Flying South, Snowbird? Make sure your finances stay secure!

Are you still planning to head south for the winter? If so, you may have even more on your mind than usual this year as you prepare to travel. Keep in mind these three tips to ensure smooth sailing while you’re somewhere warm.

1. Communicate your change of address

There are several businesses that should be aware of your change of address for the winter season, including Merchants Bank. To ensure you continue to receive important financial, medical or family information or to discontinue specific subscription services, you should contact the following regarding your address change:

  • Your bank
  • The Post Office
  • Your local newspaper (if you have it delivered)
  • Other delivery services

To alert Merchants Bank of your address change, stop in or call your local branch, or even submit a secure message in Online Banking to let us know of the change. Please include dates of departure and return as well as the names of other account holders living at your address.

2. Know how to access your bank account information.

Managing your money across a few states or a country is critical to helping you feel at ease during your trip. Make sure you are comfortable with getting information about your accounts and managing your money through the following options:

  • Merchants Online Banking – Access on desktop and mobile. (TIP: set up account alerts, so you are notified of any activity).
  • Merchants Bank Credit Card App – To control your Merchants Bank credit card.
  • CardValet – To control your Merchants Bank debit card.
  • Give your local branch a call – Make sure you know your privacy code. If you’ve forgotten, stop in to your local branch to be reminded or set one up. That way we can verify your identity.

3. Be diligent in protecting your identity.

In the course of your travels, there are a number of circumstances that could impact the chance of identity theft. You could lose track of a card, leave financial statements in the mailbox, or post publicly on a social media site that you’re out of town, which lets criminals know that your house is empty. Review our security tips to ensure that your personal information is safe.

During your travels stay safe, and be well!

Be Aware, Be Skeptical About Mortgage Offers

Financing your home is an important event. It opens the door to many new experiences, including unsolicited offers. Unfortunately, this is unavoidable, but you need to be aware and be skeptical so you can make the best decisions.

Where do these offers come from?

During the mortgage process, your information:

  • Is available to companies that purchase lists from a credit bureau
  • Becomes part of the public record once it is recorded and can be accessed by companies searching for information

What type of information could you receive from outside sources?

Some of the information you receive by call, mail or email will likely be legitimate, and some will not.

You may receive offers for things like life insurance, offers to provide the financing or refinancing, or offers to provide copies of your records. Whatever it is, we ask that you look at the offer closely.

If you have any questions about any information or solicitations that you receive, please feel free to contact us by calling your local Merchants Bank branch. We will help you understand the information so you can make your best decision.

Please know that we would never sell your information. So, if you receive something saying the contact is sanctioned by Merchants Bank, it isn’t. Be skeptical.

*Loans are subject to credit approval.

How to Tell if a Website is Legitimate

If you’re one of the 209.6 million Americans who shop online,* it’s important to take steps to verify the legitimacy of a company website before placing an order. Here are five tips to help you determine if a website is legitimate.

1. Can you easily find the company’s full contact information?

You should be able to locate the business’s full name, physical address, telephone number and email address. In addition, if you call the telephone number listed, make sure you can reach a live person who can verify details about the business.

Red Flag = You cannot find the company’s contact information.

2. Is there a Terms and Conditions web page?

Find the Terms and Conditions page on the website and read it carefully to understand company products, return policies and more.

Red Flag = You cannot find the company’s Terms and Conditions page.

3. Does the site accept secure payments?

If the company wants to accept secure payments with a credit card, it must use SSL security (now called TLS), which encrypts your payment and personal information in transit. Websites with SSL security have a website address that begins with “https” instead of “http.” For example, https://www.merchantsbank.com.

Red Flag = The company’s site does not accept secure payments.

4. Is the site design and information professional?

Review the site for typos, errors, misspellings, stolen images and more.

Red Flag = The company’s site contains any of the above.

5. What happens when you Google search the company’s name?

Type the company name into Google and read related customer reviews, feedback and articles.

Red Flag = Bad feedback or customer experiences.

Visit the FTC Consumer website for information on current website scams.

*http://www.statista.com/statistics/183755/number-of-us-internet-shoppers-since-2009/

 

Why Your Business Should Conduct a Risk Assessment

Risk is inevitable. It’s simply part of any business, and because of that, managers often believe that understanding risk is an organic process that is either self-evident or intuitive, and based on the nature of the business itself. It’s not a bad approach because it tends to focus on business functions and not just the technology. But by themselves, intuition and experience are inadequate. And because they’re inadequate, a formal risk assessment process is critical to managing the growing, changing, and challenging threat environment that continues to evolve at the frenetic pace of technology today.

A structured risk assessment consists of three basic steps:

  1. Identify and define the risks to be assessed.
  2. Decide how likely it is that each risk will occur.
  3. Decide the magnitude of the impact to the business if a given risk does occur.

Notice that steps two and three are decisions. It’s not always easy to determine just how likely it is that a given risk will occur. Unless we have a good set of data to back up our evaluation, we can only reason, applying common sense to understanding each risk.

Yet to understand and communicate risk throughout the organization it should be quantified. This can be accomplished using a simple risk scoring methodology we are all familiar with.

For example, if we use a 1-5 ranking system, we can let 1 = low and 5 = high. Then if a risk is very likely to occur, we rank it a 5. If the risk would have a serious impact on the business, we rank that a 5. Finally, we multiply the two together for a risk score of 25.

Likelihood × Impact = Risk Score

Using this approach over and over we can develop a hierarchy of risks that cascade from high to low, and prioritize which of those to address first. However, it’s important not to make all decisions based on the risk score alone.

Let’s say a risk is very unlikely and we rate it a 1, but if it occurred, the impact on the organization would be catastrophic, so we rate that a 5. The total risk score is a 5 and, judging by the number alone, the risk should be low on the list of risks needing remediation.

At this point we need to look past the numbers and determine our organization’s risk appetite.

If we’re willing to live with a risk having potentially catastrophic results, then we would likely not develop a disaster recovery plan, nor would we have a disaster recovery site, because the risk of complete loss of the data center is usually very low and the cost of a fully functional backup site is high.

But most organizations understand that essentially all catastrophic risks need to be addressed and while the scoring approach is very helpful, it cannot be relied upon exclusively, leading us back to the application of intuition and experience.

In short, a risk assessment is a structured process used in identifying and classifying risks and deciding what and how much to do about them. Once we’ve agreed on the assessment and classifications, we can focus on the two remaining aspects of risk management: risk remediation and, once that is accomplished, agreement that the remaining (or residual) risk is acceptable.

Securing Your Identity in the Online Age

By Rodney Nelsestuen, retired Chief Information Officer

We all know the threats to online security are constantly changing. The challenges of being an active online and social media user while protecting our identity highlight the important role we all have in keeping our business and personal finances safe.

So, what are some of the current strategies used by hackers and what should we do about them?

Today’s online thief is patient and persistent. Thieves are taking their time in collecting data about us from many sources. Even the most mundane aspects of our lives may be important when added to other data taken from our personal lives, from social media (both our posts and those of friends and family), and from our workplace. Eventually, all this information is applied in a manner that mimics our personality and behaviors in a convincing way.

How is this possible?

Once a “bad actor,” an online thief or fraudster, has some of your information and your online lifestyle, getting more becomes easy as artificial intelligence (AI) serves up a large plate of your preferences, enabling the thief to fully take your place – at least in a virtual sense.

Thus, it’s entirely possible we have a virtual clone navigating the internet, posing as us, and preparing to wreak havoc on our lives by, essentially, taking it for their own.

So, how do we minimize the risk of this happening to us?

Steps to Minimize Risk

Drop out of social media

There are people who have already done this. But dropping out is probably not realistic for most of us. We rely on social media to keep up with friends and family, share joy, sorrow, important information, and we generally find social media a good force in our lives.

Limit what we share on social media

It could be worth our time to more closely manage what is posted and left on social media. Exposing too much about ourselves just makes it easier for thieves to enrich the already valuable data sources available to them.

Talk with family and friends about what you will and will not share on social media and encourage them to do the same. For some of us, posting is done almost willy-nilly, without thought and often reveals deep details that may later be used to compromise our financial or personal lives. Maybe it’s time to pick up the phone to discuss certain aspects of our lives instead of posting them.

Choose our connections in a more deliberate manner

It may be best to limit the number of friends we have online. Most of us have connections that may not be critical to a good social media experience but were set up out of curiosity or recommendations from friends. Examine the controls available on the social media site and narrow what others can see, keeping those closest to you fully engaged, but limiting others.

But Nothing is Fool-Proof. What’s the Next Step?

Because there’s no fool-proof methodology to protecting our identity or our money, we might leverage the tools provided by our most trusted businesses – including banks. Spending the time to fully understand the options and controls that we can employ will allow us to be active participants in managing online threats and help us move from a purely defensive posture to playing offense against the bad guys.

How can we do this?

Actively manage credit and debit cards through apps

Today most of these products have a number of controls that we can actively implement. These include:

  • Turning our credit or debit cards on and off when suspicious activity takes place
  • Setting alerts to notify us via text messages of certain types of transactions or amounts
  • Establishing an out-of-band authentication process when accessing any private financial site to verify your identity through two sources, like your password and a code texted to your phone

These three options will keep us informed on what’s happening to our financial accounts and provide additional assurance that we are, in fact, interacting with our bank and not a fake site.

We have apps for Merchants Bank Debit and Credit Cards that allow you to control your security preferences and set up alerts for when the cards are used.

Have security systems on your computer

It’s fundamental, and a best practice, to have strong antivirus systems on all of our computers. Most of us have these types of subscriptions given they were bundled with the purchase the last time we bought a computer. Make sure, however, that the software also has:

  • anti-malware
  • anti-spyware
  • anti-adware
  • anti-phishing capabilities that can be deployed (or not) at will.

There are additional options we might employ: we can download software that provides an additional layer of security on the computer itself. These tools may harden our computer, keyboard, or mouse against exploitation by hackers. Most of these technologies do not interfere with online speed or performance.

The Solution: Marry Technology and Cautious Online Practices

No technology alone can completely protect us from financial loss or ID theft. Technology needs to be coupled with smart interactions when online. Combining conservative practices, knowing who we are interacting with, and using the technologies available through banks and on our own devices brings a holistic approach to securing our online selves and reducing the risks associated with today’s virtual world.

3 Essential Small Business Security Practices

Keeping your business protected from fraud and security threats can feel like an overwhelming job. One place to start is by focusing on internal controls that help keep your business’s financial information more secure. Our Security Officer, Kerri Bronk, recommends putting the following three internal controls into practice and reviewing them regularly.

“The idea is to have a combination of different types of security checks and balances in place – and to make sure you keep them up-to-date,” said Kerri. “These simple internal controls can really have an impact on how secure your business information can be.”

Authorized Account Signers

A small business may want to have a few people listed on a financial account as an authorized signer. This can vary by business but may include the owners, an office manager or bookkeeper.

Kerri advises, “[a]uthorized account signers have access to some of the essential functions of your financial account, so you want to make sure this type of access is only granted when necessary.”

 FAQs about Authorized Signers

  • What can an authorized account signer do? An authorized signer is different from an account owner (who has complete control over a financial account). With regard to a checking or savings account, for example, a signer can make withdrawals, sign checks and access some account information.
  • How many authorized account signers can I have? There is no limit. However, the more individuals who have access, the more risk you’re taking.
  • How often should I review this access? On an annual basis or when you’ve had an employment change in your executive management team or accounting/payroll staff.
  • How do I make changes to authorized account signers? Changes to authorized signers need to be done in person at a Merchants Bank location. Contact your Customer Service Representative to make an appointment.

Authorized Cardholders

You might like to have the option for several people to make business purchases with a debit or credit card. This is where authorized cardholders come in.

FAQs about Authorized Cardholders

  • What can an authorized cardholder do? An authorized cardholder can use a debit or credit card tied to your business account to make purchases and get cash from an ATM. You can set spending limits per card user to help keep spending in check.
  • Does the authorized cardholder need to be a signer on the account? No, you can give a person access to a card without having other signing abilities.
  • How many authorized cardholders can I have? There is not a set limit to the number, but again the more access, the harder it will be to track spending.
  • How often should I review this access? Who has access to business debit and credit cards should be reviewed more frequently. We’d recommend making updates to your authorized cardholders each quarter or when you have staffing changes.
  • How do I make changes to authorized cardholders? For both your Merchants Bank debit and credit cards, stop into your local Merchants Bank location for assistance.

Access to Account Information

Knowing who has access to your business account information and keeping the number of people to a minimum is one of the best ways to avoid a security or fraud threat.

Considering that small or mid-sized businesses lost a median amount of $289,864 to employee funds theft in 2017, it’s critical to thoughtfully review who should have access to this information.*

FAQs about Account Access

  • What kind of information can I give employees access to? You can select the level of information you want an employee to receive in Small Business Online Banking or Commercial Online Banking or credit card transactions through mycardstatement.com. You can also use our mobile card controls – CardValet for debit cards and our Merchants Bank Credit Card App – to have alerts on card spending.
  • How many people can have this access? This varies by solution; please ask at your local Merchants Bank location.
  • How often should I review this access? It’s extremely important to stay current with account access. This should be updated immediately when staff join or leave your business.
  • How do I make changes to who has access to my account information?
    • Statements: Contact your local Merchants Bank location for assistance.
    • Small Business Online Banking and Commercial Online Banking: Once you have set up your account with you as the owner, you can add or remove secondary users and define account access per user at your convenience. If you have any questions or need help with user setup, contact our Electronic Banking Department (ibsupport@merchantsbank.com or (866) 496-0522) for Small Business Online Banking or Treasury Management Support for Commercial Online Banking (commercialonline@merchantsbank.com or (833) 694-2374).
    • mycardstatement.com: Contact your local Merchants Bank location for assistance.

“My last tip regarding internal controls is to ensure that no single employee has access to all the financial aspects of your business,” said Kerri. “For example, you want to make sure that employees who can pay business expenses with a business credit card are not the same employees who pay the credit card bill.”

Just remember that Merchants Bank is always here to help. If you think your business bank account information has been compromised or have a security concern, contact your local Merchants Bank location and ask to speak to your Treasury Management Specialist or a Customer Service Representative.

*https://www.hiscox.com/documents/2017-Hiscox-Embezzlement-Study.pdf

Cell Phone Porting Fraud: Check Your Phone

Fraudsters are getting names, phone numbers and other personally identifiable information of real people and transferring their phone number to a different cell phone service provider. They pose as the victim, report the phone lost to the current provider and request the number be transferred (or “ported”) to a device with a different cellular service provider. Once they do this, they can find where the victim may have bank accounts, click a “forgot password” link and request a password change code be sent to the stolen phone number via text message, now directed to their device. Then they can change the account’s password and access and manipulate those accounts.

What to watch for:

If your phone suddenly loses service, switches to “Emergency Calls Only,” or receives any alert messages or unexpected text messages about authenticating an action you did not request, notify your cellular service provider and financial institution immediately.

Take action to protect yourself:

You can take action against cell phone porting (or “port-out”) fraud by contacting your cell phone service provider. Ask them about their porting/port-out security and request they ask for security verification (that you would set up) when action is requested for your account.

Fraud and Scam Updates for May

Review our most recent fraud alerts and updates to help keep your personal information secure. Want to be automatically updated about recent scams and fraud? Sign up for our Alerts emails here: http://bit.ly/1G1dF0n

Internal Revenue Service Scam

Some of our customers have fallen for a recent scam involving fraudsters posing as employees from the Internal Revenue Service (IRS). The fraudster will call you – stating to be an Internal Revenue Service employee – and claim you owe back taxes, which can be paid via wire transfer.

The truth is that the IRS does not use phone calls to make personal contacts. If the IRS wants to contact you, they will send a letter first. If you receive a phone call from an individual claiming to be from the IRS, it is a scam. For more information on how and when the IRS might contact you, see these two articles from the Federal Trade Commission:

Check Fraud

Merchants has recently seen an increase in fraudulent checks. Customers have fallen for some “too good to be true” scenarios including being asked to be a secret shopper for a fake business or receiving a winnings check in the mail from a drawing they did not enter. When you receive a check, make sure to consider where it came from.

Some questions to ask yourself:

  • Did I recently enter any contests or drawings where I could win money?
  • Can I verify the information on the check through a third party? For example, can you confirm a person’s contact information through the phone book? Or confirm a business’s information through an online directory like the Yellow Pages?
  • Does it sound too good to be true?

Be a skeptic. If the situation doesn’t sound right, it’s time to do some more investigating before depositing that check. For more information, read this article on check fraud from the Federal Trade Commission.

Next Steps If You’ve Experienced Fraud

If you think your bank account information has been compromised or you are a victim of identity theft, contact your local Merchants Bank and ask to speak to a Customer Service Representative.

Best Practices in Risk Management

Previously we discussed risk assessment and how, while it is both an IT and human undertaking, most risk assessments need to start and end with business processes. After you have conducted a risk assessment, it might seem that you simply need to review the assessment and determine which risks should be reduced or eliminated. While this is true, managing risk goes beyond responding to a risk assessment process. In this article, we’ll take up the topic of risk management, which involves dealing with a continuum of risks.

Categorizing Risk

Before you can begin to manage risk, it can be helpful to segment your potential risks into categories for further definition and review. Typically, risks can be placed in one of three categories:

  1. Known Knowns are risks that are a part of our industry, business, or simply part of our lives. For example, for almost every business using electronic payments, the danger lies in being hacked, losing customer credit or debit card information, or having funds misdirected by a criminal – or even by human error.
  2. Known Unknowns are risks that cannot be foreseen, but can be understood. For example, while the risk of a computer/network system being hacked is a known risk, it is unknown who will do it, where it will come from or the purpose of the hack.
  3. Unknown Unknowns are risks you see only in hindsight. Recent technology events that fit this class of risks include the ‘POODLE’ and ‘Heartbleed’ vulnerabilities. Both of these highly technical vulnerabilities actually existed in thousands of computer systems for decades but were completely innocent until someone discovered they could be exploited for malicious intent. It is quite possible that many more of these unknown unknowns exist in the computer systems we rely on every day.

Risk Management Practices

With these three categories in mind, you can establish risk management practices for your business. When considering the first two categories, your risk assessment can help you rank and rate each risk, its potential to occur and, if it occurs, the magnitude of its impact. From here, risk management policies can help you handle risks effectively and in a reasonable manner. For example, if a very low probability risk would have catastrophic results for your business, it may be a matter of policy that your company would work at reducing or eliminating that risk regardless of the risk assessment score.

Risk management is an active and ongoing process. Once policy is in place, a set of operating standards is needed to set expectations for IT and other staff who deal with risks. Standards may include existing controls or new controls to help reduce or eliminate risks. For example, one operating standard could be to have an out of band authentication (a process of secure verification of your staff member) on any online corporate funds transfer. Beyond existing controls, risk management standards could include requiring that risks of a certain magnitude be handled within a set number of days. If the risk is not resolved within that time frame, management can review and discuss why the risk is not yet reduced, and take additional action or, in some cases, decide to extend the time to cure the risk.
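The policy and standard described above, combined with the 1-5 likelihood-times-impact score from the earlier risk assessment article, can be kept in a small risk register. This is an added example, not part of the original articles; the appetite threshold, deadline bands, override rule and sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Policy values below are assumptions for illustration, not from the article.
RISK_APPETITE_SCORE = 8               # scores below this are accepted as-is
CATASTROPHIC_IMPACT = 5               # impact rating that triggers the policy override
DEADLINE_BANDS = [(15, 30), (8, 90)]  # (minimum score, days allowed to remediate)
OVERRIDE_DEADLINE_DAYS = 60           # days allowed for a policy-override risk


@dataclass
class Risk:
    name: str
    likelihood: int                   # 1 = low ... 5 = high
    impact: int                       # 1 = low ... 5 = high
    identified: date
    resolved: bool = False

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-5 scale so scores stay comparable.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        """Likelihood x Impact, from 1 to 25."""
        return self.likelihood * self.impact

    @property
    def policy_override(self) -> bool:
        """True when the impact alone is catastrophic, whatever the score."""
        return self.impact >= CATASTROPHIC_IMPACT


def needs_treatment(risk: Risk) -> bool:
    """A risk is treated if policy demands it or its score exceeds the appetite."""
    return risk.policy_override or risk.score >= RISK_APPETITE_SCORE


def deadline(risk: Risk) -> Optional[date]:
    """Remediation due date under the standard; None for accepted risks."""
    if not needs_treatment(risk):
        return None
    allowed = [days for minimum, days in DEADLINE_BANDS if risk.score >= minimum]
    if risk.policy_override:
        allowed.append(OVERRIDE_DEADLINE_DAYS)
    return risk.identified + timedelta(days=min(allowed))


def treatment_plan(register: List[Risk]) -> List[Risk]:
    """Risks to remediate, highest score first; override risks never drop off."""
    selected = [r for r in register if needs_treatment(r)]
    return sorted(selected, key=lambda r: (-r.score, r.name))


def overdue(register: List[Risk], today: date) -> List[Risk]:
    """Unresolved risks past their deadline, for management review."""
    return [r for r in treatment_plan(register)
            if not r.resolved and deadline(r) < today]


# Constructed sample register; names and ratings are illustrative only.
OPENED = date(2024, 1, 1)
SAMPLE_REGISTER = [
    Risk("Phishing email leads to stolen credentials", 5, 5, OPENED, resolved=True),
    Risk("Customer card data lost in a hack", 4, 4, OPENED),
    Risk("Funds transfer posted to the wrong payee", 3, 3, OPENED),
    Risk("Complete loss of the data center", 1, 5, OPENED),
    Risk("Office printer out of service", 2, 1, OPENED),
]

if __name__ == "__main__":
    review_date = date(2024, 3, 15)
    late = {r.name for r in overdue(SAMPLE_REGISTER, review_date)}
    for r in treatment_plan(SAMPLE_REGISTER):
        notes = []
        if r.policy_override:
            notes.append("policy override")
        if r.name in late:
            notes.append("OVERDUE")
        print(f"{r.score:>2}  due {deadline(r)}  {r.name}  {', '.join(notes)}")
```

The data center risk scores only 5, yet it stays in the plan and is flagged for review once its deadline passes, which is the behavior the policy paragraph asks for.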

Once risk is reduced, it’s important to complete a review of the ‘residual’ risk, that risk which cannot be eliminated. For example, using out of band authentication reduces the risk of a bad actor transferring funds, but there is still the risk of human error in posting the funds, transferring to the wrong person or entity, and the like. These risks may then be addressed through procedures or processes.

Processes establish the methodology for meeting policy requirements at the level set by standards. In the funds transfer example above, using out of band authentication reduces the technology risk that money will be stolen. However, internal processes still need to be established to reduce the risk of human error. Moreover, and while disturbing to consider, more incidents of employee theft have been cited in recent years. Therefore, separation of duties and normal, traditional human control mechanisms are just as important as technical risk management.

The following six steps briefly summarize the risk management process:

[Graphic: six steps of the risk management process]

Risk management needs to be an ongoing and integral part of your business management today. Technology risks are often more than purely IT issues and involve humans who conduct every part of your daily business. Especially when processes involve money, it is important to have these processes tied to policies and standards, which creates a measurable and defined set of risk management capabilities. Finally, while all three are tied together, it is important to manage risk dynamically as the risk environment changes.

Fraud: It’s Social

Mitigating fraud is especially critical to business success today. Regardless of what industry you’re in, the threat of fraud impacting you or your customers is ever-present. The impact may be financial, loss of trust, damage to reputation, or all of these. And the perpetrators of fraud are growing both in number and in sophistication, which leads us to the topic of social engineering.

One definition provided by Techtarget.com lists social engineering as “an attack…that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” While awareness of social engineering is growing, the actual theft of money and confidential information obtained through social engineering is growing faster. According to the FBI, thieves stole nearly $750 million in (email phishing) scams from more than 7,000 companies in the U.S. between 2013 and 2015.

Social engineering uses the good will of employees and customers, who often believe they are being helpful, to acquire confidential information. How does this evolve into a crime? Social engineering data is taken from a broad and meaningful set of sources: by deceiving users into disclosing information, from publicly available sources such as Facebook or professional aggregation sites such as spokeo.com, or by purchasing stolen data that is readily available for sale online. This information is analyzed in conjunction with other data to enable serious crimes that may be perpetrated later on. Once a criminal has enough information, they no longer need to steal money by brute force, but simply log on as an employee, posting real credentials and security information, and steal money in what appears to be a legitimate transaction. So what should a business do to prevent fraud that may go undetected for some time?

Companies are now employing best practices that extend beyond the fraud software used in today’s business operations. They include the integration of deep technology controls and dynamic cybersecurity practices into more traditional risk management techniques. The success of this effort depends on the ongoing, up-to-date expertise of a company’s staff with respect to rapidly changing security threats. Staff training and scenario planning need to be a constant effort with reminders to people throughout the organization to be on the lookout for the unusual request or event.

Even with strong training and due diligence, a fraud event may well occur. When it does, the business should have a three-part response:

  1. Halt the event
  2. Assess the damage
  3. Address how to recover.

Finally, complacency is not acceptable. The nature of fraud will continue to evolve, creating new threats that need to be combatted with a proactive, disciplined approach by both businesses and the customers they serve.