Help protect yourself from online fraud
Conducting financial transactions over the Internet can be risky. You can reduce this risk by taking some precautions. These precautions include properly maintaining your operating system and Internet browser and using certain hardware and/or software to protect you and your family from disreputable parties.
- Secure your home computer
- What is phishing?
- Tell The Principal® about phishing or other fraudulent emails
- What is pharming?
Secure your home computer
There are several things you can do to improve the security of your home computer, so your personal information is protected while you are online. The following suggestions provide information about some of the things that can help to prevent problems. Some of these items may require a certain level of technical expertise. If you're not sure about what to do, or if you have questions, contact your internet service provider or other computer professional for assistance.
- Make sure you use the correct website address. Do not send sensitive personal or financial information from your computer unless it is encrypted on a secure website (look for https:// at the beginning of the website address or the lock icon in the corner of your browser). Look for the correct address for the website you are visiting. For example, the correct website for logging into your personal accounts at The Principal is https://secure05.principal.com/authentication/loginPage.jsp. Make sure it is the website address that you expect and not a look-alike.
- Update your operating system. Newer operating system versions (those less than five years old) provide a higher level of protection than older versions. Operating system manufacturers frequently issue security updates that help to make the system more secure. Some manufacturers can notify you through email when updates are available, or the updates can be installed on your computer through your Internet connection.
- Use a personal firewall. Your computer's operating system may have a software firewall in place, but a third-party hardware or software firewall is recommended because it provides more protection. Hardware firewalls are generally included in routers that you may use with your broadband connection (Cable/DSL). All Internet users, regardless of how they connect to the Internet, should use software firewalls. There are free versions available for consumers.
- Use anti-virus software. Anti-virus software works by identifying potentially harmful computer viruses before they can infect your computer. Most anti-virus software manufacturers frequently update their software in response to new threats. You should update your anti-virus software frequently or have the program automatically update itself.
- Scan your computer for spyware. Spyware (or adware) programs can record your website activity and can relay that information to another party. There are free spyware removal programs available; try searching on the terms "spyware" or "adware". Be sure to confirm that a program is from a legitimate source before you download and install it. Some anti-spyware providers may choose to “allow” certain spyware to be installed on your computer, so be careful about which anti-spyware program you select. Most anti-spyware software can be configured so it does not block or remove wanted items.
- Don't download software from questionable or unknown sources. Some programs you may find online might contain spyware, viruses, or other malicious applications. These can cause damage to your computer, or expose your personal information. Be sure you know and trust the website that is distributing the software before you download and install it.
- Use a current browser and keep it up to date. The Principal Financial Group will only allow communications through Internet browsers that use the Transport Layer Security (TLS) communication protocol. TLS is a set of rules that tell computers the steps to take to improve the security level of communications. These rules are designed for the following:
  - Encryption. Transmitted data is scrambled with an encryption scheme that guards against eavesdropping. An intermediary who somehow "listens in" on TLS communications cannot tell what is being communicated; it looks like gibberish.
  - Data Integrity. TLS uses a Message Authentication Code to verify that data sent has not been altered in transit.
  - Authentication. This guards against impersonation. Internet server sites that employ TLS have unique digital signatures that cannot be forged, thus proving there is no hacker between the customer and Principal Financial Group's computer systems. A certificate is used to validate this authentication. You can view our certificate at any time by double-clicking the padlock icon in the bottom right-hand corner of your browser. When you view our certificate you should see the details tab. In that tab the Issuer should be S1.com.
- Block pop-up windows. Some browsers can be configured to block pop-up windows from displaying. There are also free, publicly available programs that will block all pop-up windows while you are online. You can find these programs by searching online for the phrase “pop-up blocker”. Some search engines and Internet Service Providers may also provide pop-up blockers. Be sure to confirm that a program is from a legitimate source before you download and install it. Some blockers can be configured to allow pop-ups on certain sites that you choose. Others let you allow pop-ups on a one-time basis by holding down a specific key (like “Control”). Check the pop-up blocker’s documentation for specifics.
- Shop and conduct business on secure websites. Secure websites offer encryption of your data. Generally there will be a lock symbol in the lower right-hand corner of the browser window. The URL of the page may also begin with “https://...”. The “s” stands for “secured” and means the Web page uses encryption. The Principal Financial Group provides 128-bit encryption - the highest level available commercially.
- Don't stay connected when you don't need to. Dedicated Internet connections such as DSL or cable provide a constant connection between your computer and the Internet. When you aren't going to be online, disconnect from the Internet to avoid unwanted access to the information on your computer. This step can help provide additional protection over and above that provided by your firewall.
What is phishing?
Online fraud occurs when someone poses as a reputable company to obtain sensitive personal data and illegally performs transactions on your existing accounts or uses your information for other sorts of fraud. Often called “phishing” or “spoofing,” the most recent methods of online fraud include fake emails, websites, Trojan horses and pop-up windows or any combination of these.
Phishing is a fraudulent email scam that is used in an attempt to get consumers to disclose or verify their account numbers, personal identification numbers (PIN), social security numbers, passwords, or other sensitive information. This email typically resembles correspondence from a familiar company and may have a similar Internet address to that company in the text; however, it will usually have a couple of letters transposed. Some phishing attacks look very authentic. Be very cautious and don’t provide sensitive information if you didn’t initiate the request.
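The address check described above (expected https:// login address versus a look-alike with transposed letters) can be automated. The following is an added example, not code from The Principal: `classify_link`, `osa_distance`, and the two-edit threshold are assumptions chosen for illustration, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Login host quoted on this page; every other name below is illustrative.
EXPECTED_HOST = "secure05.principal.com"

def osa_distance(a: str, b: str) -> int:
    """Edit distance where inserting, deleting, substituting, or swapping
    two adjacent characters each cost 1 (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def classify_link(url: str, expected: str = EXPECTED_HOST, max_edits: int = 2) -> str:
    """Return 'expected', 'not-encrypted', 'look-alike', 'different-site' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    if host == expected:
        return "expected" if parts.scheme == "https" else "not-encrypted"
    if osa_distance(host, expected) <= max_edits:
        return "look-alike"  # near miss of the real name: treat as fraudulent
    return "different-site"

# Constructed sample links (not taken from any real message).
SAMPLES = [
    "https://secure05.principal.com/authentication/loginPage.jsp",
    "http://secure05.principal.com/authentication/loginPage.jsp",
    "https://secure05.pricnipal.com/authentication/loginPage.jsp",
    "https://secure05.example.org/authentication/loginPage.jsp",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):15} {link}")
```

A "look-alike" result is the case the paragraph warns about: the host differs from the expected one by only a couple of character edits, which a reader skimming the address is likely to miss.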
Principal Financial Group has a policy of never sending email requiring customers to send personal information to us via email or pop-up windows. Principal Financial Group emails may provide an Internet address for you to use within our communications, but we will ask you to type it in yourself so that you have assurance that it is a valid Principal Financial Group site. Look for information on that communication that only you and The Principal® would know (e.g., the last four digits of your Social Security Number, part of your account number with us, etc.). Any unexpected request for Principal Financial Group account information you receive through emails, websites, or pop-up windows should be considered fraudulent and reported immediately. If you have any questions about any email that you receive from us, please call (800) 986-3343.
- Pop-Up Windows
A pop-up window is a small window or ad that suddenly appears over or under the window you are viewing. Pop-up windows can be a type of online fraud used to obtain personal information.
- Trojan Horses and Viruses
A Trojan horse is another form of fake email that may contain a virus (an undesirable computer program) that can record your keystrokes. The virus can live in the attachment or be accessed via a link available within the email. Some Trojan horses have been reported to work even if the user views their email through the preview pane in Microsoft Outlook. Experts recommend not viewing email through the preview pane method for this reason.
- Many times there is a feeling of urgency in the email. For example: The email may say that your account will be closed or suspended from use.
- There are often obvious spelling and grammatical errors, although several recent emails look very professional.
- The email will appear to be from a legitimate source. Links within the email may take you to phishing sites where you may be asked to enter, update or verify personal information. The phishing sites may look very similar to the actual sites, but the URL, certificate, and other information may not be the same.
- A pop-up window may appear that asks for personal information.
Tell The Principal® about phishing or other fraudulent emails
If you suspect you have received a fraudulent email from the Principal Financial Group or any of its subsidiary companies, please contact us. If you believe you are a victim of identity theft because of this fraudulent email, please call (866) 858-4433 immediately.
If you suspect a breach of your account with The Principal, call our fraud hotline at (800) 642-3788 or report unethical or fraudulent activity online.
What is pharming?
Pharming is a more complex development of the phishing scam and is best restricted by securing your home computer.
Pharming attacks hide behind the scenes in a network-connected computer and redirect the users’ regular Web surfing activities. Users requesting a bona fide website are unknowingly sent to a fake website that mirrors a legitimate site. Once the pharming scheme is planted, malicious activity can be launched against a wide number of sites that the user may visit on a regular basis totally unknown to that user.
- Login process, verification or information on the website will not look exactly as it does on the legitimate site.
- The site will most likely ask for additional verification or personal information that is not normally required.
- Legitimate website sessions will be encrypted, but phishing sites may be as well. Look for the padlock icon at the bottom of your browser and click on it to verify it is secure by verifying the TLS certificate’s issuer.
- Look at your URL site address. A legitimate website will have https:// in the address.
- A spoofed TLS certificate should cause your browser to display a security alert message. Watch for these messages and take this as an obvious sign of a fraudulent website.
- If you attempt to authenticate to a website and it fails and you know that you provided the right information, it could be pharming.