The Internet is one of the most powerful communication tools available, making it possible to share information instantly, any time of the day or night, around the globe.
Criminals have capitalized on the broad power and wide availability of the Internet and electronic mail (e-mail) to defraud unsuspecting people. It is critical that each of us maintain constant vigilance over the way we use the Internet and all forms of electronic communication.
The Bank of New York Mellon maintains active oversight of all of our systems as part of our efforts to protect the security and privacy of client information.
If you have any concerns or questions, please contact your Bank of New York Mellon representative.
The Bank of New York Mellon does not contact its clients or anyone else by e-mail to confirm credit card or financial transactions, or to confirm or request personal account information or any other type of sensitive information.
To help protect yourself and your personal data, do not trust any e-mail communications that request your personal information.
Criminals can be convincing. They make their fraudulent e-mails look like they come from legitimate sources. They publish fake Web sites that use designs, information and programming stolen from their rightful owners. Cyber criminals use methods to impersonate you over the phone to arrange funds transfers, or imitate communications from the financial institution to verify transactions, or initiate other changes to your account. Don't fall for their ploys.
- E-mail and Web Site Scams
- Tricks of the Trade
- Web Site Spoofing
- Lottery / Sweepstakes Letter Scams
- Corporate Account Takeover
- What You Can Do
- Learn more about E-mail Security
E-mail is by far the most popular way for criminals to try to get your attention — and your personal information. An e-mail may direct you to a Web site designed and operated by criminals to trick you into revealing such information. Therefore, treat e-mail from someone you don't know the same way you would treat a telemarketing call from someone you don't know: don't necessarily believe what you're being told.
Fraudulent e-mails and Web sites are created every day to attempt to steal personal information. It's called "phishing" — a variation of the word "fishing." There are limitless variations of these online scams, so the best defense is education and a healthy dose of skepticism. A few misleading and deceptive techniques in use include the following:
- The e-mail or Web site may appear to be genuine.
- It may include a logo that appears legitimate.
- It may ask you to click on a link to go to a Web site — the Web site address may, at first glance, appear legitimate and imply importance.
- The e-mail or Web site may ask for you to supply account numbers, Social Security numbers, personal identification numbers (PINs), passwords or credit card numbers.
- The e-mail or Web site may even already contain some of this information and is asking you to confirm the data.
- You are right to be suspicious of any e-mail or Web site asking you to supply or confirm any personal information.
As technology and one's ability to detect these scams improve, so, unfortunately, do the criminals. The latest attacks do not even require you to do anything. Merely opening the e-mail can launch "hidden" software — a virus, "spyware" or other malicious code — that will download to and reside on your computer. Should they go undetected, any of these programs could compromise your computer in a variety of ways, including stealing private information, redirecting your Web surfing to unscrupulous sites and transmitting information that you type on your computer directly to the criminals. Therefore you should delete all unwanted and potentially fraudulent e-mails without opening them.
Some fraudulent e-mails, spear-phishing attempts for example, can be very well done and very convincing. These are often created by more sophisticated and more determined criminals who are highly motivated to succeed. More generally, however, fraudulent e-mails and Web sites established for fraud are frequently characterized by the following:
- Misspellings and other typographical errors
- Poor grammar
- Urgent messages in the e-mail subject line
- Random characters in the e-mail subject line or body
- "Fuzzy" logos, or logos that are distorted
There are a number of common e-mail scams of which you should be aware. While this list is by no means exhaustive, recent e-mail tricks include:
- Creating a sense of panic. E-mails threatening loss of account access, loss of credit, foreclosure, etc., are trying to get you to panic enough to lose your common sense and fall for their scam. Don't panic; when in doubt, call your financial institution.
- Referencing a recent transaction. Vaguely worded e-mails referring to a "recent transaction" that you need to go online and verify, or for which you need to provide additional account information, are also just trying to get you to fall for their scam.
- Confirming your account information. It's possible that the criminals think they already have your account numbers, password, etc., and all they need is your confirmation. They could have guessed, they could have bought it, they could have stolen it. Don't give them the help they need to use it. Do not respond to confirmation-of-information requests received via an e-mail that you are not expecting or that could possibly be fraudulent. This includes both not responding via e-mail and not visiting a Web site to confirm the information.
- You're a winner! "Just send money to cover the costs/fees/taxes and you can claim your prize." If you do respond to this solicitation, the thief will have your money as well as your credit or debit card information if you pay online, or your checking account number and bank routing information if you pay by check. A legitimate contest will never make you pay to receive the prize.
- Your donation is needed. Many criminals act like they are actually charities and request your donations, appealing to your emotions and taking advantage of tragedies and natural disasters. Be careful when making charitable donations. Many legitimate organizations now accept donations online. But exercise caution and only donate via a non-profit organization's Web site directly, or if you are absolutely sure of the company through which you are donating.
"Spoofing" is another trick used by criminals. Criminals steal a Web site's code — the technical programming that makes the Web site work — and use it to create a fake Web site that "spoofs" or appears to be the legitimate site.
The difficulty for unsuspecting consumers is that these sites look legitimate. To help protect yourself, be aware of how you're accessing the site.
- Don't follow a link in an unsolicited e-mail if you have any doubts about the sender (see "phishing", above).
- Type all Web site addresses carefully, or use Favorites or Bookmarks to store frequently accessed sites — especially financial-related sites. Misspelling, even by one letter, the address of the Web site you are trying to access may send you to an incorrect, possibly fraudulent, Web site.
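The one-letter misspelling described above can be checked mechanically. The following Python is an added example, not part of the original page: it compares a typed address against a list of bookmarked sites and flags hosts that are one typing mistake away from a trusted name. The domain names, `BOOKMARKED` and the function names are constructed placeholders, and the check covers typing errors only, not look-alike characters.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for a user's bookmarks (placeholder names).
BOOKMARKED = {"examplebank.com", "payroll.example.org"}


def host_of(url):
    """Return the lower-cased host of an address typed with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def edit_distance(a, b):
    """Optimal string alignment distance: one insertion, deletion,
    substitution or swap of two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1,                # deletion
                       cur[j - 1] + 1,             # insertion
                       prev[j - 1] + (ca != cb))   # substitution or match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url, trusted=BOOKMARKED, max_distance=1):
    """Return ("trusted" | "lookalike" | "unknown", matched bookmark or None)."""
    host = host_of(url)
    if any(host == d or host.endswith("." + d) for d in trusted):
        return ("trusted", None)
    labels = host.split(".")
    # Compare the full host and each parent domain, so a "www." prefix
    # does not hide a misspelled name.
    for start in range(len(labels) - 1):
        candidate = ".".join(labels[start:])
        for d in sorted(trusted):
            if 0 < edit_distance(candidate, d) <= max_distance:
                return ("lookalike", d)
    return ("unknown", None)


if __name__ == "__main__":
    for typed in ("https://www.examplebank.com/login", "examplebnak.com",
                  "http://www.exampleban.com", "https://news.example.net"):
        print(typed, "->", classify(typed))
```

A "lookalike" result means the address should be retyped or opened from the bookmark instead; "unknown" only means the host is not near any bookmarked name.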
If you receive a letter, accompanied by a check bearing The Bank of New York Mellon brand, that claims you have won a lottery or a sweepstakes, or have been chosen to be a paid "secret shopper" or a similar variation of a popular contest, be advised that these are scam letters and fraudulent checks. If you contact the sender as requested, you will be instructed to negotiate the check and forward the sender money through a wire transfer or money order. Please do not negotiate these checks, as they are not authentic The Bank of New York Mellon checks. If you receive one of these letters and/or checks, you should report it to your local U.S. Postal Inspection Service.
Corporate account takeovers, once associated mostly with large corporations, have started to target municipalities, smaller businesses, and non-profit organizations. Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud. To obtain access to business financial accounts, cyber criminals often target employees and cause the targeted individual to download and spread malicious software (or "malware"), which in turn steals their log-in credentials. Cyber criminals typically will accomplish this by getting you to perform some action such as opening an e-mail attachment, accepting a fake friend request on a social networking site, visiting an already compromised legitimate Web site, or plugging an infected USB drive into your system. All of these can install malware on your computer.
Some recent methods used to trick employees into opening the attachment or clicking on the link have included making the e-mail appear to come from a legitimate business, for example:
- UPS (e.g., "There has been a problem with your shipment.")
- Financial institutions (e.g., "There is a problem with your banking account.")
- Better Business Bureaus (e.g., "A complaint has been filed against you.")
- Court systems (e.g., "You have been served a subpoena.")
Cyber criminals may try to take advantage of a current event, such as a natural disaster or a major sporting event. They may use credentials stolen from company Web sites, co-workers or executives, and design the e-mail to look like it comes from a trusted source.
Once they are able to get you to download their malware, they can easily steal your account login credentials and then be able to electronically steal money from your business accounts through unauthorized wire transfers and ACH payments.
Report any problems regarding The Bank of New York Mellon to your customer service representative.
If you should become a victim of identity theft, you can take the following actions to help you protect your personal and financial interests:
Contact your bank and credit card issuers to ensure that:
- Access to your accounts can be protected
- All transactions are actually yours
- Your address information has not been changed
- Your PINs have not been changed
- New checks have not been ordered by the identity thief
File a police report with your local police department and provide the facts and circumstances surrounding your loss. Obtain a police report number with the date, time, police department, location and name of the police officer taking the report or involved in the subsequent investigation. Having a police report on file will often facilitate your dealings with insurance companies, banks, credit card agencies, and commercial establishments that may be parties involved in fraudulent transactions. The police report may initiate a law enforcement investigation into the loss with the goal of identifying, arresting, and prosecuting the offender and possibly recovering your lost items. The police report will also help provide immediate clarification should someone assume your identity and be arrested for criminal activity using your name and biographical data.
Contact the three major credit bureaus (listed below) to order copies of your credit report, and to report identity theft.
PO Box 105069
Atlanta, GA 30349
To order a credit report: +1 800 685 1111
To report credit fraud: +1 800 525 6285
PO Box 2002
Allen, TX 75013
To order a credit report: +1 888 397 3742
To report credit fraud: +1 888 397 3742
PO Box 1000
Chester, PA 19022
To order a credit report: +1 800 916 8800
To report credit fraud: +1 800 680 7289
By ordering your credit report, you will be able to determine if the identity thief has opened any credit accounts in your name. You can then contact these creditors to let them know that your identity has been stolen, and that the accounts are fraudulent.
When calling to report fraud, request that a statement be placed on your credit report that indicates no further credit is to be granted in your name without first contacting you directly at the telephone number you designate. This is typically called a "Fraud Alert" or "Victim Statement", and will help prevent further accounts from being opened in your name.
Contact the Federal Trade Commission. The FTC maintains the Identity Theft Data Clearinghouse (the federal government's centralized identity theft complaint database), and provides identity theft victims with information. The FTC can be contacted through the following methods:
- Telephone: +1 877 ID-THEFT
- Web site: www.ftc.gov/bcp/edu/microsites/idtheft/
If you discover that a fraudulent bank account has been set up using your name, report the account information to the following merchant check guarantee firms:
- Telecheck: +1 800 366 2425
- National Processing Company: +1 800 526 5380
- SCAN (Deluxe): +1 800 262 7771
- CheckRite: +1 800 766 2748
- CrossCheck: +1 800 552 1900
- Market Block List: +1 888 567 8688
Report improper use of your Social Security Number to the Social Security Administration (SSA) by contacting the SSA Hotline at +1 800 269 0271.
If your driver's license is stolen, report the theft immediately to your local Department of Motor Vehicles. Ensure that a duplicate license was not issued to the identity thief.
Maintain a log of what happened, what was lost, and all of the steps you took to correct the situation. Remember to record dates, times, phone numbers, people you spoke with, and any relevant reference numbers and information. Correcting an ID theft can be a long and difficult process — do not rely on your memory.
Businesses and corporate clients should:
- Proactively use account features that may protect their accounts, such as check cashing limitations and automated payment filters.
- Consider using positive pay features to limit check fraud
- Consider using debit blocks on disbursement only accounts
- Reconcile banking transactions on a daily basis
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer
Business and personal customers also should employ best practices to secure computer systems in their homes and business including, but not limited to:
- Utilize strong passwords with at least 10 characters that include a combination of mixed case letters, numbers and special characters
- Do not share with others usernames and passwords for online banking systems
- Use a different password for online banking sites than you might use for email and other Internet activities
- Verify use of a secure session (https not http) in the browser for all online banking
- Do not "script" usernames and passwords for online banking to allow for automatic logins
- Install commercial anti-virus, desktop firewall, and intrusion detection software on all computer systems and apply updates regularly
- Ensure computers are patched regularly, particularly the operating system and key applications, with security patches
- Always activate the screensaver locking feature when you need to leave your computer unattended
- Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses — create limited user accounts for daily use
- Where practical, carry out online banking activities from a stand-alone and locked down computer from which e-mail and Web browsing are not possible
- Never access bank, brokerage or other financial services information from public kiosks such as those found at Internet cafes, public libraries, and airports
- Educate your staff on this type of fraud scheme
- Configure routers and firewalls to deny unauthorized access to your computer or network
- Change the default passwords on all network devices regularly
- Block pop-ups
- Keep abreast of the continuous cyber threats that occur
- Engage IT support staff if staff report any unexplained changes in the performance or behavior of computers, experience unexpected system shutdowns and restarts, or see new and unexpected toolbars or menu items
- Make sure your employees know how and to whom to report suspicious activity within your company and at your financial institution
- Ensure your contingency plan addresses the need to recover systems suspected of compromise by malware, not just data corruption and catastrophic system/hardware failure
- Consider whether other company or personal data may have been compromised
- Contact your financial institution for more information
Immediately notify us of any suspicious transactions, particularly ACH or wire transfers
BNY Mellon actively works to protect the privacy and data integrity of sensitive information while it is in our possession and control. In the course of providing services, we may exchange information with clients or their authorized representatives which is sensitive and confidential. In order to protect this information, BNY Mellon requires Highly Confidential Information (HCI), and in some cases other types of sensitive information, to be encrypted when transmitted over an open unsecured network.
BNY Mellon provides two methods of encryption for electronic messages containing HCI sent to external recipients.
- Enforced Transport Layer Security (ETLS)
- BNY Mellon Secure Messaging Portal
Enforced Transport Layer Security (ETLS) is the primary and preferred method of encryption for BNY Mellon. This method of encryption allows e-mail to be automatically secured with no additional steps required by the sender and recipient. ETLS requires our external partner organizations to have both an ETLS-capable infrastructure and a valid digital certificate for encryption. Once established, this method is the most convenient for all users and provides seamless encryption for e-mail and attachments. ETLS encrypts e-mail messages between servers and is designed to protect confidentiality and data integrity. Transport Layer Security is a widely recognized standard issued by the Internet Engineering Task Force (IETF) for securing transmitted data.
If you have questions about ETLS encryption or to establish an ETLS relationship with your client, please contact the TLS Administration Team.
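The difference between enforced and opportunistic TLS on the sending side can be shown with Python's standard smtplib. This is an added example, not BNY Mellon's implementation; `secure_session`, `send_enforced`, `TLSRequired` and the `enforce` flag are names assumed for illustration.

```python
import smtplib
import ssl


class TLSRequired(Exception):
    """The message must not be sent: no encrypted, verified channel."""


def strict_context():
    # The default context verifies the certificate chain and the host name.
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def secure_session(session, context, enforce=True):
    """Upgrade a connected smtplib.SMTP session; return True once encrypted.

    enforce=True  -> refuse to continue without STARTTLS (enforced TLS).
    enforce=False -> continue in clear text if STARTTLS is not offered
                     (opportunistic TLS, shown only for contrast).
    """
    session.ehlo()
    if not session.has_extn("starttls"):
        if enforce:
            raise TLSRequired("peer does not offer STARTTLS")
        return False
    try:
        session.starttls(context=context)
    except ssl.SSLError as exc:  # includes certificate verification failures
        raise TLSRequired(f"TLS handshake rejected: {exc}") from exc
    session.ehlo()  # capabilities must be re-read on the encrypted channel
    return True


def send_enforced(host, sender, recipient, message, port=25):
    # host, sender and recipient are supplied by the caller (assumed inputs).
    with smtplib.SMTP(host, port, timeout=15) as session:
        secure_session(session, strict_context(), enforce=True)
        session.sendmail(sender, [recipient], message)
```

With `enforce=True` a partner server without STARTTLS or without a valid certificate causes the send to fail instead of falling back to clear text, which is why both are prerequisites for an ETLS relationship.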
BNY Mellon Secure Messaging Portal is the alternative secure encryption tool, which is utilized when an external partner does not have ETLS capability. The portal encapsulates a message and its attachments into an encrypted message. Once protected, the encrypted message is sent to recipients as an attachment to a plain text e-mail. The recipient uses a self-created, pre-registered password to access the notification and any attachments. This guide provides step-by-step instructions on how to register and use BNY Mellon's Secure Messaging tool.
The BNY Mellon Secure E-mail User Guide can be obtained by contacting email@example.com.
If you have questions about BNY Mellon's Secure Messaging Portal, please contact the Secure Messaging Team at firstname.lastname@example.org.
When accessing any third-party/external sites that may be linked above, you will leave the BNY Mellon web site. These sites are not controlled or endorsed by BNY Mellon, and BNY Mellon is not responsible for the contents, operation or security of these sites.