Privacy & Security - Internet Fraud Warnings


Phishing
"Phishing" is the latest form of identity theft. Thieves pose as representatives of an organization and try to hook the consumer into providing personal information. Once the consumer is hooked, the thieves can do lasting damage to the consumer's financial accounts. They can dupe customers into providing their Social Security numbers, financial account numbers, PINs, mothers' maiden names and other personal information.

The thieves often pose as a:

Financial institution
Credit card company
Online merchant
Utility or other biller
Internet service provider
Government agency
Prospective employer

Estimated to cost consumers $1.2 billion last year, according to research firm Gartner, Inc., phishing is perpetrated by both phone and email, although email is more prevalent.

Here's how it works: Consumers receive an email that appears to come from an organization with which they do business. The email typically includes bogus appeals such as problems with an account or billing errors, and asks the consumer to confirm his/her personal information. Different approaches include things such as "We're updating our records," "We've identified fraudulent activity on your account," or "Valuable account and personal information was lost due to a computer glitch." To encourage people to act immediately, the email usually threatens that the account could be closed or canceled.

Most emails ask recipients to follow an embedded link that takes them to an exact replica of the victim company's Web site. Graphics on the counterfeit site are so convincing that even experts can often have a hard time distinguishing the fake site from the real one.

Despite the convincing appeals, consumers should not respond to unsolicited emails that direct them to divulge personal identifying information. Reputable organizations that consumers legitimately do business with generally do not request account numbers or passwords unless the consumer initiated the transaction.

Unfortunately, by hijacking the trusted brands of well-known and reputable organizations nationwide, phishers are able to convince up to 5% of recipients to respond to them, according to the Anti-Phishing Working Group. Gartner, Inc. recently reported that more than 57 million Americans think they have received a phishing email, and the FBI has called phishing the "hottest, most troubling new scam on the Internet."

For more information, you can visit the sites below:

FBI/FDIC Spoofing

ABA Fraud Alert

FBI Spoofing

We want to assure our customers that we do not send any email asking you to send us, via email, any personal or private identifying information.

Below are some security suggestions for Internet users:

If you encounter an unsolicited email that asks you, either directly or through a website, for personal financial or identity information (such as social security number, passwords, account numbers or other identifiers), DO NOT RESPOND.

If a web site address is not familiar to you, then it is probably not real. Only use the address that you have used before or start at your normal homepage.

Always report fraudulent or suspicious email to your Internet Service Provider. Reporting instances of spoof web sites will help get those bogus websites shut down before they can do any more harm.

Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and "https" in front of the website address.

Take note of the header address on the website. Most legitimate sites will have a relatively short internet address that usually depicts the business followed by .com, .net or .org. Spoof sites are more likely to have an excessively long string of characters in the header with a legitimate business name somewhere in the string, or possibly not at all.

If you have any doubts about an email or website, contact the legitimate company directly. Make a copy of the questionable web site's URL address, send it to the legitimate business and ask if the address is legitimate.

If you've been victimized by a spoofed email or website, you should contact your local police or sheriff's department and file a complaint with the FBI's Internet Fraud Complaint Center at www.IFCCFBI.gov

When creating your passwords, don't use information that could easily be linked to you (e.g. phone number, your date of birth, address numbers).

Change your password often. We suggest changing your password every 30 days. Do not allow your browser to store your user name and password.

Do not share your passwords or PINs with anyone.

Do not write your passwords or PINs down where they may easily be found by others.

Pharming
While pharming is similar to phishing in that both practices try to entice individuals to enter personal information on a fraudulent Web site, they differ in how they direct individuals to that site: "Pharming" is the process of redirecting Internet domain name requests to false Web sites to collect personal information. Information collected from these sites may be used to commit fraud and identity theft.

Pharming can occur in four different ways:

Static domain name spoofing: The "pharmer" (the person or entity committing the fraud) attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the pharmer's Web site. For example, a pharmer may redirect a user to anybnk.com instead of anybank.com, the site the user intended to access.

Malicious software (Malware): Viruses and "Trojans" (latent malicious code or devices that secretly capture data) on a consumer's personal computer may intercept the user's request to visit a particular site, such as anybank.com, and redirect the user to the site that the pharmer has set up.

Domain hijacking: A hacker may steal or hijack a company's legitimate Web site, allowing the hacker to redirect all legitimate Internet traffic to an illegitimate site. Domain names generally can be hijacked in two ways:

Domain slamming: By submitting domain transfer requests, a domain is switched from one registrar to another. The account holder at the new registrar can alter routing instructions to point to a different, illegitimate server.

Domain expiration: Domain names are leased for fixed periods. Failure to manage the leasing process properly could result in a legitimate ownership transfer. In this instance, trade name laws usually must be invoked to recover lost domains.

DNS poisoning: The most dangerous instance of pharming may be domain name server (DNS) poisoning. Domain name servers are similar to Internet road map guides. When an individual enters www.anybank.com into his or her browser, Domain Name Servers on the Internet translate the phrase anybank.com into an Internet protocol (IP) address, which provides routing directions. After the DNS server provides this address information, the user's connection request is routed to anybank.com. Local DNS servers can be "poisoned" to send users to a Web site other than the one that was requested. This poisoning can occur as a result of misconfiguration, network vulnerabilities or Malware installed on the server.
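
The address checks described above (an overly long address with the business name buried in it, and misspellings such as anybnk.com for anybank.com) can be automated. The following Python code is an added example, not part of the bank's original page; the trusted list, the function names and the two-typo threshold are assumptions, and treating the last two host labels as the registered domain is a simplification.

```python
from urllib.parse import urlsplit

# Assumed allowlist; anybank.com is the page's illustrative bank domain.
TRUSTED = {"anybank.com"}


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED, max_typos=2):
    """Label a URL by comparing its host name with the trusted domains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    for good in trusted:
        if host == good or host.endswith("." + good):
            # Right name; still insist on an encrypted connection.
            return "trusted" if parts.scheme == "https" else "trusted-name-no-https"
    # Simplification: the last two labels stand in for the registered domain.
    registered = ".".join(host.split(".")[-2:])
    for good in trusted:
        if edit_distance(registered, good) <= max_typos:
            return "lookalike"       # e.g. anybnk.com for anybank.com
        if good.split(".")[0] in url.lower():
            return "brand-embedded"  # business name buried in a longer address
    return "unknown"


# Constructed sample addresses, not taken from any real incident.
SAMPLES = [
    "https://www.anybank.com/login",
    "https://www.anybnk.com/login",
    "http://anybank.com.secure-login.example.net/update/account",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):22} {sample}")
```

A "trusted" result only confirms the name in the address. It cannot detect the malware or DNS poisoning cases above, where the correct name leads to the wrong server.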

To learn more about email scams and what you can do to protect yourself online, the Federal Trade Commission has information on its web site at www.ftc.gov

 
© 2006 Bank of Alameda All Rights Reserved.