Customer Awareness Program

Understanding Reg. E Coverage

Regulation E is a Federal Reserve regulation that sets rules, liabilities, and procedures for electronic funds transfers (EFT), and establishes protections for consumers using EFT systems. This regulation prescribes rules for solicitation and issuance of EFT debit cards, governs consumer liability for unauthorized transfers, and requires financial institutions to disclose annually the terms and conditions of EFT services. For example, the regulation sets up an error resolution procedure for errors on EFT-related accounts.

A consumer claiming that funds were taken from an account by another person's unauthorized transfer without prior consent, or a transaction was posted improperly due to a bank bookkeeping error, can have the error corrected by notifying the financial institution holding the account. Once notice is given, the financial institution has from 10 to 45 days to investigate the complaint and recredit funds debited in error. The consumer's account liability is limited by regulation to $50 if the bank is notified of the error, but otherwise can be as high as $500.

Under the Error Resolution procedures in Regulation E, a consumer who claims his or her bank account was debited erroneously without his or her authorization may challenge the transaction. The consumer's bank has ten business days from the time the complaint is lodged to investigate and, if necessary, correct the error. If it cannot, the bank must return the funds debited, and it then has up to 45 days in most transactions to investigate the alleged error.

If you believe there has been an unauthorized or inaccurate electronic funds transfer on your account, please contact us as soon as possible.

Understanding Phishing

Thieves often pose as:

  • Financial institution
  • Credit card company
  • Online merchant
  • Utility or other biller
  • Internet service provider
  • Government agency
  • Prospective employer

"Phishing" is the latest form of identity theft, based on an old telemarketing scam but using email. These criminals send emails to millions of people hoping that even a few will give away valuable information.

They will act as if they are representing an organization and try to hook the consumer into providing personal or financial information. Once the consumer is hooked, the thieves can do lasting damage to a consumer's financial accounts.

They can dupe customers into providing their Social Security numbers, financial account numbers, Online Banking passwords, mothers' maiden names and other personal information.

Please note: Mega Bank will never request identifying information, account information, or Online Banking password information via email. If you have any question regarding the validity of a phone call or email requesting account information, please call your Mega Bank branch or (626) 282-3000 prior to responding to the request for information.

How it Works

Consumers receive an email that appears to come from an organization with which they do business. The email typically includes bogus appeals such as problems with an account or billing errors, and asks the consumer to confirm his/her personal information. Most emails ask recipients to follow an embedded link that takes them to an exact replica of the victim company's web site. Graphics on the counterfeit site are so convincing that even experts can often have a hard time distinguishing the fake site from the real one. Despite the convincing appeals, consumers should not respond to unsolicited emails that direct them to divulge personal identifying information. Reputable organizations that consumers legitimately do business with generally do not request account numbers or passwords unless the consumer initiated the transaction.

Clues to identifying a "Phishing" email:

  • Awkward greeting - A phish may address the customer with a nonsensical greeting or may not refer to the customer by name.
  • Typos & Incorrect Grammar - This is a technique used by phishers to avoid email filters. The errors are intentional.
  • Source code points to a different website than the alleged sender - The link looks official, but when your mouse cursor rolls over it, the link’s source code points to a completely different web site. Remember that you can always type a URL into your web browser instead of clicking on a link.
  • Urgent call to act - Different approaches include things such as "We're updating our records," "We've identified fraudulent activity on your account," or "Valuable account and personal information was lost due to a computer glitch." To encourage people to act immediately, the email usually threatens that the account could be closed or canceled.

What To Do

To avoid becoming the victim of a phishing scam, Mega Bank offers the following tips:

  • Do not click on links within an email unless you are sure of the sender. Many phishing emails include company logos or appear to come from government agencies, and appear legitimate. However, the links take you to a fraudulent website that has been set up to look like and feel just like the legitimate site. Check the URL carefully for differences in spelling, or go directly to a known website without the link. You may often find an alert on the legitimate site warning that a phishing email has been circulated by fraudsters.
  • Never give out your personal or financial information in response to an unsolicited phone call, fax or e-mail, no matter how official it may seem.
  • Do not respond to e-mail that may warn of dire consequences unless you validate your information immediately. Contact the company to confirm the e-mail's validity using a telephone number or web address you know to be genuine.
  • Check your credit card and bank account statements regularly and look for unauthorized transactions, even small ones. Some thieves use small transactions in hopes that they will go unnoticed. These small transactions are also used to test the bank account and routing numbers for future use. Report discrepancies immediately.
  • When submitting financial information online, look for the padlock or key icon at the bottom of your Internet browser. Also, most secure Internet addresses, though not all, use "https" in the URL.
  • Report suspicious activity to the Internet Crime Complaint Center. This organization is a partnership between the FBI and the National White Collar Crime Center.
  • If you have responded to an e-mail, contact Mega Bank immediately so we can protect your account and your identity.

Understanding Corporate Takeover

There has been a shift in the online criminal world from primarily targeting individuals to increased targeting of corporations. Financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid online banking credentials belonging to small and medium-sized businesses. Eastern European organized crime groups are believed to be predominantly responsible for these activities, which also employ witting and unwitting accomplices in the United States (money mules) to receive, cash and forward payments from thousands to millions of dollars to overseas locations via popular money and wire transfer services.

How it Works

Typically, compromise of the customer is carried out via a "spear phishing" e-mail that names the recipient correctly and contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers or payments on behalf of the business. Once the user opens the attachment, or clicks the link to open the Web site, malware is installed on the user’s computer. The malware usually consists of a Trojan keystroke logger, which harvests the user’s corporate online banking credentials. Criminal groups have used many types of spear-phishing messages, including ones impersonating the Better Business Bureau, US Court System, Microsoft Update, and UPS, to name a few.

The customer's online credentials are either uploaded to a website from where the fraudster can later download them, or, if the bank and customer are using a two-factor authentication system, the Trojan keystroke logger may detect this and immediately send an instant message to the fraudster alerting them of the secure web activity. The fraudster then accesses the financial institution through use of the captured username and password or through hijacking the secure web session.

The fraud is carried out when the fraudster creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as the legitimate user. These transfers have occurred through wire or ACH and are directed to the bank accounts of willing or unwitting individuals. Often within a couple of days, or even hours, of recruiting money mules and opening accounts, money is deposited and the mule is directed to immediately forward a portion of the money to subjects in Eastern Europe by various means.

What To Do

As a business owner, you need an understanding of how to take proactive steps and avoid, or at least minimize, most threats. Here are some suggestions that could help you:

  • Use a dedicated computer for financial transaction activity. DO NOT use this computer for general browsing and email;
  • Apply operating system and application updates (patches) regularly;
  • Ensure that anti-virus/spyware software is installed, functional, and updated with the most current version;
  • Have a host-based firewall installed on computers;
  • Turn off your computer when not in use;
  • Do not approve transactions by batching them together; be sure to review and approve each one individually;
  • Review your banking transactions and your credit report regularly;
  • Contact your information technology provider to determine the best way to safeguard the security of your computers and networks.

Other Resources

Other Resources regarding types of fraud, prevention, and reporting:

  • The Internet Crime Complaint Center (IC3) - a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). http://www.ic3.gov/default.aspx
  • Federal Deposit Insurance Corporation (FDIC) Identity Theft & Fraud Web Site. http://www.fdic.gov/consumers/theft/index.html
  • Anti-Phishing Working Group - The Anti-Phishing Working Group (APWG) is a non-profit global pan-industrial and law enforcement association focused on eliminating the fraud, crime and identity theft that result from phishing, pharming, malware and email spoofing of all types. http://apwg.org/
  • The Financial Fraud Enforcement Task Force Federal Trade Commission TC Consumer & Privacy Resources. http://www.stopfraud.gov/
  • Mega Bank contact information