Your personal information is important and can be extremely valuable to those who want to take advantage and use it for criminal purposes. Losing control of your personal information can be financially challenging and emotionally draining.
To help safeguard your personal information, MBT Bank has created a series of educational briefings that provide important and actionable information you can put to use immediately. Discover the many simple things you can do to help keep your information safe.
» What You Should Know About "Social Engineering"
» Fraud & Data Breaches - How to Protect Yourself
» What Should You Do If You Suspect Your Computer Has Been Compromised?
» Why Should You Protect Your Computer?
» What Is Malware, Spyware, Spam, Phishing, Pharming, etc.?
» Password Security: What are the Best Practices to follow?
» Email Security: What are the Best Practices to follow?
» Corporate Account Takeover (CATO) Security Awareness
Social engineering is the practice of obtaining confidential information by manipulating legitimate users. It has also been described as "the art of using weaknesses in human behavior to gather information to breach security without the victim noticing that they have been tricked."
How Does Social Engineering Work?
A social engineer commonly uses the phone, the internet, dumpster diving or psychological persuasion to trick people into revealing sensitive information or into doing something against normal policy. In this way, social engineers exploit a person's natural tendency to trust what they are told, rather than exploiting computer security holes. It is generally agreed that "users are the weak link" in security, and this principle is what makes social engineering possible.
Social Engineering by Phone
The most common form of social engineering is conducted by phone. The attacker calls pretending to be someone important within the company or an outside consultant working for the company. Many times the attacker will have several rehearsed scripts (known as pretext calling). The attacker gains the customer's trust and extracts important pieces of information from each customer. If the customer has no idea what information he/she can or cannot disclose, the attacker can also play on the customer's unawareness of the rules for disclosing information.
Social Engineering by Internet
Online social engineering can take many forms. Many times the would-be attacker sends a customer an e-mail directly requesting the customer's password, or sends the customer an attachment. The attachment can be a "Trojan Horse" that records the customer's keystrokes and sends them automatically to the attacker via e-mail. The attachment can also install a pop-up window that looks like a legitimate network request for the customer to re-enter their username and password. When the customer re-enters this information, the attacker captures the login details.
Social Engineering by Dumpster Diving
Another less glamorous form of social engineering is called dumpster diving. Here the attacker collects information about the customer or company from the trash that the customer or the company throws away. The customer or company dumpster can be a gold mine for the attacker, providing him/her with enough information to launch another form of social engineering attack, such as by phone.
Best Defense is to Protect Yourself…
Always be on the alert for suspicious questions and behaviors.
The best detector of fraud and identity theft is you. Through proactive monitoring, you can look for unusual activities and act fast before damage occurs.
Online Banking gives you quick access to your accounts, so fraudulent activities can be detected sooner. Additionally, by taking advantage of online bill pay, E-Statements and good old-fashioned paper shredding, you can contribute to your own online safety.
How to detect fraud:
Monitor your accounts regularly
MBT Bank recommends frequently reviewing your account online for any unusual activity.
Recognize fraud and identity theft
Fraud is an act that occurs when someone uses your account to make unauthorized purchases, usually when the account number or card has been stolen.
It’s important to learn how to recognize activities that may indicate possible fraud or identity theft.
The following may be signs of fraud:
- If you did not receive an expected bill or statement by mail
- If unexpected charges occurred on your account
- If there are charges on your account from unrecognized vendors
- If posted checks appear on your account significantly out of sequence
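The signs listed above can be checked mechanically against a month of posted activity. The following is an added example written for this page, not MBT Bank's own monitoring code; the vendor list, the check-number gap threshold, the statement cycle and the sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Transaction:
    posted: str                     # ISO date the item posted to the account
    vendor: str                     # payee or merchant name as shown on the statement
    amount: float                   # debit amount
    check_no: Optional[int] = None  # set only for paper checks

# Vendors the account holder recognises (constructed list for this example)
KNOWN_VENDORS = {"City Utilities", "Main St Grocery", "Forest City Gas"}
# A check number this far from the running sequence counts as "significantly
# out of sequence"; the threshold is an assumption, not a bank rule
SEQUENCE_GAP = 50

def flag_unrecognized_vendors(txns: List[Transaction]) -> List[Transaction]:
    """Charges from vendors the account holder does not recognise."""
    return [t for t in txns if t.vendor not in KNOWN_VENDORS]

def flag_out_of_sequence_checks(txns: List[Transaction]) -> List[Transaction]:
    """Posted checks whose number jumps far from the running sequence, which
    can mean stolen or counterfeit checks are being passed on the account."""
    checks = sorted((t for t in txns if t.check_no is not None),
                    key=lambda t: t.posted)
    flagged, expected = [], None
    for t in checks:
        if expected is not None and abs(t.check_no - expected) > SEQUENCE_GAP:
            flagged.append(t)
            continue            # an outlier must not shift the expected sequence
        expected = t.check_no + 1
    return flagged

def statement_overdue(last_received: str, today: str, cycle_days: int = 31) -> bool:
    """True when an expected statement or bill is more than a week past its usual
    cycle; diverted mail is a classic early sign of identity theft."""
    gap = date.fromisoformat(today) - date.fromisoformat(last_received)
    return gap > timedelta(days=cycle_days + 7)

# Constructed sample activity, not real account data
SAMPLE = [
    Transaction("2024-03-01", "City Utilities", 92.10, check_no=1041),
    Transaction("2024-03-03", "Main St Grocery", 54.32),
    Transaction("2024-03-04", "Forest City Gas", 40.00, check_no=1042),
    Transaction("2024-03-05", "QuickCash Wire Svc", 1450.00),          # unknown vendor
    Transaction("2024-03-06", "Main St Grocery", 61.77, check_no=1043),
    Transaction("2024-03-07", "Unknown Payee", 300.00, check_no=2210),  # out of sequence
    Transaction("2024-03-08", "City Utilities", 18.00, check_no=1044),
]

def review(txns: List[Transaction]) -> List[tuple]:
    """Return (reason, transaction) pairs the account holder should investigate."""
    findings = [("unrecognized vendor", t) for t in flag_unrecognized_vendors(txns)]
    findings += [("check out of sequence", t) for t in flag_out_of_sequence_checks(txns)]
    return findings

if __name__ == "__main__":
    for reason, t in review(SAMPLE):
        print(f"{t.posted} {t.vendor:<20} {t.amount:9.2f} check={t.check_no}  <- {reason}")
```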
Identity theft happens when a thief steals information such as your name, birth date or Social Security number to open credit cards, mortgages, and other accounts without your knowledge. Here is a great website with information and step-by-step instructions on what to do if you have been a victim of identity theft: www.identitytheft.gov
SHAZAM BOLT$ is a free service for our card holders that helps monitor your transactions. The service, which alerts cardholders to potential fraud, is now enhanced with person-to-person money transfers and an ATM locator. SHAZAM BOLT$ is a safe, easy and fast mobile solution.
Check your credit report annually
By monitoring your credit report, you can make sure that no one has opened bank accounts or applied and been approved for loans in your name using stolen information.
Nationwide consumer reporting companies will provide you with a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com.
You can also get an explanation of your rights from the Federal Trade Commission (FTC), the nation’s consumer protection agency.
A Compromised Computer is defined as any computing resource whose confidentiality, integrity or availability has been adversely impacted, either intentionally or unintentionally, by an untrusted source. Here are a few clues that may indicate your computer has been compromised.
If your computer begins to exhibit:
- A sudden reduction or unresponsiveness in the computer’s performance
- Unusual behaviors, such as windows briefly popping up and closing down
- Application programs terminating and restarting again or programs running that you are unfamiliar with
- Sporadic failed logins, even though you are certain you entered the password accurately
- If you own a business: e-mail bounces back, you are unable to receive e-mail or traffic to your site, or an employee's password doesn't work.
If so, your computer may have had malicious software installed by a hacker that can capture sensitive information (including passwords), alter data or disrupt your service.
The following steps should be taken in response to an actual or suspected compromised computer:
- Disconnect the computer - Disconnecting the computer from the Internet or the network as soon as possible prevents a potentially untrustworthy source from taking further actions on the compromised computer
- Back-up or image the computer’s hard drive
- Perform a clean installation of Microsoft Windows - The drive should be formatted first.
- Immediately update that installation with all of the latest patches.
- Use the latest anti-spyware or anti-virus detection to scan and clean any data that you want to recover from the backup
- Notify users of the computer (if any) of a temporary service interruption
- If the compromised computer provides some type of service, it is likely that users of this service will be impacted by the interruption brought on by disconnecting the computer from the network.
- Preserve any log information not stored on the compromised computer - All log files pertaining to the compromised computer that are held on a secondary computer or on external media should be preserved immediately.
- Contact your Company’s Help Desk for assistance (as applicable) - Contact your Help Desk for assistance in tracking down changes made by the hacker. They will determine the best course of action for the compromised computer.
Your computer is a popular target for intruders. Why? Because intruders want what you’ve stored there. They look for credit card numbers, bank account information, and anything else they can find. By stealing that information, intruders can use your money or credit to buy themselves goods and services.
How do intruders break into your computer? In some cases, they send you an e-mail with a virus. Reading that e-mail activates the virus, creating an opening that intruders use to enter or access your computer. In other cases, they take advantage of a flaw or weakness in one of your computer’s programs – a vulnerability – to gain access.
Once they’re in your computer, they often install new programs that let them continue to use your computer – even after you plug the holes they used to get onto your computer in the first place. These backdoors are usually cleverly disguised so that they blend in with the other programs running on your computer.
Whether your computer runs Microsoft Windows, Apple's Mac OS, LINUX, or something else, the issues are the same and will remain so as new versions of your system are released. The key is to understand the security-related problems so that you can think about the solutions.
Here is the list of tasks you need to do to secure your home computer:
- Install and Use Anti-Virus Programs
- Keep Your System Patched
- Use Care When Reading E-mail with Attachments
- Install and Use a Firewall Program
- Make Backups of Important Files and Folders
- Use Strong Passwords
- Use Care When Downloading and Installing Programs
- Install and Use a Hardware Firewall
'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
Malicious software (Malware) is software created by hackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems.
Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs.
Some forms of malicious software are:
Spyware is a type of malware (malicious software) installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally to monitor users.
While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow internet connection speeds, unauthorized changes in browser settings, or changes to software settings.
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam.
Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing e-mails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details on a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Pharming is an attack intended to redirect a website's traffic to another, bogus site.
The term "pharming" is a new term based on the words "farming" and "phishing". Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting e-commerce and online banking websites.
Sophisticated measures known as anti-pharming are required to protect against this serious threat. Anti-virus software and spyware removal software cannot protect against pharming.
Passwords are very important for maintaining your online identity, because they ensure that no one else can access your accounts and do things you wouldn't do. As such, you should make sure that your online passwords are as strong as possible.
The following best practices for password and account security focus on variety, length and complexity:
- Avoid dictionary words or simple to guess words, phrases, names or significant dates when generating a password.
- Variety is important. Don’t use the same password for multiple sites or accounts.
- Select strong passwords with ten or more characters, randomly adding capital letters, punctuation or symbols (if permitted).
- Substitute numbers for letters that look similar.
- Think of a meaningful song or quote and turn it into a complex password using the first letter of each word.
Here is some important information we want you to know about e-mail security:
- MBT Bank will never ask you to provide confidential information such as account numbers, Social Security numbers or passwords via the internet or e-mail.
- Do not respond to e-mails with questions about your accounts and do not include any personal information. You may use secure messaging within Online Banking to ask us account-related questions.
If you receive an e-mail that appears to be from MBT Bank but seems suspicious in any way, do not respond or click on any links it contains. Report your concerns by calling MBT Bank at (641) 585-4514.
Criminals may send you an e-mail or pop-up message that looks as though it comes from a trusted source. These phony messages may ask you to provide personal account information at a website that looks legitimate. They might even warn you that your account could be suspended if you don't respond.
This is the most common type of online fraud, called "phishing" or "spoofing." Criminals send you these phony e-mail messages — or direct you to a fraudulent website — for one reason only: to steal your personal and financial information.
What can you do?
- Do not open attachments or download software from sources you don't know; they could contain viruses. If you receive an e-mail or pop-up message that looks suspicious, delete it immediately. Do not reply or click on any links it provides.
- Do not use e-mail to transmit confidential information such as your Social Security number, account numbers, passwords, PINs, etc.
- Never provide personal information in response to an unsolicited request. MBT Bank will never ask you to furnish confidential information via internet or e-mail.
- If you are an MBT Bank Online Banking customer, you may use secure messaging within Online Banking to ask us account-related questions.
What is Corporate Account Takeover?
- Fast growing electronic crime where thieves typically use some form of malware to obtain login credentials to Corporate Online Banking accounts and fraudulently transfer funds from the account(s).
- Online transfer methods used by thieves once access is gained to fraudulently move funds are Wire Transfers, ACH payments, Bill pay, and Payroll.
What is Malware?
- Short for malicious software, malware is software designed to infiltrate a computer system without the owner’s informed consent.
- Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software.
How does it work?
- Criminals target victims by scams
- Victim unknowingly installs software by clicking on a link or visiting an infected Internet site
- Fraudsters begin monitoring the accounts
- Victim logs on to their Online Banking
- Fraudsters collect login credentials
- Fraudsters wait for the right time and then, depending on your controls, log in after hours; or, if you are using a token, they wait until after you enter your code, hijack the session, and send you a message that Online Banking is temporarily unavailable
Where does it come from?
- Malicious websites (including Social Networking sites)
- P2P Downloads
- Ads from popular web sites
- Web-borne infections: According to researchers, in the first quarter of 2011, 76% of web resources used to spread malicious programs were found in 5 countries worldwide – United States, Russian Federation, Netherlands, China, & Ukraine
What can you do to protect?
- Provide Security Awareness Training for our Employees and Customers
- Review Contracts - Make sure both parties understand their roles and responsibilities
- Make sure our Customers are aware of basic online security standards
- Attend webinars/seminars and other user group meetings
Develop a layered security approach
- Monitoring of IP Addresses
- Calendar File – frequencies and limits
- Dual Control
- Fax or out of band confirmation
- Secure Browser Key
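The layers listed above work because a hijacked session carries only what the attacker stole: one user's login, from an unfamiliar address, often outside normal hours. The following is an added example written for this page, not MBT Bank's own system; how a "calendar file" is represented (expected ACH weekdays plus a daily limit), the business-hours window, the dual-control threshold and the sample addresses are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

@dataclass
class CustomerProfile:
    trusted_networks: List[str]        # monitoring of IP addresses: where sessions normally originate
    ach_days: Set[int]                 # calendar file: weekdays ACH is expected (0 = Monday)
    daily_limit: float                 # calendar file: maximum amount per day
    business_hours: Tuple[int, int] = (8, 18)   # local hours in which sessions are expected
    dual_control_threshold: float = 5000.0      # above this, a second approver is required

@dataclass
class TransferRequest:
    when: datetime
    source_ip: str
    amount: float
    approvers: Set[str] = field(default_factory=set)
    out_of_band_confirmed: bool = False   # phone or fax call-back completed by the bank

def evaluate(req: TransferRequest, prof: CustomerProfile) -> Dict[str, object]:
    """Apply the layered controls and decide whether the transfer may be released."""
    anomalies: List[str] = []
    ip = ip_address(req.source_ip)
    if not any(ip in ip_network(n) for n in prof.trusted_networks):
        anomalies.append("unknown source IP")
    start, end = prof.business_hours
    if not (start <= req.when.hour < end):
        anomalies.append("session outside business hours")
    if req.when.weekday() not in prof.ach_days:
        anomalies.append("not a scheduled ACH day")
    if req.amount > prof.daily_limit:
        anomalies.append("exceeds calendar limit")
    # Dual control: a hijacked session holds one user's credentials, not two
    if req.amount > prof.dual_control_threshold and len(req.approvers) < 2:
        decision = "hold: second approver required"
    # Out-of-band confirmation: anything unusual is confirmed on a channel the
    # attacker does not control before money moves
    elif anomalies and not req.out_of_band_confirmed:
        decision = "hold: confirm out of band"
    else:
        decision = "release"
    return {"decision": decision, "anomalies": anomalies}

# Constructed profile and requests (documentation address ranges, not real ones)
PROFILE = CustomerProfile(trusted_networks=["203.0.113.0/24"], ach_days={4}, daily_limit=20000.0)
NORMAL_PAYROLL = TransferRequest(datetime(2024, 3, 15, 10, 0), "203.0.113.10", 4200.0, {"payroll.clerk"})
# The takeover pattern described above: after hours, from an unknown address, one stolen login
HIJACKED = TransferRequest(datetime(2024, 3, 15, 23, 30), "198.51.100.77", 25000.0, {"payroll.clerk"})

if __name__ == "__main__":
    for name, req in [("normal payroll", NORMAL_PAYROLL), ("hijacked session", HIJACKED)]:
        print(name, evaluate(req, PROFILE))
```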
What can Businesses do to protect?
- Education is key – Train your employees
- Secure your computer and network
- Limit Administrative Rights
- Install and maintain Spam filters
- Surf the internet carefully
- Install and maintain real-time anti-virus spyware / firewall & malware detection & removal software
- Install routers and firewalls to prevent unauthorized access to your computer or network
- Install security updates to operating systems and all applications as they become available
- Block pop-ups
- Do not open attachments from e-mail
- Do not use public internet access points
- Reconcile accounts daily
Note any changes in the performance of your computer
- Dramatic loss of speed
- Computer locks up
- Unexpected rebooting
- Unusual pop-ups
Make sure that your employees know how, and to whom, to report suspicious activity at your Company and at MBT. Contact MBT if you:
- Suspect a fraudulent transaction
- Are trying to process an ACH Batch and receive a maintenance page
- Receive an e-mail claiming to be from MBT that requests personal or company information