Be Aware, Be Skeptical About Mortgage Offers


Financing your home is an important event. It opens the door to many new experiences, including unsolicited offers. Unfortunately, this is unavoidable, but you need to be aware and be skeptical so you can make the best decisions.

Where do these offers come from?

During the mortgage process, your information:

  • Is available to companies that purchase lists from a credit bureau
  • Becomes part of the public record once it is recorded and can be accessed by companies searching for information

What type of information could you receive from outside sources?

Some of the information you receive by call, mail or email will likely be legitimate, and some will not.

You may receive offers for things like life insurance, offers to provide financing or refinancing, or offers to provide copies of your records. Whatever it is, we ask that you look at the offer closely.

If you have any questions about any information or solicitations that you receive, please feel free to contact us by calling your local Merchants Bank branch. We will help you understand the information so you can make your best decision.

Please know that we would never sell your information. So, if you receive something saying the contact is sanctioned by Merchants Bank, it isn’t. Be skeptical.

*Loans are subject to credit approval.

How to Tell if a Website is Legitimate


If you’re one of the 209.6 million Americans who shop online,* it’s important to take steps to verify the legitimacy of a company website before placing an order. Here are five tips to help you determine if a website is legitimate.

1. Can you easily find the company’s full contact information?

You should be able to locate the business’s full name, physical address, telephone number and email address. In addition, if you call the telephone number listed, make sure you can reach a live person who can verify details about the business.

Red Flag = You cannot find the company’s contact information.

2. Is there a Terms and Conditions web page?

Find the Terms and Conditions page on the website and read it carefully to understand company products, return policies and more.

Red Flag = You cannot find the company’s Terms and Conditions page.

3. Does the site accept secure payments?

If the company wants to accept secure payments with a credit card, it must use SSL security, which properly encrypts your payment and personal information. Websites with SSL security have a website address that begins with “https” instead of “http.” For example, https://www.merchantsbank.com.

Red Flag = The company’s site does not accept secure payments.

4. Is the site design and information professional?

Review the site for typos, errors, misspellings, stolen images and more.

Red Flag = The company’s site contains any of the above.

5. What happens when you Google search the company’s name?

Type the company name into Google and read related customer reviews, feedback and articles.

Red Flag = Bad feedback or customer experiences.

Visit the FTC Consumer website for information on current website scams.

*http://www.statista.com/statistics/183755/number-of-us-internet-shoppers-since-2009/

 

Why Your Business Should Conduct a Risk Assessment


Risk is inevitable. It’s simply part of any business, and because of that, managers often believe that understanding risk is an organic process that is either self-evident or intuitive, and based on the nature of the business itself. It’s not a bad approach because it tends to focus on business functions and not just the technology. But by themselves, intuition and experience are inadequate. And because they’re inadequate, a formal risk assessment process is critical to managing the growing, changing, and challenging threat environment that continues to evolve at the frenetic pace of technology today.

A structured risk assessment consists of three basic steps:

  1. Identify and define the risks to be assessed.
  2. Decide how likely it is that each risk will occur.
  3. Decide the magnitude of the impact to the business if a given risk does occur.

Notice that steps two and three are decisions. It’s not always easy to determine just how likely it is that a given risk will occur. Unless we have a good set of data to back up our evaluation, we can only reason, applying common sense to understanding each risk.

Yet to understand and communicate risk throughout the organization it should be quantified. This can be accomplished using a simple risk scoring methodology we are all familiar with.

For example, if we use a 1-5 ranking system, we can let 1 = low and 5 = high. Then if a risk is very likely to occur, we rank its likelihood a 5. If the risk would have a serious impact on the business, we rank its impact a 5. Finally, we multiply the two together for a risk score of 25.

Likelihood × Impact = Risk Score

Using this approach over and over we can develop a hierarchy of risks that cascade from high to low, and prioritize which of those to address first. However, it’s important not to make all decisions based on the risk score alone.

Let’s say a risk is very unlikely and we rate it a 1, but if it occurred, the impact on the organization would be catastrophic, so we rate that a 5. The total risk score is a 5 and, judging by the number alone, it should be low on the list of risks needing remediation.

At this point we need to look past the numbers and determine our organization’s risk appetite.

If we’re willing to live with a risk having potentially catastrophic results, then we would likely not develop a disaster recovery plan, nor would we have a disaster recovery site, because the risk of complete loss of the data center is usually very low and the cost of a fully functional backup site is high.

But most organizations understand that essentially all catastrophic risks need to be addressed and while the scoring approach is very helpful, it cannot be relied upon exclusively, leading us back to the application of intuition and experience.
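The scoring approach and its limit, as an added example that is not part of the original article: the sketch ranks a constructed risk register by Likelihood × Impact, then marks any catastrophic-impact risk for remediation regardless of its score. The register entries and the two thresholds (`treat_at_score`, `catastrophic_impact`) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the article's 1-5 ranking: 1 = low, 5 = high


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # how likely the risk is to occur
    impact: int      # magnitude of the business impact if it does occur

    def __post_init__(self):
        # Reject rankings outside the agreed scale so scores stay comparable.
        for field in ("likelihood", "impact"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(risks, treat_at_score=10, catastrophic_impact=5):
    """Rank risks from high to low score, then apply a risk-appetite override.

    treat_at_score and catastrophic_impact are assumed thresholds: a risk is
    remediated when its score reaches treat_at_score, or when its impact alone
    reaches catastrophic_impact even though its score is low.
    """
    rows = []
    for risk in sorted(risks, key=lambda r: (-r.score, -r.impact, r.name)):
        if risk.score >= treat_at_score:
            decision, reason = "remediate", "score"
        elif risk.impact >= catastrophic_impact:
            decision, reason = "remediate", "catastrophic impact"
        else:
            decision, reason = "accept", "within appetite"
        rows.append({"name": risk.name, "score": risk.score,
                     "decision": decision, "reason": reason})
    return rows


# Constructed sample register (names and rankings are illustrative only).
REGISTER = [
    Risk("Complete loss of data center", likelihood=1, impact=5),
    Risk("Phishing email leads to credential theft", likelihood=5, impact=4),
    Risk("Former employee still an authorized cardholder", likelihood=3, impact=3),
    Risk("Ransomware encrypts file server", likelihood=3, impact=5),
    Risk("Laptop stolen from vehicle", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['score']:>2}  {row['decision']:<9}  "
              f"{row['reason']:<19}  {row['name']}")
```

Ranked by score alone, the data center loss sits below the cardholder risk, yet it is the one marked for remediation while the higher-scoring cardholder risk is accepted.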

In short, a risk assessment is a structured process used to identify and classify risks and to decide what and how much to do about them. Once we’ve agreed on the assessment and classifications, we can focus on the two remaining aspects of risk management: risk remediation and, once that is accomplished, agreement that the remaining (or residual) risk is acceptable.

Securing Your Identity in the Online Age


By Rodney Nelsestuen, Chief Information Officer

We all know the threats to online security are constantly changing. The challenges of being an active online and social media user while protecting our identity highlight the important role we all have in keeping our business and personal finances safe.

So, what are some of the current strategies used by hackers and what should we do about them?

Today’s online thief is patient and persistent. Thieves are taking their time in collecting data about us from many sources. Even the most mundane aspects of our lives may be important when added to other data taken from our personal lives, from social media (both our posts and those of friends and family), and from our workplace. Eventually, all this information is applied in a manner that mimics our personality and behaviors in a convincing way.

How is this possible?

Once a “bad actor,” an online thief or fraudster, has some of your information and knows your online lifestyle, getting more becomes easy as artificial intelligence (AI) serves up a large plate of your preferences, enabling the thief to fully take your place – at least in a virtual sense.

Thus, it’s entirely possible we have a virtual clone navigating the internet, posing as us, and preparing to wreak havoc on our lives by, essentially, taking them for their own.

So, how do we minimize the risk of this happening to us?

Steps to Minimize Risk

Drop out of social media

There are people who have already done this. But dropping out is probably not realistic for most of us. We rely on social media to keep up with friends and family, share joy, sorrow, important information, and we generally find social media a good force in our lives.

Limit what we share on social media

It could be worth our time to more closely manage what is posted and left on social media. Exposing too much about ourselves just makes it easier for thieves to enrich the already valuable data sources available to them.

Talk with family and friends about what you will and will not share on social media and encourage them to do the same. For some of us, posting is done almost willy-nilly, without thought and often reveals deep details that may later be used to compromise our financial or personal lives. Maybe it’s time to pick up the phone to discuss certain aspects of our lives instead of posting them.

Choose our connections in a more deliberate manner

It may be best to limit the number of friends we have online. Most of us have connections that may not be critical to a good social media experience but were set up out of curiosity or recommendations from friends. Examine the controls available on the social media site and narrow what others can see, keeping those closest to you fully engaged, but limiting others.

But Nothing is Fool-Proof. What’s the Next Step?

Because there’s no fool-proof methodology for protecting our identity or our money, we might leverage the tools provided by our most trusted businesses – including banks. Spending the time to fully understand the options and controls that we can employ will allow us to be active participants in managing online threats and help us move from a purely defensive posture to playing offense against the bad guys.

How can we do this?

Actively manage credit and debit cards through apps

Today most of these products have a number of controls that we can actively implement. These include:

  • Turning our credit or debit cards on and off when suspicious activity takes place
  • Setting alerts to notify us via text messages of certain types of transactions or amounts
  • Establishing an out-of-band authentication process when accessing any private financial site to verify your identity through two sources, like your password and a code texted to your phone

These three options will keep us informed on what’s happening to our financial accounts and provide additional assurance that we are, in fact, interacting with our bank and not a fake site.

We have apps for Merchants Bank Debit and Credit Cards that allow you to control your security preferences and set up alerts for when the cards are used.

Have security systems on your computer

It’s fundamental, and a best practice, to have strong antivirus systems on all of our computers. Most of us have these types of subscriptions given they were bundled with the purchase the last time we bought a computer. Make sure, however, that the software also has:

  • anti-malware
  • anti-spyware
  • anti-adware
  • anti-phishing capabilities that can be deployed (or not) at will.

There are additional options we might employ: we can download software that provides an additional layer of security on the computer itself. These tools may harden our computer, keyboard, or mouse against exploitation by hackers. Most of these technologies do not interfere with online speed or performance.

The Solution: Marry Technology and Cautious Online Practices

No technology alone can completely protect us from financial loss or ID theft. Technology needs to be coupled with smart interactions when online. Combining conservative practices, knowing who we are interacting with, and using the technologies available through banks and on our own devices brings a holistic approach to securing our online selves and reducing the risks associated with today’s virtual world.

3 Essential Small Business Security Practices


Keeping your business protected from fraud and security threats can feel like an overwhelming job. One place to start is by focusing on internal controls that help keep your business’s financial information more secure. Our Security Officer, Kerri Bronk, recommends putting the following three internal controls into practice and reviewing them regularly.

“The idea is to have a combination of different types of security checks and balances in place – and to make sure you keep them up-to-date,” said Kerri. “These simple internal controls can really have an impact on how secure your business information can be.”

Authorized Account Signers

A small business may want to have a few people listed on a financial account as authorized signers. This can vary by business but may include the owners, an office manager or bookkeeper.

Kerri advises, “[a]uthorized account signers have access to some of the essential functions of your financial account, so you want to make sure this type of access is only granted when necessary.”

FAQs about Authorized Signers

  • What can an authorized account signer do? An authorized signer is different from an account owner (who has complete control over a financial account). With regard to a checking or savings account, for example, a signer can make withdrawals, sign checks and access some account information.
  • How many authorized account signers can I have? There is no limit. However, the more individuals who have access, the more risk you’re taking.
  • How often should I review this access? On an annual basis or when you’ve had an employment change in your executive management team or accounting/payroll staff.
  • How do I make changes to authorized account signers? Changes to authorized signers need to be done in person at a Merchants Bank location. Contact your Customer Service Representative to make an appointment.

Authorized Cardholders

You might like to have the option for several people to make business purchases with a debit or credit card. This is where authorized cardholders come in.

FAQs about Authorized Cardholders

  • What can an authorized cardholder do? An authorized cardholder can use a debit or credit card tied to your business account to make purchases and get cash from an ATM. You can set spending limits per card user to help keep spending in check.
  • Does the authorized cardholder need to be a signer on the account? No, you can give a person access to a card without having other signing abilities.
  • How many authorized cardholders can I have? There is not a set limit to the number, but again the more access, the harder it will be to track spending.
  • How often should I review this access? Who has access to business debit and credit cards should be reviewed more frequently. We’d recommend making updates to your authorized cardholders each quarter or when you have staffing changes.
  • How do I make changes to authorized cardholders? For both your Merchants Bank debit and credit cards, stop into your local Merchants Bank location for assistance.

Access to Account Information

Knowing who has access to your business account information and keeping the number of people to a minimum is one of the best ways to avoid a security or fraud threat.

Considering that small or mid-sized businesses lost a median amount of $289,864 to employee funds theft in 2017, it’s critical to thoughtfully review who should have access to this information.*

FAQs about Account Access

  • What kind of information can I give employees access to? You can select the level of information you want an employee to receive in Small Business Online Banking or Commercial Online Banking or credit card transactions through mycardstatement.com. You can also use our mobile card controls – Card Valet for debit cards and SecurLock Equip for credit cards – to have alerts on card spending.
  • How many people can have this access? This varies by solution; please ask at your local Merchants Bank location.
  • How often should I review this access? It’s extremely important to stay current with account access. This should be updated immediately when staff join or leave your business.
  • How do I make changes to who has access to my account information?
    • Statements: Contact your local Merchants Bank location for assistance.
    • Small Business Online Banking and Commercial Online Banking: Once you have set up your account with you as the owner, you can add or remove secondary users and define account access per user at your convenience.

      If you have any questions or need help with user setup, contact our Electronic Banking Department (ibsupport@merchantsbank.com or (866) 496-0522) for Small Business Online Banking or Treasury Management Support for Commercial Online Banking (commercialonline@merchantsbank.com or (833) 694-2374).

    • mycardstatement.com: Contact your local Merchants Bank location for assistance.

“My last tip regarding internal controls is to ensure that no single employee has access to all the financial aspects of your business,” said Kerri. “For example, you want to make sure that employees who can pay business expenses with a business credit card are not the same employees who pay the credit card bill.”

Just remember that Merchants Bank is always here to help. If you think your business bank account information has been compromised or have a security concern, contact your local Merchants Bank location and ask to speak to your Treasury Management Specialist or a Customer Service Representative.

 

*https://www.hiscox.com/documents/2017-Hiscox-Embezzlement-Study.pdf

Cell Phone Porting Fraud: Check Your Phone


Fraudsters are getting names, phone numbers and other personally identifiable information of real people and transferring their phone numbers to a different cell phone service provider. They pose as the victim, report the phone lost to the current provider and request that the number be transferred (or “ported”) to a device with a different cellular service provider. Once they do this, they can find where the victim may have bank accounts, click a “forgot password” link and request that a password change code be sent to the stolen phone number via text message, now directed to their device. Then they can change the account’s password and access and manipulate those accounts.

What to watch for:

If your phone suddenly loses service, switches to “Emergency Calls Only,” or receives any alert messages or unexpected text messages about authenticating an action you did not request, notify your cellular service provider and financial institution immediately.

Take action to protect yourself:

You can take action against cell phone porting (or “port-out”) fraud by contacting your cell phone service provider. Ask them about their porting/port-out security and request they ask for security verification (that you would set up) when action is requested for your account.

Ransomware and Rip Van Winkle: Don’t Ever, Ever Sleep Again


Security Awareness Week

By Rodney Nelsestuen, Chief Information Officer

We all know the story of Rip Van Winkle who slept for 20 years and woke to find he’d missed the Revolutionary War and that society had changed dramatically. Today, poor Rip would find that a mere 20-minute nap may be enough to put him out of touch – especially when it comes to security.

This was driven home by a 2017 global ransomware attack (aptly named WannaCry) that put hospitals, governments, and businesses on the defensive and interrupted the normal course of business on an estimated 250,000 computers in 150 countries, including the US. This event was one of the first to have a large-scale global reach, and it cost those who were attacked an estimated $3 billion. Moreover, the success of WannaCry and its scale will most certainly result in a massive expansion of the ransomware “business.”

You may wonder why ransomware is so popular as compared to other types of hacking. Here are three reasons:

The attacker need do nothing and still gets paid.

Ransomware either encrypts files on a computer or blocks access to the files. These programs used to be delivered exclusively in emails as an attachment that a victim would open. While that delivery method is still in use, the more pernicious versions simply roam the internet and when they find an unprotected network or computer, will launch the attack without human intervention.

Stealing personal information and credit card data is still popular, but imagine how much work it is to steal, store, organize, and then find a buyer for that data. In short, the old-fashioned methods of theft are a lot of work compared to a ransomware attack that threatens to delete all data on a computer unless the victim pays for the release. Attackers simply sit back and wait for the victim to pay.

Want to go into business? Try ransomware as a service.

Don’t know anything about computers or hacking? No need to worry. You can contract with a hacker and outsource your criminal activity. Organizations offering ransomware services are beginning to take root and will encourage bad actors of all types to try their hand at it.

After all, what do they have to lose? The outsourced service provider does all the work and gets paid a cut of the take, and you merely await your share as the business owner.

If one door is locked, just try another.

The interconnectivity of the internet and businesses across the globe makes it much easier for a ransomware attack to succeed. Can’t get into a corporate network? Try the company’s version of webmail, which can be accessed from any computer in the world. Can’t get a user to click on a link? Then use in-memory malware to deliver the payload. Find it hard to scale your crime? Then hack cloud services and launch attacks against thousands of high value targets at once. In short, ransomware has multiple attack vectors.

So what can I do to protect my business?

There are long-standing processes and tools that companies need as a foundation to stopping ransomware. While the list of approaches is long, let’s focus on three items that will reduce the risk of being hacked or a victim of ransomware:

  1. Whether you run your own technology or outsource it, be sure you know what protections and processes you have in place. Antivirus software, firewalls, intrusion detection software with expert alerts, and regular patching of systems and applications are among these basics. More importantly, make sure your security tools are on the most current versions. This may mean having updates almost continuously at times, as risk conditions can change dynamically. It’s good to look into new technologies as new threats arise, but remember that the tools you do have may be the best there are if kept up to date.
  2. Layer security across your business. No single solution will protect you from every attack. Whether it is physical locks on doors, increasing the sophistication of passwords, using out-of-band authentication, or segmenting your network with additional firewalls, consider using a layered approach to make it more difficult for bad actors to get through to your valued information. This includes using the security and authentication steps offered by your bank. Most banks will provide tools that allow the business to verify financial transactions before they occur. Unfortunately, too many businesses fail to adopt these solutions and processes.
  3. Train your staff on proper use of the connected world we live in – and keep security awareness in the forefront of employees’ minds. The human threat is twofold: first, people make mistakes and as humans, we always will. Second, there has been a growing threat from insiders who are ‘groomed’ by bad actors to ultimately take part in a crime. While this is an unpleasant topic, it’s something every business owner or manager needs to consider today.

One final thought. It would pay most businesses to be connected to an organization that monitors the global threat environment and can keep the business up to date on emerging threats. This external information can then be aligned with your internal IT steps and actions. There are several such organizations and many have very reasonable fees.

The security issues faced by businesses will only be more challenging in the future. Staying up to date on security technology, being vigilant on how users interact with your systems, and having an eye to the emerging threats as they grow are all smart and necessary steps for any business today.

While there are no sure-fire solutions to risk, by taking a multi-faceted approach you’re in the know about the threat environment, and you’ll feel better that you’re managing it in a sound manner. Then you’ll be able to sleep peacefully even with one eye open so as not to miss, as Rip Van Winkle did, the important things in life such as the birth of a nation.