What is a fraudulent, spoofing or phishing e-mail?

A fraudulent (a.k.a. spoofing, imposter, or phishing) e-mail involves the mass distribution of "spoofed" e-mail messages with return addresses, links, and branding which falsely appear to come from a particular organization (such as a bank, insurance company, retailer or credit card company). These fraudulent messages are designed to fool the recipients into divulging sensitive personal data such as credit card numbers, bank account numbers and passwords, social security numbers, etc. Because these emails look "official," an average of 5% of recipients respond to them, resulting in financial losses, identity theft, and other fraudulent activity. It's often hard to detect a fraudulent e-mail. That's because the visible e-mail address of the sender often seems genuine (such as support@cnbohio.com), as do the design and graphics. But there are telltale signs to be aware of. For example, fraudulent e-mails often try to extract personal information from you:

• By luring you into providing it on the spot (e.g., by replying to the e-mail).
• By including links to a 'phishing' website that tries to get you to disclose personal data.
• By threatening to close or disable your account if you don't provide the requested information.
• By announcing that someone wants to send you money and needs your bank account information to complete the transaction.
• By asking you to re-activate or verify your account information because of recent security upgrades or software enhancements.
• By name impersonation. Be sure the name referenced in the email is the exact name of the business or person you believe it to be from. Oftentimes fraudsters will use a name that's close, but not exactly right.

Other Phishing Scams

A new form of phishing, known as Facebook phishing has materialized. In this scam, prompted by a Facebook message sent from a friend's account, users are sent to websites constructed to mirror Facebook's log-in page. They then enter an e-mail address and password. It perpetuates the scam by hacking into users' accounts and re-sending the link to their friends in a message simply labeled "Hello" that contains the link. This allows the hacker access to the Facebook user's friend list. Users should never click an unidentified link and should be vigilant about checking the web adress in the browser window. CNBBD will never message its fans with just a "Hello" in the subject line, nor will we ever ask for private information, such as a username or password through instant message or by email.

Has this happened at CNBBankDirect?

Fraudulent e-mail messages from sources claiming to be either CNBBankDirect or something with the Citizens name in the title have been reported. Fraudulent e-mails claiming to be from the FDIC have also been reported by our customers. We assure you that these messages have not compromised our systems or your accounts in any way. We take these incidents seriously and work with law enforcement agencies to investigate them.

If you ever receive suspicious e-mails claiming to be from CNBBD, please notify us right away.

CNBBD will never send you an e-mail asking for your sensitive personal information such as passwords, social security number, credit card numbers or other sensitive information.

If you're suspicious about the true identity of any website page, right-click on any open space on the page (not a link, graphic or text) and choose Properties from the pop-up menu. You'll see a box with the real address displayed. Imposter websites will likely have a long address and may contain 'cnbbankdirect', but to ensure you are visiting an authentic CNBBD site the beginning of the address should always appear like this http://www.cnbbankdirect.com. In certain cases there may be additional file info following the http://www.cnbohio.com such as http://cnbbankdirect.com/News.asp. This is still a legitimate CNBBD website page because the 'cnbbankdirect' immediately follows the 'http://www.'.

Never trust that the link address you "see" is the link you'll be connected to if you click on it. For example, you might expect that the link below will connect you to the FDIC website, however when you click on it you will see that what is displayed in the main message body is not what is programmed into the message code. If you click the example link below you will see that it is scripted to open a website for the American Cancer Society.

http://www.FDIC.org

In a real phishing situation you might see http://www.FDIC.gov in your message body, but it would link you to a hoax website where you would be asked to divulge personal information. To avoid clicking on a suspicious link, you can roll your mouse over the link and see what is displayed in the bottom of your browser window.

Protect Your Passwords

Use strong passwords or personal identification numbers for your Internet accounts. Choose passwords that are difficult for others to guess, and use a different password for each of your online accounts. CNBBD suggests that your passwords contain both letters and numbers and a combination of lower and upper case letters.

Stay Safe on Websites

Leave suspicious sites. If you suspect that a website is not what it claims to be, leave the site immediately. Do not follow any of the instructions it presents. Do not send sensitive personal or financial information unless it is encrypted on a secure website. Regular e-mails are not encrypted and are more like sending a postcard through the mail - anyone can see it. Look for the padlock symbol on the bottom bar of the browser to ensure that the site is running in secure mode BEFORE you enter sensitive information. When you click on our secure contact form, you will see the secure padlock at the bottom of the browser window. Be aware! Phony "look alike" websites are designed to trick consumers and collect their personal information. Make sure that websites on which you transact business post privacy and security statements, and review them carefully. Take note of the header address on the website. Most legitimate sites will have a relatively short internet address that usually depicts the business name followed by ".com," or possibly ".org." Spoof sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all. Do business only with companies you know and trust.

Be Cautious with E-mail

Be alert for scam e-mails and don't reply to any e-mail that requests your personal information. Be very suspicious of any e-mail from a business or person that asks for your password, Social Security number, or other highly sensitive information--or one that sends you personal information and asks you to update or confirm it. If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or website address you know to be genuine. If you need to update your information online, use the normal process you've used before, or open a new browser window and type in the website address yourself. If a website address is unfamiliar, it's probably not real. Only use the address that you have used before, or start at your normal homepage. Do not click on links within the suspected phish e-mail - they may be spoofed. Open e-mails only when you know the sender. Be especially careful about opening an e-mail with an attachment. Even a friend may accidentally send an e-mail with a virus.