FRAUD & SECURITY

Advanced technology allows criminals to pretend to be a loved one or anyone you may know by using artificial intelligence and machine learning to mimic their voice or make a fake video. While pretending to be someone you trust, they urgently ask you to send them money. You should always verify instructions are coming from the real person by calling them back directly. Don’t rely on caller ID to know if you’re talking to the real person.

Scammers mail QR codes or attach stickers with QR codes on meters and signs, attempting to capture users’ access credentials by redirecting them to spoofed sites. Always type the address or use the official app to avoid being misled to the wrong website.

When reporting a cybercrime, you should only use official government portals and type addresses directly (e.g., IC3.gov) to avoid fraudsters’ look-alikes.

If you need to mail a check, dropping it off at the post office is the best way to ensure it reaches the right destination. Electronic payments are the safest way to reduce check fraud risk.

Security is of the highest importance when it comes to your e-banking transactions and personal information. Follow the guidelines below to ensure your information remains safe and secure:

Secure Login ID and Password or PIN

• Do not disclose Login ID and Password or PIN.
• Do not store Login ID and Password or PIN on the computer.
• Use a long, unique passphrase for all of your accounts. Do not rotate on a schedule; instead, only change your password if you suspect an account was compromised or a site breach. Using a reputable password manager also helps reduce false positives from password-locking yourself and lowers your risk of a breach by avoiding reuse.

Keep personal information private.

Do not disclose personal information such as address, mother’s maiden name, telephone number, social security number, bank account number or e-mail address — unless the one collecting the information is reliable and trustworthy.

Keep records of online transactions.

• Regularly check transaction history details and statements to make sure that there are no unauthorized transactions.
• Review and reconcile monthly credit card and bank statements for any errors or unauthorized transactions promptly and thoroughly.
• Check e-mail for contacts by merchants with whom one is doing business. Merchants may send important information about transaction histories.
• Immediately notify the bank if there are unauthorized entries or transactions in the account so we can block fraudulent transactions and open an investigation.

Check for the right and secure website.

• Before starting any online transactions or sending personal information, make sure that the correct website has been accessed. Beware of bogus or “look alike” websites which are designed to deceive consumers.
• Type in a website’s address or use its official app instead of relying on a padlock icon alone (sometimes this is just a virtue signal and not indicative of the site’s trustworthiness). Don’t rely on HTTPS connection encryption since this isn’t proof that a site is legitimate. And always inspect the website URL carefully to ensure it’s not a look-alike.
• Always enter the website’s URL directly into the web browser. Avoid being redirected to the website or hyperlinking to it from a website that may not be as secure.
• If possible, use software that encrypts or scrambles the information when sending sensitive information or performing e-banking transactions online.

Protect your personal computer from hackers, viruses, and malicious programs.

• Install a personal firewall and a reputable anti-virus program to protect your personal computer from virus attacks or malicious programs.
• Ensure that the anti-virus program is updated and runs at all times.
• Always keep the operating system and the web browser updated with the latest security patches in order to protect against weaknesses or vulnerabilities.
• Always check with an updated anti-virus program when downloading a program or opening an attachment to ensure that it does not contain any viruses.
• Install updated scanner software to detect and eliminate malicious programs capable of capturing personal or financial information online.
• Never download any file or software from sites or sources, which are not familiar or hyperlinks sent by strangers. Opening such files could expose the system to a computer virus that could hijack personal information, including password or PIN.
• Cookies — A “cookie” is a small file that our website uses to enhance your online banking experience. No personal information or passwords are ever stored in this file. NobleBank & Trust has a strict Privacy Policy that protects your personal information.
• Per the Children’s Online Privacy Act, NobleBank & Trust does not collect information about children under the age of 13, nor recordings of children’s voices via the use of audio files.

Do not leave your computer unattended when logged in.

• Log off from the internet banking site when your computer is unattended, even if it is for a short while.
• Always remember to log off when e-banking transactions have been completed.
• Clear the memory cache and transaction history after logging out from the website to remove account information. This would avoid incidents of the stored information being retrieved by unwanted parties.

Check the site’s privacy policy and disclosures.

• Read and understand website disclosures, specifically those regarding refunds, shipping, account debit/credit policies, and other bank terms and conditions.
• Before providing any personal financial information to a website, determine how the information will be used or shared with others.
• Check the site’s statements about the security provided for the information divulged.
• Some websites’ disclosures are easier to find than others — look at the bottom of the home page, on order forms, or in the “About” or “FAQs” section of a site. If you are not comfortable with the policy, consider doing business elsewhere.

Other internet security measures:

• Do not send any personal information, particularly a password or PIN, via ordinary e-mail.
• Do not open other browser windows while banking online.
• Avoid using shared or public personal computers when conducting e-banking transactions.
• Disable the “file and printer sharing” feature on the operating system if conducting banking transactions online.
• Contact the banking institution to discuss security concerns and remedies to any online e-banking account issues.

• Use a strong device lock of at least a 6-digit passcode or, even better, an alphanumeric code. If available, enable biometrics and turn on auto-lock.
• Do not store sensitive information on your phone itself. If you must store confidential information on your device, ensure it is encrypted and password-protected.
• Install anti-virus and/or anti-malware software on your device if possible.
• Maintain secure channels and secure communication protocols (SSL) as often as possible.
• Ensure you set up remote wipe capabilities on your device so it can be located or wiped if lost (Find My iPhone, for example).

(Spot suspicious activities quickly and enable real-time monitoring by using mobile alerts and app-based controls.)

The Federal Trade Commission has provided important information on identity theft. Visit their site now to read about identity theft and how you can protect your sensitive information.

(Tip: In an effort to help their customers act fast if they suspect fraud or other criminal activity, many banks combine online financial safety education with prevention tools like transaction monitoring and real-time alerts.)

Automated Teller Machine (ATM) and debit cards

• Use ATMs that are familiar or that are in well-lit locations where you feel comfortable. If the machine is poorly lit or in a hidden area, use another ATM.
• Have your card ready before approaching the ATM. Avoid having to go through your wallet or purse to find your card.
• Do not use ATMs that appear to have been tampered with or otherwise altered. Report such conditions to the bank.
• Memorize your ATM personal identification number (PIN) and never disclose it to anyone. Do not keep those numbers or passwords in your wallet or purse. Never write them on the cards themselves. Avoid using easily available personal information like a birthday, nickname, mother’s maiden name, or consecutive numbers.
• Be mindful of “shoulder surfers” when using ATMs or POS terminals. Stand close to the ATM/POS and shield the keypad with your hand when keying in the PIN and transaction amount.
• If the ATM is not working correctly, cancel the transaction and use a different ATM. If possible, report the problem to the bank.
• Carefully secure your card and cash in your wallet, handbag, or pocket before leaving the ATM or POS terminal.
• Always take your receipt. Compare ATM receipts to your monthly statement. It is the best way to guard against fraud, and it makes record-keeping easier.
• Do not let other people use your card. If your card is lost or stolen, report the incident immediately to the bank.

View the Security Awareness document.

What is corporate account takeover?

“Corporate account takeover” is when cybercriminals gain control of a business’s bank account by stealing the business’s valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business’s computer workstations and laptops.

A business can become infected with malware via infected documents attached to an email or a link contained within an email that connects to an infected website. In addition, malware can be downloaded to users’ workstations and laptops by visiting legitimate websites – especially social networking sites – and clicking on the documents, videos, or photos posted there. This malware can also spread across a business’s internal network.

The malware installs keylogging software on the computer, which allows the perpetrator to capture a user’s credentials as they are entered at the financial institution’s website. Sophisticated versions of this malware can even capture token-generated passwords, alter the display of the financial institution’s website to the user, and/or display a fake web page indicating that the financial institution’s website is down.

In this last case, the perpetrator can access the business’s account online without the possibility that the real user will log in to the website.

Once installed, the malware provides the information that enables the cybercriminals to impersonate the business in online banking sessions. To the financial institution, the credentials look just like a legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns, as well as ACH and wire transfer origination parameters (such as file size, frequency limits, and Standard Entry Class (SEC) Codes).

Cybercriminals use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the U.S. These accounts may be newly opened by accomplices or unwitting “money mules” for the express purpose of receiving and laundering these funds. A “money mule” is a person who transfers stolen money or merchandise from one country to another, either in person, through a courier service, or electronically.

The term is commonly used to describe online scams that prey on victims who are unaware that the money or merchandise they are transferring is stolen. In these scams, the stolen money or merchandise is transferred from the victim’s country to the scam operator’s country. The accomplices or mules withdraw the entire balance shortly after receiving the money, and then send the funds overseas via over-the-counter wire transfer or other common money transfer services.

Why are businesses and organizations targeted?

Cybercriminals appear to be targeting businesses, as well as government agencies and nonprofits, for several reasons:

• Many businesses and organizations have the capability to initiate funds transfers – ACH credits and wire transfers – via online banking (individual consumers generally do not have this capability except for payees set up in online bill payment systems).
• This “funds transfer” capability is often related to a business’s origination of payroll payments.
• In corporate account takeover, cybercriminals may add fictitious names to a payroll file (directed to the accounts of money mules) and/or initiate payroll payments off-cycle to avoid daily origination limits.
• Some businesses do not have the resources to defend their information technology systems.
• Many businesses do not monitor and reconcile their accounts on a frequent or daily basis.
• Some businesses bank with a wide variety of financial institutions with varying degrees of IT resources and sophistication.

Prevention, detection, & reporting for business customers’ account control

• Reconcile all banking transactions on a daily basis.
• Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
• Utilize routine reporting on transactions.
• Perform periodic risk assessment of the banking products/services you use, including regular reviews of user access levels, dollar limits, and activity.
• Immediately report any suspicious transactions to the financial institution.
• Stay in touch with other businesses and industry sources to share information regarding suspected fraud activity.
• Government entities (i.e., FDIC, IRS, etc.) will not contact business customers to request software installation or the customer’s access credentials.

Computer security tools & practices

• Install a dedicated, actively managed firewall. A firewall limits the potential for unauthorized access to a network and computers.
• Install commercial anti-virus software on all computer systems.
• Ensure virus protection and security software are updated regularly.
• Ensure computers are patched regularly, particularly operating systems and key applications, with security patches.
• Consider installing spyware detection programs.
• Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes, or similar information. If you are not certain of the source, do not click any links.
• Use long, unique passwords for every login, and store them in a password manager. Don’t force routine password changes; only change your password if prompted by the institution or after suspicion or compromise.
• Prohibit use of “shared” usernames and passwords for online banking systems.
• Use a different password for each website that is accessed.
• Never share username and password information with third-party providers.
• Limit administrative rights on users’ workstations.
• Carry out all online banking activities from a stand-alone computer system from which email and Web browsing are not possible.
• Verify use of a secure session (“https”) in the browser for all online banking.
• Avoid using an automatic login feature that saves usernames and passwords for online banking.
• Never leave a computer unattended while using any online banking or investing service.
• Never access bank, brokerage, or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account numbers and sign-on information, leaving the customer vulnerable to possible fraud.

Business Fraud Prevention Tools

• Positive Pay / Payee Positive Pay: You can reduce your risk of check fraud by comparing issued checks to presented times, allowing legitimate transactions to clear while fraudulent transactions get reviewed.
• ACH filters & ACH Blocks with Separate Accounts: Keep separate accounts for payroll vs. operating to decrease your chances of payment fraud and control electronic debits.
• Transaction Monitoring with Real-Time Detection: Leverage AI-powered fraud detection, machine learning, graph analysis, and advanced pattern recognition to identify suspicious activities and for anomaly detection across payments, including cards, ACH, wires, and real-time payments.
• Account Takeover Controls: Strong authentication, alerts, and geo/device checks should be used to combat account takeover and account takeover fraud before funds are transferred.
• Tuning to Reduce False Positives: Our risk management and compliance teams set thresholds to ensure controls effectively detect fraud while safeguarding the customer experience.

Recommendations for Corporate Account Takeover Victims

• Immediately cease all activity on computer systems that may be compromised. Disconnect the Ethernet or other network connections to isolate the system from remote access.
• Immediately contact your financial institution and request assistance with the following actions:
  • Disable online access to accounts.
  • Change online banking passwords.
  • Open new account(s) as appropriate.
  • Request the financial institution’s agent to review all recent transactions and electronic authorizations on the account.
  • Ensure that no one has requested an address change, title change, PIN change, or ordered new cards, checks, or other account documents be sent to another address.
• Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident to the various agencies, banks, and firms impacted. Be sure to record the date, time, contact telephone number, person spoken to, and any relevant report or reference number and instructions.
• File a police report and provide the facts and circumstances surrounding the loss. Obtain a police report number with the date, time, department, location, and name of the officer who took the report or was involved in the subsequent investigation. Having a police report on file will often facilitate dealing with insurance companies, banks, and other establishments that may be the recipients of fraudulent activity. The police report may initiate a law enforcement investigation into the loss with the goal of identifying, arresting, and prosecuting the offender and possibly recovering losses.
• This document is for information purposes only and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions, and security threats change constantly.

How Banks Detect & Prevent Fraud

Within the banking industry, effective bank fraud detection and financial fraud detection require a coordinated effort that combines skilled teams, proven processes, and advanced software. By analyzing historical data alongside patterns of user behavior, banks can leverage AI-powered fraud detection systems that use real-time monitoring to quickly detect and prevent fraud.

These tools not only identify anomalies but also help reduce the number of false positives, ensuring that legitimate transactions are not unnecessarily blocked. With continuous real-time detection, compliance teams can accelerate investigation into suspicious activities and safeguard customers’ accounts, protect funds, and prevent the type of reputational damage that fraud attempts can cause.

What is Regulation E?

Regulation E protects individual customers using electronic funds transfers (EFT). Non-consumer accounts are not protected by Regulation E.

What is an EFT?

An electronic funds transfer (EFT) is any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer’s account. The term includes, but is not limited to:

• Point of sale transfers
• Automated teller machine transfers (ATM)
• Direct deposits or withdrawals of funds
• Transfers initiated by telephone
• Transfers resulting from debit card transactions, whether or not initiated through an electronic terminal
• Transfers initiated through internet banking and bill pay

How does Regulation E apply to a consumer using internet banking and/or bill pay?

Regulation E is a consumer protection law for accounts such as checking or savings, established primarily for personal, family, or household purposes. Non-consumer accounts, such as Corporations, Trusts, Partnerships, LLCs, etc., are excluded from coverage. Regulation E provides consumers a means to notify their financial institution that an EFT has been made to their account without their permission. If you are unsure if your account is protected by Regulation E, contact us.

What protections are provided to consumers under Regulation E for consumers who use internet banking and/or bill pay?

If you believe an unauthorized EFT has been made to your account, contact us immediately. If you notify us within two business days after you learn of the unauthorized transaction, the most you can lose is $50. Failure to notify the bank within two business days may result in losses up to $500.

No liability limit: Unlimited loss to a consumer account can occur if:

• The periodic statement you receive reflects an unauthorized transfer of money from your account, and
• You don’t report the unauthorized transfer to the bank within 60 days after the statement was mailed, and
• The loss could have been avoided if you had given timely notice.

How does Regulation E apply to a non-consumer using internet banking and/or bill pay?

A non-consumer using Online Banking and/or Bill Payment is not protected under Regulation E. Because the customer is not protected by Regulation E, special consideration should be made by the customer to review the controls in place to ensure that they are commensurate of the risk level that the customer is willing to accept.

What precautions should a non-consumer take because they are not protected by Regulation E?

As a non-consumer customer, you should perform a risk assessment and periodically evaluate the controls you have in place. The risk assessment should be used to determine the risk level associated with any internet activities you perform and any controls in place to mitigate these risks, including reviews that can surface internal fraud.