Online Security

In an increasingly digital age, protecting our customers’ data is one of OppFi’s top priorities. Our model for security comprises best in class talent, technology, data, and controls – to ensure you can do business with OppFi safely, securely and with confidence.

We’ve brought together experts in cybersecurity, fraud, physical security, crisis management, governance, and risk management to strengthen our ability to detect threats and continuously improve our response strategies. Cybersecurity is a very important aspect of our business – this work helps ensure that your data is secure.

We also know it is important to provide security guidelines around protecting your privacy and security to our customers. On this site you’ll find everyday security tips to help you avoid falling victim to identity theft or fraud.

Keeping your identity secure

One of your most valuable assets today is your identity. If fraudsters get access to your personal information, they can access your accounts, set up credit cards in your name, make purchases on your behalf, and much more. We need to work together to keep this information protected.

What information do you need to protect?

You need to protect any piece of information that can be used to identify you. Some examples include your Social Insurance Number (SIN), Personal Identification Numbers (PINs) to access accounts and verification questions and answers.

The only organizations you should share your SIN with are your employer, the federal government, and your financial institution.

Electronic Transactions

In this digital age, we can perform many of our financial transactions through mobile, online or by telephone. While it’s fast, easy and offers many conveniences, it can also open the door to fraudsters. Here are tips to help make sure you online safely, securely and with confidence:

• Keep your operating system software up to date. Fraudsters often target older versions of software to launch malicious programs; make sure you are using security software products that include firewall, antivirus, anti-spam, and anti-spyware.
• When making transactions online, make sure you’re accessing the true website by looking for the “closed lock” icon. The website should also start with “https.”
• Avoid using public computers – these include computers in libraries and internet cafes. They could be carrying malicious software that can record your information.
• Frequently delete your cookies as fraudsters can use them to access your private information.
• Make sure your wireless connection at home is encrypted and password-protected to ensure no one else can use your connection without your permission.
• Protect your mobile and tablet devices. Make sure no one is reading information from your device’s screen; don’t use public Wi-Fi for conducting financial transactions and don’t store your passwords on your device.
• Ensure your mobile devices are password-protected and locked when not in use. This ensures your information is protected if your device is lost or stolen.

Password and Personal Identification Numbers (PINs)

PINs and passwords are the gatekeepers to your money and accounts. They identify you as the authorized user of your accounts (debit card, credit card, online, telephone, etc.) and give you access to your money. It’s critical you create strong PINs and passwords and never share them with anyone.

Protecting Your Passwords & PIN

Never reveal your passwords to others. Your login credentials protect information as valuable as the money in your bank account.Nobody needs to know them but you—not even the IT department. If someone is asking for your password, it’s a scam. Here are password best practices:

• Use a different password/PIN for each account.
• Make your passwords at least 8 characters long, and include special characters and numbers, or better yet catchphrases.
  • Don’t use words from dictionaries, seasons, calendar dates or common phrases.
  • Don’t use dates personal to you that are easily guessed (e.g. birthday, anniversary).
• Use different passwords for different accounts. That way, if one account is compromised, at least the others won’t be at risk.
• Use multi-factor authentication (MFA) which adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you really are trying to log in.
• Use a password manager. Password management tools, or password vaults, are a great way to organize your passwords. They store your passwords securely, and many provide a way to back-up your passwords and synchronize them across multiple systems.

Protecting your passwords and PINs is one the most effective ways to protect yourself against fraud and identity theft. Here are some tips to keep your passwords safe:

• Don’t share your passwords with anyone.
• Don’t store them in easily accessible places such as your desk, car, wallet, or under your keyboard.
• When entering your Password or PIN make sure no one is watching you as you.

Phishing

Phishing is one of the most used and effective ways cybercriminals attack individuals everyday through email (phishing), text (smishing), or voicemail (vishing). Cybercriminals pretend to be a legitimate source, they try to obtain personal information from you, or encourage you to click a link or download an attachment that could install malware (malicious software) on your device.

Phishing, in general, casts a wide net and tries to target as many individuals as possible. However, there are a few types of phishing that hone in on particular targets.

Spear phishing

Spear phishing is a type of targeted email phishing. In a spear phishing attack, the social engineer will have done their research and set their sites on a particular user. By scouring through the target's public social media profiles and using Google to find information about them, the attacker can create a compelling, targeted attack.

Whaling

Whaling is another targeted phishing scam. However, in whaling, rather than targeting an average user, social engineers focus on targeting higher-value targets like CEOs and CFOs. Whaling gets its name due to the targeting of the so-called "big fish" within a company.

While phishing is used to describe fraudulent email practices, similar manipulative techniques are practiced using other communication methods such as phone calls and text messages.

Vishing

Vishing (short for voice phishing) occurs when a fraudster attempts to trick a victim into disclosing sensitive information or giving them access to the victim's computer over the telephone. One popular vishing scheme involves the attacker calling victims and pretending to be from the IRS. The caller often threatens or tries to scare the victim into giving them personal information or compensation. Vishing scams like the one often target older-individuals, but anyone can fall for a vishing scam if they are not adequately trained.

Smishing

Smishing (short for SMS phishing) is similar to and incorporates the same techniques as email phishing and vishing, but it is done through SMS/text messaging.

Here are some tips to help you avoid phishing attacks:

• Double-check links in emails by hovering over them with your cursor.
• Read emails carefully. Impersonal or generic greetings, spelling mistakes and grammatical errors are all signs of a potential scam.
• Don’t respond to emails, texts or phone calls from companies or people you don’t know.
• If you receive an email, text or call asking you to urgently reply, click on a link, verify your account, or reset your password, check with the company before you respond. Don’t feel pressured to respond to an urgent request.
• Don’t click on attachments from unknown sources.
• Don’t enter personal or credit information into a form that is linked in an email. If you think the email is legitimate, call the company or visit their website and log in securely before you enter the requested information.

Social Engineering

Social engineering attacks account for a massive portion of all cyber attacks, and studies show that these attacks are on the rise.

Social engineers are clever and use manipulative tactics to trick their victims into disclosing private or sensitive information. Once a social engineer has tricked their victim into providing this information, they can use it to further their attacks.

One of the best ways to keep yourself safe from a social engineering attack is to be able to identify them. Let's explore the six common types of social engineering attacks:

Pretexting

Pretexting is a type of social engineering technique where the attacker creates a scenario where the victim feels compelled to comply under false pretenses. Typically, the attacker will impersonate someone in a powerful position to persuade the victim to follow their orders.

During this type of social engineering attack, a bad actor may impersonate government agencies, police officers, higher-ups within the company, auditors, investigators or any other persona they believe will help them get the information they seek.

• Always use known means of contacting an agency or institution.
• Never provide someone with sensitive information if you cannot verify their identity.

Baiting

Baiting puts something enticing or curious in front of the victim to lure them into the social engineering trap. A baiting scheme could offer a free perk or gift in an attempt to trick the user into providing credentials.

A social engineer may hand out free USB drives to users at a conference. The user may believe they are just getting a free storage device, but the attacker could have loaded it with remote access malware which infects the computer when plugged in.

To prevent yourself from being baited:

• Don’t be tempted by free perks in exchange for information;
• Never use free drives or other devices given to you by someone you do not know.

Tailgating and Piggybacking

Tailgating is a simplistic social engineering attack used to gain physical access to access to an unauthorized location. Tailgating is achieved by closely following an authorized user into the area without being noticed by the authorized user. An attacker may tailgate another individual by quickly sticking their foot or another object into the door right before the door is completely shut and locked.

Piggybacking is exceptionally similar to tailgating. The main difference between the two is that, in a piggybacking scenario, the authorized user is aware and allows the other individual to "piggyback" off their credentials. An authorized user may feel compelled by kindness to hold a secure door open for a woman holding what appears to be heavy boxes or for a person claiming to be a new employee who has forgotten his access badge.

To avoid both tailgating and piggybacking scenarios:

• Never allow anyone you don’t know to enter a restricted space without proper credentials.
• Always be aware of your surroundings and lock secured areas after you enter.

Quid Pro Quo

Quid pro quo (Latin for 'something for something') is a type of social engineering tactic in which the attacker attempts a trade of service for information. A quid pro quo scenario could involve an attacker calling the main lines of companies pretending to be from the IT department, attempting to reach someone who was having a technical issue.

Once the attacker finds a user who requires technical assistance, they would say something along the lines of, "I can fix that for you. I'll just need your login credentials to continue." This is a simple and unsophisticated way of obtaining a user's credentials.

To protect yourself from Quid pro quo attacks:

• Never provide your credentials to anyone (OppFi or otherwise).
• Always call the company or person back at a known number before proceeding with any conversation about sensitive information.

Social media scams

Watch for fake friend requests and hidden URLs to “free” quizzes. Only engage with people you know. When you provide your information to anything “free” online, know that you are likely sharing it with third parties.

TIP! Remember, we’ll never contact you via unsolicited phone call, email, or text to ask you to confirm or provide your password, or for personal information or account details.

Contact information

If you notice suspicious activity of any kind on any of your OPPFI accounts, please let us know at fraud@oppfi.com. Report a lost or stolen card as soon as possible by calling the number on your account statement or OppFi website.