Recent Fraud Alerts

Microsoft Internet Explorer Vulnerability

QNB would like to make you aware of recent news regarding a Microsoft Internet Explorer vulnerability. The vulnerability affects all versions of Internet Explorer (IE), from IE6 through IE11. The US Department of Homeland Security is advising people to avoid using Internet Explorer for web browsing until Microsoft has issued a patch. We here at QNB would like to let you know that QNB-Online is compatible with other browsers, such as Chrome, Safari or Firefox. For more information on the Microsoft Internet Explorer security flaw, please see the Microsoft Corp. website or the US Department of Homeland Security website, or contact your local technical support company.

     "Man-in-the-Email" Fraud Could Victimize Area Businesses

Tech Support Calls Purportedly From a Wire Transfer Company

Pennsylvania Department of State Warns of Corporate Compliance Scam

The Small Business Guide to Corporate Account Takeover

Fraud Advisory for Businesses: Corporate Account Takeover


Secure Email Awareness Program

Read about our new email security service from Zixcorp. Learn how to register to receive messages from us.

Just click here for a step-by-step guide: Guide to Zixcorp Secure Email

 


 

5 Tips to Stay Safe on Public Wi-Fi

Check out this great article by Kim Komando that appeared in USA Today. These are great tips to follow to protect yourself while accessing public Wi-Fi.

Read the article 5 Tips to Stay Safe on Public Wi-Fi

 


 

Internet Crime Complaint Center's (IC3) Scam Alerts

June 19, 2013 

This report, which is based upon information from law enforcement and complaints submitted to the IC3, details recent cyber crime trends and new twists to previously-existing cyber scams.

TECH SUPPORT CALLS PURPORTEDLY FROM A WIRE TRANSFER COMPANY

The IC3 has recently received complaints from businesses regarding telephone calls from individuals claiming to be with a wire transfer company’s tech support. One complainant reported that the wire transfer company’s name was displayed on their caller ID. The callers instructed the victims to go to a particular website to run an application which allows the caller to remotely access the victim’s computer. Once remote access was established, the victims were instructed to open their wire transfer program and log in to their accounts, so the callers could update the system. The victims were then told to turn off their monitors, to avoid interference with the update. The victims later discovered the subjects made wire transfers to NetSpend accounts. One victim noticed something downloading onto his computer once the caller gained remote access. This made the victim suspicious, so he turned off his computer. Later, he discovered the caller had loaded $950 on a prepaid credit card from the victim’s account. Another victim reported money transfers were made to various states and individuals, but the caller reassured the victim that no transfers were actually being processed. No other details were provided.


Corporate Account Takeover: Business Online Banking Identity Theft

 

What is Corporate Account Takeover? 

Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials. Criminals can then initiate fraudulent banking activity, including wire transfers and ACH payments. Corporate Account Takeover Fraud involves compromised identity credentials and is NOT about compromises to the Wire System, ACH Network or Bank systems. Small to mid-sized businesses remain the primary target of criminals, but any business can fall victim to these crimes.

 

How is an account “Taken Over”?

Criminals employ various methods to obtain access to legitimate banking credentials from businesses such as mimicking a financial institution’s website, using malware and viruses to compromise the business’s system, or using social engineering to trick employees into revealing security credentials or other sensitive data.

A business’s systems may be compromised by:

      • An infected document attached to an email
      • A link within an email that connects to an infected website
      • Employees visiting legitimate websites – especially social networking sites – and clicking on the infected documents, videos, or photos posted there
      • An employee using a flash drive that was infected by another computer

Attacks are typically perpetrated quietly by the introduction of malware through a simple email or infected website. For many businesses, the malware introduced onto its system may remain undetected for weeks or even months. In each case, criminals exploit the infected system to obtain security credentials that they can use to access a company’s business accounts. The criminal can then initiate funds transfers by ACH or wire transfer to the bank accounts of their associates within the U.S. (often called ‘money mules’) or directly overseas. - NACHA Bulletin dated April 25, 2011, “Corporate Account Takeover: What You Need to Know”

 

How can I protect myself and my business from this criminal activity?

Education, risk assessment, security measures and training increase your protection against Corporate Account Takeover. 

QNB strongly recommends that you, as a business owner, take time to read important information on ways you can mitigate Corporate Account Takeover as recommended by NACHA, the Electronic Payments Association.

NACHA Corporate Account Takeover Resource Center

Some sound business practices may not be appropriate for or applicable to all businesses. Accordingly, each business must identify its own risks and design and implement appropriate security measures to prevent and mitigate risks associated with Corporate Account Takeover.

Introducing layered security processes and procedures, technological and otherwise, can help protect businesses from criminals seeking to drain accounts and steal confidential information.  No single security measure alone is likely to be effective in preventing or mitigating all risks associated with Corporate Account Takeover.  

 

What is QNB doing to help?  

    1. Education is Key:  One of the first steps to preventing this criminal activity from happening to you is learning about Corporate Account Takeover. Once you know the threat is there, you can take steps to prevent it from happening to you.  QNB is a community bank that truly cares about serving our customers and the community.  We want to make sure you are informed of these important issues that affect your financial assets.
    2. Layered Security Measures for QNB Online Customers: QNB has a multi-layered security platform for our online banking customers. One of our financial representatives can go over the different measures we have in place today, ranging from account activity alerts that warn you when high-risk activity is going on in your account to alternative authentication mechanisms for additional security.

QNB believes the only way to truly mitigate the risk of Corporate Account Takeover is through cooperative learning and communication between financial institutions and their corporate account holders to help combat these attacks. You can help us reduce the risk of these attacks by taking an active role in training your staff and implementing prudent security controls in the use of electronic financial transactions. 

 


OnGuard Online Web Site Provides Valuable Online Security Info

OnGuardOnline.gov is the federal government’s website to help you be safe, secure and responsible online.

The Federal Trade Commission manages OnGuardOnline.gov, in partnership with the federal agencies listed below. OnGuardOnline.gov is a partner in the Stop Think Connect campaign, led by the Department of Homeland Security, and part of the National Initiative for Cybersecurity Education, led by the National Institute of Standards and Technology.

Click the following link to access OnGuard Online: OnGuardOnline.gov.

 


Social Engineering - Phishing, Vishing and Smishing!!!

Social Engineering

Social Engineering is the act of manipulating people into performing actions or divulging confidential information. The term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Types of Social Engineering

“Phishing” is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication or email. 
Example Scenario:
1. A criminal will send email messages to a list of email addresses stolen from a financial institution. 
2. The email messages alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. 
3. The email message instructs the victims to call a phone number or click on a link to visit a website where their personal information is requested. 
4. Once the victim calls the phone number in the email message or visits the website and provides the information requested, the “Phisher” has the information necessary to make fraudulent use of the card or access the account.

“Vishing” is a combination of Voice and phISHING. Vishing is the criminal practice of using social engineering over the public telephone system. 
Example Scenario: 
1. A criminal will call a list of phone numbers stolen from a financial institution. 
2. When the victim answers the phone, an automated message is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. 
3. The automated message instructs the victim to “call the following phone number immediately”. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent. 
4. When the victim calls the number provided, it is answered by automated instructions to enter their credit card number or bank account number on the key pad. 
5. Once the victim enters their credit card number or bank account number, the “Visher” has the information necessary to make fraudulent use of the card or to access the account.

“Smishing” is a combination of SMS and phISHING. SMS (Short Message Service) is the technological protocol used for sending and receiving text messages on cell phones. Smishing is the criminal practice of using social engineering over the cellular phone system. 
Example Scenario: 
1. A criminal will send text messages to a list of cellular phone numbers stolen from a financial institution. 
2. The text messages alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. 
3. The text message instructs the victims to call a phone number or visit a website where their personal information is requested. 
4. Once the victim calls the phone number in the text message or visits the website and provides the information requested, the “Smisher” has the information necessary to make fraudulent use of the card or access the account.

PROTECT YOURSELF against Social Engineering, malware, viruses, etc…

    • Be skeptical of suspicious e-mail, text messages, unfamiliar sites and links and any unprompted requests for personal information.
    • Protect your personal information. Keep your user names and passwords secret and be skeptical of any requests for personal information.
    • Always look for "https://" in the address of any site where you enter personal information; this indicates a secure connection.
    • Do not click on links contained within e-mails. Open a new browser window and type the address yourself.
    • Do not reply to phishing, smishing or vishing attempts. Never reply to phone calls, e-mail, or text messages asking for personal or financial information unless you can confirm the requestor's identity.
    • Keep security software (antivirus, anti-malware) up-to-date and keep firewall settings active.

Click on the following link for more detailed information on phishing scams and how to protect yourself.

 


Protect Yourself and Your Computer

There are many nasty things that can happen to your computer resulting in loss of data and/or unintended divulgence of personal information. Following are things that could make you and your PC very unhappy and some recommended ways to protect yourself…

Viruses/Worms

Definition:

A program or piece of computer code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses are capable of replication to other computers. Viruses can compromise computer and network resources and bypass security systems. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Protection:

    • Purchase Antivirus (AV) software – AV software detects and removes viruses/worms from your computer (McAfee, Symantec).
    • Purchase Firewall software - firewall software protects your computer from anything (or anyone) on the Internet that tries to access or alter files on your PC without your permission (McAfee, Symantec).
    • Regularly update the virus definition files associated with the AV software.
    • Regularly scan your computer for viruses.
    • Do not click on or follow hyperlinks you are not familiar with or do not trust.
    • Do not open e-mail attachments sent from a source you are not familiar with or do not trust.

 

Spyware/Adware/Malware/Keyloggers

Definition:

Software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are inadvertently installed when visiting a website or clicking a hyperlink. Once installed, spyware monitors user activity on the Internet and transmits that information covertly to someone else. Spyware can also gather and transmit personal information (e-mail addresses, passwords, credit card numbers, etc…). Spyware can also cause problems with computer resources, causing PCs to run slowly or erratically.

Protection:

    • Purchase software that protects your computer from anything (or anyone) on the Internet that tries to access or alter files on your PC without your permission (AdAware, Spybot).
    • Minimize unnecessary “surfing” on the Internet.
    • Do not click on or follow hyperlinks you are not familiar with or do not trust.
    • Do not open e-mail attachments sent from a source you are not familiar with or do not trust.

Spam

Definition:

Electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited e-mail. E-mail advertising for some product sent to a mailing list or newsgroup.

Protection:

    • Purchase Anti-Spam Software - this software filters your e-mail for SPAM and either deletes it or directs it to a destination of your choosing. There are many companies who offer anti-spam software packaged with AV software (McAfee, Symantec).
    • Utilize SPAM filters provided by your email provider.

 


Government Agency Links