Protecting Your Privacy and Funds
First Business Financial Services, Inc., which includes First Business Bank, First Business Bank-Milwaukee, and Alterra Bank (collectively, "Bank" or "Banks"), takes the security of your financial information very seriously. We have a robust Information Security Program that includes investing in technology to protect your confidential information from outside attack, ensuring that bank records are maintained in secured facilities, and providing regular training to employees on the Banks' security policies as well as proper methods to communicate with you, our clients, in a secure and confidential manner.
Identity theft, check fraud, corporate account takeover, and other financial fraud schemes are ever increasing and becoming more sophisticated. We recognize the importance of having Security Procedures to assist and protect you from these types of fraud schemes and have put together commercially reasonable Security Procedures ("Security Procedures") to minimize risk while managing personal and corporate accounts.
If you are a business, please share this information with employees that interact with your finances.
The Bank staff will never initiate a request for sensitive information from you (i.e. social security number, personal login ID, password, PIN or account number) through an unsolicited e-mail message or phone call.
How to Protect Yourself
- Take advantage of all security enhancement products and options provided to you by the Banks. For clients with bank deposit accounts, we offer certain products, such as Positive Pay, Payee Positive Pay, and ACH Positive Pay that may reduce the risks associated with certain accounts. These products may be subject to a fee. We may also make you aware of additional products in the future designed to further mitigate the risk of future threats. If you are a commercial client and you continue to use mobile or internet banking services without subscribing for the enhanced security measures that we may offer now and in the future, you understand and agree that you assume all liability resulting from any losses or damages that could otherwise have been prevented by such Security Procedures or precautions, including, without limitation, losses or damages resulting from any unauthorized altered, counterfeit or fraudulent item or ACH transaction. Immediately notify the Bank of any suspicious activity by calling Client Services at 608-232-5938 (Madison), 262-792-1400 (Milwaukee), 920-734-1800 (Northeast, Wisconsin), or First Business Trust & Investments at 608-218-8000.
- Review your banking transactions on a daily basis and your credit report at least annually.
- Store extra checks, debit and credit cards, documents that list your Social Security number or Tax Identification Number, and similar items in a safe place. Shred all credit or debit card receipts and solicitations, ATM receipts, bank account and credit card statements, voided checks, and other financial documents before you throw them away.
- Replace paper invoices, statements and checks with electronic versions, if offered by your employers, utility company or other third-party vendor. The Bank offers electronic statements for deposit and employee benefit accounts, and the Banks offer bill payment to eliminate the risk of outgoing mail being stolen.
- Always have updated phone numbers, including a cell phone when possible, set up in online banking and with the Banks in the event you are contacted by the Bank to validate your identity. Out-of-band authentication will be performed for our internet banking systems (Business Internet Banking or Consumer Internet Banking) if your access device is not recognized when logging in, or when you originate ACH or wire transactions.
- Usernames and Passwords:
  - Use complex passwords with at least 8 characters, including lower-case and upper-case letters, numbers and special characters. Do not use names, birthdays, or other personal details that might be guessed or easily determined.
  - Change your password regularly, every 30 or 60 days.
  - Commit passwords and answers to security questions to memory, or, if you must write them down, store them in a secure location where only you know what it is and where it is.
  - Never share your password or answers to security questions with others.
  - Avoid using the same username, password or security question across your online accounts.
- Web Browser:
  - Use the latest version of your web browser with "pop-up" blockers enabled.
  - Clear the web browser cache before you begin an online session.
  - Limit browsing to websites that you know are safe.
  - Limit, or avoid altogether, downloading of programs and information.
- Access Devices:
  - Never access an online session using a public computer, public Wi-Fi or kiosk.
  - Never leave a device unattended while accessing an online session.
  - Keep your devices up-to-date with the latest operating systems and patches, applications, and security software such as anti-virus and malware protection.
  - Use a firewall and intrusion detection and/or prevention with your access device whenever possible.
Identity theft occurs when your personal or business information is stolen and used without your knowledge to commit fraud or other crimes. Identity theft can cost you time and money. It can destroy your credit and ruin your reputation.
The Bank offers the following Security Procedures from the Federal Trade Commission related to avoiding identity theft:
- Deter identity thieves by safeguarding your information.
  - Shred financial documents and paperwork with personal information before you discard them.
  - Protect your Social Security number. Keep a close hold on your Social Security number and ask questions before deciding to share it. Ask if you can use a different kind of identification. If someone asks you to share your SSN or your child's, ask: why they need it, how it will be used, how they will protect it, and what happens if you don't share the number.
  - Don't give out personal or business information on the phone, through the mail or over the Internet unless you know the entity you are dealing with. Avoid disclosing personal or business financial information when using public wireless connections.
  - Never click on links sent in unsolicited emails. Instead, type in the source page of the website using a separate tab or window. Use firewalls, anti-spyware and anti-virus software to protect your home computer. Keep this software current. If you use peer file sharing, check the settings to make sure you are not sharing other sensitive private files.
  - Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your house.
  - Promptly retrieve incoming mail to limit the opportunity for theft. Know your billing and statement cycles. Contact your vendor if you stop receiving your regular invoice or statement.
- Detect suspicious activity by routinely monitoring your financial accounts and billing statements.
  - Be alert to the following signs that require immediate attention:
    - Unexpected debit or credit cards or account statements
    - Denials of credit for no apparent reason
    - Calls or letters about purchases you did not make
    - Charges on your financial statements that you don't recognize
  - For consumers, inspect your credit report. Credit reports contain information about you, including?
  - Know what accounts you have and your bill paying history. The law requires the major credit reporting companies, Equifax, Experian, and TransUnion, to give you a free copy of your credit report every 12 months if you request it.
    Visit www.AnnualCreditReport.com or call 1-877-322-8228. This is a service created by these companies to allow you to order your free annual credit report. You can also write to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
- If you think you are a victim of fraud such as ID theft or corporate account takeover:
  - For consumers, place a "Fraud Alert" on your credit reports, and review the reports carefully. The alert tells creditors to follow certain procedures before they open new accounts in your name or make changes to your existing account. The three nationwide consumer reporting companies have toll-free numbers for placing an initial 90-day fraud alert; a call to one company is sufficient:
    - Experian: 1-888-EXPERIAN (397-3742)
    - TransUnion: 1-800-680-7289
    - Equifax: 1-800-525-6285
  - Placing a fraud alert entitles you to free copies of your credit reports. Look for inquiries from companies you haven't contacted, accounts you didn't open and debts on your accounts that you can't explain.
  - Immediately cease all activity from computer systems that may be compromised.
  - Immediately contact the Bank so the following actions may be taken:
    - Online access to the accounts must be disabled
    - Online account passwords must be changed
    - A new account(s) may need to be opened

    Fraud detection and prevention services such as ID theft insurance for consumers, ACH debit block and filter, and payee positive pay are strongly recommended.
  - File a police report. File a report with law enforcement officials to help expedite the potential for correction and to serve as proof for third-party vendors who may want proof of the crime. Obtain a police report number with the date, time, department, location and the name of the officer taking the report. A filed police report will help facilitate reporting a claim with insurance companies or other third parties.
  - Report the theft to the Federal Trade Commission ("FTC"). Your report helps law enforcement officials across the country in their investigations. Review the FTC's recommendations.
    - Online: ftc.gov/idtheft
    - By phone: 1-877-ID-THEFT (438-4338) or TTY, 1-866-653-4261
    - By mail: Identity Theft Clearinghouse, Federal Trade Commission, Washington, DC 20580
  - Contact the Internet Crime Complaint Center. This organization is a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center. Its site provides a place for victims of identity theft to file claims. It also hosts resources on internet crime prevention and current schemes.
  - Maintain a written chronology of what happened. What was lost? What were the steps that were taken to report the incident and prevent fraud from happening in the future? Record the date, time, contact phone number, person spoken to, and any relevant report or reference number and instructions.
  - Consider hiring a consultant to have your network and systems reviewed by a computer forensic or information security professional.
Corporate Account Takeover
Corporate Account Takeover is the business equivalent of personal identity theft. Cyber criminals, backed by professional criminal organizations, are targeting businesses to obtain access to their online banking credentials or remote control of their computers. These hackers will then drain the compromised bank accounts, funneling the funds through mules that quickly redirect the monies overseas into hackers' accounts.
The steps of a typical Corporate Account Takeover include:
As a business owner, it is your responsibility to understand how to take proactive steps to avoid, or at least minimize the threat of a Corporate Account Takeover. The Bank offers the following Security Procedures related to avoiding corporate account takeover risk:
- Use an access device that is dedicated solely to browsing to legitimate, known financial websites to conduct legitimate financial business. No other activity should be conducted on the dedicated device, including accessing email.
- Use host-based firewall protection.
- Ensure that anti-virus/spyware software is installed, functional, and updated with the most current version.
- Use the latest version of your web browser with 'pop-up' blockers enabled.
- Keep versions of operating systems, security software, and applications up-to-date and patched.
- Consider purchasing cyber liability insurance.
- Review your banking transactions daily.
- Do not batch approve transactions; be sure to review and approve each item individually.
- Use dual controls for high risk transactions such as wires, ACH, bill payment, loan disbursements and external transfers. Have one user create the transaction; have a second user approve the disbursement from a different computer. This will reduce the risk of internal fraud, while at the same time making it more difficult for outside programs to find both usernames and passwords.
- Use your Administrator access only to create a log-in account to use exclusively when creating access rights and assigning roles to Authorized Persons, and a separate log-in account for use of the Services. This is to further reduce the risk of unauthorized access to the Administrator authority. Keep the Administrator password and token secure under dual control at all times.
- Establish transaction dollar limits for employees who initiate and approve online payments such as ACH, bill payment, wire transactions and transfers.
Contact your Information Technology provider to determine the best way to safeguard the security of your computers and networks.
Malware, short for malicious software, is software designed by cyber criminals to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. It is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.
Examples of malware include computer viruses, worms, Trojan horses, and other malicious programs. Malware works to remain unnoticed, either by actively hiding or by simply not making its presence on a system known to the user.
The Bank offers the following Security Procedures related to avoiding malware risk:
- Keep versions of operating systems, security software, and applications up-to-date and patched.
- Only open e-mail or Instant Message attachments that are expected and come from a trusted source.
- Scan all e-mail attachments with security programs prior to opening.
- Scan all files with security programs prior to transferring to your device or opening.
- Delete all unwanted messages without opening.
- Do not click on web links sent by an unknown party.
- If a person on your 'Friends List' is sending strange messages, files, or web site links, call them to determine if the message is legitimate.
- Always encrypt emails that contain sensitive information.
Social engineering attacks use human interaction (social skills) to obtain or compromise information about an organization or its computer systems. A cyber-criminal may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. They may be able to piece together enough information to infiltrate an organization's network by asking questions of several people over a period of days.
The Bank offers the following Security Procedures related to social engineering risk:
- Never provide passwords or answers to security questions to anyone.
- Never provide usernames, full names, IP address, etc. to anyone without verifying the legitimacy of the request.
Always alert others at your organization if you receive a suspicious phone call where the caller is requesting this type of information. If a social engineering attacker is not able to gather enough information from one source, they may contact another source within the same organization in order to add to their credibility.
Limit the amount of personal information you provide on social networking sites. The more information you post, the easier it may be for a criminal to use that information to steal your identity, access your data or commit other crimes.
Fake Check Scams
The Bank offers the following Security Procedures related to avoiding fake check scams:
- If someone gives you a check or money order and asks you to send money somewhere in return, it's a scam. These are some examples of common fake check scams: Legitimate sweepstakes operators or other companies will not send you a check then ask you to forward money to a third party. If you have really won, you will pay taxes directly to the government. Do not remit payments for taxes to any third parties, only government agencies. Legitimate mystery shopper or account manager jobs do not use money transfer services to send money.
- A familiar company name doesn't guarantee that it is legitimate. Cyber criminals often pretend to be from well-known companies to gain people's trust. Find the company's contact information independently, online or through directory assistance, and contact it yourself to verify the information.
- A check or money order may be fake even if your bank lets you have the cash. You have the right to get the cash quickly, usually within 1-2 days, but your bank cannot tell if there is a problem with the check or money order until it has gone through the processing system to the person or company that supposedly issued it. Sometimes that can take several days. By the time the fraud is discovered, the crook has pocketed the cash and left you responsible for covering the charge.
- When the check or money order is returned unpaid, you will have to pay the money back to your bank. You are responsible because you are in the best position to know if the person who gave it to you is trustworthy. If you don't pay the money back, your account could be frozen or closed, and your credit may be affected. Some victims are even charged with fraud.
- Sending money using a money transfer service is like sending cash - once the crook picks it up you can't get it back from the service. It's not like a check that you can stop after you've given it to someone or a credit card charge that you can dispute. But if the money has not been picked up yet, you may be able to stop the transaction. Contact the money transfer service immediately if you think you've been scammed.
Phishing scams use fraudulent emails and websites to trick users into disclosing private account or login information. These cyber criminals send e-mails to millions of people hoping that even a few will give away valuable information such as your username, password, or debit or credit card number. The criminal then uses this information to steal the victim's identity. Do not click on links or open any attachments or pop-up screens from sources you are not familiar with.
The Bank offers the following Security Procedures related to avoiding phishing scams:
- Do not click on links within an email unless you are sure of the sender. Many phishing emails include company logos or appear to come from government agencies, and appear legitimate. However, the links take you to a fraudulent website that has been set up to look like and feel just like the legitimate site. Check the URL carefully for differences in spelling, or go directly to a known website without the link. You may often find an alert on the legitimate site warning that a phishing email has been circulated by cyber criminals.
- Never give out your personal or financial information in response to an unsolicited phone call, text message, fax or e-mail, no matter how official it may seem.
- Do not respond to a text or e-mail message that warns of dire consequences unless you validate your information immediately. Contact the company to confirm the message's validity using a telephone number or web address you know to be genuine.
- Check your investment, retirement plan and bank account statements frequently and look for unauthorized transactions, even small ones. Some cyber criminals use small transactions in hopes that they will go unnoticed. These small transactions are also used to test the bank account and routing numbers for future use. Report discrepancies immediately.
- When submitting financial information online, look for the padlock or key icon within your web browser. Most secure Internet addresses, though not all, use "https" in the URL.
- Report suspicious activity to the Internet Crime Complaint Center referenced at the bottom of this page. This organization is a partnership between the FBI and the National White Collar Crime Center.
- If you have responded to an e-mail or text message that you suspect to be a phishing scam, contact the Bank immediately so we can protect your account and your identity.
Scam Prevention Security Procedures
- Be suspicious of any offer made by telephone, on a web site or in an e-mail that seems too good to be true.
- Before responding to a telephone, mail or Internet offer, determine if the person or business making the offer is legitimate.
- Do not respond to an unsolicited e-mail that promises some benefit but requests personal identifying information.
- Beware of 'work from home' schemes that are offered on career websites. If they are asking you to open accounts or move money for the company, this is most likely a scam.
- You are responsible and liable for items you cash, borrow or deposit into your account, whether they are a check, money order, cashier's check, loan proceeds, etc.
Protecting Your Mobile Device
Your mobile device provides convenient access to your email, bank and social media accounts. Unfortunately, it can potentially provide the same convenient access for criminals. The Bank recommends following these tips to keep your information - and your money - safe.
- Use the passcode lock on your smartphone and other devices. This will make it more difficult for thieves to access your information if your device is lost or stolen.
- Log out completely when you finish a mobile banking session.
- Protect your phone from viruses and malicious software, or malware, just like you do for your computer by installing a suitable mobile security app in order to protect your device and data.
- Use caution when downloading apps. Apps can contain malicious software, worms, and viruses. Beware of apps that ask for unnecessary "permissions." Refrain from downloading apps from unfamiliar websites, in order to help mitigate the threat of malware on your mobile device. Pay close attention to the permissions requested by an app that is being downloaded.
- Download the updates for your phone and mobile apps.
- Avoid storing sensitive information like passwords, account numbers, or a social security number on your mobile device. The Bank mobile application provides access to your accounts and related details without exposing your account numbers.
- Tell the Bank immediately if you change your phone number or lose your mobile device.
- Be aware of shoulder surfers. The most basic form of information theft is observation. Be aware of your surroundings especially when you're punching in sensitive information.
- Wipe your mobile device before you donate, sell or trade it using specialized software or using the manufacturer's recommended technique. Some software allows you to wipe your device remotely if it is lost or stolen.
- Report any suspected fraud to the Bank immediately.
How We Protect You
General online security:
Business and Consumer Internet Banking security:
- We have strict password requirements for online systems and password characters are masked to maintain confidentiality.
- We require your browser to be, at a minimum, a fully SSL-compliant, 128-bit encrypted browser.
- We require usernames, passwords at least eight characters long, and challenge questions to authenticate users at login for our remote deposit capture, retirement and employee benefit online systems.
- We provide multi-factor authentication that utilizes user IDs and passwords ("Codes") to identify clients.
- We utilize secure socket layer (SSL) certificates to encrypt information.
- Account numbers are masked.
- We evaluate the latest security technologies and upgrade our systems whenever relevant improvements are available. We use multiple firewalls, network and application access controls, multi-tier architecture and ongoing preemptive forensics to protect your information.
- We have strict policies and procedures in place to safeguard your personal information.
- We require clients that are locked out of the system due to a failed login attempt to contact us for reinstatement.
- We offer a no-charge email encryption service to our clients to send secure business communications to Bank representatives.
- We provide you with the date and time of last login when using the Business and Consumer internet banking systems.
- We utilize out-of-band authentication at login if your device (PC, laptop, tablet, or smartphone) is not recognized. For your security, you will receive a system-generated phone call or text message if someone attempts to log in from an unrecognized device.
- We have account daily limits set up for bill payment, funds transfer, wires, ACH and other treasury management services.
- We require token use at sign on and transaction level for Business Internet Banking clients with high risk payment capabilities such as ACH and wire transfers.
- We have security alerts in place. These alerts are emails automatically sent to your primary email address when certain events occur, or optionally based on your preferences. Alerts do not reference your specific name or account number. Being alerted promptly about account changes can help you detect and stop potential fraud.
- We recommend multiple approvals to add/change/delete a user within your Business Internet Banking system.
- We require dual control for high risk transactions such as ACH and wire transfers.
- We will never display a pop-up message indicating that you cannot use your current browser or send a message that includes an amount of time to wait before trying to login again.
- We require out-of-band authentication for the final approver of all ACH and wire transactions, in addition to using security tokens.
- We require pre-note for new ACH transactions.
- We offer ACH Positive Pay and Payee Positive Pay. These services allow you to set up limits for authorized electronic debits and provide an automated means of monitoring the transaction activity within your account.
- We store client electronic statements in the system and we never send them to clients via unsecured email.