Your Online Security
- Protect Yourself Against Phishing
- ATM Security Tips
- Avoid Identity Theft
- Types of Online Scams
- Corporate Account Takeover Fraud
Don't Get Caught By a Phishing Scam
When fraudsters impersonate a business in order to trick you into giving out your personal information, it’s called “phishing.” Don’t reply to email, text, or pop-up messages that ask for your personal or financial information. Don’t click on links within them either—even if the message seems to be from an organization you trust. Legitimate businesses don’t ask you to send sensitive personal information through unsecure channels.
You open an email or text, and see a message like this:
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
"Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."
The senders are phishing for your information so they can use it to commit fraud.
Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don't ask for this information via email or text.
The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond.
Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a "refund." But a local area code doesn’t guarantee that the caller is local.
If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
You can take steps to avoid a phishing attack:
- Use trusted security software and set it to update automatically.
- Don't email personal or financial information. Email is not a secure method of transmitting personal information.
- Only provide personal or financial information through an organization's website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the "s" stands for secure). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
- Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call to confirm your billing address and account balances.
- Be cautious about opening attachments and downloading files from emails, regardless of who sent them. These files can contain viruses or other malware that can weaken your computer's security.
ATM Safety Tips
- Observe your surroundings before using an ATM. If the machine is obstructed from view or poorly lit, visit another ATM.
- Take a friend with you - especially at night.
- Have your card out and ready to use.
- Shield the screen and keyboard so anyone waiting to use the ATM cannot see you enter your PIN or transaction amount.
- Put your cash, card and receipt away immediately. Count your money later, and always keep your receipt.
- If you see anyone or anything suspicious, cancel your transaction and leave immediately. If anyone follows you after making a transaction, go to a crowded, well-lit area and call the police.
- When using a drive-up ATM, make sure all passenger car doors are locked and windows are up.
- Do not leave your car unlocked or engine running when you get out to use an ATM.
- While many ATMs are available 24 hours a day, some may be open only during local business hours. To be on the safe side, plan your withdrawals ahead of time.
Protecting Your Card
- Keep your card in a safe place to avoid damage.
- Memorize your Personal Identification Number (PIN). Never write the PIN down on anything in your wallet or on the card itself.
- If selecting a PIN, avoid numbers and letters that relate to your personal information. For example, don't use your initials, birthday, telephone or Social Security number. If you have such a number, contact your bank and get a new PIN issued.
- Immediately report a lost or stolen card to your financial institution.
- To help guard against fraud, keep your ATM receipts until you check them against your monthly statement.
Beware of “Skimming” Scams!
- Thieves have targeted some stand-alone ATMs or retailers' point-of-sale machines for "skimming" scams. They rig the "swipe" machine with a device that can capture the magnetic stripe and keypad information.
- Be wary of nearby strangers or "good Samaritans" that offer to help you, particularly when an ATM "eats" your card. They could be trying to obtain your card and PIN. Also be wary of "shoulder surfing" where the person behind you is close enough to read the information you enter into the machine.
- If an ATM looks suspicious – for instance, if it has a discolored card reader or an unresponsive keypad – use another machine.
- Check your bank statements regularly. Make sure all payments are yours.
Contact your bank immediately if your card is lost, stolen or subject to fraudulent use.
Protect Yourself Against Fraud & Identity Theft
Ways you can protect yourself against fraud:
1. Protect your social security number, credit cards and debit card numbers, personal identification numbers (PINs), passwords, checking account numbers, and other personal information. A dishonest person can use these details to order checks and credit cards, apply for loans, or otherwise commit fraud using your name.
2. Never provide financial or other personal information in response to an unsolicited phone call, fax, letter, or e-mail. An unsolicited request could be coming from a fraud artist attempting to steal your personal information.
3. Keep sensitive information such as banking account statements, credit card statements, checks, etc. in a safe place at home or in a safe deposit box. These types of documents should be shredded before discarding.
4. Deal only with legitimate, reputable businesses. Whenever possible, try to do business with companies in your area that you know or that have been recommended to you by a person or persons you trust. Research any companies that you have never heard of by contacting the state Attorney General's office or logging on to the Better Business Bureau's website at http://www.bbb.com. To research an unfamiliar banking institution log on to http://www.fdic.gov.
5. Before agreeing to anything, ask for details in writing and review thoroughly. Never rely on a salesman's verbal representations for significant purchases or investments. If a salesman refuses to provide written information or tries to pressure you, this is your cue to say "goodbye".
6. Be wary of any deals requiring money upfront. If a "deal" seems too good to be true, more than likely it is. Beware of any offers stating "free", "get rich quick", etc.
7. Be extra cautious when providing personal information over the telephone or via the Internet. With the rapid pace of technology, scam artists are becoming more and more devious when it comes to developing ways to obtain your personal information via the Internet. Most legitimate businesses will never ask you to provide or verify personal information or passwords via the Internet. Also be sure to verify that a Website's address exactly matches what appears in brochures and literature from the company. Scam artists can duplicate a legitimate Website so that you are directed to a fraudulent Website. When in doubt, call the company directly to verify the authenticity of Websites and e-mails.
8. Safeguard your incoming and outgoing mail. This includes checks, credit card statements, credit card applications, bank statements, and any other document that includes information that would be useful to a thief. Remove incoming mail from your mailbox as soon as possible. When on vacation have a family member, friend, or neighbor pick up your mail for you. If you are expecting a check or other important document in the mail and it doesn't arrive in a reasonable period of time, call the sender.
9. Stop bandits from recycling your trash into cash. Thieves known as dumpster divers pick through garbage looking for credit card applications, bank statements, etc. Again, these documents should be shredded rather than simply thrown away. Also, be sure to erase all files from the hard drive of any computer you are disposing of. This can be done by purchasing special software.
10. Limit the amount of information that you carry in your wallet or purse. Carry only those credit cards, checks or other items you need. Never carry your passwords or PINs in your wallet or purse.
11. Review credit card statements and bank statements as soon as you receive them. If you notice something suspicious such as a charge or withdrawal you do not recall authorizing, contact the credit card company and/or financial institution immediately. While there are laws that limit your losses if you are victimized by financial fraud, sometimes your maximum liability depends on how quickly you report the problem.
12. Monitor your credit report at least annually for signs of fraud. Privacy laws now allow you a copy of your credit report annually. You may obtain a report from each of the three major credit reporting agencies:
- Equifax (800-685-1111, www.equifax.com)
- Experian (888-397-3742, www.experian.com)
- TransUnion (800-888-4213, www.transunion.com)
Or, you may obtain a free report annually via the internet at www.annualcreditreport.com.
Ways you can protect yourself against identity theft:
1. Reduce the number of credit cards you carry.
2. Check your credit card statements carefully and immediately report unauthorized purchases.
3. Shred all credit card receipts and solicitations, cancelled checks, and financial documents before throwing them away.
4. Never provide any personal, bank account, or credit card information to anyone who contacts you through a telephone or e-mail solicitation.
5. Never write down PINs and passwords - memorize them and do not use any part of your social security number, date of birth, or address.
6. Guard your social security number. Do not carry it in your wallet or write it on checks.
7. Be careful at ATMs and when using phone cards.
8. Place passwords on all of your accounts.
9. Cancel unused credit cards.
10. Do not leave paid bills in your mailbox for the mail courier to pick up.
11. Check your credit report at least annually.
12. Call your credit card company if your card has expired and you have not received a new one.
13. Do not use your credit card account number on the Internet unless it is encrypted on a secure site.
Important Definitions to Know:
Phishing (pronounced fishing) - The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Website where they are asked to update personal information such as passwords and credit card, social security, and bank account numbers. The legitimate organization already has this information, and thus should not be asking for verification of it. The Website, however, is bogus and set up only to steal the user's information.
Pharming (pronounced farming) - The process of redirecting Internet domain name requests to false Websites to collect personal information. Information collected from these sites may be used to commit fraud and identity theft.
For more information about Identity Theft and what you can do, go to the Federal Trade Commission’s website at http://www.consumer.ftc.gov or the Consumer Financial Protection Bureau’s website at http://www.consumerfinance.gov/learnmore.
Common Types of Online Scams
You may receive an email from a bank, online service provider, or financial institution that asks you to click a link and visit a website in order to provide personal information. Such an email is more than likely the type of Internet scam known as "phishing".
A phishing scam is one in which victims are tricked into providing personal information such as account numbers and passwords to what they believe to be a legitimate company or organization. In order to carry out this trick, the scammers often create a "look-a-like" website that is designed to resemble the target company's official website. Typically, emails are used as "bait" in order to get the potential victim to visit the bogus website. Be wary of any email that asks you to click on a link and provide sensitive personal information such as banking details. Information submitted on these bogus websites is harvested by the scammers and may then be used to steal funds from the user's accounts and/or steal the victim's identity.
Most legitimate companies would not request sensitive information from customers via email. DO NOT click on the links in these emails. DO NOT provide any information about yourself. If you have any doubts at all about the veracity of an email, contact the company directly.
You may receive an email/letter/fax that asks for your help to access a large sum of money in a foreign bank account. The message says that you will get a percentage of the funds in exchange for your help.
In all probability, the message is an example of the type of scam known as a Nigerian or "419" scam. The "large sum of money" does not exist. The messages are an opening gambit designed to draw potential victims deeper into the scam. Those who initiate a dialogue with the scammers by replying to the scam messages will eventually be asked for advance fees supposedly required to allow the deal to proceed. They may also become the victims of identity theft. The scammers use a variety of stories to explain why they need your help to access the funds.
- They may claim that political climate or legal issues preclude them from accessing funds in a foreign bank account.
- They may claim that your last name is the same as that of the deceased person who owned the account and suggest that you act as the Next of Kin of this person in order to gain access to the funds.
- They may claim that a rich merchant, who has a terminal illness, needs your help to distribute his or her wealth to charity.
If you receive one of these scam emails, it is important that you do not respond to it in any way. The scammers are likely to act upon any response from those they see as potential victims.
You may receive an email/letter/fax that claims that you have won a great deal of money in an international lottery even though you have never bought a ticket. The email may claim that your email address was randomly chosen out of a large pool of addresses as a "winning entry". Such emails are almost certainly fraudulent. In some cases, the emails claim to be endorsed by well-known companies or include links to legitimate lottery organization websites. Any relationships implied by these endorsements and links will be completely bogus.
There is no lottery and no prize. Those who initiate a dialogue with the scammers by replying to the messages will be first asked to provide a great deal of personal information. Eventually, they will be asked to send money, ostensibly to cover expenses associated with delivery of the supposed "winnings". They may also become the victims of identity theft. DO NOT respond to these messages. DO NOT supply any personal information whatsoever to the scammers.
General Scam Indicators:
The scams described above are some of the most common types of Internet fraud. However, these fraudsters are clever people who may use many variations of the above scams to achieve their nefarious ends.
In general, be wary of unsolicited emails that:
- Promise you money, jobs or prizes
- Ask for donations
- Propose lucrative business deals
- Ask you to provide sensitive personal information
- Ask you to follow a link to a website and log on to an account.
By taking the time to educate yourself about these common types of scam, and/or by sharing this information with others, you can make a valuable contribution to the war against Internet fraud.
SMALL BUSINESS GUIDE TO CORPORATE ACCOUNT TAKEOVER (CATO)
What is Corporate Account Takeover?
Corporate account takeover is the business equivalent of personal identity theft. Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable. Corporate account takeover is a growing threat for small businesses. The majority of these data breach cases affect businesses with 100 employees or fewer. It is important that businesses understand and prepare for this risk.
Cyber thieves target employees through phishing, phone calls, and even social networks. It is common for thieves to send emails posing as a bank, delivery company, court or the Better Business Bureau. Once the email is opened, malware is loaded on the computer which then records login credentials and passcodes and reports them back to the criminals.
Employee Education is Essential, but is Missing the Mark
You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.
However, most small businesses have no formal internet security policy, with almost half indicating they provide no internet safety training to employees.
First National Bank and Trust encourages its business customers to perform a self-assessment of risks associated with the customer’s computer systems and business practices. This risk assessment should include an assessment of the risks associated with the following systems and other information technology that may apply, as well as mitigating controls that are in place to prevent the risks:
- Internet Usage
  - Is a firewall utilized?
  - Is anti-virus protection provided?
  - Are employees allowed to "surf" the internet?
  - Does the company maintain a web page?
  - Are employees allowed to visit social networking pages?
- Electronic Mail
  - Is an anti-phishing system employed?
  - Are employees allowed to access personal email accounts?
  - Is there a prohibition on sending non-personal company information, such as bank account numbers, by unsecured email?
- Business Practices
  - Are procedures utilized that require dual control over important functions?
  - Are employees' duties clearly defined by job description?
  - Are employees required to swap duties?
The underlying purpose for the self-assessment is to determine where weaknesses exist and to identify controls that may help to mitigate these risks.
Suggested Methods to Prevent Account Takeover Attacks
As a business owner, you need an understanding of how to take proactive steps and avoid, or at least minimize, most threats.
- Use a dedicated computer for financial transactional activity. DO NOT use this computer for general web browsing and email
- Apply operating system and application updates (patches) regularly
- Ensure that anti-virus/spyware software is installed, functional and is updated with the most current version
- Dual-factor biometric authentication, such as fingerprint readers, is effective in preventing these attacks. While it may not be convenient, biometric access is safe.
- Have host-based firewall software installed on computers
- Use the latest versions of Internet browsers, such as Explorer, Firefox or Google Chrome, with “pop-up” blockers, and keep patches up to date
- Turn off your computer when not in use
- Do not batch approve transactions; be sure to review and approve each one individually
- Review your banking transactions and your credit report regularly
- Follow First National Bank and Trust’s security procedures. We do require originating ACH customers to call or email us when a file has been transmitted to us for processing. We will do a callback to verify the file, including the amount, before the file will be sent to the Federal Reserve for processing.
- Contact your Information Technology provider to determine the best way to safeguard the security of your computers and networks
Call us immediately at 606-877-2200, or toll-free at 844-244-9558, if you believe that your First National Bank and Trust account has been compromised.