Security & Privacy

Learn to protect yourself from Identity Theft. American Plus Bank can help. Your identity is one of the most valuable things you own. It’s important to keep your identity from being stolen by someone who can potentially harm your good name and financial well-being. Identity theft occurs when someone uses your name, address, Social Security Number, credit card or financial account numbers, passwords, and other personal information without your knowledge to commit fraud or other crimes. While the words may sound like a foreign language -- Phishing, Pharming, Vishing, Spyware, Dumpster Diving — they are actually techniques used by thieves to put your identity and finances at risk. And their attacks grow more frequent and sophisticated every year. Identity theft is the fastest growing crime in the United States. According to US Department of Justice statistics, it’s now passing drug trafficking as the number one crime in America.

How to protect your identity

The simple fact is you can protect yourself against most forms of identity theft. The first step is education. To make it easier to understand, we’ve divided identity theft into the five “Danger Zones.” Take a few moments to learn about each of the Danger Zones and the steps you can take to avoid being a victim.

Phishing is an email scam used to steal your personal information. Email similar to the one pictured may appear in your inbox, claiming to be from your financial institution, credit card company, or another source. It may appear authentic, but be careful - any email requesting personal information or to "verify" account information is usually a scam. Do not respond to this and do not click on any link from this email.

 

How to spot Phishing and other email scams

 

1. Any email requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

2. The email may instruct you to click on a link, or call a phone number to update your account or even claim a prize.

3. The message will often threaten a dire consequence if you don’t respond immediately, such as closing your account.

 

These are clear signs that someone is "Phishing" for your information.

 

Follow these steps to avoid email scams

 

1. Never respond to any email asking for confidential information, even if it appears urgent. Chances are it is a fraudulent email.

2. Never click on a link from an email. Instead, type the known Website address into your Internet browser.

3. Do not call any phone number provided in a suspicious email. It could be a fake phone number.

4. Always use anti-virus and anti-spyware software on your computer, and keep them up-to-date.

 

Remember, email is not a secure form of communication. So feel free to use your email, but don’t use it to send or receive confidential information. And if you follow the four basic steps listed, you can protect yourself from most phishing and other email scams.

The Internet is a great place to browse and do business. But it can also be a Danger Zone for identity theft if you don’t know what to watch for or how to protect yourself.

 

There are several types of Malware – which means malicious software – that can infect your computer as you surf the web including:

 

• Viruses
• Spyware
• Trojan Horses
• Keystroke Loggers

 

These programs are becoming more sophisticated and ingenious in their ability to infect your computer. Many are designed to steal your personal information.

 

Learn how to practice safe surfing

 

Follow these steps to protect your computer from the majority of Internet crime:

 

1. Make sure you have anti-virus and anti-spyware software installed on your computer, keep them updated, and run a full system scan at least weekly.
2. Keep your computer operating system up to date, and your firewall turned on.
3. Use strong passwords for secure sites. These should include eight or more characters with random numbers, and change your passwords every six months.
4. If you download anything from the Internet such as music, movies, or pictures, make sure you do so only from trusted websites. Downloads can be infected with spyware attached to the file.
5. Watch for signs of spyware—frequent pop up ads, unexpected icons on your desktop, random error messages or sluggish computer performance are all signs of infection. Run a full system anti-virus and anti-spyware scan to safely remove.
6. Be careful when using public computers to perform any type of personal transactions. Just logging into a Website may give away passwords and other private information if spyware has been installed on that computer.

 

Following these steps will help protect you from the most common forms of identity theft while surfing the Internet.

The telephone is one of the most often used sources for criminal activity. Here’s how it works. Your phone rings. The caller claims to be from your financial institution, or any other source. They begin asking questions about you and your account. This could be a telephone scam called Vishing. Someone is attempting to steal your identity. And it happens to millions of Americans every year.

 

Protect yourself from telephone scams

 

Follow these steps to protect yourself from most types of identity theft telephone scams:

 

1. Never offer personal or account information over the phone without verifying the caller’s identity.
2. If you are uncertain of the identity of a caller, hang up and initiate the call yourself using a known phone number.
3. Do not call any phone number received in a voice message or email asking for personal information. It could lead you to a phony answering system.

 

As a general guideline, be highly suspicious anytime you are requested to provide personal information over the phone.

Payment fraud happens when someone uses information from your checks, credit and debit cards, or any other form of payment without your knowledge to commit fraud or other crimes. But this, and other forms of identity theft, can be avoided if you know how to protect yourself.

 

Avoid being a victim of payment fraud

 

Don’t make it easy for criminals to steal your personal information. Here are some common sense tips to protect your identity:

 

1. Balance your checkbook, and verify all account and credit card statements via online banking regularly or as soon as they arrive.
2. Keep all checks, credit and debit cards in a safe place.
3. Don't leave outgoing checks or paid bills in your mailbox, and report lost or stolen items immediately.
4. Don’t write PIN numbers on your credit or debit cards, or leave them in your wallet for a thief to find.
5. Use a paper shredder to securely dispose of any documents containing personal information.
6. Make online purchases only from trusted Web sites. If you have questions about a company, you can check them out with the Better Business Bureau.
7. NOTE!!!!!!!! Consider paying all your bills electronically with online bill pay. This method is considered more secure than mailing paper checks.

 

Reducing your risk of identity theft starts with protecting your personal information. Keep it from getting into the wrong hands. Always be diligent about protecting your identity.

The simple act of sending and receiving mail, and putting your trash out at night can put your personal information at risk. Financial information, checks, bank account and credit card statements, and monthly bills can be stolen from your home, mailbox or even from your trash, and used to access your accounts and steal your identity. Watch the Video

 

Follow these steps to protect against identity theft in your home

 

1. Invest in a personal shredder. This is your first line of defense. Shred checking and credit card statements, cancelled checks, pre-approved credit card offers, or anything with your personal information on it before disposal.
2. Place your garbage out on the morning of pickup rather than the night before. This gives dumpster divers less opportunity to go through your trash.
3. Install a mailbox with a locking mechanism, or pick up your mail immediately after it is delivered each day.
4. Change that old habit of placing mail in your mailbox for the carrier to pick up. Always place outgoing mail in an official, secure mailbox.
5. It’s good practice to store your mail, bank statements, and other papers where they are out of sight and out of reach of anyone who might be in your home.

 

By following these steps you are on the right track to protecting your identity. Learning about all the identity theft danger zones and the simple steps you can take to avoid being a victim, is the best way to protect your good name.

If your identity has been stolen, you need to take immediate action to limit the damage and protect your good name.

 

1. Contact American Plus Bank and other related vendors immediately. Close any accounts that may have been tampered with or opened fraudulently.

2. Place a fraud alert on your credit report with one of the three major credit bureaus. Also request to review your credit report for suspicious activity. A copy of your credit report of is available free each year from www.annualcreditreport.com.

• Equifax: (888) 766-0008

• Experian: (888) 397-3742

• Trans Union (800) 680-7289

1. File a complaint with the Federal Trade Commission at www.ftc.gov.

2. File a report with local police.

 

Protect yourself against fraudulent transactions

 

Consumers are protected in a number of ways against unauthorized electronic transactions, but it’s very important to do your part. These protections do not apply to business accounts:

 

Report lost or stolen debit/ATM cards within two business days.

 

If you lose your debit/ATM card (or other access device) report it immediately.

 

By contacting your financial institution within two business days of discovering the loss, you limit your liability to $50. Waiting more than two business days to report the loss increases your liability up to $500.

 

Important! Review your statement every month.

 

If you find an unauthorized electronic transaction, you have 60 days to report it to your financial institution in order to limit the amount for which you are liable. If you wait more than 60 days you become liable for the unauthorized transactions. So review your statements every month and report any suspicious activity immediately.

The most important step in Mobile Banking security is treating your mobile device like a portable computer. A few common-sense precautions will help protect you from fraud and I.D. Theft:

 

1. Set the phone to require a password to power on the handset or awake it from sleep mode. If it's lost or stolen any personal information stored on the device will be more difficult to access.

2. Whether you're using the mobile Web or a mobile client, don't let it automatically log you in to your bank account. Otherwise, if your phone is lost or stolen, someone will have free access to your money.

3. Don't save your password, account number, PIN, answers to secret questions or other such information on the mobile device.

4. Immediately tell your bank or mobile operator if you lose your phone. The sooner you report the loss, the better protected you are from fraudulent transactions.

5. Download and install antivirus software for your mobile device, according to the manufacturer's recommendations.

6. Be careful when downloading Apps. Downloads should always be from a trusted and approved source and endorsed by your mobile device provider.

7. Avoid "free offers" and "free ringtones." An email or instant message that offers free software downloads, such as ringtones, may contain viruses or malware.

8. Be cautious of e-mails or text messages from unknown sources asking you to update, validate or confirm your personal details including password and account information. Don't reply to text messages from people or places that you do not know.

9. Treat your mobile device as carefully as you would for your wallet, cash or credit cards.

10. Keep track of account transactions. Review your bank statements as regularly as possible to rule out the chances of fraudulent transactions. If you notice discrepancies, contact your bank immediately.

11. Only use Wi-Fi on your device when connected to password protected hotspots. Turn-off any auto-connect features. They might cause your phone to log into insecure wireless networks without your knowledge.

12. Make sure you log out of social networking sites and online banking when you’ve finished using them.

13. Install operating system updates for your device as they become available - they often include security updates.

14. Before you upgrade or recycle your device, delete all personal/business details. Mobile Banking is a useful tool that can simplify your life and make managing your money incredibly convenient. By using common sense, it can also be a safe and secure part of your daily life.

“Social Engineering” is any method of theft that manipulates your human nature in order to gain access to your online financial accounts. Here are a few ways you can protect yourself from thieves using Social Engineering techniques:

 

1. Don't respond to ANY email or social network post or message that asks for money or confidential information. Thieves can hack email and social network accounts, and then pose as a friend or family member in order to gain your trust.
2. Don't assume that an unsolicited phone call or email is actually from a trusted source. Thieves can research your purchases or donations, then pose as a business or charity you trust. Or, they may pose as law enforcement, a bank officer or another trusted authority figure. Just because they have bits of information about you or your past activities doesn't mean they are legitimate.
3. Verify, verify, verify. If someone on the phone, or a message in your inbox, is telling you there is a problem with your online banking account, online auction account or credit card account, don't give them additional information to “fix” the problem. Instead, hang up the phone or delete the email and check those accounts directly by logging in normally or calling a published customer service number.
4. Be conscious of what can be learned about you. Many kinds of online accounts, including online banking, use challenge questions as part of their security. Make sure you don't choose responses that can be found online. For example, don't use your mother's maiden name if it is mentioned on a social network profile; or the model of your first car, if you discussed it on a forum. Thieves are very good at digging out those details from online searches.
5. Remember, even the most innocent email attachments can be infected with computer malware. Common and popular files like PDFs, JPGs and spreadsheets can provide a platform for installing viruses or keystroke-logging malware on your computer. If you aren't certain the file came from a legitimate business, charity or person, don't open it without verifying. Call them and ask if they sent an email with an attachment.

 

The thieves are smart and very good at exploiting your honesty and natural cooperation. They can send email that looks like it came from a family member, or hijack your best friend's social network account. Don't let your good nature become your downfall.

 

The best way to avoid Social Engineering schemes is to be cautious and suspicious of ANY request for money.

If you have questions or concerns about Identity Theft Prevention, please visit your local branch during normal banking hours.

Is your company keeping information secure?

Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principals:

 

1. Take stock. Know what personal information you have in your files and on your computers.

2. Scale down. Keep only what you need for your business.

3. Lock it. Protect the information in your care.

4. Pitch it. Properly dispose of what you no longer need.

5. Plan ahead. Create a plan to respond to security incidents.

 

Good practices can keep your information secure.

 

Corporate Account Takeover is a form of identity theft in which criminals steal your valid online banking credentials. The attacks are usually stealthy and quiet. Malware introduced into your systems may be undetected for weeks or months. Account-draining transfers using stolen credentials may happen at a time when they are not noticed for a day or two.

 

The good news is, if you follow sound business practices, you can protect your company:

 

• Use Layered System Security: Create layers of firewalls, anti-malware software and encryption. One layer of security might not be enough. Install robust anti-malware programs on every workstation and laptop. Keep them updated.

• Manage the security of online banking with a single, dedicated computer used exclusively for online banking and cash management. The computer should not be connected to your business network, should not retrieve any email messages, and should not be used for any online purpose except banking.

• Educate your employees about cybercrimes. Make sure your employees understand that just one infected computer can lead to an account takeover. Make them very conscious of the risk, and teach them to ask the question: "Does this email or phone call make sense?" before they open attachments or provide information.

• Block access to unnecessary or high-risk websites. Prevent access to any website that features adult entertainment, online gaming, social networking and personal email. All such sites can inject files into your network.

• Establish separate user accounts for every employee accessing financial information and limit administrative rights. If your user permissions for online banking include administrative rights, don't use those credentials for day-to-day processing.

• Use approval tools in cash management to create dual control on payments. Requiring two people to issue a payment - one to set up the transaction and a second to approve the transaction - doubles the chance of stopping a criminal from draining your account.

• Review or reconcile accounts online daily. The sooner you find suspicious transactions, the sooner the theft can be investigated.

 

The most important step in Mobile Banking security is treating your company mobile devices like portable computers.

 

A few common-sense precautions will help protect you from fraud and theft:

 

• Set the phone to require a password to power on the handset or awake it from sleep mode. If it's lost or stolen, any confidential information stored on the device will be more difficult to access.

• Whether you're using the mobile Web or a mobile client, don't let it automatically log you in to company bank accounts. Otherwise, if your phone is lost or stolen, someone will have free access to your money.

• Don't save your password, account number, PIN, answers to secret questions or other such information on the mobile device.

• Immediately tell your bank and mobile operator if you lose your phone. The sooner you report the loss, the better protected you are from fraudulent transactions.

• Download and install antivirus software for your mobile device, according to the manufacturer's recommendations.

• Be careful when downloading Apps. Downloads should always be from a trusted and approved source, and endorsed by your mobile device provider.

• Avoid "free offers" and "free ringtones". An email or instant message that offers free software downloads, such as ringtones, may contain viruses or malware.

• Be cautious of e-mails or text messages from unknown sources asking you to update, validate or confirm your personal details including password and account information. Don't reply to text messages from people or places that you do not know.

• Treat your mobile device as carefully as you would for your wallet, cash or credit cards.

• Keep track of account transactions. Review your bank statements as regularly as possible to rule out the chances of fraudulent transactions. If you notice discrepancies, contact your bank immediately.

• Only use Wi-Fi on your device when connected to password protected hotspots. Turn-off any auto-connect features. They might cause your phone to log into insecure wireless networks without your knowledge.

• Make sure you log out of social networking sites and online banking when you've finished using them.

• Install operating system updates for your device as they become available - they often include security updates.

• Before you upgrade or recycle your device, delete all personal/business details.

 

Mobile Banking is a useful tool for your business, and can make managing your money incredibly convenient. By using common sense, it can also be a safe and secure part of your daily operations.

Social Engineering

"Social Engineering" is any method of theft that manipulates human nature in order to gain access to your online financial accounts. No business is immune to the risks of Social Engineering attacks, and thieves will go to great lengths to lower your guard. Here are a few ways you can protect yourself from thieves using Social Engineering techniques:

 

• Don't allow unfamiliar visitors into any area with network access. Thieves often pose as vendors, service providers or even firefighters conducting an inspection, in order to gain physical access to your network. It only takes a few seconds for them to plug in a thumb drive that installs keystroke logging software. Legitimate technicians or officers will have I.D. beyond a logo shirt or uniform to back up their claim, and should be verified independently.
• Be cautious about letting visitors use a workstation or plug into your network. A request to "check my email" or "download that sales brochure" might seem innocent enough. But, this is a favorite tactic of Social Engineers to gain access to your network and leave monitoring software or hardware behind.
• Control access to your facility. Whatever type of business you are in, there should be barriers between public and private back office areas. Doors leading into back offices from public areas should be locked. Doors to outdoor smoking areas should be locked. Visitors to back office areas should always be accompanied by a trusted employee.
• Don't assume that an unsolicited phone call or email is actually from a trusted source. Thieves can research your business relationships or donations, then pose as a vendor or charity you trust. They can even pose as another company employee needing help. Again, verify before providing any confidential information.
• Remember, unexpected email attachments should be treated with great caution. Common and popular files like PDFs, JPGs and spreadsheets can provide a platform for installing viruses or keystroke-logging malware on your computer. If you aren't certain the file came from a legitimate business, charity or person, don't open it without verifying. Call them and ask if they sent an email with an attachment.
• Verify, verify, verify. If you receive a phone call or email claiming there is a problem with a bank account, credit card account or any other network or finance related account, hang up the phone or delete the email and check those accounts directly through normal access channels.

 

The best way to avoid Social Engineering schemes is to be cautious about any unknown visitor, and any request for money, passwords, account numbers or other confidential information - no matter where it seems to be coming from.

Know what personal information you have in your files and on your computers.

 

• Inventory all files storage and electronic equipment. Where does your company store sensitive data?
• Talk with your employees and outside service providers to determine who sends personal information to your business, and how it is sent.
• Consider all the ways you collect personal information from customers, and what kind of information you collect.
• Review where you keep the information you collect, and who has access to it.

Keep only what you need for your business.

 

• Use Social Security numbers only for required and lawful purposes. Don't use SSNs as employee identifiers or customer locators.
• Keep customer credit card information only if you have a business need for it, and ensure stored information is in accordance with Payment Card Industry Data Security Standards (PCI-DSS).
• Review the forms you use to gather data - like credit applications and fill-in-the-blank web screens for potential customers - and revise them to eliminate requests for information you don't need.
• Change the default settings on your software that reads customers' credit cards. Don't keep information you don't need.
• Truncate the account information on electronically printed credit and debit card receipts you give your customers. You may include no more than the last five digits of the card number, and you must delete the card's expiration date.
• Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.

• Protect the information that you keep.
• Put documents and other materials containing personally identifiable information in a locked room or file cabinet.
• Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
• Implement appropriate access controls for your building.
• Encrypt sensitive information if you must send it over public networks.
• Regularly run up-to-date anti-virus and anti-spyware programs on individual computers.
• Require employees to use strong passwords.
• Caution employees against transmitting personal information via e-mail.
• Create security policies for laptops used both within your office, and while travelling.
• Use a firewall to protect your computers and your network.
• Set "access controls" to allow only trusted employees with a legitimate business need to access the network.
• Monitor incoming Internet traffic for signs of security breaches.
• Check references and do background checks before hiring employees who will have access to sensitive data.
• Create procedures to ensure workers who leave your organization no longer have access to your company's network.

Properly dispose of what you no longer need.

 

• Create and implement information disposal practices.
• Dispose of paper records by shredding, burning, or pulverizing them.
• Defeat dumpster divers by encouraging your staff to separate the stuff that's safe to trash from sensitive data that needs to be discarded with care.
• Make shredders available throughout the workplace, including next to the photocopier.
• Use wipe utility programs when disposing of old computers and portable storage devices.
• Give business travellers and employees who work from home a list of procedures for disposing of sensitive documents, old computers, and portable devices.

• Create a plan for responding to security incidents.
• Create a plan to respond to security incidents, and designate a response team led by a senior staff person.
• Draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others - a lost laptop or a hack attack, to name just two - are unfortunate, but foreseeable.
• Investigate security incidents immediately.
• Create a list of who to notify - inside or outside your organization - in the event of a security breach.
• Immediately disconnect a compromised computer from the Internet.

 

Protect yourself against fraudulent transactions

 

Important! Review your statement every month.

 

If you find an unauthorized electronic transaction, you have 60 days to report it to your financial institution in order to limit the amount for which you are liable. If you wait more than 60 days you become liable for the unauthorized transactions. So review your statements every month and report any suspicious activity immediately.

 

Perform a risk assessment and controls evaluation

 

You can perform a risk assessment and controls evaluation periodically by using the below "Internet Security Assessment" questions.

 

INTERNET SECURITY ASSESSMENT

 

• Is antivirus software installed and running daily on SERVERS? Yes No
• Is antivirus software installed and running daily on WORKSTATIONS? Yes No
• Does someone receive antivirus alerts and resolve them as they are notified? Yes No
• Do you practice DUAL CONTROLS for critical tasks? Yes No
• Have employees been granted the "least amount of rights" to accomplish their responsibilities? Yes No
• Do you enforce passwords that expire every 30 days? Yes No
• Are your passwords NON-REUSABLE? Yes No
• Are you passwords strong, meaning that they contain at least 8 characters, including a number and a special character? Yes No
• Do you have firewalls running on your workstations or your network? Yes No
• Have you removed default accounts installed with operating systems and applications? Yes No
• Can you RESTORE the data and applications quickly enough to limit business impact? Yes No
• Have you tested the application-restore and data-restore activity? Yes No
• Have you hired an outside organization to evaluate your security strengths and weaknesses? Yes No

Rev. 6/2017