There’s a good chance you’ve received an email that just didn’t look – or feel – right. Maybe it was from someone you didn’t know. Or perhaps it had bad grammar or spelling mistakes. Responding to a suspect email – or clicking on an unknown link – can be a big mistake.
Reprinted from FDIC Consumer News – Winter 2016
In today’s world, it’s important for small business owners to be vigilant in protecting their computer systems and data. Among the reasons: Federal consumer protections generally do not cover businesses for losses they incur from unauthorized electronic fund transfers. That means, for example, your bank may not be responsible for reimbursing losses associated with an electronic theft from your bank account — for instance, if there was negligence on the part of your business, such as unsecured computers or falling for common scams. (To learn more about the rules pertaining to electronic theft, including losses involving a business debit card, see How Federal Laws and Industry Practices Limit Losses From Cyberattacks).
Here are tips to help small business owners and their employees protect themselves and their companies from losses and other harm. Several of these tips mirror basic precautions we have suggested elsewhere in this issue for consumers.
Protect computers and Wi-Fi networks. Equip your computers with up-to-date anti-virus software and firewalls to block unwanted access. Arrange for key security software to automatically update, if possible. And if you have a Wi-Fi network for your workplace, make sure it is secure, including having the router protected by a password that is set by you (not the default password). The user manual for your device can give you instructions, which are also generally available online.
Patch software in a timely manner. Software vendors regularly provide “patches” or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure software to install such updates automatically.
Set cybersecurity procedures and training for employees. Consider reducing risks through steps such as pre-employment background checks and clearly outlined policies for personal use of computers. Limit employee access to the data systems that they need for their jobs, and require permission to install any software.
And, train employees about cybersecurity issues, such as suspicious or unsolicited emails asking them to click on a link, open an attachment or provide account information. By complying with what appears to be a simple request, your employees may be installing malware on your network. You can use training resources such as a 30-minute online course from the Small Business Administration (SBA).
Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices and online accounts: combinations of upper- and lower-case letters, numbers and symbols that are hard to guess and are changed regularly. Consider requiring more information beyond a password to gain access to your business’s network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.
Secure the business’s tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your company’s network. In the case of the latter, require employees to password-protect their devices, encrypt their data and install security apps to prevent criminals from accessing the device while it is connected to public networks. Also develop and enforce reporting procedures for lost or stolen equipment.
Back up important business systems and data. Do so at least once a week. For your backup data, remember to use the same security measures (such as encryption) that you would apply to the original data. In addition, in case your main computer becomes infected, regularly back up sensitive business data to additional, disconnected storage devices.
Use best practices for handling card payments online. Seek advice from your bank or a payment processor to select the most trusted and validated tools and anti-fraud services. This may include using just one computer or tablet for payment processing.
Be vigilant for early signs something is wrong. “Monitor bank account balances regularly to look for suspicious or unauthorized activity,” suggested Luke W. Reynolds, chief of the FDIC’s Outreach and Program Development Section.
There is a telephone phishing scam underway in our area that we want our customers to be aware of. The victims of this scam receive a bogus text or telephone message that is supposedly from their bank, which is mentioned by name. The message claims that the customer’s debit card has been deactivated, and tells them to call a phone number provided in the message. When the customer calls that number, they are told to enter their debit card information and a replacement card will be issued.
Under no circumstances would MutualOne Bank contact you in this manner. If you receive such a message or experience any other suspicious or questionable activity regarding your account, please notify us immediately by calling us directly at (508) 820-4000.
It’s that time of year again – food, fun, parties, and lots of online shopping. Online shopping can be a savior, allowing you to find the perfect gift while saving time, but it can also end with identity theft, malware on your computer, and other cyber unpleasantness. Rather than letting it ruin your holiday season, you can take a few simple security precautions, and be careful where you shop, to help reduce the chances of you being a cyber victim.
When purchasing online this holiday season—and all year long—keep these tips in mind to help minimize your risk:
- Be cautious what devices you use to shop online.
Mobile devices, such as smartphones and tablets, make shopping convenient at any time and place, but they frequently lack the security precautions of a regular computer. If you use a mobile device to shop, make extra sure you are taking all the precautions listed below.
- Do not use public computers or public wireless for your online shopping.
Public computers and wireless networks may contain malicious software that steals your information when you place your order, which can lead to identity theft.
- Secure your computer and mobile devices.
Be sure to keep the operating system, software, and/or apps updated/patched on all of your computers and mobile devices. Use up-to-date antivirus protection and make sure it is receiving updates.
- Use strong passwords.
The use of strong, unique passwords is one of the simplest and most important steps to take in securing your devices, computers, and online accounts. If you need to create an account with the merchant, be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters. Use a unique password for every unique site.
- Know your online shopping merchants.
Limit your online shopping to merchants you know and trust. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller’s physical address, where available, and phone number in case you have questions or problems. Do not create an online account with a merchant you don’t trust.
- Pay online with one credit card.
A safer way to shop on the Internet is to pay with a credit card rather than debit card. By using one credit card, with a lower balance, for all your online shopping you also limit the potential for financial fraud to affect all of your accounts. Always check your statements regularly and carefully, though.
- Look for “https” when making an online purchase.
The “s” in “https” stands for “secure” and indicates that communication with the webpage is encrypted. This helps to ensure your information is transmitted safely to the merchant and no one can spy on it.
- Do not respond to pop-ups.
When a window pops up promising you cash or gift cards for answering a question or taking a survey, close it by pressing Control + F4 for Windows and Command + W for Macs.
- Be careful opening emails, attachments, and clicking on links.
Be cautious about all emails you receive, even those purportedly from your favorite retailers. The emails could be spoofed and contain malware.
- Do not auto-save your personal information.
When purchasing online, you may be given the option to save your personal information online for future use. Consider if the convenience is really worth the risk. The convenience of not having to reenter the information is insignificant compared to the significant amount of time you’ll spend trying to repair the loss of your stolen personal information.
- Use common sense to avoid scams.
Don’t give out your personal or financial information via email or text. Information on many current scams can be found on the website of the Internet Crime Complaint Center: http://www.ic3.gov/ and the Federal Trade Commission: http://www.consumer.ftc.gov/scam-alerts.
- Review privacy policies.
What to do if you encounter problems with an online shopping site?
Contact the seller or the site operator directly to resolve any issues. You may also contact the following:
- Your state’s Attorney General’s Office or Consumer Protection Agency
- The Better Business Bureau – bbb.org
- The Federal Trade Commission – http://www.ftccomplaintassistant.gov
Americans live in a mobile society, relying on smartphones, tablets and computers to gather news, make purchases, interact with friends and family, and connect with financial institutions. Increasingly, cybercriminals compromise the networks that support these devices. This often results in identity theft, which can also lead to financial losses and safety concerns for consumers. In fact, a recent report from the Center for Strategic and International Studies (CSIS) found that computer hackers have stolen the personal information of approximately 40 million U.S. residents.
October is Cyber Security Awareness Month, and the Independent Community Bankers of America® (ICBA) and MutualOne Bank are offering tips to help consumers avoid having their online financial information disrupted or stolen:
When sending sensitive information via the Internet, make sure “https:” appears in the address bar. This means the information you are transmitting is encrypted.
Ensure the wireless network you use is password-protected, and choose a strong password and update it frequently for your work and home wireless networks. Likewise, always use a passcode on your mobile phone or tablet to stop an unauthorized user from accessing your device.
Don’t enter sensitive information into your phone when others can see what you’re entering.
Set the privacy settings on frequented social network sites. Cybercriminals often learn about people and their families and friends via social media in an attempt to spoof or phish you and your network.
Remain cautious of anyone who may not be who they say they are, or whose name and area code don’t match what appears on caller ID. This is often how spoofing occurs.
Never respond to text messages, emails or phone calls from companies alleging to be your bank, government officials or business representatives that request your banking ID, account numbers, user name or password.
Similarly, don’t click on links sent to you from unknown sources via text message because they are likely malware.
Beware of “get rich quick” schemes; never voluntarily give out your bank account information or security credentials.
You can learn more about Cyber Security Awareness Month by visiting the Stay Safe Online website.
Password reuse occurs when someone uses the same password on multiple websites or accounts. This is a vulnerability if the password is exposed in coordination with other information that identifies who is using the password – such as first and last names, login names, or email addresses.
Avoiding password reuse can be challenging because of the number of websites and accounts that require passwords, some of which require updating your password every 30 days. There are two ways to avoid password reuse and to ensure any password meets the recommended password complexity requirements.
The first technique is to use a password manager to remember each unique password. Password managers are applications that can be stored on a computer, smartphone, or in the cloud, and will securely track passwords and where they are used. Most password managers can also generate complex random passwords for each account if you choose to do so. As long as the password to access the password manager is sufficiently complex, this technique can be effective. However, if the company running the password manager is compromised (which does happen!), it is possible that all your passwords will also be compromised. If you choose a password manager that is local to your computer or smartphone, that information may be compromised if malware gets on your computer or you lose your smartphone. When choosing a password manager, ensure it is from a known, trustworthy company.
The second technique is to choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password. For example, the sentence “This is my August password for the Center for Internet Security website.” would become “TimAp4tCfISw.” Since a strong password is complex and includes upper and lower case letters, numbers, and a symbol, this password keeps the capitalization of the sentence, translates the word “for” to the number “4,” and keeps the period as the symbol. The vulnerability in this technique is that if multiple passwords from the same user are exposed, they may reveal the pattern.
Regardless of how a unique password is chosen, it is critically important that every password is unique. Some companies, such as Facebook, have begun programs to identify password reuse. Facebook’s program to identify password reuse involves monitoring for lists of compromised usernames, emails, and passwords, and attempting to match those to the usernames or email addresses of existing Facebook users. If a match is found, Facebook asks the user to reset their Facebook password.
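As an added illustration (not code from this post or from Facebook’s actual system) of the matching step such a program performs: because a responsible site stores only salted hashes, it checks a leaked plaintext password by hashing it with the matching user’s own salt and comparing. The user store, the breach dump and the PBKDF2 scheme below are all constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: the site stores only salted PBKDF2-SHA256 hashes, never plaintext.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_user(password: str) -> tuple:
    """Return (salt, hash) as the site would store it at signup."""
    salt = os.urandom(16)  # per-user random salt
    return salt, hash_password(password, salt)

# Constructed user store for this example: email -> (salt, hash). Hypothetical accounts.
USERS = {
    "alice@example.com": make_user("TimAp4tCfISw."),  # same password as in the dump below
    "bob@example.com": make_user("correct horse battery"),
}

# Constructed breach dump in the common "email:password" line format.
LEAK = """\
alice@example.com:TimAp4tCfISw.
bob@example.com:hunter2
carol@example.com:TimAp4tCfISw.
a line with no separator
"""

def parse_leak(text: str):
    """Yield (email, password) pairs, skipping lines that are not in that format."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password

def find_reused_passwords(users: dict, leak: str) -> list:
    """Emails of our users whose current password matches the leaked one for that email."""
    flagged = []
    for email, leaked_pw in parse_leak(leak):
        entry = users.get(email)
        if entry is None:
            continue  # not one of our accounts; nothing to compare
        salt, stored_hash = entry
        # Hash the leaked plaintext with the user's own salt; compare in constant time.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            flagged.append(email)
    return flagged  # these users get a forced password reset
```

Matching on email alone is not enough: a user may appear in a dump with an old password they no longer use, so only the hash comparison decides who is prompted to reset.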
How Password Reuse is a Threat
Password reuse is a threat because malicious actors can take advantage of a reused password if there is other associated information that identifies you. This typically occurs through one of two potential scenarios:
In the first and most common scenario, the malicious actors can search for other accounts you use and try to log in with the same password. In some cases the actors might try to find personal accounts such as Facebook, Twitter, or banking websites. If they can identify those accounts, and you reuse your password, they can log in as you. In other instances the malicious actors may try to determine where you are employed and attempt to use the password for remote access, such as through remote email or timecard access.
A second scenario, involving a malicious website, is much less common but still poses a threat. In this scenario the malicious cyber-actor sets up a website that spoofs a legitimate website and requests that you enter an email address, password, and potentially other information to gain access. Once you have done that, they know who you are and can search for your other accounts where you used the same password.