How to Tell if a Website is Legitimate

Computer Security

If you’re one of the 209.6 million Americans who shop online,* it’s important to take steps to verify the legitimacy of a company website before placing an order. Here are five tips to help you determine if a website is legitimate.

1. Can you easily find the company’s full contact information?

You should be able to locate the business’s full name, physical address, telephone number and email address. In addition, if you call the telephone number listed, make sure you can reach a live person who can verify details about the business.

Red Flag = You cannot find the company’s contact information.

2. Is there a Terms and Conditions web page?

Find the Terms and Conditions page on the website and read it carefully to understand company products, return policies and more.

Red Flag = You cannot find the company’s Terms and Conditions page.

3. Does the site accept secure payments?

If the company wants to accept secure payments with a credit card, it must use SSL security, which encrypts your payment and personal information. Websites with SSL security have a website address that begins with “https” instead of “http.” For example, https://www.merchantsbank.com.

Red Flag = The company’s site does not accept secure payments.

4. Is the site design and information professional?

Review the site for typos, errors, misspellings, stolen images and more.

Red Flag = The company’s site contains any of the above.

5. What happens when you Google search the company’s name?

Type the company name into Google and read related customer reviews, feedback and articles.

Red Flag = Bad feedback or customer experiences.

Visit the FTC Consumer website for information on current website scams.

*http://www.statista.com/statistics/183755/number-of-us-internet-shoppers-since-2009/

 

Ransomware and Rip Van Winkle: Don’t Ever, Ever Sleep Again

Security Awareness Week

By Rodney Nelsestuen, Chief Information Officer

We all know the story of Rip Van Winkle who slept for 20 years and woke to find he’d missed the Revolutionary War and that society had changed dramatically. Today, poor Rip would find that a mere 20-minute nap may be enough to put him out of touch – especially when it comes to security.

This was driven home by a 2017 global ransomware attack (aptly named WannaCry) that put hospitals, governments, and businesses on the defensive and interrupted the normal course of business on an estimated 250,000 computers in 150 countries, including the US. This event was one of the first to have a large-scale global reach, and it cost those who were attacked an estimated $3 billion. Moreover, the success of WannaCry and its scale will most certainly result in a massive expansion of the ransomware “business.”

You may wonder why ransomware is so popular as compared to other types of hacking. Here are three reasons:

The attacker need do nothing and still gets paid.

Ransomware either encrypts files on a computer or blocks access to the files. These programs used to be delivered exclusively in emails as an attachment that a victim would open. While that delivery method is still in use, the more pernicious versions simply roam the internet and when they find an unprotected network or computer, will launch the attack without human intervention.

Stealing personal information and credit card data is still popular, but imagine how much work it is to steal, store, organize, and then find a buyer for that data. In short, the old-fashioned methods of theft are a lot of work compared to a ransomware attack that threatens to delete all data on a computer unless the victim pays for the release. Attackers simply sit back and wait for the victim to pay.

Want to go into business? Try ransomware as a service.

Don’t know anything about computers or hacking? No need to worry. You can contract with a hacker and outsource your criminal activity. Organizations offering ransomware services are beginning to take root and will encourage bad actors of all types to try their hand at it.

After all, what do they have to lose? The outsourced service provider does all the work and gets paid a cut of the take, and you merely await your share as the business owner.

If one door is locked, just try another.

The interconnectivity of the internet and businesses across the globe makes it much easier for a ransomware attack to succeed. Can’t get into a corporate network? Try the company’s version of webmail, which can be accessed from any computer in the world. Can’t get a user to click on a link? Then use in-memory malware to deliver the payload. Find it hard to scale your crime? Then hack cloud services and launch attacks against thousands of high-value targets at once. In short, ransomware has multiple attack vectors.

So what can I do to protect my business?

There are long-standing processes and tools that companies need as a foundation for stopping ransomware. While the list of approaches is long, let’s focus on three items that will reduce the risk of being hacked or becoming a victim of ransomware:

  1. Whether you run your own technology or outsource it, be sure you know what protections and processes you have in place. Anti-virus software, firewalls, intrusion detection software with expert alerts, and regular patching of systems and applications are among these basics. More importantly, make sure your security tools are on the most current versions. This may mean having updates almost continuously at times, as risk conditions can change dynamically. It’s good to look into new technologies as new threats arise, but remember that the tools you do have may be the best there are if kept up to date.
  2. Layer security across your business. No one single solution will protect you from every attack. Whether physical locks on doors, increasing the sophistication of passwords, using out of band authentication, or segmenting your network with additional firewalls, consider using a layered approach to make it more difficult for bad actors to get through to your valued information. This includes using the security and authentication steps offered by your bank. Most banks will provide tools that allow the business to verify financial transactions before they occur. Unfortunately, too many businesses fail to adopt these solutions and processes.
  3. Train your staff on proper use of the connected world we live in – and keep security awareness in the forefront of employees’ minds. The human threat is twofold: first, people make mistakes and as humans, we always will. Second, there has been a growing threat from insiders who are ‘groomed’ by bad actors to ultimately take part in a crime. While this is an unpleasant topic, it’s something every business owner or manager needs to consider today.

One final thought. It would pay most businesses to be connected to an organization that monitors the global threat environment and can keep the business up to date on emerging threats. This external information can then be aligned with your internal IT steps and actions. There are several such organizations and many have very reasonable fees.

The security issues faced by businesses will only be more challenging in the future. Staying up to date on security technology, being vigilant on how users interact with your systems, and having an eye to the emerging threats as they grow are all smart and necessary steps for any business today.

While there are no sure-fire solutions to risk, by taking a multi-faceted approach you’re in the know about the threat environment, and you’ll feel better that you’re managing it in a sound manner. Then you’ll be able to sleep peacefully even with one eye open so as not to miss, as Rip Van Winkle did, the important things in life such as the birth of a nation.

Tip #2: How to Review Your Bank and Credit Card Statements for Fraud

What’s the most important step you can take to prevent identity theft? Review your account transactions on a regular basis. Regardless of how you receive your statements or banking information (paper statements, eStatements, Online or Mobile Banking), reviewing your account information is crucial to catching fraudulent transactions.

First, look at each line item on your statement or in Online or Mobile Banking:

  • Review each item to see if you recall the transaction.
  • If you have a joint account, make sure to ask the other account owner about transactions you do not recognize.
  • If you see an item you believe is an unauthorized charge, contact Merchants Bank immediately.

Next, review your transactions for a prenote.

A prenote is normally a zero-dollar transaction sent to test the validity of an account. For the most part, prenotes are used by banks or other businesses you have authorized to set up electronic transfers. However, some fraudsters have started collecting account information by using prenote transactions. If you do not recognize the name or business associated with a prenote transaction on your statement or in Online Banking, contact Merchants Bank immediately (see numbers above).

Then, review your transactions for a pre-authorization.

A pre-authorization is a transaction sent to secure funds for a payment. For example, if you book a hotel online you might have a pre-authorization on your card in the amount of the hotel room but the hotel would not actually charge your card the amount until your stay is complete. It’s important to note that pre-authorization does affect the available balance in your account on a debit card or available credit on a credit card.

Fraudsters are now using pre-authorization to test the value of card numbers.

  • For debit cards: Fraudsters pre-authorize thousands of dollars to see what the account is worth. Typically, the pre-authorization will appear in your Merchants Online Banking account as a red “pending” transaction and never change to black.
  • For credit cards: Fraudsters pre-authorize small dollar amounts to see if the card number is valid. Typically pre-authorization will appear on http://www.mycardstatement.com in the Pending transactions section of your account and never move to the Transaction view of your account.
  • If you do not recognize the name or business associated with a pre-authorization in Online or Mobile Banking, contact Merchants Bank immediately (see numbers above).

Finally, make it a habit to review your financial transactions at least monthly. You know your spending history better than anyone and that makes you the best person to detect a fraudulent transaction on your account(s). If you want to access your account information more frequently, consider enrolling in Merchants Bank Online or Mobile Banking. Make sure to save your debit and credit card receipts to compare them against your statement.
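The review steps above can also be run as a small Python check over an exported transaction list. This is an added example, not Merchants Bank code; the field names, the sample records, and the thresholds (7 days, $1,000, $5) are constructed assumptions.

```python
from datetime import date

# Hypothetical thresholds chosen for this sketch, not bank policy.
STALE_DAYS = 7       # a hold still pending after this many days
LARGE_HOLD = 1000.0  # debit pattern: large hold to see what the account is worth
SMALL_HOLD = 5.0     # credit pattern: small hold to see if the number is valid

def review(transactions, known_payees, today):
    """Return (payee, reasons) for every item worth a call to the bank."""
    known = {p.lower() for p in known_payees}
    flagged = []
    for t in transactions:
        reasons = []
        unknown = t["payee"].lower() not in known
        hold = t["kind"] == "preauth" and t["status"] == "pending"
        if unknown:
            reasons.append("unrecognized name")
        if t["kind"] == "prenote" and unknown:
            reasons.append("prenote you did not set up")
        if hold and (today - t["date"]).days > STALE_DAYS:
            reasons.append("hold still pending")
        if hold and unknown and t["amount"] >= LARGE_HOLD:
            reasons.append("large hold")
        if hold and unknown and t["amount"] <= SMALL_HOLD:
            reasons.append("small test hold")
        if reasons:
            flagged.append((t["payee"], reasons))
    return flagged

# Constructed sample data: payees the account owner recognizes, then activity.
KNOWN = ["City Utilities", "Lakeside Hotel", "Corner Grocery"]
TODAY = date(2015, 6, 2)
SAMPLE = [
    {"date": date(2015, 6, 1), "payee": "City Utilities", "kind": "prenote",
     "amount": 0.0, "status": "posted"},
    {"date": date(2015, 5, 20), "payee": "QX Holdings", "kind": "prenote",
     "amount": 0.0, "status": "posted"},
    {"date": date(2015, 5, 18), "payee": "Lakeside Hotel", "kind": "preauth",
     "amount": 129.0, "status": "pending"},
    {"date": date(2015, 6, 1), "payee": "ZZ Online", "kind": "preauth",
     "amount": 2500.0, "status": "pending"},
    {"date": date(2015, 6, 1), "payee": "Merchant 0193", "kind": "preauth",
     "amount": 1.0, "status": "pending"},
    {"date": date(2015, 5, 30), "payee": "Corner Grocery", "kind": "purchase",
     "amount": 42.1, "status": "posted"},
]

if __name__ == "__main__":
    for payee, reasons in review(SAMPLE, KNOWN, TODAY):
        print(f"{payee}: {', '.join(reasons)}")
```

A recognized hold, such as the hotel booking, is flagged only once it has stayed pending past the window. Unrecognized names are flagged on the first review.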

During Security Awareness Week, June 1-6, 2015, Merchants Bank will be sharing a fraud prevention tip each day. Visit our blog or Facebook or LinkedIn pages tomorrow for the next article in our Security Awareness Week series.