Click here to load the FDIC's Special Edition of "A Bank Customer's Guide to Cybersecurity".
US-CERT (United States Computer Emergency Readiness Team) has a "Tips" page that describes and offers advice about common security issues for non-technical computer users. This is an excellent website for learning "best practices" for internet usage.
Email and Communication
This hyperlink will take you to the US-CERT "Tips" page.
[The above link leads away from the Bank of McCrory website. The Bank of McCrory is not responsible for the website content or any products or services provided through this link.]
Never share any of your personal Online Banking login information with anyone. Neither the Bank of McCrory nor any other credible source will ever call, write, email, or TEXT you asking for this information.
Passwords – the Key to Staying Ahead of Hackers [From Austen's Newsletter, Shazam Account Consultant]
For most of us who deal with computers on a daily basis, creating passwords is a routine operation. In truth, however, it should be anything but routine. Password security is perhaps the most important line of defense against cyber-criminals. The strongest passwords are those that are easy to remember but difficult to hack. Here are some tips for creating such a password.
Use different character classes
Don’t just use letters. A to Z is one character class, a to z is another, symbols are another, while numbers are another. Use them all. Weak: Guitar. Stronger: GuiTar. Stronger still: GuiT&r.
Use more than one word
Passwords such as yellowelephant or whenpigsfly or ceramicwater are more secure than single word passwords. Separate your words with symbols or numbers (Fuzzy!4!monKey, for example) for even more security.
Use complete sentences
A password like “F&WL2HH&E4D” might seem impossible to remember, but it’s actually easy. Each character stands for a word of a sentence – in this case “Fred And Wilma Like To Have Ham And Eggs For Dinner.” Simply come up with a memorable sentence of your own and include letters, symbols and numbers – you’ve got a super-secure password.
Ideas for passwords
Sometimes it’s not easy to come up with strong password ideas. Here are a few:
* Choose a memorable purchase, such as your first car (#72Montecarl@).
* Look through a catalog and choose words based on items you like (C@llowayRazr4me).
* Describe a memorable photo (Mom&me@Thebeach!).
Social Engineering: Are You At Risk?
The term “social engineering” refers to an attempt to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals.
Most users should be familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or visit untrusted websites. However, there are other ways that a perpetrator might try to gain access to information or systems.
Below are several examples of social engineering methods — many of which rely on direct contact with an individual — along with suggestions to minimize the likelihood that such methods will be successful.
Impersonation
In this situation, the perpetrator pretends to be someone else (for example: impersonating a senior manager from your organization or someone from your help desk). The impersonation may occur over the telephone, in person, or via email.
The perpetrator may try to make you feel obligated to assist or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation, prompting you to react before you have fully thought through the consequences.
Follow your organization's procedures when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim to be from “technical support.”
Systems and Physical Access
All too often, people will hold the door open for someone entering a secure area or building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee.
Do not allow unauthorized individuals to follow you through secured access doors, and report this to appropriate officials.
Shoulder Surfing
This scenario refers to the ability of a perpetrator to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations.
Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas that are utilized for sensitive information should not have the monitors facing outward.
Baiting
This scenario involves a perpetrator asking a variety of seemingly innocuous questions designed to probe for information. The attack is often done over the telephone but can also be done in person. Small amounts of fact are interjected into the conversation at the right time to make requests for information sound legitimate.
Information you know could be valuable to the perpetrator — whether that information is about your work environment, fellow employees, projects, or personal information — must be handled with extreme care. Be mindful of what you say and to whom.
Surveys
Many of us have no doubt been recipients of requests to participate in surveys — whether online, via telephone, or otherwise. The surveys may be for legitimate purposes or might be a scam.
In either case, be aware of unwittingly disclosing information that may be used inappropriately (for example: disclosure of details about your organization, its network security, or infrastructure could prove extremely useful to someone with malicious intent).
If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate. Then check with your supervisor or appropriate individual, such as your privacy or security officer, to determine if it is OK to respond to the survey. If you do respond, make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.
Dumpster Diving
Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or properly destroy them in accordance with your organization’s policy.
Social Media and Networking Websites
Use discretion when posting information online or commenting about anything on social networking sites. Once information is posted, it can potentially be viewed by anyone and may not be retracted afterward. The more information you post, the more information is available for a perpetrator to use in an attempt to conduct a social engineering attack.
Recommendations
The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common-sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information.
1. Before releasing any information to anyone, it is essential to at least establish:
   * The sensitivity of the information
   * Your authority to exchange or release the information
   * The true identity of the third party
   * The purpose of the exchange
2. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.
3. If you do not know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about the person's authorization or access permission, report the situation to the appropriate staff.
4. Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.
Resources For More Information:
Department of Homeland Security Blog — Protect Yourself Against Social Engineering Attacks
CSO Magazine — Social Engineering: The Basics
June 15, 2012
It has come to our attention that Bank of McCrory customers are receiving automated recorded phone messages saying that the customer's debit card has been compromised. THIS IS A FRAUDULENT PHONE CALL. PLEASE DO NOT RESPOND. Neither the Bank of McCrory nor our debit card processor (Shazam) ever uses recorded phone messages to contact our customers. If you have already received this fraudulent phone call AND RESPONDED TO IT BY PROVIDING ANY CARD INFORMATION, please notify the Bank of McCrory immediately at (870)731-2521. After hours you may call Shazam directly using the 800 number located on the back of your debit card.
April 19, 2012
Shazam is aware of a phishing attack being broadcast through the Twitter hashtag #shazamdebitcard. This attack has led to the creation of several fraudulent “Shazam Debit Card” Internet sites. The sites claim to be collecting information for fast-cash loans; therefore, personal information, such as a person’s Social Security number, date of birth, and driver’s license number, is being targeted. Please ignore any such sites and the Twitter hashtag #shazamdebitcard.
20101119
SHAZAM has been alerted to a “mishing” fraud attack that is targeting cardholders. The attack consists of a text message sent to mobile phones stating “Notice: Issues Found On Your Shazam 551729XX Mastercard. Please Call 13035780902!” This number currently hosts an automated recording demanding the entry of the PAN. Additional confidential information is then requested from the cardholder. These calls are fraudulent and have not been authorized by SHAZAM. Neither SHAZAM nor the Bank of McCrory will ever contact you concerning official banking business using a text message.
20091022
Shazam has an excellent website about fraud awareness. Go to our External Links page and click the 'Fightback' hyperlink to learn how to avoid becoming a victim of the latest scams.
20091021
If you believe your card and/or PIN has been lost or stolen and you need to cancel your card during non-business hours, call Shazam at 1(800) 383-8000.
Insured by the Federal Deposit Insurance Corporation