provide new security patches that close the gaps where criminals might get in. (Cyber criminals are always looking for new ways to steal your data through software, and updating your software is an easy way to stay a step ahead.)

How to make software updates easy 

Software from legitimate companies usually provides an option to update your software automatically.

When there’s an update available, you’ll get a reminder to easily start the process.

Watch for fakes!

When visiting a website or opening software, have you seen those pop-up windows that urgently ask you to download something or fill out a form? Those are fakes! 

Luckily, if these types of pop-ups are detected, most web browsers will warn you not to move forward or stay on a specific web address.

Now that you understand the importance of software updates, it’s time to take care of business!

If you’ve been putting off any updates on your phone, computer, or other device… now’s the time to get those downloaded and installed.

Why You Need a Password Manager

Over the years, we’ve gone from having just a couple of passwords to keep track of, to managing upwards of 100 passwords or more.

If you’re like most people, you’re probably using the same password for most of your accounts—and that’s not safe.

If that one password gets stolen because of a breach, it can be used to gain access to all your accounts… and any personal or financial information they contain.

That’s why we recommend using a password manager!

What is a password manager?

A password manager is software designed to manage all your online credentials, like usernames and passwords. It stores them all in a safe, encrypted database, and it can even generate new passwords when needed.


The biggest benefit of a password manager is that you won’t need to memorize hundreds of passwords or keep that secret password paper in your drawer! You’ll only need to remember the one password that unlocks your password manager vault.

What are the advantages of a password manager?

  • Saves time
  • Works across all your devices and operating systems
  • Protects your identity
  • Notifies you of potential phishing websites

For a list of suggested password manager options straight from the National Cybersecurity Alliance, click here.

Why to Use Multi-Factor Authentication

First things first:

What is multi-factor authentication?

Multi-factor authentication (MFA) is a security measure that requires anyone logging into an account to complete a two-step process to prove their identity. 

In short, multi-factor authentication makes it twice as hard for criminals to access an online account!

How does multi-factor authentication work?

By requiring two steps instead of one to log in, multi-factor authentication greatly increases the security of any account.

When MFA is activated, you’ll log in to your account with your username and password like normal, then complete an additional security step to finish the login process.

Examples of MFA methods include:

  • Entering an additional code emailed to an account or texted to a mobile number
  • Entering an extra PIN (personal identification number)
  • Entering an answer to an extra security question like, “What’s your favorite pet’s name?”
  • A biometric identifier, like facial recognition or a fingerprint
  • A yes/no button or unique number generated by an authenticator app (like those from Microsoft, Google or Duo)
  • A secure token, which is a separate piece of hardware (like a key fob that holds information) that verifies a person’s identity with a database or system

Not every account offers MFA, but it’s becoming more popular every day. You’ll see it on many accounts that hold either financial or personal information, including banks, financial institutions, online stores, and social media platforms.

Simply put: When MFA is available, always turn it on.

It’s easy to do, and it greatly increases your account security.

Peer to Peer (P2P) Payment Services

Peer to Peer or Person to Person (P2P) payment services are an easy way to send funds directly from your account to another person. These services are available through several providers via websites and mobile apps. Funds can be sent quickly, often using only a phone number or email address.

However, P2P transactions have risks and do not have the same consumer protections as other transactions. Unlike credit card and debit card transactions, there are no chargeback rights on P2P payment services. This means if you send someone money, even someone who has defrauded you, we may not refund your money.  Your money may also not be refunded if you entered incorrect information and the funds were sent to the wrong person. You will need to work directly with the service provider to have your money refunded.

We may also not refund money for P2P payment services done by a third party if you provided the third party with access credentials or other information for your account or device. This means if you give anyone, directly or indirectly, your username, password, security code, or other information that allows them to access your account or device and they withdraw money from your account using P2P payment services, we may not refund your money. You will need to work directly with the service provider to have your money refunded.

Never give anyone information that would allow them to access your account or device and only use P2P payment services with people and companies you know and trust.

Cyber-Safe Travel Tips

Summer is a popular time to travel, whether for a relaxing overnight or a week spent exploring a new destination. You’ll likely be taking along your smartphone or other device to assist with directions, locating or identifying points of interest, and capturing that special photo.

Practicing good cyber hygiene before, during, and after your trip will help secure your devices and allow you to connect with confidence when you’re away from home!

Before You Travel

Update your devices. Updating devices will fix security flaws and help keep you protected. Whether it’s your computer, smartphone, or gaming device, be sure to update your operating system, applications, antivirus and anti-malware software, and the like. If you haven’t already turned on automatic updates, now is a good time to consider doing so.

Back up your devices. Back up information such as contacts, financial data, photos, videos, and other data in case a device is compromised during travel and you have to reset it to factory settings.

Lock your device. Make sure to lock your device when you are not using it. Set your devices to lock after a period of time and use strong PINs and passwords. 

Enable multi-factor authentication (MFA). Add an extra layer of protection so that the only person who has access to your account is you. For more information on MFA, see https://www.cisa.gov/mfa.

During Your Travel

Guard your devices. Your devices are valuable, but your sensitive information is as well. Always keep your devices close at hand and secure in taxis, security checkpoints, airplanes, rental homes, and hotel rooms.

Securely recharge. Never plug your phone into a public USB charging station—such as those in the airport or in hotel room lamp or clock radio inputs—as these cannot be trusted. Malicious individuals can hijack your session or install malware on your device through those seemingly-harmless means. Always connect using your own power adapter connected to a power outlet.

Delete data from your rental car. If you connect your phone to a rental car for navigation or other purpose, be sure to securely remove the device so that other individuals do not have access to your address book, device name, text messages (hands free calling), or other sensitive information. 

Avoid public Wi-Fi. While public networks are convenient, they are a security risk. Avoid connecting to public Wi-Fi unless absolutely necessary. Instead, consider using your phone carrier’s internet connection or use your phone as a personal hotspot if your plan allows. 

If you do need to connect to public Wi-Fi, verify the name of the network with the establishment and use a virtual private network (VPN), software that will encrypt your internet traffic and prevent others from stealing your data. Verifying the network name is important because malicious individuals often create similar connection points with a slight misspelling, hoping you will instead connect to their network.

Turn off auto connect. While auto connect is enabled, devices will seek out and connect to available networks or Bluetooth devices. This could allow cyber criminals to access your device without you knowing it. Disable auto connect, Bluetooth connectivity and near field communication (NFC), like AirDrop, so that you can select the network and control the connection.

Limit what you share. Limit the information you share on social media while on vacation and consider posting updates about your trip after you return. Revealing too much information while away can put you and others at risk. Criminals can gain useful information from such posts, like knowing you are away from your home. Scammers may even attempt to contact your family and friends with a variety of scam tactics. Additionally, consider setting your social media accounts to only allow friends to view your posts.

Avoid the use of public computers. Public computers such as hotel business centers and internet cafes are often poorly managed and provide minimal security protection for users. If you must use a public computer, do not enter any username or password on the computer and do not connect or transfer data via thumb drive/USB.

When You Return Home

Shred your boarding pass and luggage tag. Scannable codes on boarding passes and luggage tags include full name, date of birth, and passenger name record. These can also contain sensitive data from your airline record, like passport number, phone number, email address, and other information that you wouldn’t want to share publicly. For this same reason, never post boarding passes on social media.

Scan for viruses and malware. It’s best to update your security software when you return home and scan for viruses and malware to be sure your device has not been compromised while you were away.

Note about business equipment: It’s best that you leave your work devices behind. However, if you can’t leave home without them, ensure that you are following your organization’s policies and procedures for protecting the devices and the information they contain while traveling.

Celebrate World Password Day!

Every first Thursday in May, we celebrate World Password Day: An occasion to implement (or brush up on) good password habits to protect your digital information.

Not even the best security measures will keep your data safe if someone (or something) guesses your password. 

Here are our recommendations to make your passwords less vulnerable. 


Let’s start with the “do’s” of a good password.

DO use multi-factor authentication (MFA) whenever available.

DO increase the length to create stronger passwords.

DO change your password whenever you think it may have been compromised.


What are some password “don’ts”?

DON’T use names or dates associated with you or your family. This includes the names of your pets and any information available on social media.

DON’T reuse passwords across multiple systems or accounts.

DON’T share passwords — not with your family, friends, or coworkers.

Keeping personal information private is everyone’s responsibility.  Do your part by using strong passwords.  
