Internet Banking Security Information

About scams and spoofs

Many financial institutions that do business on the Internet have become the target of fraudulent email and website scams. Every Internet user should know about these spoof (also called phishing or hoax) e-mails that appear to be from a well-known company but can put you at risk.

Even if you don't provide what they ask for, simply clicking the link could subject you to background installations of key logging software or viruses.

How to identify online fraud

It is difficult to distinguish if an email is legitimate. Scammers have become increasingly sophisticated in creating fraudulent emails and websites that look authentic. These emails and Websites often appear to be from legitimate companies and include images and logos of these organizations.

Characteristics of fraudulent emails and websites

Our bank will never send out an email requesting you to provide, update or confirm sensitive data.

Spoofs often have a sense of urgency telling clients that if they fail to update, verify or confirm their personal or account information, access to their accounts will be suspended.

Spoof emails typically ask for personal or account information such as:

• Account numbers
• Credit and check card numbers
• Social Security Numbers
• User IDs and passwords
• Mother's maiden name
• Date of birth
• Other sensitive information

They often include links that include a legitimate company's name or website address. The fraudulent emails will disguise or forge the sender's email address so they appear to be from a legitimate company.

How to protect yourself from online fraud

• Never provide personal or financial information to unsolicited email, phone or pop-up website requests.
• Type the Website addresses (URL) into browsers instead of clicking on links in emails.
• Change User IDs and passwords every 30 days.
• Keep anti-virus and anti-spam filtering software on your computer up to date.

If you suspect an email to be a spoof

If you suspect that you've received a fraudulent email, please forward it to us immediately and then delete it from your inbox.

Our e-mail address is: ContactUs@commbk.net

What is Corporate Account Takeover?

Corporate Account Takeover is an evolving electonic crime typically involving the exploitation of businesses of all sizes, especially those with limited computer safeguards and minimal or no disburesment controls for use with their bank's online business banking system.  These businesses are vulnerable to theft when cyb er thieves gain access toits computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves.  Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets.  Losses from this form of cyber-crime range from the tens of thousands to the millions iwth the majority of these thefts not fully recovered.  These thefts have affected both large and small banks.

This type of cyber-crime is a technologically advanced form of electronic theft.  Malicious software, which is available over the internet, automates many elements of the crime including circumventing one time passwords, authentication tokens, and other forms of multi-factor authentication.  Awareness of online threats and education about common account takeover methods are helpful measures to protect against these threats.  However, due to the dependence of banks on sound computer and disbursement controls of its customers, there is no sigle measure to stop these thefts entirely.  Multiple controls or a "layered security" approach is required.

BASIC ONLINE SECURITY PRACTICES

• Education is Key - Trian you employees
• Secure your computer and networks
• Limit Administrative Rights - Do not allow employees to install any software without receiving prior approval.
• Install and Maintain Spam Filters
• Sure the Internet carefully
• Install & maintain real-time anti-virus & anti-spyware desktop firewalls & malware detection & removal software.  Use these tools regularly to sacn your computer.  Allow for automatic updates and scheduled scans.
• Install routers and firewalls to prevent unauthorized access to your computer or network.  Change the default passwords on all network devices.
• Install security updates (patches) to operating systems and all applications as they become available.
• Block pop-ups
• Use strong password policies
• Do not open attachments from email. Be on the alert for suspicious email
• Do not use public internet access points
• Monitor and reconcile bank accounts daily, especially near the end of the day
• Note any changes in the performance of your computer, dramatic loss of speed, computer locks up, unexpected rebooting, unusual pop-ups, etc.
• Make sure taht your employees know how and to whom to report suspicious activity to at your company and the bank

Contact the Bank if you:

• Suspect a Fraudulent Transaction
• If you are trying to process an Online Wire or ACH Batch and you receive a maintenance page
• If you receive an email claiming ot be fromt he BAnk and it is requesting personal or company information

Incident Response Plan

Since each business is unique, customers should write their own incident response plan.  A general template would include:

1. The direct contact numbers of key bank employees (including their after hours numbers);
2. Steps the account holder should consider to limit further unauthorized transactions, such as:
   • Changing the passwords;
   • Disconnecting computers used for internet banking; and
   • Requesting a temporary hold onall other transactions until out-of-band confirmation can be made;
3. Information the account holder will profide to assist the bank in recovering their money;
4. Contacting their insurance carrier; and
5. Working with computer forensic specialist and law enforcement ot review appropriat equipment.