
Customer Security Awareness

Keeping Your Information Safe Today Can Be a Challenge. We Want You to Have the Best Information to Help You Navigate a Digital World Safely.

Even though mobile devices – such as smart phones, tablets, and laptops – offer a range of conveniences, users should be mindful of potential threats and vulnerabilities while using them.

On November 20th, 2018, the United States Computer Emergency Readiness Team (US-CERT) published cyber-security tips for electronic devices that we would like to share with you.

Why does cyber-security extend beyond computers?
Actually, the issue is not that cyber-security extends beyond computers; it is that computers extend beyond traditional laptops and desktops. Many electronic devices are computers—from cell phones and tablets to video games and car navigation systems. While computers provide increased features and functionality, they also introduce new risks. Attackers may be able to take advantage of these technological advancements to target devices previously considered "safe." For example, an attacker may be able to infect your cell phone with a virus, steal your phone or wireless service, or access the data on your device. Not only do these activities have implications for your personal information, but they could also have serious consequences if you store corporate information on the device.

What types of electronics are vulnerable?
Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks. The outside connection provides a way for an attacker to send information to or extract information from your device.

How can you protect yourself?
  • Remember physical security – Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or easily accessible areas.
  • Keep software up to date – If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.
  • Use strong passwords – Choose devices that allow you to protect your information with passwords. Select passwords that will be difficult for thieves to guess, and use different passwords for different programs and devices. Do not choose options that allow your computer to remember your passwords.
  • Disable remote connectivity – Some mobile devices are equipped with wireless technologies, such as Bluetooth, that can be used to connect to other devices or computers. You should disable these features when they are not in use.
  • Encrypt files – If you are storing personal or corporate information, see if your device offers the option to encrypt the files. By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Be cautious of public Wi-Fi networks – Follow these recommendations when connecting to any public wireless hotspot—like on an airplane or in an airport, hotel, train/bus station or café:
    • Confirm the name of the network and exact login procedures with appropriate staff to ensure that the network is legitimate.
    • Do not conduct sensitive activities, such as online shopping, banking, or sensitive work, using a public wireless network.
    • Only use sites that begin with “https://” when online shopping or banking. Using your mobile network connection is generally more secure than using a public wireless network.

FDIC Security Tips

FDIC also issued some suggestions to help you be safe and secure as you use mobile banking and payment products and services:
Be proactive in how you protect the data on your mobile devices. Start by using "strong" passwords and PINs.

Avoid using an unsecured Wi-Fi network, often found in public places, such as coffee shops, because fraudsters might be able to access the information you are transmitting or viewing. Log out of your bank account or mobile app when it's not in use. Just like with your laptop, use a mobile security/anti-virus software and keep it updated.

Take additional precautions in case your device is misplaced, lost or stolen. Set the screen on your mobile phone to lock after a certain amount of time and use a PIN or password and/or a biometric indicator (for example, a fingerprint or facial recognition) to unlock your mobile phone. Likewise, use PINs or other security features enabled on your smartwatch, such as one that will lock the watch if it is not on your wrist or too far from your mobile phone. Don't store your PINs or passwords on your mobile phone or tape them to the underside of your smartwatch or mobile phone.

Consider signing up for transaction alerts from your credit card, bank and mobile app provider. These messages can help you identify unauthorized activity quickly. Alternatively, check your transactions regularly on your cards, bank account and mobile app website.

Research any mobile app before downloading and using it. Make sure you are comfortable that the mobile app is from a reputable source. Going to the bank's or company's website to find directions for downloading their app can help to ensure you are downloading a legitimate app.

Be on guard against fraudulent emails or text messages. These communications typically appear to be from a government agency or a legitimate business in order to trick you into divulging valuable personal information (including your birthday, Social Security number, passwords and PIN numbers) that can be used to commit identity theft. The emails and texts could also ask you to click on a link that will install malicious software on your mobile phone and enable the fraudster to gain access to your mobile banking apps.

"To protect yourself, never provide passwords, credit or debit card information, Social Security numbers and similar personal information in response to an unsolicited text message or email," said Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section. "If you have any questions regarding the legitimacy of an email or a text, call your bank or mobile app provider, or the business or government agency that claims to have sent the email or text, and be sure to use a phone number you have looked up on your own and not what is in the email or text in question."

Note: These messages are often called "phishing" emails and "smishing" text messages. Phishing is a term given to fraudulent emails "fishing" for valuable personal information, and "smishing" is a variation of that when referring to "Short Message Service" or "SMS" text messages. "Security experts for years have warned consumers about smishing scams, but as more people have smartphones, smishing is becoming more common," Benardo said.

Growing Threats To Your Business – Are You Aware?
Corporate Identity Theft (Corporate Account Takeover) is the business equivalent of personal identity theft and occurs when criminal hackers use software, often referred to as malware, to control your computer devices and steal your online business credentials. The criminals then use your online business credentials to initiate fraudulent banking activity.

Your devices can become infected with malware when you attempt to open an infected document attached to an email – or an infected website link within an email. Malware can also be downloaded to a device when you visit a legitimate site, especially a social networking site, and attempt to open a document, video, or photo posted there. Once the malware infects one device, it often has the ability to quickly and efficiently identify and infect other devices within an internal business network – often without detection.

What You Can Do To Protect Yourself and Your Company
Although Icon Business Bank uses technologies such as two-factor authentication and encryption methods that help mitigate the risk of fraudulent banking activity, these technologies cannot protect against malware that attacks your devices. There are additional controls that you should consider implementing to further mitigate the risk of Corporate Account Takeover and fraud.

  • Never provide your account information or password over the phone or email. We will never ask you to enter personal or account information via email or to download an attachment from email, nor ask you for your password or other security credentials via email or phone.
  • Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
  • Employ best practices to secure computer systems. If possible, carry out all online banking activities from a stand-alone, hardened, and completely locked-down computer system from which email and web browsing are not possible. When finished, turn it off or disconnect it from the internet.
  • Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, token codes, and similar information. Opening file attachments or web links in suspicious emails could expose your entire network to malware.
  • Install a dedicated, actively managed firewall, especially if your business has a dedicated connection to the Internet. A firewall limits the potential for unauthorized access to a network and computers.
  • Create strong passwords with at least 10 characters that include a combination of mixed case letters, numbers, and special characters. Use a unique password for each financial institution site that is accessed and change that password regularly. Avoid using dictionary words in your passwords.
  • Educate employees on good cyber-security practices, including how to avoid malware infections on business computers.
  • Never access bank, brokerage, or other financial services information using public Wi-Fi at airports, hotels, cafes, libraries, etc. Unauthorized software may have been installed to trap account numbers and sign-on information, leaving you vulnerable to possible fraud.
  • Install commercial antivirus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats when compared to an industry-standard product. Ensure computers are patched regularly, particularly operating systems, web browsers, and key applications, with security patches. It may be possible to sign up for automatic updates for operating systems, browsers, and many applications.

What We Do to Help Mitigate Your Risk

POSITIVE PAY

Icon Business Bank offers this important product that helps you detect and prevent check fraud.

  • Save time by using this automated online tool to review and decision any check that doesn’t match your Check Issues list.
  • Conveniently upload your Check Issue information through our secure online portal.
  • Gain greater control of your cash flow by proactively monitoring all checks that clear your business accounts.

OUT OF BAND AUTHENTICATION

Out of Band provides greater protection from fraudulent access to user account information.

  • First-time users logging into their Digital Banking Account will be prompted to confirm their identity through the Digital Banking Advanced Login Authentication solution, also known as Out of Band.
  • Allows users to authenticate using their username and two additional methods: their password and a one-time security code.

DUAL CONTROL ENVIRONMENT

Icon Business Bank strongly recommends that our clients operate in a Dual Control environment when initiating ACH and Wire Transfers, as well as Self-Administration tasks. Business Digital Banking provides our clients with the ability to entitle users with specific privileges, such as Initiators and Approvers.

SUSPICIOUS ACTIVITY

Report unauthorized transactions on your account immediately. You may report the activity in person at our branch location or by calling 888-383-1954. If you are a victim of internet fraud, you should file a complaint at the Internet Crime Complaint Center, a partnership between the National White Collar Crime Center and the FBI.

IT’S ABOUT YOU

We hope you’ve found this informative and helpful. All of us at Icon Business Bank remain devoted to safeguarding and ensuring your security while banking with us. We also welcome the opportunity to talk to you about meeting and exceeding any and all business and personal banking needs you may have.
Substantial measures are in place at Icon Business Bank to protect your identity and your accounts against theft and personal fraud. Our bank privacy policies protect your personal and financial information, while password protection for online activity helps to ensure online security. Encryption of online transactions also helps protect you against hackers.

Listed below are some simple precautions you can take to help keep your personal information safe:
  • Beware of mail, e-mail and telephone solicitations
  • Invest in a shredder to destroy documents
  • Never leave receipts at ATMs, gas pumps, or bank workstations
  • Check all personal and business accounts frequently
  • Shield your PIN number when using an ATM
  • Educate yourself about Identity Theft

What to Do If You're a Victim
Contact Icon Business Bank immediately. Our customer service team will help you through the process. We will also help close your accounts and create new passwords for any new accounts.
Beyond contacting Icon Business Bank, the following steps are encouraged:
  • File a police report with your local police department and obtain a copy.
  • Check your online accounts such as eBay, Amazon, PayPal, online banking accounts, etc.
  • Contact the three major credit bureaus to request a "fraud alert" or a security freeze to be placed on your credit report.
  • Check with the post office for any unauthorized change of address requests.
  • File a complaint with the Federal Trade Commission (FTC)

Icon Business Bank is committed to protecting your personal information. With our secure mobile apps, customers can feel more at ease that our services offer the following:
  • Secure technology: Our fraud prevention and security systems help protect you with the latest encryption technology.
  • Secure access to your accounts: The mobile banking service utilizes best practices such as HTTPS, 128-bit SSL encryption, device profiling, password access and application time-out when your mobile device is not in use.
  • Only mobile devices that are personally enrolled in the service can access their accounts.
  • No account data is ever stored on your mobile device.

What if my device is lost or stolen?
If you are concerned about any misuse of your mobile device, contact your mobile service provider immediately to stop all wireless service. In addition, call the Bank's Cash Management Department to disable or remove your device. You may also call 888-383-1954 (Customer Service: 9:00 am - 5:00 pm Pacific Time, Mon. - Fri.)

Ways to Avoid Online Security Threats

Personal Identifying Information
  • Check your bank accounts regularly.
  • Do not give any of your personal identifying information over the telephone, through the mail or online unless you have initiated the contact or know and trust the person or company to whom it is given.

Usernames and Passwords
  • Memorize your usernames and passwords and keep them confidential.
  • Create difficult passwords that include numbers, uppercase letters and special characters.
  • Change your passwords periodically.
  • Avoid selecting usernames and passwords that will be easy for an identity thief to figure out.
  • Do not carry usernames and passwords in your wallet or purse or keep them near your online access devices such as PCs or smartphones.

Online Access Devices
  • Be careful when downloading applications or programs to your Online Access Devices. If it looks like spam, if it's free, or if it comes pre-loaded with advertisements, it may not be worth downloading as it may collect personal information.
  • Lock your computer when you walk away.
  • Know who is around when you access your account.
  • Dedicate one computer for online banking business.
  • Encrypt all data stored on your portable devices and laptops.
  • Install/update firewalls and anti-virus software.
  • Ensure all computer software is up-to-date and contains the most recent patches.
  • When setting up a wireless network, make sure the default password is changed and make sure you encrypt your wireless network.

Online Security Threats

Clickjacking: These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different. They commonly target Facebook users: sharing or "liking" the content in question often sends the attack out to contacts through news feeds and status updates, propagating the scam.

Phishing/Smishing/Vishing: The act of sending an e-mail (Phishing), text (Smishing) or voicemail (Vishing) to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail, text or voicemail usually directs the user to visit a website where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the user's information.

Spear phishing: This is more likely to occur via regular e-mail, but you may also be hit by a spear through a Facebook or Twitter message. Spear phishing works through an e-mail or message that seems quite personal; it may appear to be from a person or company with whom you normally communicate, but it will lead you to a poisoned site. It is similar to "phishing" scams, but rather than just a message from your e-mail provider saying your inbox is full or that you have to verify your identity, it goes a step further by adding personalized information to lull your suspicions.

Pharming: In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your web browser. When you type in the address of a legitimate website, you're taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.

Ways To Avoid These Threats
  • Look at who is sending the email. If it seems odd, delete it.
  • Verify the text or voicemail is coming from a known phone number. If it seems odd, delete it.
  • Keep your browsers up to date; updated browsers are doing a better job screening out dangerous stuff.
  • Do not click on links that ask for your personal information. If it is from a company or bank, call the company or bank directly to ask about the issue stated in the email, text or voicemail.
  • Do not click on links if you do not know who the sender is.
  • Make sure you know who you are accepting as a friend on social networking sites.
  • Be cautious when typing in web addresses to ensure you are directed to the site intended.

What The Bank Is Doing to Help Protect Our Customers
  • The Bank has added extra layers of security controls to our online banking (multi-factor authentication) and cash management products (dual control).
  • The Bank monitors our customer account activity for any unusual or suspicious transactions.
 
Ways The Bank May Contact You
  • Icon Business Bank never requests a customer's account number, Social Security number, or password through email. If you should receive an email requesting such information that appears to be from Icon Business Bank, do not respond to the email and contact your account branch immediately.
  • If we need to contact you we will contact you by phone, email, text, voicemail or mail. We will never ask for personal information if we contact you; this includes emails, text, voicemail or mail sent from the Bank.

Security Measures For Commercial Customers
  • The Bank strongly suggests that commercial customers perform a related risk assessment and controls evaluation periodically. This is done to ensure that all risks to the company have mitigating factors that lower the risk to the company.
  • Available Resources from NACHA Corporate Account Takeover Resource Center.

A Summary of Your Rights Under Regulation E (Consumers Only)
  • Regulation E is applicable to all consumer deposit accounts.
  • Regulation E provides a basic framework that establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. "Electronic fund transfer" generally refers to a transaction initiated through an electronic terminal, telephone, computer, or magnetic tape that instructs an institution to either credit or debit a consumer account.

Error Resolution Summary
In case of errors or questions about your electronic transfers, call us immediately if you think your statement or receipt is wrong or if you need more information about a transfer on the statement or receipt. We must hear from you no later than 60 days after we sent you the FIRST statement on which the error or problem appeared.
  • Tell us your name and account number (if any).
  • Describe the error or the transfer you are unsure about and explain as clearly as you can why you believe it is an error or why you need more information.
  • Tell us the dollar amount of the suspected error.
  • We will investigate your complaint and will correct any error promptly. If we take more than 10 business days to do this, we will credit your account for the amount you think is in error, so that you will have the use of the money during the time it takes us to complete our investigation.

Here is what the Federal rules require: If you report the losses within 2 days of receiving your statement, you can be liable for the first $50. After 2 days, the amount increases to $500. After 60 days, you could be legally liable for the full amount.

Business accounts are not subject to the same protections as consumer accounts under Regulation E. However, if you have any questions or notice fraudulent activity, please contact us immediately.

See our Electronic Funds Transfer Disclosure for more information.