Business Fraud

Welcome to QNB’s Fraud Education Center. This section of our website is dedicated to the ongoing education of our customers on important cyber security and fraud prevention tips.


What You Need to Know About Ransomware

Ransomware is a type of malicious software that encrypts data on a computer, making it inaccessible. A cybercriminal then holds the data hostage until a ransom is paid. Learn more by viewing the PDF below:

Ransomware Fraud Prevention for Businesses (PDF)


What You Need to Know About Business Email Compromise

Business Email Compromise (BEC) is a sophisticated fraud scheme targeting businesses of all sizes that perform transfer-of-funds requests. The perpetrators usually send a carefully crafted email to the victim requesting payment be made via wire transfer. Learn more by viewing the PDF below:

BEC Fraud Prevention for Businesses (PDF)


Ransomware Prevention and Response Guide

Be sure to check out this U.S. Government interagency technical guidance document on how to protect your networks from ransomware:

Ransomware Prevention and Response Guide (PDF)


FTC Tips for Businesses Impersonated in Phishing Scams

The Federal Trade Commission notes that consumers are not the only ones harmed by phishing scams. It’s not just a problem for computer users, but also for the businesses that the scammers are impersonating. And people who have been scammed may look to impersonated businesses for help. The Commission has released tips and a video for businesses on how to respond if they are impersonated as part of a phishing scam. Among the steps businesses should take are notifying customers as soon as possible through social media, email or letters; contacting law enforcement; providing resources for affected consumers; and reviewing the company’s security practices.


Recent Fraud Alerts

Ransomware Prevention and Response Guidance (PDF)

FTC "Start with Security: A Guide for Business" (PDF)

How To Create A Strong Password

Fraud Advisory for Businesses: Corporate Account Takeover (PDF)

Avoid Being a Victim of a ‘Card Cracking’ Scam:

Card cracking originates online on social media platforms and targets young consumers. Card cracking happens when a fraudster reaches out to a bank customer promising quick cash. The customer provides account credentials to the scammer, who then deposits a fake check in the customer’s account. The fraudster then makes an immediate ATM withdrawal, sharing some of the funds with the customer. Meanwhile, the customer is instructed to report the card or credentials lost or stolen so that the bank will reimburse the stolen money -- making the customer a criminal accomplice.

Avoid online solicitations for easy money:

  • never share an account number or PIN,
  • never file a false fraud claim with a bank,
  • report suspicious social media posts connected to scams.

View the infographic (PDF).

Microsoft Internet Explorer Vulnerability

QNB would like to make you aware of recent news regarding a Microsoft Internet Explorer vulnerability. The vulnerability affects all versions of Internet Explorer (IE), from IE6 through IE11. The US Department of Homeland Security is advising people to avoid using Internet Explorer for web browsing until Microsoft has issued a patch. We, here at QNB, would like to let you know that QNB-Online is compatible with other browsers like Chrome, Safari or Firefox. For more information on the Microsoft Internet Explorer security flaw, please see the Microsoft Corp. website or the US Department of Homeland Security website, or contact your local technical support company.


5 Tips to Stay Safe on Public Wi-Fi

Check out this great article by Kim Komando that appeared in USA Today. These are great tips to follow to protect yourself while accessing public Wi-Fi.

Read the article 5 Tips to Stay Safe on Public Wi-Fi


Internet Crime Complaint Center's (IC3) Scam Alerts

June 19, 2013

This report, which is based upon information from law enforcement and complaints submitted to the IC3, details recent cyber crime trends and new twists to previously existing cyber scams.

Tech Support Calls Purportedly from a Wire Transfer Company

The IC3 has recently received complaints from businesses regarding telephone calls from individuals claiming to be with a wire transfer company’s tech support. One complainant reported that the wire transfer company’s name was displayed on their caller ID. The callers instructed the victims to go to a particular website to run an application which allows the caller to remotely access the victim’s computer. Once remote access was established, the victims were instructed to open their wire transfer program and log in to their accounts, so the callers could update the system. The victims were then told to turn off their monitors, to avoid interference with the update. The victims later discovered the subjects made wire transfers to NetSpend accounts. One victim noticed something downloading onto his computer once the caller gained remote access. This made the victim suspicious, so he turned off his computer. Later, he discovered the caller had loaded $950 on a prepaid credit card from the victim’s account. Another victim reported money transfers were made to various states and individuals, but the caller reassured the victim that no transfers were actually being processed. No other details were provided.


Corporate Account Takeover: Business Online Banking Identity Theft

What is Corporate Account Takeover?

Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials. Criminals can then initiate fraudulent banking activity, including wire transfers and ACH payments. Corporate Account Takeover Fraud involves compromised identity credentials and is NOT about compromises to the Wire System, ACH Network or Bank systems. Small to mid-sized businesses remain the primary target of criminals, but any business can fall victim to these crimes.

How is an account “Taken Over”?

Criminals employ various methods to obtain access to legitimate banking credentials from businesses, such as mimicking a financial institution’s website, using malware and viruses to compromise the business’s system, or using social engineering to trick employees into revealing security credentials or other sensitive data.

A business’s systems may be compromised by:

  • An infected document attached to an email
  • A link within an email that connects to an infected website
  • Employees visiting legitimate websites – especially social networking sites – and clicking on the infected documents, videos, or photos posted there
  • An employee using a flash drive that was infected by another computer

Attacks are typically perpetrated quietly by the introduction of malware through a simple email or infected website. For many businesses, the malware introduced onto its system may remain undetected for weeks or even months. In each case, criminals exploit the infected system to obtain security credentials that they can use to access a company’s business accounts. The criminal can then initiate funds transfers by ACH or wire transfer to the bank accounts of their associates within the U.S. (often called ‘money mules’) or directly overseas. - NACHA Bulletin dated April 25, 2011, “Corporate Account Takeover: What You Need to Know”

How can I protect myself and my business from this criminal activity?

Education, risk assessment, security measures and training increase your protection against Corporate Account Takeover.

QNB strongly recommends that you, as a business owner, take time to read important information on ways you can mitigate Corporate Account Takeover as recommended by NACHA, the Electronic Payments Association.

NACHA Account Takeover Resources

Some sound business practices may not be appropriate for or applicable to all businesses. Accordingly, each business must identify its own risks and design and implement appropriate security measures to prevent and mitigate risks associated with Corporate Account Takeover.

Introducing layered security processes and procedures, technological and otherwise, can help protect businesses from criminals seeking to drain accounts and steal confidential information. No single security measure alone is likely to be effective in preventing or mitigating all risks associated with Corporate Account Takeover.

What is QNB doing to help?

  1. Education is Key: One of the first steps to preventing this criminal activity from happening to you is learning about Corporate Account Takeover. Once you know the threat is there, you can take steps to prevent it from happening to you. QNB is a community bank that truly cares about serving our customers and the community. We want to make sure you are informed of these important issues that affect your financial assets.
  2. Layered Security Measures for QNB Online Customers: QNB has a multi-layered security platform for our online banking customers. One of our financial representatives can go over the different measures we have in place today, ranging from account activity alerts that warn you when high-risk activity is going on in your account, to alternative authentication mechanisms for additional security.

QNB believes the only way to truly mitigate the risk of Corporate Account Takeover is through cooperative learning and communication between financial institutions and their corporate account holders to help combat these attacks. You can help us reduce the risk of these attacks by taking an active role in training your staff and implementing prudent security controls in the use of electronic financial transactions.


Social Engineering - Phishing, Vishing and Smishing!!!

Social Engineering

Social Engineering is the act of manipulating people into performing actions or divulging confidential information. The term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Types of Social Engineering

“Phishing” is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication or email.

Example Scenario:

  1. A criminal will send email messages to a list of email addresses stolen from a financial institution.
  2. The email messages alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity.
  3. The email message instructs the victims to call a phone number or click on a link to visit a website where their personal information is requested.
  4. Once the victim calls the phone number in the email message or visits the website and provides the information requested, the “Phisher” has the information necessary to make fraudulent use of the card or access the account.

“Vishing” is a combination of Voice and phISHING. Vishing is the criminal practice of using social engineering over the public telephone system.

Example Scenario:

  • A criminal will call a list of phone numbers stolen from a financial institution.
  • When the victim answers the phone, an automated message is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity.
  • The automated message instructs the victim to “call the following phone number immediately”. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.
  • When the victim calls the number provided, it is answered by automated instructions to enter their credit card number or bank account number on the keypad.
  • Once the victim enters their credit card number or bank account number, the “Visher” has the information necessary to make fraudulent use of the card or to access the account.

“Smishing” is a combination of SMS and phISHING. SMS (Short Message Service) is the technological protocol used for sending and receiving text messages on cell phones. Smishing is the criminal practice of using social engineering over the cellular phone system.

Example Scenario:

  • A criminal will send text messages to a list of cellular phone numbers stolen from a financial institution.
  • The text messages alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity.
  • The text message instructs the victims to call a phone number or visit a website where their personal information is requested.
  • Once the victim calls the phone number in the text message or visits the website and provides the information requested, the “Smisher” has the information necessary to make fraudulent use of the card or access the account.

PROTECT YOURSELF against Social Engineering, malware, viruses, etc…

  • Be skeptical of suspicious e-mail, text messages, unfamiliar sites and links and any unprompted requests for personal information.
  • Protect your personal information. Keep your user names and passwords secret and be skeptical of any requests for personal information.
  • Always look for "https://" in the address of any site where you enter personal information; this indicates that the connection is encrypted, though it does not by itself show that the site is legitimate.
  • Do not click on links contained within e-mails. Open a new browser window and type the address yourself.
  • Do not reply to phishing, smishing or vishing attempts. Never reply to phone calls, e-mail, or text messages asking for personal or financial information unless you can confirm the requestor's identity.
  • Keep security software (antivirus, anti-malware) up-to-date and keep firewall settings active.


Protect Yourself and Your Computer

There are many nasty things that can happen to your computer, resulting in loss of data and/or unintended divulgence of personal information. The following are things that could make you and your PC very unhappy, and some recommended ways to protect yourself…

Viruses/Worms

Definition:

A program or piece of computer code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses are capable of replication to other computers. Viruses can compromise computer and network resources and bypass security systems. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Protection:

  • Purchase Antivirus (AV) software – AV software detects and removes viruses/worms from your computer (McAfee, Symantec).
  • Purchase Firewall software - firewall software protects your computer from anything (or anyone) on the Internet that tries to access or alter files on your PC without your permission (McAfee, Symantec).
  • Regularly update the virus definition files associated with the AV software.
  • Regularly scan your computer for viruses.
  • Do not click on or follow hyperlinks you are not familiar with or do not trust.
  • Do not open e-mail attachments sent from a source you are not familiar with or do not trust.

Spyware/Adware/Malware/Keyloggers

Definition:

Software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are inadvertently installed when visiting a website or clicking a hyperlink. Once installed, spyware monitors user activity on the Internet and transmits that information covertly to someone else. Spyware can also gather and transmit personal information (e-mail addresses, passwords, credit card numbers, etc.). Spyware can also cause problems with computer resources, causing PCs to run slowly or erratically.

Protection:

  • Purchase software that protects your computer from anything (or anyone) on the Internet that tries to access or alter files on your PC without your permission (AdAware, Spybot).
  • Minimize unnecessary “surfing” on the Internet.
  • Do not click on or follow hyperlinks you are not familiar with or do not trust.
  • Do not open e-mail attachments sent from a source you are not familiar with or do not trust.

Spam

Definition:

Electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited e-mail. E-mail advertising for some product sent to a mailing list or newsgroup.

Protection:

  • Purchase Anti-Spam Software - this software filters your e-mail for SPAM and either deletes it or directs it to a destination of your choosing. There are many companies who offer anti-spam software packaged with AV software (McAfee, Symantec).
  • Utilize SPAM filters provided by your email provider.