The best way to detect fraud is by constantly monitoring your account activity. Financial impact is lowest when fraud is detected as soon as possible. A good way to monitor your accounts easily is to use online banking. Customers who access their accounts online, use email alerts, and receive electronic statements maximize the timely notification of activity on their accounts and also reduce the risk of fraud. Here are some ways that you can recognize if you may have been a victim of identity theft:
- You did not receive your statement by mail as expected.
- There are charges on your account that are not familiar.
- You receive credit cards and you did not apply for credit.
- You find new accounts on your credit report that are not yours.
- Posted checks on your account appear significantly out of sequence.
- You receive calls from creditors regarding services you did not buy.
- You are denied credit for no apparent reason.
When it comes to guarding against Identity Theft, perhaps the most important tool at your disposal is your credit report. It details all of your credit transaction accounts, and will be the first place that unusual charges or entirely new accounts will appear. The good news is that you can monitor your credit report for FREE! But you must exercise this option through specific channels.
Since you are entitled to a free report from each of the three major credit reporting agencies annually, security experts advise you to get a free report from a different one of the three agencies every four months. That way, you can keep an eye on your personal account safety year round.
To order your free credit report go to the only authorized source: www.annualcreditreport.com or call 1-877-322-8228.
Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims. Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. To avoid getting hacked:
- Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message. Don't cut and paste a link from the message into your Web browser: phishers can make links look like they go to one place when they actually send you to a different site.
- Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your monthly statements or on the back of your credit card.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
- Don't email personal or financial information.
- Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
- Forward phishing emails to firstname.lastname@example.org – and to the company, bank, or organization impersonated in the phishing email.
Spear Phishing is a variation of phishing. With phishing, criminals might send a single, mass e-mail to thousands of people. Spear phishing attacks are customized and sent to a single person at a time. The spear phishing email usually contains personal information such as your name or some disarming fact about your employment.
A spear phishing email usually includes a link leading to a fake web site that requests personal information. The phony email, which often appears to come from an employer or another seemingly legitimate source, may also contain a downloadable file. That file contains malware which, once downloaded to your computer, collects your personal information and transmits it to the criminal.
You can protect yourself by understanding that these attacks are usually limited to corporate targets. Nearly all of the spear phishing complaints that have been investigated have come from corporate employees. If you receive a suspicious email like this, go directly to HR or to your company’s technical people to learn whether the email is legitimate.
Smishing is yet another variation of phishing; the name is a combination of SMS (Short Message Service, the technology used in text messaging) and phishing. In this scam, the fraudster uses cell phone text messages to lure you to a website, or perhaps to call a phone number that connects to an automated voice response system.
The smishing text message typically urges your immediate attention. For example, it might say it is confirming an order for a large computer purchase, and you need to follow the scammer’s directions in order not to be charged for the item. Once you click on the URL or call the phone number, you are asked to provide card numbers, account numbers, PIN numbers, etc.
You can protect yourself by assuming that no legitimate business would contact you by text message with a request of this nature. If the message seems credible, use your phone to call 411 for the correct phone number, then call their customer service and ask about the message.
Vishing is the name for phishing attacks using the telephone. The term is a combination of voice and phishing, and is typically used to steal credit card numbers, bank account numbers and passwords. You might receive a phone call advising you that your credit card has been used illegally, and to call a certain number to “verify” your account number.
You can protect yourself by being suspicious of any phone call asking you to provide credit card or bank numbers. Rather than provide the information, contact Midtown Bank or your credit card company directly to verify the validity of the message.
Debit & Credit Card Skimming attempts to hijack your personal information and your identity by tampering with machines where you swipe/insert your Debit or ATM card. Fraudsters set up a device that is capable of capturing the card's magnetic stripe and keypad information from the swiping machine, then sell this information to criminals who use it to create new cards with your account number.
You can protect yourself first by reducing your risk at machines where your card can be swiped – use machines from places you know and trust. A thief has to be able to attach and retrieve a skimming device to use the data it’s gathered, which is easier in settings where there’s less traffic and no surveillance cameras. Additionally, if you notice a change at a machine you use routinely, such as a color difference in the card reader or a gap where something appears to be glued onto the slot where you insert your card, that’s a warning sign to find another machine.
Fake Check Scams use technology to create realistic cashier's checks. These checks are used by scammers to pay for online purchases or, most notoriously, in connection with some form of foreign lottery that you are told you won. The scam always involves your accepting the fake cashier's check, which is for more than the purchase price, then your sending the difference in a separate check to the scammer. You keep the worthless fake check, and the scammer keeps your real check (with your real money).
You can protect yourself using basic common sense. If you are selling something, insist the buyer pay by traditional means. Remember that if you didn’t enter the lottery, you would not win it. And of course, never accept a check for more than the amount due.
Corporate account takeover occurs when a criminal obtains electronic access to your bank account and conducts unauthorized transactions. The criminal obtains electronic access by stealing the confidential security credentials of your employees who are authorized to conduct electronic transactions on your corporate bank account.
How are confidential security credentials stolen?
There are several methods being employed to steal confidential security credentials. One is to mimic the look and feel of a legitimate financial institution’s website. Users provide their credentials to these sites without knowing that a perpetrator is stealing their security credentials through a fictitious website which appears to be their financial institution.
A second method is malware that infects computer workstations and laptops via infected emails with links or document attachments. In addition, malware can be downloaded to a user’s workstation and laptop from legitimate websites, especially social networking sites. Clicking on the documents, videos or photos posted there can activate the download of the malware. The malware installs software on the computer, which allows the perpetrator to capture the user’s ID and password as they are entered at the financial institution’s website.
Other viruses are more sophisticated. They alert the perpetrator when the legitimate user has logged onto a financial institution’s website, then trick the user into thinking the system is down, or not responding. During this perceived downtime, the perpetrator is actually sending transactions in the user’s name.
What does corporate account takeover look like?
If multifactor authentication is not used and a user’s credentials are stolen, the perpetrator can take over the account of the business. To the financial institution, the credentials appear to be the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns and ACH and wire transfer origination parameters such as file size and frequency limits and Standard Entry Class (SEC) codes.
With an understanding of the permissions and the limits associated with the account, the perpetrator can transfer funds out of the account using wire transfers or ACH files. With ACH, the file would likely contain PPD (Prearranged Payments & Deposits) credits routed to accounts at one or more receiving depository financial institutions (RDFI’s). These accounts may be newly opened by accomplices or unwitting “mules” for the express purpose of receiving and laundering these funds. The accomplices or mules withdraw the entire balances shortly after receiving the money and send the funds overseas via wire transfer or other popular money transfer services.
Perpetrators also send ACH files containing debits in order to collect additional funds into the account that can subsequently be transferred out. The debits would likely be CCD (Cash Concentration & Disbursement) debits to other small business accounts for which the perpetrator has also stolen the credentials or banking information. Given the 2-day return timeframe for CCD debits and the relative lack of account monitoring and controls at many small businesses, these debit transactions often go unnoticed until after the return timeframe has expired.
What can business customers do to protect themselves (best practices)?
Business customers can take many steps to protect themselves against account takeover:
- One of the most effective, yet basic, controls is for business customers to always initiate ACH and wire transfer payments under dual control. For example, one individual initiates the creation of the payment file, and another approves the file for release.
- Using multiple factors to prove identity is very effective in preventing a successful attack. Multiple factors are more challenging to compromise. For example, the use of 1) something the person knows (user ID, PIN, Password), and 2) something the person has (password-generating token, USB token) can substantially reduce the vulnerability to an attack. Tokens that generate single-use codes are among the best practices.
- Restrict functions that authorized employees may perform to specific computer workstations and laptops that are used solely for online banking and payments. This will help prevent the inadvertent downloading of malware or other viruses by users.
- Ensure that your company’s operating system and its components are up to date with current software patches. For example, the use of the most current firewalls, malicious code filtering, virus protection and spyware removal software will aid in the control of network intrusion tactics.
- Business customers should reconcile their bank accounts daily. Many business customers, particularly small businesses, may not typically reconcile their bank account on a daily basis, and therefore may not recognize fraudulent activity until it is too late to take action. The Electronic Funds Transfer Act (Regulation “E”) is a consumer regulation and does not protect business clients from fraudulent electronic funds transfers (EFTs).
- Business customers should train all staff who interact with the online banking system on corporate account takeover.
- Business customers should consider completing a risk assessment and controls evaluation periodically to mitigate any risk findings.
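The dual-control and daily-reconciliation practices above can be checked mechanically. The following Python check is an added example, not Midtown Bank's own tooling: it matches the ACH entries a bank reports against the payments a business actually approved, flags approvals that lacked a second person, and marks unmatched CCD debits as still returnable or past the 2-day return timeframe. The record fields, status labels and sample entries are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# 2-day CCD debit return timeframe from the text; calendar days here (assumption)
RETURN_WINDOW_DAYS = 2

@dataclass(frozen=True)
class Approved:          # a payment the business itself released
    sec_code: str
    kind: str            # "credit" or "debit"
    amount_cents: int
    counterparty: str
    initiator: str
    approver: str

@dataclass(frozen=True)
class Posted:            # an ACH entry the bank reports on the account
    sec_code: str
    kind: str
    amount_cents: int
    counterparty: str
    posted_on: date

def _key(e):
    return (e.sec_code, e.kind, e.amount_cents, e.counterparty)

def reconcile(posted, approved, today):
    """Return (status, entry_key) findings for one day's reconciliation."""
    findings, valid = [], Counter()
    for a in approved:
        # Dual control: an approver must exist and differ from the initiator.
        if a.approver and a.approver != a.initiator:
            valid[_key(a)] += 1
        else:
            findings.append(("NO_DUAL_CONTROL", _key(a)))
    for p in posted:
        k = _key(p)
        if valid[k] > 0:            # matched a properly approved payment
            valid[k] -= 1
            continue
        if p.sec_code == "CCD" and p.kind == "debit":
            age = (today - p.posted_on).days
            status = "RETURNABLE" if age <= RETURN_WINDOW_DAYS else "RETURN_WINDOW_EXPIRED"
        else:
            status = "UNAUTHORIZED"
        findings.append((status, k))
    return findings

# Constructed sample data (not real accounts or transactions).
TODAY = date(2024, 3, 5)
APPROVED = [
    Approved("PPD", "credit", 250000, "Payroll J. Doe", "alice", "bob"),
    Approved("CCD", "credit", 120000, "Vendor A", "alice", "alice"),
]
POSTED = [
    Posted("PPD", "credit", 250000, "Payroll J. Doe", date(2024, 3, 4)),
    Posted("PPD", "credit", 980000, "Unknown Recipient", date(2024, 3, 4)),
    Posted("CCD", "debit", 410000, "Unknown Originator", date(2024, 3, 4)),
    Posted("CCD", "debit", 300000, "Unknown Originator", date(2024, 2, 27)),
    Posted("CCD", "credit", 120000, "Vendor A", date(2024, 3, 4)),
]

if __name__ == "__main__":
    for status, key in reconcile(POSTED, APPROVED, TODAY):
        print(status, key)
```

A payment approved by the same person who initiated it is reported and is not accepted as a match, so its posted entry also surfaces as unauthorized.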
If you are a victim of identity theft, take the following four steps as soon as possible and keep a record with the details of your conversations and copies of all correspondence.
- Place a fraud alert on your credit reports, and review your credit reports.
Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of any of the three consumer reporting companies below to place a fraud alert on your credit report. You only need to contact one of the three companies to place an alert. The company you call is required to contact the other two, which will place an alert on their versions of your report, too. If you do not receive a confirmation from a company, you should contact that company directly to place a fraud alert.
Once you place the fraud alert in your file, you're entitled to order one free copy of your credit report from each of the three consumer reporting companies, and, if you ask, only the last four digits of your Social Security number will appear on your credit reports. Once you get your credit reports, review them carefully. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain. Check that information, like your Social Security number, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. See Correcting Fraudulent Information in Credit Reports to learn how. Continue to check your credit reports periodically, especially for the first year after you discover the identity theft, to make sure no new fraudulent activity has occurred.
- Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send your letters by certified mail and return receipt requested, so you can document what the company received and when. Keep a file of your correspondence and enclosures.
When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your Social Security number or your phone number, or a series of consecutive numbers.
If the identity thief has made charges or debits on your accounts, or has fraudulently opened accounts, ask the company for the forms to dispute those transactions:
- For charges and debits on existing accounts, ask the representative to send you the company's fraud dispute forms. If the company doesn't have special forms, use a simple letter to dispute the fraudulent charges or debits. In either case, write to the company at the address given for "billing inquiries," NOT the address for sending your payments.
- For new unauthorized accounts, you can either file a dispute directly with the company or file a report with the police and provide a copy, called an “Identity Theft Report,” to the company.
- If you want to file a dispute directly with the company, and do not want to file a report with the police, ask if the company accepts the FTC’s ID Theft Affidavit. If it does not, ask the representative to send you the company's fraud dispute forms.
- However, filing a report with the police and then providing the company with an Identity Theft Report will give you greater protection. For example, if the company has already reported these unauthorized accounts or debts on your credit report, an Identity Theft Report will require them to stop reporting that fraudulent information. Use the cover letter to explain to the company the rights you have by using the Identity Theft Report. More information about getting and using an Identity Theft Report can be found here.
Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts. This letter is your best proof if errors relating to this account reappear on your credit report or you are contacted again about the fraudulent debt.
- File a complaint with the Federal Trade Commission.
You can file a complaint with the FTC using the online complaint form; or call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Be sure to call the Hotline to update your complaint if you have any additional information or problems.
By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them. The FTC can refer victims' complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces.
Additionally, you can provide a printed copy of your online Complaint form to the police to incorporate into their police report. The printed FTC ID Theft Complaint, in conjunction with the police report, can constitute an Identity Theft Report and entitle you to certain protections. This Identity Theft Report can be used to (1) permanently block fraudulent information from appearing on your credit report; (2) ensure that debts do not reappear on your credit report; (3) prevent a company from continuing to collect debts that result from identity theft; and (4) place an extended fraud alert on your credit report.
- File a report with your local police or the police in the community where the identity theft took place.
Call your local police department and tell them that you want to file a report about your identity theft. Ask them if you can file the report in person. If you cannot, ask if you can file a report over the Internet or telephone. See below for information about Automated Reports.
If the police are reluctant to take your report, ask to file a "Miscellaneous Incident" report, or try another jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check www.naag.org for a list of state Attorneys General.
When you go to your local police department to file your report, bring a printed copy of your FTC ID Theft Complaint form, your cover letter, and your supporting documentation. The cover letter explains why a police report and an ID Theft Complaint are so important to victims.
Ask the officer to attach or incorporate the ID Theft Complaint into their police report. Tell them that you need a copy of the Identity Theft Report (the police report with your ID Theft Complaint attached or incorporated) to dispute the fraudulent accounts and debts created by the identity thief. (In some jurisdictions the officer will not be able to give you a copy of the official police report, but should be able to sign your Complaint and write the police report number in the “Law Enforcement Report” section.)
In the event of fraudulent or suspicious activity please contact Midtown Bank at 404-969-4400.