The 3 Online Banking Alerts You Should Have Set Up

Farmer examinig wheat field status with digital tablet

Security Awareness Week: June 5-9, 2017

If you’re not using the FREE alerts feature of Merchants Bank Online Banking, you’re missing out on tools that could protect you from identity theft and fraud.

To set up automatic alerts, sign in to your Online Banking account and click the Other Services tab. From here, select the type of alert you’d like to enable and follow the steps to configure. Alerts can be sent to an email address, via text message or both…it’s up to you!

Here’s the list of the top three alerts our Electronic Banking Specialists recommend all customers put in place.

My Profile Changed – Get an alert if there are any changes to your Merchants Bank Online Banking profile. For example, a change to the email address associated with your account. This alert may help you detect if someone else has accessed your account and is trying to make changes to your profile.

Internet Banking Login Error – Get an alert if your password is entered incorrectly when attempting to log in to Online Banking. This alert may help you detect if someone else is trying to access your Online Banking account.

Balance Alerts – Get an alert based on balances above or below a certain dollar amount. Simply select the account you’d like an alert for, then choose an option from the drop down and type in an amount. This alert may help you detect large withdrawals or purchases you did not initiate.

To learn more about all of our Merchants Bank Online Banking alert options, watch this video featuring Lucas Stangl, Electronic Banking Specialist.

To get started with alerts, sign in to your Online Banking account now.

Are You Using These 7 Tips to Protect Your Identity?

Home budgeting

Security Awareness Week: June 5-9, 2017

It may feel like keeping your personal information secure is impossible in a world tech-savvy hackers and scammers. Every day the news reports on new data breaches and scams. But, you can play an important role in protecting yourself from identity theft and fraud by taking small steps.

Here’s where to start:

  1. Check your financial activity. It only takes a few minutes, but reviewing your bank, credit card and other financial activity and statements for fraud is an important first step. If you see any suspicious activity, report it.
  2. Don’t use the “remember password” option. Using this feature on your computer or mobile device makes it easier for someone to access your accounts.
  3. Set up automated account alerts. Get a text or email alert for certain transactions, balances and more. We offer free alerts through Merchants Bank Online Banking for your checking, savings and loan accounts and through My Mobile Money for your debit card transactions.
  4. Be cautious when asked for personal information. If you are asked to provide personal information through a phone call, email or website pop-up page, think before you act. Verify the company or person asking for the information through a third party, like a phone book or other trusted resource.
  5. Store private information securely. Whether at home or work, do not leave your personal information out where others can see it.
  6. Make a fraud kit. Keep a list of your credit and debit cards, account numbers, expiration dates and customer service of fraud department telephone numbers in a secure place away from the cards for easy access.
  7. Be a skeptic. If a situation sounds too good to be true, it probably is. You can’t win the lottery if you haven’t entered. You don’t need to send a payment to claim prize winnings.

To stay up-to-date on Merchants Bank fraud alerts and scams, sign up for our alerts emails.

How to Control Debit Card Activity

mymobilemoney

Security Awareness Week: June 5-9, 2017

Take control of your debit card transactions with our free My Mobile Money app. Use it to:

  • Set card transaction alerts
  • Set spending controls
  • Turn your debit card(s) on and off
  • Deny transactions based on criteria you choose
  • And much more!

Learn how to enable the top three features recommended by our staff. Before you begin, make sure you have downloaded the app, enrolled and signed in.

Feature 1: Transaction Alerts

From Customer Service Manager, Michelle Schroeder: “I can’t say enough about the automatic notifications for all transactions. I love seeing everything that goes through my debit card. It’s perfect in case I forget about an automatic withdrawal I had approved or someone is attempting fraud on my account.”

To receive alerts for certain transactions on your mobile device:

  1. Choose the card you wish to set alerts for.
  2. Select Alert Preferences.
  3. If you would like alerts on all transactions, click the “Send alerts for” drop down and select All Transactions.To set specific alerts, such as alerting for all online purchases, click the “send alerts for” drop down and selected Preferred Transactions. Then choose the type(s) of alerts you wish to set.

Feature 2: On/Off and Automatic Denials

From Commercial Banking Officer, Mike Swanson: “My wife and I have used the on/off feature for our debit card more than once. If one of us misplaces our card…leaves it in the car, forgets it on the counter or something else, we can just turn it off on the app until we find it. If our cards really were lost, it would prevent anyone else from using them. It’s just nice peace of mind.”

To turn off a debit card:

  1. Choose the card you wish to turn off.
  2. Slide the Card ON/OFF button from green to red.

To deny debit card transactions based on dollar amount:

  1. Choose the card you wish to set up for denials.
  2. Select Control Preferences.
  3. Select Spend Limits and slide on Per Transaction.
  4. Simply enter in the maximum amount that will be allowed for a transaction.
  5. Click Save.

Feature 3: Location Controls

From Customer Service Representative and Lead Teller, Tina Bechtel: “I’ve used the location feature and that’s really handy. You just set up if you only want to allow transactions based on a city, region or state. Transactions attempted from outside that area are then automatically denied.”

Although these options give you the flexibility to protect your card while traveling, you still need to notify us (contact your local Merchants Bank) of travel plans outside of Minnesota, Iowa and Wisconsin to ensure your debit card can be used while out of town.

To deny transactions based on the location of your mobile device:

  1. Choose the card you wish to set up location controls for.
  2. Select Control Preferences.
  3. Select Locations.
  4. Swipe the My Location function on.
  5. All attempted transactions outside of the zip code where your mobile device is located will be denied.

To allow transactions based on locations you select:

  1. Choose the card you wish to set up location controls for.
  2. Select Control Preferences.
  3. Select Locations.
  4. Swipe the My Regions function on.
  5. Select the plus symbol.
  6. Add a region by entering a zip code or using the map to zoom.
  7. Give your region a title and choose save.
  8. Repeat steps 5-7 to add up to two other regions.
  9. All transactions within the regions you selected will be allowed.

To learn how to enable other My Mobile Money features, use our reference guide. If you have questions about My Mobile Money, contact your local Merchants Bank.

Privacy Code: Why You Need One

PrivacyCode-Blog.jpg

Security Awareness Week: June 5-9, 2017

As part of our privacy standards, we would like all Merchants Bank customers to have a privacy code in place to protect you and your data from being accessed by someone other than you.

What is it?

A privacy code is a word or numbers or combination between 4 to 30 characters that you choose and will easily remember. This will be used to identify you and protect your data from being accessed by someone other than you. It is not the PIN associated with a card, phone banking or online banking system. It is a part of identifying you as a person.

When will it be used?

Merchants Bank staff will use a privacy code to identify that it is really you on the phone before we give you information on your accounts. If you do not have your photo ID with you, we may also use this to identify you in person.

Why do I need one?

Fraud and identity theft are increasing. Without a privacy code you may no longer be able to call in and obtain information over the phone.

To set up a privacy code, please call or visit your local Merchants Bank branch.

 

Ransomware and Rip Van Winkle: Don’t Ever, Ever Sleep Again

This can't be right

Security Awareness Week: June 5-9, 2017

By Rodney Nelsestuen, Chief Information Officer

We all know the story of Rip Van Winkle who slept for 20 years and woke to find he’d missed the Revolutionary War and that society had changed dramatically. Today, poor Rip would find that a mere 20-minute nap may be enough to put him out of touch – especially when it comes to security.

This was driven home by the recent global attack of ransomware (aptly named Wannacry) that put hospitals, governments, and businesses on the defensive and interrupted the normal course of business on some estimated 250,000 computers in 150 countries, including the US. This event was one of the first to have a large-scale global reach and one which cost those who were attacked an estimated $3 billion dollars. Moreover, the success of Wannacry and its scale will most certainly result in a massive expansion of the ransomware “business.”

You may wonder why ransomware is suddenly so popular as compared to other types of hacking. Here are three reasons:

The attacker need do nothing and still gets paid.

Ransomware either encrypts files on a computer or blocks access to the files. These programs used to be delivered exclusively in emails as an attachment that a victim would open. While that delivery method is still in use, the more pernicious versions simply roam the internet and when they find an unprotected network or computer, will launch the attack without human intervention.

Stealing personal information and credit card data is still popular, but imagine how much work it is to steal, store, organize, and then find a buyer for that data. In short, the old fashioned methods of theft are a lot of work compared to a ransomware attack that threatens to delete all data on a computer unless the victim pays for the release. Attackers simply sit back and wait for the victim to pay.

Want to go into business? Try ransomware as a service.

Don’t know anything about computers or hacking? No need to worry. You can contract with a hacker and outsource your criminal activity. Organizations offering ransomware services are beginning to take root and will encourage bad actors of all types to try their hand at it.

After all, what do they have to lose? The outsourced service provider does all the work and gets paid a cut of the take, and you merely await your share as the business owner.

If one door is locked, just try another.

The interconnectivity of the internet and businesses across the globe makes it much easier for a ransomware attack to succeed. Can’t get into a corporate network? Try the company’s version of webmail, which can be accessed from any computer in the world. Can’t get a user to click on a link? Then use in-memory malware to deliver the payload. Find it hard to scale your crime? Then hack cloud services and launch attacks against thousands of high value targets at once. In short, ransomware has multiple attack vectors.

So what can I do to protect my business?

There are long-standing processes and tools that companies need as a foundation to stopping ransomware. While the list of approaches is long, let’s focus on three items that will reduce the risk of being hacked or a victim of ransomware:

  1. Whether you run your own technology or outsource it, be sure you know what protections and processes you have in place. Anti-virus software, firewalls, and intrusion detection software with expert alerts, and patching systems and applications are regularly among these basics.More importantly, make sure your security tools are on the most current versions. This may mean having updates almost continuously at times as risk conditions can change dynamically. It’s good to look into new technologies as new threats arise, but remember that the tools you do have may be the best there are if kept up to date.
  2. Layer security across your business. No one single solution will protect you from every attack. Whether physical locks on doors, increasing the sophistication of passwords, using out of band authentication, or segmenting your network with additional firewalls, consider using a layered approach to make it more difficult for bad actors to get through to your valued information. This includes using the security and authentication steps offered by your bank. Most banks will provide tools that allow the business to verify financial transactions before they occur. Unfortunately, too many businesses fail to adopt these solutions and processes.
  3. Train your staff on proper use of the connected world we live in – and keep security awareness in the forefront of employees’ minds. The human threat is twofold: first, people make mistakes and as humans, we always will.Second, there has been a growing threat from insiders who are ‘groomed’ by bad actors to ultimately take part in a crime. While this is an unpleasant topic, it’s something every business owner or manager needs to consider today.

One final thought. It would pay most businesses to be connected to an organization that monitors the global threat environment and can keep the business up to date on emerging threats. This external information can then be aligned with your internal IT steps and actions. There are several such organizations and many have very reasonable fees.

The security issues faced by businesses will only be more challenging in the future. Staying up to date on security technology, being vigilant on how users interact with your systems, and having an eye to the emerging threats as they grow are all smart and necessary steps for any business today.

While there are no sure-fire solutions to risk, by taking a multi-faceted approach you’re in the know about the threat environment, and you’ll feel better that you’re managing it in a sound manner. Then you’ll be able to sleep peacefully even with one eye open so as not to miss, as Rip Van Winkle did, the important things in life such as the birth of a nation.

Fraud and Scam Updates for May

Fraud-Blog

Review our most recent fraud alerts and updates to help keep your personal information secure. Want to be automatically updated about recent scams and fraud? Sign up for our Alerts emails here: http://bit.ly/1G1dF0n

Internal Revenue Service Scam

Some of our customers have fallen for a recent scam involving fraudsters posing as employees from the Internal Revenue Service (IRS). The fraudster will call you – stating to be an Internal Revenue Service employee – and claim you owe back taxes, which can be paid via wire transfer.

The truth is that the IRS does not use phone calls to make personal contacts. If the IRS wants to contact you, they will send a letter first. If you receive a phone call from an individual claiming to be from the IRS, it is a scam. For more information on how and when the IRS might contact you, see these two articles from the Federal Trade Commission:

Check Fraud

Merchants has recently seen an increase in fraudulent checks. Customers have fallen for some “too good to be true” scenarios including being asked to be a secret shopper for a fake business or receiving a winnings check in the mail from a drawing they did not enter. When you receive a check, make sure to consider where it came from.

Some questions to ask yourself:

  • Did I recently enter any contests or drawings where I could win money?
  • Can I verify the information on the check through a third-party? For example, can you confirm a person’s contact information through the phone book? Or confirm a business’s information through an online directory like the Yellow Pages?
  • Does it sound too good to be true?

Be a skeptic. If the situation doesn’t sound right, it’s time to do some more investigating before depositing that check. For more information, read this article on check fraud from the Federal Trade Commission.

Next Steps If You’ve Experienced Fraud

If you think your bank account information has been compromised or you are a victim of identity theft, contact your local Merchants Bank and ask to speak to a Customer Service Representative.

Best Practices in Risk Management

SAWRiskAssessmentFollowUP

Previously we discussed risk assessment and how, while it is both an IT and human undertaking, most risk assessments need to start and end with business processes. After you have conducted a risk assessment, it might seem that you simply need to review the assessment and determine which risks should be reduced or eliminated. While this is true, managing risk goes beyond responding to a risk assessment process. In this article, we’ll take up the topic of risk management, which involves dealing with a continuum of risks.

Categorizing Risk
Before you can begin to manage risk, it can be helpful to segment your potential risks into categories for further definition and review. Typically, risks can be placed in one of three categories:

  1. Known Knowns are risks are a part of our industry, business, or simply part of our lives. For example, almost every business using electronic payments the danger lies in being hacked, losing customer credit or debit card information, or having funds misdirected by a criminal – or even by human error.
  2. Known Unknowns are risks that cannot be foreseen, but can be understood. For example, while the risk of a computer/network system being hacked is a known risk, it is unknown who will do it, where it will come from or the purpose of the hack.
  3. Unknown Unknowns are risks you only see in hindsight only. Recent technology events that fit this class of risks include the “poodle’ and ‘heart bleed’ vulnerabilities. Both of these highly technical vulnerabilities actually existed in thousands of computer systems for decades but were completely innocent until someone discovered they could be exploited for malicious intent. It is quite possible that many more of these unknown unknowns exist in the computer systems we rely on every day.

Risk Management Practices
With these three categories in mind, you can establish risk management practices for your business. When considering the first two categories, your risk assessment can help you rank and rate each risk, its potential to occur and, if it occurs, the magnitude of its impact. From here, risk management policies can help you handle risks effectively and in a reasonable manner. For example, if a very low probability risk would have catastrophic results for your business, it may be a matter of policy that your company would work at reducing or eliminating that risk regardless of the risk assessment score.

Risk management is an active and ongoing process. Once policy is in place, a set of operating standards are needed to set expectations for IT and other staff who deal with risks. Standards may include existing controls or new controls to help reduce or eliminate risks. For example, one operating standard could be to have an out of band authentication (a process of secure verification of your staff member) on any online corporate funds transfer. Beyond existing controls, risk management standards could include requiring risks of a certain magnitude will be handled within a set number of days. If the risk is not resolved within that time frame, management can review and discuss why the risk is not yet reduced, and take additional action or, in some cases, decide to extend the time to cure the risk.

Once risk is reduced, it’s important to complete a review of the ‘residual’ risk, that risk which cannot be eliminated. For example, using out of band authentication reduces the risk of a bad actor transferring funds, but there is still the risk of human error in posting the funds, transferring to the wrong person or entity, and the like. These risks may then be addressed through procedures or processes.

Processes establish the methodology for meeting policy requirements at the level set by standards. In the funds transfer example above, using out of band authentication reduces the technology risk that money will be stolen. However, internal processes still need to be established to reduce the risk of human error. Moreover, and while disturbing to consider, more incidents of employee theft have been cited in recent years. Therefore, separation of duties and normal, traditional human control mechanisms are just as important as technical risk management.

The following six steps briefly summarize the risk management process:

SecurityGraphic

Risk management needs be an ongoing and integral part of your business management today. Technology risks are often more than purely IT issues and involve humans who conduct every part of your daily business. Especially when processes involve money, it is important to have these processes tied to policies and standards, which creates a measurable and defined set of risk management capabilities. Finally, while all three are tied together, it is important to manage risk dynamically as the risk environment changes