Identity Verification Procedures:
Our staff will never contact you unsolicited to request personal financial information, electronic banking credentials, or other sensitive information. Our employees, or an authorized third-party fraud monitoring service acting on the bank's behalf, may notify you of suspicious activity on your debit card or your account and, as an additional security measure, ask you to verify whether it was authorized. Our fraud analysts are also available for general questions relating to your account and debit card. A bank employee may ask you questions relating to your accounts, but they will not ask you for your online banking password or your debit card PIN.
If you contact the bank to request sensitive information or to perform transactional activity, your identity will be verified. In addition to asking for standard identifying information, such as your full name, address, and the last four digits of your Social Security number, our staff may ask you additional "out of wallet" questions, such as the last major purchase you made with your debit card, the last gas station or grocery store where you shopped, your nearest relative's name, or other information that would not be easily known or guessed by an impostor or criminal. If you are uncomfortable answering these questions over the phone, we encourage you to visit our bank in person.
Commercial Customer Guidance:
There are several general best practices for our business customers to follow with regard to their bank accounts. Businesses should safeguard all sensitive information and only authorize appropriate, trusted employees to access this information. Businesses should safeguard any signatory stamps, letterhead, checks, check stock, debit cards, or other sensitive documents, authorizing equipment, or access devices. All business equipment should be protected by appropriate login credentials that comply with industry guidance to prevent unauthorized access by an employee or non-employee. In addition, CNB strongly recommends that commercial customers periodically perform a risk assessment and controls evaluation and test these controls on a regular basis to ensure their adequacy. NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems", provides the recommendations of the National Institute of Standards and Technology (NIST). NISTIR 7621 Revision 1, "Small Business Information Security: The Fundamentals", provides additional pertinent information.
Risk Control Mechanisms:
Our customers may consider implementing risk control mechanisms based on the products and services provided and the access devices that are utilized. While there are several resources and different risk control frameworks that can be used, the following general guidelines may be useful:
Passwords:
- Avoid using personal information.
- Avoid using passwords that may be easily guessed, e.g. "password123".
- Create a unique password for online banking that you don't use elsewhere.
- Do not share your passwords with anyone, including friends, family, or technical support representatives.
- Do not write down your passwords. Use a secure password manager if possible.
- Do not use the password auto-save feature in your browser. Use a secure password manager if possible.
- Change your password periodically (our system currently requires a change every 180 days).
- When possible, use multi-factor authentication, such as codes sent via SMS/text or email, or a secure MFA application like Google Authenticator.
- Remember, as stated in the Identity Verification Procedures section, the bank will not ask you for your password.
Best Practices:
- Keep your personal information private and secure to safeguard it from criminals.
- Check your account balance regularly and report any suspicious or unusual activity immediately.
- Do not access sensitive information, including your online banking, from a public location or while on public Wi-Fi.
- Be skeptical of unsolicited e-mail messages, phone calls, or text messages.
- Be skeptical of threatening calls or messages. The IRS will not call you to demand an amount or threaten you with jail time.
- The SLAM acronym can be used as a reminder of what to look for to identify possible phishing emails. SLAM stands for sender, links, attachments, message.
  - Sender: when hackers send phishing emails, they often mimic a trusted sender's email address to trick recipients into opening the email. This is why it is important to analyze a sender's email address before opening an unsolicited email. To check an email address for validity, recipients should hover their mouse over the sender's name to reveal where the email came from prior to opening it. Email addresses should be checked carefully for misspellings in a trusted individual's name or a company name. It is also important to note that an email coming from a company will usually have the company's name in the domain of the address. For instance, an email coming from microfsoftsupport@gmail.com is not a legitimate Microsoft email address. An email coming from Microsoft support would display as support@microsoft.com.
  - Links: phishing emails generally contain links that enable hackers to steal a recipient's login credentials and infiltrate their network. Just as with the sender's email address, hover over any link in an email to check its legitimacy. Is the URL actually directing you to the page it says it will? Are there misspellings in the link address? It is also best practice to go to the company website directly rather than clicking on a link in the email itself. For instance, many phishing emails wrongly state that your login credentials for a particular company were compromised and provide a reset link in the body of the email. By clicking on this link, you expose your login credentials to the hacker. Since most people use the same login credentials across multiple platforms, stealing your credentials in one incident is likely to give hackers access to your other accounts. Whenever you receive an email that says that your login credentials were compromised, or that you need to reset your password, you should manually enter the company's website address into your web browser. This way you can be certain that you are on a legitimate website, preventing your login credentials from being stolen.
  - Attachments: you should never open an email attachment from any sender that you do not know. However, even when you do know the sender, you should not open unsolicited email attachments. Hackers often send malicious email attachments to the contact list of a compromised email address in order to infiltrate the recipients' systems. It is unlikely that a business would send an email attachment without prompting. If you'd like to check the validity of an email attachment, you should reach out to the sender directly to confirm that the attachment sent was legitimate.
  - Message: while phishing emails have become more sophisticated over the years, the content of the message itself can often be a dead giveaway. Phishing emails often contain generic greetings, misspellings, grammatical errors, or strange wording. Emails that contain any of these issues should not be trusted.
- Only enter sensitive information online through secure websites whose verified, valid web addresses begin with https://.
- Avoid oversharing on social media. Personal details of your life or your interests can be used in phishing email attempts.
- Avoid storing sensitive information that may be used for identity theft or phishing email attempts.
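
The Sender and Links checks from SLAM can also be automated by a business that filters its own mail. The following is an added example, not part of the bank's guidance: the `TRUSTED` allow-list, the function names, the display name in the sample sender, and the sample link (using the reserved example.net domain) are constructed assumptions.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands the reader deals with and the domains they really mail from.
TRUSTED = {"microsoft": {"microsoft.com"}}
# Constructed samples: the page's example address plus a made-up reset link.
SAMPLE_FROM = "Microsoft Support <microfsoftsupport@gmail.com>"
SAMPLE_BODY = '<a href="https://login.example.net/r">account.microsoft.com</a>'

def domain_matches(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_sender(from_header):
    """Sender: a brand in the display name or mailbox must match the domain."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    return [f"sender claims {brand} but mail is from {domain}"
            for brand, domains in TRUSTED.items()
            if brand in f"{display.lower()} {local}" and not domain_matches(domain, domains)]

class _Anchors(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False  # links: [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host_of(text):
    """Host of a URL or bare domain; '' when the text is not URL-like."""
    if " " in text or "." not in text:
        return ""
    return (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()

def check_links(html_body):
    """Links: an address shown as link text must be where the link really goes."""
    parser = _Anchors()
    parser.feed(html_body)
    pairs = [(host_of(text.strip()), host_of(href)) for href, text in parser.links]
    return [f"link shows {s} but goes to {t}" for s, t in pairs
            if s and t and not domain_matches(t, {s})]
```

Calling `check_sender(SAMPLE_FROM)` and `check_links(SAMPLE_BODY)` returns one finding each; links whose visible text is ordinary wording rather than an address are not judged by this check and still need the hover test described above.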
Device Usage:
- Always sign out/log off and lock your device when you are finished accessing sensitive information.
- Update software frequently from known valid sources and keep your system current.
- Install, activate, and run the most recent version of reputable antivirus software, such as Bitdefender or Norton.
- Update your virus definitions on a regular basis through your antivirus software.
- Schedule virus scans to run regularly, immediately after definition updates, and immediately after any suspicious activity.
- Install and activate a personal firewall when possible.
- Keep your operating system (OS) current on all devices, including computers, tablets, and mobile devices.
- Set your browser's security level to a secure setting and avoid changing settings that make your browser less secure.
- Whenever possible, activate automatic update features for your browsers, antivirus, operating system, and software.
- Whenever possible on mobile devices, enable the ability to remotely wipe your device in the event it is lost or stolen.
ID Theft Prevention:
- Shred receipts, statements, expired cards, and sensitive information, including medical records.
- Review statements promptly and carefully. Report any unusual activity immediately.
- Positively identify anyone before you divulge any personal information and only if you have initiated the contact through a known, valid method.
- If conducting transactions via email, do not provide sensitive information or use the information provided. Use "out of band authentication" by calling a known, valid phone number to verify the email is legitimate and to provide sensitive information, and only after verifying the identity of the person.
- Periodically check your credit report through www.annualcreditreport.com. You may obtain one free annual credit report from each of the three major credit bureaus.
ATM/POS Usage:
- Protect your debit card and PIN. If your card or PIN is lost, stolen, or otherwise compromised, report this to the bank immediately.
- If your debit card or PIN is suspected to be lost, stolen, or otherwise compromised, block your card online if possible.
- Choose a secure PIN that is difficult to guess and different from your address, telephone number, or date of birth.
- Whenever possible, conduct an EMV chip transaction with your debit card and use your PIN for higher security.
- Always be mindful of people and your surroundings. If you feel uncomfortable, do not use the machine.
- Avoid ATMs that are in poorly lit areas, have no surveillance, and/or are isolated. These ATMs are targets for robbery or skimming.
- When you complete your transaction, immediately put away your card and your cash and make sure you receive a receipt.
- Observe the card reader and PIN pad. If an ATM or other POS device appears to be damaged or you are skeptical of the machine, do not use it. There could be a skimming device, shimming device, or PIN overlay that will capture your information.
Customer Contact Information:
In the event of suspicious activity, notification should be provided to the following resources:
Bank Account, Debit Card, or General Bank Notification:
The Citizens National Bank of McConnelsville
100 East Main Street
P.O. Box 329
McConnelsville, OH 43756
740-962-4565
Bank Compliance Notification:
Frannie J. Smedley
AVP of Compliance/BSA
frannie.smedley@cnbmoco.com
(740) 962-4565
Bank Information Security or Identity Theft Notification:
Dean W. Moore
VP of Operations
dean.moore@cnbmoco.com
(740) 962-4565
Credit Reporting Bureaus:
Equifax Information Services LLC
www.equifax.com
P.O. Box 740241
Atlanta, GA 30374-0241
800-685-1111
Experian
www.experian.com
701 Experian Parkway
P.O. Box 2002
Allen, TX 75013
888-397-3742
TransUnion
www.transunion.com
2 Baldwin Place
P.O. Box 1000
Chester, PA 19022
800-888-4213
Additional Resources:
Annual Credit Report: https://www.annualcreditreport.com
Better Business Bureau: https://www.bbb.org/data-security
Bureau of Consumer Protection: https://business.ftc.gov/privacy-and-security/data-security
Department of Homeland Security Cybersecurity Resource: https://www.dhs.gov/topics/cybersecurity
Federal Trade Commission's ID Theft Website: https://www.identitytheft.gov
Internet Crime Complaint Center: https://www.ic3.gov
NACHA: https://www.nacha.org/content/risk-management
National Cyber Security Alliance: https://www.staysafeonline.org
Small Business Information Security: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/