Union Bank Privacy & Security

At Union Bank®, we believe in investing in your security. We consider your information to be a critical and valued asset, entrusted to our bank: The confidentiality and integrity of your information and financial assets are of primary concern and we are committed to safeguarding that information. We maintain enterprise-wide information security programs in good faith compliance with applicable laws and regulations, including Gramm-Leach-Bliley Act (GLBA). And, our teams work hard to ensure that all financial transactions, data transmissions, and communications are conducted in a secure online environment. 

To this end, we have created a multilayered security program. Here are some of the steps we take to protect your information:   

• We maintain a task force composed of security, information technology, and business professionals focused on assessing risk, testing the security controls of our services, and executing remediation plans to maintain our secure computing environment.
• We engage in ongoing application and network threat modeling and penetration testing. Before we offer our customers new services and features we test them to ensure they meet our standards for confidentiality and integrity. We also reevaluate our controls to ensure that our services and software withstand newly discovered vulnerabilities and attack vectors or techniques.
• We have a formal Incident Response Program that outlines the process in the event of a breach of electronic or physical security or loss/exposure of sensitive data. The Incident Response Program is structured to provide timely and efficient assessment and response to all reported incidents, in compliance with state and federal laws and regulations.
• We evaluate our online security practices regularly, with internal audits and evaluations of our internal control environment.
• Our program also includes investment in both the skills of our people and in advanced security systems. Our employees, along with the tools that enable them to do their jobs, are our strongest assets in the fight against hackers and fraudsters. We engage with our employees through our security awareness program and train and certify them to ensure they understand policy, regulations, and security. We periodically evaluate the preparedness of our employees through simulations of cyber threats.
• We communicate with our customers and commercial clients about cybersecurity and IT updates and requirements.
• We require that relevant third-party service providers adhere to specific security policies and standards, as well as regulatory obligations.
• We maintain strong relationships with law enforcement and leaders in the security industry.

Our approach to security strives to create an advanced web of protection that safeguards your private information and financial assets, while providing the banking services you need.

Federal Regulation E provides certain protections against loss resulting from unauthorized Online Banking or Mobile Banking transfers from your personal account, such as bill payments or transfers to other accounts. These protections do not apply to business purpose accounts, regardless of account ownership.

If you give your online PIN or access code to another person, you take responsibility for all transactions made by that person or by anyone else to whom that person gives the PIN or code, directly or indirectly, until you notify us to cancel your online service. If you download account information to your computer, you take responsibility for protecting the downloaded information from access by unauthorized persons.

You will not be responsible for any unauthorized online transaction if you report the first incident to us within 60 calendar days after the date of the first statement where the transaction is shown. If you do not report it to us within that time period, you could be held responsible for unauthorized transactions that occur after the 60 days. Thus, it is important for you to check your statement or Online Banking Account Detail screen regularly and report any unauthorized activity to us immediately.

If your online PIN or access code is lost or stolen and you tell us within 2 Business Days after you learn of the loss or theft, you can lose no more than $50 due to unauthorized activity using your PIN or code. If you do not tell us within 2 Business Days, you could lose as much as $500 if we can prove that we could have stopped the unauthorized activity if you had told us.

If you believe there has been an error with an online transfer or payment and you notify us within 60 calendar days after the transaction first appears on your account statement, we will either:

• Make a determination within 10 Business Days after we hear from you; or
• Take up to 45 calendar days to investigate. If we do this, we will credit your account within 10 Business Days for the transaction you think is in error. You will have use of the funds while we investigate.
• We may take up to 90 calendar days to investigate, if a notice of error involves an electronic fund transfer that:
  1. Was not initiated within a state;
  2. Resulted from a point-of-sale debit card transaction; or
  3. Occurred within 30 days after the first deposit to the account was made.

Review our “Personal Accounts & Services Disclosure and Agreement and Fee Schedule" for more information.

If you, or any user of the Online Banking service designated by you, give the online PIN or User ID to another person, you take responsibility for all transactions made by that person or anyone else to whom that person gives the PIN or User ID, directly or indirectly, until you notify us to cancel your online service. If you or any designated user downloads account information from the Online Banking service to your computer, you take responsibility for protecting the downloaded information from access by unauthorized persons. 

If your statement shows transactions that you did not make, notify us at once. If you do not notify us within 30 days after the date of the first statement where the transaction is listed, your statement will be considered correct and we will have no further responsibility to you with respect to online transactions shown on that statement.

Cyber criminals are taking advantage of the current situation and they are creating fraudulent messages, websites and apps concerning the virus. The Cybersecurity and Infrastructure Agency has put forth an alert on COVID-19 cyber scams.  The Federal Trade Commission warns of scams, which include but are not limited to:

• Emails that claim to come from a government agency or the World Health Organization and have attachments or links that download malicious software to your device.
• Emails offering cures and vaccines, or home test kits.
• Apps that claim to map infections and instead may be surveilling you.
• Emails claiming to come from charities, and requesting money.
• Messages offering deals too good to be true.

Some best practices to protect yourself from these scams:

• Get information from reliable and official government resources (federal, state, local) and your own medical provider. Know your go-to resources: The Centers for Disease Control and Prevention (CDC), the Federal Drug Administration (FDA) and your state and city’s official websites. The overall website of the Federal government on the matter is: https://www.usa.gov/coronavirus. The official webpage of the World Health Organization is: https://www.who.int/emergencies/diseases/novel-coronavirus-2019 .
• Keep an eye open for fraudulent emails even if they look professional or sound urgent. Look very closely at the email address of the sender. For example, a government email address usually ends with .gov not .com.  Don’t click on links or download attachments from unsolicited communications. And never give out your personal information over email or phone. 
• If you want to donate online, visit the official pages of charities that you already know and before sharing payment information, check that the page is encrypted (has an https:// or lock icon in front of the address).  
• Shop from online stores and from online sellers that you have used before and that you trust as some online sellers are claiming to have items that they don’t have. Make payments on encrypted websites.
• Avoid downloading apps that are specific to COVID-19, many are fake. Only download apps on the subject that have been approved by a government resource or your medical provider. Manage your privacy setting on apps and only download from official app stores.
• You may be working from home, stay cyber secure when doing so. Follow the procedures set up by your place of employment. Log into your work laptop via the Virtual Private Network of your company, and keep all data and devices secure. Make sure that you have access to your work-approved apps, and you know who to contact in case of issues. Work in an area that is quiet and that avoids any type of eavesdropping while conducting virtual meetings. (This may mean turning off networked voice assistants that you have at home while on work-related calls, as those sometimes are compromised and may be recording conversations.)  The National Cyber Security Alliance offers an extensive resource library on teleworking and other COVID-19-related cyber security best practices.

Your identity is one of your most valuable resources. That is one reason why we want to help you take extra precautions to protect it. We recommend that you help safeguard your identity and personal information by engaging in effective username and password creation, protection and management.

Cybercriminals are savvy, and may engage in large-scale automated cyber-attacks where they test different usernames and passwords (credentials) on legitimate websites (email, financial, social media etc.) to access accounts and obtain valuable information about users. This is called credential stuffing and this type of attack may have wide consequences for those affected.  In addition to obtaining your personal or financial information, once cybercriminals learn your credentials on one site, they may try to use those same credentials on other sites.  If you have the same username and password across online accounts you may be more susceptible to becoming a target of this type of cyber-attack.

Creating secure and unique passwords along with using different usernames and email addresses for registrations across online services can help keep you protected.  Here are some additional suggestions:

• Ensure that your passwords are at least eight characters but preferably ten characters. Longer passwords are harder to hack.
• Consider using a passphrase.  A passphrase is a phrase that is easy for you to remember but difficult for others to guess.  you may also create passwords that contain a combination of letters, number and even special chracters (#, &, %) if allowed.
• Use a unique password for each service or website
• Avoid using your Social Security number, account numbers, phone numbers or addresses, birth dates or anniversaries, obvious or common nicknames, names of relatives or pets, any personal information, including personal preferences, such as favorite sports team, and common words from the dictionary.
• Change your passwords every few months or immediately if you suspect that it has been compromised.
• Do not share your passwords with anyone.
• Consider using a password manager where you keep all your passwords. A password manager can be a plug-in (special program) that comes with your computer, or a small device where you can input passwords and store in a secure place.
• If offered, enable two-step authentication. Every time that you access your account, in addition to your password, you will have to input a code that you receive through a different channel, such as a text message on your mobile phone. Two-step verification makes it harder for an account to be compromised, as the perpetrator would need access to two devices to hack the account.
• Leverage other methods for two-step/multi-factor authentication; for example, you can leverage hardware such as Security Keys - USB devices that you plug into your device when you log into an online service that requires a password – in addition to inputting the password. Inserting the security key into your laptop or desktop showcases that it is in fact you who is logging into that account at that particular moment because only you have physical access to that security key.
• If the account offers it, establish strong answers that only you know for recovery questions in case you forget your password
• Take advantage of biometrics capabilities when available, like fingerprint or face identification.

Learn more from the National Cyber Security Alliance.

Although we invest in technology and processes to secure the electronic environment for all of your financial transactions, data transmissions, and communications, online security and protection of your identity and personal information is a team effort. That’s why we recommend you take steps to shield yourself and your computer from attempts to obtain your personal information electronically:

• Do not share your user ID or password with anyone.
• Do not send or receive personal or account information by unsecure or unencrypted email.
• Use Online Banking to check your account balance and transactions regularly. Notify us immediately of unexpected account activity. Account alerts can be set up in Online or Mobile Banking to help you monitor your accounts.
• Never respond to, click any link in, or open an attachment in an email that requests information about you or your accounts. Union Bank never makes such requests. If you accidentally click or respond to such requests, contact us immediately.

If you have any questions or concerns about your accounts, please contact us.

Spyware, which includes keystroke loggers, screen and mouse recorders, and other types of malware, allows hackers to extract sensitive data from your computer. These programs often slow down your computer and send harvested information to criminals. You can follow the tips below to help protect your computer and private information from these dangerous programs. Be careful of other forms of malicious software (malware) such as viruses, which also slow down and disrupt your systems.

• Never open any email attachments, web links, or files if the sender or source is not trustworthy or cannot be confirmed. Be careful with pop-up windows, side links, or shortened embedded links where you cannot see the entire link and may not know what you are clicking on. Also beware of emails that may appear legitimate that could be part of a phishing campaign.
• Use the automated update wizards in your operating system to download and install the latest security patches. Keep those up to date.
• Install anti-virus and other anti-malware software that include anti spyware protection, and keep them updated. Having only an anti-virus may not protect against other forms of malicious software.
• If you plug in USB devices, hard drives or other external devices to your computer, ensure that your anti-malware software scans them.
• Use email spam-filtering software and turn on your pop-up blocker.
• Be careful with adware and malvertising – ads that may appear benign but when clicked, download malicious software to your device and can act as spyware by collecting and transmitting your information.
  • Although it often targets businesses, ransomware can also affect home users. Authorities, such as the FBI recommend not paying the ransom. Learn more about ransomware and other cybercrimes on www.fbi.gov/investigate/cyber.
• Back up your devices in case they are disrupted by malware. Save a copy of your data (from important documents to photos) on an external hard drive that you keep in a safe place.
• Engage in proper online behavior: Avoid using public computers to pay your bills, check your account balance, or transact business. If you have to use a public computer, remember to log out of any accounts completely and log off the computer.
• Make sure your home network is encrypted. It should be Wireless Protected Access 2 (WPA 2). Also, when doing business or engaging in online services check that you are using encrypted sites with ‘https’ in front of the website address.

Learn more from the National Cyber Security Alliance.

As we are more digitally interconnected than ever, social media has become an important communication tool. When not managed properly, it can provide personal information to cyber criminals that can easily be exploited to engage in fraud and other dangerous crimes.

When communicating on social media, you and your family should actively manage the security and privacy of your information. Consider the following suggestions:

• Do not post personal information, such as addresses, phone numbers, birth dates, you or your family members’ full names. Create usernames that are different from your name.
• Use hard-to-guess, long, alphanumeric passwords with special characters that are unique for each social media account, and different from the password of the email account associated with the social media site. Read more about choosing effective passwords.  Similarly, create an email account that you only use for your social media sites. That way, if a social media site gets hacked, the e-mail account associated with it does not become vulnerable as well. Make sure that usernames and passwords for important sites like online banking, insurance, and 401K websites are unique to add another layer of separation from social media accounts. Also, be careful with whom you share your email addresses: Cybercriminals target existing email addresses to create fraudulent web-based accounts.
• Avoid connecting with strangers: Connect, befriend and "be followed" online by people you already know. If you are following a celebrity on social media platforms, such as Instagram or Twitter, ensure that you are following a verified account. If you receive a "friend request" or a "request to be followed" from a stranger, do not accept it. Know your friends’ list or followers’ list in your social media accounts. Sometimes a person who already befriended you requests to be a friend again. This second request may be a scam. As a general rule of thumb, it is good to verify requests, by contacting the person via a different channel.
• Avoid oversharing: Cyber criminals and other cyber threat actors are savvy. They can easily piece together different pieces of information that you post and send you emails, or create fictitious sites according to your interests to trick you into clicking on malicious content.
• Be aware of tracking activities by different social media sites, search engines or Web servers that collect and analyze your searches, your likes, the applications you download and the purchases you make, to sell you additional products or services.
• Avoid clicking on ads that appear on the sidelines; they may take you to sites that download malicious software (malware). Some of this malware can be spyware that, once downloaded, tracks your online and computer activity.
• Keep a separation between the virtual and physical worlds: Be cautious of posting information while on vacation or stating that you will be away from home.   You don’t want a cybercriminal to become a live criminal who may take advantage of information about where you are when and break in, or engage in predatory behavior.
• If possible, turn off the geolocation settings from your social media accounts and mobile applications.
• If you access social media via your mobile devices, make sure you are downloading the official applications from a reputable mobile application store.
• Check privacy settings on all your social media accounts: keep your pages and information as private as possible. For example, check that your Facebook page is viewed only by your Facebook friends and that it is not public on the Web. Often these settings are under "Security," "Privacy," "Tools," "Settings," and "Advanced." 
• Be aware of the loss of control of the content that you post online the moment you have a social media footprint: Even if you are privacy and security conscious, you have no control over the behavior of others. Your friends may not be cybersecurity savvy and can share what you post.
• Not only when using social media, but overall, try to browse the Internet using your browsers’ "Incognito" or "Private" tab/window options. This will not make you invisible but will prevent cookies from being stored so your search history will not be saved.
• Use Safe Browsing sites such as "Google Safe Browsing" that give you warnings when you navigate to dangerous sites or download dangerous files.

Learn more from the National Cyber Security Alliance.

Help keep your children safe online too. Consider these tips:

• Set up some form of parental control on the browsers of your family’s desktops, laptops, and mobile phones, and block access to certain websites. You may need to block social media sites; most social media sites require for children to be 13 years of age to join. If you have younger children they shouldn’t be using social media. Often you can find these parental controls under "Settings" or "Options" on the site, web browser or application.
• Set parental controls on your family’s mobile devices. Your own mobile provider may provide a suite of applications where you can monitor online behavior, block downloading certain applications, and track your child’s location via their mobile phone.
• Be aware of online games where kids may share personal information and consider monitoring access to those as well.
• Teach children and teenagers not to engage in cyber bullying and to report occurrences along with the sites where they occur to adults they trust. More importantly, teach them to understand the differences between the online/virtual world and the real world – teach them not to trust or meet in person strangers that they meet online.
• Overall, teach children to avoid “befriending” strangers online. Their online friends should be “real life” friends who they already know.
• Once they join social media or other online sites, teach your children how to manage those accounts’ settings, and to actively manage their friends and followers’ list. Follow the suggestions offered under by the National Cyber Security Alliance.
• Keep an eye on your children's online shopping behavior and, if needed, set spending limits on the sites or credit cards to which they may have access.

Learn more from the National Cyber Security Alliance.

Like anything else you do on the Internet, when you shop online you open yourself to the perils of cyber space. It is important to actively manage your behavior and keep your personal and financial information secure while shopping online.  Here are some tips:

• Buy From Reputable and Secure Sellers and Services
  • Use well-known shopping portals or the official websites and applications of brands/stores. Only obtain applications from reputable app stores and keep them updated. You can avoid obscure online shopping services by reading consumer reviews and confirming that the online service is accredited with a bureau, such as the Better Business Bureau (BBB).
  • Online shopping sites should be Secure Sockets Layer (SSL)-encrypted to protect the transmission of your financial information. Verify this by looking for https:// at the beginning of the URL. Sometimes you will see a padlock icon.
  • Avoid purchasing items from browser advertisements and pop-ups. Be suspicious of items priced too low to be true.
  • If engaging in a peer-to-peer transaction, look closely at the reviews of the seller and be careful even if you are using a reputable online service, such as Amazon. As a general rule of thumb avoid peer-to-peer shopping as the likelihood for fraud is greater in those transactions.
  • For each shopping website you use, set strong, unique multi-character passwords and, if offered, set up 2-factor/2-step authorization.
• Keep Your Personal and Payment Information Safe
  • Be careful about how you share payment information and with whom.  As a general rule of thumb, share the least amount of information necessary to complete a transaction online (i.e. credit card and shipping information).
  • Monitor your bank statements for fraudulent charges and immediately report suspicious activities to your bank or Credit Card company.
  • Do not share credit card information via email. All payments should be sent via an SSL-encrypted site.
  • Avoid storing your credit card/payment information on websites for later use.
  • It may be helpful to use reputable online payment services such as PayPal to keep your credit card information securely stored.
  • Understand your consumer protections such as the Fair Credit Billing Act that can protect you from certain erroneous charges and disputes regarding credit cards.
  • Read the privacy policies of all your online shopping services and understand how they are using your personal data and with whom they share it. Opt out, as needed.
• Use Secure Personal Devices and Networks to Protect Payment Data
  • Shop online using your personal computer, laptop, or mobile device on a password-protected Wi-Fi Protected Access 2 (WPA2) home network or data plan from a reputable vendor.
  • Avoid using public Wi-Fi when online shopping.  You should not transmit personal or financial information, such as credit cards in an open, unencrypted network.
  • Avoid shopping online using work-related devices: not only would you expose work devices to vulnerabilities, but personal shopping from a work device is against company policy at most workplaces.
  • Keep your web browser updated with the most recent security patches by going to "Settings" or "Help" on your browser. Often, when you click on the "About... Name of the Browser" section you can see what version it is and check for updates.
  • For added protection, keep devices with anti-malware and anti-virus software up to date, and use a pop-up blocker.

Learn more from the National Cyber Security Alliance.

A Smart Home is one where multiple devices ranging from central air thermostats and appliances, to security systems are connected to the Internet to allow remote control over one’s home. This interconnectedness of products on the web is often called the Internet of Things (IoT) and has led to a variety of home and task automation tools that make day-to-day activities more efficient. In the near future, for example, your fridge may have a sensor that knows when you are running out of milk, then connects to the Internet and purchases milk from an online store. Currently, smart fridges with tablets already exist and provide access to calendars and the ability to create notes and shopping lists on the fridge itself. You may already be a consumer of smart home gadgets like Internet-connected voice assistants that allow you to request to stream a song or a movie, or get the latest weather forecast.

A smart home may make life easier but also opens your home to cyber threats. Even more mainstream gadgets, such as voice-activated assistants, webcams, or wireless printers, are susceptible to hacking as they are all dependent on an Internet connection. A cybercriminal may hack into your personal home network or the application that you use on your device to control the gadget and obtain personal information. They could, for example, hack the webcam that you use to communicate with your loved ones, intercept communications, and monitor your movement 24/7. But even more dangerous, cybercriminals can hack into cameras, smart locks, smart doorbells and other devices actively used for security purposes that are connected to the Internet. Criminals can completely disable them to access your home and commit a physical crime. As a consumer you should be aware as well that smart devices are collecting and potentially sending information back to the vendor´s network or cloud – creating more vulnerability.

It is also important to be mindful of other applications, such as smart cars. Cybercriminals can access your car system and take control of the wheel by hacking an application connected to the car’s web service.

Below are some suggestions to consider when purchasing Smart Home technology:

• First and foremost, decide if you really need the device – the latest trend may not be worth opening yourself to the associated risks.
• Create very strong and unique passwords for each device.
• Only purchase devices from reputable companies – do your investigative research regarding each product. Look at what IT and cybersecurity experts are saying about the IT specifications and security of the device.
  • Ensure your home network is WiFi Protected Access 2 (WPA2) secure and that you are obtaining it from a reputable network or cable company. Make sure your home network password is strong and contains letters, numbers and characters. Also, ensure that the hardware that supports your network (i.e. your router) is secure and up-to-date.
  • Obtain a data plan from a reputable company for your mobile devices.
  • Avoid accessing applications for these devices via hot spots or public Wi-Fi, as those connections are inherently insecure.
  • Make sure the software and applications for the gadget are always up-to-date with security patches from the manufacturer.
  • Keep devices (desktop, laptop, mobile phone, and tablet) used to remotely control your smart home, both physically and cyber secure (i.e. install antimalware tools and keep them updated).
  • Keep in mind the amount of personal data that the applications of these devices may be collecting from you. Manage the privacy and security setting of each of those apps.

Learn More from the US-CERT webpage.

If you use your mobile phone or tablet to stay connected, like most of us, consider these tips.

Take Care of Your Devices and Data:

• Purchase smartphones or tables from a reputable source, store and brand. Read consumer reviews about the product.
• Avoid buying second-hand phones or tablets. Even if they have been reset, you may not know what the previous owners installed or if there are hardware defects that could lead to malfunction.
• Set up a complex password or passcode to lock your smartphone or tablet and, leverage biometrics, such as your fingerprint to lock/unlock it, if available. 
• Know your mobile device settings: how to turn on and off data connectivity and Wi-Fi access; and how to turn on and off airplane mode when traveling.
• Keep your device’s software updated. Often these updates include security features or fixes to glitches.
• Periodically back up your documents, photos, contacts, and any other data in case of malfunction or software issues.
• Keep your mobile devices with you at all times, especially your smartphone. If you need to leave them in your car, aim for the trunk, and never overnight.
• Be cognizant of threats that target mobile devices. Threat actors may target you via fraudulent text messages, known as SMiShing. Don’t reply or click on links if you don’t recognize the sender. Overall don’t provide any sensitive information via text.

Be Careful with How You Connect Your Mobile Device to the Web:

• Purchase data plans from reputable providers, and do consumer research on the network reach, connectivity quality and security.
• Avoid connecting your mobile devices to mobile hotspots or public Wi-Fi as those connections are inherently insecure.
• At home, connect your mobile devices to your Wireless Protected Access 2 (WPA2) network from a reputable Internet or cable provider that is protected by a strong alphanumeric and special character password of your choice.  Also, ensure that the hardware that supports your network (i.e. your router) is secure and up-to-date.
• Disable hotspot and Bluetooth when not required.

Be mindful of your apps:

• Download applications from a legitimate app store. Using unknown app stores is risky as there is a higher chance that the apps are insecure, malicious imitations.
• Check that you are downloading official apps, especially those dealing with payments, banking or home security.
• Really know your smartphone/tablet -- the settings of the device and individual apps are used to manage your privacy. Turn off geolocation settings for most apps unless they are dependent on location-based services (i.e. maps). Consider turning off automatic Wi-Fi sync for apps while traveling to prevent them from sending and receiving data over an unsafe network.
• Remember that you can uninstall apps in your settings tool. Uninstall applications that you don’t use.

If you are traveling also keep in mind the following:

• Keep your devices with you at all times. Don’t check in your laptop or tablet.
• Be cautious in areas where you have to wait or may be distracted, such as hotel lobbies, restaurants, and security checkpoints at airports (try at all times to keep a visual on electronics as they go through the metal detector).
• If you really need to connect online via public Wi-Fi or a public mobile hotspot do not use it to access sensitive accounts (such as online banking) or your smart home applications like those used to monitor your home’s safety. It’s better to connect via your own mobile device hotspot or data plan when traveling domestically.
• At hotels, do not fully trust in-room safes. Try to keep your electronics with you at all times. But of course, use judgement – a laptop may be more secure at your hotel room with a lock than with you next to the pool.
• Be careful saving information to memory sticks and hard drives and transporting those – they can be easily misplaced. If you do use them, use encrypted ones.
• Avoid printing on shared printers or using shared computers at hotels. If you do, make sure that you log off from your accounts, and sign off from the session. When printing, pick up your print job immediately, and do not print confidential information.
• Overall be careful with what you do in public while on your phone, tablet or laptop, someone can be looking over your shoulder. You may want to consider a privacy screen for your devices.
• Avoid oversharing details online about your travel.  You don’t want to let others know your every move.
• Don’t forget about the management of your children’s mobile devices and their access to apps and websites – set up parental controls.
• If you are traveling for work, follow your company’s procedures for device and data handling, and report any incidents and emergencies to prescribed contacts. You may be required to connect to the internet via your company’s virtual private network (VPN).
• Be extra cautious when traveling abroad. Have a general awareness of the physical and cyber landscape. Learn more about travel advisories with the State Department's website.

Learn more from the National Cyber Security Alliance.

"Phishing" refers to fraudulent electronic communication via email, text message, or instant message that appears to come from a legitimate business like a bank, insurance company, or regulatory agency, and asks you to provide personal information. Fraudsters can use your information to commit identity theft or lure you into additional scams.

Phishing may also be called “spoofing” as the fraudster masquerades as a user, website or email to gain access to your information.

Remember, Union Bank® does not request personal information by email, text, or instant message. Beware of any unsolicited requests for personal information and do not respond; instead, report it to [email protected]

The following tips can help you spot fraudulent messages:

• The sender's name is usually generic, such as "Customer Service Department," or simply the company's name, such as "XYZ Bank." The name of the company or content in the email may have misspelled words, or is written using poor grammar. The email address may contain extra letters.
• The email does not identify you specifically. Since phishing emails are often sent to millions of people they are typically addressed generically (e.g., “Account Holder,” “Sir,” “Madam”).
• The message title generally concerns an "urgent matter" that requires your immediate attention, such as "verifying" certain information to prevent the company from suspending or closing your account. Legitimate emails typically do not contain threats.
• The message looks professional and official, often displaying the look and feel of a website that you know. It may even contain graphics, logos, links or pop-up windows that appear legitimate. Avoid clicking on links or attachments as they may install malicious software (malware) on your computer to obtain further information.
• The sender asks for ATM or credit card numbers, personal identification numbers (PINs), sign-on IDs, and other personal information, such as your Social Security number, date of birth, or mother's maiden name—all of which thieves can use to take over an account or commit identity theft.
• The message points to a domain name that is spelled very closely to, or appears to be related to, the legitimate domain name.
• The email contains inaccurate information. For example, reference to a purchase you never made.

If you are ever unsure of the origin of a Union Bank email, or believe it is not legitimate, avoid clicking on the links. Instead, call Union Bank at 1-800-238-4486 or reach out to your branch or Relationship Manager to verify. As a general rule of thumb, avoid clicking on emails that seem suspicious or that are unsolicited and do your best to verify the sender when in doubt.

Be mindful of other forms of fraudulent communications:

“Vishing,” or voice phishing is a technique that combines text messages, phone recordings, and email to persuade someone to dial a telephone number or respond to a telephone call for financial gain. Fraudsters tell you to contact their bank at a fraudulent telephone number, which is provided in an email, a text message, or by a recording using Voice over Internet Protocol (VoIP) technology. During the call, targets are asked to provide their card number and other personal or banking account information.

And finally, “SMiShing” is the text message version of phishing. It is an attack that uses text messages (SMS) to incite the target to divulge private, sensitive or confidential information. The SMS may have a link requiring you to input information; it may have a link that, when clicked, downloads malicious software to the mobile phone; or the text may have a malicious attachment itself.

Since fraudsters constantly vary their scams, it is important to be careful with text messages, emails, and telephone calls or recordings requesting confidential data.

Learn more from the National Cyber Security Alliance.

By incorporating prudent business practices and making use of available cybersecurity safeguards, you can reduce the risk of losses from fraud and embezzlement in your business.  

There are a variety of ways in which fraudsters can attempt to access your accounts such as:

• Forgery:  Stolen or otherwise obtained checks cashed without proper authorization.
• Counterfeiting and alteration:  Fabricating or using chemical solvents to modify a check.
• Paperhanging:  Writing checks on closed accounts.
• Vishing:  Fraudulently obtaining your account access information or other sensitive information through phone calls.
• SMiShing:  Fraudulently obtaining your account access information or other sensitive information through text messages.
• Business Email Scams:  A more specialized form of phishing where fraudsters spoof company emails or use other social engineering techniques to assume the identity of a company’s CEO, trusted vendor or another individual in authority.

Follow these simple guidelines to improve efficiency and reduce the risk of loss:

• Dual custody:  Split the responsibilities for issuing checks and reconciling bank statements between two people, so one person doesn't control the entire process.
• Monitor bank activity regularly in Online Banking so discrepancies are noticed quickly.
• Secure check stock, credit/debit cards, and online access passwords.
• Review check orders immediately when they arrive from the printer to verify account information, including consecutive check numbers.
• Report missing checks to the bank immediately in case you need to stop payment.
• Store your working supply of blank checks in a secure location and your reserve supply in a separate, secure location; audit the reserves periodically to ensure that no checks are missing, especially in the middle of a stack.
• Change keys and entry codes periodically to prevent unauthorized access to secure areas.
• If you move your business, destroy all obsolete checks in a shredder or use a bonded shredding company.
• Practice safe cash-handling.
  • Limit the amount of accumulated cash in any register - use a drop-safe.
  • Check for counterfeit currency - inexpensive devices are available to aid detection of counterfeit bills.
  • Provide a receipt for every transaction.
  • Put one employee in charge of setting up cash drawers and have another double-check the cash count.
  • Never leave checks or bank records unattended in order to assist customers.

Business email compromise (BEC) is defined as a scam targeting businesses working with foreign suppliers and customer accounts, and targeting individuals (consumers or businesses) that perform wire transfer payments. Fraudsters carry out this scam by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct money transfers.  When personal accounts are targeted, the scam is called an EAC (Email Account Compromise).

BEC scams continue to evolve and target small businesses as well as large corporations. Victims deal in a wide variety of goods and services, no one sector is targeted more than another. From October 2013 to May 2018, the Federal Bureau of Investigations cited exposed losses totaling over $12 billion. (Source: https://www.ic3.gov/media/2018/180712.aspx)

Examples of Email Schemes:

• Business executive scam – a fraudulent message appears addressed from a senior executive within the company to execute a payment.
• Supplier email – an email is addressed from a supplier’s spoofed email address requesting a change in beneficiary account.
• Title company – A change in wire transfer instructions from a title company handling a property purchase.

Best Practices:

If you receive a suspicious email, be mindful of the following: 

• Do not open it or reply.
• Avoid clicking on links or opening attachments.
• Report the email to your IT or information security department. Suspicious emails can also be forwarded to [email protected].
• Be suspicious of last-minute changes and validate the email by calling the company at a phone number you know is correct. Do not contact the sender by a phone number included in the email.
• Be wary of wire transfer requests that request secrecy or quick action.

Filing your taxes as soon as possible is the best way to protect yourself. Criminals can gain access to personally identifiable information (PII), such as a Social Security number, bank account information, etc. and use it to file false tax returns to receive the refunds. Thousands of people have lost millions of dollars and PII to tax scams. These scams can be encountered anytime, but many peak during tax filing season. The IRS issues a list of frequently seen Tax Scams each year; here is 2019’s Dirty Dozen list. 

One twist to an old tax scam involves fraudulent refunds being deposited into an individual’s actual bank account. Then, the criminal calls to collect the money they claim was transferred in error. Criminals may pose as IRS agents or debt collection agency officials to request that the money be forwarded. You may also receive an automated call with a voice recording that threatens you with criminal fraud charges then leaves you with a phone number to call to return the refund. When you follow the instructions, the criminal pockets the money. 

Remember that the IRS does not initiate contact with taxpayers by email, text message or social media channels to request personal or financial information. Most communication is handled through regular mail delivered by the United States Postal Service.Review additional information from the IRS.

Reporting tax fraud

There are established procedures taxpayers should follow to return erroneous funds to the IRS.  In addition to contacting the IRS, it is also recommended that you contact your bank and tax preparer, as it may be best to close your account and take other security precautions.

Follow detailed instructions from the IRS to report fraud. Make sure to indicate that you are a victim of a scam. Learn more from IRS.

To report suspicious activity on your account (ATM/Debit, Check Fraud): 
Call 800-238-4486 Monday through Saturday, 8:00 a.m. to 5:00 p.m. Pacific Time
Sundays and bank holidays: Closed

To report suspicious activity on your credit card: 
Consumer: 888-642-3311  
Business: 888-643-9800 
Available 24/7
 

Identity thieves are getting creative, sophisticated, and bold. One scam involves teams of fraudsters who install wireless devices, called skimmers, and cameras on legitimate bank ATMs. The fraudster's goal is to steal both your ATM card number and your personal identification number (PIN).

Here's how it works:

The skimmer and camera are disguised to look like normal ATM equipment. The skimmer is mounted to the front of the ATM card slot. It reads the ATM card number and transmits it to the fraudster. The wireless camera, which looks like a brochure holder, is mounted in a position to view the ATM keypad and film customers' PINs. The thieves make duplicate cards and use the PINs to directly access the ATM and withdraw thousands of dollars from various accounts in a short amount of time.

What to look for:

• Alterations to equipment – especially near keypad.
• Sticky residue or tool/scratch marks on machine.
• Card reader overlay.

Be aware of what your ATM typically looks like as well as your surroundings. If you notice alterations to the equipment, call us at 1-800-238-4486. Do not attempt to remove the devices.

Be alert to “too good to be true” notifications of prize or lottery winnings.  These can arrive through the mail, by email, or by an unsolicited telephone call, and advise the targets that they have won a prize (often for a competition they didn't enter). Victims of lottery scams have lost thousands of dollars responding to demands for payment to cover costs of redeeming prizes when, in all probability, the prize did not exist. Victims rarely, if ever, receive any winnings in return for their cash.

How to Spot Prize and Lottery Scams:

• The information on the notification advises that you have won a prize, but you did not enter any competition run by the contest promoters.
• The notification was sent by bulk mail. Though it may be personally addressed to you, thousands of other targets around the world may have received the same notification.
• The prize promoters ask you to pay a fee (for administration or "processing") in advance.
• The notice contains an offer to buy shares in a fund that purports to purchase tickets in legitimate overseas lotteries.
• The offer includes prizes or the opportunity to purchase "exclusive items." If these items are real, they are often substandard, overpriced, or falsely represented.
• The notice informs you that claiming the prize might require travel overseas, at your own cost.
• You searched, or had someone search, the internet for possible information on the contest, lottery, or prize to determine its legitimacy, and didn’t find anything.

The cross-border purchase or sale of lottery tickets is a violation of U.S. law. Because these scams are generally operated outside the United States, victims have very little recourse to recover their losses.

As communicating on social media and utilizing online dating websites have become increasingly popular, scammers have capitalized on this trend. Many create fake profiles to lure victims and establish a romantic relationship for the purpose of extorting money at the end.

Modern online romance scams are premeditated, organized crimes that result in financial losses for millions of victims. The FBI's Internet Crime Complaint Center received 18,000 romance scam complaints in 2018 and reported over $360 million in losses. 

There are many variations of online dating scams but all tend to follow the same trajectory. The victim is identified, a close relationship is rapidly established online; a small amount of money is asked for to test the victim's readiness; a crisis occurs and a larger amount of money is sought with the promise of it being returned quickly; a series of additional "bleeds" occur until the scammer is exposed or the victim can't get any more money.

What are signs of a scammer?

• Someone who claims to be in love very quickly.
• From the US but happens to be overseas for business or military service.
• Ask to communicate off the dating site immediately.
• Need money for emergencies, hospital bills, or travel.
• Plan to visit, but can't because of an emergency.

What can I do?

• Never send money to anyone you don't know personally.
• Slow down - ask a lot of questions. A scammer may stumble over the details.
• Research the person online (e.g. profile name, email, phone numbers) to see what adds up and what doesn't.
• Contact your bank right away if you think you've sent money to a scammer.

Report your experience to:

• The online dating site
• FTC –ftc.gov/complaint
• FBI's Internet Crime Complaint Center – ic3.gov

The American Bankers Association (ABA) in collaboration with the Federal Trade Commission (FTC) released an infographic on the growing threat of online dating scams.

Card cracking usually originates online on a social media platform and targets young consumers. The fraudster will reach out promising quick and easy cash. The customer is tricked into providing their account credentials, after which a fake check is deposited into the customer’s account. The fraudster then makes an immediate ATM withdrawal, sharing some of the funds with the customer. Meanwhile, the customer is instructed to report the incident as lost/stolen card or credentials so that the bank will reimburse the stolen money. This makes the customer a criminal accomplice.

Be aware and avoid online solicitations for easy money. Never share an account number or PIN and never file a false fraud claim with a bank. When in doubt, report suspicious social media posts connected to the scams.

The American Bankers Association® provides additional information about card cracking scams.

The Internet is now a common place to look and apply for a loan. With so many lenders fighting for your business, it is easy to fall into an online loan trap. When borrowing money, be aware of scammers offering fake loans. They are skilled at convincing people that their loan offer is legitimate. Do not accept unsolicited offers of credit from unfamiliar lenders. Only deal with reputable online institutions.

Once you apply for a loan online, scammers can obtain your personal information. You may have given them all the information on an illegitimate loan website or they may have hacked/phished for your information. The scammer will contact you on the approval of the loan you just applied for. They will then request an upfront fee for vague reasons. The fake lender’s ultimate goal is getting you to wire money. They may even make mobile deposits of fraudulent checks to your online bank account and ask to send the majority of the funds back to them to pay-off the loan, for a promise to improve your credit score.

What are common signs of a fake lender?

• Guarantees you’ll get a loan without reference to your credit history.
• Not registered, has no physical address, and/or uses the name of a well-known organization.
• Demands fees upfront for vague reasons like "insurance," "processing," or "paperwork" and asks you to wire the money to an individual.

What precautionary steps should you take?

• Do your research and know who you are dealing with.
• Make sure the company is registered in your state. To check registration, call your state Attorney General’s office, or your state's Department of Banking or Financial Regulation.
• Get the lender’s phone number from another online source or phone book and call to make sure they are who they claim to be.
• Verify their physical address.
• Look them up on Better Business Bureau for ratings.
• Search online to see if others have fallen prey to a scam.
• Do not release personal information over the phone or online.

Stay away from "too good to be true" deals. There are no quick and easy fixes to difficult financial issues.  And remember that legitimate lenders do not need your personal information upfront.

Cybercriminals use a variety of tactics ranging from cold-calling and web advertising to persistent and annoying pop-up windows to defraud consumers. Some call and claim to be computer techs associated with well-known companies like Microsoft or Apple. Others send pop-up messages that display Tech Support alerts, asking you to call a support number to fix your device. They say they’ve detected viruses or other malware on your computer, diagnose a non-existent problem, and ask you to pay for unnecessary services.

If you get an unexpected pop-up, phone call, spam email or other urgent message about problems with your computer, don’t click on any links, don’t give control of your computer and don’t send any money. Microsoft or Apple will never proactively reach out to you to provide unsolicited PC or technical support.

How do I protect myself from tech support scams?

• Hang up on unsolicited urgent phone calls from people who claim to be tech support.
• Ignore tech support pop-up messages on your devices.
• Do not call the number in a pop-up window on your device.
• Never share passwords or give control of your computer to anyone who contacts you.

What can I do if I was scammed?

• Scan your computer to see if you have malware installed on your computer and get rid of it if so.
• Change all passwords you shared with someone.
• Contact your credit card company if you made payments with your card, and check your bank statement for any charges you did not authorize.
• Keep your security software up to date.

The Federal Trade Commission offers additional advice on tech support scams.

Identity theft occurs when someone uses your personal information (i.e. Social Security number, credit card number) without your knowledge to commit fraud.  These crimes are the most frequently reported crimes to the Federal Trade Commission today, and can be committed in person, by telephone, on the internet, or through the mail.

As technology continues to evolve, criminals are developing new ways to exploit or defraud organizations and consumers, like accessing bank and brokerage accounts online and stealing credit information or identities. 

As part of Union Bank’s ongoing commitment to protecting customer information, we continuously review and strengthen our security program, processes, and procedures.   Here are some examples:

• Requiring ID and authentication for information requests, account maintenance, and transactions conducted in person or by phone.
• Discontinuing check verifications for third parties when account information could be compromised.
• Ultraviolet verification equipment to deter counterfeit ID, checks, and currency.
• Posting strategic warnings online to alert our customers to recent incidents involving email and online fraud schemes.
• A vigorous ID Theft Prevention program to identify and respond to potential red flags.
• Partnership with other institutions to adopt best practices for fraud prevention.

Read more about ID theft and fraud.

Protect Your Computer and Use the Internet Wisely:

• Bank online using a secure computer only—avoid using computers in libraries or hotels.
• Be wary of public Wi-Fi—avoid logging in to sensitive accounts (such as your bank and credit card accounts). Save the important web surfing for when you're back on a secure network. If you must check your sensitive accounts when away from home—and you don't have a VPN—turn off your device's WiFi and log on using cellular data.
• Increase the security of your computer by installing a firewall and spam filter as well as antivirus, anti-malware, and anti-spyware protection to safeguard your computer against viruses and malware (malicious software) that can log your keystrokes or steal your data. Keep your software up-to-date.
• Check privacy and security settings on your browser (i.e.: Internet Explorer, Google Chrome, Firefox) turn on the pop-up blocker.
• Avoid clicking on boxes, ads or alerts that may appear while on the Web, even if they seem to be from reputable sources. Be aware of Ransomware, a type of malicious software that blocks your computer or files and demands a payment, or "ransom," to unlock your computer.
• If possible, use the private browsing option of your web browser. You may also want to use safe browsing options offered by antivirus software and some browsers that give you warnings when you navigate to dangerous sites or download dangerous files.
• Avoid getting too personal on social media—do not post your date of birth, for example. Cyber criminals often scour social media for personal information they can use to guess your passwords, date of birth, etc., and steal your identity. Check your privacy and security settings on each of your social media accounts periodically.
• Shop on secure websites showing HTTPS (the S means secure) and displaying the padlock icon or green address bar that indicates the website is secure.
• Create strong passwords of eight or more alphanumeric characters including special characters (%,&,*) for online financial accounts, and change them regularly. Avoid using the same password for all of your accounts.
• Consider using a password manager. Do not share your password with anyone. You may want to create a passphrase instead of a password that’s easy for you to remember but difficult for others to guess.
• Avoid using the same email account on multiple sites.
• Monitor your bank and credit card accounts frequently for unusual or unauthorized activity. Most banks and credit card issuers offer services that alert you when your accounts reach certain transaction and balance thresholds.

Be on the Alert for Fraudulent Email

• Always view unsolicited email of any kind with a heavy dose of skepticism. Send any requests for your private information to our online banking customer service department at [email protected].
• Never fill in information in an email that contains input fields. If you have sent any personal information via email or pop-up window, call us immediately at 1-800-238-4486.
• Be wary of email that appears to be from friends and includes a generic subject line, such as "You really need to see these pictures." Fraudsters can steal users' address books and send malware email to every addressee. Note: Union Bank will never contact you via email to ask for or validate any personal information.
• Be wary of offers that seem too good to be true. In advance-fee schemes, fraudsters ask you to pay money to someone in anticipation of receiving something of greater value, such as a car, loan, contract, rental deal, investment, or gift.  Other scams entice people to sign up to be "mystery shoppers" or with offers of employment. Victims receive fraudulent checks for thousands of dollars, with instructions to cash the checks and wire the funds to another bank. The checks bounce after the money is wired, leaving the victim responsible for paying the bank back.
• Use U.S. mail carefully and remove mail from your mailbox promptly. Place outgoing mail in post office collection boxes only. Even better, consider using Online Bill Pay to send payments. By making payments online, you can help prevent mail fraud while saving time and postage costs.
• Pay attention to billing cycles. Call companies if you do not receive an expected bill in a timely manner. An identity thief may have diverted your bill.
• Shred documents containing personal information, including preapproved credit offers, old bank statements, canceled checks, and ATM receipts. Union Bank offers Online Statements for checking, savings, and money market accounts.

Safeguard Your Cards and Accounts

• Report any lost or stolen cards immediately.
• Check your credit report at least once a year to be sure it's accurate and up-to-date. If your report shows accounts you didn't open, numerous inquiries from creditors, or negative items, take action immediately.
• Go paperless. Online statements and invoices minimize the number of hard-copy documents that bear your personal information and could get into the wrong hands.
• Memorize your PINs and change them regularly. Don't carry them in your purse or wallet.
• Sign up for account activity alerts. Online Banking alerts can help you monitor account activity.
• Download apps from reputable sources.
• Protect your Social Security number.  Keep the card in a safe place - not in your wallet. Don't print your Social Security or driver's license number on your checks.

Be Aware of Your Surroundings

• Pay attention to anyone who may be listening when you share personal information by phone or when inputting it on your computer or mobile device.
• Never give out personal information, such as your Social Security number, account numbers, or PINs, in email or during phone calls unless you personally initiated the contact. Thieves can hack into your list of email contacts and pose as trusted contacts to get information.

Secure Your Devices

• Keep both your personal and work computers and laptops secure. At work, keep your laptop docked and locked. If you are traveling, keep your laptop within reach, and put it in your trunk if you have to be away from your car.
• Put a passcode on both personal and business mobile devices including mobile phones and tablets. Keep mobile devices with you.
• Lock the screen of both your personal and work computers every time you walk away.

Read more about protecting yourself from ID theft and fraud.

If you are a victim of or suspicious about identity theft, take the following actions as soon as possible:

• Notify your banks and credit card issuers.
• Contact the fraud departments of the three major credit bureaus. You should call first then follow up in writing. As a victim of identity theft, you are entitled to a free credit report from each of the following agencies:

Equifax

Call 1-800-525-6285 

Write: Equifax Fraud Assistance 

P.O. Box 105069, Atlanta, GA 30348

www.equifax.com

Experian

Call 1-888-397-3742

Write: P.O. Box 949, Allen, TX 75013-0949

www.experian.com

TransUnion

Call 1-800-680-7289

Write: Fraud Victim Assistance Department

P.O. Box 6790, Fullerton, CA 92834

www.tuc.com

• Request that a fraud alert be placed in your credit bureau file. You can remove an alert at any time.
• Ask for copies of your credit reports and review them carefully. Check the inquiry section of the reports. When inquiries appear from companies that opened fraudulent accounts, request that the inquiries be removed from your reports.
• Change all of your passwords and PINs, including email passwords.
• Contact your local police or the department where the identity theft took place and file a report.  Having a copy of a police report can help provide evidence of fraud to creditors, including your bank.
• Contact the Federal Trade Commission (FTC) at 1-877-ID THEFT (1-877-438-4338). The FTC will put your information into a secure consumer fraud database and may share it with law enforcement agencies.
• Check your mail for account statements you did not apply for and contact the creditor. And, contact the post office if you are not receiving mail you usually receive.
• Review all of your accounts including credit cards, home equity lines of credit, bank accounts, investment accounts, and telephone statements. If you suspect fraud, report it to your creditor, financial institution, or broker immediately.
• Protect and start rebuilding your good credit.
• Open new accounts to replace any accounts you had to close.
• Continue to monitor your bank, credit card, and brokerage accounts frequently for any new activity that may be unauthorized.

Access additional government resources.

Learn the warning signs.