Keep your computer safe
- Maintain active, up-to-date anti-virus, anti-spyware and firewall protection.
- Keep your operating system, browser and other applications updated with the latest security patches.
- Do not open emails from unknown sources.
- Never respond to or click on any hyperlink within a suspicious email.
- Educate your staff about current scams and loss-prevention steps.
- When your computer is not in use, shut it down or disconnect it from the Internet.
- Consult with IT experts on how to best secure the computers in your business environment.
Know who you are doing business with
- Check website addresses carefully. Never click on a website link from within an email.
- If you land on a site that looks suspicious, close out of it immediately.
- Beware of free websites and downloads.
- Be alert for scam emails, even if they appear to come from a trusted source.
- Open email attachments only when you know the sender and are expecting an attachment.
- Never respond to an email that requests your login credentials or personal information.
- Do not send sensitive personal or financial information via email or through a website unless it is encrypted.
Safeguard your online banking
- Use Dual Control for all ACH and wire transactions OR designate and restrict one computer dedicated to online banking transactions.
- Review ACH and/or wire limits periodically to ensure they are appropriate for your activity level.
- Monitor emails for ACH and wire transfer confirmations. Immediately report any unauthorized activity to the Bank.
- Use a strong password and change it regularly.
- Use a different password for each website.
- Never reveal your confidential login IDs, passwords or answers to security questions to anyone who initiates contact with you. Never respond to a request for this information over the phone or by email, and never enter it online at an untrusted site.
- Regularly review authorized users and update online banking functions. Ensure authorized users are deleted from the system when job functions change or users leave the company.
- Ensure the online banking website you are logging into is secure and that its address starts with https://
- Check website addresses carefully and set up favorites for frequently accessed websites.
- Never use someone else's computer to access your account unless it has anti-virus protection.
- Avoid logging into online banking at wireless hotspots and internet cafés.
- Always use the sign off button to end your online banking session.
- Check your account activity daily. Report any unauthorized transactions immediately.
- Inability to log into online banking (thieves could be blocking customer access so the customer won't see the theft until the criminals have control of the money)
- Dramatic loss of computer speed
- Changes in the way things appear on the screen
- Computer locks up so the user is unable to perform any functions
- Unexpected rebooting or restarting of the computer
- Unexpected request for a one-time password (or token) in the middle of an online session
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.)
- New or unexpected toolbars and/or icons
- Inability to shut down or restart the computer
- Email account flooded with spam
- Unexpected email alerts related to password changes, new payees, or ACH/Wire initiation/approvals.
Incident Response Plan
- Conduct periodic assessments of your internal controls
- Use layered security for system administrators
- Initiate enhanced controls for high-dollar transactions
- Provide increased levels of security as transaction risks increase
- Take advantage of additional verification procedures offered by the Bank
- The direct contact numbers of key bank employees;
- Steps the business should consider to limit further unauthorized transactions, such as:
  - Changing passwords;
  - Disconnecting computers used for Internet banking; and
  - Requesting a temporary hold on all other transactions until out-of-band confirmations can be made;
- Information the business will provide to assist the bank in recovering their money;
- Contacting their insurance carrier; and
- Working with computer forensic specialists and law enforcement to review appropriate equipment.
While we urge business account holders to conduct additional assessments and prepare incident response plans, rest assured that Florence Bank uses multi-factor authentication to protect your online account(s). Whenever increased risk to your transaction security might warrant it, we have additional verification procedures such as:
- Fraud detection and monitoring
- Dual customer authorization
- Out-of-wallet challenge questions for high-risk transactions
- Transaction value thresholds
- Internet protocol (IP) reputation-based tools
- Policies and practices for addressing customer devices
- Account maintenance controls
Types of Fraud
Phishing – The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise to scam the user into surrendering private information that will be used for identity theft. This also includes more targeted attacks such as spear phishing and whaling.
Vishing – The telephone equivalent of phishing. Vishing is the act of using the telephone to scam the user into surrendering private information that will be used for identity theft.
Spamming – Electronic junk mail or junk newsgroup postings.
Spoofing – A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
Ransomware – A type of malicious software designed to block access to a computer system until a sum of money is paid.
ATM Skimming – A method used by criminals to capture data from the magnetic stripe on the back of an ATM card. Devices used are smaller than a deck of cards and are often fastened in close proximity to, or over the top of, the ATM's factory-installed card reader. ATM skimming is a worldwide problem.
Debit Card Fraud – Debit card fraud occurs when a criminal gains access to a customer’s debit card number and, in some cases, PIN, to make unauthorized purchases and/or withdraw cash from the customer’s account.
Smishing – A compound of 'phishing' and 'SMS'. SMiShing (SMS phishing) is a type of phishing attack where mobile phone users receive text messages containing a Web site hyperlink which, if clicked, would download a Trojan horse to the mobile phone.
ICC Cyber Security Guide for Businesses