SUBJECT: Fraudulent E-Mails Claiming to Be From the FDIC Summary: E-mails that claim to be from the FDIC are reportedly in circulation. The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of fraudulent e-mails that have the appearance of being from the FDIC. The e-mails appear to be sent from various “@fdic.gov” e-mail addresses, such as “subscriptions@fdic.gov,” “alert@fdic.gov,” or “accounts@fdic.gov.” They have subject lines that read: “FDIC: Your business account” or “FDIC: About Your Business Account.”

The e-mails are addressed to “Business Customer” or “Business Owner” and state “We have important information about your bank” or “…financial institution.” They then ask recipients to “Please click here to find details.” They conclude with, “This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership.”

These e-mails and the link included are fraudulent and were not sent by the FDIC. Recipients should consider the intent of these e-mails as an attempt to collect personal or confidential information, or to load malicious software onto end users’ computers. Recipients should NOT access the link provided within the body of the e-mails and should NOT, under any circumstances, provide any personal financial information through this media. Financial institutions and consumers should be aware that other subject lines and modifications to the e-mails may occur over time. The FDIC does not directly contact consumers in this manner nor does the FDIC request personal financial information from consumers.

For your reference, FDIC Special Alerts may be accessed from the FDIC’s Website at www.fdic.gov/news/news/SpecialAlert/2011/index.html. To learn how to automatically receive FDIC Special Alerts through email, please visit www.fdic.gov/about/subscriptions/index.html. Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp.

Sandra L. Thompson Director Division of Supervision and Consumer Protection

FDIC Consumer News can’t tell you when it’s safe to throw away financial documents. One thing to remember, though, is that federal tax rules require you to have receipts and other records that support items on a return for as long as the IRS can assess you additional tax. 

“In very general terms, because the IRS has about six years to assess additional tax if you underreported your income by more than 25 percent, many tax advisors recommend holding all tax records for about seven years, building in extra time for any unforeseen delays in processing your return,” said Rick Cywinski, an FDIC tax policy manager. He also noted that the tax period is unlimited if the IRS suspects fraud. 

With tax considerations in mind, here are suggestions that may be reasonable for many people. 

Credit card and bank account statements: Save those with no tax significance for about a year, but those with tax significance should be saved for seven years. 

Canceled checks: Those unrelated to anything you claimed on your income tax form and not needed to show you’ve paid a bill or debt probably can be destroyed after you’ve verified that your bank statement is correct. But canceled checks that support your tax returns, such as charitable contributions or tax payments, probably should be held for seven years. 

And, you may want to keep indefinitely any canceled checks and related receipts or documents for a home purchase or sale, renovations or other improvements to a property you own. But once a home has been sold and another seven years have passed, checks related to renovations or improvements can be destroyed. 

Of course, many banks no longer send cancelled checks, although they may provide copies of the originals. “You can keep the copies of your tax-related checks if you get them from your bank, but if you don’t get copies with your statement, you have some options,” said Evelyn Manley, a Senior Consumer Affairs Specialist at the FDIC. 

“The most conservative approach is to order copies of important checks soon after your statement arrives,” she said. “Another is to keep the information on your bank statement to order copies if you’re audited in the future because, in general, banks that do not return original checks to customers are required to keep copies of checks for seven years.” 

Also, she said, if you keep records electronically, be sure to back up your data. You can store it in various ways (on CDs, flash drives and so on), but as old technology is no longer supported, you will need to transfer your old data to new media. Another option is to research different companies that provide backup storage online, either free or for a small charge. 

Deposit, ATM, credit card and debit card receipts: Save them until the transaction appears on your statement and you’ve verified that the information is accurate. You may make an exception for receipts for expensive items. If they are under warranty or you have to file an insurance claim, the receipt may be helpful. 

Finally, before tossing away any document that contains a Social Security number, bank account number or other personal information (especially financial information), shred it to avoid becoming a victim of identity theft. 

For additional guidance on what records to toss and when, ask your accountant, attorney or another trusted advisor. 

This short update on the Epsilon breach was published April 5, 2010 by CNET, a respected online technology review site.  It contains good basic information on the breach and some good suggested precautions for consumers who feel they may have been impacted.

The list of customers affected by the Epsilon database breach continues to grow.

The breach, which took place last week but was announced over the weekend, compromised the e-mail addresses and some names belonging to the customers of many major U.S. companies that outsource their marketing and e-mail communications to Epsilon.

The company said Monday that 2 percent of the companies it counts as clients are affected by the security breach. There is no official list of affected companies that’s available, and a company spokesperson said Epsilon cannot release the names of its clients. Epsilon is in the midst of conducting an investigation of what led to the security breach.

The list of Epsilon clients whose customer e-mail addresses were stolen is not complete, and is likely to grow. But so far Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, and Best Buy have notified their own customers about the breach. Hilton Hotels and Ethan Allen are also said to be affected.

Here are some tips on what to do if you did receive an e-mail from one of the companies above or if you believe one of them does have your e-mail or name, and what could happen next.

How do you know if you’re affected?
If you’ve ever given your e-mail address to any of the above companies, you probably are.

What will happen?
Most of the companies that are talking about it say the information that was stolen is limited to e-mail addresses and possibly names. Credit card companies and banks like Chase and Capital One say they do not believe any financial information was compromised.

But a bunch of e-mail addresses in the wrong hands means what’s likely to result is a rise in phishing scams. “Phishing” is an attempt to use e-mail to try to get you to reveal more personal information about yourself. This can include usernames, passwords, Social Security numbers, or account numbers.

Many times phishers are simply guessing and will pick a company that a broad group of people does business with, like PayPal, or a government entity, like the IRS. The threat in the Epsilon case is now whoever gets access to these lists of e-mail addresses knows exactly what companies count you as a customer. That means phishing attempts can be much more targeted and therefore potentially harder to spot because they can masquerade as being from a bank or company such as the ones listed above.

What should you do about it?
Do not open e-mail from someone you don’t know. That’s pretty simple. But you’ll also need to be extra vigilant now that phishers may know specifically where you shop, what airline you fly, or where you bank. Look at the e-mail address–if it’s purportedly from one of the companies above but ends in something other than .com, especially an international domain like .uk, that’s a good indication it’s a scam since most phishing attempts originate outside the U.S. Also be on the lookout for spelling errors in the e-mail address, URL, or body of the e-mail, or e-mails whose tone sounds particularly urgent.

If you do open the e-mail, don’t click any links. A common phishing practice is to ask people to click a link to update their personal information.

If in doubt, call the company
If you get an e-mail from one of the companies listed above asking for any information, and you’re unsure if it’s legitimate, you can always call them. Many retailers affected by the Epsilon breach are notifying their customers now that they would never ask for sensitive information via e-mail.

Read more: 

http://news.cnet.com/8301-31021_3-20050555-260.html#ixzz1IeXIHmfN

550 17th Street NW, Washington, D.C. 20429-9990 Division of Supervision and Consumer Protection

SA-10-2011
January 12, 2011

SPECIAL ALERT

SUBJECT: Consumer Alert
Summary: E-mails fraudulently claiming to be from the FDIC are attempting to get recipients to click on a link, which may ask them to provide sensitive personal information. These e-mails falsely indicate that FDIC deposit insurance is suspended until the requested customer information is provided.

The Federal Deposit Insurance Corporation (FDIC) has received numerous reports from consumers who received an e-mail that has the appearance of being sent from the FDIC. The e-mail informs the recipient that “in cooperation with the Department of Homeland Security, federal, state and local governments…” the FDIC has withdrawn deposit insurance from the recipient’s account “due to account activity that violates the Patriot Act.” It further states deposit insurance will remain suspended until identity and account information can be verified using a system called “IDVerify.” If consumers go to the link provided in the e-mail, it is suspected they will be asked for personal or confidential information, or malicious software may be loaded onto the recipient’s computer.

This e-mail is fraudulent. It was not sent by the FDIC. It is an attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this media.

The FDIC is attempting to identify the source of the e-mails and disrupt the transmission. Until this is achieved, consumers are asked to report any similar attempts to obtain this information to the FDIC by sending information to alert@fdic.gov.
For your reference, FDIC Special Alerts may be accessed from the FDIC’s Web site at www.fdic.gov/news/news/SpecialAlert/2011/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.

Sandra L. Thompson
Director
Division of Supervision and Consumer Protection

Distribution: FDIC-Supervised Banks (Commercial and Savings)

Note: Paper copies of FDIC Special Alerts may be obtained through the FDIC’s Public Information Center, 877-275-3342 or 703-562-2200.

“Now, more than ever, people really appreciate receiving gifts they can use,” said Todd Hurley, First Savings Executive Vice President and Chief Retail Officer.  “Branded gift cards are a thoughtful and practical option because they are being accepted by an increasing number of merchants.  But with these cards—as with any credit or debit card—we want our customers to have the information they need to use them wisely and avoid fraud.”

Branded gift cards look like a credit card, but are limited by the dollar amount loaded on the card by the purchaser and should be treated as cash. They differ from retail gift cards, which are issued by and accepted solely at the issuing retailer.

First Savings reminds consumers how important it is to know the facts when buying or using branded gift cards. Some tips include:

• Know the card’s terms and conditions, as they may vary. For example, there may be fees for dormancy, transaction, inactivity, ATM, balance inquiry or reloading. These fees and other terms and conditions are usually printed on the card.
• Some cards have an expiration date that may appear on the card itself, on the card’s sleeve, at the retailer’s or on the issuer’s website.
  • Keep the card’s account number and original packaging, which includes the customer service number, in a safe place.  You may need this information should your card become lost or stolen or there is a need to obtain a replacement card.
  • Sign the card in the space provided.
  • Whenever possible, register your card online.  This will help if you have any service issues.       
  • Before using the card, know your balance. Most issuers offer toll-free voice response systems where you can check your balance. Funds are immediately deducted from the available card balance when you make a purchase.
  • Most major retailers accept split payments.  You can pay with the gift card and pay the balance of a purchase using another form of payment. But you have to tell the merchant the exact amount you want deducted from your gift card.
  • It’s a good idea to keep gift cards after the card balance has been used. You may need to show the card should you make a return or an exchange.
  • When using a gift card at service locations, such as restaurants, be sure you have the available balance to cover incidentals and tips.
  • When using a gift card at a gas pump or any automated self-service terminal, be sure there are enough funds to cover the entire purchase. Even if the card is short by only a few dollars, the transaction may not be approved.

“Community bankers work throughout the year to offer our customers the products and services they want and the information they need to safeguard their finances.  We want to be especially sure during the holiday season that our customers who receive a branded gift card know how to protect it and themselves and enjoy the full value of their gift,” Hurley said.

For more information, visit www.icba.org.  

About ICBA

The Independent Community Bankers of America, the nation’s voice for community banks, represents nearly 5,000 community banks of all sizes and charter types throughout the United States and is dedicated exclusively to representing the interests of the community banking industry and the communities and customers we serve. For more information, visit www.icba.org.

            “First Savings works diligently to protect our customers from identity theft,” said Fred Schea, President and CEO of First Savings. “We use a combination of safeguards to protect customer information, such as employee training, strict privacy policies, and rigorous security standards. But we can’t do it alone. Customers can help us protect them by following a few simple precautions.”

            “We  encourage customers to follow some simple steps to avoid becoming a victim:

• Shred or tear up statements and other personal information. Criminals may be able to get access to your accounts and personal information by “dumpster diving” (retrieving canceled checks, deposit receipts or bank statements from dumpsters or trash bins). Better yet, utilize online bill pay and electronic statements to eliminate having personal information sent through the mail.
• Keep an eye out for any missing mail, particularly account statements and bills that do not arrive when expected.
• Review your monthly accounts regularly for any unauthorized charges through the Internet, phone or ATM statements.
• Order free copies of your credit report once a year from each of the credit reporting agencies to ensure accuracy. Go to the Federal Trade Commission’s authorized web site www.annualcreditreport.com for your free credit report.
• Choose to do business with companies you know are reputable, particularly online. When conducting business online, use firewalls, anti-spyware and anti-virus software and do not respond to unsolicited requests for personal information.
• Protect your PINs and passwords. Use a combination of letters and numbers for your passwords and change them periodically.
• Report any suspected fraud immediately to your bank and the fraud units of the three credit reporting agencies.”

            A special website is available that offers consumer tips, steps for victims and a state-by-state list of Protect Your Identity Week events. There’s also an online ID quiz that can help determine how prone one may be to identity theft. Click here to visit the site: http://www.protectyouridnow.org.

Don’t Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams.
(FDIC YouTube Channel)

Originally Posted on www.bankinfosecurity.com

New Phishing Schemes Target Mobile Customers with Bogus Apps

Symptomatic of a new fraud trend targeting mobile banking, at least two banking institutions have posted messages on their websites, alerting members to be wary of a bogus application distributed on mobile phone platforms.

Bayport Credit Union of Newport News, VA, and First Technology Credit Union of Portland, OR, warned members about a mobile banking application that had appeared on the Android Marketplace, part of the Android mobile phone platform. Android is a subsidiary of Google. More than 50 fraudulent banking apps began appearing in the Android Marketplace in mid-December, industry experts say. The apps didn’t contain malware, but instead attempted to get users to enter their passwords, account numbers or other personal information.

Google says it has removed the malicious applications, which targeted customers of Barclays Bank, Chase, Wells Fargo, Bank of America, Wachovia and Deutsche Bank, among others.

Todd Lindemann, AVP of Electronic and Card Services at Mountain America Credit Union, Salt Lake City, UT, says that the malicious applications first came to his attention when MShift, a vendor providing mobile phone banking services for the credit union, investigated reports of mobile phone banking applications being hosted on an application site for Droid phones. What was more troubling to Lindemann was that his credit union had just launched its own iPhone application in November. The alert that MShift sent to its customers in December states, “This phishing attack has been launched from the Android Marketplace and is impacting over 50 financial institutions worldwide, including those that currently do not offer mobile banking solutions, much less an Android download.”

MShift advised its clients to inform their customers of this potential phishing threat and “direct any of your customers that have downloaded this application from the Android Marketplace that the Android downloadable provided by Droid09 is NOT an authorized or legitimate downloadable application of your institution.”

This attempt to grab bank account numbers and passwords by phishers highlights the security concerns of many institutions that both offer mobile banking to customers and rely on mobile phones, especially smart phones such as the iPhone and the Droid, to be connected to their staff.

Best Practices for Securing Mobile

Beyond phishing concerns, there are some best practices that cell phone users should keep in mind when using their phone, whether for business or for personal use. Simon Bransfield-Garth, CEO of Cellcrypt, a cell phone encryption company based in London, offers these tips for institutions and their customers:

Make No Assumptions- Never assume that voice calls are confidential (like fax or email), especially when calling internationally where some countries’ phone operators have no encryption security in place at all. Check your signal, calls on 3G are more secure than 2G but often falls back to 2G when 3G is unavailable.

Ensure Physical Security- Keep your phone safe and do not leave it lying around. Skilled attackers can take just a few moments to install a malicious program, compromise the security of the SIM card or install a special battery with a bug in it, all of which can later be used to help intercept calls.

Protect PIN- Use and protect your phone and voicemail PINs in the same way as your bankcard PIN. Never leave confidential messages in voicemails or send confidential texts. Texts in particular are easy to read on the phone and mobile phone voicemails can often be accessed from any phone with the PIN.s

Be Mindful of Malware- Be vigilant to prevent malicious software on your phone. Be wary of texts, system messages or events on your phone that you did not ask for, initiate or expect. Turn off Bluetooth if you are not using it.

Take Precautions- Consider installing antivirus/antimalware software. And if you strongly suspect your calls are being listened to, then turn off the phone when you don’t need it and remove the battery as an extreme precaution. Also, use voice call encryption software on your phone to secure your sensitive calls that works worldwide and is as easy to use as making a normal phone call.

Bransfield-Garth says financial institutions are no different to any other organization when it comes to protecting valuable phone calls, and this kind of call interception could also potentially extend to the calls made to the institution by customers inquiring about their accounts. Imagine a high-value customer calls into transfer or wire funds, and the call is intercepted. Who would be responsible for the theft of that customer’s money if a hacker got an account number, password or PIN? “The responsibility angle is very important, as theft of voice call data is not explicitly covered by regulatory, compliance or best practices that already exist for ‘data’ (which means non-voice data),” Bransfield-Garth says.

Linda McGlasson, Managing Editor
January 18, 2010