Commercial Customer Education
Be Aware of False Google Ads
An emerging trend used by cybercriminals is the purchasing of Google Ads that link to a fraudulent website in an attempt to steal login credentials to a financial institution's online banking website.
How does it work?
The criminals create a fraudulent site that looks exactly like the legitimate online banking site. They then purchase Google Ads with a stolen identity and link these ads to the fraudulent site. Customers then perform a search for their institution's website and the first result will be the Google Ad. Once the customer has clicked on the link, they proceed to the login page where they enter their username and password. Once they have entered their credentials, they are presented with what appears to be an error message or something similar. At this point, the criminals have the online banking credentials and can access the customer's online banking account.
How can I protect myself?
The simplest way to protect yourself against this type of fraud is to bookmark or favorite the institution's website. When you need to access the site, click on the bookmark or favorite and know that you will be taken to the legitimate site. Another way to help ensure you are accessing the legitimate site is to type the URL of the site in the address bar. For First State Bank of De Queen customers, you can type "fsbdequeen.com" in the address bar and access our site directly.
If you do perform a search to find our website, do not click on any Ads. These are typically denoted with the word "Ad" immediately before the website name.
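The same rule a bookmark enforces can be written as a check on where a link really leads. The following is an added example, not code from the bank: it accepts a destination only when its host is exactly "fsbdequeen.com" or a subdomain of it. The HTTPS requirement is an assumption, and every sample URL is constructed for illustration.

```python
from urllib.parse import urlsplit

# Domain the page tells customers to type in the address bar.
LEGIT_DOMAIN = "fsbdequeen.com"


def is_bank_url(url: str, legit: str = LEGIT_DOMAIN) -> bool:
    """Return True only if the URL's host is the bank's domain or a subdomain."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:           # malformed authority, e.g. unbalanced brackets
        return False
    if parts.scheme != "https":  # assumption: the real login page is HTTPS only
        return False
    # .hostname drops any "user@" prefix and port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host.isascii():       # reject look-alike Unicode letters outright
        return False
    return host == legit or host.endswith("." + legit)


# Constructed sample destinations (not real ads); .example is a reserved TLD.
SAMPLES = [
    "https://fsbdequeen.com/login",
    "https://www.fsbdequeen.com/",
    "https://fsbdequeen.com.secure-login.example/",  # real name used as a prefix
    "https://fsbdequeen.com@login.example/",          # real name in the userinfo part
    "https://fsbdequeen-online.example/",             # hyphenated look-alike
    "https://fsbdequ\u00e9en.com/",                   # accented "e"
    "http://fsbdequeen.com/",                         # not HTTPS
]


def classify(urls):
    """Map each URL to 'bank' or 'not bank' using is_bank_url."""
    return {u: ("bank" if is_bank_url(u) else "not bank") for u in urls}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print(f"{verdict:8}  {url}")
```

Only the first two samples pass; the rest contain the bank's name somewhere in the address but resolve to a different host or scheme.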
What should I do if I feel I have fallen victim to this?
Contact your financial institution immediately. They can reset your password, which should block access using your credentials, or they can disable your account altogether. Once this is done, continue to monitor your account for any suspicious activity. If there are transactions that are suspicious, report them to your institution immediately.
What is it?
Corporate Account Takeover (CATO) is a type of identity theft where thieves gain access to a commercial customer's online banking credentials (username and password). Once the thieves have access to the credentials, they can then log into the customer's online banking account to initiate fraudulent wire and ACH transactions. These transactions will redirect the customer's funds to accounts that are controlled by the thieves.
Businesses of all sizes are susceptible to this type of crime, ranging from commercial farm accounts to governmental entities. The size of the theft can range from a few hundred dollars to several million. Small to medium-sized businesses are viewed as easier targets as many do not have the infrastructure or monitoring in place to help detect this type of theft. While the pay-off per theft may not be as great, thieves will often target the easiest path to complete their crime.
How does it happen?
The most common method of gaining access to online banking credentials is through the use of "phishing" emails. A "phishing" email is a specially crafted email that appears to be from a legitimate source. It will often contain either a link to a malicious website or attachments for its recipient to click or open. Once the recipient has fallen for the bait, malware in the form of "key-loggers" can be installed on the unsuspecting victim's computer, which will be used to steal the credentials. In some cases, the malicious site will mimic the actual online banking website, tricking the victim into entering their credentials.
Once the criminals have access to the victim's online banking account, they can initiate wire transfers or ACH transactions that will move the victim's funds to an account that the criminal controls. Once the criminal has received the funds, they will typically wire the funds to an international account, making recovery difficult, if not impossible.
Other possible sources of theft include:
- Clicking on infected documents, videos, or links on legitimate sites, especially social networking sites, from a computer used to log into online banking
- Inserting an infected USB device in a computer used to access online banking
- Phone calls impersonating bank employees requesting online banking credentials due to a system upgrade or potential fraud being monitored on the account
What protections does First State Bank of De Queen have in place?
First State Bank of De Queen provides the following protections to Cash Management ACH Originators¹:
- Complex Passwords: We require the use of strong, complex passwords for Cash Management users. We know that changing passwords can be a burden, but we highly recommend that users periodically change their passwords.
- Multifactor Authentication (MFA): Users of Cash Management are required to utilize MFA. This is accomplished through the use of a "hard" token or a "soft" token, which is an application installed on the user's phone or desktop. This token generates a random 6-digit code every 30 seconds that must be entered during user login.
- Dual Controls: Cash Management requires the use of dual controls. This type of control prevents a single user from both creating an ACH batch and then approving the batch.
- Challenge/Security Questions: Every Cash Management user is required to establish security questions/answers when setting up their account. The user will be prompted with these questions when transactions that are abnormal are created. Examples would be batches submitted during closed hours, sharp increases in amounts, or a login attempt from a different state or county than normally used to access Cash Management.
- Exposure Limits: Exposure limits are set to establish the maximum allowed daily dollar limit for ACH Origination files. Separate limits, up to the maximum, may be applied individually among a company's Cash Management users.
- Time Restrictions: Time restrictions can be set per user to allow access to Cash Management during specified times each day.
- Bank Release of New Users: When a new user is created, the bank must enable the account before it can be used. This prevents a criminal from taking over an administrator account and creating new users for immediate use.
- Internal Monitoring of ACH Origination Activity: The bank has internal processes that detect any abnormal ACH Origination activity. These processes allow us to respond to any abnormal behavior quickly.
It is important to note that while the protections we have in place provide a good deal of protection, they are not foolproof and the risk from this type of crime remains high.
How can you help protect yourself against CATO Fraud?
While First State Bank of De Queen employs the protections above, it is vitally important that customers also implement controls and practices to prevent falling victim to CATO.
- Use a dedicated workstation for Cash Management/Online Banking that is not used for email or other activity. Lock down use of USB/Thumb drives.
- Use anti-virus on all workstations with real-time scanning and regularly scheduled scans. Keep definitions updated.
- Keep your workstations up-to-date with operating system patches. Microsoft Windows provides settings to automatically download and install Windows patches as they are released.
- Prevent workstation access after work hours.
- Limit administrative access to the workstations.
- Ensure firewalls are enabled on all workstations. Utilize a firewall on your internet connection that allows only certain traffic into/out of your network.
- Download software only from trusted, secured sources.
- Treat all email as malicious. Do not click on links or open attachments that you were not expecting, even if the sender is a trusted sender.
- Lock computers when not in use.
- Only visit trusted web sites.
- Avoid password re-use. Create unique usernames and passwords for all of the sites you visit. You can utilize a password vault to keep up with your passwords. Most will automatically generate long, complex passwords that you don't have to remember; you can just copy and paste.
- Avoid saving your username and password in your browser. Many browsers will offer to "store" your username and password; this should be avoided.
- Never share your username and/or password.
- Review daily ACH Origination activity.
- Limit access to Cash Management to only those users that need it.
- Develop an Incident Response Plan that defines what your response will be to a CATO event. Include how you will monitor for activity, who is responsible for implementing the activities of the plan, who you will contact, etc.
- Sign up for text/email alerts for ACH Origination activity on your account.
- Notify the bank immediately if you suspect fraud.
- Perform periodic user reviews, to include whether or not access is still needed, daily limits, time restrictions, and account restrictions.
- First State Bank of De Queen will never email or call requesting your account credentials. If you believe your credentials have been compromised, contact the bank immediately.
- Educate your employees on the threat of a CATO attack.
What is it?
Business Email Compromise (BEC) is a type of fraud where a criminal will gain control over an email account, or "spoof" an email account, and send an email requesting the transfer of funds to a designated account controlled by the criminal. Most often, the means of transferring funds is via a wire transfer.
How does it work?
A criminal impersonates the email address of someone with authorization to request wire transfers, either by taking over the account or by making it look like the email was sent from the account. This can be an internal person (CEO, CFO, business line manager, owner, etc.), or an external person (vendor, contractor, etc.). The email will come at a busy time of the day, say opening on a Monday, or closing on a Friday, and will typically have a sense of urgency. It will instruct the wiring of funds to a designated account. Due to the urgency and the believable email, the victim will initiate the wire transfer to the account requested. Once the criminal has received the funds, they will wire the money to an international account, most likely preventing recovery of funds.
How can I prevent it?
First State Bank of De Queen does not accept wire transfers through its Cash Management product. As ACH Origination can also provide a means of transferring funds, here are some steps that can be taken to mitigate the risk of BEC:
- Simply don't accept Wire/ACH requests via email.
- Develop internal processes and procedures to verify requests to transfer funds that do NOT involve the use of email.
- Be cautious of requests where the Wiring/ACH instructions are foreign, or where the recipient is not one of the businesses you normally wire money to.
- Require written supervisory approval of Wires prior to initiating the Wire/ACH Origination request.
- Impose a cut-off time for submitting Wire/ACH transfers.
¹ First State Bank of De Queen Cash Management does not provide the capability to generate wire transfers.