Education is key to protecting yourself and stopping fraud.
Report Fraudulent or Suspicious Activity
Contact us immediately if you suspect you have fallen victim to a social engineering attack and have disclosed information concerning your Alpine Bank accounts.
Regularly monitoring your account activity is a good way to detect fraud early. Alpine Online Banking and the Alpine Mobile App make it easy to review transaction history, set up alerts, and even set spending controls on your debit card. If you notice unauthorized transactions in your account, notify Alpine Bank immediately.
Secure your accounts
- Multi-Factor Authentication (MFA): Enable multi-factor authentication on every account that offers it. MFA requires two or more different forms of authentication: something you know (a password) plus something you have (a token) or something you are (a fingerprint). A stolen password alone is then not enough to log in.
- Creative Passwords: Password strength is directly related to the length of the password. Use a different password for each login; at a minimum, never use the same password for banking that you use for social media or other sites.
- Alerts: Setting up account alerts to show new logins, password changes, or account changes is a great way to help monitor for account takeover.
- Masked Account Numbers: Only the last four digits of your account number(s) will be printed on bank statements and notices. For example: Account number: xxxx xxxx xxxx 1503
Secure your devices
- Patching and Updating: Enable automatic updates for all of your devices. You should always run the latest versions of software on your computer (Mac or Windows), your mobile devices (iPhone or Android), and the software or apps installed on those devices.
- Passcodes, Passwords, and Biometrics: Always protect every device, including your phone and computer, with a password, passcode, or biometrics (fingerprint or facial recognition).
- Reputable Software: Always download software from reputable sources: Apple App Store, Google Play, or Windows Store.
- Security Software: Running anti-virus software on all of your devices is a good idea. Configuring firewalls, spam filters, and privacy protections is good practice on every device.
- Disable features: When not actively in use disable features such as Bluetooth, Wi-Fi, and Web Cameras. Set Bluetooth-enabled devices to non-discoverable when Bluetooth is enabled.
Safety Tips for Cards and ATMs
- Treat your debit card like cash; always keep it in a safe place.
- If your debit card has been lost, stolen, or misplaced, call 800-551-6098 or visit your local Alpine Bank branch location to report it RIGHT AWAY.
- Keep your personal identification number (PIN) secret. PINs are like passwords, commit them to memory and never share.
- Always be aware of your surroundings before conducting a transaction, especially at an ATM.
- Block the view so others can’t see when using an ATM or point-of-sale (POS) terminal.
- Look for signs of tampering at ATM and POS terminals.
- Before using an ATM or POS terminal, try wiggling the keypad or card slot. If anything seems loose, don't use the device.
- Look for keypads that appear raised or have an unusual color. A thief could have placed an overlay on the keypad to record the personal identification number you key in.
- Some gas pumps have security tape that forms a seal around the card reader. A broken seal could be a sign that the reader has been compromised.
- Never allow the cashier, or any other person, to enter your PIN for you, even if they are assisting you with the transaction.
To learn more about information security, visit any of the following websites:
- SecurityPlanner.org: Answer a few simple questions to get a personalized online safety recommendation.
- Video about reporting internet crime
- Lost or stolen debit/credit card info
Spot and Stop Fraud
Website spoofing is the act of creating a fake website to mislead individuals into sharing sensitive information. Spoofed websites are typically created to look exactly like a legitimate website published by a trusted organization.
- Pay attention to the web address (URL) of websites. A website may look legitimate, but the URL may have a variation in spelling or use a different domain.
- If you are suspicious of a website, close it and contact the company directly.
- Do not click links on social media sites, pop-up windows, or non-trusted websites.
Phishing is when an attacker attempts to acquire information by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are typically carried out through email, instant messaging, telephone calls, social media, and text messages (SMS).
- Delete email and text messages that ask you to confirm or provide sensitive information. Legitimate companies don’t ask for sensitive information through email or text messages.
- Beware of messages sent through social media.
- Beware of visiting website addresses sent to you in an unsolicited message.
- Even if you feel the message is legitimate, type web addresses into your browser or use bookmarks instead of clicking links contained in messages.
- Try to independently verify any details given in the message directly with the company.
How Credential Stuffing Threatens Your Online Accounts
Major data breaches at brand name companies, such as Sony, Yahoo, and JP Morgan, have siphoned off billions of login credentials – usernames and passwords – people use every day to access their online accounts. So, what happens to all those credentials, and how vulnerable are any of us to possible identity theft or account takeovers? Chances are those credentials have found their way into the underground economy where cybercriminals buy them in bulk. Then they use them in massive “credential stuffing” campaigns, which are a direct threat to anyone with online accounts.
What is Credential Stuffing?
Credential stuffing is an automated process in which cybercriminals replay login credentials stolen from one site against other sites to gain fraudulent access to user accounts. With lists of credentials numbering in the millions, the automated attacks on targeted websites are massive. The expectation is that a small percentage will work on the target and grant access to users’ accounts. Using automated tools, hackers can bombard a website with thousands of credentials and make the attempts appear to be legitimate logins.
From there, the hackers can pillage the user’s account to drain balances or steal sensitive information. The attacks are most harmful when a large number of people reuse the same password across multiple websites.
Successful credential stuffing doesn’t require any special skills or knowledge, just a few hundred dollars to buy the right tools, which is why it is so prevalent. Over 17 months from November 2017 to March 2019, more than 55 billion credential attacks were detected across dozens of industries, including retail, gaming and media streaming. Because its use is so widespread and easy to execute, anyone who logs onto an online account is vulnerable.
How to Defend Against Credential Stuffing Attacks
Companies are the front line of defense against credential stuffing attacks, working with security experts to detect and counter attacks. However, even as companies improve their defenses, credential stuffing attacks are likely to grow in number and intensity. The most vulnerable among us are those who fail to practice “password hygiene”. Weak passwords should always be avoided, but reused passwords are the biggest enablers of credential stuffing attacks. Utilizing password manager software to generate unique and complex passwords for each online account you have makes it much more difficult for hackers to lift your credentials.
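The detection work the paragraph above assigns to companies can be illustrated with a small example. The code below is added here for illustration and is not Alpine Bank's own tooling; the log format (timestamp, client IP, username, result) and the sample log lines are constructed assumptions. It implements the two-signal heuristic defenders actually rely on: a single source address trying many distinct usernames in a short window, with most attempts failing. Either signal alone produces false positives (an office NAT address serves many users, but they succeed; a forgetful user fails repeatedly, but on one account), so both are required.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, NOT real log data. Assumed format per line:
#   <ISO-8601 UTC timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
# 192.0.2.10   = one user who mistypes a password twice, then succeeds
# 198.51.100.7 = an office NAT address with six different users logging in
# 203.0.113.45 = a stuffing source cycling through a credential list
SAMPLE_LOG = """
2024-03-01T08:55:10Z 192.0.2.10 alice LOGIN_FAIL
2024-03-01T08:55:40Z 192.0.2.10 alice LOGIN_FAIL
2024-03-01T08:56:05Z 192.0.2.10 alice LOGIN_OK
2024-03-01T09:00:00Z 198.51.100.7 carol LOGIN_OK
2024-03-01T09:00:30Z 198.51.100.7 dave LOGIN_OK
2024-03-01T09:01:00Z 198.51.100.7 erin LOGIN_OK
2024-03-01T09:01:30Z 198.51.100.7 frank LOGIN_OK
2024-03-01T09:02:00Z 198.51.100.7 grace LOGIN_OK
2024-03-01T09:02:30Z 198.51.100.7 heidi LOGIN_OK
2024-03-01T09:10:00Z 203.0.113.45 user001 LOGIN_FAIL
2024-03-01T09:10:01Z 203.0.113.45 user002 LOGIN_FAIL
2024-03-01T09:10:02Z 203.0.113.45 bob LOGIN_OK
2024-03-01T09:10:03Z 203.0.113.45 user004 LOGIN_FAIL
2024-03-01T09:10:04Z 203.0.113.45 user005 LOGIN_FAIL
2024-03-01T09:10:05Z 203.0.113.45 user006 LOGIN_FAIL
2024-03-01T09:10:06Z 203.0.113.45 user007 LOGIN_FAIL
2024-03-01T09:10:07Z 203.0.113.45 user008 LOGIN_FAIL
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into Attempt records, skipping blank lines."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user, result == "LOGIN_OK"))
    return attempts


def find_stuffing(attempts, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within `window`, tried at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: summary}; `compromised` lists the accounts that succeeded from a
    flagged source, which is the list the fraud team needs to act on first.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda a: a.ts)
        start = 0  # left edge of the sliding time window
        for end in range(len(items)):
            while items[end].ts - items[start].ts > window:
                start += 1
            win = items[start:end + 1]
            users = {a.user for a in win}
            fails = sum(1 for a in win if not a.ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len({a.user for a in items}),
                    "attempts": len(items),
                    "failures": sum(1 for a in items if not a.ok),
                    "compromised": sorted({a.user for a in items if a.ok}),
                }
                break  # one qualifying window is enough to flag this source
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Only 203.0.113.45 is reported: eight usernames in eight seconds with seven failures. The office address tried six usernames too, but with no failures, and alice's three attempts touch a single account. The successful "bob" login from the flagged source is exactly the reused-password case the next paragraph warns about, and is the account to lock and notify.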
Business Email Compromise Scams & What You Need to Know
Employees and employers: Beware of business email compromise & payroll diversion scams
Cybercriminals are using social engineering techniques to obtain employee credentials and then conduct payroll diversion fraud. When this occurs, it is overwhelmingly at businesses and organizations that are not using multi-factor authentication (MFA) on their email. To that end, Alpine Bank strongly recommends the use of MFA on all logins, as well as verification of every email request.
About business email compromise/Email account compromise
Business email compromise/Email account compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering, or computer intrusion, to conduct unauthorized transfers of funds.
The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms.
About payroll diversion scams
Another method involves a company’s human resources or payroll department receiving spoofed emails that appear to be from employees requesting a change to their direct deposit account. This is different from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account.
In a typical example, HR or payroll representatives receive emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR or payroll representatives generally leads to a pre-paid card account.
Some companies reported receiving phishing emails prior to receiving requests for changes to direct deposit accounts. In these cases, multiple employees may receive the same email that contains a spoofed login page for an email host. Employees enter their usernames and passwords on the spoofed login page, which allows the subject to gather and use employee credentials to access the employees’ personal information. This makes the direct deposit requests appear legitimate.
Cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information. Rules are added by the cybercriminal to the employee’s account, preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card.
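The mailbox rules described above (rules that hide the employer's "your direct deposit was changed" notice from the victim) leave an artifact that administrators can hunt for. The example below is added for illustration and is not Alpine Bank's code; the rule dictionary shape and the sample rules are constructed assumptions standing in for whatever a mail platform's rule export provides. It flags the patterns that characterize this tradecraft: deleting, marking as read, or filing into rarely-viewed folders any mail whose conditions match payroll or banking keywords, forwarding to addresses outside the company, and rules named with a single punctuation mark so they are easy to overlook.

```python
import re

# Keywords a payroll-diversion actor filters on so the victim never sees the
# employer's direct deposit change notification.
SENSITIVE = re.compile(r"direct deposit|payroll|bank|account|password|security alert", re.I)

# Folders users seldom open; attackers file mail here instead of deleting it
# outright, because deletion is more likely to be noticed.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email",
                  "archive", "conversation history"}

# Domains that count as "inside the company" (assumption for this example).
INTERNAL_DOMAINS = {"corp.example"}

# Constructed sample rules, NOT exported from a real mailbox. Assumed keys:
#   name, subject_contains, from_contains, body_contains (lists of strings),
#   delete, mark_read (bools), move_to (folder name or None), forward_to (list)
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@vendor.example"],
     "move_to": "Newsletters"},
    {"name": ".", "subject_contains": ["direct deposit", "payroll"],
     "delete": True, "mark_read": True},
    {"name": "Sync", "from_contains": ["hr@corp.example"],
     "body_contains": ["bank account"], "move_to": "RSS Feeds",
     "forward_to": ["backup.mailbox@outside-mail.example"]},
    {"name": "Team", "subject_contains": ["standup"],
     "forward_to": ["assistant@corp.example"]},
]


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return [(rule_name, [reasons])] for rules that look like BEC tradecraft.

    A rule is reported only if at least one reason applies, so ordinary
    housekeeping rules (filing newsletters, internal forwarding) pass silently.
    """
    findings = []
    for r in rules:
        reasons = []
        conditions = " ".join(r.get("subject_contains", []) +
                              r.get("body_contains", []) +
                              r.get("from_contains", []))
        hits_sensitive = bool(SENSITIVE.search(conditions))
        folder = (r.get("move_to") or "").lower()
        external = [addr for addr in r.get("forward_to", [])
                    if addr.split("@")[-1].lower() not in internal_domains]

        if r.get("delete") and hits_sensitive:
            reasons.append("deletes mail matching payroll/banking keywords")
        if folder in HIDING_FOLDERS and hits_sensitive:
            reasons.append(f"hides payroll/banking mail in '{r['move_to']}'")
        if r.get("mark_read") and hits_sensitive:
            reasons.append("marks payroll/banking mail as read")
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        name = r.get("name", "")
        if not name.strip() or name.strip() in {".", ",", "..."}:
            reasons.append("empty or punctuation-only rule name")

        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run against the sample, the "." rule (delete and mark read anything mentioning direct deposit or payroll) and the "Sync" rule (file HR mail about bank accounts under RSS Feeds and forward it outside the company) are reported; the newsletter and internal-forwarding rules are not. In practice this check runs over every mailbox after a suspected credential phish, not just the one that reported it, since the same phishing email usually reaches many employees.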
To mitigate the threat of payroll diversion:
- Alert and educate employees about this scheme, including preventative strategies and appropriate reactive measures should a breach occur.
- Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from.
- Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any email.
- Direct employees to forward suspicious requests for personal information to the information technology or human resources department.
- Ensure that login credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
- Apply heightened scrutiny to bank account information submitted by employees seeking to update or change their direct deposit details.
- Monitor employee logins that occur outside normal business hours.
- Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
- Only allow required processes to run on systems handling sensitive information.
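Two pieces of advice on this page, paying attention to a URL's spelling and domain under "Spot and Stop Fraud" and hovering over hyperlinks to see where they really lead, can be automated as a link audit of an incoming HTML email. The code below is an added example, not Alpine Bank's or any mail provider's own filter; the trusted domain "alpinebank.example" is a placeholder assumption (the .example TLD is reserved for documentation), and the sample email is constructed. It extracts every link, then applies the checks a person hovering over a link would make: is the scheme https, does the visible text claim one domain while the href points at another, is there a user@ prefix that makes the real host easy to misread, is the host a bare IP address or punycode, and does the host merely contain or closely resemble the bank's brand without being the bank's domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder for the bank's real domain (assumption for this example).
TRUSTED_DOMAINS = {"alpinebank.example"}

# Constructed sample email body, NOT a real phishing message.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://alpinebank.example/login">Sign in</a>
<a href="http://alpinebank-secure.example/login">alpinebank.example</a>
<a href="https://alpinebnak.example/verify">Verify</a>
<a href="https://alpinebank.example@203.0.113.9/login">alpinebank.example</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (assumes no multi-part suffixes like .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as a swapped letter pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means it looks fine."""
    reasons = []
    u = urlsplit(href.strip())
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        reasons.append(f"scheme is '{u.scheme or 'none'}', not https")
    if u.username is not None:
        reasons.append("user@ prefix in URL; the real host is what follows the @")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("host is a bare IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host; may be a homoglyph of the real domain")
    if host and registrable(host) not in trusted:
        label = registrable(host).split(".")[0]
        for t in trusted:
            brand = t.split(".")[0]
            if brand in host:
                reasons.append(f"contains '{brand}' but is not {t}")
            elif edit_distance(label, brand) <= 2:
                reasons.append(f"'{label}' is a lookalike of '{brand}'")
    # Visible text that looks like a domain or URL but points somewhere else.
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but link goes to {host or 'no host'}")
    return reasons


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """Run check_link over every link in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"href": h, "text": t, "reasons": check_link(h, t, trusted)}
            for h, t in parser.links]


if __name__ == "__main__":
    for item in audit_email(SAMPLE_EMAIL):
        print(item["href"], "->", item["reasons"] or "ok")
```

Of the four links, only the first is clean. The second uses plain http and a hyphenated domain that merely contains the brand while its visible text claims to be the real site; the third differs from the brand by two transposed letters; the fourth puts the bank's name before an @ so that the real destination, a bare IP address, is easy to miss. The registrable-domain comparison is deliberately simple, so a production filter would use a public suffix list, but the decision logic is the same one a careful reader applies by hand.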
The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to this particular scheme, then please note payroll diversion in the body of the complaint.