Finance the purchase and installation of a photovoltaic (PV) system for your home.
Save automatically whenever you sign or select 'credit' when using your Business Debit MasterCard.®"
Specifically applies to CPB’s online use and disclosure of information collected from visitors during the use of our website.
Information provided by FDIC Consumer News
When Small Charges Can Signal a Big Crime
Counting every penny on your credit and debit card statements can help detect fraud
Most people looking at their bank statements would probably notice if their credit or debit card were used without their approval to purchase a big ticket item, and they would quickly call their bank or card issuer to report the error or fraudulent transaction. But consumers are less likely to be suspicious of very small charges, including those less than a dollar ... which is why criminals like to make them.
“These small transactions might be signs that someone has learned your account information and is using it to commit a crime,” said Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section. “That’s why it’s important to be on the lookout for fraudulent transactions, no matter how small.”
He added, “When thieves fraudulently obtain someone else’s credit or debit card information and create a counterfeit card, they might test it out with a small transaction — like buying a pack of gum or a soda — to make sure the counterfeit card works before using it to make a big purchase. If this test goes unnoticed by the true account holder, thieves will use the card to buy something expensive that they want or that they can easily sell for cash.”
In one example, the Federal Trade Commission alleged that a group of individuals stole nearly $10 million by making charges to more than a million credit and debit cards that went unnoticed by most of cardholders because the transactions ranged from 20 cents to $10.
Even a small deposit in your checking or savings account that you weren’t expecting could be a sign that criminals have learned your account information and are trying to link your account to theirs so they can fraudulently withdraw money, perhaps your entire balance. Note: Be aware that if you ask to link your accounts at two different financial institutions, such as when setting up automatic transfers for investment or payment purposes, many banks and other payment providers may make test charges or deposits of less than $1 to verify that the proper arrangements have been made.
What can consumers to do protect themselves? Be on the lookout for small transactions you don’t think you’ve conducted or authorized. “The best way to catch this kind of fraud is to regularly and thoroughly review your bank and credit card statements to look for transactions that you didn’t initiate,” Benardo said. “If you have online access to your bank and credit card accounts, it is a good idea to check them regularly, perhaps weekly, for suspicious activity.”
Immediately contact your bank or credit card issuer if you see a transaction that you didn’t authorize and ask for it to be reversed. Debit card users in particular should promptly report an unauthorized transaction. While federal protections for credit cards cap losses from fraudulent charges at $50, a consumer’s liability limit for a debit card could be up to $500 or more if you don’t notify your bank within two business days after discovering the theft.
Also ask your bank or credit card issuer about additional precautions it could take to prevent fraud on your account. “For a period of time, it might monitor your account more closely for fraudulent transactions,” Benardo said. “Or, it may determine that the best course of action is to close your current account and issue you a new card with a new account number.”
For Banking by Computer or Mobile Device
Take extra precautions for logging into bank and other financial accounts. These measures include using "strong" user IDs and passwords by choosing combinations of upper- and lower-case letters, numbers, and symbols that are hard for a hacker to guess. Don't use your birthdate, address or other words or numbers that can be easy for con artists to find out or guess. Don't use the same password for different accounts because a criminal who obtains one password can then log in to your other accounts. Keep your user IDs and passwords secret, and change them regularly. Make sure to log out of financial accounts when you complete your transactions or walk away from the computer.
Consider using a separate computer solely for online banking or shopping. A growing number of people are purchasing basic PCs and using them only for banking online and not Web browsing, emailing, social networking, playing games or other activities that are more susceptible to malicious software — known generally as "malware" — that can access computers and steal information. As an alternative, you can use an old PC for this limited purpose, but uninstall any software no longer needed and scan the entire PC to check for malicious software before proceeding.
Take precautions if you provide financial account information to third parties online. For example, some people use online "account aggregation" services that, from one website, can provide a convenient way to pay bills, monitor balances in deposits and investment accounts, and even keep track of your frequent flyer miles. While these websites may be beneficial, they can also present potential issues related to the security of the account information you have shared with them. If you want to use their services, thoroughly research the company behind the website, including making sure that you're dealing with a legitimate entity and not a fraudulent site. Also ask what protections the website offers if it experiences a data breach or loss of data.
Periodically check your bank accounts for signs of fraud. If you bank online, check your deposit accounts and lines of credit at regular intervals to spot and report errors or fraudulent transactions, just as you would review a paper statement. Online banking makes it easier and faster to monitor your accounts. This is important, because the sooner you can detect a problem with a transaction, the easier it should be to fix.
Federal laws generally limit your liability for unauthorized use of your debit, credit and prepaid cards, especially if you report the problem to your financial institution within specified time periods, which vary depending on the circumstances. A good rule of thumb is to check your accounts online once or twice a week. Also, many banks make it easier for customers to keep track of their accounts by offering email or text message alerts when balances fall below a certain level or when there is a transaction over a certain amount.
Basic Security Tips
Keep your software up to date. Software manufacturers continually update their products to fix vulnerabilities or security weaknesses when they find them. "All of your software should be checked and updated as generally recommended by the manufacturer or when flaws are found," explained Kathryn Weatherby, a fraud examination specialist for the FDIC. "This advice goes for everything from your operating system to your word processing software, Internet browsers, spreadsheet software, and even your digital photography applications. A vulnerability in one piece of software, no matter how insignificant it may seem, can be exploited by a hacker and used as a pathway into your whole computer."
Some software manufacturers may issue "patches" that you need to install to update a program. Others may simply provide you with a completely new version of the software. "Before installing any update you receive, make sure it is legitimate, especially if it is emailed to you," said Benardo. "Check the software manufacturer's website or contact the company directly to verify the update's validity. Criminals have been known to imitate software vendors providing a security update when, in fact, they are distributing malware. Once you confirm that an update is legitimate, install it as soon as possible to correct whatever security flaw might exist."
Install anti-virus software that prevents, detects and removes malicious programs. Crooks and computer hackers are always developing new malware that can access computers and steal information, such as account passwords or credit or debit card numbers. These programs also may be able to destroy data from the infected computer's hard drive.
Malware can enter your computer in a variety of ways, perhaps as an attachment to an email, a downloaded file from an infected website, or from a contaminated thumb drive or disk. Fight back by installing anti-virus software that periodically runs in the background of your computer to search for and remove malware. Also be sure to set the software to update automatically so that it can protect you from the latest malware. See Beware of Malware: Think Before You Click! for more information.
Use a firewall program to prevent unauthorized access to your PC. A firewall is a combination of hardware and software that establishes a barrier between your personal computer and an external network, such as the Internet, and then monitors and controls incoming and outgoing network traffic. In simple terms, a firewall acts as a gatekeeper that helps screen out hackers, malware and other intruders who try to access your computer from the Internet.
Only use security products from reputable companies. Some anti-virus software and firewalls can be purchased, while others are available free. Either way, it's a good idea to check out these products by reading reviews from computer and consumer publications. Look for products that have high ratings for detecting problems and for providing tech support if your computer becomes infected. Other ways to select the right protection products for your computer are to consult with the manufacturer of your computer or operating system, or to ask someone you know who is a computer expert.
Take advantage of Internet safety features. When you are banking online, shopping on the Internet or filling out an application that requests sensitive personal information such as credit card, debit card and bank account numbers, make sure you are doing business with reputable companies. You also can have greater confidence in a website that encrypts (scrambles) the information as it travels to and from your computer. Look for a padlock symbol on the page and a Web address that starts with "https://." The "s" stands for "secure."
Also, current versions of most popular Internet browsers and search engines often will indicate if you are visiting a suspicious website or a page that cannot be verified as trusted. It's best not to continue on to pages with these kinds of warnings. Review your Internet browser's user instructions and explore the "tools" and "help" tabs to learn more about the security settings and alerts offered.
Be careful where and how you connect to the Internet. A public computer, such as at an Internet café or a hotel business center, may not have up-to-date security software and could be infected with malware. Similarly, if you are using a portable computer (such as a laptop or mobile device) for online banking or shopping, avoid connecting it to a wireless (Wi-Fi) network at a public "hotspot" such as a coffee shop, hotel or airport. Wi-Fi in public areas can be used by criminals to intercept your device's signals and as a collection point for personal information.
The bottom line, especially for sensitive matters such as online banking and activities that involve personal information, is to consider only accessing the Internet using your own computer with a secure, trusted connection, and to only connect laptops and mobile devices to trusted networks.
Everywhere you look, people are using smartphones and tablets as portable, hand-held computers. "Unfortunately, cybercriminals are also interested in using or accessing these devices to steal information or commit other crimes," said Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section. "That makes it essential for users of mobile devices to take measures to secure them, just as they would a desktop computer."
Here are some basic steps you can take to secure your mobile devices.
Avoid apps that may contain malware. Buy or download from well-known app stores, such as those established by your phone manufacturer or cellular service provider. Consult your financial institution's website to confirm where to download its official app for mobile banking.
Keep your device's operating system and apps updated. Consider opting for automatic updates because doing so will ensure that you have the latest fixes for any security weaknesses the manufacturer discovers. "Cybercriminals try to take advantage of known flaws, so keeping your software up to date will help reduce your vulnerability to foul play," said Robert Brown, a senior ombudsman specialist at the FDIC.
Consider using mobile security software and apps to protect your device. For example, anti-malware software for smartphones and tablets can be purchased from a reputable vendor.
Use a password or other security feature to restrict access in case your device is lost or stolen. Activate the "time out" or "auto lock" feature that secures your mobile device when it is left unused for a certain number of minutes. Set that security feature to start after a relatively brief period of inactivity. Doing so reduces the likelihood that a thief will be able to use your phone or tablet.
Back up data on your smartphone or tablet. This is good to do in case your device is lost, stolen or just stops working one day. Data can easily be backed up to a computer or to a back-up service, which may be offered by your mobile carrier.
Have the ability to remotely remove data from your device if it is lost or stolen. A "remote wipe" protects data from prying eyes. If the device has been backed up, the information can be restored on a replacement device or the original (if you get it back). A number of reputable apps can enable remote wiping.
Malicious software — or “malware” for short — is a broad class of software built with malicious intent. “You may have heard of malware being referred to as a ‘computer bug’ or ‘virus’ because most malware is designed to spread like a contagious illness, infecting other computers it comes into contact with,” said Michael Benardo, manager of the FDIC’s Cyber Fraud and Financial Crimes Section. “And if you don’t protect your computer, it could become infected by malware that steals your personal financial information, spies on you by capturing your keystrokes, or even destroys data.”
Law enforcement agencies and security experts have seen an increase in a certain kind of malware known as “ransomware,” which restricts someone’s access to a computer or a smartphone — literally holding the device hostage — until a ransom is paid. While businesses have been targeted more than consumers to date, many home computer users have been victims of ransomware. For more information, see an alert issued by the U.S. Department of Homeland Security.
The most common way malware spreads is when someone clicks on an email attachment — anything from a document to a photo, video or audio file. Criminals also might try to get you to download malware by including a link in the wording of an email or in a social media post that directs you somewhere else, often to an infected file or Web page on the Internet. The link might be part of a story that sounds very provocative, such as one with a headline that says, “How to Get Rich” or “You Have to See This!”
Malware also can spread across a network of linked computers, be downloaded from an infected website, or be passed around on a contaminated portable storage device, such as a thumb drive or flash drive.
Here are reminders plus additional tips on how to generally keep malware off your computer.
Don’t immediately open email attachments or click on links in unsolicited or suspicious-looking emails. Think before you click! Cybercriminals are good at creating fake emails that look legitimate but can install malware. Either ignore unsolicited requests to open attachments or files or independently verify that the supposed source did send the email to you (by using a published email address or telephone number). “Even if the attachment is from someone you know, consider if you really need to open the attachment, especially if the email looks suspicious,” added Benardo.
Install good anti-virus software that periodically runs to search for and remove malware. Make sure to set the software to update automatically and scan for the latest malware.
Be diligent about using spam (junk mail) filters provided by your email provider. These services help block mass emails that might contain malware from reaching your email inbox.
Don’t visit untrusted websites and don’t believe everything you read. Criminals might create fake websites and pop-ups with enticing messages intended to draw you in and download malware. “Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable,” warned Amber Holmes, a financial crimes information specialist with the FDIC. “And please, don’t click on a link to learn more. If something sounds too good to be true, then most likely it’s fraudulent or harmful.”
Be careful if anyone — even a well-intentioned friend or family member — gives you a disk or thumb drive to insert in your computer. It could have hidden malware on it. “Don’t access a disk or thumb drive without first scanning it with your security software,” said Holmes. “If you are still unsure, don’t take a chance.”
In today's world, it's important for small business owners to be vigilant in protecting their computer systems and data. Among the reasons: Federal consumer protections generally do not cover businesses for losses they incur from unauthorized electronic fund transfers. That means, for example, your bank may not be responsible for reimbursing losses associated with an electronic theft from your bank account — for instance, if there was negligence on the part of your business, such as unsecured computers or falling for common scams.
Here are tips to help small business owners and their employees protect themselves and their companies from losses and other harm. Several of these tips mirror basic precautions we have suggested elsewhere in this issue for consumers.
Protect computers and Wi-Fi networks. Equip your computers with up-to-date anti-virus software and firewalls to block unwanted access. Arrange for key security software to automatically update, if possible. And if you have a Wi-Fi network for your workplace, make sure it is secure, including having the router protected by a password that is set by you (not the default password). The user manual for your device can give you instructions, which are also generally available online.
Patch software in a timely manner. Software vendors regularly provide "patches" or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure software to install such updates automatically.
Set cybersecurity procedures and training for employees. Consider reducing risks through steps such as pre-employment background checks and clearly outlined policies for personal use of computers. Limit employee access to the data systems that they need for their jobs, and require permission to install any software.
And, train employees about cybersecurity issues, such as suspicious or unsolicited emails asking them to click on a link, open an attachment or provide account information. By complying with what appears to be a simple request, your employees may be installing malware on your network.
Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices and online accounts by using combinations of upper- and lower-case letters, numbers and symbols that are hard to guess and changed regularly. Consider requiring more information beyond a password to gain access to your business's network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.
Secure the business's tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your company's network. In the case of the latter, require employees to password-protect their devices, encrypt their data and install security apps to prevent criminals from accessing the device while it is connected to public networks. Also develop and enforce reporting procedures for lost or stolen equipment.
Back up important business systems and data. Do so at least once a week. For your backup data, remember to use the same security measures (such as encryption) that you would apply to the original data. In addition, in case your main computer becomes infected, regularly back up sensitive business data to additional, disconnected storage devices.
Use best practices for handling card payments online. Seek advice from your bank or a payment processor to select the most trusted and validated tools and anti-fraud services. This may include using just one computer or tablet for payment processing.
Be vigilant for early signs something is wrong. "Monitor bank account balances regularly to look for suspicious or unauthorized activity," suggested Luke W. Reynolds, chief of the FDIC's Outreach and Program Development Section.
In today's world, financial institutions must be aware of current cyberthreats and take appropriate precautions in order to protect their customers' money and personal information. "Banks are tempting targets for cyberthieves who want to commit financial fraud," said Jeff Kopchik, a senior policy analyst with the FDIC. "But what customers need to remember is that banks and regulators are working together to prevent these crimes."
Banks have employees or use outside firms that work to prevent cyberfraud. Also, financial institutions must continually improve their information security programs so they can effectively respond to the latest cyberthreats.
In addition, the FDIC and other regulators work with financial institutions to help protect customer information and money. Since 2001, federal law and regulations have required that financial institutions have programs to ensure the security and confidentiality of customer information. Federal and state bank examiners also regularly conduct on-site examinations of FDIC-insured institutions and their outside firms to ensure that they comply with these and other regulations.
Banking regulators also work with institutions to share overviews of the cyberthreat landscape and discuss steps they can take to be prepared. For example, in 2015, the FDIC produced an educational video on cybersecurity to help boards of directors and senior management at banks protect against potential threats. That same year, the regulators unveiled a voluntary "cybersecurity assessment tool" to help institutions identify risks and assess their preparedness.
"Banks may use any risk assessment tool they choose. FDIC examiners are available to discuss the results with bank management and help them focus on areas that need improvement," said Mark Moylan, FDIC deputy director for operational risk. "We view this communication as an important part of our strategy to help ensure the safety of customer financial information."
The FDIC also recommends that institutions join industry organizations that provide reliable and timely information designed to help institutions protect critical systems from cyber threats.
"Cybercriminals are constantly looking for new ways to commit financial fraud against a bank and its customers," Kopchik said. "That is why the FDIC devotes significant resources to financial institution compliance with federal information security laws and alerts bank management about the newest cyber threats and effective countermeasures. It's part of the FDIC's mission to maintain stability and public confidence in the nation's financial system."
When criminals make unauthorized purchases using stolen payment card numbers or other information, federal consumer laws and financial industry practices protect victims from losses under certain circumstances. Here are key details to remember.
If your credit card number is accessed by cyberthieves: "Under federal law, a consumer's liability is normally capped at $50 for all unauthorized transactions on each card. However, if your credit card number is stolen, but not the card, you are not liable for any unauthorized use," said Richard Schwartz, a counsel in the FDIC's Consumer Compliance Section. "In addition, credit card losses are typically absorbed by the card issuer because of zero-liability policies, which preclude consumers from having to pay any amount of an unauthorized charge. These policies are set by the card industry."
If your debit card or the card number is used to withdraw money from a checking or savings account: To minimize your losses, you should contact your bank as soon as possible if you discover that your debit card has been lost or stolen. Your maximum liability under federal law is $50 if you notify your bank within two business days after learning of the loss or theft of your card. But if you notify your bank after those first two days, under the law you could lose more.
What if your debit card number (not the card itself) is stolen in an online hacking incident? Remember to check your account activity regularly. Timing is critical because under federal law you will not be liable for the transaction if you report it within 60 days after your account statement showing the transaction is sent to you. But if the charge goes unreported for more than 60 days, all your money in the account could be lost. However, remember to check with your bank about the payment card networks' zero-liability policy, which may protect you.
If you have a debit card for a business account that is used fraudulently: Debit cards issued for business use have different loss protections than debit cards for consumers. The Uniform Commercial Code (UCC), which sets many rules for businesses, requires a standard of "ordinary care" by the card holder in order to avoid liability for losses from online fraud. "This can be a technical area, so check with an attorney to make sure you are managing your business account consistent with the UCC rules," Schwartz advised.
If a prepaid card account is used fraudulently: Prepaid cards have money deposited onto them, and they usually aren't linked to a checking or savings account. In terms of legal protections against losses as a result of fraud, the rules vary depending on the type of prepaid card:
- Prepaid cards used by employers to pay their employees are covered under the same laws described earlier for consumer debit cards.
- General-purpose "reloadable" prepaid cards, which display a network brand such as American Express, Discover, MasterCard or Visa, currently have no protections limiting liability under federal law but do, in most cases, include in their contracts with customers the same protections as those for consumer debit cards. However, regarding liability for losses, the Consumer Financial Protection Bureau (CFPB) in November 2014 proposed a rule that would include reloadable prepaid cards under the federal law for consumer debit cards. Visit the CFPB website for updates.
- Prepaid gift cards for purchases at stores are typically not registered and, therefore, are not subject to federal consumer liability rights and protections. And, issuers of prepaid gift cards generally do not provide their own fraud liability coverage to card holders. "If you lose your gift card, you will probably lose the entire value of that card," Schwartz said.
Reminders about 10 simple things bank customers can do to help protect their computers and their money from online criminals
1. Have computer security programs running and regularly updated to look for the latest threats. Install anti-virus software to protect against malware (malicious software) that can steal information such as account numbers and passwords, and use a firewall to prevent unauthorized access to your computer.
2. Be smart about where and how you connect to the Internet for banking or other communications involving sensitive personal information. Public Wi-Fi networks and computers at places such as libraries or hotel business centers can be risky if they don’t have up-to-date security software.
3. Get to know standard Internet safety features. For example, when banking or shopping online, look for a padlock symbol on a page (that means it is secure) and “https://” at the beginning of the Web address (signifying that the website is authentic and encrypts data during transmission).
4. Ignore unsolicited emails asking you to open an attachment or click on a link if you’re not sure it’s who truly sent it and why. Cybercriminals are good at creating fake emails that look legitimate, but can install malware. Your best bet is to either ignore unsolicited requests to open attachments or files or to independently verify that the supposed source actually sent the email to you by making contact using a published email address or telephone number.
5. Be suspicious if someone contacts you unexpectedly online and asks for your personal information. A safe strategy is to ignore unsolicited requests for information, no matter how legitimate they appear, especially if they ask for information such as a Social Security number, bank account numbers and passwords.
6. Use the most secure process you can when logging into financial accounts. Create “strong” passwords that are hard to guess, change them regularly, and try not to use the same passwords or PINs (personal identification numbers) for several accounts.
7. Be discreet when using social networking sites. Criminals comb those sites looking for information such as someone’s place of birth, mother’s maiden name or a pet’s name, in case those details can help them guess or reset passwords for online accounts.
8. Be careful when using smartphones and tablets. Don’t leave your mobile device unattended and use a device password or other method to control access if it’s stolen or lost.
9. Parents and caregivers should include children in their cybersecurity planning. Talk with your child about being safe online, including the risks of sharing personal information with people they don’t know, and make sure the devices they use to connect to the Internet have up-to-date security.
10. Small business owners should have policies and training for their employees on topics similar to those provided in this checklist for customers, plus other issues that are specific to the business. For example, consider requiring more information beyond a password to gain access to your business’s network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.
Fraud can come in many forms. It is important as a consumer to protect yourself to avoid becoming a victim. One of the most common types of fraud attempts is to steal your identity. Identity theft starts with the misuse of your personally identifiable information such as your name and Social Security number, credit card numbers, or other financial account information. For identity thieves, this information is priceless.
There are many ways to try and steal this information, which include but are not limited to the following:
Credit: APWG, Carnegie Mellon Universtiy, and Wombat Security Technologies, Inc.
DETER identity theft by safeguarding information
DETECT suspicious activity by monitoring accounts
DEFEND against identity theft as soon as you suspect a problem
IF YOU BECOME AN IDENTITY THEFT VICTIM
If you suspect your identity or financial information is being used fraudulently, call your bank and credit card companies immediately. The sooner you act, the better the chances of catching the culprit and of limiting the damage. File a police report. The best way for the authorities to bring criminals to justice and prevent future fraud is through sharing information. Your police report helps authorities gain insight on how the crime was committed.
To report a phising and/or fraud attempt, contact us.