Identity Theft Info:
Commercial Bank of California provides state-of-the-art cyber-security education, awareness, and training for our clients. CBC is always looking out for ways to help our clients without compromise. We chose from our inception to remain privately owned rather than become beholden to the interests of public investors, and as a result, we have the utmost respect for our clients’ right to enjoy a private banking relationship. In our view, exceptional security and stringent privacy standards are not at odds with each other – rather, we believe that each reinforces the other.
Please review the following tips and tricks to sharpen and reinforce your cyber-security skills:
Your home has locks on the doors and windows to protect your family and prevent thieves from stealing cash, electronics, jewelry, and other physical possessions. But do you have deterrents to prevent the loss or theft of your electronic assets, including bank account and other information in your personal computers, at home and when banking or shopping remotely online?
“Think about all of the access points to and from your computer — such as Internet connections, email accounts, and wireless networks,” said Michael Benardo, manager of the FDIC’s Cyber-Fraud and Financial Crimes Section. “These always need to be protected. Otherwise, it’s like leaving your front door wide open while you are away so that anyone could come in and take what they please.”
Consumers increasingly rely on computers, web-enabled devices, and the internet for everything from shopping and communicating to banking and bill-paying. While there are a number of benefits of using web services — faster and more convenient services, for example — bank customers should also be aware of the risks.
Common cyber-related crimes include identity theft, frauds, and scams. Identity theft is a crime in which someone wrongfully obtains and uses another person’s personal data to open fraudulent credit card accounts, charge existing credit card accounts, withdraw funds from deposit accounts, or obtain new loans. A victim’s losses may include not only out-of-pocket financial losses but also substantial costs to restore credit history and to correct erroneous information in their credit reports.
In addition to identity theft, every year millions of people are victims of frauds and scams, which often start with an email, text message, or phone message that appears to be from a legitimate, trusted organization. These messages typically ask consumers to verify or update personal information, or they direct consumers to bogus websites (such as for credit repair services) in the hope that consumers will visit the site and enter their personal information.
The best protection against identity theft is to carefully guard your personal information. For example:
Consumers should always exercise caution when it comes to their personal and financial information. The following tips may help prevent you from becoming a fraud victim.
As mentioned previously, Security Operations personnel receive up to 11,000 alerts per day. Sifting through this large volume of notifications and choosing which alerts to investigate is a resource challenge. In addition, per Crowdstrike’s and DFIR’s research, malicious actors are using automation with their malware.
For example, per Crowdstrike, a cyber security company, eCrime malware can move laterally across the network within an hour and 32 minutes of the initial infection. In 36% of these cases, the attacker was able to move across the network in less than 30 minutes.
Similarly, the Qbot malware, whose sole purpose is to steal browser data and e-mails from infected workstations, can do so within 30 minutes of the initial infection, and it takes only 50 minutes before it infects additional workstations on the network.
Given the alert fatigue that Security Operations personnel are experiencing and the speed of modern-day malware attacks, antivirus solutions might no longer be effective. Many antivirus companies now offer a Managed Detection and Response (MDR) service. MDR provides 24/7 threat monitoring, and some providers will apply remediation as well. Crowdstrike, Rapid7, and FireEye are some of the leaders in this space per IDC MarketScape.
Endpoint Detection and Response (EDR) is a good secondary option for those who cannot obtain MDR due to the size or complexity of their operations. EDR can enhance malware protection in the following ways when compared to traditional antivirus:
Per Proven Data, a data recovery service company, businesses can expect to pay $5 to $8 per user per month and $9 to $18 per server per month for EDR services.
Stopping unlawful requests for information is one of the most important (and easy!) things you can do. Letting so much as a single piece of information fall into the wrong hands is no small matter, as it allows the scammer to build a profile for further social engineering attacks, identity theft, or Account Takeover. Any “social engineering” attempts via phone or e-mail to obtain private data outside of secure and official lines of communication should be reported and used as an education or training opportunity.
Please note that CBC would never call or e-mail for personal information unless you have first contacted us about a particular banking product or service. If you ever receive an out-of-the-ordinary request from someone claiming to be CBC, please do not respond and contact the regional office that you bank with: cbcal.flywheelsites.com/locations
It may seem extreme, but a lot of damage can happen from clicking on a seemingly innocent browser link or opening an attachment in an e-mail. Per the Microsoft Digital Defense Report, phishing is responsible for almost 70% of data breaches. While the previously mentioned technologies can mitigate malicious content being delivered by e-mail, the human firewall (you and your employees) will always be the last defense when all else fails.
Continuous training and testing are the most effective forms of strengthening the human firewall. Luckily, many companies can provide security awareness computer-based training. The current leader in this space, per Gartner’s 2019 report, is KnowBe4. Depending on the size of the organization and the packages you need, as of July of 2022, the cost of KnowBe4 training and testing packages can run between $9 to $30.50 per user per year.
It is unnecessary to be afraid of every link and attachment in e-mail, especially if you are expecting the e-mail or the sender’s request is not out of the ordinary based on your interactions with them. However, the best defense is to be politely paranoid and check the source if you receive an unexpected e-mail or out-of-the-ordinary request. For example, do not click on the link in an unexpected e-mail about a lost package, security warning, or billing change. Instead, visit the online store or service directly through the web; if the notification or warning is genuine, you will see the same notification there.
If you receive an out-of-the-ordinary request from someone you know, you can verify that it is really from them by calling, texting, or meeting with them face-to-face. However, we recommend not replying to the e-mail or calling the phone number from the e-mail to confirm its authenticity, as the sender’s e-mail account may be compromised without their knowing. This is also known as Business E-mail Compromise, which netted malicious actors $1.8 billion in 2020, per the FBI.
For an e-mail containing a news article of interest or the latest viral video, simply use the search engine or your favorite news website to find the content.
The best security design is often compared to peeling an onion. The longer it takes a person to peel an onion, the more likely the person will be in tears. Deploying security tools in layers is important to slow down or even frustrate an attacker. In addition to having strong anti-malware controls and user education, another security layer is blocking suspicious or malicious websites.
Some business-grade antivirus programs or network firewalls will provide website (URL) filtering features where certain website categories can be blocked. The most relevant categories include malicious websites, scams, or hacking sites. The cost of the firewall varies between the hardware, the annual subscription, and installation fee. Per Proven Security, it can range between $1,500 to $15,000 (a month?), depending on the size of the network and needs.
For businesses with a remote workforce that are completely cloud-based, a network firewall might not be effective since the users do not need to use VPN to connect to their cloud environment to work. While a business-grade antivirus with URL filtering feature can still be effective in such cases, a secure web gateway is another possible solution to block suspicious or malicious websites.
At the basic level, Secure Web Gateway provides URL filtering and scanning for downloaded malicious codes. However, many of these services can also provide additional security features, such as a secure remote access solution known as Secure Access Service Edge (SASE). SASE is a more secure solution than VPN. According to Gartner’s 2020 report, Zscaler is the current leader in this space.
Per Microsoft, multi-factor authentication mitigates 99% of all password attacks. CBC customers are already familiar with the multi-factor authentication used for Online Banking, which requires both your password and a one-time pass-code sent to your phone number either by voice or text message. This essentially doubles the amount of work fraudsters must do to access your online banking account, because they have to know your password (knowledge factor) and have access to your phone (possession factor).
However, because of telecom companies’ poor customer verification processes, attackers may be able to hijack cell phone numbers through a SIM-jacking attack. To mitigate this attack, many technology companies offer dedicated MFA applications that use push notifications instead of one-time pass-codes to sign in, which reduces the impact if your cell phone number is hijacked. Some of these mobile applications, such as Microsoft Authenticator or Google Authenticator, also support other websites that use MFA; for those sites, the app displays a time-based one-time pass-code instead of a push notification.
Backing up your data is important given today’s ransomware attacks. Our head Information Security Officer recommends backing up critical data daily, if possible. Modern backup programs and services have features for differential or incremental daily backups, where only new or changed data is backed up, thereby speeding up the nightly process. If feasible, the best practice is to store both an online copy and an offline copy of the backup; there have been destructive malware attacks in which the online backup was deleted in the process. Per Gartner’s 2021 report, Veeam, Commvault, and Veritas Technologies are leaders in this space. The cost of backup varies with the software licensing cost and how much data is being stored.
Most important of all, perform a periodic restore test. These periodic tests help you understand how long it would take to restore your system and how to do it, which speeds up the disaster or incident recovery process. Above all, they ensure that when the time comes, your critical data is recoverable.
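As an added illustration of the incremental-backup and restore-test ideas above (example code written for this page, not CBC's tooling or any of the named vendors' products), the following script keeps a manifest of SHA-256 hashes so that a second run copies only the files that changed, then restores every recorded file and verifies its hash against the manifest. The directory names, file names and contents in demo() are constructed for the demonstration and live in a temporary directory, so it runs offline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    # SHA-256 of the file contents, read in chunks so large files do not need to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def incremental_backup(src: Path, dest: Path) -> list:
    """Copy only files that are new or changed since the last run, as judged by the manifest.

    Returns the relative paths that were copied this run. Files deleted at the source stay
    in the manifest and backup set, so an accidental or malicious deletion is still recoverable.
    """
    manifest_path = dest / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    copied = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        digest = file_digest(path)
        if manifest.get(rel) == digest:
            continue                      # unchanged since last backup: skip it
        target = dest / "data" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)        # copy2 keeps timestamps as well as contents
        manifest[rel] = digest
        copied.append(rel)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return copied


def restore_test(dest: Path, restore_to: Path) -> dict:
    """Restore every file in the manifest to a scratch location and verify its hash.

    Returns {"restored": <count of verified files>, "failed": [<relative paths that did not match>]}.
    """
    manifest = json.loads((dest / "manifest.json").read_text())
    ok, failed = 0, []
    for rel, digest in manifest.items():
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / "data" / rel, target)
        if file_digest(target) == digest:
            ok += 1
        else:
            failed.append(rel)            # corrupted or tampered backup copy
    return {"restored": ok, "failed": failed}


def demo() -> dict:
    # Constructed sample data: two files, back up, change one, back up again, then restore.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, restored = root / "src", root / "backup", root / "restore"
        src.mkdir()
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        first = incremental_backup(src, dest)      # both files are new
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n2024-01-02,250\n")
        second = incremental_backup(src, dest)     # only ledger.csv changed
        result = restore_test(dest, restored)      # every manifest entry restores and verifies
        return {"first_run": first, "second_run": second, "restore": result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The restore test is the part that matters operationally: timing restore_test against a realistic data set gives the recovery-time figure the paragraph above refers to, and a non-empty "failed" list means the backup copy, not just the source, has been damaged.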
This last tip sounds like a broken record, but it is one of the most important. Unfortunately, developers are not perfect: each change to software and applications usually has good intentions, but sometimes the change also makes the software vulnerable to different malicious attacks. In addition, many security updates are released to remediate known vulnerabilities, and in some cases malicious threat actors become aware of the vulnerabilities as soon as the updates are released. As a result, it is important to patch your operating system (Windows) and applications at least monthly. If you are running operating systems or applications that are no longer supported by the manufacturer or software developers, we highly recommend coming up with a plan to retire or replace them. If it is considered
Test your cyber-security knowledge with the online quizzes from the Federal Trade Commission: