FBI and Other Law Enforcement Agencies Issue a Fraud Advisory for Businesses
WARNING: SMiShing SCAMS ARE HITTING CELL PHONE USERS NATIONWIDE
Due to information Oak View National Bank has received recently on the increase in SMiShing scams in Virginia, we are issuing a warning to our clients. SMiShing is the use of cell phone text messages to solicit personal information such as ATM pin codes and credit card three-digit security codes.
The text messages often appear to come from a legitimate source, such as a bank or e-commerce website. The intent of the message is to trick the victim into clicking on a link or calling a particular phone number that could lead to requests for personal information used to steal the victim’s identity.
Oak View National Bank never solicits information from our clients using text message technology. If you are a recipient of this type of text message reported to be from our bank, do not answer any questions or call / email the sender using the contact information in the message. Please contact your local branch directly to report this incident.
Your security is important to us here at Oak View National Bank. That's why we're providing you with the tools and resources listed below to help protect you from Identity Theft and educate you on security. Please take a moment to review this important information by clicking on the links below.
Online Security Guidance
What is Phishing?
What is Spoofing?
How to Report Phishing
Phishing Victims Assistance
Disclosed Credit/Debit/ATM Card Info
If You Have Given Out Your Account Information
If You Have Downloaded a Virus or Trojan Horse
If You Have Given Out Your Personal Identification Information
How to Contact Credit Bureaus
Additional Actions to Take
Identity Theft Resources
How to Practice Safe Computing
Online Security Guidance
Best Practice Guidelines for Businesses
1. Employ defense-in-depth strategies: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network.
2. Monitor for network threat, vulnerabilities and brand abuse. Monitor for network intrusions, propagation attempts and other suspicious traffic patterns, identify attempted connections to known malicious or suspicious hosts. Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious Web site reporting.
3. Antivirus on endpoints is not enough: On endpoints, signature-based antivirus alone is not enough to protect against today’s threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including:
- Endpoint intrusion prevention that protects against un-patched vulnerabilities from being exploited, protects against social engineering attacks and stops malware from reaching endpoints;
- Browser protection for protection against obfuscated Web-based attacks;
- Consider cloud-based malware prevention to provide proactive protection against unknown threats;
- File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and Web site to prevent rapidly mutating and polymorphic malware;
- Behavioral prevention capabilities that look at the behavior of applications and malware and prevent malware;
- Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
- Device control settings that prevent and limit the types of USB devices to be used.
4. Secure your websites against MITM attacks and malware infection: Avoid compromising your trusted relationship with your customers by:
- Implementing Always On SSL;
- Scanning your website daily for malware;
- Setting the secure flag for all session cookies;
- Regularly assessing your website for vulnerabilities;
- Choosing SSL Certificates with Extended Validation to display the green browser address bar to website users;
- Displaying recognized trust marks in highly visible locations on your website to inspire trust and show customers your commitment to their security.
- Make sure to get your digital certificates from an established, trustworthy certificate authority who demonstrates excellent security practices.
5. Protect your private keys: Implement strong security practices to secure and protect your private keys, especially if you use digital certificates. Symantec recommends that organizations:
- Use separate Test Signing and Release Signing infrastructures,
- Store keys in secure, tamper-proof, cryptographic hardware devices, and
- Implement physical security to protect your assets from theft.
6. Use encryption to protect sensitive data: Implement and enforce a security policy whereby sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Protection (DLP) solution, which is a system to identify, monitor, and protect data. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.
7. Use Data Loss Prevention to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use and protect it from loss. Data loss prevention should be implemented to monitor the flow of data as it leaves the organization over the network and monitor copying sensitive data to external devices or Web sites. DLP should be configured to identify and block suspicious copying or downloading of sensitive data. DLP should also be used to identify confidential or sensitive data assets on network file systems and PCs so that appropriate data protection measures like encryption can be used to reduce the risk of loss.
8. Implement a removable media policy. Where practical, restrict unauthorized devices such as external portable hard-drives and other removable media. Such devices can both introduce malware as well as facilitate intellectual property breaches—intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.
9. Update your security countermeasures frequently and rapidly: With more than 403 million unique variants of malware detected by Symantec in 2011, enterprises should be updating security virus and intrusion prevention definitions at least daily, if not multiple times a day.
10. Be aggressive on your updating and patching: Update, patch and migrate from outdated and insecure browsers, applications and browser plug-ins to the latest available versions using the vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.
11. Enforce an effective password policy. Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple Web sites and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days. Avoid writing down passwords.
12. Restrict email attachments: Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments.
13. Ensure that you have infection and incident response procedures in place:
- Ensure that you have your security vendors contact information, know who you will call, and what steps you will take if you have one or more infected systems;
- Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;
- Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems;
- Isolate infected computers to prevent the risk of further infection within the organization;
- If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied;
- Perform a forensic analysis on any infected computers and restore those using trusted media.
14. Educate users on the changed threat landscape:
- Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
- Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
- Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;
- Recommend that users be cautious of information they provide on social networking solutions that could be used to target them in an attack or trick them to open malicious URLs or attachments;
- Be suspicious of search engine results and only click through to trusted sources when conducting searches—especially on topics that are hot in the media;
- Deploy Web browser URL reputation plug-in solutions that display the reputation of Web sites from searches;
- Only download software (if allowed) from corporate shares or directly from the vendors Web site;
- If users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), have users close or quit the browser using Alt-F4, CTRL+W or the task manager.
- Advise users to make sure they are using a modern browser and operating system and to keep their systems current with security updates.
- Instruct users to look for a green browser address bar, HTTPS, and trust marks on any websites where they login or share any personal information.
Best Practice Guidelines for Consumers
1. Protect yourself: Use a modern Internet security solution that includes the following capabilities for maximum protection against malicious code and other threats:
- Antivirus (file and heuristic based) and malware behavioral prevention can prevents unknown malicious threats from executing;
- Bidirectional firewalls will block malware from exploiting potentially vulnerable applications and services running on your computer;
- Intrusion prevention to protection against Web-attack toolkits, unpatched vulnerabilities, and social engineering attacks;
- Browser protection to protect against obfuscated Web-based attacks;
- Reputation-based tools that check the reputation and trust of a file and Web site before downloading; URL reputation and safety ratings for Web sites found through search engines.
- Consider options for implementing cross-platform parental controls, such as Norton Online Familyxlii.
2. Keep up to date: Keep virus definitions and security content updated at least daily if not hourly. By deploying the latest virus definitions, you can protect your computer against the latest viruses and malware known to be spreading in the wild. Update your operating system, Web browser, browser plug-ins, and applications to the latest updated versions using the automatic updating capability of your programs, if available. Running out-of-date versions can put you at risk from being exploited by Web-based attacks.
3. Know what you are doing: Be aware that malware or applications that try to trick you into thinking your computer is infected can be automatically installed on computers with the installation of file-sharing programs, free downloads, and freeware and shareware versions of software.
- Downloading “free,” “cracked” or “pirated” versions of software can also contain malware or include social engineering attacks that include programs that try to trick you into thinking your computer is infected and getting you to pay money to have it removed.
- Be careful which Web sites you visit on the Web. While malware can still come from mainstream Web sites, it can easily come from less reputable Web sites sharing pornography, gambling and stolen software.
- Read end-user license agreements (EULAs) carefully and understand all terms before agreeing to them as some security risks can be installed after an end user has accepted the EULA or because of that acceptance.
4. Use an effective password policy: Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of words from the dictionary. Do not use the same password for multiple applications or Web sites. Use complex passwords (upper/lowercase and punctuation) or passphrases.
5. Think before you click: Never view, open, or execute any email attachment unless you expect it and trust the sender. Even from trusted users, be suspicious.
- Be cautious when clicking on URLs in emails, social media programs even when coming from trusted sources and friends. Do not blindly click on shortened URLs without expanding them first using previews or plug-ins.
- Do not click on links in social media applications with catchy titles or phrases even from friends. If you do click on the URL, you may end up “liking it” and sending it to all of your friends even by clicking anywhere on the page. Close or quit your browser instead.
- Use a Web browser URL reputation solution that shows the reputation and safety rating of Web sites from searches. Be suspicious of search engine results; only click through to trusted sources when conducting searches, especially on topics that are hot in the media.
- Be suspicious of warnings that pop-up asking you to install media players, document viewers and security updates; only download software directly from the vendor’s Web site
6. Guard your personal data: Limit the amount of personal information you make publicly available on the Internet (including and especially via social networks) as it may be harvested and used in malicious activities such as targeted attacks and phishing scams.
Configure your home Wi-Fi network for strong authentication and always require a unique password for access to it.
- Never disclose any confidential personal or financial information unless and until you can confirm that any request for such information is legitimate.
- Review your bank, credit card, and credit information frequently for irregular activity. Avoid banking or shopping online from public computers (such as libraries, Internet cafes, etc.) or from unencrypted Wi-Fi connections.
- Use HTTPS when connecting via Wi-Fi networks to your email, social media and sharing Web sites. Check the settings and preferences of the applications and Web sites you are using.
- Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you login or share any personal information.
What is Phishing?
Phishing is a high-tech scam that uses spam or pop-up messages to attempt to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, and other sensitive information. Phishing is the term coined by hackers who imitate legitimate companies in e-mails to entice people to share passwords or credit card numbers. Oak View National Bank will never send e-mails requesting personal information. We will never ask you to verify personal financial information through an e-mail. We will never ask you to click on a special site link to do so. While emails of this nature may look like they are from us, and may even use our logo, they are likely a “phishing” scam. Do not answer them. If you receive an email purporting to be from us, do not hesitate to call us to confirm it.
What is Spoofing?
Pretending to be something it is not, on the Internet, usually an e-mail or a Web site.
How to report Phishing?
We suggest reporting phishing e-mails or spoofed Web sites to the following groups:
Recommended Actions if You’ve become a Victim of a Phishing Scam
If You Have Given Out Your Credit, Debit, or ATM Card Information
- Report the incident to the card issuer as quickly as possible.
- Report using toll-free numbers and 24-hour service that many companies have established to deal with such emergencies.
- Request your card issuer close your compromised account number and reissue you a new card with a different number.
- Monitor your account activity and review account statements carefully after the information loss.
- If any unauthorized charges appear, call the card issuer immediately and follow up with a hard copy letter via a traditional delivery service such as the U.S. Postal Service (keep a copy for yourself) describing each questionable charge.
If You Have Given Out Your Bank Account Information
- Report the theft of this information to the bank as quickly as possible.
- Request the bank close the compromised account and re-open a like account with a different account number.
If You Have Downloaded a Virus or Trojan Horse
Some phishing attacks use viruses and/or Trojan Horses to install programs called “key loggers” on your computer. These programs capture and send out any information that you type to the phisher, including credit card numbers, user names and passwords, Social Security numbers, etc. If this happens, it’s likely you may not be aware of it until you notice unusual transactions in your account. To minimize the risk, you should:
- Install and/or update anti-virus and personal firewall software.
- Update all virus definitions and run a full scan.
- If your system appears to have been compromised, repair it and then change your password again, since you may well have transmitted the new one to the hacker.
- Check your other accounts. The fraudsters may have helped themselves to many different accounts: eBay account, PayPal, your e-mail ISP, online bank accounts, online trading accounts and other e-commerce accounts, and everything else for which you use online passwords.
If You Have Given Out Your Personal Identification Information
If you believe you have given out personal information such as your name, address, and Social Security number to someone who may use it for fraud:
Contact the three major credit reporting agencies – Experian, Equifax, and Trans Union – and do the following:
- Request that the agencies place a fraud alert and a victim’s statement in your file.
- Request a free copy of your credit report to check whether any accounts were opened without your consent.
- Request that the agencies remove inquiries and/or fraudulent accounts stemming from the theft.
Major Credit Bureaus
Equifax – www.equifax.com
- To order your report, call: 800-685-111 or write: P.O. Box 740241, Atlanta, GA 30374-0241.
- To report a fraud, call: 800-525-6285 and write: P.O. Box 740241, Atlanta, GA 30374-0241.
- Hearing impaired call: 800-255-0056 and ask the operator to call the Auto Disclosure Line at 800-685-1111 to request a copy of the report.
Experian – www.experian.com
- To order your report, call: 888-EXPERIAN (397-3742) or write: P.O. Box 2002, Allen, TX 75013.
- To report fraud, call 888-EXPERIAN (397-3742) and write: P.O. Box 9530, Allen, TX 75013. TDD: 800-972-0322.
Trans Union – www.transunion.com
- To order your report, call: 800-888-4213 or write: P.O. Box 1000, Chester, PA 19022.
- To report fraud, call: 800-680-7289 and write: Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92634 TDD: 877-553-7803.
Additional Actions to Take
- If bank accounts were set up without your consent, close them.
- Contact your local police department to file a criminal report.
- Contact the Social Security Administration’s Fraud Hotline to report the unauthorized use of your personal identification information.
- Notify the Department of Motor Vehicles of your identity theft.
- Check to see whether an unauthorized driver’s license number has been issued in your name.
- Notify the passport office to be on the lookout for anyone ordering a passport in your name.
- File a complaint with the Federal Trade Commission. Ask for a free copy of “ID Theft: When Bad Things Happen in Your Good Name,” a guide that will help you guard against and recover from your theft – and guard against it in the future.
- File a complaint with the Internet Crime Complaint Center (IC3) by visiting their Web site: www.ic3.gov. IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), with a mission to address fraud committed over the Internet. For victims of Internet fraud, the Center provides a convenient and easy-to-use reporting mechanism that alerts authorities of a suspected criminal or civil violation.
- Document the names and phone numbers of everyone you speak to regarding the incident. Follow up your phone calls with letters. Keep copies of all correspondence.
Identity Theft Resources
How to Practice Safe Computing
The number and sophistication of phishing and spoofing scams sent out to consumers is continuing to increase dramatically. While online banking is widely considered to be as safe as or safer than in-branch or ATM banking, as a general rule you should be careful about giving out your personal financial information over the Internet. Remember, no reputable financial institution will ever request your personal information via e-mail.
Here is a list of recommendation to follow in order to avoid becoming a victim of scam:
- Be suspicious of any e-mail with urgent requests for personal financial information. Phishers have been known to include upsetting or enticing (but false) statements in their e-mails to get people to react immediately. More recently, some phishers have toned down their language, as e-mail recipients have become more aware of the use of this tactic. Either way, the e-mail typically asks for information such as user names, passwords, credit card numbers, Social Security numbers, etc.
- Be careful of e-mails that are not personalized and/or may contain spelling errors and/or awkward syntax and phrasing. Many phishing e-mails are sent in great bulk and, therefore, are not personalized. If you are suspicious of an e-mail claiming to be from Oak View National Bank that is not personalized, please disregard the e-mail and delete it immediately. Remember, Oak View National Bank never will send e-mails requesting personal information. Many e-mails also are being sent from other countries from individuals for whom English is a foreign language, thus resulting in misspelled words and awkward syntax and phrasing.
- Be careful of personalized e-mails that ask for personal financial information. Be suspicious of any e-mail that contains some personal financial information, such as a bank account number and asks for other information, such as PIN. Oak View National Bank will never ask for or send you personal financial information by e-mail.
- Do not use links in an e-mail to get to any Web page. Instead, call Oak View National Bank on the telephone to confirm the address, or log onto the Web site directly by typing in the Web address, www.OakViewBank.com, in your browser.
- Do not complete forms in e-mail messages that ask for personal financial information. Oak View National Bank will never ask you to complete such a form.
- Only communicate information, such as credit card numbers or account information, via a secure Web site or the telephone. When submitting financial information to a Web site. Look for the padlock or key icon at the bottom of your browser, and make sure the Internet address begins with “https.” A secure Web server designation can be found by checking the beginning of the Web address in your browser’s address bar – the address should begin “https://…” rather than just “http://…” While you cannot be completely sure that a Web site is secure when its address starts with “https,” you can be sure the Web site is not secure when it does not start with “https.”
- Regularly log on to your online accounts and check your bank, credit and debit card statements to ensure that all transactions are legitimate. One of the real advantages of banking online is being able to regularly review your account for unauthorized or unusual activity. If anything is suspicious, contact Oak View National Bank immediately.
- Ensure that your browser is up to date and security patches are applied. Always visit your browser’s home page to download the latest security updates even if they don’t alert you to do so.
- Use online statements to reduce the volume of paper mailed. Paper today is the cause of more actual instances of identity fraud than are electronic thefts.
How does phishing work? What is phishing?
The term phishing (FISH-ing) refers to a scam thieves attempt to undertake to steal victims’ personal financial information. Most often the scammer sends an e-mail to thousands of people asking for information such as Social Security numbers, credit card numbers, bank account numbers, and personal identification numbers (PINs). Although it seems obvious, the trick to phishing is creating a counterfeit Web site of a trusted financial or other company Web site to which the unsuspecting consumer is directed. The subjects of these e-mails are often “Account Information Update Required” or other phrasing that suggests that the account with the “spoofed” company has been compromised or will be canceled. The counterfeit Web sites register the data entered by the victim and scammers can then use this information to commit fraud and steal the victim’s identity by charging purchases and opening new accounts.
Where did the term phishing come from?
The term phishing (FISHing) was coined because thieves are fishing for your personal financial information. They send out thousands of lures and hook only a few victims. The “ph” comes from a common hacking term. The first type of hacking was called “phreaking.” In the mid-1990s, America Online accounts were some of the first hacked accounts and were called “phish”. These phish were treated as a form of currency where scammers could trade phish for hacking software.
What is spoofing?
Spoofing is something pretending to be something it is not, on the Internet, usually an e-mail or Web site. Typically, it is a technique used to gain unauthorized access to computers, whereby the intruder hijacks a target’s root Internet address (known as an Internet Provider or IP address) to make it appear as though fraudulent e-mails are from a trusted source. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify its identifying information on the Internet. Spoofers can be anyone. They can be ordinary criminals out to steal money, competitors trying to cripple your business, disgruntled employees or irate customers. Attacks can be personally motivated or simply random. Spoofing of a bank Web site is nothing more than just another attempt to rob the bank.
Are people falling for phishing scams?
Because most people have grown increasingly aware of this scam, most phishing e-mails are deleted. However, the sheer quantity of attacks has increased, thus reaching more victims – and the technology the criminals employ has become more sophisticated. Overall, the number of successful attacks is small in comparison to the number of e-mails that are sent out each day as lures. Yet, it’s still important to note that roughly 3% to 5% of people who receive phishing scams take the bait.
How do you know if an e-mail or phone call is phishy?
If the e-mail or phone call you receive is unsolicited and from a company with which you do no business, you know it is a scam. If you receive an unsolicited e-mail or phone call from a company you hold an account with, you know it’s a scam it they asks for personal information the company should already have on file about you. Remember, Oak View National Bank will never ask for personal information by e-mail. If you’re still not sure about the legitimacy of an e-mail, call the company at a phone number you know to be accurate.
What should you do if you’ve given personal information to phishers?
Act immediately. Contact your bank and any companies you deal with and make them aware of the problem as well. Check you bank and credit card statements and contact all credit reporting agencies, such as Experian, Equifax, and TransUnion if appropriate. Change all of your online user names and passwords associated with personal accounts.
How do phishers get your e-mail address?
Phishing e-mails are essentially dangerous spam. Spammers utilize a variety of techniques to gather e-mail addresses – web sites, newsgroups, guesswork and list trading. These are the same methods used by phishers. Phishers do not gather e-mail addresses from bank records; unfortunately, one common misconception by consumers is that their bank actually provided the criminals with their names and e-mail addresses. This is simply not the case.
How do I report a phishing attack?
The Internet Crime Complaint Center and the Anti-Phishing Working Group register phishing scams and are a good resource for more information on what to do if you’re a victim of phishing.
What is pharming?
Pharming is a scam that often relies on infected, hacked, or otherwise compromised computers. Once a computer has been compromised, customers attempting to navigate to a legitimate bank’s Web site will be re-directed to a spoofed Web site. This can be accomplished in a number of ways. A virus or malware on a PC can re-route a customer to a spoofed Web site even when the customer has directly entered the address on their browser. Domain Name System (“DNS”) cache poisoning (altering DNS re-routing) by phishers causes customers to be re-directed by the Domain Name System. DNS addresses are text, such as www.google.com, but these are translated into numeric addresses. Pharmers attack the translation process and redirect your computer to the scamming IP address and Web site. The sites will likely look similar and the information you enter will be sent to the scammer, not to your trusted site.
What is Malware?
Malware (malicious software) is software that is surreptitiously installed on a private computer’s hard drive that is designed to harm or take unauthorized control over a computer system or to steal the data it contains. Malware is often distributed as an attachment to spam and phishing e-mails. When a customer reads the e-mail, they unknowingly install the malware on their computer. Numerous terms are used for different types of malware, usually based upon how they spread and what they are intended to do. Computer viruses, Trojans, and worms can all be used to install malware on a vulnerable computer. Monikers such as spyware, adware, key loggers, and back doors refer to the goal of the malware. Some malware attacks attempt to capture the actual keystrokes entered by an individual on their computer’s keyboard. The primary purpose of malware is to steal private information that can be exploited in some way.
What can be done to stop phishing?
Educating customers, installing fraud detection software, and working with industry coalitions, can accomplish combating phishing. These coalitions, along with law enforcement agencies at local, state, and federal and international levels, are working together to find phishers, shut down their Web sites and prosecute them to the full extent of the law. Since these anonymous scammers are so elusive – and often based outside the United States – consumer education is extremely important. The more people know about phishing and other identity theft scams, the fewer victims will be affected by these scams.
Is online banking still safe despite phishing and pharming?
Online banking is a safe and effective way to manage your money; however, just as you would not share your financial information with a stranger who knocked at your front door, so should you be guarded when online. Treat unsolicited e-mails asking for information with extreme caution and do not click on links within e-mails. Go to the Web addresses you know to be accurate and confirm that the sites you are visiting are secure – shown by a padlock in the bottom right corner or “https” at the beginning of the Web address. Also, make sure your computer’s security software is current and that you download the most recent updates.