Commercial Businesses Information Security Awareness
Monthly SANS OUCH! Newsletters
The SANS Institute describes their monthly newsletter as “Carefully researched and developed by the SANS Securing The Human team, SANS instructors and members of the community. Each issue focuses on and explains a specific topic and actionable steps people can take to protect themselves, their family and their organization.”
For more information, visit https://www.sans.org/security-awareness-training/ouch-newsletter
| January 2018 | February 2018 | March 2018 | April 2018 |
| May 2018 | June 2018 | July 2018 | August |
Additional Security Awareness Topics
- Mobile Banking Security Tips
- Online Security
- Virus Protection
- What is “Phishing?”
- Who Are Cyber-Criminals?
- How Cyber-Criminals Operate
- Security Commitment
- Security Notices
BUSINESS BANKING RED FLAGS
The vast majority of cyber thefts begin with the thieves compromising the computer(s) of the business account holders. Iowa State Bank customers should be alert for the following red flags, which may indicate that your system or network has been compromised:
- Inability to log into online banking (thieves could be blocking customer access so the customer won’t see the theft until the criminals have control of the money);
- Dramatic loss of computer speed;
- Changes in the way things appear on the screen;
- Computer locks up so the user is unable to perform any functions;
- Unexpected rebooting or restarting of the computer;
- Unexpected request for your one-time password (or token) in the middle of an online session;
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.);
- New or unexpected toolbars and/or icons; and
- Inability to shut down or restart the computer.
Please contact Iowa State Bank immediately to report any suspicious activity, including, but not limited to, the following:
- You suspect a fraudulent transaction.
- You receive a maintenance page while trying to process an online wire or ACH batch.
- You receive an email claiming to be from Iowa State Bank and it is requesting personal/company information.
Be alert for fraudulent (sometimes called “phishing”) emails. They may appear to come from a reputable business or a trusted friend but are actually designed to trick you into downloading a virus to your computer or directing you to a Web site to disclose sensitive or personal information.
- Immediately delete any email that requests your personal information; do not reply to it. Reputable businesses never request personal information (Social Security or credit card numbers, for example) via email.
- Never send your personal information via unsecured email. Sending unsecured email is like sending an online postcard. If Iowa State Bank needs information beyond your name, address, email address and phone number, we will provide you with a secure email form.
- If an email from an unknown – or unsolicited – sender contains an attachment of any kind, do not open it. Delete the email immediately.
- Be cautious when clicking on a link in an email that you receive. It may be fraudulent, even though the URL may be identical to the actual company’s Web site. To check the ownership of the destination page, open a new browser window (Internet Explorer or Netscape) and manually type in the URL provided in the email. If they don’t match, immediately delete the email with the suspicious link.
- Cyber-criminals “spam” large numbers of recipients with fraudulent emails, without actual knowledge of their banking affiliation. These emails request and collect email addresses and other confidential information like financial account numbers, IDs and passwords. The cyber-criminals have copied the logos and the content styles of widely known and respected financial institutions in an attempt to elicit a response from a recipient who may or may not be a customer of that financial institution.
Mobile devices (smart phones and tablets) are computers whose software has led to many conveniences, such as mobile banking, accessing email, and web browsing from the devices. Unfortunately, cyber threats have also continued to increase. The following tips can help protect you and your mobile device.
- Lock Your Device. Use the keypad lock or phone lock function on your mobile device so that when it is not in use, no one else can use it or view your information. Be sure to keep your device in a secure location when you are not using it to protect it from being stolen or used by an unauthorized party.
- Use Your Mobile Phone’s Security Features. Enable encryption and remote wipe capabilities if available. Consider using additional security software and antivirus solutions that may be available for your type of mobile phone. Refer to your phone’s user manual or contact your mobile provider for more information on these features.
- Do NOT Follow Links Sent in Suspicious Email or Text Messages. Do not follow these links, as they may lead you to websites that cause malicious code to be downloaded to your device. Never reveal account information or passwords in an email or text message claiming to be from the bank. We will NEVER ask you for this information via text or email.
- Do NOT Store Sensitive or Personal Information on Your Mobile Device. If an unauthorized party accesses your mobile device, you will be more vulnerable if you store personal information such as passwords and account numbers on the device. It is a good idea to delete browser history, text messages and files from your device regularly.
- Be Careful When Downloading Apps. Download apps only from reputable sources such as your provider’s app store to avoid downloading apps with malware or malicious code.
- Disable Bluetooth, Infrared, or Wi-Fi when not in use. Attackers have been known to exploit weaknesses in software that uses these interfaces.
- Set Bluetooth-Enabled Devices to Non-Discoverable. When in discoverable mode, your Bluetooth-enabled devices are visible to other nearby devices, which may include a cyber-attacker’s device.
- Avoid Joining Unknown Wi-Fi Networks or Public Wi-Fi Hotspots. Attackers can create fictitious Wi-Fi hotspots designed to attack mobile phones and may monitor public Wi-Fi networks for unsecured devices.
- Protect Your Money. When banking and shopping, check to be sure the site is security enabled. Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information.
- Notify the Bank if your Mobile Phone is Lost or Stolen. If your mobile phone is lost or stolen, contact the bank to have your mobile app deactivated on the lost device. If necessary, wipe the phone. Some mobile service providers offer remote wiping, which allows you or the provider to remotely delete all data on the phone.
- Delete all information stored in a device prior to discarding it. Check the website of the device’s manufacturer or ask your service provider for information about securely deleting data. Your service provider may also have useful information on securely wiping your device.
You can help protect yourself against online fraud and identity theft by following these guidelines:
- If you suspect a Web site is not what it claims to be, leave it immediately. Do not follow any of the instructions it presents.
- Only do business with the companies you know and trust.
- Be aware! Phony “look-alike” Web sites are designed to trick consumers and collect their personal information. Make sure the sites you transact business on post their privacy and security statements. Review the statements carefully.
- Provide sensitive personal or financial information only when you have initiated it and only if the page is secure.
- Make sure the Web site is certified with a digital security certificate by clicking on the “closed lock” or “solid key” image located in the bottom bar of your browser window. A small frame with site security information will appear. Click the word ‘Subject’ for Internet Explorer to verify you are on the correct Web site, and make sure the registered owner matches the site. To verify the site certification authority, click the ‘Issuer’ tab. For Netscape, click on “View Certificate” to view subject and issuer details.
- Choose passwords or Personal Identification Numbers (PINs) that are difficult for others to guess (NOT your birthday or street address or the last four digits of your Social Security number), and use a different password for each of your Internet accounts. Change these passwords frequently. Use both letters and numbers and a combination of lower- and upper-case letters if the passwords are case-sensitive.
- Maintain current versions of your computer’s operating system and Internet browsers.
- When you’re not online, always disconnect from the Internet.
- Always back up the files on your computer.
- Install a personal firewall to help prevent unauthorized access to your home computer, especially if you connect to the Internet via a cable modem or a digital subscriber line (DSL) modem.
- Keep your anti-virus software up-to-date. Anti-virus software needs frequent updates to guard against new viruses. Download the anti-virus updates as soon as you’re notified that a download is available. Some antivirus programs offer an “auto-update” feature, where regular updates are made automatically for you.
“Phishing” refers to a person or a group of cyber-criminals creating an imitation or copy of an existing legitimate Web page to trick users into providing sensitive personal information. Responding to “phishing” emails puts your accounts at risk.
WHO ARE CYBER-CRIMINALS?
“Phishing” cyber-criminals solicit personal data from unsuspecting victims via the internet – like personal IDs, passwords, card numbers and PINs – and sell this information to other criminals who use it for financial gain. They can also access a customer’s accounts through online banking and set up false bill payments that send checks to the criminal or a conspirator. In other cases, criminals transfer funds from all available customer accounts, including credit cards, savings accounts and home equity loans into their checking account. A copy of the customer’s credit card or check card is then used with their PIN at ATMs around the world to withdraw cash from their checking account.
To increase the number of responses, cyber-criminals include upsetting or exciting statements in their emails. They want people to react immediately and respond with the desired information without thinking. To protect yourself, take the time to examine the claims made in the email. If you receive an email requesting sensitive information, check its authenticity by contacting the company that appears to be the originator of the email.
At Iowa State Bank, we’re committed to protecting your privacy and security. We will never initiate a request via email for sensitive information from you (i.e., Social Security Number, Personal ID, Password, PIN or account number). We strongly suggest that you do not share your Personal ID, Password, PIN or account number with anyone, ever.