Nearly 60 percent of Americans are accessing their finances online, and they love the convenience. But, as with all activities online, security is a concern. Learn how locally owned and operated banks hold an advantage in safeguarding customers.
At first, Jim Stocker was skeptical. Was online banking really safe from hackers and fraudsters? Would it really help him to better manage accounts and track his finances? Today, he’s a believer.
“I saw the need of it when I was the executor of my mother’s finances and estate when she was ill,” he says. “It was easy to track across accounts, and easy for family to see what was going on with the account at all times.”
Like many online banking users, the St. Charles-area mortgage lender finds it’s time-saving and easy to use, when managing both business and personal accounts.
“To sit and hand-write checks could take a minute per check to write and record,” Stocker says. “I can sign in and send several checks in about a minute, when I use online banking.”
In the early days, online customers were limited to simple activities, like reviewing statements. Now, thanks to new advances, even the smallest banks offer a complex suite of services. Everything from bill payment and funds transfers to statement reviews and transaction downloads are accessible from computers and smartphones.
Those who love online banking are quick to talk about the convenience; those who distrust it express concerns about fraud and theft. While it’s true that there’s a dark side to electronic banking, community banks are well aware of what to watch for. Thanks to their small, vigilant and flexible staffs – and powerful new tools – these locally owned and operated institutions are helping customers to accomplish their goals and stay safe online.
“I think that’s the advantage of the community bank,” says Valerie DuCharme, executive vice president and chief retail officer at STC Capital Bank, 460 S. First St., St. Charles. “If something goes wrong, we’re going to resolve it faster, and probably do it in a friendlier manner, than a big bank.”
When it comes to online products, large and small banks offer similar services. For example, STC Capital’s new system enables a wide variety of business and personal account management services. Personal banking customers can set up automatic bill pay, monitor account statements and balances, and transfer funds among accounts. Commercial customers can do all this and more.
But no matter how often people use online services, banks still want to build personal relationships with customers. That’s why the Minuteman Online Banking system at Home State Bank, 40 Grant St., Crystal Lake, requires customers to apply for accounts inside a branch office, where they also can set up electronic services.
“We want to put a face with a name and introduce them to a Home State Bank representative, so they will have a familiar contact and we can positively establish identity,” says Bill Baldoni, senior vice president and chief operations officer. “Although the law allows us to use software to verify identity, we feel there is less risk getting identification in person. We want to know exactly who we’re dealing with.”
Nationally, nearly 60 percent of bank customers prefer online banking, while only 20 percent prefer a brick-and-mortar location, according to a survey conducted by Ipsos Public Affairs and shared with the American Bankers Association (ABA). Customers over age 55 enjoy it just as much as young people.
“Surprisingly, we have a lot of senior citizens who use it extensively,” Baldoni says. “Many of them are quite adept at it.”
“And often, they’re beginners with very little computer experience,” adds Carmen Rhodes, electronic banking manager. “They’re not hesitant to call us for help, and we’re happy to sit down and train them. They can come in, and we can help them with whatever they’re having problems with.”
Online statements make it easy to see account balances, but shouldn’t replace a balanced checkbook, warns Baldoni. Instead, he recommends using online statements to avoid overdraft charges and detect fraud quickly. For those who still write checks, some systems even display an image of the processed check.
“If they’re checking their statements and they say, ‘Oh, I don’t remember this payment,’ they can click a button, and up pops their check,” Baldoni says. “So they see who exactly they wrote it to and when it was deposited.”
These days, there’s very little that can’t be done online. Along with offering customers constant access to their financial information, STC Capital has added a new system that allows people to make small electronic payments among themselves.
“Let’s say you bought me lunch, and I owe you $10.50,” says DuCharme. “I can, through a system called ZashPay, use my smartphone or computer to schedule a payment to be sent to you. All I need is your email address.”
With so many convenient electronic systems, do customers ever need to visit a bank?
“Yes,” answers DuCharme. “I think it’s in our genetics. There are very few people who don’t want to interact with other people. For normal transactions, online banking is probably the way to go, but for questions, general servicing, mortgages – things like that – there’s still a need for human interaction.”
Stocker, the STC Capital customer and online veteran, still finds comfort in his community bank. “Sometimes, I’ll bring in just one check to deposit, so I have a reason to say hello,” he says.
At STC Capital, customers are welcome to use the meeting room for personal get-togethers. Others come in just to relax.
“We have clients who come in and read the newspaper and drink a cup of coffee,” says DuCharme. “We’re OK with that.”
The Dark Side
Stocker’s early concerns about online banking – things like fraud, account hacking and scams – were legitimate. Every year, millions of dollars are lost to fraudulent activities. But larger banks report far more trouble with electronic services than smaller banks do. In a biennial survey from the ABA, few community banks reported online and mobile banking-related fraud. In fact, no community banks and just 9 percent of mid-sized banks reported online fraud, while 71 percent of large banks reported it.
Debit cards are a different story. As a whole, the banking industry in 2010 lost nearly $955 million to debit card-related fraud, and nearly $893 million to check fraud, according to the ABA. In 2008, nearly $1 billion was lost to debit card-related fraud. So where does all the money go?
“It goes straight into criminals’ pockets,” says Doug Johnson, vice president of risk management policy for the ABA.
Unlike old-school bank robbers, who literally carry money out of a bank, modern identity thieves use individuals’ accounts to steal money. Despite the intricate, multilayered security systems built around electronic banking, security is every individual’s responsibility.
So what’s a customer to do?
“Ensure that you, as an individual, hold the keys to the kingdom, so to speak,” says Johnson. “It’s important to think of online banking as your friend and ally in catching fraud. It’s easier to check your balances online, than to wait patiently for your statements, to see what’s happening.”
Identity theft causes banks a lot of headaches. Just ask Tiffany Umbarger, treasury manager for Crystal Lake Bank & Trust, 70 N. Williams St., Crystal Lake, and its affiliates in McHenry, Cary and Algonquin.
“I had a customer a couple of years ago tell me she spent probably 80 hours in a few months just trying to get her identity theft issue resolved,” Umbarger says. “Police reports, filing fraudulent items reports, closing accounts, opening new ones – it’s a very time-intensive process.”
The good news is that federal legislation offers many protections for consumers. Under Regulation E of the Electronic Fund Transfer Act, consumers aren’t liable for fraudulent activity, if it’s reported within 60 days. During the investigation of a consumer claim, both the bank and the credit card company grant “provisional credit,” allowing a customer to make everyday purchases. Banks can alert credit bureaus; they may also shut down old accounts and open up new ones.
“It’s just staying in constant contact with them every day, saying, ‘Is this your check, is this not your check?’” Umbarger says. “Usually, it dies down within a week or so, because usually that type of fraud is ‘one and done.’ The thieves go out for one or two days, write as many checks as they can, and then stop before they get caught.”
Catching a fraudster is tough, but flagging suspicious activity is easier. Banks have computer programs that constantly scan customer activity for unusual transactions. When a transaction raises a red flag, security officers evaluate it and act accordingly.
“My favorite is when I call a customer and say, ‘There’s $500 worth of suspicious websites on your card. Are they really yours?’ They’re typically not,” Umbarger says. “Or I call a customer and say, ‘Have you been to China recently?’ and when they say ‘no,’ I say, ‘Your card says you bought $1,000 worth of things from there.’ And they say, ‘No, I didn’t.’”
In 11 years of treasury management and digital security, Umbarger has seen a lot of scams. Some are pretty dumb, some are pretty clever, and some are pretty sneaky.
“I once had someone steal a box of checks out of the mail,” she says. “We put a stop payment on the series that was lost, and we reordered with a new series. The fraudster waited six more months, when the stop payment order typically expires, and then started using the stolen checks.”
While criminals still steal from mailboxes, they’re more likely to go phishing. In this scam, a fraudster poses as a legitimate organization in order to obtain your personal information. Most often, phishing happens through emails, but it may also occur through phone calls, text messaging and snail mail.
“A lot of times, a message will appear to be from your credit card company, your bank, the government, the Social Security Administration – someone you feel like you can trust,” says DuCharme. “It will request certain information, like your account number, or debit or credit card numbers, passwords, your date of birth, Social Security numbers – all for the purpose of obtaining information later used to get credit in your name, or to open a bank account in your name.”
In some cases, thieves take information and purchase cars, homes and other large items that only show up on a personal credit report. Online, fraudsters glean information from social media, or convince you to download malicious software that logs everything you type. They then use the personal information to pose as you and steal your money.
“There are malicious kinds of technologies that monitor keystrokes,” DuCharme explains. “They get into your computer when you click on a link or something that isn’t good. Now, unbeknownst to you, your keystrokes are being monitored. When you get into your online banking and fraudsters are monitoring your keystrokes, they get your password information.”
Once they’re in, fraudsters move quickly, draining bank accounts during huge shopping sprees. They rack up bizarre charges, buying hundreds of dollars of electronics at Best Buy, large quantities of gas in Mexico, or purchases in China minutes after a debit card is swiped in Crystal Lake. As the criminals pillage, red flags fly on the bank’s account monitoring software.
“We’re notified when customers are doing something that just doesn’t make sense, or doesn’t match their usual spending pattern,” Baldoni says. “We can ignore it, knowing that it makes sense with additional information we have, or we can contact the customer to ask if they made the transaction.”
At other times, customers call after noticing something odd, either in their bank statements or their credit reports.
“We occasionally get customers who call about an item they’re not familiar with,” Rhodes says. “They bring in counterfeit checks or some other obviously bogus item, asking if they should deposit it or dispose of it.”
When Umbarger’s clients notice unusual activity, she identifies what’s been hacked and sets a course of action. On the drastic end, she could set up brand-new accounts. On the lighter end, she may just stop a payment. Along the way, a customer may need to notify credit bureaus, file police reports and enter information into a federal database that tracks identity thieves.
“The first thing we’re going to do is ask why you suspect you’ve been compromised,” Umbarger says. “Did you get a phone call? What were they asking? Was it an email and you clicked on the link? The steps are going to depend on what’s been compromised.”
An Ounce of Prevention
There’s an old saying that a chain is only as strong as its weakest link. In the same way, banks are only as protected as their customers, and both have skin in the game. Working together, both can reduce the chances of falling victim.
“One thing I always say is you should check your account diligently, every day or every other day, for unusual activity,” says Ralph Benes, IT Security Officer for Home State Bank. He’s spent 42 years involved in computers and digital security. “When you set up your banking activity on your personal computer, make sure you also have the recommended security set up on that computer. Use firewalls, virus software, things like that, to stop people who could get in and compromise your computer.”
It’s also a good idea to change your passwords routinely. Don’t use something simple and easily guessed, like your name, dog’s name or home address. Instead, create something obscure and hard to guess, which has a combination of uppercase and lowercase letters, numbers and symbols. In other words, a password like Chris5 is easier cracked than, say, c4R!sIS5@fe.
Also, says Benes, don’t click on links you don’t recognize. They might download malicious software or invite you to enter personal information into a fraudster’s website. “Most reputable businesses and financial institutions will not send out emails requesting your account number or your Social Security number,” he says.
Instead, know how your bank will contact you. When Home State transmits sensitive information, it adds encryption and sends customers to an encrypted website. If ever in doubt, says Benes, call someone you know at the bank and double-check.
Banks like Home State and McHenry Bank & Trust, 2205 Richmond Road, McHenry, send notices to customers about safe practices and recent scams. But the staff itself goes further, learning new security practices. Since the tellers are a first line against fraud, they’re constantly on the lookout.
“We talk a lot with the tellers about knowing their customers, making an effort to know who they are, what they do,” says Umbarger. “Is it typical for John to deposit his paycheck and get $50 in cash? Well, if he comes in and cashes $4,000, that’s different, and you need to ask some questions.”
Justin Condon laughs about the questions he uses for his online banking at McHenry Bank & Trust.
“I use questions that aren’t exactly common knowledge, and I use a very interesting combination of letters and characters,” he says. “It would take a very long time for someone to break in.”
As someone who maintains technology for a small business and considers himself an early adopter, Condon has thrown himself headfirst into online banking. He says he especially uses the new mobile banking, which conveniently sends balances, fund transfers, logins and assistance via a simple text message. For his wife, Stephanie, this technology has been a real blessing.
“She’s a horrible record-keeper,” he laughs. “Online banking lets her see things in almost real time, so it helps her to keep track of things a lot better. Let’s just say there’s been a significant change in overdraft charges since she started using it.”
Running the Gauntlet
Remember the old TV comedy “Get Smart,” in which Agent 86, Maxwell Smart, walks through a long gauntlet of security doors to enter CONTROL headquarters, during the opening credits? Online banking systems act similarly.
“When somebody logs in on the consumer side of our website, they have multi-factor authentication,” says DuCharme. “When they first log in, they’ve got to answer some security questions, find an image, create a passphrase. So, when they log in, their computer has to be registered, and the system will know if it’s not, and it will ask a series of security questions if it has to be accessed. A little image has to be there, and the passphrase has to be there, and if it’s not, then that may indicate you’re logging into a fraudulent site.”
Herself a victim of identity theft, DuCharme is thankful for the safeguards at a smaller bank.“I think that’s the advantage of the community bank,” she says. “If something goes wrong, we’re going to be there more quickly. We’re going to resolve it faster, and probably do it in a friendlier manner than a big bank.”
“Horrible” is the word she uses to describe her personal fraud experience with a big bank. “I ended up feeling like the criminal, not the victim, and trying to get it resolved was a difficult time.”
When a family member used DuCharme’s information to open an account, the big bank didn’t thoroughly investigate the family member’s credibility. Because DuCharme knew banking and security procedures, she had an easier time obtaining results.
“They didn’t do their due diligence to make sure the Social Security number belonged to her, and as a result, some negative activity appeared on my credit report,” she explains. “So I had to contact the bank and tell them they didn’t do their due diligence. They didn’t know their client. They didn’t confirm the information that was provided, which banks are required to do through their customer identification program. As a result, I think they were looking at some potential issues if they didn’t get it resolved quickly.”
The ABA’s Johnson agrees that not all banks properly vet new customers. He says the ABA has proposed regulatory policies that would strengthen penalties for identity thieves and reduce the red tape that comes with verifying customer identities and bogus or stolen Social Security numbers.
“That’s key information for an institution,” he says. “That account information cannot be used as an identifier, but the current process is cumbersome, and we’re working to make sure it’s easier and less costly. We want to make sure the Social Security Administration is part of the solution.”
At the same time, Johnson acknowledges that the small, familiar nature of a community bank offers valuable protection against situations like DuCharme’s.
“By their nature, community banks have advantages just because of the volume difference,” he says. “Because they’re smaller, they have more effective ways of recognizing their customers. The new account opening process at community banks is going to have a more human interface.”
Worth the Effort
There’s a sense that fraudsters and con artists are ever-present, always adapting to new technologies and methods of deception. But most customers who love online banking understand the risks and take precautions.
Condon trusts he’s in good hands at McHenry Bank & Trust. He worked there growing up, and he knows people there. They know his identity, and he’s convinced that those friendly faces will keep him safe. Because his bank is part of a family of banks, he has a large-scale security system behind him.
“There’s always been a security concern with online technology,” he says. “You wonder who can access your account. But I realized that it’s always going to be there, so I just jumped in with both feet, and I love it.” ❚
Here are four of the most common ways criminals try to obtain your personal information.
Phishing: Typically sent via email or phone message, this scam encourages you to give your information to a fraudster, who may claim to represent your bank, utility company or other organization familiar to you. Legitimate callers won’t request passwords and account numbers, because that information is already available. If in doubt, hang up and call the company in question, at a known phone number, not at the one provided by the questionable caller.
Skimming: A little device placed at the end of an ATM or gas pump card scanner, skimmers quietly copy information from debit and credit cards. If the image on your ATM wiggles or looks unusual, it may have a skimmer attached. Many criminals place cameras nearby to capture your PIN number. Some skimming technology is so advanced that it can digitally transfer information from nearby cards, so experts recommend keeping cards in a safe wallet that’s specially designed to block skimming.
Mailbox Theft: In this scam, fraudsters take mail directly from the box. They’ll take account numbers, personal checks – anything that has valuable information. Criminals typically wash information from signed checks and write them to make large purchases, which they resell.
Computer Hacking: Whether planting a bug or spying through an unsecured public connection, hackers may be able to watch every move you make on your computer. Don’t use public computers or unsecured Wi-Fi connections for social networking, emailing, banking or sensitive business. Hackers can watch from unsecured connections, or plant keystroke-recording tools that steal information entered into public computers.
Identity Theft Checklist
Here are some suggestions from the Illinois Attorney General for safeguarding your identity.
Protect your mail. Know when pickup occurs and don’t let mail build up.
Protect papers with personal information. Keep your documents and shred them when no longer needed. Some banks even offer “shred day” events to encourage document destruction.
Protect your Social Security number. Hide your card. Don’t carry it with you, and don’t share your number.
Keep track of your credit and debit cards. Know where they go and when they’re used.
Protect account numbers, passwords and PIN numbers. Don’t share them with anybody.
Protect your information when shopping online. Use only trusted sites, and share sensitive information only on a secured connection, where the URL begins: https://.
If you suspect you’ve become a vicitim of identity theft:
Immediately contact your bank, credit card, credit bureau, etc., and alert them to a possible breach. Many banks will stop payments on a compromised account and coach you through follow-up investigative and legal procedures.
File a police report. Take any supporting documentation, personal identification and things like time sheets, receipts and statements from witnesses, that prove you didn’t make the purchases.
Because many identity thieves operate on a national and global scale, many municipalities can’t, or won’t, investigate. However, the FBI assembles reports to prosecute fraudsters in large-scale cases, so visit ic3.gov to file a complaint. ❚