Security Center

To help you have a safe and secure online experience, we have put together a list of best practices:

Safeguard your computer

• Install antivirus, anti-spyware and anti-malware software and update them frequently.
• Install all available updates and security patches to your computer’s operating system, as well as any third-party software and applications you may have installed.
• Install the most recent version of your chosen web browser.
• Enable the firewall built into your operating system, if available.

Safeguard your personal information and data

• Immediately delete emails from senders that you do not recognize or if you have any doubts about the authenticity of the email. Do not assume an email is safe simply because you feel that you recognize who or where it came from.
• Do not view, open, edit, or save unexpected or questionable email attachments.
• Do not click links (URLs) embedded in the body of unexpected or suspicious emails.
• Be very cautious when giving out personal information. Only give such information to those with an absolute need to know.  Read the privacy policy for each website before you give them any information, including your email address.
• Use a different password for each of your online services and accounts.
• Always use strong passwords.  At a minimum, a strong password should consist of upper- and lowercase letters, numbers, and special characters.  Change your passwords often, particularly if you are notified of a data breach.
• Keep your passwords secure.  Never share them with anyone.
• Enable multifactor authentication (MFA) for every online account you have if it is an available option.
• Monitor the activity in your accounts closely.  Notify us immediately at 866-839-6271 if you find any unusual or unrecognized activity.
• Log out of all online accounts, including online and/or mobile banking, when you have finished using them.

Safeguard your mobile devices

• Be suspicious when installing applications or programs that ask you to provide information that is unrelated to the purpose of the application.
• If you conduct mobile banking using your laptop, phone, or tablet and your device becomes lost or stolen, contact us immediately at 866-839-6271.  Depending on the type of mobile device, you may also need to contact your cellular provider.
• Never leave any type of mobile device logged on and/or unattended in public.
• Password protect and lock your mobile devices when not in use.
• Do not store financial or personal information on your mobile device.

Browse the web safely

• Block popups in the settings or options feature of any browser that you use.  Only allow popups from sites that you trust.
• Do not put personal information on any public channel such as blogs, forums, and social networking sites.
• Only make online purchases using secure sites.  To determine if a site is secure, look for the locked padlock icon in the browser and “https:” in the address line.
• Never access a website from a link in an unsolicited or suspicious email.
• When accessing online banking sites, do so by typing the address directly into your browser’s address bar.

Phishing

Phishing is a scam in which e-mail spam or pop-up messages are used to deceive you into divulging personal or financial information over the internet. Phishers will send you an email or a pop-up message that appears to be from a company that you recognize or deal with, such as your employer, credit card company, bank, or a government agency.  These emails will often be related to subject or topic of current relevance.  For example, the message may be related to a current political or social issue, or you may receive one of these messages in early April related to tax filing. The message usually requests that you update or validate account information and it will direct you to a fraudulent website that looks just like the legitimate organization’s website.  The purpose of the bogus website is to deceive you into entering your personal information so the scammers can steal your money, your identity, and possibly even commit crimes in your name.

To avoid being a victim of a phishing scam:

• Immediately delete emails from senders that you do not recognize or if you have any doubts about the authenticity of the email. Do not assume an email is safe simply because you feel that you recognize who or where it came from.
• Do not view, open, edit, or save unexpected or questionable email attachments.
• Do not click links (URLs) embedded in the body of unexpected or suspicious emails.

• Do not cut and paste links (URLs) from an email message into your internet browser. Fraudsters can make links look like they go to one place, but that actually send you to a fraudulent site.
• Do not give out personal information in response to an email request. Legitimate companies, including First Kentucky, will not ask for personal information, account information, or usernames and passwords via email.
• Delete suspicious messages, even if you know the source.

Variations of this scam are also sometimes perpetrated by text message, referred to as “smishing”, or by telephone call, referred to as “vishing.”  As with emails, legitimate companies will not ask you for personal information, account information, or usernames and passwords via text message or by phone.  You should only provide personal information by phone if you have initiated the call seeking assistance and you are being asked for such information as a means of identification.

Malware

Malware, short for “malicious software,” comes in many forms including viruses, spyware, ransomware, adware, and other types of malicious code.   Malware can be installed on your computer, phone, or mobile device without your consent.  Once installed, malware can be used to steal personal information, send spam, and commit fraud.

The best way to avoid malware is to avoid opening email attachments included with suspicious or unexpected emails, practicing safe web surfing, and by installing and regularly updating antivirus, anti-spyware, and anti-malware software on your device.

For more information on malware, visit the Federal Trade Commission’s website at:  https://www.consumer.ftc.gov/articles/0011-malware.

Corporate account takeover, also referred to as CATO, is a growing form of electronic crime where thieves typically use some form of malware, or malicious software, to obtain login credentials to corporate online banking accounts and fraudulently transfer funds from the accounts. Another means fraudsters commonly use is phishing or masquerading as a trustworthy entity in an electronic communication or through social engineering to gain access to your sensitive information. Once they have your credentials (username and password), they will login to your online banking and create transfers normally using ACH or Wire Transfer features to steal funds from your accounts.

These types of attacks can result in substantial monetary loss for your company that often cannot be recovered.  As your bank, we do everything we can to keep your money safe.  Unfortunately, our security procedures can only go so far to protect your accounts from corporate account takeover. There are some vulnerabilities that can only be addressed from your side and therefore require that you implement sound practices with your staff, systems, and offices. Awareness of online threats and education about common account takeover methods are helpful measures to protect against these threats.

Basic Online Security Practices 

• Education is key – Train your employees to recognize attacks or threats. Educate them on their responsibility for protecting sensitive information.
• Use strong password policies. Use a sentence or phrase so they are easy to remember but difficult to decipher. Change passwords often.
• Do not open attachments from e-mails. Be on the alert for suspicious emails.
• Do not use public internet access points.
• Surf the web carefully. Only visit sites you trust.
• Monitor and reconcile bank accounts daily, especially near the end of the day.
• Secure your computer and networks. Make sure any Wi-Fi networks are secure and hidden.
• Limit administrative rights. Do not allow employees to install any software without receiving prior approval.
• Install and maintain spam filter.
• Install and maintain real-time anti-virus, anti-spyware, and desktop firewall systems, as well as malware detection and removal software. Use these tools regularly to scan your computer. Allow for automatic updates and scheduled scans.
• Install routers and firewalls to prevent unauthorized access to your computer or network. Change the default passwords on all network devices.
• Install security updates (patches) to operating systems and all applications as they become available.
• Block pop-ups.
• Note any changes in the performance of your computer, i.e. a dramatic loss of speed, computer locks up, unexpected rebooting, unusual popups, etc.
• Make sure that your employees know how and to whom to report suspicious activity to at your Company and the Bank.

Contact the Bank immediately at 866-839-6271 if you:

• Suspect a fraudulent transaction
• Are trying to process an online wire or ACH batch and you receive a maintenance page
• Receive an email or phone call from someone claiming to be from the Bank requesting personal and/or company information

Incident Response Plans

A written incident response plan will provide important guidelines for your employees so that they will know what to do and who to contact for help if a CATO incident were to occur. Since each business is unique, you should write your own incident response plan.  Having a plan and reviewing/updating it annually will help minimize losses. A general template should include:

• The direct contact numbers of key employees of your company (including after hour numbers)
• The contact number for the bank (First Kentucky Bank: 866-839-6271)
• Steps you should include to limit further losses
  • Changing passwords
  • Disconnecting computers used for internet banking
  • Requesting a temporary hold on all other transactions until out-of-band confirmations can be made
• Requirements for gathering and documenting information about the incident to assist the bank in recovering your money
• The contact information for your insurance carrier
• Working with computer forensic specialists and law enforcement to review appropriate equipment.

Additional Business Security Resources:

U.S. Secret Service, FBI, IC3, and FS-ISAC – Fraud Advisory for Businesses: Corporate Account Takeover
http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf

The Better Business Bureau -Business Cybersecurity

The Federal Trade Commission’s (FTC) Cybersecurity for Small Businesses: https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity

NACHA – Current Fraud Threats and how to protect your organization from fraud.

https://www.nacha.org/content/current-fraud-threats

Federal Communications Commission (FCC) -Cyberplanner to help you create and customize cybersecurity plans

https://www.fcc.gov/cyberplanner

National Cyber Security Alliance (NCSA)- CyberSecure My Business™ is a national program helping small and medium-sized businesses learn to be safer and more secure online.

https://staysafeonline.org/cybersecure-business/

STOP. THINK. CONNECT– Cybersecurity awareness campaign developed in part with NCSA and The Department of Homeland Security.

https://stopthinkconnect.org/

U.S. Small Business Administration– Small Business Cybersecurity Guide

https://www.sba.gov/business-guide/manage-your-business/small-business-cybersecurity

In some instances, these criminals may even fraudulently obtain a driver’s license or seek employment in your name. Among other things, these acts can damage your credit and result in large financial losses.  Unfortunately, you may not know you have become a victim of identity theft until you suffer financial consequences such as receiving a mysterious bill or being denied for a loan.

The following are best practices you can follow to protect yourself from becoming a victim of identity theft:

• Do not share your financial account information or Social Security number unless you know the person requesting the information is who he or she claims to be and that he or she has a legitimate reason to know such information.
• Store your personal information in a safe place, ideally under lock and key.
• Shred or otherwise destroy any document containing important information, such as credit card and ATM receipts, old account statements, and unused credit card offers.
• Use strong passwords for all online accounts.  At a minimum, a strong password should consist of upper- and lowercase letters, numbers, and special characters.  Change your passwords often, particularly if you have been notified that the business has had a data breach. Do not share your passwords with anyone.
• Limit the identification you carry. Take only the identification, credit, and debit cards you need and leave your Social Security card at home.
• Be mindful of your surroundings when using an ATM or logging into an online account while in a public location.   Shield the keypad when entering your PIN or typing your password to prevent “shoulder surfers” from viewing the information.
• Pay attention to the mailing cycles for your credit cards or other accounts for which you receive a regular bill or account statement. If you do not receive a bill or statement at its regular time, it may mean that an identity thief has diverted it.   Notify the bank, credit card company, or sender of the bill or statement immediately.  To minimize this risk, sign up for electronic bills and statements if they are available.
• Carefully check account statements as soon as you receive them. Ensure that you authorized all transactions on the statement.  Notify the bank or credit card company immediately if you find activity that you do not recognize.
• Take steps to guard your mail from theft. Take outgoing mail to post office collection boxes or the post office.  Remove incoming mail from your mailbox promptly.  If you will be away from home for more than three days, have the post office put a hold on your mail.
• Obtain a copy of your credit report once a year and review it to be certain that it does not include accounts that you have not opened.  Consumers are entitled to one free credit report from each credit reporting agency annually.   You may request your free report at annualcreditreport.com.
• Opt-out of pre-approved credit cards, direct mail lists, and telephone solicitation.  You may opt out at optoutprescreen.com or by calling 888-567-8688.

What to do if you are a victim of identity fraud

If you learn that you have become a victim of identity theft, do the following:

• Contact the companies where you know that fraud has occurred. Request that they close or freeze the accounts.
• Immediately contact the fraud departments of the three major credit bureaus: Equifax, Experian and TransUnion. Request that they place a fraud alert in your file as well as a credit freeze.
  • Equifax:
    Equifax.com/personal/credit-report-services
    800-685-1111
  • Experian:
    Experian.com/help
    888-EXPERIAN (888-397-3742)
  • TransUnion:
    Transunion.com/credit-help
    888-909-8872
• Order copies of your credit report from the three credit bureaus. Thoroughly review these reports for fraudulent activity. Look for unrecognized accounts that have been opened as well as inquiries.  Inquiries could be an indication that other accounts may be in the process of being opened.
• Contact your credit card companies and financial institutions to let them know about your situation. Request new cards and account numbers.
• Report the identity theft to the Federal Trade Commission at https://www.identitytheft.gov/#/assistant or by calling 877-438-4338.
• Report the crime to the local police. This will establish the criminal activity and the facts. It is important that you obtain a copy of the report from the police because the credit bureaus, credit card companies, and other financial institutions will most likely ask for a copy.
• Maintain up-to-date documentation of all events and the steps you have taken. Be certain to include the names of anyone that you communicate with, as well as the dates of those communications.  This will create a vital paper trail that you can refer to later if necessary.

Additional ID Theft Resources:
The Federal Trade Commission: identitytheft.gov
Federal Bureau of Investigation: fbi.gov/investigate/white-collar-crime/identity-theft
U.S. Department of Justice: justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud