INTERNET FRAUD & CYBER THREAT
Wire Fraud Is Growing Alarmingly
Wire Transfer Imposter Fraud is one of the costliest cybercrimes against corporations and small businesses. While this threat is real and growing, there are steps you can take to protect your business from these types of activities.
New Approaches to Wire Fraud
It has been called Imposter Fraud, Business Email Compromise, and CEO Fraud. It is a disturbing trend in fraud that has grown at epidemic rates since it was first identified by the FBI in 2013. Imposter Fraud scams use email and social engineering to pose as a senior manager in order to trick employees into sending “urgent” and “confidential” wire transfers directly to the fraudsters’ accounts. This type of fraud can manifest itself in a variety of methods.
Email Account Takeover/Business E-Mail Compromise (BEC)
The thief uses phishing or other means to install malware on an executive’s computer and gains access to the executive’s email account. Once they have this access, thieves will take time to understand the organization’s relationships and the ebb and flow of routine wire transfer requests. They search the email account for words like “invoice,” “deposit,” or “president” to learn about the processes at the business for wire transfers, money movement, and vendor relationships. Once they have learned the organization’s standard practices, they use the compromised email account to create a money transfer request. The fraudsters continually monitor the email account and reroute emails questioning the wire transfer. The real executive is unaware of the request email and any email responses from employees.
Look-Alike Domain
In this case, the fraudster will use publicly available information to learn about the organization’s executives and activities. They will typically send emails to executives in an effort to receive out-of-office replies. They attempt to understand when an executive will be unavailable or traveling. They create a domain that looks similar to the victim company domain. These are a few examples of the false domain names they typically create: they replace the letter l with the number 1 (example.com becomes examp1e.com); they drop the last letter of a domain (example.com becomes example.co); or they may add an extra letter to a domain name that is difficult to spot (progress.com becomes progresss.com). The thief uses the look-alike email address and, based on information they have gathered on the business, makes money movement requests of company employees.
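A mail-filter style check for the three look-alike patterns described above, generalized to any sender domain within two edits of the trusted one. This is an added example, not code from American Business Bank; the function names, the digit-to-letter table and the sample From headers are constructed for illustration.

```python
from email.utils import parseaddr

# Digit-for-letter swaps to undo before comparing (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted):
    """Return 'trusted', 'unrelated' or a 'lookalike: ...' reason for a From header."""
    domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower().rstrip(".")
    trusted = trusted.lower()
    if domain == trusted:
        return "trusted"
    if domain.translate(HOMOGLYPHS) == trusted.translate(HOMOGLYPHS):
        return "lookalike: digit substituted for a letter"
    if trusted.startswith(domain) and len(trusted) - len(domain) == 1:
        return "lookalike: last letter dropped"
    distance = edit_distance(domain, trusted)
    if distance == 1 and len(domain) == len(trusted) + 1:
        return "lookalike: extra letter added"
    if distance <= 2:
        return "lookalike: within two edits"
    return "unrelated"

# Constructed From headers, using the domains named in the text above.
SAMPLES = [
    ("Pat Lee <pat.lee@example.com>", "example.com"),
    ("Pat Lee <pat.lee@examp1e.com>", "example.com"),
    ("Accounts Payable <ap@example.co>", "example.com"),
    ("CFO <cfo@progresss.com>", "progress.com"),
    ("newsletter@vendor-payments.net", "example.com"),
]

def review(samples):
    """Map each sample header to its classification."""
    return {header: classify_sender(header, domain) for header, domain in samples}

if __name__ == "__main__":
    for header, verdict in review(SAMPLES).items():
        print(f"{verdict:45} {header}")
```

A message classified as a look-alike is a candidate for quarantine or for the out-of-channel confirmation described later on this page, not proof of fraud on its own.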
Forged Vendor Invoice
Fraudsters may also target an organization’s vendor relationships. To forge a vendor invoice request, the fraudster may compromise an email address from the vendor, or from an individual within the organization’s finance department. The thief will attempt to obtain sample invoices and gain insight into the relationship between the vendor and the organization, including typical invoice and payment patterns. With that information in hand, the fraudster will either use a compromised email account or look-alike domain email account to submit an invoice with altered payment information. The invoice payment is routed to the fraudster’s account rather than the vendor.
Confidential and Urgent – Phishing
Thieves may also craft an elaborate story when sending a compromised or look-alike email. Often the story involves events that must be kept confidential, such as an upcoming acquisition or large purchase. The requests are extremely urgent in nature, requiring the target employee to act immediately. The combination of extreme urgency and high confidentiality persuades the employee to act quickly and secretively, sometimes conflicting with or bypassing company safeguards and practices. Do not respond to unsolicited emails asking for account or credit card information, usernames or passwords, Social Security Number, date of birth or any other personal and financial information. (American Business Bank will NEVER ask for personal information in this manner.)
Establish dual control for all money movement activities. Ensure that every funds transfer requires a transaction creator and separate approvers. Utilize online banking security features to set additional approval levels based on the dollar amount of the transaction. Set up online alerts to notify approvers when a money transfer request is awaiting approval. Utilize the approval feature within your bank’s mobile application to ensure that senior management can approve transactions on-the-go.
Confirm All Requests
Instruct employees to always confirm requests for money movement. To confirm requests, employees should use a channel different from the channel used to make the request. For example, an email request should be followed up with a telephone call to the requestor.
Control Publicly Available Information
Exercise restraint when publishing information regarding employee activities. Fraudsters will use this information to determine ideal time frames for committing fraud.
Monitor Account Activity
Regularly review your online activity for debits, credits, check orders, wires, ACH transactions and new payees and accounts that you don’t recognize. If you see unauthorized activity, contact American Business Bank immediately so we can disable online banking and stop any additional unauthorized activity.
Detect Man-in-the-Middle or Man-In-The-Browser Attacks
If, while you are in Online Banking, your screen freezes or an unexpected pop-up box appears asking you for other types of personal information or prompting you to authenticate with a secure code when you are not conducting a transaction, please call us at 213.430.4000 and speak to Treasury Management Services so we can assist you in determining whether what you are experiencing indicates that your machine may have been compromised.
A man-in-the-middle attack is like eavesdropping. Data is sent from your computer to a website, and an attacker can get in between these transmissions. They then set up tools programmed to “listen in” on transmissions, intercept data that is specifically targeted as valuable, and capture the data. Sometimes this data can be modified in the process of transmission to try to trick the end user into divulging sensitive information, such as log-in credentials. Once the user has fallen for the bait, the data is collected from the target, and the original data is then forwarded to the intended destination unaltered.
Man-in-the-browser is a form of Internet threat related to man-in-the-middle. It infects a web browser by taking advantage of vulnerabilities to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application. These attacks may be countered by using out-of-band transaction verification.
Ensure employees are aware that this type of fraud is a real threat. Educate employees on the proper process for initiating money transfers, and enforce this process with all requests. Coach executives to encourage verification of all wire transfer requests. Encourage executives to introduce themselves to the Accounts Payable team and let them know it is acceptable to question any payment request.
Investigate Bank Inquiries
Often this type of fraud will trigger alarms at your bank. When the bank contacts the business to confirm the authenticity of the wire, the company employees will confirm the wire as legitimate since it originated from an executive’s request. Thus, the wire transfer is processed even though the bank questioned its authenticity. Instruct employees to take additional steps to ensure a wire is accurate and legitimate if they are contacted by the bank regarding a wire’s validity.
DDOS (Distributed Denial of Service) Attacks
These attacks consist of flooding a website with millions of requests for information at once to create a “traffic jam” that temporarily disrupts legitimate users from accessing a website. In recent years, many businesses have faced online DDOS Attacks meant to delay or prevent customers from accessing their website resources. These attacks do not compromise the website security or banking systems; they merely slow the site down or make it inaccessible. American Business Bank has processes in place to identify and block these types of attacks, but initially customers may experience slower-than-normal connections to ABB Connect. If you are ever unable to connect to americanbusinessbank.com or ABB Connect during an attack, you may contact us for assistance at 213.430.4000.
- If you use Wi-Fi (wireless) networks, remember that many public hotspots do not have the same security layers as secured networks and therefore may not be as safe. If you have a wireless network in your office, make sure your IT Security Expert has configured it using best practices to prevent unauthorized access.
- If any request for information appears to come from a legitimate company but you are suspicious about its authenticity, call the company directly on a number you obtain from the website or other publication. Do not use any information in the email as contact information as it may contain fraudulent contact information.
- Any site where you enter personal or financial information should have https:// at the start of the address.
- If you notice your computer is unusually slow, if your desktop icons have moved, if you are not receiving emails you are expecting, if your phone is being flooded with spam calls, or if you see any other abnormal activity on your computer, alert your IT Security Specialist to scan for viruses, Trojans, spyware and malware.
- Don’t “friend” strangers, as they may be hackers attempting to gather your non-public information. Don’t make your personal information public. Hackers gather birthdays, e-mail addresses, phone numbers, children and pet names to obtain hints to your account and online passwords. Don’t announce vacations or other trips as criminals often strike when you are indisposed. Familiarize yourself with and use the Privacy settings on your social media to restrict who can access your page and profile.
- The convenience of being able to surf the web, text, send and receive e-mail and more has also made your mobile devices vulnerable to many types of cyberattacks. Use the same rules for protecting yourself from email fraud on your computer when emailing on your mobile device. Threats that are unique to mobile include “Smishing”, which is an attack that uses text messages to attempt to fraudulently obtain sensitive information. You should not click on any link, download anything, or provide any personal or financial information via a text request. Another unique threat is Mobile App Malware that has been made available in app stores. Users should only download apps from trusted sources and implement anti-malware software for mobile devices where applicable. Take advantage of any available security settings on your device and do not store unencrypted sensitive personal or account information on your device.
- Use complex passphrases that are composed of uppercase and lowercase letters, numbers, and symbols. Do not use dictionary words and make the password as long as possible. [Example Passphrase: Our family tradition is to play volleyball at our annual reunion at my aunt’s house. – Passphrase could be: Ofti2pv@oar@mah]
- Do not use the same user ID and/or password across multiple sites.
- Use an encrypted password database to store your passwords; do not keep them in a document on your computer for the hackers to access.
Below are some key steps to protecting your computer from intrusion:
Keep Your Firewall Turned On
A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection and require some expertise to configure.
Install or Update Your Antivirus Software
Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.
Install or Update Your Antispyware Technology
Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.
Keep Your Operating System Up to Date
Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.
Do not click on Links in Unexpected or Unsolicited E-mails
E-mail is a prevalent means of attack, used to deliver malicious links and attachments. Links can be disguised as harmless pointers, but when clicked they can trigger the installation of spyware, Trojans, or other malicious software. If you hover your mouse over the link, you can see where the link will take you. If that is a different location than the one the link portrays, that is a red flag.
Be Careful What You Download
Carelessly downloading email attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code. Scan all attachments before opening them.
Turn off Your Computer
With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.
CONTACT AMERICAN BUSINESS BANK AS SOON AS YOU IDENTIFY A POSSIBLE DATA OR SYSTEM BREACH.
To determine some of the federal investigative law enforcement agencies that may be appropriate for reporting certain kinds of crime, please refer to the following table:
|Type of Crime |Appropriate federal investigative law enforcement agencies
|Computer intrusion (i.e. hacking) |
|Internet Fraud matters that have a mail nexus |
|Internet fraud and SPAM |● FBI local office
|Internet bomb threats |
The Internet Crime Complaint Center (IC3)
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IC3’s mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, and local level, IC3 provides a central referral mechanism for complaints involving Internet related crimes.