Corporate Account Takeover (CATO) is a type of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials.  Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves.  It is important for businesses to take extra precautions to safeguard their computers and login credentials to prevent fraudulent transactions.  Below is list of external sources with information and best practices to help safeguard against a potential compromise.

Internet Crime Complaint Center (IC3) “Fraud Advisory for Business” is a helpful document to better understand Corporate Account Takeover and how to best prevent it and educate your employees.

The Better Business Bureau’s website provides information on their website on data security and important cyber security.

Federal Trade Commission (FTC) is a national resource to help you deter, detect and defend against identity theft.

NACHA – The Electronic Payment Association’s website provides tools, resources and sound business practices to help businesses mitigate Account Takeover risk.

1. The FDIC does not directly contact bank customers (especially related to ACH and wire transactions, account suspension, or security alerts), nor does the FDIC request bank customers to install software upgrades. Such messages should be treated as fraudulent and the account holder should permanently delete them and not click on any links.

2. Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking the customer to install software, provide account information or access credentials is probably fraudulent and should be verified before any files are opened, software installed, or information is provided.

3. Phone calls and text messages requesting sensitive information are fraudulent.  If in doubt, account holders should contact the organization at the phone number the customer obtained from a different source (such as the number they have on file, that is on their most recent statement, or that is from the organization’s website). Account holders should not call phone numbers (even local prefixes) that are listed in the suspicious email or text message.

We’ve assembled a variety of excellent resources that can help you learn more about privacy and security issues.  Please note that these sites are not associated with Grinnell State Bank and that by using them you are governed by their own privacy policies.

Identity theft resources  

• Federal Trade Commission (FTC) Identity Theft–A national Resource to help you deter, detect and defend against identity theft.
• Identity Theft Resource Center (ITRC)–Step-by-step resolution instructions, form letters and other resources to assist identity theft victims

Online Fraud Resources

• National cyber Security Alliance (NCSA) Stay Safe Online–A nonprofit, public-private partnership focused on promoting cyber security, safety awareness and safe online behavior.
• Microsoft Security at Home–A Microsoft site committed to providing you with easy steps and resources to secure your computer at home.

Credit score monitoring resources

• Free Annual Credit Reports–Information provided by the FTC on how you can request and receive a free copy of your credit report every 12 months from each of the national credit reporting companies.
• Equifax–Website of one of the 3 largest American credit reporting agencies.
• Experian–Website of one of the 3 largest American credit reporting agencies.
• TransUnion–Website of one of the 3 largest American credit reporting agencies.

Additional privacy and security resources

• • Federal Deposit Insurance corporation (FDIC) consumer Protection–Offers a variety of information for consumers on financial topics, form understanding financial privacy to filing complaints.
  • OnGuardOnline.gov–Information from the federal government about avoiding scams, securing your computer and protecting kids online.
  • Privacy Rights Clearing House–A nonprofit consumer organization focusing on both information and advocacy.The PRC’s goals include raising awareness of how technology affects personal privacy and empowering consumers to take action to control personal information by providing practical tips on privacy protection.

Below is a list of possible issues your computer may have if it has been compromised

• • Inability to log into online banking (thieves could be blocking customer access so the customer won’t see the theft until the criminals have control of the money.)
  • Dramatic loss of computer speed
  • Changes in the way things appear on the screen
  • Computer locks up so the user is unable to perform any functions
  • Unexpected rebooting or restarting of the computer
  • Unexpected request for a one-time password (or token) in the middle of an online session
  • Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.)
  • New or unexpected toolbars and/or icons
  • Inability to shut down or restart the computer

Secure your computer

Here are some ways you can secure your computer to help protect your information.

Equip your computer with:

• Comprehensive spyware and virus-protection software.
• Up-to-date browser software.
• Firewall software that prevents unauthorized users from gaining access to your computer or monitoring transfers of information to and from the computer

Consider installing:

• Anti-keylogging software that can detect hidden keystroke logging malware and encrypt the keystrokes made on your computer keyboard
• Be sure to download software or applications form well-known or trusted sources.  You should download and install any operating system and software updates (sometimes called patches or service packs) in a timely manner.

Monitor your account activity

Checking your account activity frequently can help to detect fraud earlier.  You can receive information quickly about activity in your accounts when you set up Alerts.  In addition to Alerts that are automatically already turned on for your protection, you can set up additional Alerts to stay on top of your balances, payments and transactions.

Create strong passwords

• Avoid the use of personal information like birthday or a pet’s name
• Don’t choose passwords using dictionary words, names or parts of names, phone numbers, dates, etc.
• Chose passwords that aren’t easy to guess
• Never share them or write them down
• Choose a different password for each account.  For example, using the same password on bank accounts and social media may increase risk of identity theft or fraud.
• Create passwords per the website requirements

Browse safely

• To help ensure you’re on the real Grinnell State Bank site before you sign in, check your browser bar.
• Ensure proper security settings are in place like up-to-date antivirus software as well as updated applications and operating systems
• Be cautious about downloading applications.  Only install applications that come form trusted, well-known sites
• Understand the risks of using public or free Wi-Fi and sending information over unprotected connections
• Turn on the browser’s pop-up blocker
• Avoid accessing financial accounts from multiple computers or devices
• Never proceed with processing an online shopping transaction if a certificate error is received.  If multiple errors occur and the transaction can’t be completed, consider calling the company or finding another company that offers the same product.
• Don’t select “remember passwords”.  If this is chosen, anyone with access to your computer can sign-in as you.
• Don’t allow websites to keep credit or debit card information

Be smart about social networks

• Think before you share personal information.  Don’t share what you don’t want to be forwarded or seen by the public.
• Resist the temptation to post out-of-town plans, “check in” at physical locations or post vacation photos while you are away from home
• Avoid posting photos that reveal an address or a specific location
• Set privacy settings to allow only friends to see content
• Only accept requests from actual friends

Stay informed

Follow internet security issues in the news and discuss them with friends, family and colleagues.  Explore online resources like the National Cyber Security Alliance and Microsoft Security At Home websites that provide comprehensive information about topics such as securing your computer and safe online behavior.

Phishing and spoofing 

Phishing and spoofing emails ask you to go to a fake website that looks like Grinnell State Bank and provide your account information.  These emails may even ask you to call a phone number and provide account information.

Ways to identify phishing and spoofing emails include:

• Requests for personal information.  Grinnell State Bank emails will never ask you to reply in an email with any personal information, account numbers or login credentials.
• Urgent appeals.  We will never claim your account may be closed if you fail to confirm, verify or authenticate your personal information via email.
• Messages about system and security updates.  We will never claim the need to confirm important information due to upgrades and state that you much update your information online.
• Offers that sound too good to be true.  For example, you may be asked to fill out a short customer service survey in exchange for money, then be asked to provide your account number to receive the credit.
• Obvious typos and other errors.  These are often the mark of fraudulent emails and websites.  Be on the lookout for typos or grammatical errors, awkward writing and poor visual design.
• Odd-looking URLs.  Many mail programs will display the destination URL of a link when you place your cursor on the link.  (Caution:  Do not click the link.)  They often include URLs that include a legitimate company’s name or website address.

Why criminals send fraudulent email

One of the ways criminals try to trick people into providing personal account information for identity theft purposes is to send email that appears to have been sent by Grinnell State Bank, but has been sent by the criminal.

The phone email asks you to go to a website that looks like Grinnell State Bank site, but is a site the criminal has set up asking you to provide your personal account information.  Sometimes the email may ask you to call a phone number and provide account information.

Ways to protect against phishing and spoofing:

• To help ensure you’re on the real Grinnell State Bank site before you sign in, check your browser bar for www.grinnellbank.com, green text/shading or a lock icon.
• Delete any suspicious email you receive before click any inks or replying to it.

Malware

Malware, short for malicious software, includes viruses, spyware and Trojans that are designed to infiltrate or damage a computer system, steal personal information and commit fraud.  There are several easy ways you can minimize malware risk:

• Never download any file or attachment unless you are certain what it is and who provided it
• Never click on an advertisement that asks for personal or financial information
• Update your security and system software to protect your computer from malware threats

Vishing

Vishing uses Voice over Internet Protocol (VoIP) to leave an automated recording on your phone that says your account has experienced unusual activity.  The message instructs you to call what appears to be a Grinnell State Bank phone number (in fact, the caller ID has been fooled into displaying “Grinnell State Bank”).  Sometimes criminals also end emails and text messages containing fraudulent phone number.  Rather than provide any information, you should contact us immediately to verify the validity of the message.

Fake Mobile Banking apps

Criminals may develop and publish fake mobile banking applications that look like official Grinnell State Bank apps but are in truth designed to steal your online banking credentials.  Here are tips for recognizing an unofficial Grinnell State Bank app.

• The developer or author of the applications is not Fiserv Solutions, Inc.
• The app is being promoted on a third-party site, somewhere other than the official app store for your mobile device
• There is a charge for downloading the app—Grinnell State Bank does not currently charge for mobile app downloads.

To help protect your accounts and information, never download or install a Grinnell State Bank Mobile Banking app if you spot any of these warning signs.

SMShing

SMShing and smishing are like phishing (which typically happens via email), but take place via SMS text message.  A criminal sends you a text message that tries to trick you into replying with financial or personal information or clicking on links that will sneak viruses onto your mobile device.  Don’t respond to a text message that requests personal or financial information.  Grinnell State Bank will never ask you to provide your information in this way.

Lost and stolen devices

Mobile phones and tablet devices offer convenience, but they’re also easy to lose or steal, which can put your information at risk.  Here are some ways you can protect yourself now in the even your device is lost or stolen later:

• Password-protect your device so it can’t be accessed unless the password is entered
• Enable an automatic screen locking mechanism to lock the device when it’s not actively being used
• Consider using a remote wipe program that gives you the ability to send a command to your device that will delete any data
• Keep a record of the device’s make, model and serial number in case it’s stolen

Traditional online threats

Viruses, malware and other programs intended to steal your personal information or financial details can infect some mobile devices.  If your table supports a traditional anti-virus product, consider installing that software.  Backup the device’s data and keep the copy in a safe and secure location.  This will allow you to restore your data in the event you need to wipe the device clean to remove a harmful software threat.

A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

Things to know if you are a victim of a data breach:

The actions you’ll need to take will depend on the type of data compromised.

• If affected, you should receive a letter—via mail or email—telling you exactly what information was exposed and when. Federal law requires banks to inform customers of breaches; 46 states have laws mandating that other companies do the same, though large firms typically contact all customers regardless of state residency.
• (Bear in mind that “phishing” scammers often take advantage of breaches, purporting to be from the breached company in hopes of getting people to reveal personal information. So to be safe, don’t click through any emails or take any direct phone calls, but visit the official company website to learn about the breach and access help.)
• Notices—even legitimate ones—tend to be reassuring in tone, but don’t be fooled. Nearly one in three data breach victims also became a fraud victim in the same year, reports Javelin Strategy & Research.

If the compromised data was…

• …A password Change your password for that account immediately. If you use the same code for other accounts, change those as well.
• …Email address Watch your inbox for messages requesting information or requesting you to click on a link. If you receive a suspicious email from a company you do business with, call the sender to verify that they did indeed send it.
• …Credit card number Call the creditor and ask for a new card with a new number. Some creditors will automatically reissue cards to affected customers in wide-scale breaches. Know however that because the number rather than the card itself was stolen, you are not liable for any authorized purchases under the Fair Credit Billing Act.
• …Debit card number Since the card was not lost, you are not liable for any unauthorized transactions if you report them within 60 days of receiving your statement. Still, you should cancel the card and change your pin. If the bank account number was also exposed, close the account and open a new one with a new number. Consider asking for a verbal password, too, which prevents bank personnel from discussing your account with anyone unable to provide that password.
• …Social Security number. Contact one of the three major credit reporting agencies and have them place a fraud alert on your account. That agency will then be legally bound to notify the other two agencies to do the same. An alert lets lenders know to take extra care verifying personal information before issuing credit and entitles you to a complimentary credit report from each agency. Review this for suspicious activity. You should also place a credit freeze on your account, which will prevent a credit reporting company from releasing your credit report or score without your consent.

Sometimes the letters from breached companies also contain offers for free credit report monitoring provided by the company. While these programs are not generally worth paying for—since you can monitor your own credit for free—you may as well accept it if it’s being handed out. Monitoring services will alert you to some uses of your SSN quicker than you may be able to spot through your credit report, meaning you can resolve any problems quicker.

If you believe you’ve been a victim of a social engineering scam or any type of fraudulent activity, contact us immediately to protect your account.

You can also report social engineering scams to:

The U.S. Computer Emergency Readiness Team (US CERT)

The Federal Trade Commission (FTC); forward phishing emails to spam@uce.gov

Internet Crime Complaint Center (IC3)

Here are some ways to help you protect your Social Security number:

• Carry only necessary identification with you.  Don’t carry your social security card
• Never provide your Social Security number unless you have initiated the contact and have confirmed the business or person’s identity
• Do not use your full or partial Social Security number as a Personal Identification Number (PIN) or as a password
• If you must send your Social Security number in an email, ensure that the email is encrypted
• Only enter your Social Security number into internet websites when the site is secure and you know how the recipient will protect it
• Be cautious of your surroundings when disclosing your Social Security number into internet websites when the site is secure and you know how the recipient will protect it
• Do not transmit your Social Security number over the Internet unless you know that the connection is secure or you have encrypted the Social Security number
• Be cautious when faxing your Social Security number, double check the fax number to ensure it is the correct number
• Do not record your Social Security number on a check, traveler’s check, gift certificate, money order or other negotiable instrument unless required by law.

Elder abuse (also called “elder mistreatment,” “senior abuse,” “abuse in later life,” “abuse of older adults,” “abuse of older women,” and “abuse of older men”) is “a single, or repeated act, or lack of appropriate action, occurring within any relationship where there is an expectation of trust, which causes harm or distress to an older person.”

It is generally divided into the following categories:

• Physical abuse is physical force that results in bodily injury, pain, or impairment. It includes assault, battery, and inappropriate restraint.
• Sexual abuse is non-consensual sexual contact of any kind with an older person.
• Domestic violence is an escalating pattern of violence by an intimate partner where the violence is used to exercise power and control.
• Psychological abuse is the willful infliction of mental or emotional anguish by threat, humiliation, or other verbal or nonverbal conduct.
• Financial abuse is the illegal or improper use of an older person’s funds, property, or resources.
• Neglect is the failure of a caregiver to fulfill his or her care giving responsibilities. Self-neglect is failure to provide for one’s own essential needs.

Financial abuse is the fastest growing form of elder abuse.  Elder financial abuse spans a broad spectrum of conduct, including:

• Taking money or property
• Forging an older person’s signature
• Getting an older person to sign a deed, will, or power of attorney through deception, coercion, or undue influence
• Using the older person’s property or possessions without permission
• Promising lifelong care in exchange for money or property and not following through on the promise
• Confidence crimes (“cons”) are the use of deception to gain victims’ confidence
• Scams are fraudulent or deceptive acts
• Fraud is the use of deception, trickery, false pretence, or dishonest acts or statements for financial gain
• Telemarketing scams. Perpetrators call victims and use deception, scare tactics, or exaggerated claims to get them to send money. They may also make charges against victims’ credit cards without authorization.

Who are the perpetrators?

• Family members, including sons, daughters, grandchildren, or spouses.
• Predatory individuals who seek out vulnerable seniors with the intent of exploiting them.
• Unscrupulous professionals or businesspersons, or persons posing as such.

Who is at risk?

The following conditions or factors increase an older person’s risk of being victimized:

• Isolation
• Loneliness
• Recent losses
• Physical or mental disabilities
• Lack of familiarity with financial matters
• Family members who are unemployed and/or have substance abusers problems

What are the indicators?

Indicators are signs or clues that abuse has occurred. Some of the indicators listed below can be explained by other causes or factors and no single indicator can be taken as conclusive proof. Rather, one should look for patterns or clusters of indicators that suggest a problem.

• Unpaid bills, eviction notices, or notices to discontinue utilities
• Withdrawals from bank accounts or transfers between accounts that the older person cannot explain
• Bank statements and canceled checks no longer come to the elder’s home
• New “best friends”
• Legal documents, such as powers of attorney, which the older person didn’t understand at the time he or she signed them
• Unusual activity in the older person’s bank accounts including large, unexplained withdrawals, frequent transfers between accounts, or ATM withdrawals
• The care of the elder is not commensurate with the size of his/her estate
• A caregiver expresses excessive interest in the amount of money being spent on the older person
• Belongings or property are missing
• Suspicious signatures on checks or other documents
• Absence of documentation about financial arrangements
• Implausible explanations given about the elderly person’s finances by the elder or the caregiver
• The elder is unaware of or does not understand financial arrangements that have been made for him or her

Resources if you suspect Elder Abuse

• National Center on Elder Abuse
• Suspect Abuse?  Get Help, here are some resources.
• State Resources

Sign your cards immediately

Sign the signature panel on your credit and debit cards as soon as you receive them.

Monitor your debit card transactions

Grinnell State Bank offers GSB Card Control, an app which will allow you to setup alerts on your debit card activity, so you can easily monitor your purchases.  Signing up for GSB Card Control is easy, download the GSB Card Control app in the App Store or Play Store.

Check your statements

Save the receipts from your charges and keep them in a safe location.  Check your statements to verify that they properly reflect the amounts you have authorized.  Report any fraudulent transactions immediately.  Once you have reconciled your statements, shred up all receipts and discard them.

Go paperless with Online Banking

Access your Grinnell State Bank statements through Online Banking and ask us to stop sending paper.  Checking your balances and viewing your account statements online is safer than having information sent through the mail.

Keep a list of all your card account numbers

Keep the list in a safe and secure place and include the telephone numbers to call if your cards are ever lost or stolen.

Use ATMs safely

Use ATMs with surveillance cameras and be aware of people and your surroundings.  When you enter, or exit an ATM in an enclosed area, be sure you close the entry door completely.  Do not open locked ATM vestibule doors for others or allow any unknown persons to enter the ATM area while you are making your transaction.  Shield the ATM keypad with your hand or body while entering your PIN.  Secure your card and cash after completing your transaction and before exiting the ATM area.  Count your cash later in the safety of your locked car or home.  Your ATM/Debit card is like cash, so keep it in a safe place

Always be cautious

Never provide credit or debit account information to anyone who calls you.  Grinnell State Bank will never reach out to you in this way to request sensitive account information.

View your MasterCard Guide to Benefits for Debit Cardholders.

As more people bank and shop online, proper internet security is more important than ever.  Safeguarding your information can be as simple as consistently reviewing your bank accounts and reporting any suspicious activity.  But there are a number of other things you can do to stay safer online.  Here are ten tips to help protect you and your money.

1. Use strong passwords.  A strong password (one that is not easily guessed by human or computer) will have eight or more characters, including letters, numbers and symbols.  Make sure to use different user IDs and passwords for you financial accounts and for any other sites you use online.
2. Be mindful of the numbers you use.  Don’s use any part of your Social Security number (or any other sensitive information, such as credit card numbers or birthdays) as a password, user ID or personal identification number (PIN).  If someone gains access to this information it may be among the first things used to get into your account.
3. Look out for strange emails.  Don’t respond to emails that claim to be from your bank (or any other company) requesting your account details.  No bank is ever likely to approach you this way to ask for personal information.
4. Beware of email attachments.  It’s never a good idea to click on email attachments or free software from unknown sources.  You could end up exposing your computer (and the information on it) to online fraud and theft.  Keep in mind that links you receive in emails or in messages on social networking sites can be harmful or fraudulent, even if they appear to come from friends.
5. Watch how much you share online.  The more you post about yourself on social networking sites, the easier it might be for someone to use that information to access your accounts, steal your identity and more.  Maximizing your privacy settings on social networking sites can also help protect your personal information.
6. Be careful about what (and where) you click.  Look for security-enabled website addresses that start with “https” (the extra “s” indicates security).  These sites take extra measures to help secure your information.  This is particularly important if you’re making purchases using your credit or debit card.  If you receive requests for personal information while surfing the web, or calls for immediate action, these are almost always scams.  Avoid clicking on suspicious links. They might give you a virus or steal personal data.  If the link was sent to you, talk to the sender directly to verify where it came from.
7. Secure your smartphone.  Many mobile devices give you the option of locking your screen, which helps keep data stored on them secure.  Depending on your phone, this can come in the form of a passcode, a pattern you draw on your phone’s touch screen or even your fingerprint.
8. Don’t keep sensitive information on your phone.  Sensitive information includes your bank account numbers, identification information, passwords and other personal details such as answers to your security questions.  If you bank via our mobile app, don’t worry.  We won’t expose your account information or passwords.
9. Think before you download apps.  It’s a good idea to review the privacy policy and understand what personal data an app can access before you download.  It’s best to purchase or download apps from authorized stores.
10. Keep your technology up to date.  Make sure to update your computer’s operating system, your internet browser and the software on your mobile devices.  Updates generally include the lastes security patches.  Be sure to also use antivirus and anti-spyware software:  These programs help find and remove malicious programs from your computer.

By following these online and mobile security tips, you can help protect your personal information from falling into the wrong hands.  If you suspect information related to your bank account has been compromised, contact us immediately for assistance addressing the issue.

Free Public Wifi is everywhere.. hotels, airports, coffee shops, restaurants and even stores; but should you use it?

Experts advise that you should never enter personal and confidential information into your phone or laptop while using public wifi and to avoid public wifi altogether when dealing with confidential information. This includes credit card information, logins, passwords, etc. Hackers can set up a bogus wifi access and name it “free public wifi” and have instant access to your phone or laptop once you connect.

A business offering wifi access that requires a password, that is a much safer bet; but you are usually much better off waiting to do anything with sensitive information until you are on your cellular service or at home.

If you notice your card is lost or stolen during normal bank hours, please contact the bank. If it is outside of normal bank hours, please call 800-383-8000, to report your card lost or stolen with Shazam, our debit card company.

With more commerce occurring online the Cybersecurity and Infrastructure Security Agency (CISA) reminds shoppers to remain vigilant. Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails claiming to be from charities, and unencrypted financial transactions.

CISA encourages online holiday shoppers to review the following resources:

• CISA’s Online Shopping Tip
• CISA’s Holiday Online Shopping page
• CISA’s Social Engineering and Phishing Attacks Tip
• The Federal Bureau of Investigation’s (FBI’s) ‘Tis the Season for Holiday Online Shopping Scams – Don’t Be a Victim Announcement

If you believe you are a victim of a scam, consider the following actions:

• Report the incident to your local police, and file online reports at the Federal Trade Commission’s Report Fraud page and the FBI’s Internet Crime Complaint Center (IC3) page.
• Watch for unexpected or unexplained charges to your account. If any appear, contact your financial institution immediately and close any accounts that may be compromised.
  • See CISA’s Preventing and Responding to Identity Theft Tip for more information.
• Change any passwords you might have revealed immediately. Avoid reusing passwords.
  • See CISA’s Choosing and Protecting Passwords Tip for more information.