Category Archives: Fraud protection

Defenses Against Cybercrime

Through our work in cyber and information security, we have formed relationships with professionals at Secure the Village and Citadel Information Group. They have kindly allowed us to post on our blog site some of the articles they have authored about cyber security. This article provides a great overview of the business email compromise scam and how to avoid being taken in by it.

Business E-mail Compromise: Don’t Be a Victim

By Stan Stahl, PhD, President of Citadel Information Group, Inc. & Founder and President of Secure the Village

What to Do: Implement very strong controls on wire transfers

Assume all email or fax requests from a vendor to change bank accounts are fraudulent. Assume all email or fax requests from the company President or others are fraudulent. Assume all email or fax requests to set up a new vendor are fraudulent. Pick up the phone, call the party in question and verify the request is legitimate.

If you discover you are a Business Email Compromise victim, immediately contact the FBI’s Southern California Cyber Fraud unit at sccf@leo.gov. They have established banking relationships and are often able to recover funds if they are notified within 72 hours.

And talk to your banker. Make sure they have your back.

It’s also a good idea to check with your insurance broker to ensure that business email compromise losses are covered.

Background

Not too long ago, email scams were relatively easy to detect. They were often from unknown contacts and referenced bank or credit card information which was clearly incorrect. Sometimes, the emails would simply contain a link. As time has passed, fraudulent attempts to gain control of your online banking, your critical information, and your identity have become more skillful and harder to spot. These days, emails often appear to come from recognized accounts, are well written, and–at least at first glance–seem legitimate.

The newest — and one of the costliest — in a long line of fraudulent e-mail scams is “Business E-Mail Compromise” (BEC).

Business Email Compromise (BEC) is a very sophisticated attempt to induce a business to willingly hand over their money to a cybercriminal. In Business Email Compromise (BEC), crooks spoof communications from executives or vendors at the victim firm in a bid to initiate unauthorized wire transfers.

According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015. Business Email Compromise cost Ubiquiti Networks $46 million.

Collectively, Business Email Compromise has resulted in actual and attempted losses of over a billion dollars worldwide. The FBI reports, “…since the beginning of 2015 there has been a 270 percent increase in identified BEC victims. Victim companies have come from all 50 U.S. states and nearly 80 countries abroad.”

BECs can target businesses working with foreign suppliers or regularly performing wire transfer payments, although they have also targeted some that do not strictly fit this criterion. In order to solicit unauthorized transfers of funds, the scams compromise legitimate business e-mail accounts through social engineering or computer intrusion techniques. Prior to making contact, the scammers learn enough about their target to create emails that use language specific to the company and request wire transfers that seem legitimate.

For more information on BECs, see https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise and http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/


____________________________________________________________________________________________

Linking to Non-Grandpoint Bank Websites
This icon appears next to every link that directs to a third party website not affiliated with Grandpoint Bank. Please be advised that if you click this link you will be taken to a website hosted by another party, where you will no longer be subject to, or under the protection of, the privacy and security policies of Grandpoint Bank. We recommend that you review and evaluate the privacy and security policies of the site that you are entering. Grandpoint Bank assumes no liability for the content, information, security, policies or transactions provided by these other sites.


FBI: How to Protect Your Computer


Below are some key steps to protecting your computer from intrusion, as detailed on the Federal Bureau of Investigation’s cybercrime webpage:

Keep Your Firewall Turned On: A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.

Install or Update Your Antivirus Software: Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.

Install or Update Your Antispyware Technology: Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.

Keep Your Operating System Up to Date: Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.

Be Careful What You Download: Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.

Turn Off Your Computer: With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.

https://www.fbi.gov/investigate/cyber


FBI Article: Ransomware


We receive a lot of positive feedback when we run articles from the FBI’s cyber crime division. We’re pleased the Bureau has encouraged us to share their articles on this topic, so we want to share a recent post from their website about ransomware. Ransomware refers to malware that restricts access to the infected computer/network and demands that the operators pay some sort of ransom to regain control of their network. We hope this article is helpful to you. Please let us know if you have information or ideas on this topic that our readers may want to hear.

You can find this article, as well as many other articles you may find valuable to keep your business and staff secure against cybercrime, at this web address: https://www.fbi.gov/investigate/cyber

For more information about fraud protection tools and product features provided by Grandpoint Bank, please visit our website.

Ransomware 

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation. Home computers are just as susceptible to ransomware and the loss of access to personal and often irreplaceable items— including family photos, videos, and other data—can be devastating for individuals as well.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals. And in newer instances of ransomware, some cyber criminals aren’t using e-mails at all—they can bypass the need for an individual to click on a link by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.

The FBI doesn’t support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee an organization that it will get its data back—there have been cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.

So what does the FBI recommend? As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:

  • Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls; and
  • The creation of a solid business continuity plan in the event of a ransomware attack.

Tips for Dealing with Ransomware. While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.


We’re Working with You to Battle Cyber Crime


Since 2013, cyber criminals have attacked over 22,000 businesses via business email scams with losses totaling over $3.1 billion. Businesses of any size are vulnerable. In the L.A. area, losses due to business email compromise alone total $14.6 million per month. Experts estimate that 80% of cyber attacks are avoidable through basic cyber hygiene.  By implementing a variety of safety and prevention measures, you can significantly reduce the chances of your business suffering losses due to cyber crime.

To help businesses understand the risks and the ways they can help protect themselves from this growing threat, we recently hosted a series of cyber security seminars in Los Angeles and Orange County. We want to share a few of the key takeaways from our panel of experts in law enforcement, information security and insurance. Here’s what we learned from Howard Miller, CRM, CIC, of L/B/W Insurance and Financial Services, Kimberly Pease, CISSP, of Citadel Information Group, Michael Sohn of the FBI’s Los Angeles Cyber Crime Outreach and Stan Stahl of Secure The Village.

  • Employee training throughout your organization is critical. Make sure you have clear policies about cyber security and that they are clearly communicated to your staff, contractors and anyone else who has the ability to expose your company to risk. Educate all of your employees about the risks of clicking on links in emails and sharing business information via phone or email with people they don’t know or trust.
  • Limit access to software to employees who really need it and make sure that each employee has their own log-in (don’t have employees share log-ins) so you can track activity back to a specific person.
  • Keep software updated regularly. Cyber thieves exploit vulnerabilities in older versions of software.
  • Use two-factor authentication to access your internet email and other sensitive applications such as online banking. Two-factor authentication requires you to use a one-time password in addition to your regular password, making it more difficult for hackers to hack.
  • Make sure your back-up files are capturing all of your critical data and that your employees are following your prescribed protocol for backing up their files. Also make sure you are backing up your files in a different physical location so you can use them in the event of a natural disaster.
  • Look at your third party vendor contracts to understand what cyber risk you might assume through your relationship with that vendor, particularly with cloud providers who typically accept little, if any, liability associated with cyber crime.
  • Take information security as seriously as operations and finance.
  • Create a VPN (virtual private network) to secure communications to your business network that are initiated by authorized employees using devices outside of your network.
  • Secure your wi-fi with a password and encryption.
  • Use different passwords for different sites and make them long and complex.
  • Check any existing cyber security insurance you may have to look for gaps or exclusions in the coverage. Business interruption is typically limited to physical causes so most insurance won’t cover business interruption due to a cyber attack.
  • Before your business is targeted by cyber criminals, establish a relationship with your local FBI office. They’re the lead federal agency for investigating these kinds of attacks.

For banking (online as well as offline), the following recommendations were made:

  • Use dual control for all ACH and wire transfers. Dual control means that another person or account has to authorize a transfer in addition to the person who initiates it.
  • Never trust wire instructions or other funds transfer instructions sent via email. Always call the person or company to verify the instructions.
  • Set up alerts that automatically notify you about log-ins, password changes, transfers, etc. This way if an unauthorized change is made, you know and can respond quickly.
  • Use Trusteer Rapport software (available free) to provide a secure web channel between your computer and the bank’s online banking site.
  • Use our ACH Fraud Protection Service, which enables business clients to review ACH transactions before they are complete and to choose to pay or return each item.
  • Use ACH blocks or restrictions, if you know you won’t be using these electronic payments, or if you want to limit ACH withdrawals to only specific vendors.
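
The dual-control and verify-by-phone rules above, written as a release check for an outgoing-payment queue. This is an added example, not Grandpoint Bank's or the panel's code; the record types, reason codes, sample directory, and the rule that the callback must go to a number already on file (rather than one supplied in the request) are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Channels whose payment instructions are treated as fraudulent until verified.
UNTRUSTED_CHANNELS = {"email", "fax"}


@dataclass(frozen=True)
class Party:
    """A vendor or executive known to accounts payable (hypothetical record)."""
    phone_on_file: str                     # obtained independently, never from the request
    account_on_file: Optional[str] = None  # None for internal requesters


@dataclass(frozen=True)
class Callback:
    number_dialed: str
    confirmed: bool                        # the party confirmed the request by voice


@dataclass(frozen=True)
class TransferRequest:
    requester: str      # who the instructions claim to come from
    payee: str
    account: str        # destination account named in the instructions
    amount: float
    channel: str        # "email", "fax", "phone", "in_person", ...
    initiator: str      # employee who keyed the transfer
    approver: Optional[str] = None
    callback: Optional[Callback] = None


def _digits(number: str) -> str:
    """Compare phone numbers on digits only, ignoring spaces and punctuation."""
    return re.sub(r"\D", "", number)


def hold_reasons(req: TransferRequest, directory: dict[str, Party]) -> list[str]:
    """Return the reasons to hold a transfer; an empty list means release it."""
    reasons: list[str] = []

    # Dual control: a second person, different from the initiator, must approve.
    if req.approver is None:
        reasons.append("NO_SECOND_APPROVER")
    elif req.approver.strip().lower() == req.initiator.strip().lower():
        reasons.append("SELF_APPROVAL")

    payee = directory.get(req.payee)
    new_payee = payee is None or payee.account_on_file is None
    account_changed = not new_payee and payee.account_on_file != req.account

    # Email/fax instructions, new payees and changed accounts all need a phone call.
    if req.channel.lower() in UNTRUSTED_CHANNELS or new_payee or account_changed:
        requester = directory.get(req.requester)
        if requester is None:
            # No independently sourced number exists yet, so nothing can be verified.
            reasons.append("NO_NUMBER_ON_FILE")
        elif req.callback is None or not req.callback.confirmed:
            reasons.append("NO_CALLBACK")
        elif _digits(req.callback.number_dialed) != _digits(requester.phone_on_file):
            # Calling a number taken from the message only reaches its sender.
            reasons.append("CALLBACK_NUMBER_NOT_ON_FILE")
    return reasons


# Constructed sample data: fictional parties, accounts and 555-01xx phone numbers.
DIRECTORY = {
    "Acme Supply": Party("+1 (213) 555-0100", account_on_file="ACCT-OLD-0001"),
    "President": Party("+1 (213) 555-0199"),
}

if __name__ == "__main__":
    emailed_change = TransferRequest(
        requester="Acme Supply", payee="Acme Supply", account="ACCT-NEW-9999",
        amount=48250.0, channel="email", initiator="alice", approver="bob",
        callback=Callback("+1 213 555 0147", True),  # number copied from the email
    )
    print(hold_reasons(emailed_change, DIRECTORY))
```
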

To address the risks of funds transfer fraud and cyber deception, our bank has also introduced a new way for our business banking clients to protect themselves through a first-of-its-kind cyber insurance group policy. The policy provides gap insurance, since most cyber crime insurance policies don’t cover losses for money sent out of a business banking account “voluntarily;” that is, when someone in your firm is tricked into sending funds to a cyber criminal posing as a trusted colleague or vendor. For more information on this policy, please visit grandpointinsurance.com.

Insurance Products are:
Insurance Products are offered through Grandpoint Insurance Services, Inc., a non-bank insurance agency affiliate of Grandpoint Bank, and facilitated through LBW Insurance & Financial Services, Inc., an unaffiliated insurance agency.


Grandpoint Bank Makes First-of-its-Kind Cyber Crime Insurance Available!


Grandpoint Bank has introduced a new way for its business banking clients to protect themselves from financial losses due to funds transfer fraud and cyber deception through a first-of-its-kind cyber insurance group policy.

We’ve created Grandpoint Insurance Services, Inc., a non-bank insurance agency affiliate, to develop the Client Cyber Crime Insurance product. The policy, offered to customers of Grandpoint Bank and its divisions, offers cyber crime loss coverage that is specifically geared to monetary losses. It was created as an affordable and easy alternative to individually underwritten, higher-priced commercial crime insurance policies.

The majority of businesses don’t realize that they have significantly more exposure for losses due to fraud than individual account holders, who are afforded certain regulatory protections. Businesses are often tricked into approving fraudulent transfers, notwithstanding internal controls to identify and prevent this kind of risk.  According to the FBI, since 2013, over 17,000 businesses have lost an aggregate of more than $2.3 billion to one type of cyber crime alone, known as the business email scam.

Even as monetary losses due to cyber crime have skyrocketed in recent years, many traditional commercial crime policies specifically exclude losses arising from cyber deception.

“We are excited to make this new coverage available to our business clients,” said Petra Griffith, Director of Product Development for Grandpoint Bank. “The policy focuses on the kinds of coverage that directly address the key fraud risks that businesses face – losses to their bank accounts through cyber crime.  Cyber crime is a major concern for businesses, especially since they are typically liable if cyber criminals steal funds from their business accounts. They often don’t have the appropriate insurance in place and are finding it more difficult to protect themselves in this ever evolving, increasingly sophisticated cyber crime environment.”

The Client Cyber Crime Insurance policy is available exclusively to business clients of Grandpoint and its divisions, Bank of Tucson, Regents Bank and The Biltmore Bank of Arizona, through Grandpoint Insurance Services, in partnership with LBW Insurance & Financial Services, Inc.  The policy is underwritten by Hiscox Inc., on behalf of Underwriters at Lloyd’s, London, which is rated A by A.M. Best. Insurance products are not a deposit, not FDIC insured, not federal government agency insured, not bank guaranteed.

The Client Cyber Crime Insurance group policy coverage helps reimburse funds in business deposit accounts lost due to funds transfer fraud and cyber deception and is offered at premiums that represent substantial savings from individual policies currently available on the market. Any business that has a deposit account at Grandpoint Bank or its divisions is automatically eligible to enroll in the policy and select from a range of coverages with premiums that start at $30 per month.

“Educating and alerting our clients, and the broader business community, about established and emerging cyber crime trends is a commitment we’re passionate about,” said Griffith. “We’ve been working for over a year to create a more powerful solution to help clients protect their financial assets against attacks by cyber criminals.”

For more information on the Client Cyber Crime Insurance, visit www.grandpointinsurance.com (California Insurance License #0K82434).


Cyber security alert … There are only two kinds, which one are you?


Thank you to article author Linda Drake of Trailblazer Advisors and to Inside Tucson Business for allowing us to republish this article on our blog.

A common meme in the imploding industry of information security is the assertion that there are only two kinds of companies:

Those that have been hacked and those who don’t know they’ve been hacked!

Which one are you?

There are some stunning statistics* that every small and medium-sized business should know that require your attention and action for your protection.

No business or organization can prevent data breaches. A single credit card data breach can cost your business $217 per incident.

According to experts, a company-wide data breach costs a minimum of $10,000.

92 percent of companies experiencing a breach did not know it (they were notified by a 3rd party).

75 percent of breaches occur in businesses with less than 100 employees.

Only 25 percent of breaches are IT or hacker-related; this means 75 percent of breach events are related to current/former employees, customers, vendors, contractors and organized crime or social engineering.

Yet, 83 percent of SMB’s do not have a formal cybersecurity plan.

Most importantly, 64 percent of companies with 500 or fewer employees go out of business within a year of being hacked!

If the last statement does not compel you to take action, close your business down now!

The age of the ‘Internet of Everything’ is upon us. Companies need to harness this technology as an asset or potentially endure irreparable harm.  According to Gartner Research, companies incur four times the expense to respond to data breach events than the installation of appropriate security technology to prevent it.  Of course, the actual expense of a breach does not include the correspondent frustration, aggravation and untold embarrassment.

As a business owner you may be asking yourself, am I really at risk? “Indeed, you really are!” retorted Kathy Delaney Winger, Esq., an attorney who practices in the area of cybersecurity. “All companies must protect ‘Personally Identifiable Information,’ commonly termed (PII).” PII can be defined as any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

“The truth is,” stated Kathy, “the definition of information is very broad, as is your obligation to protect it.  For example, even if a business owner hires a third party to perform services that involve the use of PII (such as payroll processors) the business owner may still be at risk if a breach occurs.”

According to Kathy, there are multiple factors that you should consider when thinking about cybersecurity and protecting your business.  “It’s critically important to be aware of the PII that your business is collecting, holding and/or sharing with third parties,” said Kathy.  “Once you’ve made yourself aware of it, you should take steps to protect the information and have a plan as to how you will handle matters (such as complying with your obligation to notify affected parties) in the event of a breach.”  Kathy recommends that business owners work closely with professionals who are knowledgeable in this area, including lawyers and companies that specialize in computer security.  According to Kathy, businesses should also discuss the issue with insurance professionals.  “I recommend that business owners consider purchasing cyber insurance that will protect the company should a breach occur,” said Kathy.  She continued “the statistics cited at the start of this article illustrate that, once a breach occurs, a company’s liability can be extensive.  Thus, business owners are well advised to insure against data breach losses just as they insure against many other kinds of losses.”

According to James Riley, CEO of JNR Networks, the number one technology virus is the user!  Most systems are compromised by users who knowingly or unknowingly create the vulnerability of access to your data.

So what steps should you take to protect your data and your company?

The first, most immediate action is modifying the approach to passwords.  Some IT experts suggest that you should treat passwords like underwear: don’t leave them where people can see them, change them often, do not lend them to others, and make sure they are a good “fit”. Further, the obfuscation of passwords is critical.

“Passwords should not include the obvious,” James suggests.  “Do not use passwords with your kids’ names, spouse, pets or anything that people know about you,” James commented. Passwords should be at least 8 characters that include upper and lower case, numbers and symbols.  The key to a unique and memorable password is the linking and twisting of terms that only have meaning to you.  “Spell words that are jumbled and have no relationship to each other, just to you.”

Beyond the password basics, James added, “All companies need at the very minimum, business grade (BG) antivirus software, BG firewalls, and BG equipment. But, all the best of these tools are nothing without the development of Acceptable Use Policies (AUP) that are established, reinforced and enforced in each company.”

One of our country’s greatest founding fathers had it right—

“By failing to prepare, you are preparing to fail.”

In the 18th century Ben Franklin had no idea that his words would be so applicable in this era coined, “The Third Wave of the Internet,” by AOL’s founder, Steve Case. The SMB bottom-line regarding cybersecurity is a simple message: explore, embrace, manage and, above all, control cyber technology before it controls you.

*Statistics presented by a panel of experts for AZ Tech Council at the recent Tech Junction Conference in Tucson.  Kathy Delaney Winger, Esq. of The Law Offices of Kathy Delaney Winger and James Riley, CEO of JNR Networks were two of the panelists.

Linda Drake is a 25 year, seasoned global entrepreneur, corporate executive, author and Certified Professional & Executive Coach.  As a CEO for CEO’s, Linda founded Trailblazer Advisors to catapult economic growth and leadership skills for business owners and senior management at any stage in the business lifecycle.  She believes that strong business leadership and entrepreneurism are the heart and promise of America. Linda is the President of the International Coaching Federation of Southern Arizona. 

Read the original article here:

http://www.insidetucsonbusiness.com/business_chatter/cyber-security-alert-there-are-only-two-kinds-which-one/article_993e8646-0d61-11e6-a13e-9bf1e63a7270.html

screen-shot-2016-09-28-at-7-28-21-pm


↗ Linking to Non-Grandpoint Bank Websites
This icon appears next to every link that directs to a third party website not affiliated with Grandpoint Bank. Please be advised that if you click this link you will be taken to a website hosted by another party, where you will no longer be subject to, or under the protection of, the privacy and security policies of Grandpoint Bank. We recommend that you review and evaluate the privacy and security policies of the site that you are entering. Grandpoint Bank assumes no liability for the content, information, security, policies or transactions provided by these other sites.


Treasury Management – Manage and Protect Your Funds More Effectively


Moving money and executing transactions is easier than ever, but what is your business doing to make sure your funds aren’t at risk? From the most elaborate cyber attacks to a simple unauthorized alteration on a check, you could be vulnerable to all kinds of fraud.

Financial institutions have processes and procedures in place to help protect against fraud. But the increasing risk and sophistication of cyber crimes in particular, both at home and in the office, makes it especially important for everyone to be vigilant and cautious. That’s why Grandpoint continually invests in tools and resources to help detect potentially fraudulent transactions and accounts with a high potential for fraud. We believe it is equally important for our clients to understand the risks and be aware of the steps you can take to help protect your business assets. We want to share a few of the practices we follow and the products we offer to help you minimize your vulnerability.

With so many ways that passwords can be compromised – from inadvertent sharing with others to malware that mines your personal information – protecting the secure access to your online accounts is crucial. Ever heard of a keylogger? It’s malware that captures and records a user’s keystrokes. It can be used by a cyber-criminal to record your passwords and a variety of other information. As a deterrent to these kinds of compromises, Grandpoint business clients use a secure access code to access their accounts through online banking, and the associated password expires every 90 days. This precaution helps protect against a possible breach if your password falls into the wrong hands.

Most people know that Internet connections can be vulnerable to compromise. Various layers of protection are available, including firewalls, anti-virus software and network encryption, but cyber criminals are always working to try to break through these barriers. That’s why these programs are continuously updated and why keeping current with each new release is so critical. To provide a secure web channel between our client’s computer and the bank’s online banking site, so that no other user can get in the middle, we offer Trusteer Rapport software to our business clients. This free, downloadable software helps to prevent malware and phishing attacks and provides sustainable fraud protection.

One of the most frequent targets for cyber thieves is ACH payments – payments created when you give an originating party authorization to debit directly from your checking or savings account for the purpose of bill payment. To commit ACH fraud, all a cyber thief needs is your account number and the bank routing number, which can be taken directly from an unsuspecting victim’s check. Our ACH Fraud Protection Services enable business clients to review these transactions before they are complete and to choose to pay or return each item, to guard against fraudulent automatic withdrawals. If you know you won’t be using these electronic payments, we can set up an ACH block so that no ACH payments are allowed. Or, if you only expect ACH withdrawals from a handful of vendors, you can restrict your ACH authorization to just those few vendors.

As an added layer of protection, your online banking profile can also be IP address-restricted, meaning if a request to transfer funds from your Los Angeles-based company is issued by an IP address located in New York, the transaction will be rejected. Our Risk Fraud Analytics system reviews all of your company’s transactions for other anomalies as well. You also have the option to set a maximum dollar limit for transactions you may initiate. If that limit is exceeded, the transaction will automatically be rejected. In addition, you’ll be alerted if someone changes a password, user entitlements, dollar limits and more. Business clients can also set up dual control on their wires and ACH transactions. This can reduce employee fraud, but it also makes it more difficult for cyber criminals to complete a fraudulent transfer since two people within the business must sign off on these transactions.

One of the most prevalent types of fraud today is cyber deception, which is usually the result of human error – falling victim to complex scams in which criminals pose as a trusted colleague, business associate or vendor in order to gain access to your financial assets. It is particularly hard to detect. These schemes are typically executed via email, but cyber criminals have become increasingly adept at spoofing phones as well. What you believe to be a legitimate request could result in you unwittingly paying a crook. For more on this topic, please refer to the cyber security article from the FBI we republished on our blog.

Of course, fraud schemes aren’t always so sophisticated. If someone has altered a check you’ve issued, you might never notice – until it is too late. A simple safeguard against this kind of theft is our Positive Pay Service. You provide the bank with what is essentially a digital check register and we match it against the checks presented for payment. If we see any discrepancies, we notify you so that you can review and decide whether or not the check should be paid. All checks presented for payment are verified, including checks presented in person at our banking offices.
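The matching step described above can be sketched as follows. This is an added illustration, not Grandpoint's system; the `Check` record, the reason strings and the sample register are all constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    payee: str
    amount: Decimal


def _norm(payee: str) -> str:
    # Compare payees case-insensitively and ignore spacing differences.
    return " ".join(payee.upper().split())


def positive_pay(register, presented):
    """Match presented checks against the issuer's register.

    Returns a list of (check_number, reasons) for every item that should
    be held for the account owner's pay-or-return decision.
    """
    issued = {c.number: c for c in register}
    paid = set()          # check numbers already cleared in this run
    exceptions = []
    for item in presented:
        reasons = []
        match = issued.get(item.number)
        if match is None:
            reasons.append("not in register")
        else:
            if item.amount != match.amount:
                reasons.append("amount mismatch")
            if _norm(item.payee) != _norm(match.payee):
                reasons.append("payee mismatch")
            if item.number in paid:
                reasons.append("duplicate presentment")
        if reasons:
            exceptions.append((item.number, reasons))
        else:
            paid.add(item.number)
    return exceptions


# Constructed sample data: the register the business uploads ...
REGISTER = [
    Check(1001, "Acme Supply Co", Decimal("1250.00")),
    Check(1002, "City Water Dept", Decimal("310.45")),
    Check(1003, "Jane Doe", Decimal("75.00")),
]
# ... and the items presented for payment.
PRESENTED = [
    Check(1001, "ACME  Supply co", Decimal("1250.00")),  # clean
    Check(1002, "City Water Dept", Decimal("3310.45")),  # amount altered
    Check(1003, "John Roe", Decimal("75.00")),           # payee altered
    Check(1001, "Acme Supply Co", Decimal("1250.00")),   # presented twice
    Check(2044, "Cash", Decimal("900.00")),              # never issued
]

if __name__ == "__main__":
    for number, reasons in positive_pay(REGISTER, PRESENTED):
        print(number, ", ".join(reasons))
```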

Businesses with a high volume of checks arriving through the mail are at risk of crooks intercepting these payments. We offer a layer of protection through our Lock Box Service, which streamlines the remittance process. Payments are sent to a secure post office box where they are collected by the bank several times a day and deposited directly into your Grandpoint account. The post office box and speedy collection system help minimize the opportunities for the check to be intercepted after it’s placed in the mail. The service also provides timely payment receipt reporting and provides you access to electronic and paper remittance images online to update your receivables or research customer questions.

To discuss how you can layer additional treasury management protections onto your business accounts, contact your Grandpoint Bank relationship manager or call any of our offices.


Identity Theft – A Practical Guide from the Federal Trade Commission


Do you know the red flags of identity theft? The Federal Trade Commission↗ has published a very helpful guide to not only help you recognize identity theft, but also protect yourself and your business against it and to take action if it happens to you. You can download a copy of the brochure for free on their website.↗ The following are some highlights from the brochure we’d like to share with our readers.

Red Flags of Identity Theft

  • Mistakes on your bank, credit card or other account statements
  • Mistakes on the explanation of medical benefits from your health plan
  • Your regular bills and account statements don’t arrive on time
  • Bills or collection notices for products or services you never received
  • Calls from debt collectors about debts that don’t belong to you
  • A notice from the IRS that someone used your Social Security number
  • Mail, email or calls about accounts or jobs in your minor child’s name
  • Unwarranted collection notices on your credit report
  • Businesses turn down your checks
  • You are turned down unexpectedly for a loan or job

How to Protect Your Information

  • Read your credit reports. You have a right to a free credit report every 12 months from each of the nationwide credit reporting companies. To order, go to annualcreditreport.com or call 877-322-8228.
  • Read your bank, credit card and account statements, as well as the medical explanation of benefits from your health plan. If a statement has errors or doesn’t come out on time, contact the business.
  • Shred all documents that show personal, financial and medical information before you throw them away.
  • Don’t respond to email, text and phone messages that ask for personal information. Legitimate companies don’t ask for information this way. Delete the messages.
  • Create passwords that mix letters, numbers and special characters. Don’t use the same password for more than one account.
  • If you shop or bank online, use websites that protect your financial information with encryption. (An encrypted site has https at the beginning of the web address.)
  • If you use a public wireless network, don’t send information to any website that isn’t fully encrypted.
  • Use anti-virus and anti-spyware software, as well as a firewall on your computer.
  • Set your computer’s operating system, web browser and security system to update automatically.

If Your Identity Is Stolen

  • Call one of the nationwide credit reporting companies, and ask for a fraud alert on your credit report. The company you call must contact the other two so they can put fraud alerts on your files. An initial fraud alert is good for 90 days.
    • Equifax: 800‑525‑6285
    • Experian: 888‑397‑3742
    • TransUnion: 800‑680‑7289
  • Order your credit reports. Each report about you is slightly different, so order a report from each company. If you see mistakes or signs of fraud, contact the credit reporting company.
  • Create an Identity Theft Report. An Identity Theft Report can help you get fraudulent information removed from your credit report, stop a company collecting debts caused by identity theft and get information about accounts a thief opened in your name.

To create an Identity Theft Report:

  • File a complaint with the FTC at ftc.gov/complaint or 877-438-4338; TTY: 866-653-4261. Your completed complaint is called an FTC Affidavit.
  • Take your FTC Affidavit to your local police, or to the police where the theft occurred and file a police report. Get a copy of the police report.
    The two documents comprise an Identity Theft Report.

Identity theft can rob you of time, money and peace of mind. Implementing a methodical system to prevent, recognize and remedy it is your best line of defense. We hope this article helps you create or refine your plan.


EMV Chips – What They Mean To You


Whether you are a merchant, a consumer or both, EMV chip technology is great news. Also known as smart chip technology, EMV is a global payment standard designed to reduce fraudulent transactions where payment cards are physically present at the time of the transaction.

EuroPay, MasterCard® and Visa® (thus the abbreviation EMV) developed the EMV chip technology to combat counterfeit card fraud. Outside the U.S., more than 130 countries in Asia, Europe and South America, as well as Canada and Mexico, have already embraced the technology, and counterfeit credit card fraud has declined noticeably in those countries.

Here in the U.S., credit cards enabled with an EMV chip are gradually replacing their magnetic strip ancestors. If your payment card has a chip, you will see a small metallic square on the front of the card. Cards still have magnetic strips, too, so that you can use them at merchants that don’t yet accept chip cards.

The difference between EMV cards and the traditional magnetic strip cards is that the EMV chip better protects against unauthorized use by generating a unique number for each sales transaction. The magnetic strips on traditional cards contain unchanging data. When an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again. If a counterfeiter steals the chip information from one specific point of sale, typical card duplication would not work because the stolen transaction number created in that instance wouldn’t be usable again, and the card would be denied. Therefore, even if card data and the one-time code are stolen, the information can’t be used to create a counterfeit card.
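Why a captured one-time code is useless to a counterfeiter can be shown with a simplified model, added here as an illustration. It is not the EMV specification: real chip cards use their own key derivation and MAC algorithm, while this sketch substitutes HMAC-SHA256, and the class names, message layout and card number are constructed.

```python
import hashlib
import hmac
import secrets


def _message(pan, atc, amount_cents, nonce):
    return f"{pan}|{atc}|{amount_cents}|".encode() + nonce


class ChipCard:
    """Holds a secret key that never leaves the chip, plus a counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0  # transaction counter, incremented on every use

    def authorize(self, amount_cents, terminal_nonce):
        self._atc += 1
        msg = _message(self.pan, self._atc, amount_cents, terminal_nonce)
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents,
                "nonce": terminal_nonce, "cryptogram": code}


class Issuer:
    """Shares the card key and remembers the highest counter it has seen."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def verify(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        msg = _message(tx["pan"], tx["atc"], tx["amount"], tx["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "declined: replayed transaction code"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"


def demo():
    key = secrets.token_bytes(32)
    card = ChipCard("4000000000000002", key)  # constructed card number
    issuer = Issuer()
    issuer.enroll(card.pan, key)

    first = card.authorize(2599, secrets.token_bytes(4))
    results = [issuer.verify(first)]                 # genuine purchase
    results.append(issuer.verify(dict(first)))       # stolen data replayed
    forged = dict(first, atc=first["atc"] + 1)       # counter bumped, no key
    results.append(issuer.verify(forged))
    results.append(issuer.verify(card.authorize(1000, secrets.token_bytes(4))))
    return results


if __name__ == "__main__":
    print(demo())
```

Static magnetic-strip data has no counterpart to the key or the counter in this model, which is why a copy of it keeps working until the card is cancelled.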

EMV cards can be used at stores or at ATMs. The readers may differ, but each includes a slot in which to insert the card – with the EMV chip facing up. Directions on the screen instruct the user about what to do next. Generally, the chip card stays in the machine until the transaction is complete. If your card has an EMV chip and you attempt to swipe the magnetic strip instead, an error will appear and you will be prompted to insert the card for chip processing instead.

Credit and debit card providers are now rolling out the EMV chip cards, providing customers with an extra layer of security and confidence. Grandpoint Bank card holders can expect to receive their new cards in the next few months. In the meantime, card holders can continue to use their magnetic strip cards at stores and ATMs.

For merchants, EMV software-equipped terminals offer the most secure way to accept in-store payments and reduce fraud liability risk, especially since the liability shifted to merchants on October 1, 2015 in the event that fraud occurs on a chip card presented in-store and chip card terminals weren’t used.

Additional information about EMV chip technology can be found here.↗


FBI Article: Ransomware on the Rise

We noticed that a lot of you really liked the last FBI cyber security article we ran. We’re pleased the Bureau has encouraged us to share their articles on this topic, so we’re happy to do so again. This article deals with a concerning type of cybercrime called ransomware, where malware restricts access to the infected computer/network and demands that the operators pay some sort of ransom to regain control of their network. We hope this article is helpful to you. Please let us know if you have information or ideas on this topic that our readers may want to hear.

You can find this article, as well as many other articles you may find valuable to keep your business and staff secure against cybercrime, at this web address:

https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise/ransomware-on-the-rise↗

For more information about fraud protection tools and product features provided by Grandpoint Bank, please visit our website.

Ransomware on the Rise
FBI and Partners Working to Combat This Cyber Threat

Your computer screen freezes with a pop-up message—supposedly from the FBI or another federal agency—saying that because you violated some sort of federal law your computer will remain locked until you pay a fine. Or you get a pop-up message telling you that your personal files have been encrypted and you have to pay to get the key needed to decrypt them.

These scenarios are examples of ransomware scams, which involve a type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom—anywhere from hundreds to thousands of dollars—is paid.

Ransomware doesn’t just impact home computers. Businesses, financial institutions, government agencies, academic institutions, and other organizations can and have become infected with it as well, resulting in the loss of sensitive or proprietary information, a disruption to regular operations, financial losses incurred to restore systems and files, and/or potential harm to an organization’s reputation.

Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals. And the FBI, along with public and private sector partners, is targeting these offenders and their scams.

When ransomware first hit the scene, computers predominately became infected with it when users opened e-mail attachments that contained the malware. But more recently, we’re seeing an increasing number of incidents involving so-called “drive-by” ransomware, where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.

Another new trend involves the ransom payment method. While some of the earlier ransomware scams involved having victims pay “ransom” with pre-paid cards, victims are now increasingly asked to pay with Bitcoin, a decentralized virtual currency network that attracts criminals because of the anonymity the system offers.

Also a growing problem is ransomware that locks down mobile phones and demands payments to unlock them.

The FBI and our federal, international, and private sector partners have taken proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets↗ that facilitated the distribution and operation of ransomware.

For example:

  • Reveton ransomware, delivered by malware known as Citadel, falsely warned victims that their computers had been identified by the FBI or Department of Justice as being associated with child pornography websites or other illegal online activity. In June 2013, Microsoft, the FBI, and our financial partners disrupted a massive criminal botnet built on the Citadel malware, putting the brakes on Reveton’s distribution. FBI statement↗ and additional details.↗
  • Cryptolocker was a highly sophisticated ransomware that used cryptographic key pairs to encrypt the computer files of its victims and demanded ransom for the encryption key. In June 2014, the FBI announced—in conjunction with the Gameover Zeus botnet disruption—that U.S. and foreign law enforcement officials had seized Cryptolocker command and control servers. The investigation into the criminals behind Cryptolocker continues, but the malware is unable to encrypt any additional computers. Additional details.↗

If you think you’ve been a victim of Cryptolocker, visit the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (CERT) CryptoLocker webpage↗ for remediation information.

The FBI—along with its federal, international, and private sector partners—will continue to combat ransomware and other cyber threats. If you believe you’ve been the victim of a ransomware scheme or other cyber fraud activity, please report it to the Bureau’s Internet Crime Complaint Center.↗
