Fighting Fraud - Respond

Respond

If you suspect you have fallen victim to online fraud, it's crucial to take immediate action to minimize potential damage, recover lost funds, and prevent further incidents. Different types of fraud have different reporting requirements for recovery to be successful; thus, it is always better to act as quickly as possible.

One way to speed up the time it takes to respond to fraud is to develop plans for how you will respond should an incident occur. By taking the time to plan how to respond to an incident, the more successful your response will be. Developing plans will also enable you time to consider all facets of an incident; how it may impact you or your customers and vendors; any mitigating controls; and processes or technology that you can implement, all without the added stress of being in the middle of an incident.

Prior to completing any of the below Incident Response Steps, it is important to consider whether the device being used was involved in the incident and if it has been compromised. If it is suspected the device is compromised DO NOT USE THE DEVICE FOR ANY OF THE CORRECTIVE ACTIONS. Instead, complete the below steps from a known healthy device.

When responding to attempted or confirmed online fraud, Jonah Bank recommends that customers consider taking the below steps at a minimum (your selection of steps may change depending on the nature and scope of the incident).

Included in the Response Section for Fight Fraud, Jonah Bank has included additional suggested steps for dealing with a Business Email Compromise (BEC) Incident as we commonly see business email accounts involved in fraud.

Steps for Responding to Online Fraud

Ideally, Steps 1 and 2 would be done simultaneously to lock fraudsters out and kick them out of any active session they may be in and stop any pending or processed transactions. You can complete these first steps on your own or contact Jonah Bank, and we can help you.

When securing your accounts, your first steps should be as follows:
Online Banking Accounts
  • Temporarily disable all compromised users accounts.
  • Change the password of any compromised account using a strong, unique password that is not easily guessable. If an administrative account has been compromised, start by changing this account's password prior to resetting any sub-user's password.
  • Review Multi-Factor Authentication (MFA) settings to ensure only authorized numbers/devices are listed.
  • If the password (or any similar password) was used for authenticating to any other service, change the password there as well (the use of a Password Manager prior to an incident will make this step easier to accomplish).
  • Review the permissions for the compromised account and all other authorized users within your online banking configuration.
  • Review all drafted, approved, and processed transactions to identify additional transactions that need to be cancelled or reversed.
Business Email Compromise (BEC)
If Business Email Compromise is suspected:
  • Temporarily disable all compromised users accounts.
  • Change the password of any compromised account using a strong, unique password that is not easily guessable.
  • Turn on MFA if it is not already enabled for all accounts
  • Request the administrator terminate any active sessions for the compromised email account and implement conditional access controls to further protect the account.
  • If the account compromised is an administrator account, consider resetting all user account passwords and look for any suspicious new user accounts.
  • Consider all the accounts for which your email address is used to be compromised (whether the passwords are the same or not) as the email account can be used to reset account passwords.
  • Review the email account for any suspicious forwarding rules.
  • Review all sent and deleted emails for suspicious activity.
Report the fraud or unauthorized account access to Jonah Bank as soon as possible. We can help secure your accounts, lock login IDs or change passwords, stop or reverse transactions, and investigate the fraud. We can also help close accounts or cards suspected to be involved with fraud, set you up with new accounts and cards, and review your alert preferences to ensure you are able to monitor your accounts closely.

When contacting Jonah Bank regarding fraud or unauthorized access, we recommend you call one of Jonah Bank's main numbers to ensure your call is answered expeditiously, and remember, our staff is here for you and will be with you every step of the way.

Phone Numbers for Jonah Bank
  • Casper: 307.237.4555
  • Cheyenne: 307.773.7800
  • After Hours: Jonah Bank offers after hours assistance for fraud occurring on debit and credit cards.
  • Credit Cards: 844.546.8220
  • Debit Cards: 866.504.5111
Document all relevant information about the incident.
Incident Information:
  • Date and time incident was identified.
  • Name of person identifying the incident.
  • Contact details for the individual reporting the incident and for the person responsible for managing the incident.
  • Type of Incident: Suspicious Login; Fraudulent Transaction/Check; Credit Card Fraud; Debit Card Fraud; BEC; etc.
  • Description of the Incident: Can include how the incident was detected, the systems and accounts involved, and the possible impact of the incident.
Transaction Details
  • The date and time of the transaction.
  • The Type of Transaction: Single or Multiple ACH Payment or Collection; Payroll; Wire; Funds.
  • Transfer; Bill Pay; Check; or Credit Card.
  • The account or card numbers involved.
  • The amount of the transaction.
  • Login IDs Associated with the Transaction. The incident may involve both draftees and approvers, or account admins and any new sub-users created during the incident.
  • Recipient details included in the transaction.
  • For Transactions Originating through the Online or Mobile Channel: The method by which the transaction was authorized (Physical Symantec Token or Virtual) and its corresponding serial number.
  • For Check Fraud: The Check Number, Date of Issuance, Payee Information, Amount, and Any Memo.
  • As a part of gathering evidence, review all account activity and statements going back 30 or more days.
Business Email Compromise (BEC) Additional Information
  • Document all unauthorized sent, received, or deleted emails.
  • Attempts to reset passwords for linked accounts.
  • Suspicious forwarding rules configured.
  • Anomalous logins to the affected accounts.
  • Chat Logs.
  • Work with your IT staff to identify systems, accounts, and IP addresses involved.
  • Any other correspondence related to the fraud.
Once corrective actions have been taken to secure accounts and stop any fraudulent transactions, it is important to contact relevant law enforcement agencies.

Who to Contact?
Local Law Enforcement

The Internet Crime Complaint Center (IC3)
If the fraud happened via the internet in any way, a report should be made to IC3.gov by the victim as soon as possible. This is the FBI’s reporting page. This division of the FBI has immediate capabilities of freezing accounts without going through long court orders and hearings. Also, analysts compile the different aspects of each fraud and are able to connect them to additional crimes across the country. The more victims and the greater the dollar loss, the higher the priority for the FBI.

Why Contact Law Enforcement Agencies?
Consumers should report fraud to law enforcement for several important reasons:
  1. Legal Consequences: Reporting fraud to law enforcement can initiate a legal investigation, potentially leading to the apprehension and prosecution of the fraudsters. This can result in criminal charges, penalties, and imprisonment for those responsible helping to prevent them from victimizing others.
  2. Protecting Others: By reporting fraud, consumers help protect others from falling victim to the same fraudulent schemes. Law enforcement agencies can use the information provided to identify patterns and trends in fraudulent activity which can lead to broader investigations and the disruption of criminal operations.
  3. Identity Theft: By reporting the incident to local law enforcement, it can assist with any future identity theft issues.
  4. Recovering Stolen Funds: In some cases, law enforcement efforts may lead to the recovery of stolen funds or assets which can be returned to victims. While this is not always possible, reporting fraud increases the chances of recovering losses.
  5. Insurance Claims: Most insurance policies dealing with fraud require victims to report the fraud to law enforcement.
With the initial steps taken to secure your accounts, contacting Jonah Bank and Law Enforcement and the collection of evidence, it is time to take additional corrective actions to help ensure the incident does not reoccur. As there are any number of scenarios that could be involved, the below list serves as a starting point for you or your business to consider when responding to an incident.

Additional Corrective Actions
Bank Accounts
  • Setting all users up with a password management tool.
  • Enabling MFA on all high-risk accounts (not just at Jonah Bank).
  • Cancel all unauthorized transactions on your account.
  • Work with Jonah Bank to close impacted accounts and open new ones.
  • Implement changes to account monitoring and alerts to catch future fraudulent activity (see the Detect Section for more details).
  • Consider changes to transaction approval such as dual approval or changes in transactional limits.
  • Work with Jonah Bank to close credit/debit cards and issue new cards.
  • Enroll any new cards and existing cards that were not involved in the incident in
    Card Valet® or Visa® Purchase alerts and turn on additional card controls.
  • Review your settings for Security Access Codes and Transaction Authorization Codes and make changes as necessary.
  • Implement check Positive Pay.
  • Review all users on your account, their settings, and transactional rights.
  • Update any services that link to online banking (personal financial management tools such as Mint, accounting software like QuickBooks, and integration services such as Plaid).
  • Update any services that have your account on file with new account/card information to ensure payments process on time.
  • Consider how the information contained within your bank accounts could be used in future phishing campaigns against you, your business, your customers and vendors, and train staff on how to spot these scams.
Business Email Compromise (BEC)
  • Delete or disable suspicious accounts in your email system.
  • Review all accounts and determine if there is a need to modify any account permissions or roles.
  • Implement additional conditional access policies.
  • Enforce MFA on all accounts.
  • Implement additional logging and alerting.
  • Review emails sent from your account to any potential victims of phishing and notify them.
  • Implementation of new email filtering or rules.
  • Review best practice guides from your mail provider related to security.
  • Review all the information contained within any compromised email account and consider how that information may be used.
  • Consider the creation of separate email or email aliases for different work/personal purposes.
  • Provide continuous training to staff about email-based threats.
  • Implement policies requiring staff to confirm all emailed payment information via phone call, using a phone number you have on file for the vendor or customer.
Other
  • Consider subscribing to a credit monitoring service to help detect any identity theft or unauthorized credit activity.
  • Setup a credit freeze with the credit bureaus. A credit freeze restricts access to your credit report. If you suspect your personal information or identity was stolen, placing a credit freeze can help protect you from fraud.
  • Work with your IT staff or contract with a service provider to review any systems involved in an incident.
  • Review all of your accounts, not just the one that was compromised. Look for any unauthorized or suspicious activities on those accounts.
During the incident Response Phase, it is important to keep a thorough record of all communications, actions taken, and financial losses related to the fraud. This documentation may be valuable for legal or insurance purposes. By thoroughly documenting the incident, it can help to ensure you have not missed anything and assist in identifying any additional steps that may need to be taken. For example, if you close an account, additional steps post incident may involve updating any Bill Payments to use a new account or to update any subscription services with a new account number. Good documentation will help you identify this.