How to Tell if a Website is Legitimate

If you’re one of the 209.6 million Americans who shop online,* it’s important to take steps to verify the legitimacy of a company website before placing an order. Here are five tips to help you determine if a website is legitimate.

1. Can you easily find the company’s full contact information?

You should be able to locate the business’s full name, physical address, telephone number and email address. In addition, if you call the telephone number listed, make sure you can reach a live person who can verify details about the business.

Red Flag = You cannot find the company’s contact information.

2. Is there a Terms and Conditions web page?

Find the Terms and Conditions page on the website and read it carefully to understand company products, return policies and more.

Red Flag = You cannot find the company’s Terms and Conditions page.

3. Does the site accept secure payments?

If the company wants to accept secure payments with a credit card, they must use SSL security, which properly encrypts your payment and personal information. Websites with SSL security have a website address that begins with “https” instead of “http.” For example, https://www.merchantsbank.com.

Red Flag = The company’s site does not accept secure payments.

4. Is the site design and information professional?

Review the site for typos, errors, misspellings, stolen images and more.

Red Flag = The company’s site contains any of the above.

5. What happens when you Google search the company’s name?

Type the company name into Google and read related customer reviews, feedback and articles.

Red Flag = Bad feedback or customer experiences.

Visit the FTC Consumer website for information on current website scams.

*http://www.statista.com/statistics/183755/number-of-us-internet-shoppers-since-2009/

Why Your Business Should Conduct a Risk Assessment

Risk is inevitable. It’s simply part of any business, and because of that, managers often believe that understanding risk is an organic process that is either self-evident or intuitive, and based on the nature of the business itself. It’s not a bad approach because it tends to focus on business functions and not just the technology. But by themselves, intuition and experience are inadequate. And because they’re inadequate, a formal risk assessment process is critical to managing the growing, changing, and challenging threat environment that continues to evolve at the frenetic pace of technology today.

A structured risk assessment consists of three basic steps:

  1. Identify and define the risks to be assessed.
  2. Decide how likely it is that each risk will occur.
  3. Decide the magnitude of the impact to the business if a given risk does occur.

Notice that steps two and three are decisions. It’s not always easy to determine just how likely it is that a given risk will occur. Unless we have a good set of data to back up our evaluation, we can only reason, applying common sense to understanding each risk.

Yet to understand and communicate risk throughout the organization it should be quantified. This can be accomplished using a simple risk scoring methodology we are all familiar with.

For example, if we use a 1-5 ranking system, we can let 1 = low and 5 = high. Then if a risk is very likely to occur, we rank it a 5. If the risk would have a serious impact on the business, we rank that a 5. Finally, we multiply the two together for a risk score of 25.

Likelihood × Impact = Risk Score

Using this approach over and over we can develop a hierarchy of risks that cascade from high to low, and prioritize which of those to address first. However, it’s important not to make all decisions based on the risk score alone.

Let’s say a risk is very unlikely and we rate it a 1, but if it occurred, the impact on the organization would be catastrophic so we rate that a 5. The total risk score is a 5 and judging by the number alone, should be low on the list of risks needing remediation.

At this point we need to look past the numbers and determine our organization’s risk appetite.

If we’re willing to live with a risk having potentially catastrophic results, then we would likely not develop a disaster recovery plan, nor would we have a disaster recovery site, because the risk of complete loss of the data center is usually very low and the cost of a fully functional backup site is high.

But most organizations understand that essentially all catastrophic risks need to be addressed and while the scoring approach is very helpful, it cannot be relied upon exclusively, leading us back to the application of intuition and experience.
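The scoring method and its blind spot can be seen side by side in a small risk register. This is an added example, not part of the original article; the register entries are constructed, and the `CATASTROPHIC_IMPACT` threshold is an assumed way of expressing risk appetite.

```python
from dataclasses import dataclass

SCALE = range(1, 6)          # the article's 1-5 ranking: 1 = low, 5 = high
CATASTROPHIC_IMPACT = 5      # assumed appetite: impact at this level is always addressed


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    def __post_init__(self):
        # Reject rankings outside the agreed scale so scores stay comparable.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def _order(risk):
    # Highest score first; ties go to the higher impact, then by name.
    return (-risk.score, -risk.impact, risk.name)


def score_only_ranking(risks):
    """Rank purely by Likelihood x Impact, as the number alone would suggest."""
    return sorted(risks, key=_order)


def prioritize(risks, catastrophic_impact=CATASTROPHIC_IMPACT):
    """Split the register into (must_address, ranked).

    must_address holds every risk whose impact reaches the appetite
    threshold, whatever its score; ranked holds the rest, high to low.
    """
    must_address = [r for r in risks if r.impact >= catastrophic_impact]
    ranked = [r for r in risks if r.impact < catastrophic_impact]
    return sorted(must_address, key=_order), sorted(ranked, key=_order)


# Constructed sample register (likelihood, impact).
REGISTER = [
    Risk("Phishing email reaches staff", 5, 3),
    Risk("Complete loss of the data center", 1, 5),
    Risk("Laptop stolen from vehicle", 3, 2),
    Risk("Wire fraud via spoofed customer email", 4, 4),
    Risk("Office printer outage", 2, 1),
]

if __name__ == "__main__":
    print("Score-only ranking:")
    for r in score_only_ranking(REGISTER):
        print(f"  {r.score:>2}  {r.name}")
    must, ranked = prioritize(REGISTER)
    print("Address regardless of score:", [r.name for r in must])
    print("Then by score:", [r.name for r in ranked])
```
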

In short, a risk assessment is a structured process used in identifying and classifying risks and deciding what and how much to do about them. Once we’ve agreed on the assessment and classifications, we can focus on the two remaining aspects of risk management: risk remediation and, once that is accomplished, agreement that the remaining (or residual) risk is acceptable.

Securing Your Identity in the Online Age

By Rodney Nelsestuen, Chief Information Officer

We all know the threats to online security are constantly changing. The challenges of being an active online and social media user while protecting our identity highlight the important role we all have in keeping our business and personal finances safe.

So, what are some of the current strategies used by hackers and what should we do about them?

Today’s online thief is patient and persistent. Thieves are taking their time in collecting data about us from many sources. Even the most mundane aspects of our lives may be important when added to other data taken from our personal lives, from social media (both our posts and those of friends and family), and from our workplace. Eventually, all this information is applied in a manner that mimics our personality and behaviors in a convincing way.

How is this possible?

Once a “bad actor,” an online thief or fraudster, has some of your information and your online lifestyle, getting more becomes easy as automated intelligence (AI) serves up a large plate of your preferences, enabling the thief to fully take your place – at least in a virtual sense.

Thus, it’s entirely possible we have a virtual clone navigating the internet, posing as us, and preparing to wreak havoc on our lives by, essentially, taking it for their own.

So, how do we minimize the risk of this happening to us?

Steps to Minimize Risk

Drop out of social media

There are people who have already done this. But dropping out is probably not realistic for most of us. We rely on social media to keep up with friends and family, share joy, sorrow, important information, and we generally find social media a good force in our lives.

Limit what we share on social media

It could be worth our time to more closely manage what is posted and left on social media. Exposing too much about ourselves just makes it easier for thieves to enrich the already valuable data sources available to them.

Talk with family and friends about what you will and will not share on social media and encourage them to do the same. For some of us, posting is done almost willy-nilly, without thought and often reveals deep details that may later be used to compromise our financial or personal lives. Maybe it’s time to pick up the phone to discuss certain aspects of our lives instead of posting them.

Choose our connections in a more deliberate manner

It may be best to limit the number of friends we have online. Most of us have connections that may not be critical to a good social media experience but were set up out of curiosity or recommendations from friends. Examine the controls available on the social media site and narrow what others can see, keeping those closest to you fully engaged, but limiting others.

But Nothing is Fool-Proof. What’s the Next Step?

Because there’s no fool-proof methodology for protecting our identity or our money, we might leverage the tools provided by our most trusted businesses – including banks. Spending the time to fully understand the options and controls that we can employ will allow us to be active participants in managing online threats and help us move from a purely defensive posture to playing offense against the bad guys.

How can we do this?

Actively manage credit and debit cards through apps

Today most of these products have a number of controls that we can actively implement. These include:

  • Turning our credit or debit cards on and off when suspicious activity takes place
  • Setting alerts to notify us via text messages of certain types of transactions or amounts
  • Establishing an out-of-band authentication process when accessing any private financial site to verify your identity through two sources, like your password and a code texted to your phone

These three options will keep us informed on what’s happening to our financial accounts and provide additional assurance that we are, in fact, interacting with our bank and not a fake site.

We have apps for Merchants Bank Debit and Credit Cards that allow you to control your security preferences and set up alerts for when the cards are used.

Have security systems on your computer

It’s fundamental, and a best practice, to have strong antivirus systems on all of our computers. Most of us have these types of subscriptions given they were bundled with the purchase the last time we bought a computer. Make sure, however, that the software also has:

  • anti-malware
  • anti-spyware
  • anti-adware
  • anti-phishing capabilities that can be deployed (or not) at will.

There are additional options we might employ: we can download software that provides an additional layer of security on the computer itself. These tools may harden our computer, keyboard, or mouse against exploitation by hackers. Most of these technologies do not interfere with online speed or performance.

The Solution: Marry Technology and Cautious Online Practices

No technology alone can completely protect us from financial loss or ID theft. Technology needs to be coupled with smart interactions when online. Combining conservative practices, knowing who we are interacting with, and using the technologies available through banks and on our own devices brings a holistic approach to securing our online selves and reducing the risks associated with today’s virtual world.

Protect Your Identity During the Holidays or Any Time of Year

It’s important to take steps to protect your personal identity, especially during the holiday shopping season. Let’s work together to help keep your information safe.

Use Our Free Fraud Tools

Your security is top of mind at Merchants Bank. We have a number of ways to help you protect yourself with our SecurLock Equip app for your Merchants Bank credit card and My Mobile Money app for our debit card. These apps are very similar.

With SecurLock or My Mobile Money you can:

  • Turn your Merchants Bank credit card or debit card on and off.
  • Control where your credit card or debit card can be used.
  • Receive automatic notifications about possible fraud and take action.

More on SecurLock and My Mobile Money can be found on our website.

Plus, if you use Merchants Online Banking, consider using the “Alerts” functions to monitor activity. To set up automatic alerts, follow the steps outlined in our video tutorial. Alerts can be sent to an email address or via text message.

Best Practices to Use When Shopping Online During the Holidays:

  • Change your passwords often. Use a mixture of numbers, letters and special characters. Don’t use the same passwords for multiple accounts.
  • Be suspicious. Thieves will use calls or emails to trick you into sharing passwords, social security numbers, etc. If you don’t recognize the caller or email, don’t reply.
  • Don’t click on links in emails from your credit card companies, investment companies or banks that would have you update account information. Remember, Merchants Bank will never ask you to update your personal information via a link in an email. When suspicious, call the company at a number you confirmed in a separate source, like a phone book or prior statement.
  • Make a fraud kit. Keep a list of your credit and debit cards, account numbers, expiration dates and customer service or fraud department telephone numbers in a secure place.
  • Read through your credit card bills. If you see a charge you don’t recognize, call and get the charge reversed.
  • Don’t use the “remember password” option. It makes it easier for someone to access your accounts.
  • Do NOT keep a list of passwords in an unprotected document on your devices or written down in an unsecure place.
  • Never save your credit card number online. If that site gets breached, you are at risk. Enter your information each time you make a purchase.

If you’re traveling or spending the winter somewhere else, let us know by contacting your local Customer Service Representative so we can make sure you have the best service.

If you make purchases in a state or country where you don’t normally use your Merchants Bank debit or credit card, we may think these transactions are fraudulent unless we know otherwise. Let us know the dates of your trip, your travel locations and how we may be able to contact you.

If you have additional questions, please contact us. We’re happy to help.

3 Essential Small Business Security Practices

Keeping your business protected from fraud and security threats can feel like an overwhelming job. One place to start is by focusing on internal controls that help keep your business’s financial information more secure. Our Security Officer, Kerri Bronk, recommends putting the following three internal controls into practice and reviewing them regularly.

“The idea is to have a combination of different types of security checks and balances in place – and to make sure you keep them up-to-date,” said Kerri. “These simple internal controls can really have an impact on how secure your business information can be.”

Authorized Account Signers

A small business may want to have a few people listed on a financial account as an authorized signer. This can vary by business but may include the owners, an office manager or bookkeeper.

Kerri advises, “[a]uthorized account signers have access to some of the essential functions of your financial account, so you want to make sure this type of access is only granted when necessary.”

FAQs about Authorized Signers

  • What can an authorized account signer do? An authorized signer is different from an account owner (who has complete control over a financial account). In regards to a checking or savings account, for example, a signer can make withdrawals, sign checks and access some account information.
  • How many authorized account signers can I have? There is no limit. However, the more individuals who have access, the more risk you’re taking.
  • How often should I review this access? On an annual basis or when you’ve had an employment change in your executive management team or accounting/payroll staff.
  • How do I make changes to authorized account signers? Changes to authorized signers need to be done in person at a Merchants Bank location. Contact your Customer Service Representative to make an appointment.

Authorized Cardholders

You might like to have the option for several people to make business purchases with a debit or credit card. This is where authorized cardholders come in.

FAQs about Authorized Cardholders

  • What can an authorized cardholder do? An authorized cardholder can use a debit or credit card tied to your business account to make purchases and get cash from an ATM. You can set spending limits per card user to help keep spending in check.
  • Does the authorized cardholder need to be a signer on the account? No, you can give a person access to a card without having other signing abilities.
  • How many authorized cardholders can I have? There is not a set limit to the number, but again the more access, the harder it will be to track spending.
  • How often should I review this access? Who has access to business debit and credit cards should be reviewed more frequently. We’d recommend making updates to your authorized cardholders each quarter or when you have staffing changes.
  • How do I make changes to authorized cardholders? For both your Merchants Bank debit and credit cards, stop into your local Merchants Bank location for assistance.

Access to Account Information

Knowing who has access to your business account information and keeping the number of people to a minimum is one of the best ways to avoid a security or fraud threat.

Considering that small or mid-sized businesses lost a median amount of $289,864 to employee funds theft in 2017, it’s critical to thoughtfully review who should have access to this information.*

FAQs about Account Access

  • What kind of information can I give employees access to? You can select the level of information you want an employee to receive from paper statements to viewing accounts in Online & Mobile Banking or credit card transactions through mycardstatement.com. You can also use our mobile card controls – Card Valet for debit cards and SecurLock Equip for credit cards – to have alerts on card spending.
  • How many people can have this access? This varies by solution, please ask at your local Merchants Bank location.
  • How often should I review this access? It’s extremely important to stay current with account access. This should be updated immediately when staff join or leave your business.
  • How do I make changes to who has access to my account information?
    • Statements: Contact your local Merchants Bank location for assistance.
    • Business Online & Mobile Banking: Once you have set up your Business Online Banking account with you as the owner, you can add or remove secondary users and define account access or transactions limits per user at your convenience. If you have any questions or need help with user setup, just contact our Electronic Banking Department (ibsupport@merchantsbank.com or (866) 496-0522).
    • mycardstatement.com: Contact your local Merchants Bank location for assistance.

“My last tip regarding internal controls is to ensure that no single employee has access to all the financial aspects of your business,” said Kerri. “For example, you want to make sure that employees who can pay business expenses with a business credit card are not the same employees who pay the credit card bill.”

Just remember that Merchants Bank is always here to help. If you think your business bank account information has been compromised or have a security concern, contact your local Merchants Bank location and ask to speak to your Treasury Management Specialist or a Customer Service Representative.

*https://www.hiscox.com/documents/2017-Hiscox-Embezzlement-Study.pdf

Top Business Fraud Updates – April 2018

Please review our most recent fraud alerts and security reminders to help protect your business.

Email Spoofing On the Rise

Our business customers have reported an increase in email spoofing scams. Fraudsters are posing as a customer or employee of the business and sending an email to the business asking for a wire transfer or ACH payment. Only after completing the wire transfer have businesses found out that they were dealing with fraudsters and not their actual customers or employees.

Before you complete transactions to your customers, use a secondary source to verify who you are speaking with, whether over the phone or by email. Call your customer directly through a phone number you have verified. When working with customers via email, remember to look at both names and email addresses for consistency. If you notice anything suspicious, take the extra time to make sure both your business’s and your customer’s information is safe. When in doubt – check it out and verify.
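The name-versus-address consistency check described above can be automated for a shared payments mailbox. This is an added example, not part of the original post; the address book, the sample `From:` headers and the finding codes are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed address book: display name -> address confirmed through a
# separate channel (for example, a phone call to a verified number).
KNOWN_CONTACTS = {
    "dana lee": "dana.lee@customer.example",
    "pat morgan": "pat.morgan@ourbusiness.example",
}

# Finds an email address written inside the display-name text.
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize(name):
    """Lower-case a display name and collapse runs of whitespace."""
    return " ".join(name.lower().split())


def check_from_header(from_header, contacts=KNOWN_CONTACTS):
    """Return finding codes for one From: header; an empty list means the
    name and address are consistent with what is on file. A sender who is
    not in the address book yields no findings here and still needs the
    out-of-band verification the article recommends.
    """
    display, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["UNPARSEABLE"]

    findings = []
    expected = contacts.get(normalize(display))
    if expected is not None and address != expected:
        # The name is one we trust, but the mail comes from somewhere else.
        findings.append("NAME_ADDRESS_MISMATCH")

    embedded = ADDRESS_IN_TEXT.search(display)
    if embedded and embedded.group(0).lower() != address:
        # The visible name shows one address while the real sender is another.
        findings.append("EMBEDDED_ADDRESS_MISMATCH")
    return findings


def review(headers, contacts=KNOWN_CONTACTS):
    """Map each suspicious From: header to its findings; clean ones are omitted."""
    flagged = {}
    for header in headers:
        findings = check_from_header(header, contacts)
        if findings:
            flagged[header] = findings
    return flagged


# Constructed sample headers, as they might appear on payment requests.
SAMPLE_HEADERS = [
    "Dana Lee <dana.lee@customer.example>",
    "Dana Lee <dana.lee@custorner.example>",
    '"dana.lee@customer.example" <billing@mail-payments.example>',
    "New Vendor <sales@vendor.example>",
]

if __name__ == "__main__":
    for header, findings in review(SAMPLE_HEADERS).items():
        print(findings, header)
```
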

Directory Listings Scam

Have you been contacted by someone wanting to verify or confirm your business information for a directory listing? Be cautious. Scammers have been calling businesses claiming to be able to help them with their online directory listings for a fee. In the end, the business is out the money and their information was verified for a directory listing that doesn’t exist. To avoid falling for this scam, make sure to verify who you are speaking to and confirm the phone number through a third party, like the phone book or Yellow Pages. Read more details about this scam here.*

Steps to Take Now to Prevent Fraud

Here are three simple things you can do now to prevent fraud on your business accounts. We recommend:

  • Checking your business bank accounts daily for fraudulent transactions. If you are suspicious of a transaction, contact the Bank immediately.
  • Using a fraud transaction detection service, such as Positive Pay, to help you prevent fraudulent checks and transactions from hitting your account.
  • Using our free debit and credit card security apps to track and review all of your transactions immediately. Learn more about My Mobile Money for your business debit card and SecurLock Equip for your business credit card.

Protect Your Business from Cyber Attacks

This tip is part of the FCC’s top ten cyber security tips for small businesses. Protecting and cleaning any computer that handles business information or touches your network is a must. One of the best defenses against online threats is making sure you have the latest security software, web browser and operating system in place too. You can set each of these to automatically install when a new software update is available. In addition, your antivirus software can run a scan after each update to ensure your machines are adequately protected. Take half an hour to check your settings and update your software now. Get more tips here.*

Consider Security First

Use this guide from the FTC to create a security-first approach to your business. This in-depth article gives you step-by-step best practices for protecting sensitive information your business may handle. Read the FTC’s Start with Security Guide now.*

Next Steps If You Have a Security Concern

If you think your business bank account information has been compromised or have a security concern, contact your local Merchants Bank and ask to speak to your Cash Management Specialist or a Customer Service Representative.

*You will be linking to another website not owned or operated by Merchants Bank, NA. Merchants Bank, NA is not responsible for the availability or content of this website and does not represent either the linked website or you, should you enter into a transaction. We encourage you to review their privacy and security policies which may differ from Merchants Bank, NA.

Cell Phone Porting Fraud: Check Your Phone

Fraudsters are getting names, phone numbers and other personally identifiable information of real people and transferring their phone numbers to a different cell phone service provider. They pose as the victim, report the phone lost to the current provider and request the number be transferred (or “ported”) to a device with a different cellular service provider. Once they do this, they can find where the victim may have bank accounts, click a “forgot password” link and request that a password change code be sent by text message to the stolen phone number, which is now directed to their device. They can then change the passwords on the victim’s accounts and access and manipulate those accounts.

What to watch for:

If your phone suddenly loses service, switches to “Emergency Calls Only,” receives any alert messages or unexpected text messages in regards to authenticating an action you did not request, notify your cellular service provider and financial institution immediately.

Take action to protect yourself:

You can take action against cell phone porting (or “port-out”) fraud by contacting your cell phone service provider. Ask them about their porting/port-out security and request they ask for security verification (that you would set up) when action is requested for your account.