Staying Safe Online
Protecting your personal financial information is a top priority for us at Sawyer Savings Bank. Please see the below information about staying safe from scams and protecting your personal information:
Your Authorized Access to Online Banking
When you use Sawyer Savings Bank’s Online Banking platform, you can be confident that we have technology in place to help prevent unauthorized access by others. This technology will recognize if your computer has been used before to access the system. We also utilize a secure behind the scene process to validate your device (PC, laptop, tablet, mobile phone), username and password. With this enhanced technology, we have built in additional layers of security in the event you login from a device that has not been used in the past. You will be asked to validate your identity through a one-time security code via a phone call or SMS message. If a phone is not available, you will be asked to answer a series of questions to validate your identity. These enhanced security features help safeguard your information.
Did you know that Account Takeover is on the Rise?
What is an Account Takeover (ATO)?
Account takeover is an attack in which cybercriminals take ownership of online accounts using stolen passwords and usernames. These cybercriminals then use these credentials to commit fraud. These bad actors purchase cardholders’ Personally Identifiable Information (PII) via the dark web—typically gained from social engineering, e.g., phishing, vishing, or smishing attacks (detailed below) or data breaches. Stolen PII (e.g., name, address, email, phone number, date of birth, business name, cellphone provider, social media and login accounts and passwords) provides the necessary credentials for a fraudster to pose as a cardholder.
With this information fraudsters can engage with the cardholder’s financial organization and make changes to accounts or card settings to execute fraud. They may make demographic changes (e.g., phone numbers, emails, passcodes), or apply for increased limits, Personal Identification Number (PIN) changes and/or travel exemptions to suppress or interfere with our fraud-monitoring tools.
The activities described above are most commonly associated with merchant data breaches described in media reports. However, in the case of account takeover, the stolen data is not obtained from a payment system.
Schemes that Contribute to Account Takeover
Skimming and Malware
Skimming and deployment of POS terminal malware continue to be widespread methods for stealing data. Smaller, local merchants are now more likely to be compromised than in years past. Stolen data, which is collected using POS malware, is passed to criminal networks through remote, wireless technologies with increasing speed. By reacting to fraud events quickly, your organization can significantly mitigate losses
Phishing
The prevalence of phishing (tricking cardholders into revealing confidential information) and its variants continue to rise. Phishing schemes are becoming more targeted (such as “spear-phishing”) and more difficult to identify than in the past. Instead of using only suspicious links in poorly designed emails, phishing emails are mimicking legitimate websites and appear more polished and credible. The use of web address shortening tools, such as TinyURL, make detection of suspicious links more difficult, even by savvy users. It is important to remind cardholders to safeguard their financial data and their online banking credentials against criminals trying to harvest it.
Vishing and Smishing
Smishing and Vishing schemes use sophisticated methods combined with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers. Vishing is the fraudulent practice of making phone calls or leaving voice messages claiming to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. Cardholders may be sent a voice or text message with transaction details and requesting the cardholders confirm. When they respond, they may be questioned for account details, or they may be asked to call back a number to provide account information. In some instances, they are sent a one-time passcode (OTP). The caller or text message then instructs the cardholder to reply “No Fraud” to text/voice messages.
It is important to be on the lookout for these kinds of fraudulent messages that disguise themselves as legitimate fraud notifications. These schemes use sophisticated methods combined with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Additional red flags of note include hyperlinks and grammatical and punctuation mistakes.
Malicious Software
Malicious software, including software which compromises account-holder computers locally via Man-in-the-Browser (MitB) attacks are a significant threat to the security of financial data. Man-in-the-Browser attacks install malicious software in the background via “drive by download.” This malware is then able to monitor and hijack user web sessions to then transfer funds or harvest payment cards and online banking credentials, while redirecting the legitimate cardholder to a fictitious error page. This type of malware often deploys automatically when a user visits a compromised website.
Maintaining a secure, up-to-date operating system along with robust security and anti-malware software are critical first steps in preventing this type of fraud. Availability and deployment of automation and crime-ware is increasing in the card fraud world. Both all-in-one malware packages designed to compromise computer systems (e.g., Zeus, Citadel, Tilon) as well as individual tools able to crack passwords and to automatically carry out brute force attacks are available for purchase on underground websites and on criminal forums. Heavy reliance on one type of security tool or on older tools could lead to more fraud loss. We recommend a dynamic, multi-layered detection and prevention strategy.
What should you do to protect yourself?
Recommendations
- Be aware of what information you are choosing to submit online and never easily provide your personal information.
- If you are concerned about an automated message, you should not respond to the call, text, or email. You should contact the company in question using the official customer service number on your own card or contact information listed on the company’s legitimate website. You should not contact any number provided by the fraud call or message and should not click on links in text messages.
- You should always keep two-factor authentication codes private. Do not provide them via phone, text, or email. These codes should only be used to sign into the banking, merchant, or payment account when the you are trying to access it.
User ID and Password Guidelines
- Create a “strong” password with at least 8 characters that includes a combination of mixed case letters, numbers, and special characters.
- Change your password frequently.
- Never share username and password information with third-party providers.
- Avoid using an automatic login feature that saves usernames and passwords.
Tips to Avoid Phishing, Spyware and Malware
- Do not open e-mail from unknown sources. Be suspicious of e-mails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes, and similar information. Opening file attachments or clicking on web links in suspicious e-mails could expose your system to malicious code that could hijack your computer.
- Never respond to a suspicious e-mail or click on any hyperlink embedded in a suspicious e-mail. Call the purported source if you are unsure who sent an e-mail.
- If an e-mail claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
- Online Banking does not use pop-up windows to display login messages or errors. They are displayed directly on the login screen.
- Online Banking never displays pop-up messages indicating that you cannot use your current browser.
- Online Banking error messages never include an amount of time to wait before trying to login again.
- Be advised that repeatedly being asked to enter your user ID and password are signs of potentially harmful activity.
- Being asked challenge questions if your computer was previously registered is a sign of potentially harmful activity.
- Install anti-virus and spyware detection software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
- Update all your computers regularly with the latest versions and patches of both anti-virus and anti-spyware software.
- Ensure computers are patched regularly, particularly operating systems and key applications.
- Install a dedicated, actively managed firewall, especially if using a broadband or dedicated connection to the internet, such as DSL or cable. A firewall limits the potential for unauthorized access to your network and computers.
- Check your setting and select, at least, a medium level of security for your browser.
- Clear the browser cache before starting any Online Banking session to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared depends on the browser and version you are using. This function is generally found in the browser’s preferences menu.
Ways you can protect yourself:
- Update your browser
- Computer Safety
- Protect your business
- Keep your contact information current
- Changed addresses, email or phone numbers? Another way to keep your personal information secure is to ensure that Sawyer Savings Bank has the most up to date contact information for every account holder. Much of this information can be updated in online banking or when you stop into a branch or call our Customer Service Center. Keeping your email, address and mobile number up to date will help us keep you secure online!
General Guidelines
- Do not use public or other unsecured computers for logging into Online Banking.
- Users should check the last login date/time every time they log in.
- Review account balances and detail transactions regularly (preferably daily) to confirm payment and other transaction data and immediately report any suspicious transactions to your financial institution.
- View transfer history available through viewing account activity information.
- Whenever possible, use Bill Pay instead of checks to limit account number dissemination exposure and to obtain better electronic record keeping.
- Take advantage of and regularly view system alerts; examples include
- Balance alerts
- Transfer alerts
- Password change alerts
- Do not use account numbers, your social security number, or other account or personal information when creating account nicknames or other titles.
- Whenever possible, register your computer to avoid having to re-enter challenge questions and other authentication information with each login.
- Review historical reporting features of your Online Banking application on a regular basis to confirm payment and other transaction data.
- Never leave a computer unattended while using Online Banking.
- Never conduct banking transactions while multiple browsers are open on your computer.
Tips for Wireless Network Management
Wireless networks can provide an unintended open door to your network. Unless a valid business reason exists for wireless network use, it is recommended that all wireless networks be disabled. If a wireless network is to be used for legitimate business purposes, it is recommended that wireless networks be secured as follows:
- Change the wireless network hardware (router/access point) administrative password from the factory default to a complex password. Save the password in a secure location as it will be needed to make future changes to the device.
- Disable remote administration of the wireless network hardware (router/ access point).
- If possible, disable broadcasting the network SSID.
- If your device offers WPA encryption, secure your wireless network by enabling WPA encryption of the wireless network. If your device does not support WPA encryption, enable WEP encryption.
- If only known computers will access the wireless network, consider enabling MAC filtering on the network hardware. Every computer network card is assigned a unique MAC address. MAC filtering will only allow computers with permitted MAC addresses access to the wireless network.
Remember, Sawyer Savings Bank will NEVER call you and ask for your personal account information. If you receive a call from anyone who claims to be from the Bank please hang up and notify us immediately.