Security

Cybersecurity and Identity Theft Tips

The Internet Banking Service has several effective security techniques that we encourage you to implement when you use the Internet banking service:

  • NEVER provide your personal information via email.
  • NEVER click on links in an email unless you are sure of who sent you the email. We will never solicit your personal information via email.
  • Never reveal your pass codes to anyone or leave your pass code anywhere that someone else can obtain and use it.
  • Change your pass code on a regular basis.
  • Use the Exit button to end each Internet banking session. Do not use the Back button to exit the site.
  • Make sure your anti-virus software is up-to-date.
  • Keep your Microsoft security updates current.
  • Balance and monitor your account on a regular basis. Internet banking makes it easy!
  • Contact the Federal Trade Commission for information on what to do if you are a victim of Identity Theft.
  • Visit the FDIC website for more information on cybersecurity.

Phishing

It has come to Commercial Bank’s attention that customers may receive a fraudulent phishing (fishing) e-mail requesting debit card and personal information. This e-mail purports to be from MasterCard and requests that cardholders enroll in the “Verified by MasterCard Secure Code Program” immediately by clicking a link located within the e-mail. Please do not respond to this e-mail. It is not from Commercial Bank. MasterCard does not directly contact customers and ask for personal information, nor does Commercial Bank. If you receive such an e-mail, please contact us immediately. Here are some other tips to help you protect your personal information:

  • Never respond to any e-mail that asks for debit card and personal information, even if it looks legitimate, and do not click on links within an e-mail; instead, copy and paste the address into your browser.
    Note: By opening or viewing a preview of the e-mail or by clicking on the link within the e-mail, you may cause your PC to discretely download a virus or spyware.
  • Install spam filter and anti-virus software on your PC.
  • Ensure your PC is protected with a personal firewall.
  • Scan your PC regularly to detect and remove spyware.
  • Update your operating system and web browser software regularly.
  • Look to ensure “https://” appears in the web site address and that the security padlock icon appears on websites that request personal information.
  • Educate yourself of Internet fraud scams.
  • Regularly request and validate the accuracy of your credit report.

Pharming……..this isn’t plowing a field

First we had to worry about phishing (fishing) NOW we have pharming (farming). So much has been published warning people of the danger of replying to an email with a link attached to it that most people are extremely cautious and delete any strange looking email without even opening it up. But let’s discuss the new breed of cyberswindle, pharming. Pharmers redirect as many users as possible from legitimate commercial websites and lead them to malicious ones.

Pharming can occur in four different ways:

  • Static Domain Name Spoofing: The pharmer (the person or entity committing the fraud) attempts to take advantage of slight misspelling in domain names to trick users into inadvertently visiting the pharmer’s web site. For example, a pharmer may redirect a user to anybank.com instead of anybank.com, the site the user intended to access.
  • Malicious Software (Malware): Viruses and “Trojans” (latent malicious code or devices that secretly capture data) on a consumer’s personal computer may intercept the user’s request to visit a particular site, such as anybank.com, and redirect the user to the site that the pharmer has set up.
  • Domain hijacking: A hacker may steal or hijack a company’s legitimate Web site, allowing the hacker to redirect all legitimate internet traffic to an illegitimate site. Domain names generally can be hijacked in two ways:
    • Domain Slamming by submitting domain transfer requests, a domain is switched from one registrar to another. The account holder at the new registrar can alter routing instructions to point to a different, illegitimate server.
    • Domain expiration: Domain names are leased for fixed periods. Failure to manage the leasing process properly could result in a legitimate ownership transfer. In this instance, trade name laws usually must be invoked to recover lost domains.

DNS Poisoning: The most dangerous instance of pharming may be domain name server (DNS) poisoning. Domain name servers are similar to internet road map guides. When an individual enters www.anybank.com into his or her browser, Domain Name Servers on the internet translate the phrase www.anybank.com into an internet protocol (IP) address, which provides routing directions. After the DNS server provides this address information, the user’s connection request is routed to www.anybank.com. Local DNS servers can be “poisoned” to send users to a web site other than the one that was requested. This poisoning can occur as a result of misconfiguration, network vulnerabilities or Malware installed on the server.

There are 13 root DNS servers for the entire internet, which are closely protected and controlled. Most requests are directed by the local DNS server before they reach a root DNS server. However, if a hacker were to penetrate one or more of these root servers, the internet could be severely compromised.

There are steps that you can do to prevent pharming attacks:

Digital Certificates: Legitimate Web Servers can differentiate themselves from illegitimate sites by using digital certificates. Web sites using certificate authentication are more difficult to spoof. Consumers can us the certificate as a tool to determine whether a site is trustworthy.

  • Domain Name Management: Domain names must be registered and renewed timely.
  • DNS Poisoning: Investigation anomalies about web sites to ensure that DNS poisoning attacks are addressed promptly. For example, if Anybank’s domain was hijacked, it would immediately stop receiving normal internet-related requests. The drop in Internet traffic should alert technology staff at Anybank to the problem, which the staff should then investigate.
  • Consumer Education: Internet banking customers should install current versions of virus detection software, firewalls and spyware scanning tools to reduce computer infections. These tools are effective only if you regularly do updates to combat new threats. Run your spyware weekly and delete anything that you are not totally sure of. Check your firewall logs.
  • Make sure that anytime you connect to a web site that it is trusted and not a spoofed site. One way is to always look for the lock when utilizing a secure page.

If you have questions or concerns please feel that you can call the Bank and ask to speak to anyone in our technology department.

**information in this article provided by FDIC FIL-64-2005

How Not to Get Hooked by a ‘Phishing’ Scam

Internet scammers casting about for people’s financial information have a new way to lure unsuspecting victims: They go “phishing.” Phishing, also called “carding,” is a high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.

According to the Federal Trade Commission (FTC), the emails pretend to be from businesses the potential victims deal with -for example, their Internet service provider (ISP), online payment service or bank. The fraudsters tell recipients that they need to “update” or “validate” their billing information to keep their accounts active, and direct
them to a “look-alike” Web site of the legitimate business, further tricking consumers into thinking they are responding to a bona fide request. Unknowingly, consumers submit their financial information -not to the businesses -but the scammers, who use it to order goods and services and obtain credit.

To avoid getting caught by one of these scams, the FTC, the nation’s consumer protection agency, offers this guidance:

  • If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
  • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the “lock” icon on the browser’s status bar. It signals that your information is secure during transmission.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Report suspicious activity to the FTC. Send the actual spam to the FTC. If you believe you’ve been scammed, file your complaint at the Federal Trade Commission and to the FTC’s Identity Theft website to learn how to minimize your risk of damage from identity theft.

Visit the Federal Trade Commission Consumer Advice website to learn other ways to avoid email scams and deal with deceptive spam.

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit or call toll-free, 1-877-FTC-HELP (1- 877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Fraud Protection

If your financial information has been compromised, use this page as a resource guide. For more information on fraud, identity theft, phishing and consumer reporting, visit our Helpful Links page.

Lost or stolen Debit Card, Business Debit Card or ATM Card

If your debit or ATM card has been lost or stolen, please call us immediately at 402-225-3381.

Lost or stolen checkbook

Notify us immediately if your checkbook is lost or stolen. Call us at 402-225-3381 during business hours or send us a Secure Email from within Online Banking.

If possible, supply the last known date and location of your checkbook. If known, please provide information on outstanding checks, including amount, check number and payee. Be sure to give us your current contact information.

Reporting fraud, phishing or identity theft to Commercial Bank

If you suspect that you’re a victim of fraud, contact us immediately. Call us at 402-225-3381 during business hours or send us a Secure Email from within Online Banking.

Reporting fraud, phishing or identity theft to a credit bureau

Reporting that you might be a victim of fraud or identity theft to a credit bureau may help prevent further unauthorized activity. These three major credit bureaus can place a fraud alert on your credit file:

Equifax 800.525.6285

Experian 888.397.3742

TransUnion 800.680.7289