Security Tips and Information
Our Security Procedures
We also take steps to safeguard customer information. We restrict access to your personal and account information to those employees who need to know that information to provide products or services to you. Employees who violate these standards will be subject to disciplinary measures. We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.
The best way to detect fraud is by constantly monitoring your account activity. Financial impact is lowest when fraud is detected as soon as possible. A good way to monitor your accounts easily is to use online banking. Customers who access their accounts online, use email alerts, and receive electronic statements maximize the timely notification of activity on their accounts and also reduce the risk of fraud. Here are some ways that you can recognize if you may have been a victim of identity theft:
- You did not receive your statement by mail as expected.
- There are charges on your account that are not familiar.
- You receive credit cards and you did not apply for credit.
- You find new accounts on your credit report that are not yours.
- Posted checks on your account appear significantly out of sequence.
- You receive calls from creditors regarding services you did not buy.
- You are denied credit for no apparent reason.
A recent amendment to the federal Fair Credit Reporting Act requires each of the nationwide consumer reporting companies to provide you with a free copy of your credit report at your request every 12 months.
Pharming and Phishing
Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims. Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. To avoid getting hacked:
- Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message. Don't cut and paste a link from the message into your Web browser — phishers can make links look like they go to one place but actually send you to a different site.
- Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
- Don't email personal or financial information.
- Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
- Forward phishing emails to firstname.lastname@example.org – and to the company, bank, or organization impersonated in the phishing email.
For more information, visit www.annualcreditreport.com.
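The pharming description above names the hosts file as one place where a redirect can be planted. The following check is an added example, not part of the original page or any bank tooling: it scans hosts-file text for entries that override the domains you bank with. The domain `bank.example`, the sample addresses, and the function names are assumptions made for illustration.

```python
import os

def hosts_path():
    """Location of the local hosts file on Windows or Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def audit_hosts(text, watched):
    """Return (line_no, ip, host) for entries that pin a watched domain,
    or any subdomain of it, to a fixed address."""
    watched = {d.lower().rstrip(".") for d in watched}
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]       # one address, one or more names
        for name in names:
            host = name.lower().rstrip(".")     # names are case-insensitive
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((n, ip, host))
    return findings

# Constructed sample: documentation-range addresses, hypothetical domain.
SAMPLE = """\
127.0.0.1   localhost
::1         localhost
# 203.0.113.7 www.bank.example   (commented out, so ignored)
203.0.113.7  www.bank.example login.bank.example  # override of a watched name
198.51.100.9 notbank.example
192.0.2.10   Bank.Example.
"""

if __name__ == "__main__":
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE
    for line_no, ip, host in audit_hosts(text, ["bank.example"]):
        print(f"line {line_no}: {host} is pinned to {ip}")
```

A legitimate banking domain should normally resolve through DNS, so any finding is worth investigating; an empty result does not rule out the DNS-server form of pharming the text also mentions.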
Lost or Stolen Debit Cards
If you think that your debit card may have been lost or stolen, contact us immediately at 1-800-500-1044. We will cancel your card and issue you a replacement, as well as review your account with you for unauthorized purchases or withdrawals. You will not be held liable for any unauthorized transactions as long as you notify us promptly.
ID Theft Recourse
If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your conversations and copies of all correspondence.
- Place a fraud alert on your credit reports, and review your credit reports. Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of any of the three consumer reporting companies below to place a fraud alert on your credit report. You only need to contact one of the three companies to place an alert. The company you call is required to contact the other two, which will place an alert on their versions of your report, too. If you do not receive a confirmation from a company, you should contact that company directly to place a fraud alert.
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
Once you place the fraud alert in your file, you're entitled to order one free copy of your credit report from each of the three consumer reporting companies, and, if you ask, only the last four digits of your Social Security number will appear on your credit reports. Once you get your credit reports, review them carefully. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain. Check that information, like your Social Security number, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. See Correcting Fraudulent Information in Credit Reports to learn how. When you correct your credit report, use an Identity Theft Report with a cover letter explaining your request, to get the fastest and most complete results.
Continue to check your credit reports periodically, especially for the first year after you discover the identity theft, to make sure no new fraudulent activity has occurred.
- Close the accounts that you know, or believe, have been tampered with or opened fraudulently. Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send your letters by certified mail, return receipt requested, so you can document what the company received and when. Keep a file of your correspondence and enclosures.
When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your Social Security number or your phone number, or a series of consecutive numbers.
If the identity thief has made charges or debits on your accounts, or has fraudulently opened accounts, ask the company for the forms to dispute those transactions:
- For charges and debits on existing accounts, ask the representative to send you the company's fraud dispute forms. If the company doesn't have special forms, use the sample letter to dispute the fraudulent charges or debits. In either case, write to the company at the address given for "billing inquiries," NOT the address for sending your payments.
- For new unauthorized accounts, you can either file a dispute directly with the company or file a report with the police and provide a copy, called an “Identity Theft Report,” to the company.
- If you want to file a dispute directly with the company, and do not want to file a report with the police, ask if the company accepts the FTC’s ID Theft Affidavit (PDF, 56 KB). If it does not, ask the representative to send you the company's fraud dispute forms.
- However, filing a report with the police and then providing the company with an Identity Theft Report will give you greater protection. For example, if the company has already reported these unauthorized accounts or debts on your credit report, an Identity Theft Report will require them to stop reporting that fraudulent information. Use the cover letter to explain to the company the rights you have by using the Identity Theft Report. More information about getting and using an Identity Theft Report can be found here.
Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts. This letter is your best proof if errors relating to this account reappear on your credit report or you are contacted again about the fraudulent debt.
- File a complaint with the Federal Trade Commission. You can file a complaint with the FTC using the online complaint form; or call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Be sure to call the Hotline to update your complaint if you have any additional information or problems.
By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them. The FTC can refer victims' complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces.
Additionally, you can provide a printed copy of your online Complaint form to the police to incorporate into their police report. The printed FTC ID Theft Complaint, in conjunction with the police report, can constitute an Identity Theft Report and entitle you to certain protections. This Identity Theft Report can be used to (1) permanently block fraudulent information from appearing on your credit report; (2) ensure that debts do not reappear on your credit report; (3) prevent a company from continuing to collect debts that result from identity theft; and (4) place an extended fraud alert on your credit report.
- File a report with your local police or the police in the community where the identity theft took place.
Call your local police department and tell them that you want to file a report about your identity theft. Ask them if you can file the report in person. If you cannot, ask if you can file a report over the Internet or telephone. See below for information about Automated Reports.
If the police are reluctant to take your report, ask to file a "Miscellaneous Incident" report, or try another jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check www.naag.org for a list of state Attorneys General.
When you go to your local police department to file your report, bring a printed copy of your FTC ID Theft Complaint form, your cover letter, and your supporting documentation. The cover letter explains why a police report and an ID Theft Complaint are so important to victims.
Ask the officer to attach or incorporate the ID Theft Complaint into their police report. Tell them that you need a copy of the Identity Theft Report (the police report with your ID Theft Complaint attached or incorporated) to dispute the fraudulent accounts and debts created by the identity thief. (In some jurisdictions the officer will not be able to give you a copy of the official police report, but should be able to sign your Complaint and write the police report number in the “Law Enforcement Report” section.)
Corporate Account Takeover
What is Corporate Account Takeover?
Corporate account takeover occurs when a criminal obtains electronic access to your bank account and conducts unauthorized transactions. The criminal obtains electronic access by stealing the confidential security credentials of your employees who are authorized to conduct electronic transactions on your corporate bank account.
How are confidential security credentials stolen?
There are several methods being employed to steal confidential security credentials. One is to mimic the look and feel of a legitimate financial institution’s website. Users provide their credentials to these sites without knowing that a perpetrator is stealing their security credentials through a fictitious website which appears to be their financial institution.
A second method is malware that infects computer workstations and laptops via infected emails with links or document attachments. In addition, malware can be downloaded to a user’s workstation and laptop from legitimate websites, especially social networking sites. Clicking on the documents, videos or photos posted there can activate the download of the malware. The malware installs key-logging software on the computer, which allows the perpetrator to capture the user’s ID and password as they are entered at the financial institution’s website.
Other viruses are more sophisticated. They alert the perpetrator when the legitimate user has logged onto a financial institution’s website, then trick the user into thinking the system is down or not responding. During this perceived downtime, the perpetrator is actually sending transactions in the user’s name.
What does corporate account takeover look like?
If robust authentication is not used and a user’s credentials are stolen, the perpetrator can take over the account of the business. To the financial institution, the credentials appear to be the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns and ACH and wire transfer origination parameters such as file size and frequency limits and Standard Entry Class (SEC) codes.
With an understanding of the permissions and the limits associated with the account, the perpetrator can transfer funds out of the account using wire transfers or ACH files. With ACH, the file would likely contain PPD (Prearranged Payments & Deposits) credits routed to accounts at one or more receiving depository financial institutions (RDFIs). These accounts may be newly opened by accomplices or unwitting “mules” for the express purpose of receiving and laundering these funds. The accomplices or mules withdraw the entire balances shortly after receiving the money and send the funds overseas via wire transfer or other popular money transfer services.
Perpetrators also send ACH files containing debits in order to collect additional funds into the account that can subsequently be transferred out. The debits would likely be CCD (Cash Concentration & Disbursement) debits to other small business accounts for which the perpetrator has also stolen the credentials or banking information. Given the 2-day return timeframe for CCD debits and the relative lack of account monitoring and controls at many small businesses, these debit transactions often go unnoticed until after the return timeframe has expired.
What can business customers do to protect themselves (best practices)?
Business customers can take many steps to protect themselves against account takeover.
One of the most effective, yet basic, controls is for business customers to always initiate ACH and wire transfer payments under dual control. For example, one individual initiates the creation of the payment file, and another approves the file for release.
- Using multiple factors to prove identity is very effective in preventing a successful attack. Multiple factors are more challenging to compromise. For example, the use of 1) something the person knows (user ID, PIN, Password), and 2) something the person has (password-generating token, USB token) can substantially reduce the vulnerability to an attack. Tokens that generate single-use codes are among the best practices.
- Restrict functions that authorized employees may perform to specific computer workstations and laptops that are used solely for online banking and payments. This will help prevent the inadvertent downloading of malware or other viruses by users.
- Ensure that your company’s operating system and its components are up to date with current software patches. For example, the use of the most current firewalls, malicious code filtering, virus protection and spyware removal software will aid in the control of network intrusion tactics.
- Business customers should reconcile their bank accounts daily. Many business customers, particularly small businesses, may not typically reconcile their bank account on a daily basis, and therefore may not recognize fraudulent activity until it is too late to take action. The Electronic Funds Transfer Act (Regulation “E”) is a consumer regulation and does not protect business clients from fraudulent electronic funds transfers (EFTs).
- Business customers should train all staff who interact with the online banking system on corporate account takeover.
- Business customers should consider completing a risk assessment and controls evaluation periodically to mitigate any risk findings.
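The dual-control practice above, combined with the takeover pattern described earlier (PPD credits to newly opened accounts and CCD debits the business does not normally originate), can be expressed as a release gate. This is an added example, not the bank's system or code from the original page; the class names, user names, account numbers and routing numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    sec_code: str       # Standard Entry Class code, e.g. "PPD" or "CCD"
    kind: str           # "credit" or "debit"
    routing: str        # receiving institution routing number (constructed)
    account: str
    amount_cents: int

@dataclass
class PaymentFile:
    initiator: str
    entries: list
    approver: Optional[str] = None

def review_flags(pf, known_receivers, usual_types):
    """Reasons an approver should question the file before releasing it."""
    flags = set()
    for e in pf.entries:
        if (e.routing, e.account) not in known_receivers:
            flags.add(f"new receiver {e.routing}/{e.account}")
        if (e.sec_code, e.kind) not in usual_types:
            flags.add(f"unusual entry type {e.sec_code} {e.kind}")
    return sorted(flags)

def approve(pf, user, approvers):
    """Dual control: an authorized user other than the initiator must approve."""
    if user not in approvers:
        raise PermissionError(f"{user} is not an authorized approver")
    if user == pf.initiator:
        raise PermissionError("initiator cannot approve their own file")
    pf.approver = user

def can_release(pf):
    return pf.approver is not None and pf.approver != pf.initiator

# Constructed data: a business that normally sends CCD credits to two vendors.
KNOWN = {("000000001", "1001"), ("000000001", "1002")}
USUAL = {("CCD", "credit")}
APPROVERS = {"alice", "bob"}

routine = PaymentFile("alice", [Entry("CCD", "credit", "000000001", "1001", 125_000)])
suspect = PaymentFile("alice", [   # what stolen credentials for "alice" might submit
    Entry("PPD", "credit", "000000002", "7701", 480_000),
    Entry("PPD", "credit", "000000002", "7702", 495_000),
    Entry("CCD", "debit", "000000001", "1002", 900_000),
])

if __name__ == "__main__":
    for reason in review_flags(suspect, KNOWN, USUAL):
        print("review:", reason)
```

With one stolen credential set the file cannot be released, and the second person sees why it differs from the business's normal origination pattern before approving.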
In the event of fraudulent or suspicious activity please contact Brookhaven Bank at 404-633-2113.
Online Fraud Prevention Education:
The documents below are recommended best practices for using Brookhaven Bank’s online banking system.
Brookhaven Bank will NOT contact clients via email to request electronic banking credentials for your account or personal information.