Financial Intelligence

Feb 07
Don’t Get Swept Up by a Sweetheart Scam


 

The internet has given us many ways to reconnect with old friends and meet new ones online. From social media and online dating sites to chat rooms and smartphone apps, there are countless sites that require you to create a profile before using their services. These profiles allow you to share the basic information about yourself quickly and easily. Sometimes, though, websites make it too easy to share false information. And that can lead to trouble.

Recently, I came across an article from the Iowa Attorney General on scams that are prevalent on dating websites. The "Sweetheart Scam" begins when two online dating users start a relationship and ends with heartbreak after the scammer steals money and ends the "relationship." Read the full article to learn more about what to look for in this type of scam, and see how many of the "signs" of a scammer can apply to any online profile – not just those on dating sites.

Jan 26
Nine Steps to Conduct an Annual Privacy Review

Between email and social media accounts, you have a lot of privacy settings to keep track of. And this doesn't even count the numerous other websites and programs you use that require login information, such as your online banking or credit cards, media subscription services and your devices.

The National Cyber Security Alliance annually sponsors Data Privacy Day (DPD) on January 28. DPD is focused on promoting a safer, more secure and trusted internet, and educating the public on how to stay secure. Both businesses and individuals can benefit from privacy awareness, which can protect them from serious issues such as data loss or identity theft. In fact, according to the Ponemon Institute, 110 million Americans – roughly half of the nation's adults – have had their personal information exposed by hackers in the last 12 months alone.

We know it's hard to keep track of all your accounts, so we created simple steps you can follow to conduct your own privacy review every year.

Login Information

  • Update passwords on all your accounts to be strong and unique passwords. See our tips for creating a strong password.
  • When available, take advantage of two-factor authentication, which requires you to enter both a password and a one-time number or phrase that is sent to you, or biometric login, which requires your fingerprint.
  • Make sure you are not using the same username and passwords for your email, financial and health-related accounts.
  • Clear any login information stored within your web browser. Do not allow websites to automatically save or log you in to any accounts, especially your email and financial accounts.

Social Media Accounts

  • Manually check the security and privacy settings on all your accounts, so you know who can see what you share. Particularly on social media websites, it's OK to limit your posts to "Friends Only" or "Private." Some sites even allow you to review photos and links you are tagged in before they are posted to your profile.
  • Review the information you have shared on your profile, and remove anything that could be used for your security questions or other Personal Identifying Information, such as birthdate and years, anniversaries or other special dates, your mother's maiden name, pet names, your grade school, addresses, etc.
  • Delete any smartphone or tablet applications you no longer use. These applications may store data that could be used against you if your device is hacked, so if you do not need the app anymore, remove it from your device.

Device Security

  • Make sure your operating system is current. Operating system updates typically contain important patches that maintain the system's security.
  • Update other systems and applications as needed, such as:
    • Firewall
    • Web browsers
    • Spam filters
    • Other security software

Find more DPD information, privacy tips and resources via StaySafeOnline.org, or contact us if you have concerns regarding your personal banking security.


 

Jan 06
How to Avoid Losses from Counterfeit Checks

For many of us as individuals, writing checks is mostly a thing of the past. But for businesses, checks are still very common. And, unfortunately, counterfeiting continues to be a common practice for criminals trying to steal from businesses. Luckily for your organization, there are steps you can take to minimize your risk of losing money through counterfeit checks.

Counterfeiting typically starts when the business writes a legitimate check to a vendor. A shady individual, or the company itself, then copies the check themselves or sells the information to a third party or criminal. Once fraud is detected on an account, it's not unusual for that account to be bombarded by counterfeit attempts.

Counterfeit Check Prevention

The name of the program may vary, but nearly all financial institutions should have a program or service in place to help business and commercial clients spot fraudulent checks. At Bankers Trust, we encourage our clients to use a service called Positive Pay. Businesses will receive a list of all checks issued from their account and are able to compare it to a list of checks that have been written. Each business's accounting team can then mark which checks are illegitimate and direct their financial institution to not pay the check.

Alternatively, a business's accounting team can do this work manually by checking their accounts online and monitoring for any money withdrawals that should not have occurred. This approach takes more time for the individual responsible for monitoring, won't catch items presented at the teller line, and leaves greater risk for missing fraudulent checks coming through.
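The comparison behind a service like Positive Pay, sketched as an added example (not Bankers Trust's software): each item presented for payment is checked against the company's own check register, and anything that does not match is listed for the accounting team to review. The field names, matching rules and sample checks are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data; field names are assumptions made for this example.
ISSUED = [  # the company's own register of checks it wrote
    {"number": 1041, "amount": Decimal("1250.00"), "payee": "Acme Paper Co"},
    {"number": 1042, "amount": Decimal("310.75"), "payee": "Metro Utilities"},
    {"number": 1043, "amount": Decimal("4800.00"), "payee": "Harbor Freight Lines"},
]
PRESENTED = [  # items reported as presented against the account
    {"number": 1041, "amount": Decimal("1250.00"), "payee": "Acme Paper Co"},
    {"number": 1042, "amount": Decimal("3107.50"), "payee": "Metro Utilities"},
    {"number": 1043, "amount": Decimal("4800.00"), "payee": "J. Smith"},
    {"number": 1041, "amount": Decimal("1250.00"), "payee": "Acme Paper Co"},
    {"number": 2977, "amount": Decimal("900.00"), "payee": "Cash"},
]


def normalize_payee(name):
    """Ignore case and spacing differences when comparing payee names."""
    return " ".join(name.lower().split())


def find_exceptions(issued, presented):
    """Return (check_number, reason) for each presented item needing review."""
    register = {check["number"]: check for check in issued}
    already_presented = set()
    exceptions = []
    for item in presented:
        number = item["number"]
        record = register.get(number)
        if record is None:
            reason = "never issued"            # number is not in the register
        elif number in already_presented:
            reason = "duplicate presentment"   # same check number seen twice
        elif item["amount"] != record["amount"]:
            reason = "amount mismatch"
        elif normalize_payee(item["payee"]) != normalize_payee(record["payee"]):
            reason = "payee mismatch"
        else:
            reason = None                      # matches the register
        already_presented.add(number)
        if reason:
            exceptions.append((number, reason))
    return exceptions


if __name__ == "__main__":
    for number, reason in find_exceptions(ISSUED, PRESENTED):
        print(f"check {number}: {reason}")
```
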

What about counterfeit checks for retail customers?

For the average person, it's much less common to experience counterfeit checks. This is primarily because so many people have switched to using their credit and debit cards and aren't writing as many checks as they used to. Nowadays, it's best to leave your checkbook at home if you know you won't need it. Continue monitoring your monthly statements to make sure you're not seeing any fraudulent checks post to your account.

For individuals who do experience counterfeit checks on their account, most financial institutions will mandate you close your account and open a new one. After counterfeiting happens, your account number will be flagged as having the potential for fraud, and that account number will likely be blocked from a wide variety of retailers. Opening a new account avoids any issues the next time you check out at your favorite store.

As always – whether you are a commercial or retail customer – contact your financial institution immediately if you suspect suspicious activity has occurred on your accounts.

Dec 22
What Happens After a Card Compromise?

As has been reported in the news, Central Iowa has seen a great deal of skimmers in the last several months. These scams put our customers, and community as a whole, at risk. With the holidays upon us, consumers are swiping their cards left and right, making last-minute purchases for food and gifts. Now more than ever, it's important to be mindful of your financial security.

Skimmers are devices that are stuck on to card readers at places like gas stations and ATMs and allow criminals to steal data from the card's magnetic strip as it is swiped through the card reader. The data is commonly sold to criminals who will create a counterfeit card and use it at ATMs or merchants to make purchases and cash withdrawals. Learn how to spot a skimmer in our previous post.

Steps We Take After a Compromise

For many, the more important question after a card compromise is, "What happens next?" While some financial institutions may have their own process, the steps should be similar no matter your institution. At Bankers Trust, as soon as we are made aware of a card compromise we take the following steps:

  • Alert the customer – A Bankers Trust employee will call to alert you of suspicious activity on your account.
  • Cancel the card – Whether it's a debit card or credit card, Bankers Trust will cancel your card upon confirming the activity is fraudulent. If the compromised card was a debit card and tied to your checking account, that account may also be closed.
  • Review account activity – Bankers Trust will recommend that you review all recent activity on your accounts via online banking. Especially during the holidays, it's a good idea to review your accounts for suspicious activity daily so you can catch and report any fraudulent activity as soon as possible.
  • Recover stolen funds – One of our branch employees will send you a form to fill out, which allows you to recover funds stolen from your account. It's important to note that consumers have zero fraud liability whether money was stolen from a debit card or a credit card, as long as the financial institution is notified within 60 days of receiving your statement. After the form is returned to any branch, you have the opportunity to discuss further concerns with our staff if needed.
  • Open new card – Bankers Trust will send you a new debit or credit card. This prevents additional fraudulent use of your card since the card number will no longer be active.

Remember, the holidays are the most important time of year to be monitoring your accounts. Consider checking your online or mobile banking accounts once a day to review for suspicious activity. Not only will this give you peace of mind, but you'll be able to take action early if any fraudulent attempts should occur. If you do see fraudulent activity, alert your financial institution immediately.

Nov 10
Tips for Small Businesses to Protect Against Ransomware Attacks

We have focused this blog on answering your questions about how to safeguard against hacking attempts. While our last post is geared toward individuals, today we'll discuss security tips for small businesses.

While we often hear about large companies, such as Target and Home Depot, being the victims of security breaches, small businesses are not exempt from this threat. In fact, Symantec's 2016 Internet Security Threat Report revealed that, in 2015, 43 percent of cyber-attacks targeted small businesses. Fortunately, there are a variety of resources available online, which small businesses can use to help protect against these attacks. Here are a few to get you started:

American Banking Association – The ABA provides five tips for small businesses to thwart ransomware attacks in its recent press release, which also includes an infographic and six-step checklist.

Small Business Association – Small businesses can find information and tips for cybersecurity on the SBA website, including toolkits, tips lists and other resources.

Financial Intelligence – In the past months, we've shared a number of steps small businesses can take to help avoid ransomware and other cybersecurity attacks. Learn more in our post on how to avoid business email compromise and how to add depth to your internet defense.

This is the ideal time to re-evaluate the precautions your company is taking to avoid ransomware and other cyber-attacks. Even taking the basic steps can go a long way in protecting your business. As always, remember to contact your financial institution and IT department, and file a complaint with the Internet Crime Complaint Center (IC3) if your company has been targeted by a ransomware attempt.

Oct 04
Answers to Common Cybersecurity Questions

With October being National Cyber Security Awareness Month, I want to use this blog to answer some of the common cybersecurity questions as they relate to banking. I receive these kinds of questions from coworkers, friends and family – so chances are any questions you've wondered about will also be included. Take a look at these cybersecurity basics below, and let me know if you have any additional questions.

Q: What kind of scams should I be on the lookout for?

A: Unfortunately, cyber criminals try to steal your identity in a number of ways. Some of these include social engineering and phishing attacks, where you're sent an email that looks like it's coming from someone you know. The email usually asks for money via a wire transfer or includes a link, which contains malware that will spread on your computer if clicked. Others can be viruses or software that enter your computer through other links, clicks and other online activity.

Q: What are the types of ID theft?

A: ID theft can include unauthorized transactions on your existing accounts, a criminal taking over your existing account, or the creation of a new account using your name and information.

Q: What do ID thieves look for?

A: ID thieves look for the basic information about you, such as your name, address, date of birth, Social Security and drivers license numbers, your mother's maiden name, bank account numbers, and card expiration dates. Additionally, they'll try to obtain your internet passwords, personal identification numbers (PIN), user IDs for any online accounts you may have and the security code on the back of your debit/credit cards.

Q: What are the warning signs of fraud?

A: Unauthorized or unfamiliar charges on your credit card or account statement are the most common signs of fraud. Calls from collection agencies regarding unpaid bills, or even calls from your financial institution regarding transactions, should also be treated as suspicious. If you're annually checking your credit report (which I do recommend), seeing an account you did not open listed is another sign of identity theft.

Q: How can my identity be stolen?

A: Aside from the non-"cyber" ways of stealing an identity, through a lost or stolen wallet, mail theft, dumpster diving, scam telephone calls and even shoulder surfing, your identity can be stolen through online impersonation (via social engineering), phishing, spyware and more.

Q: Is online banking safe?

A: Yes, online banking through your financial institution's internet banking portal can be safe, if done securely. I'll offer three tips: 1. Make sure all your online banking activity is done on a private, secure Wi-Fi network, which likely includes your home internet. 2. Use unique login information (user ID and strong passwords) you do not use for any other accounts, and make sure this information is not written down or shared anywhere – not even in your home. 3. Install (and keep up-to-date) antivirus software on your computer and devices.

Q: Is using public Wi-Fi for banking safe?

A: No. Since anyone has access to public Wi-Fi, the chances of hacking – even without clicking on malicious links – are much higher. Avoid logging into your accounts until you're at home or using another secure network.

Q: What can I do to help avoid cyber fraud?

A: There are many ways you can help safeguard yourself against cyber fraud. Some of these include:

  • Enable multi-factor authentication any time you log in to your account. Multi-factor authentication can include a text message with a PIN that's entered during the login process, or using your thumbprint to log in on a mobile device.
  • Avoid using public computers or public Wi-Fi for your internet or mobile banking.
  • Download antivirus software and any additional security software your financial institution offers. For example, Bankers Trust offers security software called Trusteer Rapport at no cost to its customers.
  • Delete emails from unknown senders. If you receive emails that look suspicious, do not open them, click links or open attachments.
  • Monitor your account statements regularly and look for suspicious activity.
  • Remove unnecessary information (Social Security cards, etc.) from your purse or wallet.
  • Do not write down PINs, online banking user IDs or passwords.
  • Do not give out personal identification information over the phone or internet if you did not initiate the call.

Q: What do I do if I become a victim of ID theft?

A: Contact your financial institution as soon as possible, contact local law enforcement, and file a complaint with the Federal Trade Commission. Additionally, you may want to contact the three main credit reporting agencies, Equifax, Experian and Transunion, to make sure there's no fraudulent activity reflected on your credit report/credit score.

These are just the most common questions I receive on cybersecurity. Taking a few additional steps to ensure your identity and finances remain safe can, and will, be worthwhile. Learn more about National Cyber Security Awareness Month at StaySafeOnline.org.

Sep 21
Safeguarding Against Mobile Banking Hackers

With online and mobile hacking attempts becoming the new normal, it's not just up to financial institutions to protect customers against attacks. A variety of recent research has revealed consumers themselves play a key role in safeguarding against hacks, especially in mobile banking.

The reason I say "especially in mobile banking" is because smartphones are easily forgotten or dismissed, with individuals assuming their operator will take care of their mobile network's security. On the other hand, online security, on both laptops and desktop computers, has been drilled into customers' minds for years. While phishing and scams are still very prevalent via computers, mobile banking hackers are on the rise.

A recent Wall Street Journal article reported on this topic, explaining how two malicious software programs, Acecard and GM Bot, are stealing banking credentials from smartphone users. The malware enters a smartphone when the user clicks on a link within a text message or an advertisement on a website. Once the malware is on the phone, it can create an overlay that masks the user's mobile banking application and track usernames and passwords the next time the app is opened and used. Additional research has revealed 15-30 percent of all online and mobile users are infected with this type of malware, which is referred to as client-side injected malware (CSIM), according to the ABA Banking Journal.

The trouble here is that financial institutions cannot prevent these attacks. It's up to users and the protections they have on their devices: for example, antivirus software (both Android and Apple have security software built in to their operating systems, but additional safeguards are recommended), passkeys to unlock the phone and installing regular updates. Interestingly, consumers are not always proactive when it comes to taking these precautions. A 2015 report revealed the following:

  • 70 percent of consumers update their mobile operating system when updates become available.
  • 31 percent use antivirus or antimalware software.
  • 25 percent change their password periodically.

Given these statistics, it's crucial for not just financial institutions, but also individuals, to take a proactive approach to safeguarding themselves against mobile banking cybercriminals.

Stay Up-to-Date On the Latest Banking Security News

We've created a hub to help keep you up-to-date on the latest banking security news, which includes tips to help secure your smartphone. Take a look at the tips, and remember to contact your financial institution immediately if you suspect your account has been compromised.

Aug 25
How to Avoid Business Email Compromise

Private citizens aren't the only targets of identity theft. Businesses are also facing fraud attempts, and many have fallen victim to criminals who steal hundreds of thousands of dollars. In a scheme known as business email compromise (BEC), fraudsters impersonate company executives and request wire transfers over email. While BEC is increasing, the FBI estimates this type of scam has already cost U.S. businesses more than $3.1 billion between October 2013 and May 2016.

Knowing how to spot malicious business email compromise attempts is the key to preventing criminals from receiving company funds. Here's what you can do to avoid BEC:

  • Educate employees to spot and report scams. While not every department may be targeted by criminals, everyone can play a role in keeping your company safe from any type of fraud. The more employees know about spotting suspicious emails – and the more practice they have through regular trainings – the more they'll be able to help you prevent attacks.
  • Do not click. Not all BEC emails look the same. Part of your employee training should include how to interact with spam emails. The simplest rule is don't. Don't open the email, click any links, open attachments or respond. Any of these actions could put malware onto your computer or invite more action from the criminal.
  • Watch for altered email addresses. Criminals will try to trick employees by making their emails look as similar to the actual email address as possible. This includes putting letters such as r and n together in place of an m, or a capital i in place of a lowercase l. Look carefully at the email addresses listed in any requests for financial information, passwords or funds.
  • Question suspicious requests for funds or wire transfers. Wire transfers are the primary way BEC criminals try to steal from businesses. Any time a request for a wire transfer comes through, especially when it's not a common payment practice in your company, should be a red flag.
  • Verify all monetary requests. No matter who or where the request comes from, make sure to verify all requests for funds, payments and transfers via another form of communication. A simple phone call or walking over to your coworker's office could save your company significantly.

Putting these practices into place can help your company avoid BEC attempts. However, if your company is targeted, remember to immediately alert your financial institution and IT department, and file a complaint with the Internet Crime Complaint Center (IC3).
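For the "Watch for altered email addresses" step, a mail filter can do the careful looking automatically. The following is an added example, not code from this blog: it reduces a sender's domain to a form in which "rn" and "m", or a capital i and a lowercase l, compare equal, then checks it against a list of domains the company really deals with. The trusted domains and addresses are constructed, and the 0/o and 1/l swaps go beyond the two tricks named above.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the company really exchanges payment mail with.
TRUSTED_DOMAINS = {"millbank-supply.example", "northern-trust.example"}


def skeleton(domain):
    """Reduce a domain to a form in which the look-alike swaps compare equal."""
    s = domain.replace("I", "l")   # capital i standing in for lowercase L
    s = s.lower()                  # domains are otherwise case-insensitive
    s = s.replace("rn", "m")       # r + n standing in for m
    s = s.replace("0", "o").replace("1", "l")  # extra swaps, not from the post
    return s


# Skeleton of each trusted domain -> the real domain it belongs to.
_TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def classify_sender(from_header):
    """Return (verdict, trusted_domain_or_None) for a From: header value."""
    _, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    if not at or not domain:
        return ("unparseable", None)
    if domain.lower() in TRUSTED_DOMAINS:
        return ("trusted", domain.lower())
    # Same skeleton as a trusted domain but not the domain itself:
    # the address was built to be misread as that trusted sender.
    imitated = _TRUSTED_SKELETONS.get(skeleton(domain))
    if imitated is not None:
        return ("lookalike", imitated)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [  # constructed From: headers
        "Pat Lee <pat.lee@millbank-supply.example>",
        "Pat Lee <pat.lee@rnillbank-supply.example>",
        "Pat Lee <pat.lee@miIIbank-supply.example>",
        "Accounts <wires@northem-trust.example>",
        "Newsletter <news@shop.example>",
    ]
    for header in samples:
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict on a message asking for funds is a cue to verify the request through another channel before acting; an "unknown" verdict only means the domain resembles nothing on the list.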

Aug 11
How to Spot Credit Card Skimmers

All too frequently, we hear about the next company or group of individuals victimized by credit card fraud. Aside from hackers obtaining secured information from corporate databases, more and more fraud is happening closer to home – with credit card skimmers at the gas station down the road or the ATM at the mall.

Skimmers read the magnetic strip from credit or debit cards as they're swiped through a card reader. They're usually devices that fit over the top of the normal reader. In some cases, the criminal will also have a camera nearby watching as you input your PIN. Not only is this method of stealing your credit card information becoming more popular, but the skimmers themselves can be hard to spot. Luckily, there are precautions you can take every time you swipe your card to avoid fraud.

Here are a few things to watch for or try before using your credit or debit card:

  • Visually inspect the machine – Does it look like the card reader or ATM has been tampered with? If you notice that parts of the machine are a different material or color than others, especially around the card reader or keypad, don't use the machine. Also make sure the security seal on the gas pump isn't broken.
  • Wiggle each part – Because skimmers are added on top of the machine's parts, they'll often move around or feel loose if wiggled.
  • Cover your hand when entering your PIN – If you didn't detect a skimmer, it's still a good idea to hide the keypad as you enter your PIN. This way, any cameras set up around the machine won't be able to tell which numbers you are pushing.

Any time you see something suspicious or out of the ordinary, make sure to notify an associate or call the organization if no one is available in person. They'll check the machine and report any malicious activity. Alternate payment options, such as the EMV chip card or Apple Pay, can reduce the chances of fraud, so consider them when available. Regardless of the payment option you choose, remember to check your statements regularly, and contact your financial institution if you see something unusual or suspect fraud.

Jul 12
Naked Security

More layers, adding depth to defense

Before you wonder what I was surfing when I found this resource, let me just say what caught my eye in the Naked Security column was the point Paul Ducklin makes regarding not only having online security defense, but rather defense in depth.

While it's similar to my mantra of adding layers of security (my visual - the many layers of an onion), sometimes a different playbook on the same end goal is valuable. Here's an abbreviated excerpt of Ducklin's 5 security tips that I found helpful for businesses and individuals alike.

1. DIVIDE AND CONQUER
Firewalls aren't for "your network" and "the internet" any more. Why have your cash register on the same network as your web developer? Why have your accountant on the same network where you keep active on social media? And so on.

If a crook gets into the network where your web developer works, that's bad because they might be able to steal your intellectual property. But why make it easy for them to go from there into your accounts network, where they might be able to steal personally identifiable information (PII) belonging to your customers!

2. PATCH EARLY, PATCH OFTEN

Brand new vulnerabilities and exploits hog the limelight of security news.

Because you couldn't have patched ahead, they're known scarily as "zero-days." But if you're worried about brand new attacks from cutting-edge crooks, you should definitely also worry about automated attacks against old holes that are well-known and easy to exploit.

3. IMPROVE LOGIN HYGIENE AND CONSIDER TWO-FACTOR AUTHENTICATION
Come up with a checklist that you use before giving someone remote access to your network. Remember that it's not enough to trust the person: you also have to trust their computer, because a PC with malware on it that connects to your network is essentially letting cybercriminals in with it.

And consider requiring all remote users to have two-factor authentication (2FA). It costs a little more, and it is slightly less convenient when you come to log in. But it helps to prevent egregious attacks where a criminal steals (or guesses, or buys) one of your user's passwords today and then uses it at their leisure to raid your whole network.

4. HEED WARNINGS AND LOOK AT YOUR LOGS

Don't collect logs just so you can look back and cry over spilt milk after a breach. Use them proactively to watch out not only for attacks, but also for otherwise-innocent behaviors you want to improve anyway.

If the logs from your patch assessment tool are trying to tell you that your remote sales guy in Kuala Lumpur somehow missed out on the last three Microsoft Word updates, do something about it!

5. USE ENCRYPTION EVERYWHERE, NOT JUST WHEN REQUIRED BY LAW
Regulators are becoming increasingly strict about encrypting sensitive data, to the point that the US Appeals Court recently ruled that it is unfair business practice not to protect your customers' information.

Nevertheless, many small businesses stick to encryption as an unavoidable cost that goes with compliance, rather than as an investment that helps keep the business healthy. Similarly, home users often avoid encryption because they've heard stories that it may slow down their computer or cause compatibility problems.

However, wisely used, encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves and many other sorts of cybercriminal.

Put these tips into practice and you'll have not only defense, but also what's known as defense in depth.


 

Jodi L. Selby, CAMS, CBSM, CAFP

Vice President/Financial Intelligence Department

Jodi Selby joined Bankers Trust Company in January 2000. Her primary responsibilities include Security, Information Security, and Bank Secrecy Act/Anti-Money Laundering Compliance. She has over 24 years of experience in the banking industry.

Jodi holds a bachelor’s degree in Business Administration and is currently a Certified Community Bank Security Professional (CCBSP), Certified Anti-Money Laundering Specialist (CAMS), and Certified Financial Services Security Professional (CFSSP).


 
