Fraudulent Federal Reserve e-mails
NCNB has been made aware of spam emails supposedly from the Federal Reserve. The spam email is written in plain text with no logo, and the “From” address is obviously not from the Federal Reserve. Details of the "transaction" differ in each message, but the text is basically the same. The subject line varies, but could include “immediate transfer approved”, “same day transfer sent successfully”, “wire transfer sent successfully” or “immediate transfer complete”. If you receive an email message of this type, delete it immediately. Please be aware that clicking on any associated link or attachment could expose you to malicious software, also known as malware, potentially compromising your computer and online security.
Federal Reserve notice
Avoiding 'Card Skimming' at ATMs and Other Money Machines
Be wary when you use automated teller machines (ATMs) and other payment processing machines. Thieves may be using high-tech tools in scams to capture your account information to steal your money.
These scams, known as "card skimming," involve attaching devices to money machines that read the information on your debit and credit cards when you swipe them. When combined with a nearby concealed camera to record your personal identification number (PIN), the thieves can get everything they need to drain your account or to make unauthorized purchases. In addition to using the information directly, thieves may sell your information to others.
ATMs and automated payment machines in airports, convenience stores, hotel lobbies, and other well-traveled, public places may be most vulnerable to thieves who may think these machines are not regularly inspected by the machine owners. However, card skimming may take place at any ATM or card processing machine, including those on bank premises. As technology makes these devices smaller and more powerful, the risk of card skimming grows.
How High-Tech Thieves Operate
Thieves have many ways to steal your account information. They may attach a card skimmer that looks and acts like a genuine part of the ATM or other type of money machine. The device may be a simple, curved plastic sheath over the card slot. The skimmer reads the magnetic strip or computer chip on your card and transmits your account information to the thieves or saves the information until the skimmer is retrieved.
Thieves may also use a wireless camera concealed nearby in a box holding brochures or in a light fixture. The camera photographs or videotapes your fingers as they enter your PIN on a keypad or screen. Like a card skimmer, the camera can transmit images instantly or save them until the thieves retrieve the camera later. A camera and card skimmer can be used together.
Safeguarding Your Personal Bank Account Information
To help protect you, banks and retailers take measures to minimize the risk of fraudulent use of your debit or credit card, particularly when those purchases are made by telephone or online.
Before approving telephone purchases, retailers typically confirm your identity by asking for personal information. They may ask for your address, the last four digits of your social security number, or answers to security questions you created when you set up your account. Retailers also may ask for the three-digit security code printed on the front or back of your debit or credit card. To protect your online transaction from electronic fraud, many commercial Web sites require you to unscramble a word or a number displayed as a fuzzy or distorted image that is difficult for software to read.
Protecting Yourself With Common Sense Security Measures
Ultimately, you must protect yourself against thieves and the tools they use to access your accounts to steal from you. To protect yourself, follow these common-sense precautions.
- Walk away from an ATM if you notice someone watching you or if you sense something wrong with the machine; immediately report your suspicions to the company operating the machine or a nearby law enforcement officer.
- Before using an ATM, examine nearby objects that might conceal a camera; check the card slot for a plastic sheath before inserting your card.
- Never keep a written copy of your PIN in your wallet or purse as it could be stolen; instead memorize your PIN and keep a paper record hidden at home.
- When entering your PIN, stand close to the machine and hold your hand over the keypad or screen to make it more difficult for a person or camera to watch you.
- Beware of strangers offering to help you with an ATM that appears disabled and notify someone responsible for the security of the machine.
- Regularly review your account statements, either online or on paper, and check for unauthorized withdrawals and purchases. If you find one, immediately contact your bank or credit card provider, as this will limit your financial liability for fraudulent charges.
Federal laws limit your liability from debit and credit card fraud. Two federal laws, in particular, protect you.
The Truth in Lending Act generally limits your liability to $50 for any unauthorized use of your credit card. However, you are not responsible for unauthorized charges on your account—if you report a lost or stolen credit card before the card is used. Also, you are not responsible if the fraud results from someone using your credit card number alone rather than your credit card.
The Electronic Fund Transfer Act also limits your liability for unauthorized use of your debit or ATM cards—if you quickly report the lost or stolen card. You are not held responsible for unauthorized charges if you report the fraud before unauthorized transactions are made. If unauthorized transactions occur before you report your card missing or compromised, your liability depends on how quickly you report the loss.
The Federal Trade Commission provides more information on what to do if your card is lost or stolen in its fact sheet "Credit, ATM and Debit Cards: What to Do if They’re Lost or Stolen," at www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm.
The Office of the Comptroller of the Currency has answers about what to do about unauthorized charges and other banking issues at HelpWithMyBank.gov.
Epsilon security breach
Epsilon, the largest distributor of permission-based marketing email in the world, has revealed that millions of individual email addresses were exposed in an attack on its servers. While no other information was apparently compromised, security experts are warning users to brace for a tidal wave of more precise “spear phishing” attacks. The good news is that Epsilon seems to have detected the breach quickly, and did not waste any time notifying its customers. Those customers have subsequently not wasted any time communicating with individual users. While this breach has no connection to your relationship with NCNB, we want to remind you to be vigilant with any emails you receive, even if they appear to come from a company you are familiar with.
What Is The Risk?
The fact that the breach exposed only email addresses, and not any additional personal or account information, is great news. The primary risk is that the attackers now have a list of millions of verified active email addresses to target with spam and phishing attacks. Amol Sawarte, Vulnerabilities Lab Manager for Qualys, explains, “Phishing scams are the number one concern from this breach. Hackers could send fake emails pretending to be your bank, pharmacy, hotel or other business that were customers of Epsilon. The email will look real and will be convincing as attackers have the customer’s name and the company information that they did business with. The email could ask unsuspecting users to click on a link which can ask for credit card numbers, run malware, install spyware or carry out other attacks.”
How Can I Protect Myself?
Remember that email as a rule is not a trusted form of communication. An email can be easily forged or spoofed to appear as if it is from another entity. It seems likely that a surge in spear phishing attacks is inevitable. You should exercise a healthy dose of cautious skepticism, more than usual, toward any emails. Even if you are a customer of the company allegedly sending the email, and even if the email looks convincingly legitimate, don’t trust it.
Holiday Shopping Tips
This holiday season the Federal Bureau of Investigation (FBI) is reminding people that cyber criminals continue to aggressively create new ways to steal money and personal information. Scammers use many techniques to fool potential victims, including fraudulent auction sales, reshipping merchandise purchased with a stolen credit card, and sale of fraudulent or stolen gift cards through auction sites at a discounted price.
Fraudulent Classified Ads or Auction Sales
Internet criminals post classified ads or auctions for products they do not have. If you receive an auction product from a merchant or retail store, rather than directly from the auction seller, the item may have been purchased with someone else's stolen credit card number. Contact the merchant to verify the account used to pay for the item actually belongs to you.
Shoppers should be cautious and not provide financial information directly to the seller, as fraudulent sellers will use this information to purchase items for their scheme from the provided financial account. Always use a legitimate payment service to protect purchases.
As for product delivery, unfamiliar Web sites or individuals selling reduced or free shipping to customers through auction sites are many times deemed to be fraudulent. In many instances, these Web sites or sellers provide shipping labels to their customers as a service. However, the delivery service providers are ultimately not being paid to deliver the package; therefore, packages shipped by the victims using these labels are intercepted by delivery service providers because they are identified as fraudulent.
Diligently check each seller's rating and feedback along with their number of sales and the dates on which feedback was posted. Be wary of a seller with 100% positive feedback, if they have a low total number of feedback postings and all feedback was posted around the same date and time.
Gift Card Scams
Be careful about purchasing gift cards from auction sites or through classified ads. If you need a gift card, it is safest to purchase it directly from the merchant or another authorized retail store. If the gift card merchant discovers the card you received from another source or auction was initially obtained fraudulently, the merchant will deactivate the gift card number and it will not be honored for purchases.
Phishing and Smishing Schemes
Be leery of e-mails or text messages you receive indicating a problem or question regarding your financial accounts. In this scam, you are directed to follow a link or call the number provided in the message to update your account or correct the problem. The link actually directs you to a fraudulent Web site or message that appears legitimate, where any personal information you provide, such as account number and PIN, will be stolen.
Another scam involves victims receiving an e-mail message directing the recipient to a spoofed Web site. A spoofed Web site is a fake site or copy of a real Web site and misleads the recipient into providing personal information, which is routed to the scammer's computers.
Tips to avoid becoming a victim of cyber fraud
- Make sure your computer and browser are secure. Set your firewall, anti-virus and anti-spyware software to automatically update and scan your PC.
- Don’t create passwords that include easily accessed personal information, such as mother’s maiden name or date of birth. Instead, use something unique that only you know.
- Don't give personal information over the phone, through the mail or on the Internet unless you know who you’re dealing with and preferably only if you've initiated the contact. Never give out Social Security or driver’s license numbers. If you must share personal information, confirm that you are dealing with a legitimate organization.
- Look for secure sites with an "s" in the URL (https://) and a closed-padlock icon on the Web page.
- Never respond to an offer by way of a spam or bulk e-mail. If something sounds too good to be true, it usually is.
- Log on directly to the official Web site for the business identified in the e-mail, instead of "linking" to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
- Contact the actual business that supposedly sent the e-mail to verify if the e-mail is genuine.
- Always double-check the URL to be sure you are shopping with the company you intended to shop with. A simple typo can help identity thieves.
- If you’re using a company’s site for the first time, consider checking it out with the Better Business Bureau (www.bbb.org).
- Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Virus scan the attachments if possible.
- Avoid filling out forms contained in e-mail messages that ask for personal information.
- Consumer protections in the federal Fair Credit Billing Act apply to online credit-card purchases. Keep records of all your purchases in case there’s a problem.
- Avoid providing unnecessary information such as annual income, spending habits, hobbies and lifestyle data.
- Shop with U.S.-based companies. Domestic state and federal consumer-protection laws apply. You’ll be protected and have recourse should something go awry.
- Register your credit and debit cards at www.verifiedbyvisa.com or www.mastercardsecurecode.com for a more secure online shopping experience. Some credit-card companies offer virtual account numbers that are generated each time you make a purchase, and some e-mail providers let you create several aliases to protect your personal e-mail address.
To receive the latest information about cyber scams, please go to the FBI Web site and sign up for e-mail alerts by clicking on one of the red envelopes. If you have received a scam e-mail, please notify the IC3 by filing a complaint at www.IC3.gov. For more information on e-scams, please visit the FBI's New E-Scams and Warnings webpage at http://www.fbi.gov/cyberinvest/escams.htm.
Email claiming to be from the FDIC
The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.
The subject line of the e-mail states: “check your Bank Deposit Insurance Coverage.” The e-mail tells recipients that, "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.”
The e-mail then asks recipients to “visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage” (a fraudulent link is provided). It then instructs recipients to “download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage.”
This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft.
The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and consumers should NOT follow the link in the fraudulent e-mail.
Local Debit Card Scam
Our customers have recently informed us that they have received scam phone calls over the last few days involving their debit card. The scam goes like this: The caller reports that they are calling from either North Cascades National Bank or Cashmere Valley Bank, and tells the customer that their debit card has been compromised and the PIN has been changed. The customer is then asked to confirm their card number and old PIN before the new PIN can be issued. Some of the calls have utilized a computerized voice and some have had a live person with a foreign accent. NCNB will never call you and ask for your account number or PIN. If you receive any call that makes you suspicious, please do not provide any information and call the bank immediately to report the call.
SmiShing... a text message scam
As you may know, SmiShing is a type of social engineering that uses cell phone text messages to persuade victims to provide personal information such as card number, CVV2 (3 digit verification number on the back of your card), and PINs. The text message may contain either a website address or more commonly, a phone number that connects to an automated voice response system, which then asks for personal information. An example of a SmiShing attempt may look something like this:
Text message originating from email@example.com:
firstname.lastname@example.org/VISA. (Card Blocked) Alert. For more information please call 1-877-269-XXXX
Although NCNB may at times ask you for personal information to confirm identification such as your name, date of birth or mother’s maiden name, we will never ask you for a CVV2 or PIN and we will not contact you via text messaging.
In-session phishing is a type of attack that targets a user's secure web browsing session through a popup window posing as a legitimate message.
Since this is a browser based attack, the best way to defend against it is to be aware of this type of phishing and to follow the "best practices" in browser security:
- Be suspicious of unprompted pop up windows that appear without clicking on a hyperlink.
- Deploy browser security tools and set security settings to disallow popups and certain scripts from running.
- Always log out of banking and other sensitive online applications and accounts before going to other websites so sessions do not remain active.
Please let us know if you have any questions about the security of your personal information. Stop by or call your local branch, or call us at 800-603-9342. We can also be reached by email at email@example.com.
Advance Fee Loan Scams
The Federal Deposit Insurance Corporation (FDIC) is reminding consumers and financial institutions to be aware of advance fee loan scams. The FDIC has observed a significant increase in the number of unsolicited e-mails ("spam") advertising mortgage refinancing, debt consolidation and elimination, small business loans, and special loan programs for veterans and minorities. While some of these e-mails may advertise legitimate loan programs and lenders, advance fee loan scams are becoming more prevalent.
Advance fee loan scams prey on consumers who may be under financial duress and may be seeking quick and easy loan approval and funding. The scam typically involves the lender making false promises to arrange for a loan in return for fees paid upfront by the loan applicant. Scam artists may even design Web sites and online loan applications giving the appearance that the company is legitimate.
Fraudulent logos and letterhead of legitimate financial institutions or government agencies may also appear on documents that are faxed to the loan applicant. Potential borrowers may be asked to provide information through a Web site or be contacted by phone or e-mail by a "representative" who guarantees loan approval as soon as the borrower pays a required fee. The loan applicant may be told that the fees will be used to pay a third party for loan insurance or application processing, or to make the first month's loan payment. The loan applicant may also be told to send or wire transfer money to an individual overseas before receiving the loan proceeds.
In some cases, the loan applicant has been falsely directed to a legitimate financial institution with no knowledge of the transaction. In other cases, the loan applicant is told that the loan request was declined and is asked to forward additional money to qualify for a different loan program.
The following are warning signs that may indicate a loan offer is not legitimate:
- The loan approval is "guaranteed." Lenders do not typically guarantee loans before analyzing the applicant's financial condition, credit history and ability to repay.
- The loan applicant is required to pay upfront fees to a third party or individual. Loan fees are normally paid to a business after the loan has been approved.
- The lender or loan processor may be located outside of the United States.
- Fees are requested using a retail wire transfer system. A password is sometimes used by the overseas receiver to pick up the funds in an attempt to hide the true identity of the criminals and make funds more difficult to trace.
More information about fraudulent advance loan fee scams can be found at http://www.ftc.gov/bcp/conline/pubs/tmarkg/loans.shtm.
Vishing... A Local Scam
You've heard of "phishing"... now get ready for "vishing". Vishing, like phishing, is the use of social engineering to gain personal and financial information - this time by phone. And just like the recent phishing scams in our area, vishing scams are being carried out locally. Several financial institutions have reported vishing scams targeting their customers in the Wenatchee area. Law enforcement is investigating.
To help protect our customers, we need to be prepared to answer their questions and let them know how to identify these scams and avoid becoming a victim. The FAQs listed below will help you address your customers on this issue.
What is vishing?
Standard phishing scams use email to direct potential victims to phony web pages to steal their identities. Phone vishing scams work a little differently. Instead of being directed to a web page, victims are prompted by email to call a customer support number OR are called directly by the perpetrators. On the other end of the phone line, a person or an audio response unit waits to take the victim's account number, personal identification number, password, or other valuable personal data. The perpetrators may claim the victim's account will be closed or other problems could occur if a response is not received.
In most cases, the perpetrators use fake caller ID to make it appear the call is from a legitimate bank or financial institution. They also often use pay phones, stolen cell phones, or hacked accounts.
How can I avoid becoming a victim?
- Treat all unsolicited email and phone messages with skepticism and avoid clicking on links.
- If you do receive one of these suspicious calls, hang up and call the organization at a familiar number.
- To determine actual customer support and other phone numbers, check the organization's web site. When you do your research, don't follow a link in an email - always type in the site URL address yourself.
- If available, refer to your hard copy records of past statements or invoices for legitimate contact phone numbers and other information. Creditor customer support phone numbers are also often listed on the back of credit cards.
- Scrutinize emails for telltale signs of a phishing attempt, such as poor grammar, typos, strange web addresses, or anything else that seems odd.
- In the United States, report suspicious email to the FBI, the Federal Trade Commission, and the Anti-Phishing Working Group.
How can I tell if an email or website is fake?
First off, note that NCNB will NEVER ask you to provide private, secure information through an email link.
Here are some tips on identifying fake emails or websites:
- Even if the site LOOKS like NCNB's online banking page, if the URL (web address) is not correct, it's a fake.
- If the email makes it sound urgent, wants you to change your information now, or "confirm" your information now, it's fake.
- If the email or website asks you for a credit card number, a PIN, a CVV number or your password, it's fake.
- If the email you've been sent asks you to help us "update our database," it's fake.
- If the email asks you to click on a link to "restore access to your account," it's fake.
- If the email provides you with a link asking you to change your password through that link, it's fake.
Protect Yourself from Identity Theft
Here are our top tips for protecting yourself from this crime:
- Regularly review your monthly/periodic financial statements for any fraudulent activity; make sure you're the only one responsible for using your name and accounts.
- Shred all financial and personal documents with a cross-cut paper shredder before you dispose of them. This includes any pre-approved credit offers, letters, bills, receipts, and other personal articles that reveal any account numbers or financial information about you.
- Never give your Social Security number, bank account number, credit card numbers, or PIN number to anyone over the phone, even if you've been informed you won a prize or are eligible for an amazing offer. That's a common way crooks obtain confidential information they'll use to steal from you.
- Mail your bills from a locked mailbox or the post office. Thieves like to steal outgoing bill payments for the checks they know they'll find inside.
- Never give out confidential information like Social Security, bank account, PIN, and credit card numbers in response to an e-mail you've received. Such requests can be "phishing" expeditions for thieves looking to steal your identity.
- Commit your PIN numbers and passwords to memory, or at the very least, keep them separate from your wallet or purse.
- When you order new checks from us, make sure they get delivered to a secure mailbox and ask us when to expect them. If your mailbox isn't secure, ask to pick them up at your local branch instead.
- When possible, keep your eye on your credit/debit cards when using them in a store or restaurant, and get your card back right away.
- Don't carry around your Social Security card, passport, or birth certificate unless you need it that day. Take out any credit cards you don't need as well, just in case your wallet is stolen or misplaced.
- Keep a list at home of all credit cards and account numbers, along with the appropriate customer service and fraud department telephone numbers. That way, you'll have quick access to the information you need in case of theft.
How We Protect You
NCNB is committed to protecting your personal financial information. Here are a few ways that we go the extra mile to protect you:
- Enhanced Login Security, an online security feature that helps prevent unauthorized access to your accounts by recognizing not only your login information but also your computer. If we don't recognize your computer, we will request additional information that is known only by you, to ensure authorized access.
- NCNB's Online Banking system will automatically log you off after a specified period of inactivity. This reduces the risk of others accessing your information from your unattended computer.
- NCNB will never ask you for personal financial information via email.
- NCNB's computer systems are protected 24 hours a day by powerful firewalls that block unauthorized entry.
- From the moment account information leaves your computer to the time it enters NCNB's system, all Online Banking and Bill Pay sessions are encrypted. We employ some of the strongest forms of encryption available today. Look for a "closed lock" icon in the lower right-hand corner (Microsoft Internet Explorer) to determine if encryption is being used on any Web page you are viewing. Any Web address beginning with "https://..." indicates the page you are viewing uses encryption. The "s" stands for "secured."
- To resist constantly evolving online threats, NCNB has adopted proven industry standards for technology to protect your account security.
Tips for Online Banking customers
If you are an Online Banking user, we want to let you know that we are committed to keeping your financial information safe and secure. To aid in the protection of your financial information, we want to inform you of two types of online scams and how you can avoid being “hooked” by these scams.
Cyber-criminals use the personal information they gain from phishing and pharming to commit identity theft or fraud. Over time, cyber-criminals have learned to create messages that can seem to genuinely come from the legitimate site. They may “borrow” a company logo, copy the format and colors used on its web site, or imitate the language used in the organization’s real communications.
- Phishing is the practice of sending an e-mail that appears to be from a financial institution, an online store, or another organization with the goal of persuading online banking users to share sensitive information.
- Pharming redirects Internet users from a legitimate web site to a “spoofed” or imitation site. Computer users might think they are visiting a legitimate online shopping site, for example, but instead are taken to a different site with a similar name. This “pharming” site is used to steal information such as credit card numbers, account numbers, passwords or Social Security numbers.
Please note that we will never ask you to click on an e-mail link to share sensitive financial information. If you receive an e-mail that claims to be from North Cascades National Bank and asks you to share account numbers, Social Security numbers, passwords or other personal information, please report it to us immediately. We will give you instructions for changing your password and taking other steps to protect your accounts.
Five Rules for Online Safety
1. Never click on links in e-mail messages.
2. Enter web addresses in the browser bar instead of using e-mail links.
3. Never share financial or personal information by e-mail.
4. Tell us about suspicious e-mails that contain our name or logo.
5. Check accounts regularly to spot fraud or unauthorized account access.
Please let us know if you have any questions about the security of your personal information. Stop by or call your local branch, or call us at 800-603-9342. We can also be reached by email at firstname.lastname@example.org.