CLEAR LAKE BANK & TRUST COMPANY Internet Banking Customer Awareness & Education Program For Businesses

Transcription

1 CLEAR LAKE BANK & TRUST COMPANY Internet Banking Customer Awareness & Education Program For Businesses

2 Introduction Clear Lake Bank & Trust Company is committed to protecting your business, personal, and confidential information which you have entrusted in our care. We take the trust you have placed in us very seriously and have created this Internet Banking Customer Awareness & Education Program to inform you of important information to assist you in keeping your information safe. Commercial Account Takeover (CATO) Corporate Account Takeover is a form of identity theft in which criminals steal your valid online banking credentials. The attacks are usually stealthy and quiet. Malware introduced onto your systems may go undetected for weeks or months. Account draining transfers using stolen credentials may happen at any time and may go unnoticed depending on the frequency of your account monitoring efforts. The information in this document is intended to assist you in your efforts to prevent commercial account takeover. However, the contents of this document are not intended to cover every aspect needed to protect your business from commercial account takeover. Requests for Information Clear Lake Bank & Trust Company will never request personal & confidential information from you by telephone, mail, , or text message. This includes requests for your account number, Social Security number, personal identification number (PIN), debit card number, etc. Requests for this information by anyone should be considered suspicious. Please contact us immediately at (641) if someone claiming to be from Clear Lake Bank & Trust Company requests personal and confidential information from you. We will contact you on an unsolicited basis for the following reasons: Suspicious activity on your account. Suspicious activity on your debit card. Unclaimed property or a dormant account. Past due loan payments or fees due. To confirm changes on your account or contact information. Self Assessment Clear Lake Bank & Trust Company strongly encourages business customers to complete an annual selfassessment that focuses on its online banking practices and network security. We offer an online, interactive, self assessment tool for business customers via the following link: technology self assessment.htm 2

3 Social Engineering In terms of information security, social engineering is a broad term used to describe tools and techniques that criminals use to learn more information about an individual or a business, and the technology they use. It relies heavily on human interaction and often involves tricking people to breaking normal security procedures, thus providing the criminal with important information that can be used to commit fraud. Social engineering can take on many different forms. Some examples of social engineering include, but are not limited to: s o o o With viruses/malware/spyware attached or that includes a link to viruses/malware/spyware. That notifies the recipient of a suspended debit/credit card that requests a card number, PIN, or other information. Claiming the recipient has won a lottery or is listed as an heir in a will. Phone Calls o Pretending to be a representative of their financial institution and requesting personal and confidential information, such as Social Security number, account number, personal identification number (PIN), etc. o Pretending to be a lottery presentative who notifies you that you have won money in a lottery. o Pretending to be your grandchild who is in a foreign country and needs money wired for a problem they have encountered. The caller typically asks the grandparent not to contact mom or dad because they will be mad about the situation. The caller often sounds like the grandchild and uses sympathy as means of convincing the grandparent to wire money. o For any reason, asks you to send a wire transfer from a non bank. Bank employees are trained to recognize fraud and criminals know a wire is more likely to be completed when a bank is not involved. o Automated phone call (also known as a robocall) notification of some sort of problem with your bank account or debit/credit card, and asks you to enter your PIN or card number. Text Messages o Claiming your debit/credit card is suspended or that fraud has been detected, and asks you to reply with your card number, PIN, or other confidential information. Dumpster Diving o The criminal goes through your garbage when placed outside for collection, looking for confidential information about you or your family. 3

4 Media Drop o Criminal leaves flash drives or CDs in a public area hoping someone picks up the item and uses their computer to see what is on the media. Simply using the media loads a virus, malware, or spyware on your PC. Securing Your Business Is your company keeping information secure? Are you taking steps to protect sensitive information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles: Take stock. Know the nature and scope of the sensitive information contained in your files and on your computers. Scale down. Keep only what you need for your business. Lock it. Protect the information in your care. Pitch it. Properly dispose of what you no longer need. Plan ahead. Create a plan to respond to security incidents. The following information is provided by the Federal Trade Commission, Bureau of Consumer Protection. Take Stock Know the nature and scope of the sensitive information contained in your files and on your computers. Take inventory of all file storage and electronic equipment. Where does your company store sensitive data? Talk with your employees and outside service providers to determine who sends sensitive information to your business, and how it is sent. Consider all of the methods with which you collect sensitive information from customers, and what kind of information you collect. Review where you keep the information you collect, and who has access to it. Scale Down Keep only what you need for your business. Use Social Security numbers only for required and lawful purposes. Don t use SSNs as employee identifiers or customer locators. Keep customer credit card information only if you have a business need for it. Review the forms you use to gather data like credit applications and fill in the blank web screens for potential customers and revise them to eliminate requests for information you don t need. Change the default settings on your software that reads customers credit cards. Don t keep information you don t need. Truncate the account information on any electronically printed credit and debit card receipts that you give your customers. You may include no more than the last five digits of the card number, and you must delete the card s expiration date. 4

5 Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law. Lock It Protect the information that you keep. Put documents and other materials containing sensitive information in a locked room or file cabinet. Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day. Implement appropriate access controls for your building. Encrypt sensitive information if you must send it over public networks. Regularly run up to date anti virus and anti spyware programs on individual computers. Require employees to use strong passwords. Caution employees against transmitting personal information via e mail. Create security policies for laptops used both within your office, and while traveling. Use a firewall to protect your computers and your network. Set access controls to allow only trusted employees with a legitimate business need to access the network. Monitor incoming Internet traffic for signs of security breaches. Check references and do background checks before hiring employees who will have access to sensitive data. Create procedures to ensure workers who leave your organization no longer have access to sensitive information. Educate employees about how to avoid Phishing and phone pretexting scams. Pitch It Properly dispose of what you no longer need. Create and implement information disposal practices. Dispose of paper records by shredding, burning, or pulverizing them. Defeat dumpster divers by encouraging your staff to separate the information that is safe to trash from sensitive data that needs to be discarded with care. Make shredders available throughout the workplace, including next to the photocopier. Use a wipe utility programs when disposing of old computers and portable storage devices. Give business travelers and employees who work from home a list of procedures for disposing of sensitive documents, old computers, and portable devices. Plan Ahead Create a plan for responding to security incidents. Create a plan to respond to security incidents, and designate a response team led by a senior staff person(s). Draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others a lost laptop or a hack attack, to name just two are unfortunate, but foreseeable. Investigate security incidents immediately. 5

6 Create a list of who to notify inside or outside your organization in the event of a security breach. Immediately disconnect a compromised computer from the Internet. Additional Tips Below are some additional tips to protect your business: Use layered system security measures: Create layers of firewalls, anti malware software and encryption. One layer of security might not be enough. Install robust anti malware programs on every workstation and laptop. Keep the programs updated. Manage the security of online banking with a single, dedicated computer used exclusively for online banking and cash management. This computer should not be connected to your business network, should not retrieve any e mail messages, and should not be used for any online purpose except banking. Educate your employees about cybercrimes. Make sure your employees understand that just one infected computer can lead to an account takeover. Make them very conscious of the risk, and teach them to ask the question: Does this e mail or phone call make sense? before they open attachments or provide information. Block access to unnecessary or high risk websites. Prevent access to any website that features adult entertainment, online gaming, social networking and personal e mail. Such sites could inject malware into your network. Establish separate user accounts for every employee accessing financial information, and limit administrative rights. Many malware programs require administrative rights to the workstation and network in order to steal credentials. If your user permissions for online banking include administrative rights, don't use those credentials for day to day processing. Use approval tools in cash management to create dual control on payments. Requiring two people to issue a payment one to set up the transaction and a second to approve the transaction doubles the chances of stopping a criminal from draining your account. Review or reconcile accounts online daily. The sooner you find suspicious transactions, the sooner the theft can be investigated. 6

7 Security Tips (Personal & Business) Mobile Device Security Configure your device to require a passcode to gain access if this feature is supported in your device. Avoid storing sensitive information. Mobile devices have a high likelihood of being lost or stolen so you should avoid using them to store sensitive information (e.g. passwords, account numbers, etc.). If sensitive data is stored, enable encryption to secure it. Keep your mobile device s software up to date. These devices are small computers running software that needs to be updated just as you would update your PC. Use the automatic update option if one is available. Review the privacy policy and data access of any applications (apps) before installing them. Only download apps from trusted app stores (Apple, Google Play). Disable features not actively in use such as Bluetooth, Wi Fi, and infrared. Set Bluetoothenabled devices to non discoverable when Bluetooth is enabled. Delete all information stored on a device before the device changes ownership. Use a hard factory reset to permanently erase all content and settings stored on the device. Sign out or Log off when finished with an app rather than just closing it. Utilize antivirus software where applicable (i.e. Android, Windows, etc.). Do not jailbreak or otherwise circumvent security controls. Online Security Never click on suspicious links in s, tweets, posts, or online advertising. Links can take you to a different website than their labels indicate. Typing an address in your browser instead of clicking a link in an is a safer alternative. Only submit sensitive information to websites using encryption to ensure your information is protected as it travels across the Internet. Verify the web address begins with (the s is for secure) rather than just Some browsers also display a closed padlock. Do not trust sites with certificate warnings or errors. These messages could be caused by your connection being intercepted or the web server misrepresenting its identity. Avoid using public computers or public wireless access points for online banking and other activities involving sensitive information when possible. Always sign out or log off of password protected websites when finished to prevent unauthorized access. Simply closing the browser window may not actually end your session. Be cautious of unsolicited phone calls, s, or texts directing you to a website or requesting information. If you download anything from the Internet (such as music, pictures, videos, software, etc.), make sure you download only from a trusted source. Downloaded files can contain harmful threats to your PC, such as viruses, malware, spyware, etc. Make online purchases only from trusted web sites. Research unknown companies before making an initial purchase. The Better Business Bureau is a good resource. 7

8 General PC Security Maintain active and up to date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real time scanning. Update your software frequently to ensure you have the latest security patches. This includes your computer s operating system and other installed software (e.g. web browsers, Adobe Flash Player, Adobe Reader, Java, Microsoft Office, etc.). Automate software updates, when the software supports it, to ensure it s not overlooked. If you suspect your computer is infected with malware, discontinue using it for banking, shopping, or other activities involving sensitive information. Use security software and/or professional help to find and remove malware. Use firewalls on your local network to add another layer of protection for all the devices that connect through the firewall (e.g. PCs, smart phones, and tablets). Require a password to gain access. Log off or lock your computer when not in use. Use a cable lock to physically secure laptops when the device is stored in an untrusted location. Keep your computer s operating system up to date with the latest security patches provided by the operating system vendor. Turn on automatic updates and keep your firewall on at all times. Take immediate action if you see signs of spyware on your PC. This includes pop up ads, icons on your desktop, error messages, sluggish/slow PC performance. Passwords Create a unique password for all the different systems/websites you use. Otherwise, one breach leaves all your accounts vulnerable. Never share your password over the phone, in texts, by , or in person. If you are asked for your password it s probably a scam. Use unpredictable passwords with a combination of lowercase letters, capital letters, numbers, and special characters. The longer the password, the tougher it is to crack. Use a password with at least 8 characters. Every additional character exponentially strengthens a password. Passphrases are most effective. A passphrase is a short sentence and generally easier to remember. Avoid using obvious passwords such as: o Names (your name, family member names, business name, user name, etc.) o Dates (birthdays, anniversaries, etc.) o Dictionary words Choose a password you can remember without writing it down. If you do choose to write it down, store it in a secure location. Security Scrutinize s carefully before clicking on links or opening attachments in s, even if they appear to be from someone you know. Many times, these s will appear to be 8

9 authentic and claim to be from your bank, credit card company, or another trusted source. They may ask you to verify information about your account. DO NOT respond to these s, DO NOT click on links in these s, and DO NOT open attachments in these s. Do not call phone numbers provided in a suspicious . It is likely a fake phone number monitored by a criminal. Always contact your bank, credit card company, or other trusted business using a phone number provided on their published website or other trusted source. is not secure, and you should never send an to your bank that contains confidential information. At Clear Lake Bank & Trust Company, you can send us confidential information electronically as follows: o Log in to Internet Banking and click SEND US A SECURE MESSAGE in the upper right corner of the screen. o Use our SECURE program at .htm Other Tips Balance your bank account on a monthly basis to ensure all transactions that appear on your account are legitimate. Remember, you only have 60 days after receiving your statement to report and recover unauthorized charges on your account. Sign up for text message balance alerts to receive your account balance on a daily or weekly basis automatically. Sign up for Internet banking so you can check your account activity from your PC or mobile device at any time. Don t use your mail box for outgoing mail as criminals often monitor mailboxes in an effort to steal important information, bills, or checks you are sending via mail. Use a cross cut paper shredder to destroy all documents that contain personal and/or confidential information. Straight line cut paper shredders are less effective than cross cut paper shredders. Don t write your PIN anywhere on your debit card or keep your PIN in your wallet or purse. Place your garbage out for collection in the morning instead of at night. This reduces opportunities for dumpster divers to steal information that may be in your garbage. Regulation E: Electronic Funds Transfer Regulation E protects individual consumers engaging in electronic fund transfers (EFT). Non consumer (or business) accounts are not protected by Regulation E. As a result, it is critical that business/commercial clients implement sound security practices within their places of business as outlined in this Program to reduce the risk of fraud and unauthorized transactions from occurring. Good practices can keep business/commercial client s information secure. 9

10 Contact Information If you notice suspicious activity on your account or experience information security related events, please contact us immediately at (641) Individuals responsible for bank information security and electronic banking activities are: Matt Ritter Vice President/Cashier (641) Sarah Thein Assistant Cashier (641)

11 Resources FDIC Electronic Funds Transfers (Regulation E) html Protecting Personal Information: A Guide for Business personal information Business Peer to Peer File Sharing: peer file sharing Protecting Your Business from Fraud: your business fraud Consumer Action: Complaints FDIC Consumer Protection FDIC Consumer Alerts: ID Theft NACHA Fraud Resources Phishing Resources US Department of Homeland Security cert.gov/home and business/ Federal Communication Commission Business Cyber planner: On Guard Online: Stay Safe Online: Better Business Bureau Security United States Computer Emergency Readiness Team: CERT.gov SANS Information, Network Computer Security Training: 11

12 Center for Internet Security (CIS) National Institute of Standards and Technology 12