
Business Security Alerts

Security Alerts

Last Updated on: 05/08/17 8:56 AM

The Business E-mail Compromise (BEC) Scam

Date Updated: 05/08/17 9:10 AM

This Public Service Announcement (PSA) is an update to Business E-mail Compromise (BEC) PSAs 1-012215-PSA, 1-082715a-PSA and I-061416-PSA, all of which are posted on www.ic3.gov. This PSA includes new Internet Crime Complaint Center (IC3) complaint information and updated statistical data as of December 31, 2016.

Business E-mail Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The E-mail Account Compromise (EAC) component of BEC targets individuals that perform wire transfer payments.

The techniques used in the BEC/EAC scam have become increasingly similar, prompting the IC3 to begin tracking these scams as a single crime type(1) in 2017.

The scam is carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices. The scam has evolved to include the compromising of legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds.

The victims of the BEC/EAC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another.

It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).

Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the subject(s) unfettered access to the victim’s data, including passwords or financial account information.

The BEC/EAC scam is linked to other forms of fraud, including but not limited to: romance, lottery, employment, and rental scams. The victims of these scams are usually U.S. based and may be recruited as unwitting money mules(2). The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the U.S. Upon direction, mules may open bank accounts and/or shell corporations to further the fraud scheme.

The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses(3). The scam has been reported in all 50 states and in 131 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 103 countries.

Based on the financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom have also been identified as prominent destinations.

The following BEC/EAC statistics were reported to the IC3 and are derived from multiple sources, including IC3 and international law enforcement complaint data and filings from financial institutions between October 2013 and December 2016:

Domestic and international incidents: 40,203
Domestic and international exposed dollar loss: $5,302,890,448

The following BEC/EAC statistics were reported in victim complaints to the IC3 from October 2013 to December 2016:

Total U.S. victims: 22,292
Total U.S. exposed dollar loss: $1,594,503,669

Total non-U.S. victims: 2,053
Total non-U.S. exposed dollar loss: $626,915,475

The following BEC/EAC statistics were reported by victims via the financial transaction component of the new IC3 complaint form, which became available in June 2016(4). The following statistics were reported in victim complaints to the IC3 from June 2016 to December 2016:

Total U.S. financial recipients: 3,044
Total U.S. financial recipient exposed dollar loss: $346,160,957

Total non-U.S. financial recipients: 774
Total non-U.S. financial recipient exposed dollar loss: $448,464,415

Based on IC3 complaints and other complaint data, there are five main scenarios by which this scam is perpetrated.

Scenario 1: Business Working with a Foreign Supplier
A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears similar to a legitimate request. Likewise, requests made via facsimile or telephone call will closely mimic a legitimate request. This particular scenario has also been referred to as the “Bogus Invoice Scheme,” “Supplier Swindle,” and “Invoice Modification Scheme.”

Scenario 2: Business Executive Receiving or Initiating a Request for a Wire Transfer
The e-mail accounts of high-level business executives (Chief Financial Officer, Chief Technology Officer, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” This particular scenario has been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”

Scenario 3: Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail
An employee of a business has his or her personal e-mail hacked. This personal e-mail may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal e-mail to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until that business is contacted by a vendor to follow up on the status of an invoice payment.

Scenario 4: Business Executive and Attorney Impersonation
Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.

Scenario 5: Data Theft
Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entities in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipients of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario even if they were able to successfully identify and avoid the traditional BEC scam. This data theft scenario of the BEC scam first appeared just prior to the 2016 tax season.

W-2/PII Data Theft
This scenario of BEC/EAC was identified in 2016 in which a human resource department or counterpart was targeted with a spoofed e-mail seemingly on behalf of a business executive requesting all employee PII or W-2 forms for tax or audit purposes. The request appeared to coincide with the 2016 U.S. tax season, which runs from January through April. The number of complaints and reported losses peaked in April 2016, although complaints were still submitted by victims throughout 2016. Victims appeared to be both the businesses responsible for maintaining PII data and the employees whose PII was compromised. In several instances, thousands of employees were compromised. Employees filed identity theft–related complaints with IC3 that included reported incidents of fraudulent tax return filings, credit card applications, and loan applications.

Resurgence of Original Scheme
The IC3 saw a 50% increase in the number of complaints in 2016 filed by businesses working with dedicated international suppliers. This scenario was described in the earliest BEC/EAC complaints and quickly evolved into more sophisticated scenarios. In some instances, instead of requesting a change in a single remittance or invoice payment, BEC/EAC perpetrators changed the remittance location to redirect all incoming invoice payments. The fraudulent request appeared to be facilitated through a spoofed e-mail or domain.

Real Estate Transactions
The BEC/EAC scam targets all participants in real estate transactions, including buyers, sellers, agents, and lawyers. The IC3 saw a 480% increase in the number of complaints in 2016 filed by title companies that were the primary target of the BEC/EAC scam. The BEC/EAC perpetrators were able to monitor the real estate proceeding and time the fraudulent request for a change in payment type (frequently from check to wire transfer) or a change from one account to a different account under their control.

Businesses with an increased awareness and understanding of the BEC/EAC scam are more likely to recognize when they have been targeted by BEC/EAC fraudsters, and are therefore more likely to avoid falling victim and sending fraudulent payments.

Businesses that deploy robust internal prevention techniques at all levels (especially for front line employees who may be the recipients of initial phishing attempts) have proven highly successful in recognizing and deflecting BEC/EAC attempts.

Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time to verify the legitimacy of the request.

The following list includes self-protection strategies:
•Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
•Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details.
•Be suspicious of requests for secrecy or pressure to take action quickly.
•Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example:
-Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
-Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.

•Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
•Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
•Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
•Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
•Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, a detection system for legitimate e-mail of abc_company.com would flag fraudulent e-mail from abc-company.com.
•Register all company domains that are slightly different than the actual company domain.
•Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
•Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
•Know the habits of your customers, including the details of, reasons behind, and amount of payments.
•Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
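The look-alike domain rule from the list above (abc_company.com versus abc-company.com), sketched as an added example that is not part of the PSA. The domain list, the confusable-character table, the one-edit threshold and the sample headers are assumptions made for illustration; the check also goes slightly beyond the PSA's single case by covering character swaps, a changed top-level domain and the real name embedded in a longer host.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's own mail domain, using the page's example value.
LEGIT_DOMAINS = ("abc_company.com",)

# Character swaps often seen in look-alike names (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def sender_domain(from_header):
    """Return the lower-cased domain of a From: header value, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def skeleton(domain):
    """Comparison form of a domain: separators dropped, confusables folded."""
    folded = re.sub(r"[-_.]", "", domain)
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, legit=LEGIT_DOMAINS, max_edits=1):
    """Return 'legitimate', 'lookalike', 'other' or 'unparseable'."""
    dom = sender_domain(from_header)
    if not dom:
        return "unparseable"
    # Exact match or a subdomain of a real domain is accepted.
    for real in legit:
        if dom == real or dom.endswith("." + real):
            return "legitimate"
    for real in legit:
        # Simplification: "name" is everything before the last dot, no public suffix list.
        same_name_other_tld = dom.rpartition(".")[0] == real.rpartition(".")[0]
        if (skeleton(dom) == skeleton(real)            # abc-company.com, abc_cornpany.com
                or edit_distance(dom, real) <= max_edits   # abc_company.co
                or same_name_other_tld                     # abc_company.net
                or real in dom):                           # abc_company.com.pay.example
            return "lookalike"
    return "other"


def flag_lookalikes(headers, legit=LEGIT_DOMAINS):
    """Return the From: headers whose domain imitates one of the real domains."""
    return [h for h in headers if classify_sender(h, legit) == "lookalike"]


# Constructed sample From: headers (not real traffic).
SAMPLE_HEADERS = [
    "Accounts Payable <ap@abc_company.com>",
    "HR <hr@mail.abc_company.com>",
    "CFO <cfo@abc-company.com>",
    "CFO <cfo@abc_cornpany.com>",
    "Billing <billing@abc_company.co>",
    "Sales <sales@supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):11} {header}")
```

A flagged message is a candidate for quarantine or a warning banner, not proof of fraud; the payment request itself still needs out-of-band confirmation.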

A complete list of self-protection strategies is available on the United States Department of Justice website www.justice.gov in the publication titled “Best Practices for Victim Response and Reporting of Cyber Incidents.”

If funds are transferred to a fraudulent account, it is important to act quickly:
•Contact your financial institution immediately upon discovering the fraudulent transfer.
•Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
•Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
•File a complaint, regardless of dollar loss, with www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov

When contacting law enforcement or filing a complaint with IC3, it is important to identify your incident as “BEC/EAC”; also consider providing the following information:
•Originating business name
•Originating financial institution name and address
•Originating account number
•Beneficiary name
•Beneficiary financial institution name and address
•Beneficiary account number
•Correspondent bank if known or applicable
•Dates and amounts transferred
•IP and/or e-mail address of fraudulent e-mail

Detailed descriptions of BEC/EAC incidents should include but not be limited to the following when contacting law enforcement:
•Date and time of incidents
•Incorrectly formatted invoices or letterheads
•Requests for secrecy or immediate action
•Unusual timing, requests, or wording of the fraudulent phone calls or e-mails
•Phone numbers of the fraudulent phone calls
•Description of any phone contact, including frequency and timing of calls
•Foreign accents of the callers
•Poorly worded or grammatically incorrect e-mails
•Reports of any previous e-mail phishing activity

May 04, 2017


Questions regarding this PSA should be directed to your local FBI Field Office.


1. The IC3 uses descriptions of crime types for categorization purposes.
2. Money mules are defined as persons who transfer money illegally on behalf of others.
3. Exposed dollar loss includes actual and attempted loss in United States dollars.
4. “Financial Recipient” is defined as an account holder who receives the fraudulent funds.

Information provided by: FBI Internet Crime Complaint Center

FDIC Publishes a Bank Customer's Guide to Cybersecurity

Date Updated: 03/09/16 4:13 PM

Special edition of consumer newsletter features tips for preventing online fraud and theft

Consumers increasingly rely on computers and the Internet for everything from shopping and communicating to banking and bill paying. While the benefits of faster and more convenient "cyber" services are clear, the strategies for preventing online fraud and theft may not be as well-known by many bank customers. That is why the FDIC has produced a special edition of the agency's quarterly FDIC Consumer News (Winter 2016) entitled "A Bank Customer's Guide to Cybersecurity." Here is a brief overview of the articles and other features in this special issue.

Safety precautions to take before connecting to the Internet with a personal computer, laptop, smartphone or tablet: The lead article discusses ways to protect log-in information for bank accounts and other financial accounts, including the use of "strong" user IDs and passwords that will be hard for a hacker to guess, basic security measures such as security software updates, and the need to be careful where and how to connect to the Internet. Other articles focus on security measures when using a smartphone or tablet (including "auto lock" features and the ability to remotely remove data if a mobile device is lost or stolen), how to protect computers from malicious software ("malware") that can steal valuable personal financial information, and ideas to help small businesses protect against losses from cyberattacks.

Tips on how to avoid identity theft online: One article advises on identifying and avoiding "phishing" and "pharming" scams that start with fake emails and websites and end with consumers providing Social Security numbers, bank account numbers and other valuable details. A second article offers assistance on preventing identity thieves from using social networking sites to learn enough information about individuals to figure out passwords, access financial accounts or commit identity theft. And a third provides guidance to help parents and caregivers protect young people from cyber-related identity theft and financial fraud, including the need to secure all electronics connected to the Web, even video games, because the equipment may link to information such as credit or debit card numbers.

What to know about the roles that banks and the government play in protecting customers: As explained in one article, federal law and regulations require financial institutions to have programs to ensure the security and confidentiality of customer information. The article also notes that banking regulators expect the institutions they supervise to have a framework for learning about emerging threats and provide guidance about the steps institutions can take to be prepared. Another article describes how federal consumer laws and financial industry practices protect cybertheft victims from losses under certain circumstances. And, our "Dear FDIC" feature answers questions about deposit insurance coverage and online banking.

Additional resources from the FDIC that can help educate consumers: The back of the guide features an eight-question quiz to test a consumer's knowledge of key information in this issue and a checklist with reminders about 10 simple things bank customers can do to help protect themselves from online criminals.

The goal of FDIC Consumer News is to deliver timely, reliable and innovative tips and information about financial matters, free of charge. The Winter 2016 special edition on cybersecurity can be read or printed at FDIC. Check back there for coming versions of this issue for e-readers and portable audio (MP3) players. To find current and past issues, visit FDIC, or request paper copies by contacting the FDIC's Public Information Center in writing at 3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226, by emailing publicinfo@fdic.gov, or toll-free at 1-877-275-3342. To receive an email about each new issue of the quarterly FDIC Consumer News with links to stories, go to FDIC.

Information provided by FDIC.

Protection Against Dangerous Financial Malware Threat (Dridex)

Date Updated: 10/19/17 10:16 AM

A new and dangerous financial malware has been identified. The malware has the ability to redirect your CashANALYZER session and capture your CashANALYZER credentials (e.g. company ID, user ID, password and answers to your security questions).

There is something that YOU can do to prevent becoming a victim of financial malware.
Dollar Bank is vigilant in providing our customers with a safe banking experience and we continue to offer protection for your CashANALYZER transactions through IBM Trusteer Rapport at no cost to you. If you have already installed Trusteer Rapport then you are already protected.

If you have not already installed Trusteer Rapport, we recommend doing so immediately. To install Trusteer Rapport, click here.

Please remember that Dollar Bank will never ask you to allow us to log in to your computer and you will never be prompted to enter your CashANALYZER company ID, user ID, password and security answer outside of our usual log in process.

If you have any questions, please contact the Dollar Bank Customer Service Center at 1-800-828-5527.

Threats from malware continue to be a concern.

Date Updated: 12/11/15 9:47 AM

Threats from malware that target banks and financial companies continue to be a concern. These threats actually come from highly organized cyber-criminal organizations. Banking malware, such as the Dyre Trojan, has been around for a while, but it continues to evolve into new forms. International law agencies tried to take down a botnet, which was a web of home and business computers that were infected without the owners knowing. After this, a new form of another well-known financial malware called Dridex emerged. The latest known emanation of these campaigns is targeting regional and smaller banks in North America. Companies and individuals are being solicited through emails that contain attachments that download and activate the malware. Fortunately, Dollar Bank offers protection from this threat. We strongly encourage all customers to download and install Rapport, which we offer free of charge.

Dollar Bank offers additional security software to protect your CashANALYZER® Management System sessions from being interrupted and personal information from being intercepted. Trusteer Rapport is an additional layer of security to the antivirus or security software you already use and the security systems we use at Dollar Bank. You can download the software here.

Avoiding Tax Season Scams

Date Posted: 03/09/15 3:08 PM

It’s tax season, which means it’s also time for tax scams, with numerous online scams that attempt to steal people’s tax refunds, bank accounts or identities. Last year, the Internal Revenue Service (IRS) estimates it paid $5.2 billion in fraudulent identity theft refunds in filing season 2013. Websense Security Labs reported in 2014 it saw approximately 100,000 IRS-related scams in circulation every two weeks.

Users who have already filed their taxes this season can still be vulnerable to tax-related scams. Many schemes take advantage of users by alleging to have information about the filer’s refund, or noting a problem with the return that was previously filed.

One scam that has already been impacting users this season involves phishing emails claiming to be from Intuit’s TurboTax. The emails prompt users to click on links to verify their identity or update their accounts in an attempt to download malware to the victim’s machine, or steal data such as Social Security numbers or financial information.

Below are some of the most common email scams users should be cautious about:

• The email says the user is owed a refund and should forward a bank account number where the refund may be deposited. Once the scammer has the bank account information, that account will see a big withdrawal, not a deposit.
• The email contains exciting offers or refunds for participating in an “IRS Survey.” This fake survey is actually used to acquire information to perform identity theft.
• The email threatens the user with fines or jail time for not making an immediate payment, or responding to the email.
• The email includes a “helpful” downloadable document (e.g. “new changes in the tax law,” a tax calculator, etc.). In reality, the download is a malicious file intended to infect your computer.

How To Avoid Becoming A Tax-Scam Victim

• Do not respond to emails appearing to be from the IRS. The IRS does not initiate taxpayer communications through email or social media to request personal or financial information. If you receive an unsolicited email claiming to be from the IRS, send it to phishing@irs.gov.
• Do not respond to unsolicited emails and do not provide sensitive information via email. If the email appears to be from your employer, bank, broker, etc., contact the entity directly. Do not open any attachments or click on links contained in unsolicited or suspicious emails.
• Carefully select the tax sites you visit. Use caution when searching online for tax forms, advice on deductibles, tax preparers and other similar topics. Do not visit a site by clicking on a link sent in an email, found on someone's blog or in an advertisement. The website you land on may look just like the real site, but it may be a well-crafted fake.
• Secure your computer. Make sure your computer has all operating system and application software updates. Anti-virus and anti-spyware software should be installed, running and receiving automatic updates. Ensure you use a strong password and different passwords for each account.

Information provided by: The Multi-State ISAC has released this month's Security Tips Newsletter which includes information on a number of online scams during tax season and recommended actions.

Security Tips Newsletter

Prepare for heightened phishing risk this tax season.

Date Updated: 08/30/17 9:33 AM


Throughout the year, scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments. To protect sensitive data, credentials, and payment information, US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

Remain alert

Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. In many successful incidents, recipients are fooled into believing the phishing communication is from someone they trust. An actor may take advantage of knowledge gained from research and earlier attempts to masquerade as a legitimate source, including the look and feel of authentic communications. These targeted messages can trick any user into taking action that may compromise enterprise security.

Spot common elements of the phishing lifecycle

1. A Lure: enticing email content.

Example 1 of actual phishing email

Example 2 of actual phishing email

2. A Hook: an email-based exploit.

Email with embedded malicious content that is executed as a side effect of opening the email

Email with malicious attachments that are activated as a side effect of opening an attachment

Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content.

3. A Catch: a transaction conducted by an actor following a successful attempt.

Unexplainable charges

Unexplainable password changes

Understand how the IRS communicates electronically with taxpayers.

The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.

This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

The official website of the IRS is www.irs.gov.

Take action to avoid becoming a victim

If you believe you might have revealed sensitive information about your organization or access credentials, report it to the appropriate contacts within the organization, including network administrators. They can be alert for any suspicious or unusual activity.

Watch for any unexplainable charges to your financial accounts. If you believe your accounts may be compromised, contact your financial institution immediately and close those accounts.

If you believe you might have revealed sensitive account information, immediately change the passwords you might have revealed. If you used the same password for multiple accounts, make sure to change the password for each account and do not use that password in the future.

Report suspicious phishing communications

Email: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to phishing@irs.gov, then delete the original email.

Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to phishing@irs.gov with subject line, “Suspicious website”.

Text Message: If you receive a suspicious text message, do not reply or click on attachments and/or links. Forward the text as-is to 202-552-1226 (standard text rates apply), and then delete the original message (if you clicked on links in SMS and entered confidential information, visit the IRS’ identity protection).

If you are a victim of any of the above scams involving IRS impersonation, please report to phishing@irs.gov, file a report with the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the police.

Additional Resources

For more information on phishing, other suspicious IRS-related communications including phone or fax scams, or additional guidance released by Treasury/IRS and DHS/US-CERT, visit:

Avoiding Social Engineering and Phishing Attacks

Recognizing and Avoiding Email Scams

Phishing and Other Schemes Using the IRS Name

IRS Repeats Warning about Phone Scams

Report Phishing and Online Scams

To report a cybersecurity incident, vulnerability, or phishing attempt, visit US-CERT.gov/report.

Information provided by US-CERT and IRS report

Fraud Prevention

Date Updated: 02/02/15 2:13 PM

Fraudulent ACH activity is a growing concern, as many organizations have moved to using ACH transactions to conduct business. Dollar Bank has three ways to help our customers prevent ACH Fraud.

ACH Notification Service

E-mails an alert of an electronic withdrawal. The e-mail will be sent to a designated e-mail address and include the account name, the dollar amount and the date of the transaction. You then can review the transaction using Dollar Bank’s CashANALYZER® Management System and determine if the transaction is legitimate. To reject the item, you would simply call and advise us to not honor the transaction.

ACH Debit Block

Places an all-debit block on accounts that will not have any ACH activity. Any and all ACH debits will be rejected to the originator. Once set up, the service is automatic and requires nothing from you.

ACH Debit Filter

Will only pay ACH debits that are on an approved exception list.
This service is ideal for those accounts that will have limited ACH debit activity. The approved list will be provided by you and all other ACH debits will be rejected to the originating party. You can provide Dollar Bank with an updated list at any time.

Sign up for Positive Pay and ACH Protection Services to
help safeguard your business.

Call Treasury Management at 1-800-438-0270 or
visit Dollar Bank Business Center.

Information provided by: Dollar Bank

Fictitious Correspondence Regarding the Release of Funds

Date Updated: 03/13/17 2:32 PM

Fictitious correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding funds purportedly under the control of the OCC and possibly other government entities, is in circulation. Correspondence may be distributed via e-mail, fax, or postal mail.

Any document claiming that the OCC is involved in holding any funds for the benefit of any individual or entity is fraudulent. The OCC does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises, or governmental entities.

The correspondence may indicate that funds are being held by a specific financial institution and that the recipient will be required to pay an “approval fee” before the Federal Reserve Wire Network will release the funds to the beneficiary.

Attached is a copy of the “Interim Stop Order” document. E-mails being sent in regard to this scam appear to be sent from officials at the Federal Reserve Bank of Cleveland and the United States Department of Financial Institutions, but they are not. E-mail addresses utilized in the electronic correspondence may be from [morgjamesin@yahoo.com] or [usdepartmentfinance@yahoo.com]. This material is being sent to consumers in an attempt to elicit funds from them and to gather personal information to be used in possible future identification theft.

Before responding in any manner to any proposal supposedly issued by the OCC that requests personal information or personal account information or that requires the payment of any fee in connection with the proposal, recipients should take steps to verify that the proposal is legitimate. At a minimum, the OCC recommends that consumers:
- Contact the OCC directly to verify the legitimacy of the proposal
(1) via e-mail at occalertresponses@occ.treas.gov;
(2) by mail to the OCC’s Special Supervision Division, 400 7th St. SW, Suite 3E-218, MS 8E-12, Washington, DC 20219;
(3) via fax to (571) 293-4925; or
(4) by calling the Special Supervision Division at (202) 649-6450.
- Contact state or local law enforcement.
- File a complaint with the Internet Crime Complaint Center at www.ic3.gov if the proposal appears to be fraudulent and was received via e-mail or the Internet.
- File a complaint with the U.S. Postal Inspection Service by telephone at (888) 877-7644; by mail at U.S. Postal Inspection Service, Office of Inspector General, Operations Support Group, 222 S. Riverside Plaza, Suite 1250, Chicago, IL 60606-6100; or via the online complaint form at https://postalinspectors.uspis.gov/forms/MailFraudComplaint.aspx, if the proposal appears to be fraudulent and was delivered through the U.S. Postal Service.

Any information regarding the subject of this or any other alert that you wish to bring to the attention of the OCC may be sent to occalertresponses@occ.treas.gov.

Ellen M. Warwick
Director for Enforcement and Compliance

Information provided by: Office of the Comptroller of the Currency

Dridex-laced spam originates from several Asian countries

Date Updated: 10/19/17 11:11 AM

Threat actors behind the malicious email campaigns delivering the Dridex banking Trojan seem to be focused on residents in Australia, the United Kingdom and the United States, in this particular order.

Dridex is considered the successor of Cridex, an infostealer that was distributed through spam campaigns leading to pages containing an exploit kit.

Multiple countries impacted by the malware

The malware aims at stealing online banking credentials and carries out its task via web injects in the pages of financial organizations targeted in the configuration file.

Researchers at Trend Micro have identified a recent email campaign that distributes the piece of malware through macros included in a Microsoft Word document. A macro is actually a script with commands designed to automate repetitive tasks.

The text file poses as an invoice or other type of financial document that would entice the unsuspecting user to open it. As soon as launched, if macros are enabled in the Office program, these start the process of compromising the computer with Dridex malware.

According to telemetry data from Trend Micro, most of the infected computers are located in Australia, accounting for 19.91% of the total number of compromised systems. Next comes the UK, with 15.24%, followed closely by the US with 14.08%. The information was collected between September and October.

Other countries have also been affected: Italy, Spain, Japan, India, Taiwan, France and China are on the list too.

Mostly Europe-based banks are targeted

Roughly during the same period, Palo Alto Networks (PAN) also monitored a campaign spreading Dridex in the same way as this one. Their data revealed that the US had the largest number of infections, Australia and UK being on the list of the affected countries as well.

The similarities between the two campaigns are so striking (even the email with the malicious Word document is the same) that one could easily conclude that it is one and the same campaign.

As far as the origin of the malicious messages is concerned, Trend Micro provides a large list of countries, with Vietnam, India, Taiwan, Korea and China forming the top five.

After analyzing the threat, the researchers discovered that the configuration file marked financial institutions in Europe, which included Bank of Scotland, Lloyds Bank, Danske Bank, Barclays, Kasikorn Bank, Santander, and Triodos Bank.

Microsoft recognizes the security risk posed by macro code and has it disabled by default in all Office components. Users are free to enable it and, when doing so, they are informed of the potential danger of the action.

However, if support for macro code is not turned on, cybercriminals may display a message informing the victim that the feature needs to be activated in order to see the content of the document.

Information provided by: Softpedia - Dridex-laced spam originates from several Asian countries

Dollar Bank offers Trusteer Rapport free for all Dollar Bank customers. Trusteer Rapport will protect your computer from financial malware, including this Trojan. Click here to download Trusteer Rapport.

Monster banking Trojan botnet claims 500,000 victims

Date Updated: 10/30/17 3:12 PM

Security researchers have uncovered the infrastructure behind one of the largest and most voracious banking Trojan networks uncovered to date.

The Qbot (aka Qakbot) botnet apparently infected 500,000 systems before sniffing "conversations" – including account credentials – for a whopping 800,000 online banking transactions. More than half (59 per cent) of sniffed sessions were reportedly from accounts at five of the largest US banks.

The researchers said online banking credentials for banks in Europe were also targeted by the Russian-speaking cybercrime group behind the scam, which was uncovered by email security outfit Proofpoint.

The security firm said the attackers launched the assault from compromised WordPress sites using drive-by-download style attack tactics. Windows XP clients comprised 52 per cent of the infected systems in the cybercrime group’s botnet.

The cybercrime group also made money by selling access to compromised systems to other ne’er-do-wells. More details on the research can be found in the Proofpoint report (registration required).

Information provided by: The Register - Monster banking Trojan botnet claims 500,000 victims

Dollar Bank offers Trusteer Rapport free for all Dollar Bank customers. Trusteer Rapport will protect your computer from financial malware, including this Trojan. Click here to download Trusteer Rapport for your business.

Phishing Scam: Solidwall Bank

Date Posted: 08/11/14 1:51 PM

The Office of the Comptroller of the Currency (OCC) has been informed that an entity titled “Solidwall Bank” is involved in a Web site spoofing and phishing scam. This entity has spoofed the Web site of a legitimate bank in Somerville, Massachusetts. The Solidwall Bank Web site, [www.solidwallf.com], replicates the following text found on the legitimate bank’s Web site in wording and appearance:

About Us
President’s Message
Community Involvement
Privacy Policy
Contact Us (Bank Locations)

The Web site [www.solidwallf.com] was established in April 2014 in Lagos, Nigeria, and presents a telephone number of (414) 263-9615, which is an Internet-based telephone number registered to the unauthorized entity.

Consumers are receiving unsolicited e-mails of an urgent nature from the fictitious entity. The e-mails contain a hyperlink to the Solidwall Bank Web site, which is designed to harvest financial and personal information. Anyone receiving e-mails from this entity should not respond but rather report the incident to the following agencies:

Federal Trade Commission (FTC): by telephone at (877) FTC-HELP or, for filing a complaint electronically, via the FTC's Web site.

National Consumers League (NCL): by telephone at (202) 835-3323 or by e-mail at National Consumers League (NCL). To file a fraud complaint, visit the NCL fraud Web site.

Federal Bureau of Investigation Internet Crime Complaint Center (to report scams that may have originated via the Internet).

Additional information concerning this matter that should be brought to the attention of the Office of the Comptroller of the Currency (OCC) may be forwarded to:

E-mail: occalertresponses@occ.treas.gov
Mail: Office of the Comptroller of the Currency
Special Supervision Division
400 7th St. SW, Suite 3E-218; MS 8E-12
Washington, DC 20219
Phone: (202) 649-6450
Fax: (571) 293-4925
Internet: www.occ.gov

For additional information regarding phishing fraud, please visit the OCC’s Anti-fraud resources page.

Information provided by: OCC Director for Enforcement and Compliance

The Office of the Comptroller of the Currency (OCC) charters and oversees a nationwide system of national banks and federal savings associations and assures that these banking institutions are safe and sound, competitive, and capable of serving the banking needs of their customers in the best possible manner. OCC Press releases and other information. To receive OCC press releases and issuances by e-mail, click here to subscribe.

E-ZPass drivers warned about Phishing Scam

Date Posted: 07/15/14 3:22 PM

Drivers using the toll service are being targeted in a new scam.

E-ZPass Group, a toll collection program consisting of 25 agencies in 15 states, has issued a warning to customers concerning a Phishing scam that is posing as a collection notice.

In a notice to customers, E-ZPass stated that the messages being reported are not authorized communications, even if a person's account is behind on payments. If that happens to be the case, payment notices are invoiced and sent to the customer directly via the United States Postal Service.

"We advise you not to open or respond to such a message should you receive one," the E-ZPass warning stated.

The emails are coming from compromised WordPress installations, and have been sent in batches since July 8. The messages use the E-ZPass brand's colors (a bold purple that is present on all toll signs in the states where the service is used), and contain a subject related to driving on toll roads.

More than likely, the E-ZPass warning notes, the message is an attempt to steal sensitive information, including usernames, passwords, and financial data.

However, Gary Warner, Chief Technologist and Co-Founder of Malcovery, tested the Phishing emails and discovered that the links were pointing to malware that will connect the infected host to the ASProx botnet. Based on information he has received, the infected systems are primarily being used for advertising click-fraud.

In order to help detect the scam quicker, E-ZPass singled out the subject lines of "In arrears for driving on toll road" and "Payment for driving on toll road" as recent examples. In his research, Warner also discovered "Indebtedness for driving on toll road" and "Pay for driving on toll road".

The context of the Phishing attack itself is short and to the point:

"Dear customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly, please service your debt in the shortest possible time.

The invoice can be downloaded here."

Drivers in Indiana, Illinois, New York, New Jersey, Washington, D.C., Massachusetts, and Virginia have received similar warnings, as reports of the Phishing attack spread to each of the states supporting the E-ZPass system, representing some 14 million accounts.

The source of the contact information being used in the scam is unknown. While a data breach somewhere in the E-ZPass chain of operation is possible, proof of such an incident hasn't turned up.
It's likely the criminals behind the Phishing scheme are sending the emails blindly, waiting to see who falls for the bait. This theory is also backed by the fact that some of those targeted in the Phishing attack are not E-ZPass customers.

"Phishing scams are pervasive and users should always be on the lookout for unexpected communications from organizations they have relationships with," said Chester Wisniewski, Senior Security Advisor for Sophos, when asked his thoughts on the scam.

"It can be tempting to click before you think, but important messages are not typically sent via email. The safest thing to do is go directly to the web site of the organization or pick up the phone if you are unsure."

Information provided by CSO

IBM Trusteer has become aware of a phishing e-mail campaign

Date Updated: 05/29/14 4:46 PM

IBM Trusteer has become aware of a phishing e-mail campaign targeting IBM
Trusteer. The campaign started on May 9, 2014.

The fraudulent e-mails appear to come from Trusteer with the sender’s e-mail address
masquerading as support@trusteer.com, an e-mail account that is no longer in use.

These e-mails are part of a spear phishing campaign (spear phishing is a phishing message that appears to come from a trusted source) that uses IBM Trusteer’s brand to distribute a malicious executable file. The emails are addressed directly to recipients containing their full name and e-mail address. The content of the message requests that recipients run the attached file in order to upgrade their IBM Trusteer Rapport software version.

Please note that IBM Trusteer will not distribute Rapport updates as email

In response, IBM Trusteer has already begun rolling out an update that will protect
users from accidentally opening the malicious file. Further recommendations from IBM
Trusteer are as follows:

1. Users who received this email are requested to delete it immediately.

2. Users who may have already launched the attached file should be instructed to
refrain from online banking, and contact IBM Trusteer Support.

Should you have any questions, please do not hesitate to contact Trusteer directly at trusteerenterprise-support@us.ibm.com.

Information provided by IBM Trusteer

Homeland Security: Don't use IE due to Bug

Date Posted: 04/30/14 4:35 PM

SAN FRANCISCO — The U.S. Department of Homeland Security is advising Americans not to use the Internet Explorer Web browser until a fix is found for a serious security flaw that came to light over the weekend.

The bug was announced on Saturday by FireEye Research Labs, an Internet security software company based in Milpitas, Calif.

"We are currently unaware of a practical solution to this problem," Will Dormann at the CERT division of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, wrote on Monday.

It recommended that users and administrators "consider employing an alternative Web browser until an official update is available."

The security flaw allows malicious hackers to get around security protections in the Windows operating system. Users' computers can then be infected when they visit a compromised website.

Because the hack uses a corrupted Adobe Flash file to attack the victim's computer, users can avoid it by turning off Adobe Flash.

"The attack will not work without Adobe Flash," FireEye said. "Disabling the Flash plugin within IE will prevent the exploit from functioning."

While the bug affects all versions of Internet Explorer 6 through 11, attacks are currently targeting IE9 and IE10, FireEye stated.

The attacks do not appear to be widespread at this time. Microsoft said it was "aware of limited, targeted attacks that attempt to exploit" the vulnerability.

These are called "watering-hole attacks," said Satnam Narang, a threat researcher with computer security company Symantec in Mountain View, Calif.

Rather than directly reach out to a victim, the hackers inject their code into a "normal, everyday website" that the victim visits, he said. Code hidden on the site then infects their computers.

"It's called a watering-hole attack because if you're a lion, you go to the watering hole because you know that's where the animals go to drink."

FireEye said the hackers exploiting the bug are calling their campaign "Operation Clandestine Fox."

Microsoft confirmed Saturday that it is working to fix the code that allows Internet Explorer versions 6 through 11 to be exploited by the vulnerability. As of Monday morning, no fix had been posted.

Microsoft typically releases security patches on the second Tuesday of each month, what's known as Patch Tuesday. The next one is Tuesday, May 14. Whether the company will release a patch for this vulnerability before that isn't known.

About 55% of PC computers run one of those versions of Internet Explorer, according to the technology research firm NetMarketShare. About 25% run either IE9 or IE10.

Computer users who are running the Windows XP operating system are out of luck. Microsoft discontinued support of the system on April 8.

Symantec is offering XP users tools to protect themselves, which it has made available on its blog.

Information provided by: USA TODAY - Homeland Security: Don't use IE due to bug

'Heartbleed' bug causes big security headache on Internet

Date Updated: 05/17/19 9:22 AM

SAN FRANCISCO -- A confounding computer bug called "Heartbleed" is causing major security headaches across the Internet, as websites scramble to fix the problem and Web surfers wonder whether they should change their passwords to prevent theft of their email accounts, credit card numbers and other sensitive information.

The breakdown revealed this week affects a widely used encryption technology that is supposed to protect online accounts for a variety of online communications and electronic commerce.

Security researchers who uncovered the threat are particularly worried about the lapse because it went undetected for more than two years. They fear the possibility that computer hackers may have been secretly exploiting the problem before its discovery. It's also possible that no one took advantage of the flaw before its existence was announced late Monday.

Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat. "I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," Mr. Chartier said.

Canada's tax agency isn't taking any chances. Citing the security risks posed by Heartbleed, the Canada Revenue Agency shut off public access to its website "to safeguard the integrity of the information we hold," according to a notice posted on its website Wednesday. The agency said it hopes to re-open its website this weekend. The lockdown comes just three weeks from Canada's April 30 deadline for filing 2013 tax returns.

The U.S. Internal Revenue Service said in a statement Wednesday that it's not affected by the security hole. "The IRS advises taxpayers to continue filing their tax returns as they normally would in advance of the April 15 deadline," the agency said.

TurboTax, the most popular tax preparation software, also issued a statement Wednesday reassuring people that its website is now protected against Heartbleed.

Computer security experts are still advising people to consider changing all their online passwords.

"I would change every password everywhere, because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know, because an attack wouldn't have left a distinct footprint."

Google is so confident that it inoculated itself against the Heartbleed bug before any damage could be done that the Mountain View, Calif., company is telling its users they don't have to change the passwords they use to access Gmail, YouTube and other product accounts. More than 425 million Gmail accounts alone have been set up worldwide.

Facebook, which has more than 1.2 billion accountholders, also believes that its online social network has purged the Heartbleed threat. But the Menlo Park, Calif., company encouraged "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."

Online short messaging service Twitter Inc. and e-commerce giant Amazon.com Inc. say their websites weren't exposed to Heartbleed. Ebay Inc., which runs the PayPal payment service as well as online shopping bazaars, says most of its services avoided the bug.

Changing passwords on other online services potentially affected by Heartbleed won't do much good, security experts said, until the problem is patched. The troubleshooting software was released Monday.

So far, very few websites have acknowledged being afflicted by Heartbleed, although the bug is believed to be widespread.

Yahoo Inc. and Google are among the most prominent Internet services to say they have already insulated most of their most popular services from Heartbleed.

At Yahoo, the repairs have been made on a list of services that includes its home page, search engine, email, finance and sport sections, Flickr photo-sharing service and its Tumblr blogging service. In a blog post Wednesday, Google said it had applied the Heartbleed patch on its search engine, Gmail, YouTube, Wallet and Play store for mobile apps and other digital content.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.

The problem affects only the implementation of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

About two-thirds of Web servers rely on OpenSSL, Mr. Chartier said. That means the information passing through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryption.

Information provided by: PostGazette.com / Michael Liedtke and Anick Jesdanun / Associated Press

VISA Security Alert "Chewbacca" POS Malware

Date Updated: 01/17/18 1:27 PM


Distribution: Merchants, Acquirers

Who should read this: IT, Information Security, Incident Response


Chewbacca is a relatively new variation of malware (Trojan.Win32.Fsysna.fej) targeting Point of Sale (POS) systems that run on Microsoft Windows. Chewbacca utilizes keylogger and memory scraping/parsing functionality. The malware is privately utilized, meaning that it is not currently distributed through online criminal forums and therefore is not known to be widely available. Since approximately October 2013, the malware has been linked to several dozen merchant compromises.

Distribution and Installation

Since the Chewbacca malware is private at the moment (i.e. being used by a limited number of criminals), it is not yet clear how the malware is disseminated or what the total potential number of victims may be.

Analysis of current samples indicates that the Chewbacca malware installs a copy of itself in the Windows startup folder, as a file named "spoolsv.exe." Clearly, the file name disguises the Trojan as a Windows Print Spooler service executable, and placement in the Startup folder causes it to run automatically at Windows startup. It should be noted that unlike some malware, Chewbacca currently has no persistence mechanism and thus deleting the malicious spoolsv.exe executable and rebooting the infected machine will remove the malware.

Data-stealing capability

Chewbacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target POS systems. The memory scanner dumps a copy of a running process’s memory and searches it using simple regular expressions for credit and debit card magnetic stripe data (track 1 and track 2). If a card number is found, the malware extracts it and enters it into a log. Extracted magnetic stripe data is stored within the “system.log” file inside the user’s %temp% folder.

Network traversal and data exfiltration

One of the important innovations associated with the Chewbacca malware is that communication between an infected machine and the Command and Control (C2) server is handled through the TOR (The Onion Router) network. Using a network of encrypted relay systems, it is designed to conceal a user’s identity along with the contents of his communications. Tor often communicates over TCP 443 and it can be difficult to distinguish from normal TLS network traffic. All communications are encrypted, concealing the real IP address of the malware’s C2 server(s), which makes network detection more difficult.

For Chewbacca to function properly on the TOR network, it requires a TOR proxy application, which is installed on the infected machine. It is here, on the POS system, where the best opportunity for detection exists. In addition to identifying the TOR client application itself (tor.exe) on a POS system, it is possible to detect TOR running on a Windows system by issuing “netstat -nt” from a Windows command prompt. Look for the TOR listener, typically running on TCP 9050.
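A defender's triage of the host indicators this alert names (the spoolsv.exe copy in the Startup folder, system.log under %temp%, tor.exe, and a listener on TCP 9050), as an added example that is not part of the Visa alert. It assumes the connection table was captured with `netstat -ano` (the -a switch is what lists listening sockets), approximates %temp% as any folder named Temp, and runs on constructed sample data; all function names are hypothetical.

```python
"""Triage a POS host for the Chewbacca indicators described in the alert."""
from ntpath import basename, normpath  # Windows path rules, usable on any OS

TOR_SOCKS_PORT = 9050  # the alert: "TOR listener, typically running on TCP 9050"


def parse_listeners(netstat_text):
    """Return (local_host, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: Proto, Local Address, Foreign Address, State, [PID]
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue  # an outbound connection to a remote :9050 is not a local listener
        host, _, port = fields[1].rpartition(":")  # also copes with [::]:9050
        if not port.isdigit():
            continue
        pid = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
        listeners.append((host, int(port), pid))
    return listeners


def check_paths(paths):
    """Flag file paths that match the file-system indicators in the alert."""
    findings = []
    for raw in paths:
        path = normpath(raw).lower()
        folders = path.split("\\")[:-1]
        name = basename(path)
        if name == "spoolsv.exe" and "startup" in folders:
            # The genuine Print Spooler binary lives in System32, not in Startup.
            findings.append(("spoolsv.exe in Startup folder", raw))
        elif name == "tor.exe":
            findings.append(("TOR client binary", raw))
        elif name == "system.log" and "temp" in folders:
            # Assumption: a folder named Temp stands in for the user's %temp%.
            findings.append(("system.log in temp folder", raw))
    return findings


def triage(netstat_text, paths):
    """Combine file and network indicators into one list of (reason, detail)."""
    findings = check_paths(paths)
    for host, port, pid in parse_listeners(netstat_text):
        if port == TOR_SOCKS_PORT:
            findings.append(("listener on TCP 9050", f"{host}:{port} pid={pid}"))
    return findings


# Constructed sample input (not taken from a real host or from the alert).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       3412
  TCP    10.20.0.15:49712       203.0.113.7:443        ESTABLISHED     3412
  TCP    10.20.0.15:49720       198.51.100.9:9050      ESTABLISHED     1180
  UDP    0.0.0.0:5355           *:*                                    1044
"""

SAMPLE_PATHS = [
    r"C:\Windows\System32\spoolsv.exe",  # legitimate Print Spooler location
    r"C:\Documents and Settings\pos\Start Menu\Programs\Startup\spoolsv.exe",
    r"C:\Documents and Settings\pos\Local Settings\Temp\system.log",
    r"C:\Users\pos\AppData\Roaming\tor\tor.exe",
    r"C:\POS\logs\system.log",  # same file name, but not under a temp folder
]

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_NETSTAT, SAMPLE_PATHS):
        print(f"[!] {reason}: {detail}")
```

A hit on port 9050 identifies the owning PID, which can then be matched against the process list to find the binary that opened the listener.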


Visa requires participants in the payment system to comply with all PCI-DSS requirements and we recommend taking the following preventative steps to address this specific threat:

• Prevent the use of TOR on POS systems. This can be done by adding TOR and its components (Tor, Vidalia, TOR Browser) to antivirus solutions and application blacklisting controls. Network filtering, particularly outbound traffic from POS systems, can also be used to disable the malware’s ability to exfiltrate data.

• Control the Windows Administrator account. Data-stealing malware (like Chewbacca) requires Administrator-level permission in order to perform memory-scanning and key logging functions. Make it more difficult for malware to gain Administrative privileges.

• Assign a strong password for all accounts on the POS system.

• Create a unique local Administrator password for each and every POS system.

• Do not allow users to be local Administrators on a POS system.

• Change password frequently (at least every 90 days).

• Ensure the POS system functions as a single purpose machine. To reduce the risk of malicious software infection, disallow all applications and services (i.e. Internet browsers, email clients) that are not directly required as part of the POS’s core functionality in processing payments.

• Keep operating system patch levels up to date. For Windows, this means ensuring Windows Update is functioning and automatically applying monthly security patches.

• Restrict permissions on Windows file sharing or disable file sharing altogether. Unless absolutely necessary, Visa recommends disabling file sharing on POS systems. Microsoft has published instructions on how to disable simple file sharing and set permissions on shared folders.

Technical Threat Indicators

View Technical Threat Indications Here

Additional Resources

This malware targets Windows-based POS systems, including Windows XP. It should be noted that Microsoft’s support ends in April 2014 for Windows XP and January 2016 for Windows XP Embedded operating systems. POS applications built on these platforms will be placed at increased risk.

To report a data breach, contact Visa Fraud Control:
• Asia Pacific Region, Central Europe/Middle East/Africa Region: VIFraudControl@visa.com

• Canada Region, Latin America Region, United States: USFraudControl@visa.com

For more information, please contact Visa Risk Management: cisp@visa.com

Information provided by VISA Security Alert March 6, 2014

New Apple Security Flaw

Date Updated: 02/26/14 4:17 PM

It is important for all Apple users to keep their operating system updated and to apply current security patches. Apple has recently released iOS 7.0.6 to patch an SSL security flaw; the update is issued for iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation). You are strongly encouraged to update all of your devices with the latest software update.

Currently Apple has not released a patch for the Mac computer.

Please keep your computers and devices patched with the latest security patches to help ensure you are protected.

• For information on the security content of this update, please visit this website: Apple Support

• Please update through iTunes or on the device while connected to a secure wireless network.

Information provided by: Dollar Bank

Fraudulent Correspondence Regarding the Release of Funds

Date Updated: 05/17/19 9:21 AM

Fictitious correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding funds purportedly under the control of the OCC and possibly other government entities, is in circulation. Correspondence may be distributed via e-mail, fax, or postal mail.

Any document claiming that the OCC is involved in holding any funds for the benefit of any individual or entity is fraudulent. The OCC does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises, or governmental entities.

The correspondence may indicate that funds are being held by Bank of America and that the recipient will be required to pay a mandatory administrative charge for an issuance of a Capital Currency Control Certificate to release the funds to the beneficiary.

Attached (links below) are copies of the fraudulent documents, which include a solicitation as well as an invoice. This material is being sent to consumers in an attempt to elicit funds from them and to gather personal information to be used in possible future identification theft.

Sample Telegram Sample Invoice

The correspondence in question contains the name of a fictitious OCC employee. In addition, the material contains telephone numbers, addresses, and e-mail addresses that are not associated with the OCC or Bank of America.

Before responding in any manner to any proposal supposedly issued by the OCC that requests personal information or personal account information or that requires the payment of any fee in connection with the proposal, recipients should take steps to verify that the proposal is legitimate. At a minimum, the OCC recommends that consumers:

A. Contact the OCC directly to verify the legitimacy of the proposal
(1) via e-mail at occalertresponses@occ.treas.gov;
(2) by mail to the OCC’s Special Supervision Division, 400 7th Street, SW, Suite 3E-218; MS 8E-12, Washington, D.C. 20219;
(3) via fax to (571) 293-4925; or
(4) by calling the Special Supervision Division at (202) 649-6450.

B. Contact state or local law enforcement.

C. File a complaint with the Internet Crime Complaint Center if the proposal appears to be fraudulent and was received via e-mail or the Internet.

D. File a complaint with the U.S. Postal Inspection Service by telephone at (888) 877-7644; by mail at U.S. Postal Inspection Service, Office of Inspector General, Operations Support Group, 222 S. Riverside Plaza, Suite 1250, Chicago, IL 60606-6100.

Information provided by: OCC
Office of the Comptroller of the Currency - Alert 2014-4 Issued Jan 16 2014

Neverquest Virus

Date Updated: 11/14/17 4:12 PM

Neverquest is a virus (trojan) to be aware of. It is a new version of an old trojan, but this version steals your account login information and attempts to access your online accounts from your computer. It might also use your computer and email address to send out spam.

How to protect yourself:

Dollar Bank offers free anti-malware software called Trusteer. Download Trusteer
Customers are strongly encouraged to take advantage of this.

Do not follow unsolicited web links in email messages or submit any information to webpages in links.

Use caution when opening email attachments. Don’t open attachments from senders you don’t know. If you were not expecting an attachment from a sender you do know, verify with them first that they did send you the attachment.

Maintain up-to-date anti-virus software.

Keep your operating system and software up-to-date with the latest patches.

For more details about Neverquest, see Network World

Information provided by: Dollar Bank

“Payroll Invoice” from ADP Contains Trojan

Date Updated: 12/08/17 10:54 AM

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Payroll Invoice”. This e-mail is sent from the spoofed address “sudsum5@digitronia.com” and has the following body:

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Year: 13
Week No: 08
Payroll No: 1
Please open attached file to view and check following payroll...

This e-mail was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the e-mail directly.© 2013 Automatic Data Processing, Inc.

The attached ZIP file has the name invoice.zip and contains the 137 kB large file invoice_2034837510_293mw.pdf.exe.

The trojan is known as Spyware/Win32.Zbot, Generic9_c.BJAJ, BackDoor.Maxplus.13119, Win32.Troj.Generic.a.(kcloud), Backdoor.Win32.ZAccess.elaw, Trojan:Win32/Sirefef.P and others.

At the time of writing, 24 of the 48 AV engines did detect the trojan at Virus Total.

Information provided by: http://blog.mxlab.eu
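
The attachment in this alert hides an executable behind a document-style name (invoice_2034837510_293mw.pdf.exe inside invoice.zip). As an added example, not part of the original alert or of MX Lab's tooling, this Python check shows how a mail gateway or analyst could flag such members of a ZIP attachment without extracting it; the extension lists and function names are assumptions, and the sample archive is constructed with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists (not from the alert); extend to match local mail policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_member(name):
    """Return 'double-extension', 'executable' or None for one member name."""
    path = PurePosixPath(name.replace("\\", "/"))
    suffixes = [s.strip().lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    # A document-style suffix right before the executable one is the decoy.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_zip(data):
    """List flagged members of a ZIP attachment (bytes) without extracting it."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                verdict = classify_member(info.filename)
                if verdict:
                    findings.append((info.filename, verdict, info.file_size))
    except zipfile.BadZipFile:
        # Unparseable archives are reported rather than silently passed.
        findings.append(("<archive>", "unreadable", len(data)))
    return findings


def build_sample():
    """Constructed archive: placeholder bytes under the file name from the alert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2034837510_293mw.pdf.exe", b"placeholder bytes")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, size in scan_zip(build_sample()):
        print(f"{verdict}: {name} ({size} bytes)")
```

Only the archive's directory listing is read, so nothing inside the attachment is written to disk or executed during the check.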

Affordable Health Care "Advisors" Scam

Date Updated: 11/06/13 2:23 PM

Tuesday October 1, 2013, the first stage of the new health care act kicks in. You can start shopping for policies on new insurance "marketplaces". There is going to be an enormous amount of confusion about this law, starting with whether you even need to buy a new policy or not. The federal government website, healthcare.gov, is the best place to start, but the bad guys have already figured out dozens of ways to scam people.

Variations on a Scheme
Bad guys are now sending spam and phishing e-mails with subjects like "We can get you a great deal right now," or "We can help you get signed up." There are also the scams that use the social engineering tactic 'prevent a negative consequence' to coerce an employee to give out personal information or even send money with subjects like "You are going to get in trouble if you don't sign up.", or "You will get fined by the Federal Government if you don't comply." There are even scams that use the guise of a (non-existent) 'New Health ID Card' or 'Discount Cards'.

An example is a scammer who will claim to be calling or sending a phishing e-mail on behalf of Medicare and will ask for your Social Security number, driver’s license number, bank account number or credit card information for your new "National Insurance Card."

Tell your employees to delete any e-mail related to this, and hang up the phone if they get a live cold call or a robo-call promoting a toll-free hotline promising they can be signed up right now. Especially if scammers ask for a wire transfer over the phone, hang up. Those are all Red Flags and these new marketplaces and exchanges are a hotbed for scams. It would not surprise me if completely fake health care exchange websites will be promoted in the coming days. Stay safe out there and STOP - LOOK - THINK before you click!

Information provided by: Dollar Bank

Malware Affecting Retail Merchants

Date Updated: 11/06/13 2:24 PM

An increase in malicious activity involving intrusions targeting retail merchants has been observed. Once inside the network, the actor may install malware on cash register systems or back-of-the-house servers to extract full magnetic stripe data from Random Access Memory (RAM).

The malware is then configured to “hook” into payment applications. These applications are used for processing authorization data, which includes the full magnetic stripe data. When the authorization is processed, the payment application will read the transaction and store the authorization data in RAM. Executing this activity within RAM allows the actor to have access to the data while it is decrypted for transaction processing. Visa has provided an in-depth Recommended Mitigation Strategy on their site: Recommended Mitigation Strategy

Information provided by: VISA DATA SECURITY ALERT - August 2013
Need Help?


Contact Us Today:
Dollar Bank representatives are available Monday - Friday from 8:00 AM to 8:00 PM and Saturday from 9:00 AM to 3:00 PM.
