Common Issues and Defenses Against Fraud
At Inwood Bank, we are serious about protecting your personal and account information. It is also necessary for you to protect yourself when you use your computer or conduct business online. Protecting yourself online starts with knowing how to prevent Cyber Fraud.
Following is information generally considered industry standard. Inwood Bank generally follows these standards and encourages our customers to do the same.
- Ransomware
- How to Protect Yourself Against Cyber Fraud
- How to Protect Yourself Against Malware and Social Engineering Attacks
- Online Safety Tips
- How We Protect Your Online Security
- Types of Cyber Fraud
Ransomware
Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems. Ransomware is frequently delivered through spear phishing e-mails to end users. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom, at which time the actor will purportedly provide an avenue to the victim to regain access to their data. Recent iterations target enterprise end users, making awareness and training a critical preventative measure.
Prevention Considerations
- Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
- Patch operating systems, software, and firmware on devices, which may be made easier through a centralized patch management system.
- Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
- Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary.
- Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
- Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
Business Continuity Considerations
- Back up data regularly, and regularly verify the integrity of those backups.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up; examples include securing backups in the cloud or physically storing them offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time (also known as persistent synchronization). Backups are critical in a ransomware event; if you are infected, they may be the best way to recover your critical data.
Other Considerations
- Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.
- Execute operating system environments or specific programs in a virtualized environment.
- Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.
The Ransom
The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals and organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit and creates a lucrative environment for other criminals to become involved. While the FBI does not support paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.
In all cases the FBI encourages organizations to contact a local FBI field office immediately to report a ransomware event and request assistance. Victims are also encouraged to report cyber incidents to the FBI’s Internet Crime Complaint Center (www.ic3.gov).
How to Protect Yourself Against Cyber Fraud
In order to help prevent Cyber Fraud, you should be aware of potential external threats and leverage the security features and functionality available to you within Inwood Bank.
Do not respond or reply to an email, phone call or text message that:
- Requires you to supply personal or account information (such as a user ID, password, or account numbers) directly in the email, non-secure webpage or text message
- Threatens to close or suspend your account if you do not take immediate action
- Invites you to answer a survey that asks you to enter personal or account information
- States your account has been compromised, there are unauthorized charges on your account, or there has been third-party activity on your account, and then asks you to provide or confirm your personal or account information
- Asks another user to log on from your computer
- Asks you to confirm, verify or refresh your account, password or billing information
You should never:
- Open emails, launch links, or open attachments from unknown sources
- Update payment information based on an email or other message without confirming the change with a known contact at your vendor or beneficiary
- Share your user ID, password, secure token device or the answers to your security questions with anyone
- Leave written notes with your log-in credentials nearby your computer or in an easy-to-find place where they can be viewed by others
- Leave inactive user profiles online
- Allow multiple people to use the same computer to process a transaction
DO:
- Pay special attention to links and attachments
- Always log off at the end of a session
- Alert us of suspicious emails that appear to come from Inwood Bank
- Call your Inwood Bank contact immediately if repeatedly prompted for log on information
- Go Paperless so that statements with critical account information aren't sitting around in the office or in the trash
- Sign up for alerts to monitor account activity and review alerts whenever a payment is made or changed
- Keep anti-virus software up to date and use current versions of web browsers
- Set payment limits at a level reasonable for your typical activity and call us to arrange any exceptionally large payments
- Regularly review and confirm the entitlements of your users
- Regularly check your account activity for any suspicious transactions and contact us immediately about any suspicious or erroneous wires
- Complete our Treasury Resource Center Risk Assessment in the Resource Library section of the Inwood Bank website
If you become suspicious after sending a wire transfer, immediately contact your Inwood Bank representative.
Reminder: It is NOT our practice to:
- Send emails that require you to enter personal security information directly into the email
- Send emails threatening to close your account if you do not take the immediate action of providing personal or business information
- Send emails asking you to reply by sending personal or business information
- Share your name with any contacts outside our bank
How to Protect Yourself Against Malware and Social Engineering Attacks
Inwood Bank is aware of industry reports of fraudsters successfully installing malware on clients' computers that prompts the user to make multiple log on attempts, to enter token codes multiple times as part of the log on, or to have someone else log on from their machine. Many varieties of malware (such as computer viruses, worms, Trojan horses, spyware, dishonest adware and other malicious and unwanted software) are specifically focused on obtaining financial credentials and are often customized for specific individuals.
Reminder: Inwood Bank will never request that another user attempt to log on from your computer or ask you to enter multiple token codes as part of the log on process.
What to do if you suspect fraud or a cyber security attack
- Call your Inwood Bank representative immediately
- You should also contact your Security Administrator to inactivate your ID if you believe you might have inadvertently compromised your Inwood Bank User ID
Online Safety Tips
At Inwood Bank, we use a variety of technologies and techniques to help protect the security of our products and services. It is also necessary for you to protect yourself when you use your computer or conduct business online.
Here are some of the steps you can take:
Computer Security
- Beware of emails you receive from senders you don't know. Don't open any email attachments or click on links until you have verified the sender
- Control physical access to your computer:
  - Log off or lock your workstation whenever you leave your computer
  - Do not leave your computer and digital media in unsecured locations
- Select passwords that are difficult for others to guess
- Tips for password safety:
  - Change passwords frequently
  - Use different passwords for different websites
  - Do not base passwords on any personal information, such as your User ID, birthday, telephone number or other personal information that is easily guessed
  - Do not give your passwords to anyone
  - Do not save passwords on your computer
  - Do not leave written notes with your password near your machine or in an easy-to-find place
- Never install software unless you are authorized, and/or know the source
- Do NOT open junk, spam, chain mail, or other suspicious email - DELETE immediately
- Use only trusted devices for online banking activities
- Be sure to use only software supported by Inwood Bank.
- When you access a system, check your "last logon date/time" periodically to see if your ID is being used by someone else
- Check that your web session is secure by looking for "https://" at the beginning of the website URL, which means that the connection to the website is encrypted
- If you notice suspicious activity relating to Inwood Bank accounts you access online, promptly contact your Inwood Bank representative
How We Protect Your Online Security
Internet Banking Services
Inwood Bank is serious about safeguarding your online business information and provides "defense in depth" for its online banking websites. Key features of risk management for online system access include:
- Secure customer and user on-boarding processes
- Controlled user access with "separation of duties"
- Multi-factor user authentication security
- Increased security credential requirements for more sensitive functionalities
Additional Security Elements
Additional detailed security features include:
- Session inactivity timeout
- Token
- User education
- Alerts
- Blocking of unsupported operating systems and browsers
Inwood Bank Environment
Inwood Bank uses secured facilities in support of online banking operations. Key features include:
- Secured data centers
- Network firewalls
- Intrusion detection
- Network and system monitoring
- Disaster recovery with rapid-response capabilities
- Rigorous change management
- Penetration testing
Types of Cyber Fraud
Criminals and scammers use a variety of methods to obtain your personal or organizational information. These include:
Email Fraud
Email fraud is usually harsh, demanding and threatening. Please remember that these are not legitimate messages; do NOT reply to them.
Email spoofing: Forging an email header so that the message appears to have originated from someone or somewhere other than the actual source. Although most spoofed email falls into the "nuisance" category and requires little action other than deletion, the more malicious varieties can cause security risks and other problems. For example, spoofed email may purport to be from someone within your company or from a vendor with which your company has a relationship. These emails may contain new payment instructions or changes to the beneficiary account on a recurring payment.
- Be very suspicious of emails from the CEO, Director, etc. that direct you to transfer a large amount of funds
- Verify all instructions verbally with the sender
Phishing: When criminals use email to try to lure you to fake websites, where you are asked to disclose confidential financial and/or personal information.
How to recognize common Phishing tactics:
- You do not recognize the "From" email address as valid
- The email requests you to verify your account/personal information (account number, user ID, password, etc.)
- A hyperlink within the email does not display the actual address it points to
- The email conveys a sense of urgency or threatens some dire consequence if you do not respond
Never respond to any email that:
- Requires you to click a link, open an attachment, confirm, verify or refresh account information
- Asks for personal or organizational information
- Asks you to enter your user ID, password or account number(s) into an email or non-secure webpage
- Threatens to close or suspend your account if you do not take immediate action by providing specific information about you or your company
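The spoofing and phishing indicators listed above can be checked mechanically on an incoming message. The following is an added example, not part of Inwood Bank's page or systems; the trusted domain `bank-example.test`, the sample message and the keyword list are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "bank-example.test"  # assumed placeholder for the bank's real sending domain
URGENCY_WORDS = ("urgent", "immediately", "suspended", "closed", "unauthorized", "verify")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: bank-like display name, foreign sending domain, redirected
# Reply-To, a link whose visible text differs from its href, and urgent wording.
SAMPLE_EMAIL = """\
From: "Bank Security Team" <alerts@example-not-the-bank.test>
Reply-To: recover@another-domain.test
To: customer@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Unauthorized activity detected. Verify your account immediately or it will be closed.</p>
<a href="http://login.example-not-the-bank.test/verify">https://www.bank-example.test/login</a>
"""

def domain_of(header_value: str) -> str:
    """Lowercase domain of the address in a From/Reply-To header, or '' if none."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def phishing_indicators(raw_message: str) -> list[str]:
    """Return which of the page's phishing/spoofing indicators the message triggers."""
    msg = message_from_string(raw_message, policy=default)
    found = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    if "bank" in display_name.lower() and from_domain != TRUSTED_DOMAIN:
        found.append("from-domain-mismatch")      # display name claims the bank, address does not
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-mismatch")         # replies silently routed elsewhere
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(text):
        shown, actual = urlparse(label.strip()).hostname, urlparse(href.strip()).hostname
        if shown and actual and shown.lower() != actual.lower():
            found.append("link-text-mismatch")    # visible URL differs from real destination
            break
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if sum(word in haystack for word in URGENCY_WORDS) >= 2:
        found.append("urgency")                   # pressure to act now / threat to the account
    return found
```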
Impersonation Fraud
Occurs when someone assumes your identity to perform a fraud or other criminal act. Criminals can get the information they need to assume your identity from a variety of sources, such as the theft of your wallet, your trash or from credit or bank information. They may approach you in person, by telephone, text message or on the Internet and ask you for the information.
Remember:
- Inwood Bank will not send email notifications stating your account has been compromised or passwords need to be changed
- Inwood Bank will never ask you for your password
- We will never call you to offer log-in assistance unless you have contacted us first
- When you call Inwood Bank, only call your Inwood Bank representative