Phishing Alert

Identity Theft

What is Identity Theft? Identity theft occurs when a person's identity is stolen for the purpose of opening credit accounts, stealing money from existing accounts, applying for loans, even renting apartments or committing crimes. Victims of identity theft often aren't aware that they've been targeted, until they find unknown charges on their bank or credit card statements, are called by a collections agency or are denied credit. There are up to 10 million identity theft victims per year.


What to do if you've become a victim of identity theft:


  • Report the theft to the three major credit reporting agencies (Experian, Equifax and TransUnion Corporation) and do the following:
      • Request that they place a fraud alert and a victim's statement in your file.
      • Request a FREE copy of your credit report to check whether any accounts were opened without your permission.
      • Request that the agencies remove inquiries and/or fraudulent accounts stemming from the theft.
  • Notify your bank(s) and ask them to flag your account, contact you regarding any unusual activity and take the following actions in the event of such activity:
      • If checks were stolen, place stop payments on them.
      • If bank accounts were set up without your consent, close them.
      • If your ATM card was stolen, issue a new card, account number and PIN.
  • Notify the issuers of the credit cards you carry. If unauthorized charges appear on your legitimate credit cards or if unauthorized cards have been issued in your name:
      • Request replacement cards with new account numbers.
      • Monitor credit card bills for new fraudulent activity. If found, report it immediately to the credit card issuers and credit reporting agencies.
  • Check with any online accounts, merchants or payment services that you use for any fraudulent activity against your account.
  • Contact your local police department to file a criminal report.
  • Contact the Social Security Administration's Fraud Hotline to report the unauthorized use of your personal identification information.
  • Notify the Department of Motor Vehicles of your identity theft. Check to see whether an unauthorized license number has been issued in your name.
  • File a complaint with the Federal Trade Commission. Ask for a free copy of ID Theft: When Bad Things Happen In Your Good Name, a guide that will help you recover from your theft and guard against future thefts.
  • Document the names and phone numbers of everyone you speak to regarding the incident. Follow up your phone calls with letters, and keep copies of all conversations.

Additional ways to Protect Your Identity

  • Check your credit report regularly.
  • Shred your confidential mail.
  • Keep account numbers, Personal Identification Numbers (PINs), credit and bank cards and checks in a secure location.
  • Don't select a PIN that has personal significance, such as a birthday or address.
  • Memorize your PIN and do not share your account numbers or PINs with friends or family.
  • Always take your receipts with you from the ATM or store.
  • Never give your confidential information to callers claiming they are from your financial institution or to people unknown to you. Happy State Bank will NEVER initiate a call to ask you for personal or financial information. However, if you call us, we will ask for account verification so we can positively identify you.
  • Do not trust Caller ID. With today's technology, it is easy for thieves to fake Caller ID and make it look like the call is from a trusted source.
  • Never click on a link to a website from within an email, even if it appears to be from your financial institution. Rather, always go directly to the website and log on.

Choose a Secure Password

  • Do NOT use words or phrases that have personal significance.
  • Mix letters, numbers and symbols and use specific case sensitivity. When using alphanumeric combinations along with case sensitivity, it's almost impossible to "crack" a password.
  • A good way to do this is to use an acronym of a sentence or phrase that you will remember (e.g., "I drive a black Toyota Tacoma" gives "IdabTT").
  • Try to memorize the password and avoid writing it down to prevent someone from finding it.
  • The longer the password, the more secure it is. Make the password longer than six or eight characters. Fewer characters are easier for "brute-force" programs used by hackers to calculate.
  • Don't use the same password for all of your secure access accounts. If someone obtains this password, they would gain access to all of your accounts. At minimum, have a unique password for your most secure accounts (e.g., online banking) and a different password for all other accounts that are less sensitive (e.g., email, AIM, etc.).
  • Keep your password a secret. Do not tell anyone your password and do not give it out for any reason. If you are working with a legitimate company's tech support to resolve a problem, they will not ask you for your password; they will simply reset it to a new password, and after the problem is resolved you can change it.

Other Resources

  • For more tips on preventing e-mail fraud and identity theft, see these updated reports from the Federal Trade Commission: "How Not to Get Hooked by the 'Phishing Scam'", "ID Theft: When Bad Things Happen to Your Good Name".
  • See this report from the U.S. Department of the Treasury's Office of the Comptroller of the Currency: "You Can Fight Identity Theft".

Pharming / Phishing


What is Pharming? "Pharming" is the practice of redirecting Internet domain name requests to false websites in order to capture personal information, which may later be used to commit fraud and identity theft.


What is Phishing? "Phishing" - as in fishing for confidential information - is a scam that encompasses fraudulently obtaining and using an individual's personal or financial information.


What are the differences between "Pharming" and "Phishing"? While pharming is similar to phishing in that both practices try to entice individuals to enter personal information on fraudulent websites, they differ in how they direct individuals to that site:


Phishing - In a typical case, the consumer receives an e-mail appearing to originate from a financial institution, government agency or other entity that requests personal or financial information. The e-mail often indicates that the consumer should provide immediate attention to the situation described by clicking on a link. The provided link appears to be the website of the financial institution, government agency or other entity. However, in "phishing" scams, the link is not to an official website, but rather to a phony website. Once inside that website, the consumer may be asked to provide a Social Security number, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer's mother or the consumer's place of birth. When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person's identity.


Pharming - refers to the redirection of an individual to an illegitimate website through technical means. For example, an online banking customer, who routinely logs in to his online banking website, may be redirected to an illegitimate website instead of accessing his or her bank's website. Pharming can occur in four different ways:


Static domain name spoofing: The "pharmer" (the person or entity committing the fraud) attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the pharmer's website. For example, a pharmer may redirect a user to anybnk.com instead of anybank.com, the site the user intended to access.


Malicious software (Malware): Viruses and "Trojans" (latent malicious code or devices that secretly capture data) on a consumer's personal computer may intercept the user's request to visit a particular site, such as anybank.com and redirect the user to the site that the pharmer has set up.


Domain hijacking: A hacker may steal or hijack a company's legitimate website, allowing the hacker to redirect all legitimate Internet traffic to an illegitimate site. Domain names generally can be hijacked in two ways:

  • Domain slamming: By submitting domain transfer requests, a domain is switched from one registrar to another. The account holder at the new registrar can alter routing instructions to point to a different, illegitimate server.
  • Domain expiration: Domain names are leased for fixed periods. Failure to manage the leasing process properly could result in a legitimate ownership transfer. In this instance, trade name laws usually must be invoked to recover lost domains.

DNS poisoning: The most dangerous instance of pharming may be domain name server (DNS) poisoning. Domain name servers are similar to Internet road map guides. When an individual enters "www.anybank.com" into his or her browser, Domain Name Servers on the Internet translate the phrase anybank.com into an Internet protocol (IP) address, which provides routing directions. After the DNS server provides this address information, the user's connection request is routed to anybank.com. Local DNS servers can be "poisoned" to send users to a website other than the one that was requested. This poisoning can occur as a result of misconfiguration, network vulnerabilities or Malware installed on the server. There are 13 root DNS servers for the entire Internet, which are closely protected and controlled. Most requests are directed by the local DNS server before they reach a root DNS server. However, if a hacker were to penetrate one or more of these root servers, the Internet could be severely compromised.


Detection and Prevention - Consumers and businesses can take several steps to prevent pharming attacks:

  • Digital certificates: Legitimate Web servers can differentiate themselves from illegitimate sites by using digital certificates; websites using certificate authentication are more difficult to spoof. Consumers can use the certificate as a tool to determine whether a site is trustworthy.
  • Domain name management: Businesses should diligently manage domain names by ensuring that the domain names are renewed in a timely manner. Institutions also should investigate the possibility of registering similar domain names. In addition, many registrars offer domain locks to prevent unauthorized domain slamming.
  • DNS poisoning: Businesses should investigate anomalies about their website to ensure that DNS poisoning attacks are addressed promptly. For example, if a business's domain was hijacked, it would immediately stop receiving normal Internet-related requests. The drop in Internet traffic should alert the business's technology staff to the problem, which should then be investigated.
  • Consumer education: Individual consumers are encouraged to research and study the problem of fraud and identity theft and to install current versions of virus detection software, firewalls and spyware scanning tools to reduce computer infections and to understand the importance of regularly updating these tools to combat new threats.
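
The static domain name spoofing described above, and the advice to look into similar domain names, can be turned into a simple monitoring check. The following is an added example, not part of the original page: it flags hostnames (for instance from proxy or mail-gateway logs) whose domain is a near miss of the legitimate one. The function names and the sample list are assumptions made for illustration, and the check assumes simple two-label domains such as anybank.com.

```python
# Added example: flag hostnames whose registrable domain is a near miss of a
# legitimate one. anybank.com / anybnk.com come from the page; the rest is constructed.

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels, lowercased. Assumes no multi-label suffix such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def flag_lookalikes(legit: str, observed, max_distance: int = 2):
    """Return sorted (host, distance) pairs for hosts that imitate `legit`."""
    legit = registrable(legit)
    hits = set()
    for host in observed:
        dom = registrable(host)
        if dom == legit:
            continue  # the real domain or one of its subdomains
        dist = osa_distance(dom, legit)
        if dist <= max_distance:
            hits.add((host, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))

# Constructed sample of observed hostnames (not real log data).
SAMPLE_HOSTS = [
    "www.anybank.com",      # legitimate
    "anybnk.com",           # dropped letter (the page's example)
    "login.anybnak.com",    # two adjacent letters swapped
    "anyb4nk.com",          # one character substituted
    "anybank.co",           # different top-level domain
    "anibanc.com",          # two substitutions
    "weather.example.org",  # unrelated
]

if __name__ == "__main__":
    for host, dist in flag_lookalikes("anybank.com", SAMPLE_HOSTS):
        print(f"review: {host} (distance {dist} from anybank.com)")
```

With very short domain names a distance of 2 matches many unrelated names, so lower max_distance to 1 for those.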

Spyware


What is Spyware? The term spyware refers to technologies that collect information about a user without his or her knowledge and report that information to a third party. Certain forms of spyware can intercept sensitive and confidential information about an organization or user, including passwords, credit card numbers and other identifying data. As a result, spyware has significant confidentiality, integrity and availability implications for our banking customers.


What can I do to protect myself from Spyware?


  • Research and purchase reputable anti-spyware programs. There are numerous consumer versions of anti-spyware available on the market today. Careful research of these products is recommended to find the one most appropriate for your use.
  • Be aware of and stay away from questionable websites that can download and install spyware without your knowledge.
  • Be cautious when using public computers such as those in hotels, libraries or Internet cafes. You simply can't be certain that these computers have not been compromised with spyware.