Fraud Awareness
In our ongoing commitment to help combat fraud on behalf of our customers, we have created this web page to keep you informed of current alerts and resources to protect yourself from financial fraud.
Online Security for Individuals
- Protect your PC
Before going online, ensure that your computer is completely protected from phishing and other malicious spyware. Clean your browsers, temporary files, and cookies often, as these contain your buying data, which can be useful information for scammers. Use virus, spyware, malware, and other PC protection software.
- Protect your passwords
Never share your important passwords, user data, or account details with others. Use complex passwords. Do not use the same password and log-in ID across multiple websites. If one of those websites is compromised, it is a short leap for cybercriminals to see if your password can be used for all of your financial logins as well.
- Avoid using public computers
Don’t use an Internet cafe, public library, or shared computer for financial transactions, as there is every possibility of scammers tracking your details. If you have to use a public computer, check that the computer is well-protected and delete your data/cookies after being online.
- Do your homework
Read up on the hazards of buying online. Find out which site or Internet security label shows that the site you are using is secure for money transactions. Do your homework on harmful scams, Internet phishing sites, and also on useful online shopping sites.
- Don’t click suspicious emails
Avoid clicking on suspicious emails – and NEVER use links in e-mails if you are not absolutely certain you know where they are taking you! Many scammers use email to attract customers. Often you get an email announcing you have won a lottery or one that says your account in a particular shopping site/bank is about to be suspended. Such an email may carry a link and may ask you to click it to retrieve your account. Often it may lead to a PayPal or bank account login page. If you log in through the site, your account details will be stored in the scammer’s database and you will become a victim online.
Online Security for Businesses
If you are a business owner, and you are granting certain employees the ability to access your accounts online in order to manage your banking and financial objectives – OR – are conducting online transactions such as ACH processing, then the following information is an absolute MUST READ.
Corporate Account Takeover
What is it?
Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials. Small to mid-sized businesses remain the primary target of criminals, but any business can fall victim to these crimes. Attacks today are typically perpetrated quietly by the introduction of malware through a simple email or infected website. For a business that has low resistance to such methods of attack, the malware introduced onto its system may remain undetected for weeks or even months. Introducing layered security processes and procedures, technological and otherwise, and other tightened security efforts, can help protect businesses from criminals seeking to drain accounts and steal confidential information. These increased security procedures may help reduce the number of incidents, mitigating financial losses, business risks, and reputational damage that can result from such attacks.
How Does it Happen?
Hackers often take aim at small firms’ computers because they are easier to infiltrate than banks’ systems. For example, a business’ systems may be compromised by:
- An infected document attached to an email
- A link within an email that connects to an infected website
- Employees visiting legitimate websites – especially social networking sites – and clicking on the infected documents, videos, or photos posted there
- An employee using a flash drive that was infected by another computer
Once the employee opens the attachment or goes to the Web site, malware is installed on the computer. In each case, fraudsters exploit the infected system to obtain security credentials that they can use to access a company’s business accounts. Once embedded, the malware can even seek out other computers within the network to gain secondary access or credentials. While up-to-date antivirus software offers substantial protection against malware, it isn’t 100% effective. According to the FBI, there is no single deterrent that is 100% effective against fraud, viruses, and malware.
What is the Risk?
The bank’s ability to protect you is severely undermined when your online credentials are compromised by a data breach initiated within your computer system. Once your computer is compromised, a criminal will attempt to fraudulently perform any action you can take from your online banking: Bill Pays, ACH Transfers, Wires, copies of checks and signatures, etc. Any possible way to financially defraud you will not be overlooked by smart criminals with the intent to steal your money or personal information.
What To Look For
- Monitor and report suspicious activity! Ongoing monitoring and timely reporting of suspicious activity are crucial to deterring or recovering from these frauds. A business should report anything unusual to the financial institution, such as log-ins at unusual times of day, new user accounts, unauthorized transfers, etc., so the financial institution can immediately block the account and monitor activity.
- Be wary of distractions designed to camouflage a takeover. These include robo-calls flooding your phone lines, designed to keep the bank from contacting you or to prevent you from dialing out, and an email “dump” that floods your inbox with literally thousands of emails, designed to hide any automatic alerts from the online banking system regarding password changes, security changes or transaction alerts.
- Evergreen National Bank will never ask you for any personal or identifying information through an email link.
- Only use the address that you have used before or start at your normal homepage – NEVER through a link.
- Always report fraudulent or suspicious email to your Internet Service Provider. Reporting instances of spoof web sites will help get those bogus websites shut down before they can do any more harm.
- Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and “https” in front of the website address.
- Take note of the header address on the website. Most legitimate sites will have a relatively short internet address that usually depicts the business followed by .com, .net or .org. Spoof sites are more likely to have an excessively long string of characters in the header with a legitimate business name somewhere in the string, or possibly not at all.
- If you have any doubts about an email or website, contact the legitimate company directly. Make a copy of the questionable web site’s URL address, send it to the legitimate business and ask if the address is legitimate.
- When creating your passwords, don’t use information that could easily be linked to you (i.e. phone number, your date of birth, address numbers).
- Do not share your passwords or PINs with anyone, or store them where they can be found.
Partner With Evergreen National Bank
We are committed to protecting your online banking information and security, and are required by our regulators to maintain strong security standards. Evergreen National Bank is constantly improving and upgrading security measures to help protect our customers. But the overwhelming majority of fraud starts at the Business/Customer level, which makes the steps YOU take more critical than ever.
Take Steps to Defend Your Business!
If you or any employees use computers to access accounts or initiate transactions, then you must make identity and data security an operational cornerstone of your daily business. If you don’t have the time or knowledge to do so, then you should seek out security and network professionals who can provide ongoing monitoring and protection on your behalf – OR – choose not to conduct financial activity online.
- Use firewalls, security suites, anti-malware and anti-spyware on all computers
- Only access your bank accounts through a computer that isn’t used for anything else—no email or Web surfing—and isn’t connected to the local network.
- Do not allow the dedicated computer to be used in Wi-Fi hotspots, including airports or Internet cafes, and disallow workstations to be used for general Web browsing.
- Dual control — for example, file creation by one employee and file approval and release by another employee on a different computer.
- Assign the task of daily reconciliation of your account – one of the best tools for identifying any type of fraudulent activity on your accounts.
- If you use Microsoft’s Internet Explorer browser, make sure you have the latest version, which includes security features to help prevent attacks. Consider using Explorer in “protected mode,” which restricts files that try to install on a computer without the user’s consent, and set your “Internet zone security” to “high,” which disables some of Explorer’s less-secure features, according to Microsoft.
- Educate your employees! If they don’t know what to be suspicious of, you are leaving the door open for Corporate Account Takeover. Also create and use a company/employee internet usage policy, and enforce it.
- Use email alerts and notifications. Email alerts will be sent to the addresses you specify according to the transaction or activity criteria you choose. These are a great place to start, but do not rely on them exclusively! They are the first items a criminal will try to change if they have gained access to your online banking.
If You Believe Your Computer Has Been Compromised
- Immediately cease all online banking activity if the online banking application appears different and not legitimate. Do not continue and contact the Bank immediately.
- Disconnect your internet access to that computer.
- Use another computer – out of network if you are on a network – to immediately change all of your passwords.
- If your business is networked to multiple computers, be suspicious and alert to the fact that ALL networked computers are potentially compromised.
- If you are unable to contact the Bank (after hours or weekends), leave a message at the Bank to close your internet banking down immediately and contact you ASAP.
MALVERTISING
Most websites you visit will feature some sort of advertising, such as ad banners on the side of the page or a video playing within the page itself. These ads can grab your attention with outrageous claims, promotions, or promises of free products. Some ads are based on your past browsing history, making you even more likely to click!
What is Malvertising?
Malicious advertising, known as malvertising, is when cybercriminals use ads to spread malware or use ads to trick users into providing sensitive information. When browsing a webpage, if you click on a malicious ad, you may be taken to a phony login page or a fake retail website that will ask for your sensitive information. Some malvertising can even download malicious files onto your system.
How do Cybercriminals Gain Access to Ads?
Most websites don’t choose who advertises on their page. Instead, they use ad networks that manage the advertisers, traffic, and payments. Cybercriminals can take advantage of this system by fooling the ad networks into thinking that they are a legitimate advertiser. Once part of the ad network, the bad guys use their ads to target anyone willing to click. Remember that just because you are on a reputable, well-known website does not mean that the ads on the website are safe to click as well.
Follow these tips to stay safe from harmful ads:
- Think before you click! If something seems too good to be true, it probably is.
- Stay up-to-date with security patches on your device and your browser.
- Install a reputable ad blocker for your browser. Ad blockers help protect you from malvertising by preventing ads from being displayed.
How to Keep Your Organization Safe In and Out of the Office
Whether you work from home or work in an office, the security of your organization must be one of your top priorities. While these two locations can feel quite different, you can use the same precautions no matter whether you’re working from the office or at home. Let’s look at some important cybersecurity rules and how they can be used both in the office and when you are working at home.
Only Use Secure Devices
- Remember that your device is only as secure as the apps that are running on it. Never install an application or plugin without first checking with your IT department.
- Only use your work devices for work. If you are using your personal computer for work, we recommend that you create a separate user account with a unique username and password.
- In the office, network security is probably managed by your IT department. To help keep your home internet connection secure, use a complex password on your router. If your organization offers access to a Virtual Private Network (VPN), connect to that as well.
Protect Your Physical Workspace
- In the office, watch out for piggybacking and tailgating. A piggybacker is someone who claims to be part of your organization and follows you into a secure area without the use of a badge or entry code. A tailgater is someone who waits for you to enter or exit a secure area and then sneaks in while the door is still open. Be suspicious of anyone who you do not recognize and don’t be afraid to ask for identification.
- At home, find a private and comfortable workspace, where no one can view your screen while you work. You must keep all sensitive information out of sight for any unauthorized persons, including your partners, children, and friends.
- Always lock your computer when you step away from your desk. If you leave your computer unlocked, anyone can use it to access sensitive data, steal your login credentials, or even install malware.
Think Before You Click
- Never click a link or download an attachment from an email that you weren’t expecting. Even if the sender appears to be part of a legitimate organization, the email address could be spoofed.
- When an email asks you to log in to an account or online service, navigate to that service through your browser. Never click the link in the email. Navigating to the site directly ensures that you’re logging in to the real website and not a look-alike site.
- When in doubt, call the sender of the email to be sure the request, link, or attachment is legitimate. Do not call the phone number provided within the email as it may be a fake number.
Verizon Scam 10/20/21
In a recent scam, cybercriminals impersonated the telecommunications provider, Verizon. The logo for Verizon is the company name, followed by a red asymmetrical “V” that resembles a checkmark. Cybercriminals imitated this logo by using mathematical symbols, such as the square root symbol (√).
Using their fake logo, cybercriminals sent a phishing email that was disguised as a Verizon voicemail notification. The email directs you to click the “Play” button to listen to the voicemail. If you click the button, you are taken to a phony look-alike Verizon webpage. Before you can listen to the voicemail, you are directed to log in to your Microsoft Office 365 account for authentication. Unfortunately, if you enter your credentials, you’ll give the cybercriminals full access to your Microsoft Office 365 account.
Use the tips below to stay safe from similar scams:
- This type of attack isn’t exclusive to Verizon. Cybercriminals could easily use this technique for other brands. Always think before you click.
- Watch out for anything out of the ordinary. A Verizon webpage asking you to log in using your Microsoft Office 365 account is quite unusual.
- If you receive an unexpected notification, open your browser and navigate to the provider’s website. Then, you can log in to your account knowing that you are on the real website and not a phony look-alike website.
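For mail administrators, the logo trick described above can be checked for automatically. The following is an added example, not part of the original page: it flags a brand name immediately followed by a non-ASCII symbol in the sender name, subject, or body of an email. The brand watch list, the allowed trademark marks, and both sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from email import message_from_bytes, policy
from email.headerregistry import Address
from email.message import EmailMessage

# Assumed watch list of brand names; extend to suit your own mail flow.
BRANDS = ("verizon", "microsoft", "paypal")
# Marks that legitimately follow a brand name: (R), TM, (C), SM.
ALLOWED_MARKS = {"\u00ae", "\u2122", "\u00a9", "\u2120"}


def symbol_after_brand(text):
    """Return (brand, symbol, unicode_name) for each brand name that is
    directly followed (optionally after one space) by a non-ASCII
    mathematical or pictographic symbol, as in "Verizon√"."""
    findings = []
    for brand in BRANDS:
        pattern = re.compile(re.escape(brand) + r"\s?(\S)", re.IGNORECASE)
        for match in pattern.finditer(text):
            ch = match.group(1)
            if ord(ch) < 128 or ch in ALLOWED_MARKS:
                continue  # ordinary text or a normal trademark mark
            # Sm = math symbols (√), So = other symbols (✓, ✔)
            if unicodedata.category(ch) in ("Sm", "So"):
                findings.append((brand, ch, unicodedata.name(ch, "UNKNOWN")))
    return findings


def scan_email(raw):
    """Parse a raw message and check the subject, the From display name
    and the plain-text body. Returns (field, brand, symbol, name) tuples."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    body = msg.get_body(preferencelist=("plain",))
    fields = {
        "subject": str(msg["Subject"] or ""),
        "from": " ".join(a.display_name for a in from_hdr.addresses)
        if from_hdr else "",
        "body": body.get_content() if body else "",
    }
    return [(field, *hit)
            for field, text in fields.items()
            for hit in symbol_after_brand(text)]


def build_sample(display_name, subject, body):
    """Build a constructed test message (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = Address(display_name, "notify", "mail.example")
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()  # non-ASCII headers are RFC 2047 encoded here


# Constructed samples: one imitating the logo, one ordinary notification.
PHISH = build_sample("Verizon\u221a Voicemail",
                     "Verizon\u221a voicemail: 1 new message",
                     "You have a new voicemail. Click Play to listen.")
LEGIT = build_sample("Verizon Wireless",
                     "Your Verizon\u00ae bill is ready",
                     "Thank you for choosing Verizon.")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, scan_email(raw))
```

A hit is a reason to quarantine the message for review, not proof of fraud, since some senders decorate subject lines with symbols.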
Top Five Facebook Scams
Facebook now has over a billion users. That’s a mind-boggling number of people who check their page regularly. The bad guys are irresistibly attracted to a population that large, and here are the top five scams they are trying to pull off every day of the year.
- Who Viewed Your Facebook Profile: This scam lures you with messages from friends or sometimes malicious ads on your wall to check who has looked at your profile. But when you click, your profile will be exposed to the scammer and worse things happen afterward.
- Fake Naked Videos: There are tons of fake naked videos being posted all the time using the names of celebrities like Rihanna or Taylor Swift that sometimes make it past the Facebook moderators. These scams are in the form of an ad or a post and have a link to bogus YouTube videos. That site then claims your Adobe Flash player is broken and you need to update it – but malware is installed instead!
- Viral Videos: Viral videos are huge on social media platforms. If you click on one of these “videos” you’ll be asked to update your video player (similar to the scam above) but a virus will be downloaded and installed instead. To avoid this, type the name of the video into Google and if it doesn’t have a YouTube or other legitimate site link, it’s likely a scam.
- Fake Profile Scam: Scammers are stealing the name and pictures from an existing profile and “friending” the real person’s friends in an effort to scam friends and family by faking an emergency. Be very cautious of accepting friend requests from someone you’re already friends with.
- Romance Scams: A specific type of “Fake Profile Scam” where con artists create a fake profile using the photos and stories of another person and then develop “relationships” with their victims over posts, photos, and Facebook Messenger. These scammers typically shower you with romantic language, promise happiness, and eventually con you into giving up personal information, or even money. Avoid personal and financial heartbreak: don’t “friend” people you don’t know in real life.
WiFi? Why Not? VPN is your Friend!
Using free public WiFi at a coffee shop or airport hot spot is great for convenience, but bad for security. Most free access points do not make use of encryption. This is done for convenience and ease of access. If every person had to ask the barista or gate attendant for the WiFi key, it would get unruly, and no actual work would get done. Keep in mind that you are sharing those wireless airwaves with anyone that is within range of your wireless communications.
There is technology out there that allows you to view the wireless computer communications that are within range of your device. To the bad guys, this technology lets them see what you are doing, the data you are passing to websites, and your usernames and passwords.
UNLESS
- You are on websites with ‘https’ … the little S is for secure. It’s like speaking a language that only two people can understand (your computer, and the website).
- You are using VPN software to encrypt all your wireless communications.
- You are using a wireless device from your cell phone provider, 3G or 4G network access… This is not WiFi, and is not subject to WiFi Security Policies.
Using a VPN client to encrypt and route your wireless communications allows you to create a secure channel for your computer to communicate. Even if you are accessing a website without HTTPS, your communication to that website is secured through your VPN connection. If there are any bad guys around you listening in on your wifi traffic, it will be safe.
VPN stands for Virtual Private Network. It is good practice to use a VPN when in a public networking spot such as wifi hot spots. This will create a virtual tunnel for your computer to communicate securely through the public network.
Before traveling for work, consult with your IT department about their data security policies when on the road, how to set up your VPN connection (if your company has VPN access), or how to obtain a 3G/4G cellular network card.
Don't Reuse that Password!
Today, data breaches are more common than ever. A data breach is a leak of sensitive or confidential information, whether intentional or unintentional. It is almost a guarantee that at least one of your passwords, past or present, has been exposed by a data breach.
When passwords are exposed, hackers can buy them for a small sum, giving them unlimited access to your accounts and sensitive information. And, if you’ve used that password for multiple online accounts, bad guys could access those accounts too. So, if you’re still using your old MySpace password for your Facebook account, change that password immediately!
Here are some tips to keep in mind when creating new passwords:
- Make your passwords complex
  - Complex passwords use at least eight characters with a combination of upper and lower case letters, numbers, and symbols.
  - Example: a3D$8k0*
- Use passphrases
  - Passphrases are a phrase or sentence. Don’t use the lyrics of your favorite song or a quote from a book! Make it unique but make it something you can remember.
  - Example: Pa$$wordSafety1sC0ol
- Use a password generator
  - Password creators such as LastPass and 1Password can generate passwords for you.
- Don’t use variations of your old passwords
  - Hackers know that untrained users will do this, so they use automated tools to figure out these variations.
  - As a simple example, if your password is “Password”, don’t make it “Password1”. Hopefully, none of your passwords are actually “Password”!
Whether or not you’re sure that your password has been exposed, make the safe choice and make all of your passwords unique. Not sure how to keep track of all of these unique passwords? Ask your IT team or supervisor if they can recommend a password or credential manager that you can use.
How Secure is Your Mobile Device?
Most of us have a smartphone, but how many of us really think about the security threats faced by these mobile devices? Mobile devices are vulnerable to many different types of threats. The bad guys are increasing attacks on mobile devices and targeting your phone using malicious applications. Using these methods, they can steal personal and business information without you having any idea what’s going on.
Even if you’ve downloaded a security or antivirus application, securing your smartphone goes beyond these services. Improving your mobile security practices is your best defense against the privacy and security issues associated with your mobile device.
How can I improve my mobile security practices?
Always remember these best practices to minimize the risk of exploits to your mobile devices:
- Ensure your phone’s operating system is always up to date. Operating systems are often updated in order to fix security flaws. Many malicious threats are caused by security flaws that remain unfixed due to an out-of-date operating system.
- Watch out for malicious apps in your app store. Official app stores regularly remove applications containing malware, but sometimes these dangerous apps slip past and can be downloaded by unsuspecting users. Do your research, read reviews, and pay attention to the number of downloads it has. Never download applications from sources other than official app stores.
- Ensure applications are not asking for access to things on your phone that are irrelevant to their function. Applications usually ask for a list of permissions to files, folders, other applications, and data before they’re downloaded. Don’t blindly approve these permissions. If the permission requests seem unnecessary, look for an alternative application in your app store.
- No password or weak password protection. Many people still don’t use a password to lock their phones. If your device is lost or stolen, thieves will have easy access to all of the information stored on your phone.
- Be careful with public WiFi. The bad guys use technology that lets them see what you’re doing. Avoid logging in to your online services or performing any sensitive transactions (such as banking) over public WiFi.