Security Center


Security Overview

TIAA-CREF Tuition Financing, Inc. serves as program manager for Michigan Education Savings Program (the “Program”). Ascensus College Savings Recordkeeping Services, LLC provides recordkeeping and account processing services.

Our cybersecurity response program is designed to help keep your financial information safe and is intended to comply with applicable federal and state laws. Online security is a shared responsibility between you, the account owner, and us, the service provider. Safeguarding your assets, your personal information, and privacy is one of our fundamental priorities. We utilize a variety of controls to detect and prevent unauthorized access to our network and sensitive information.

Our Security Promise

We are committed to keeping your financial information secure. Please know that we'll never call or email you to ask you for your login credentials. If you receive a suspicious message, don't click on any of the links or respond with personal information. Please report suspicious activity by calling your program’s customer service at 1-877-861-6377.


Safeguarding your own information: Account owner security checklist

While we strive to keep your information and transactions safe, there are actions you can take to contribute to your own security. The following are some best practices to follow.

Protect your account

  • Do not use your Social Security Number (SSN), in full or in part, for a password or PIN.
  • Review your credit reports frequently (at least once a year). Verify the information listed about you is up to date and accurate and that it includes only those accounts and activities you've authorized. Work with the credit reporting agencies to have any inaccurate information removed.
  • Store your Social Security card, other identification cards, checks, and accounts statements in a safe and secure location.
  • Do not carry your Social Security card, passport, or birth certificate with you unless absolutely needed.
  • Do not share your personal or financial information over the phone or in person unless the information is absolutely necessary and you can confirm that the individual and company are legitimate.
  • Frequently monitor your financial accounts and report any suspected fraudulent transaction immediately.
  • Retrieve and review your mail promptly.
  • Shred financial documents no longer needed, pre-approved credit offers, receipts, and other documents that may contain financial and personal information.

Protect your computers, cell phone, and other mobile devices

  • Install and set your anti-virus and anti-malware software to update automatically.
  • Activate all operating system security features on your internet capable devices.
  • Make sure your personal computer and home network are properly protected from malware by setting up your firewall. Check to see that the firewall has been properly installed or enabled if it came bundled with your operating system.
  • Make sure to keep your web browser software up to date by installing the most recent version.
  • Keep the operating system for your computer or mobile device up to date.
  • Never leave your computer, cell phone, or other mobile devices logged on and/or unattended in public.
  • Password protect and lock your computers, cell phone, or other mobile devices when not in use.
  • Only download applications from reputable sources. Be suspicious when installing applications that require you to provide information that has nothing to do with the application's purpose.
  • If you believe your mobile device is infected with malware, contact your service provider.

Keep your information secure

  • If you have any doubts about the authenticity of an email, which appears to be from TIAA-CREF Tuition Financing, Inc., or the Michigan Education Savings Program, or involves your Program account, call the Program’s customer service at 1-877-861-6377. Then be sure to delete the suspicious emails from your mailbox.
  • Do not click on links or attachments if an email seems suspicious, especially if they tell you the problem is urgent. This is known as scareware and intended to make you react without thinking.
  • Do not give out personal information. Check a website's privacy policy before you give them your email address.
  • Create strong passwords. Make your password hard for others to guess by using a combination of letters, numbers, and symbols that are meaningful only to you. Avoid using the same password for multiple websites, particularly financial websites, and be sure to change your password often (at least annually). See also "Create a strong password" below.
  • Account owners should also avoid using the same password for multiple sites and may want to consider using a password manager (software to securely hold multiple passwords) to securely manage passwords.
  • Never share your password with anyone.
  • Do not include personal or sensitive data in, or in response to, an email.
  • Monitor your account activity closely and watch for unusual activity.
  • Promptly review all transaction confirmations, account statements, and any email or paper correspondence sent by your plan.
  • When you finish your online and/or mobile banking sessions, be sure to log out. Simply closing the browser window does not equate to logging out. By clicking on the X to close the browser window your online session may still be open.
  • Shred documents containing personal information.
  • Protect your mail from theft. If you are planning to be away from home, call or go online to contact the U.S. Postal Service and request a vacation hold.
  • Be aware of your surroundings when making purchases or using the ATM. Thieves have been known to copy credit card information or take pictures of cards on their cell phones.

Practice safe web browsing

  • Only allow pop-ups from sites that you authorize.
  • Only make online purchases using secure sites that encrypt your information. Instead of following links, go directly to the store's web site and navigate to find the special sale items. To help ensure that your information is protected when shopping or banking online, look for an unbroken key or padlock at the bottom of your web browser or within the address bar. When you are asked to provide payment information, the beginning of the web site's URL address should change from http to https, indicating that the purchase is encrypted or secured.
  • Never access a website from a link in a suspicious email.
  • Access online financial sites by typing the address directly into the browser's address bar instead of clicking the link. It is recommended that once you've typed the address into your browser that you bookmark the site. By doing this you can reference the bookmark the next time you need to login to the site without retyping the address into your browser.
  • Think before you click. Be cautious about clicking on links, especially in emails, and be sure they link to a trusted website. Get in the habit of hovering over links to see the underlying web address. If you're unsure about a link, you can go to the firm's website by typing the correct address in your web browser.

When buying online, look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices, such as TRUSTe, Verisign, or BBB online.

  • Be extremely cautious when using public computers to access financial and other sensitive personal information online. If possible, instead use only known devices, such as your own personal computer that you know has the necessary protections and security features installed.
  • Do not save private information onto public computers. If you're accessing a private account at the library or another public place, be sure to sign out completely from your accounts and don't autosave sign-in information like your username or password.
  • Be wireless-wise. Don't use public Wi-Fi to access websites with sensitive information such as financial records, banking transactions, business-related documents, or other personal information. When setting up your home network, follow the manufacturer's security recommendations to be sure your wireless signal is properly encrypted.
  • Be cautious of clickable advertisements, pop-up windows, or fake dialogue boxes with urgent messages. These are often tactics that fraudsters use to try and access and steal your personal information.
  • Do not give out personal information to blogs, forums, and other social networking sites.
  • Beware phishing attempts and unsolicited requests; these don't just happen via email. They can also arrive via social media. Be suspicious of messages or promotions you did not sign up to receive.
  • Be careful about what you post personally and professionally—too much information can help scammers reach their goals.
  • Always make sure to log out of the website before you close the window. Online fraud can happen when you move from one website to another without logging out of the previous one. When you are logging into a secure website, do so in a new browser window.

Create a strong password

  • The strongest passwords are long and employ a mix of numbers, upper- and lower-case letters, and special characters. Passphrases are typically longer than passwords for added security and contain multiple words that create a phrase.
  • Your password shouldn't contain any personal or easily attainable information, such as your name, your birthday, Social Security number, or wedding anniversary. In addition, don't use a component of your username in your password.
  • Make sure you use different and unique passwords for all of your online accounts. Reusing a single password for multiple web sites is never a good idea. If a hacker obtains your password, the first thing he or she is going to do is check whether that password works for other web sites. It's also a good idea to periodically change your passwords.
  • Do not give out your passwords to anyone, including family members.
  • Remembering a multitude of unique passwords is difficult and writing them down on paper isn't secure. Consider installing a password manager. A password manager is a software application that helps a user store and organize passwords. The password manager stores the passwords encrypted, requiring the user to create a master password, a single, ideally very strong password which grants the user access to their entire password database.

Stay informed on the latest fraud threats

  • Phishing is a cyber-threat by which individuals send messages to lure personal information (credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information) from unsuspecting victims. Phishing may occur through fraudulent emails, fake web sites, text messages, or direct phone calls claiming to be a financial institution or another company you have a customer relationship with, asking you for your personal information.
  • SMiShing is the cell phone version of "Phishing." Using fake company e-mails, scammers send text messages that appear to be from well-known companies but contain links to counterfeit web pages that have been made to look nearly identical to legitimate companies' sites. The text messages suggest that there is an urgent need for you to take action to update personal information to avoid an unwanted service charge or another potential threat to your account. The web sites then ask you to enter financial and personal information like user IDs, Social Security numbers, or bank or credit card account numbers.
  • Malware, short for "malicious software," includes viruses and spyware. These are small software applications that can be installed on your computer, phone, or mobile device without your consent. Malware is used to steal your personal information, send spam, and commit fraud. Without your consent it can download itself during a transaction via your online session and attempt to steal your sensitive data.
  • Many legitimate charities use telemarketing, direct mail, email, and online ads to ask for contributions. However, following major disasters, scammers send email purporting to be from a charitable organization, urging consumers to follow a link and donate or even send cash. Email may also come from individuals claiming to be a victim asking for a donation.

Criminals are using new schemes that incorporate old techniques to try to trick people to provide personal information or account details. These social engineering attempts include use of sophisticated email and text messages appearing to be from legitimate sources and phone calls appearing to be from authentic individuals or service providers, etc. Carefully scrutinize any requests to divulge personal or account details. Understand your surroundings and be wary of those watching and listening. If you can't verify a request or confirm that it is authentic, take the utmost caution in releasing any information.

About Identity Theft

About Identity Theft

Identity theft involves the impersonation of an individual through the fraudulent use of his or her personal and account information, e.g., driver's license, Social Security number, bank account and other numbers, as well as usernames and passwords.

Identity thieves obtain information in a number of ways:

  • From the trash
  • By stealing mail, purses, and other personal items
  • By copying credit card or other information during a transaction
  • Through phishing attacks
  • By submitting false address changes

Avoid being a victim of a social engineer or scam artist by being an educated and aware online consumer. Learn more by visiting OnGuard Online, a service of the U.S. Federal Trade Commission and other federal agencies. OnGuard Online provides information about avoiding scams, understanding mobile apps and Wi-Fi networks, securing your home computer, and protecting family members.

If you are a victim of an internet crime, report it to IC3, a service of the U.S. Federal Bureau of Investigation and the National White Collar Crime Center. You should also report attempted identity theft to the local authorities as well as to the Federal Trade Commission's Complaint Assistant Application.

Identity theft prevention and protecting your personal information

While there is no way to completely eliminate the risks of fraud or identity theft, there are things that you can do to help protect yourself and minimize the risk.

  • Protect your Social Security number. Remove your Social Security number printed on anything, such as checks. Keep your Social Security card not in your wallet, but in a secure place within your home.
  • Don't give out personal information to unknown callers. If an unknown caller asks for your personal or financial information, tell them you will call them back to confirm the inquiry, and then either verify that the company is legitimate, or if it's a bank or credit card company, call them back using a number from your bill or your card.
  • Regularly review bills and account statements. Make sure you recognize and authorize all charges, checks, and/or withdrawals. If a regular bill doesn't arrive, call the company to find out why—it could mean that a thief has redirected your mail to another address.
  • Protect important documents at home. Keep your personal information and important documents in a secure place in your home, like a locked file cabinet or a safe.
  • Shred documents containing personal information. Once you've paid your bills and reconciled your accounts, shred old account statements, bills, receipts, pre-approved credit offers, and other documents that contain personal information before you throw them away.
  • Protect your mail from theft. Don't leave outgoing mail (like bill payments) in an unsecured mailbox. Use a locking mailbox or take it to a post box or your local post office. If you are planning to be away from home, call or go online to contact the U.S. Postal Service and request a vacation hold.
  • Streamline your wallet. Carry only the credit and/or debit cards, checks, and/or cash that you need for the day.
  • Be aware of your surroundings. Be conscious of people standing nearby when you are making purchases or using an ATM. Thieves have been known to copy credit card information or take pictures of cards with the camera of their mobile phone.
  • Check your credit report regularly (at least once each year). Make sure the information about you is accurate and that it includes only those accounts and activities you've authorized.

Safeguarding your information and online transactions with strong technologies and technical controls

We use the following methods to help keep your online transactions and personal information safe and secure.

Username and password requirements

To help prevent unauthorized access, we prompt you to create a unique username and password when you first access your account. A password is a string of characters used to access information or a computer. Passwords help prevent unauthorized people from accessing files, programs, and other resources. When you create a password, you should make it strong, which means it should be difficult to guess or crack. See below for hints in creating a password that would be difficult to crack.

A Strong Password

  • Minimum of eight characters long
  • Includes numbers, symbols, upper-case and lower-case letters
  • Does not contain your username, real name, or company name
  • Does not contain a dictionary word
  • Significantly different from the previous passwords

Image verification during login

Before you enter your online password, we ask that you verify your personalized security image. This image would be one that you selected during the creation of your web account. Once the image you have selected is displayed, you can be confident that you are accessing our web site, as opposed to a fake site that may be attempting to "phish" for your personal information. If you ever log in and do not see the image you've selected or the image is incorrect, STOP, do not input your password. Please immediately report this to your plan's customer service team.

Note that for some sites where there exists a partner relationship, some users may seamlessly sign in to their financial institution's web site without seeing a security image. This occurs because of an industry standard technology called federated authentication, which exists between your financial institution and us. When you securely log in to your financial institution's site and wish to then view your 529 plan account, you will seamlessly and securely be transitioned to the Program’s website. Users should familiarize themselves with their financial institution's security and login process to be more able to effectively identify when the process behaves differently than expected.

Security Questions

If you forget your password, answering the security questions you selected when creating your account will allow you to reset your password online. The security questions are designed to be personal to you. The answers should also be easy for you to remember but hard for others to guess. We highly recommend that you do not use questions that may be answered by someone viewing your social media profiles or other information that may be publicly available.

Customer verification

Whether you visit us online or by phone, we always verify your identity before granting access to your accounts.

Strong encryption

Transport Layer Security (TLS) technology is used to establish an encrypted connection between your browser and our web applications. TLS websites start with "https://" instead of "http://" and signify that you are in a secure online session with us. For your protection, we require a modern version of TLS and industry standard encryption strength—these are supported by current versions of all modern browsers.

Systems surveillance

We're on the lookout for suspicious irregularities across our network and infrastructure every day, all day.


Firewalls are protective barriers that defend our networks and computer systems from hackers and cyber-attackers trying to gain access into our systems. We use some of the strongest firewalls available in the industry to guard the information housed in our servers.


System activity is logged in order to preserve the information necessary to validate the transmission of data or the completion of a transaction.

Fraud detection

We monitor transactions for suspicious and unusual behavior to help verify that they are authentic and legitimate.

Restricted access to data

We limit access to systems containing customer data to only those employees who need it to conduct business or support key business functions. Access is continually monitored and only granted to new associates as their role may require.

Employee education

We make sure that our employees know and adhere to our security policies. We require all associates to participate in ongoing security training, including how to handle sensitive data and to be aware of security risks.

Regularly refine and update security features

We review industry security standards and perform system testing on an ongoing basis to help identify and implement the most up-to-date techniques and technologies and verify that our systems are performing as expected.