Security

Cyber Security Customer Awareness Program

As internet usage is expanding it is increasingly important to know how to take steps to protect yourself from becoming a victim of fraud and identity theft.  We want to help our customers to better protect themselves in the current online banking environment. Below are areas that you may find helpful to assist in maintaining online safety while utilizing the internet: 

Electronic Funds Transfer Act

(Regulation E)
Regulation E establishes the basic rights, and responsibilities of consumers who use electronic fund transfer services and of financial institutions that offer these services. The primary objective of the act and this part is the protection of individual consumers engaging in electronic fund transfers.

Regulation E Points:

  • Banks follow specific rules for electronic transactions issued by the Federal Reserve Board known as Regulation E. These rules cover all kinds of situations revolving around transfers made electronically. Under the consumer protections provided under Regulation E you may be able to recover internet banking losses according to how soon you detect and report them.
  • In general, these protections are extended to consumers and consumer accounts.
  • Tell us at once if you believe your card and/or code has been lost or stolen, or if you believe that an electronic fund transfer has been made without your permission using information from your check. Telephoning is the best way of keeping your possible losses down. If you report the losses within two days after you learn of the loss or theft of your card and/or code, you can lose no more than $50.  Also, if you do NOT tell us within two business days after you learn of the loss or theft of your card and/or code, and we can prove we could have stopped someone from using your card and/or code without your permission if you had told us, you could lose as much as $500. Also, if your statement shows transfers that you did not make, including those made by card, code or other means, tell us at once. If you do not tell us within 60 days after the statement was mailed to you, you may be legally liable for the full amount.
  • Regulation E protects individual consumers engaging in electronic fund transfers (EFT). Non-consumer (or business) accounts are not protected by Regulation E.
  • Regulation E is a consumer protection law for accounts established primarily for personal, family or household purposes. Non-consumer accounts, such as Corporations, Partnerships, Trusts, etc. are excluded from coverage. Regulation E give consumers a way to notify their Bank that an EFT has been made on their account(s) without their permission.

For a complete detail explanation of protections provided and not provided under regulation E, please visit the following link:

Debit Card Protection

Debit card usage has increased dramatically in recent years and fraudulent use of debit cards has also increased. Citizens' Bank receives alerts and notification of compromised cards. Our policy is to close the exposed card and reissue a new card to mitigate any future risk. We also have a fraud alert monitoring program in place and is based on a model that monitors debit card transactions and uses commercially reasonable efforts to identify potential fraudulent activity. From time to time you may receive a verification call of noted suspect transactions. The caller will always identify themselves from "Citizens' Bank".  Below are some suggestions for you for the care and usage of debit cards:

  • NEVER give your debit card information when requested by phone, email or texting.  Citizens’ Bank will NEVER request information from you in this manner.
  • In a situation where another person takes your debit card out of sight to process a transaction, it may be better to pay with a credit card. For instance when at a restaurant and the waiter takes your card.
  • Review your account statements in a timely manner and contact us immediately of any unauthorized transactions.
  • Do not keep your Personal Identification Number (PIN) with your card.

Phishing, Malware and Other Fraudulent Communication

Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data applications, or operating system.  Malware is the most common external threat to most hosts, causing widespread damage and disruptions and necessitating extensive recovery efforts within most organizations. Common forms of malware are viruses, worms, Trojan Horses, malicious mobile code and blended attacks. Blended attacks uses multiple infection or transmission methods such as using methods of viruses and worms.  Generally recommended practices for avoiding malware incidents are as follows:

  • Not opening suspicious emails or email attachment, clicking on hyperlinks, etc. from unknown or known senders, or visiting websites that are likely to contain malicious content.
  • Not clicking on suspicious web browser popup windows.
  • Not opening files with file extensions that are likely to be associated with malware (e.g., .bat, .com, .exe, .pif, .vbs).
  • Not disabling malware security control mechanisms (e.g., antivirus software, content filtering software, reputation software, personal firewall).
  • Not using administrator-level accounts for regular host operation.
  • Not downloading or executing applications from untrusted sources.

Current malware sometimes rely on social engineering, which includes phishing, and is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign that are actually malicious. Examples of recommendations for avoiding phishing attacks and other forms of social engineering include:

  • Never reply to email requests for financial or personal information. Instead, contact the person or the organization at the legitimate phone number or website. Do not use the contact information provided in the email, and do not click on any attachments or hyperlinks in the email.
  • Do not provide passwords, PINs, or other access codes in response to emails or unsolicited popup windows. Only enter such information into the legitimate website or application.
  • Do not open suspicious email file attachments, even if they come from known senders. If an unexpected attachment is received, contact the sender (preferably by method other than email, such as phone) to confirm that the attachment is legitimate.
  • Do not respond to any suspicious or unwanted emails.  (Asking to have an email address removed from a malicious party's mailing list confirms the existence and active use of that email address, potentially leading to additional attach attempts). 

Forward phishing emails to spam@uce.gov – and to the company, bank, or organization impersonated in the email.

Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.

Visit the FTC's Identity Theft website at www.ftc.gov/bcp/edu/microsites/idtheft/.

Alternative Risk Control Mechanisms

Citizens' Bank provides enhanced security controls over account activities when using Online Banking such as a layered security approach which uses different controls at different points of a transaction so weakness in one control can be compensated for by the strength of another control as well as multi layered security in the authentication process.  Some of the security features employed within Online Banking for our customers are as follows:

  • Fraud detection and monitoring systems which consider customer history and enable a timely and effective response.
  • Internal control of administrative functions including enhance controls for system administrators who set up or change system configurations.
  • Enhanced control over account maintenance activities performed by customers or through customer service channels.
  • Processes internally designed to detect and respond to suspicious activity related to initial login and initiation of electronic transactions.
  • Multifactor authentication for transaction approvals for ACH, wires and external account transfers.
  • Transaction related security alerts via email and/or SMS when:

               ♦ A security related change is made (passcode, email address, phone(s),security questions/answers)

               ♦ Online Transfer is processed (On-Us)

               ♦ External Transfer is processed

               ♦ ACH batch approval

               ♦ Receiver for ACH origination added/modified

               ♦ Wire Transfer Approved

               ♦ Beneficiary for wire transfer added/modified

               ♦ New payee bill payment alert

  • Dual control for commercial activity (ACH origination, wire transfers) and Sub-User administration.
  • Security Token PIN for commercial activity (ACH origination, wire transfers).
  • Out-of band verification for transactions via email.
  • Dollar limits are set for External Transfers, ACH origination and Wire Transfer Requests.
  • Offer user initiated Notify-Me Alerts.
  • Reminders to users every 120 days to change password and update security questions semi-annually.

Helpful and Useful Tips to Mitigate Risk are Outlined Below:  

Passwords

  • Memorize your User Name and Password.  Your online User Name and password authenticate you when you begin an Online Banking Session. You should never write it down anywhere, save to your computer, or reveal it to anyone.
  • Create a complex unique password for online banking that: 
                   ♦ Is 8-12 characters in length. The longer the Password, the better.
                   ♦ Includes both letters and numbers.
                   ♦ Has at least four different characters (no repeats).
                   ♦ Has at least one special character.
                   ♦ Is obvious or easily obtainable information. Avoid dictionary words, children's names or birthdates.
  • Do not use the password auto-save feature on your browser.
  • Change your password periodically and often.

Personal Computers

  • Always sign out or log off and close your browser when you are finished. Don't rely on our Online Banking time-out feature.
  • Update software frequently and keep systems current.
  • Virus software, “definitions” should be updated daily.
  • Install and activate a personal firewall.
  • Install and run most recent version of Antivirus software.
  • Keep your operating system (OS) current.
  • Activate the automatic update feature.
  • Set your browser’s security level to the default setting or higher.
  • If your computer is infected with a virus, run anti-virus software to remove the infection and change passwords on all your financial and business accounts including your email account using a secure device.

General Best Practices

  • Keep your personal information private and secure.
  • Check your account balance regularly.
  • Do not access your account from a public location.
  • Be skeptical of email messages, for example, from someone unlikely to send an email such as the IRS.
  • Do not open suspicious emails and do not click on the links. Should this happen, stop work and have a diagnostics performed immediately.

Identity Theft Tips

  • Shred receipts, billing statements, expired cards, and similar documents.
  • Review statements promptly and carefully.
  • Only give personal information if you initiate the contact.
  • Periodically check your credit report. You are entitled to receive one credit report from each credit bureau annually at no cost.

Websites

  • Watch out for copycat websites that deliberately use a name or web address very similar to, but not the same as, that of the real financial institution or business.
  • Wireless access should be secured with strong password encryption. Be cautious when using public hotspots and consider your WI-FI auto-connect settings.
  • Check for the yellow lock icon in the status bar of your browser. This means the website uses encryption to protect your information. Make sure the yellow lock is closed, indicating the encryption is on. Double-click it to display the security certificate. The security certificate information should match the name of the site you intended to be on. 
  • Pay using credit cards.
  • Avoid using a public or shared computer for business and financial transactions. Only conduct Online Banking and financial transactions using a trusted computer.
  • Shred credit card, medical and other statements with personal information.
  • Never click on suspicious links.
  • Only give sensitive information to websites using encryption, verified though the web address.
  • Use social media wisely and don’t reveal too much.

Mobile Devices

  • Use passcodes.
  • Avoid storing sensitive information.
  • Keep software up-to-date.
  • Install remote wipe if the device is lost or stolen it can be cleared off.

Using ATM’s safely

  • Protect your ATM card and PIN. If lost report as soon as possible.
  • Choose a PIN different from your address, telephone #, and birthdate.
  • Be aware of people and your surroundings.
  • Put away your card and cash.
  • Skimming – observe the card reader; if it appears damaged don’t use it.

Listing of Bank Contacts

Contact any Citizens’ Bank Branch Locations click here, in the event you notice suspicious account activity or experience customer information security-related events.

To report a lost or stolen ATM/Debit Card during regular business hours please call (251)947-1981. After regular business hours please call (800)500-1044.

To report a suspicious email that uses Citizens' Bank's name, forward it to abuse@citizensbankal.com .

Report any suspected fraud to the Bank and immediately to the fraud units of the three credit reporting agencies:    TransUnion (800) 680-7289 - Experian (888) 397-3742-
Equifax (800) 525-6285

For more help and tips on Identity Theft please visit our webpage click here

Other Researched Security References:

Identity Theft

Tips for Safeguarding Your Information

Identity Theft occurs when a criminal uses another person's personal information to take on that person's identity. Criminals then use key pieces of information such as Social Security and driver's license numbers to obtain credit, merchandise and services in the name of the victim. The victim is left with a ruined credit history and the time-consuming and complicated task of regaining financial health.

While you probably can't prevent identity theft entirely, you can minimize your risk. By managing your personal information wisely, cautiously and with an awareness of the issue, you can help guard against Identity Theft.

Practical Safeguard Tips

  • Don't give your Social Security number or other personal information over the phone, through the mail, or over the Internet unless you've initiated the contact or are sure you know who you're dealing with.
  • Guard your trash from theft. Tear or shred receipts, copies of credit applications, insurance forms, physician statements, checks and bank statements, expired charge cards, and credit offers you get in the mail.
  • Secure personal information in your home.
  • Don't carry your Social Security Number card; leave it in a secure place. Don't put your Social Security Number or drivers license number on your checks.
  • Give your Social Security Number only when necessary. Ask to use other types of identifiers when possible.
  • Ask about information security procedures in your workplace. Find out who has access to your personal information.
  • Guard your mail from theft. Deposit outgoing mail in secured mailboxes. Promptly remove your mail from your mailbox.
  • Keep your purse or wallet in a safe place at work.

Securing your Debit/Credit Cards

  • Notify your credit-card company if your card has expired and you have not yet received a replacement.
  • Carry only the identification information and the number of credit and debit cards that you'll actually need.
  • Pay attention to your billing cycles. Follow up with creditors if your bills don't arrive on time.
  • Scrutinize monthly billing statements. Open bills promptly and check your accounts monthly. Look for charges you don't recognize and report them immediately. Save receipts to compare with your billing statements.
  • Keep your eyes on your credit card during all transactions and get it back as soon as possible.
  • Keep a record of all your credit card account numbers, expiration dates and the telephone numbers and addresses of each creditor. Store in a safe place.
  • Be wary of promotional scams. Identity thieves may use phony offers to get you to give them your personal information.
  • Try not to divulge personal information over a cell phone; they are not as secure as you may think.
  • Review your monthly accounts regularly for any unauthorized charges.
  • Place passwords or PIN numbers for your credit cards, bank debit/ATM card and phone accounts in a safe place. DO NOT write them on the cards. Protect your PINs and passwords (don't carry them in your wallet!) Use a combination of letters and numbers for your passwords and change them periodically.

Using the Internet Safely

  • Limit the amount of information you place on your Internet homepage and websites detailing family genealogy.
  • Choose to do business with companies you know are reputable, particularly online.
  • Use a secure browser - software for your computer that encrypts or scrambles information you send over the Internet - to guard the security of your online transactions. When conducting business online, make sure your browser's padlock or key icon is active.
  • Don't open e-mail from unknown sources, and use virus detection software. Update this software regularly, or when a new virus alert is announced.
  • Use a firewall program on your computer, especially if you use a high-speed Internet connection like cable, DSL or T-1, which leaves your computer connected to the Internet 24 hours a day.
  • Try not to store personal/financial information on your laptop computer unless absolutely necessary. If you do, use a strong password - a combination of letters (upper and lower case), numbers and symbols.
  • Before you dispose of any computer, delete personal information. Deleting files using the keyboard or mouse commands may not be enough. Use a "wipe" utility program to overwrite the entire hard drive.
  • Look for website privacy policies. If you don't see a privacy policy, consider surfing elsewhere.
  • Report any suspected fraud to your bank and the fraud units of the three credit reporting agencies immediately. The fraud unit numbers are:

Trans Union (800) 680-7289
Experian (888) 397-3742
Equifax (800) 525-6285

You may also contact the FTC's ID Theft Consumer Response Center at (877) IDTHEFT (438-4338) or visit their Identity Theft Website at http://www.ftc.gov/bcp/edu/microsites/idtheft/.

Protecting your Business

It is suggested that commercial online banking customers perform risk assessments and control evaluations periodically to help identify potential threats and to determine the strength of their controls. Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable. We continually strive to improve security for our customers, we recognize that we cannot single-handedly protect our customers from online threats. Customers also have an important role to play in their own online banking security. Here are some recommended general practices to help avoid an account takeover:

  • Educate your employees. You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.
  • Protect your online environment. It is important to protect your cyber environment just as you would your cash and physical location. Do not use unprotected internet connections. Encrypt sensitive data and keep updated virus protections on your computer. Use complex passwords and change them periodically.  
  • Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that safeguard you from unauthorized transactions. Positive Pay and other services offer call backs, device authentication, multi-person approval processes and batch limits help protect you from fraud.
  • Pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. Keep records of what happened.
  • Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.

Online Banking Security

Citizens' Bank provides enhanced security controls over account activities when using Online Banking such as a layered security approach which uses different controls at different points of a transaction so weakness in one control can be compensated for by the strength of another control as well as multi layered security in the authentication process.  Some of the security features employed within Online Banking for our customers are as follows:

  • Fraud detection and monitoring systems which consider customer history and enable a timely and effective response.
  • Internal control of administrative functions including enhance controls for system administrators who set up or change system configurations.
  • Enhanced control over account maintenance activities performed by customers or through customer service channels.
  • Processes internally designed to detect and respond to suspicious activity related to initial login and initiation of electronic transactions.
  • Multifactor authentication for transaction approvals for ACH, wires and external account transfers.
  • Transaction related security alerts via email and/or SMS when:
           ♦ A security related change is made (passcode, email address, phone(s),security questions/answers)
           ♦ Online Transfer is processed (Onus)
           ♦ External Transfer is processed
           ♦ ACH batch approval
           ♦ Receiver for ACH origination added/modified
           ♦ Wire Transfer Approved
           ♦ Beneficiary for wire transfer added/modified
           ♦ New payee bill payment alert
  • Dual control for commercial activity (ACH origination, wire transfers) and Sub-User administration.
  • Security Token PIN for commercial activity (ACH origination, wire transfers).
  • Out-of band verification for transactions via email.
  • Dollar limits are set for External Transfers, ACH origination and Wire Transfer Requests.
  • Offer user initiated Notify-Me Alerts.
  • Reminders to users every 120 days to change password and update security questions semi-annually.

For more security information and to learn how you can further protect yourself online please click here.

How to Safely Shop Online

Do you regularly use your debit card for online purchases? Do you have payment information saved on online shopping accounts? Do you use autofill to enter your payment information? If you answered yes to any of these questions, your payment information may be at risk. Online retailers are a popular target for cybercriminals, which makes your information vulnerable to a data breach. A data breach is when a cyberattack results in the theft of private user information.

If you shop online and want to secure your payment information from a data breach, consider the following tips:

Avoid Making Payments With Debit Cards

When you make purchases online, always use a credit card instead of a debit card. Debit cards are linked to your bank account, so if a bad guy can access your debit card information, they can access your entire bank account. Because debit cards use the cash available in your bank, disputing a charge can lead to the long and complicated process of replacing stolen funds. Credit card purchases add to your debt, which means that a fraudulent charge won’t immediately impact your finances. Using a credit card for online purchases allows you to dispute a charge, without losing access to your cash.

Avoid Saving Payment Methods for Future Purchases

When you shop online, many retailers offer to save your payment information for future purchases. While this option is more convenient than entering your payment information every time you shop, always decline saving this information. Unfortunately, data breaches happen and even the most reputable online retailers are vulnerable to a breach. Avoid saving your payment method altogether so that your information is not at risk during a cyber attack.

Avoid Saving Payment Methods for Autofill

When you make purchases online, internet browsers such as Chrome, Edge, and Firefox offer to save your payment information for autofill. Even if it is more convenient to use the autofill feature, always decline saving this information. If bad guys physically or remotely gain access to your browser, they can steal any information that your browser stores for autofill purposes. It may be inconvenient to manually enter your payment information every time you shop online, but the inconvenience is worth keeping your information secure. 
Back to Top