Business Fraud Education Center

Welcome to QNB’s Business Fraud Education Center. This section of our website is dedicated to the ongoing education of our business customers on important cyber security and fraud prevention tips.

Tips to Avoid Becoming a Victim of a Scam or Fraud

Fraudsters impersonate banks, government entities, and vendors to get your money.

  • Before sending money from your account(s) to anyone, ensure you have validated all aspects of that transaction.
  • If you receive an email, text, or phone call advising you to act regarding your accounts or bills/invoices, it is best to slow down and investigate. Contact the bank, business, or person directly using the phone number you have on file, not one provided in a text, email, or phone call.
  • If you receive communication payment instructions or changes to payments, stop to confirm this is legitimate. If via email, confirm the email address matches previous communications and check the domain name; fraudsters are known to alter an email address just slightly.
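
The "check the domain name" advice above can be turned into a routine screen. The following is an added example written for this page, not QNB's or FS-ISAC's code: it compares the sender domain of an incoming From: header against domains you have already verified in past correspondence and flags exact matches, near-matches (one or two character edits, digit-for-letter substitutions) and the trick of embedding a trusted name inside an unrelated domain. The trusted-domain list, the character substitutions and the sample headers are all constructed for illustration.

```python
"""Added example, not QNB's code: flag sender domains that are near-matches
for vendors you already correspond with. Trusted domains and the sample
sender addresses below are constructed for illustration."""
from email.utils import parseaddr

# Constructed: domains seen in previous, independently verified vendor email.
TRUSTED_DOMAINS = {"acme-supplies.com", "qnbbank.com"}

# Common look-alike substitutions; both sides are normalised the same way,
# so a legitimate domain never changes class because of this mapping.
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    d = domain.lower().strip().rstrip(".")
    return d.replace("rn", "m").replace("vv", "w").translate(_SINGLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; written for readability rather than speed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for the address in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid", "no address in From header"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")

    if domain in trusted:
        return "trusted", f"exact match for {domain}"
    for t in trusted:
        if domain.endswith("." + t):
            return "trusted", f"subdomain of {t}"
    # A trusted name appearing *inside* another domain is a classic trick:
    # acme-supplies.com.invoice-portal.net is controlled by invoice-portal.net.
    for t in trusted:
        if t in domain:
            return "lookalike", f"{t} embedded in {domain}"
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if norm == tn:
            return "lookalike", f"character substitution for {t}"
        if levenshtein(norm, tn) <= 2:
            return "lookalike", f"within 2 edits of {t}"
    return "unknown", "domain not previously seen; verify out of band"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in [
        "Acme Billing <billing@acme-supplies.com>",
        "Acme Billing <billing@acme-supp1ies.com>",
        "Acme Billing <billing@acme-supplies.co>",
        "Acme Billing <billing@acme-supplies.com.invoice-portal.net>",
        "Someone <someone@example.org>",
    ]:
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" or "unknown" verdict is not proof of fraud; it is the cue to stop and confirm the payment instruction by phone, using the number already on file, before anything moves.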

QNB Bank and other legitimate financial service providers will not call, email, or text you and ask you to provide access to your personal information, online banking, computer, or IT network.

  • This includes your online banking user ID and password, Social Security Number or EIN, and security codes such as access or multi-factor authorization codes. Legitimate banks, credit card companies, financial service providers, and technical support will not contact you to ask for this information either!

Protect your mobile phone and computer by not allowing access!

  • Fraudsters may ask you to download a program that gives them remote access to your mobile phone or computer, letting them intercept online banking messages and security codes such as access or transaction authorization codes. Also, do not let other people have physical access to your devices.

Anyone trying to rush you to make changes to your payments or banking should be treated with caution.

  • Legitimate entities will allow you the time to validate. If anyone is pressing or rushing you, this can be a red flag that something is not legitimate.

Protect Against Check Fraud

  • Use gel ink when writing or printing checks to protect against check washing.
  • Review accounts daily to validate and ensure that checks posting to your account are for the correct amount and that the payee has not been altered. Businesses may enroll in a positive pay service to manage and approve in-clearing items.
  • If a check remains outstanding longer than normal, confirm that the payee received it; a check that never arrived may have been stolen.

Protect your business from fraud with QNB’s Positive Pay, a powerful tool that helps you detect and stop suspicious activity in your business checking account before it happens.

Is Your Business Prepared for Social Engineering?

The Federal Bureau of Investigation (FBI) recently announced that individuals and businesses should be aware of social engineering techniques used by cyber criminals to gain access to financial, corporate, and network accounts. The techniques described below have recently been observed in use against victims. Obtaining personal information through these techniques gives cyber criminals the ability to invade a victim's network, steal a victim's data, and extort victims by threatening to release private data.

Social Engineering Tactics, Techniques, and Procedures

Impersonating Employees

Impersonating employees is a technique in which cyber criminals obtain credentials, pose as company employees, and contact IT and/or helpdesk staff to have employee login information updated, gaining access to the company's network.

SIM Swapping

SIM swapping is a technique in which cyber criminals contact a victim's mobile carrier and convince the mobile carrier to transfer the victim's mobile phone number to the cyber criminal's SIM card. In other words, the victim's mobile phone number is transferred by the mobile carrier to a physical device in the cyber criminal's control. This transfer request may be made in person at the mobile carrier's retail store or by calling the mobile carrier's customer service line.

To transfer the mobile phone number, the cyber criminal must provide personal identifying information and must answer security questions from the mobile carrier to confirm the account holder's (i.e., the victim's) identity. By gaining access to the victim's phone number, the cyber criminal can potentially bypass multi-factor authentication that is set up to protect a victim's online financial and other network accounts. That means the cyber criminal may be able to access the victim's accounts and then steal funds and/or other personal data from those accounts. For more information on SIM Swapping, please see the Public Service Alert I-020822-PSA: Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars from the US Public.

Call Forwarding and Simultaneous Ring

Call forwarding is a technique in which cyber criminals contact a victim's mobile carrier to forward the victim's mobile phone number to the cyber criminal's phone number. Cyber criminals may also deceive the mobile carrier to set up the simultaneous ring function to enable the cyber criminal’s phone to be reached when a victim's phone number is dialed. Call forwarding and simultaneous ring features may be enabled by contacting the mobile carrier or by dialing a code that begins with an asterisk (*) from the victim’s phone. These features may allow cyber criminals to bypass multi-factor authentication, similar to the SIM swapping scheme described above.

Phishing Campaigns

Phishing is a type of social engineering in which cyber criminals pose as a trusted institution (bank, employer, etc.) or as the employer's VPN portal to solicit victim information and login credentials. For example, the criminal may send an email that appears to be from the victim's phone company asking the victim to click a link to update account information or may direct the victim to a new employer portal to access a corporate intranet. After clicking the link, the criminal will collect any personal information entered (i.e., employer credentials, birthday, SSN, account number, password, answers to security questions, etc.). For more information on phishing, please see the Multi-State Information Sharing and Analysis Center (MS-ISAC) publication, Phishing Guidance: Stopping the Attack Cycle at Phase One, and Cybersecurity and Infrastructure Security Agency Publication, Implementing Phishing-Resistant MFA.

Tips On How to Protect Yourself

The FBI recommends individuals take the following precautions:

  • Do not reply to calls, emails, or text messages that request personal information, such as your password, PIN, or any one-time password sent to your email or phone. If someone claiming to be a company "representative" contacts you and asks you to provide personal information or to verify your account by providing a code, initiate a new call to that company by dialing the customer service line of the company that you independently verified.
  • Reach out to your mobile carrier to disable or block SIM card changes, Call Forwarding, and Simultaneous Ring.
  • Ensure that you have set a unique password for your voicemail on your mobile phone.
  • Regularly review your mobile phone provider's account page to monitor account login history or any changes made.
  • Avoid posting personal information online, such as mobile phone numbers, addresses, or other personal identifying information.
  • Use "strong" passwords that are unique and random, contain at least sixteen characters, and are no more than 64 characters in length. Avoid reusing passwords and disable password "hints."
  • Use online or mobile banking to check your accounts frequently to look for any suspicious activity.

The FBI recommends companies take the following precautions:

  • Add an email banner to emails received from outside your organization. For example, label emails received from outside of your organization as "EXTERNAL EMAIL."
  • Consider disabling or blocking SIM changes and Call Forwarding for employee equipment.
  • Monitor accounts for suspicious login attempts or compromised credentials and implement multiple failed login attempt account lockouts.
  • Refine multi-factor authentication (MFA):
    • Do not use email-based MFA.
    • Monitor privileged logins for unusual activity.
    • For bring your own device (BYOD) equipment, require MFA enrollment.
  • Prevent employees from logging in using anonymous virtual private network (VPN) services.
  • Educate help desk and customer support staff about social engineering and phishing schemes used by cyber criminals. Education should include but not be limited to:
    • Regular training using real phishing examples from current high-profile threat groups, such as Scattered Spider.
    • Immediate reporting protocols of suspicious messages and interactions to abuse teams.
    • How to authenticate calls from third-party authorized retailers requesting customer information.
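
The "multiple failed login attempt account lockouts" and "monitor privileged logins for unusual activity" items above describe a control that can be expressed in a few dozen lines. What follows is an added example written for this page, not QNB's or the FBI's code: a sliding-window lockout replayed over constructed authentication log lines. The log format, the five-failures-in-ten-minutes threshold, the thirty-minute lockout and the user names and addresses are all assumptions made for illustration.

```python
"""Added example, not QNB's or the FBI's code: a sliding-window failed-login
lockout run over constructed authentication log lines. The log format, the
5-failures-in-10-minutes threshold and the 30-minute lockout are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed policy: 5 failures ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes ...
LOCKOUT = timedelta(minutes=30)  # ... lock the account for 30 minutes

# Constructed log lines: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:20 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:41 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:01:05 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:01:30 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:02:10 OK user=jsmith src=203.0.113.7
2024-05-01T09:05:00 FAIL user=adoe src=198.51.100.4
2024-05-01T09:05:30 FAIL user=adoe src=198.51.100.4
2024-05-01T09:06:00 OK user=adoe src=198.51.100.4
2024-05-01T09:10:00 FAIL user=bwong src=192.0.2.9
2024-05-01T09:25:00 FAIL user=bwong src=192.0.2.9
2024-05-01T09:40:00 FAIL user=bwong src=192.0.2.9
2024-05-01T09:55:00 FAIL user=bwong src=192.0.2.9
"""


def parse_line(line: str):
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def evaluate(log_text: str):
    """Replay the log in order; return (timestamp, event, user, src) tuples."""
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside WINDOW
    locked_until = {}
    events = []
    for line in log_text.strip().splitlines():
        ts, result, user, src = parse_line(line)
        if ts < locked_until.get(user, ts):
            # Attempt refused outright while the lockout is in force, even
            # if the password would have been correct.
            events.append((ts, "REJECTED_LOCKED", user, src))
            continue
        window = recent_failures[user]
        if result == "FAIL":
            window.append(ts)
            while ts - window[0] > WINDOW:   # drop failures older than WINDOW
                window.popleft()
            if len(window) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                window.clear()
                events.append((ts, "LOCKOUT", user, src))
        else:
            # A success right after a burst of failures is what a guessed or
            # stuffed credential looks like; surface it for review.
            if window:
                events.append((ts, "SUCCESS_AFTER_FAILURES", user, src))
            window.clear()
    return events


if __name__ == "__main__":
    for ts, event, user, src in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {event:24} user={user} src={src}")
```

The third user in the sample, who fails once every fifteen minutes, never trips the lockout: a fixed counter that only resets on success would have caught that slow pattern, while a time window lets it through, so the window length is a policy decision and the SUCCESS_AFTER_FAILURES event exists precisely to catch what the counter misses.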

If You Think You've Been Scammed

If your organization has fallen victim to a social engineering attack involving the transfer of money from your QNB account:

  1. Contact your QNB branch or relationship manager immediately so we can attempt to stop the transfer and potentially recover any funds that may have been sent.
  2. Report suspicious activity to the FBI's Internet Crime Complaint Center (IC3) and your local law enforcement agency.

QNB Reminder

We will never make unsolicited calls asking for your private information, such as Online & Mobile Banking username and password, secure access code, account number, debit card number, expiration, CVV, or PIN. Under any circumstances, do not give out private information to anyone calling you, including those who may fraudulently represent themselves as working for QNB. Fraudsters can make the number they are calling from look like a legitimate bank or fraud center number. When in doubt, hang up and call QNB directly at 1-800-491-9070.

Information provided by FS-ISAC, Inc.

Protect Yourself from Business Email Compromise Attacks

In today's interconnected world, BEC (Business Email Compromise) has emerged as one of the most prevalent and financially damaging forms of cybercrime. It affects organizations of all sizes and across all industries.

What is Business Email Compromise?

Business Email Compromise refers to a type of cyberattack wherein fraudsters send an email message that appears to come from a known trusted source such as an executive or business partner. These attackers often carefully research their targets to craft convincing emails that appear legitimate, tricking recipients into taking actions such as transferring funds, paying forged invoices, or disclosing sensitive information.

Common Tactics Used in Business Email Compromise Attacks

  • Email Spoofing: Attackers spoof email addresses to make it appear as though messages are coming from a trusted source within the organization, a known business partner, or a vendor.
  • Compromised Accounts: Hackers gain access to legitimate email accounts through various means, such as phishing attacks, malware, or credential theft.

Impact of Business Email Compromise Attacks

The consequences of falling victim to a BEC attack can be severe and lead to financial loss, reputational damage, and legal liability. According to the FBI's 2023 Internet Crime Report, BEC complaints amounted to $2.9 billion in reported losses, making it imperative for businesses to prioritize cybersecurity measures and employee awareness training.

Preventative Measures and Best Practices

To mitigate the risk of BEC attacks, implement the following preventive measures:

Employee Training:

  • Provide comprehensive cybersecurity awareness training to your employees to educate them on the various forms of BEC attacks and how to identify suspicious emails.
  • Train employees to spot red flags, such as urgent requests, unusual payment requests or methods (e.g., gift cards), or changes in vendor details such as account information.

Robust Payment Verification Procedures:

  • Establish clear verification procedures for validating requests involving sensitive information or financial transactions, especially when initiated via email.
  • Always verify payment requests via phone or in person. Use known contact information, not details provided in the email.

Enhanced Email Authentication:

  • Enforce multi-factor authentication (MFA) for accessing email and other sensitive systems and accounts to add an extra layer of security.
  • Ask your IT or email service provider to implement email authentication protocols such as SPF, DKIM, and DMARC to prevent email spoofing and domain impersonation.
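
Asking your provider to "implement SPF, DKIM, and DMARC" is only half the job; the records also have to be set to enforce. The following is an added example written for this page, not QNB's code: it parses an SPF record and a DMARC record as an email administrator would read them and reports the settings that leave a domain spoofable (a permissive `all` term, a `p=none` policy, a partial `pct`, no reporting address). The record strings are constructed; in practice they come from a DNS TXT lookup of the domain and of `_dmarc.` followed by the domain.

```python
"""Added example, not QNB's code: grade a domain's SPF and DMARC TXT records
the way an email administrator checks them. The records below are
constructed strings; in practice you fetch them with a DNS TXT lookup of
<domain> (SPF) and _dmarc.<domain> (DMARC)."""
import re

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record"]}
    findings, all_qual, lookups = [], None, 0
    for term in terms[1:]:
        t = term.lower()
        qual, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        name = re.split(r"[:=/]", body, 1)[0]
        if name == "all":
            all_qual = qual            # what happens to unlisted senders
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_qual == "~":
        findings.append("~all only soft-fails unlisted senders; DMARC must do the enforcing")
    elif all_qual != "-":
        findings.append(f"'{all_qual or 'no '}all' term: anyone may send as this domain")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed RFC 7208's limit of 10; receivers return permerror")
    return {"valid": True, "all": all_qual, "lookups": lookups, "findings": findings}


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is sending as your domain")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p (RFC 7489)
    if subdomain_policy not in ("quarantine", "reject"):
        findings.append(f"sp={subdomain_policy or 'missing'}: subdomains remain spoofable")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


def grade(spf_record: str, dmarc_record: str) -> dict:
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    if (dmarc.get("policy") in ("quarantine", "reject") and dmarc.get("pct") == 100
            and spf.get("all") in ("-", "~")):
        verdict = "enforcing"      # spoofed mail is quarantined or rejected
    elif dmarc["valid"]:
        verdict = "monitoring"     # records exist but do not block spoofing
    else:
        verdict = "unprotected"
    return {"verdict": verdict, "findings": spf["findings"] + dmarc["findings"]}


# Constructed records: a weak pair and a hardened pair for the same domain.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ?all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 mx include:_spf.mail-provider.example -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", GOOD_SPF, GOOD_DMARC)):
        result = grade(spf, dmarc)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Many domains sit at "monitoring" for years because `p=none` was the safe first step and nobody came back to tighten it; the aggregate reports delivered to the `rua` address are what tell you whether every legitimate sender is already covered, so that moving to `p=reject` does not block your own invoices.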

Conclusion

Business Email Compromise poses a significant threat to organizations like yours. Protect yourself by implementing robust cybersecurity measures and fostering a culture of vigilance among your employees. By staying informed about the latest cyber threats, adopting best practices, and investing in cybersecurity solutions, you can better protect yourself against the risks associated with BEC attacks.

If your organization has fallen victim to a business email compromise scam involving the transfer of money from your QNB account:

  1. Contact your QNB branch or relationship manager immediately so we can attempt to stop the transfer and potentially recover any funds that may have been sent.
  2. Report suspicious activity to the FBI's Internet Crime Complaint Center (IC3) and your local law enforcement agency.

For more information on Business Email Compromise, see the FBI’s Business Email Compromise page on its website.

Raising the Security Level in Your Business

Businesses come in all shapes and sizes. Unfortunately, so do threats.

According to a March 2023 report by Expert Insights, the biggest, most damaging and most widespread threat facing small businesses is phishing. Phishing accounts for 90% of all breaches that organizations face, phishing attacks have grown 65% over the last year, and they account for over $12 billion in business losses. A phishing attack occurs when an attacker pretends to be a trusted contact and entices a user to open the email.

Within the email, the attacker may include an attachment or link that downloads a malicious file or leads to a malicious site designed to collect credentials and other information. Collected information can lead them to areas containing high-value confidential information including account data.

Reducing Your Risk

Perhaps you currently outsource information technology security operations to a third-party service provider. For many small banks or credit unions, outsourcing information technology and security services may make sense, mostly due to a lack of expertise or perhaps cost.

Like any vendor relationship, it requires close management and monitoring to ensure your interests are being met. Consider the following:

  • Are you sure that system vulnerabilities are being patched timely? How are you verifying this?
  • Are you being notified of signs of potential probing and cyber-attacks?
  • Do you require the vendor to undergo an independent audit and provide you with a certification?
  • Where is the provider obtaining their threat-intelligence?

Layered Security Approach

No security tool or measure is perfect, so you need to account for potential failures. Adding multi-factor authentication (MFA) when accessing your critical assets (e.g., customer records, employee data and healthcare information) is a baseline standard you should adopt.

MFA requires more than one distinct authentication factor for successful authentication. The three possible authentication factors are:

  1. Something YOU KNOW (password or PIN),
  2. Something YOU HAVE (badge or phone), and
  3. Something YOU ARE (biometrics such as fingerprint, voice, or retina)

Utilizing multi-factor authentication provides the following benefits:

  • Strengthens defenses against open-source intelligence exposure.
  • Adds another layer of protection when backups fail.
  • Reduces shadow IT risk.
  • Lowers email infiltration risk.

Cyber Insurance

MFA is fast becoming a cyber insurance requirement for all accounts, privileged and non-privileged, to protect on-site and remote access. IS Decisions publishes a quick guide to understanding the MFA insurance mandate.

In Summary

You have invested too much time and money in your business to see it get wiped out overnight by cybercriminals. Invest in some essential layers of security to reduce your cyber risks and keep your business both operating and profitable.

Information provided by FS-ISAC, Inc.

What You Need to Know About Ransomware

What Is Ransomware?

Ransomware is a type of malicious software that encrypts data on a computer, making it inaccessible. A cybercriminal then holds the data hostage until a ransom is paid. Cybercriminals may also pressure victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public. The ransom demands are usually in the form of cryptocurrency, such as Bitcoin, and can range from as little as several hundred dollars up to several million dollars.

The most common means of infection are:

  • Email phishing campaigns wherein malicious attachments/links are sent in an email.
  • Network intrusion through poorly secured ports and services.
  • Exploiting software vulnerabilities.

Why Should Ransomware Concern You?

Ransomware is a growing and expensive problem. In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million (up from $8.9 million in 2019).

Many of these incidents resulted in significant network downtime, delayed services to constituents and customers, and costly remediation efforts.

Victims of ransomware risk losing access to their systems and files. In many cases, they may also experience financial loss due to legal costs, purchasing credit monitoring services for employees or customers, or ultimately deciding to pay the ransom. Tragically, ransomware attacks have even caused many businesses to fold.

Additionally, IT and other business service providers are targeted to push out ransomware to multiple entities. The cybercriminals first compromise these vendors and then exploit the trusted vendor-customer relationship to disseminate the ransomware.

What You Can Do About Ransomware

Defending against ransomware requires a holistic, all-hands-on-deck approach. Given that phishing is one of the primary means for ransomware, everyone should:

  1. Think before clicking on email links or opening attachments.
  2. Verify the sender of an email containing links or attachments before clicking, opening or providing credentials.
  3. Resist letting the apparent urgency of an email cause you to forget to do steps one and two.

Due to the effectiveness of well-crafted phishing emails and drive-by downloads from otherwise legitimate sites, ransomware infections are not entirely preventable. However, the risk of ransomware can be significantly reduced. The first place to start is to keep all your computers, devices, and software patched.

Organizations should also implement cybersecurity policies and procedures, and conduct cybersecurity user awareness and training. Employees should be provided with guidance on how to identify and report suspicious emails, activities or incidents. Ideally, an awareness program would also include organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails. When employees can spot and avoid malicious emails, they help protect the organization.

The most effective strategy to mitigate the risk of data loss resulting from a successful ransomware attack is having a comprehensive data backup process in place. However, backups must be stored off the network and tested regularly to ensure integrity and assess the amount of time it takes to retrieve and restore them.

The FBI does not encourage paying a ransom to criminal actors. Paying the ransom does not guarantee that your files will be recovered or that the criminals won’t demand additional ransom to not release confidential information they’ve also exfiltrated. Additionally, paying a ransom may embolden adversaries to target additional organizations and encourage other criminal actors to engage in the distribution of ransomware or otherwise support these illicit activities.

Where You Can Report Ransomware

If your organization is the victim of a ransomware infection, follow your organization’s incident response procedures to report it. The FBI urges you to report ransomware incidents to your local field office or the FBI’s Internet Crime Complaint Center (IC3).

Alternatively, the Cybersecurity and Infrastructure Security Agency (CISA) provides a secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities. To submit a report, visit https://us-cert.cisa.gov/report.

Is Your Business at Risk?

For many small businesses, any fraud loss is a huge loss. Have you examined all of the areas where you are at risk to fraud? Use this Fraud Exposure Checklist to find out.

  1. Do bank statements arrive at your desk unopened?
  2. Do you personally review bank statements every month?
  3. Do you personally review daily account activity online via your online balance reporting to spot irregular entries? If not, is this done by someone who has no signing authority on the account(s)?
  4. If you utilize ACH transactions or wire transfers, is there a second level of approval on all outgoing funds transfers?
  5. Do you have an approved vendor list for your payables, and do you review it periodically?
  6. If you receive cash, do you have dual controls in place? Can you see that the cash actually made it to the bank in the deposit?
  7. Do you review payroll reports and verify that payees and amounts are appropriate? Can you put a name and face with each payroll check?

Did you answer “no” to any of these questions? If so, your company may be at risk for fraud. Are there other areas in which you may have additional fraud risk? Continue your assessment below.

Accounts Receivable/Payable Controls

  1. Do you, or a responsible employee (other than the bookkeeper or A/R clerk):
    • Open the mail and pre-list all cash receipts before turning them over to the bookkeeper?
    • Compare the daily pre-listing of cash receipts with the cash receipts journal, duplicate deposit slip, and bank statement?
  2. Are cash receipts deposited intact on a daily basis?
  3. Are cash receipts posted promptly to appropriate journals?
  4. Are cash sales controlled by cash registers or pre-numbered cash receipt forms?
  5. Are invoices paid to your known vendor list?

Electronic Banking

  1. Do you have complete access to your online banking program? Do you use it daily? Do you use multi-factor authentication?
  2. Do you or a trusted administrator safeguard and monitor who can access the system and what they can see/do?
  3. Does your Network Administrator require hard-to-guess passwords and multifactor authentication?
  4. Do you have a policy in place to require that passwords be protected and never shared?
  5. Do you review ACH/wire transfers (both outgoing and incoming) regularly?
  6. Do you have a change management policy in place to revoke terminated employee access to systems when necessary?
  7. Do you use Positive Pay for issued checks and/or Blocks and Filters for electronic entries?

Other Risk Areas

  1. Are annual one-week vacations mandatory for all employees, with no network access to books, cash, or receivables duties while they are away?
  2. Are employees cross-trained so no one individual is always responsible for a specific duty without oversight?

Information provided by FS-ISAC, Inc.