Deeper understanding leads to better outcomes
At SMBC, we take our responsibility to protect the privacy and confidentiality of your PII (Personally Identifiable Information) very seriously. While SMBC has robust security measures in place, customer awareness of security best practices can help protect against the advanced and very persistent threat posed by cybercriminals.
Below are some typical methods cybercriminals use to attack or defraud organizations and best practices to protect against these types of attacks.
Phishing: This is one of the most widely used attack methods by cybercriminals. Phishing refers to seemingly legitimate emails that tempt you to click on malicious links or open malicious attachments. Interacting with the email can enable the installation of malicious software (malware).
Watch for unsolicited emails which appear to be from a trusted organization, such as SMBC or a government agency. These emails often contain links to websites urging you to provide sensitive or personal information. These emails stress the urgency of their request, such as warning that your account will be shut down if you do not take immediate action.
Remember to Think Before You Click!
Never reply, click on a link, or open suspicious attachments if you suspect a phishing email. Instead, directly contact the sender using a secure phone number. It is also important that you report the phishing email to your email provider.
Vishing: Vishing refers to a form of cyber-fraud where a cybercriminal impersonates trusted officials over the phone or via text message (known as smishing). Examples include cybercriminals impersonating bank staff, law enforcement, customer care, a family member in distress, or another trusted organization. They may contact you by phone requesting online banking login details, passcodes, account numbers, or personal details to address a fictional ‘security or fraud incident.’ The cybercriminal can spoof the caller ID so the call appears to come from a legitimate number that you know and trust, making the call seem authentic. The cybercriminal can then use the information you provide to transfer your money to another account, withdraw cash, use your money to purchase gift cards, or sell your private information so that other cybercriminals can gain access to your finances.
Smishing: Smishing refers to fraudulent text messages which may appear to come from SMBC or other trusted sources. Like phishing, smishing messages often stress the urgency of the request. Examples include claims that your financial institution suspects there has been fraudulent activity on your account, that you may have won a prize, or that you have issues with the local authorities that demand additional action.
Social Engineering: Social engineering refers to a manipulation technique that exploits human error to gain private information, access, or valuables. It aims to trick individuals into revealing sensitive information or making decisions they would not ordinarily make.
Types of Social Engineering Practices Include:
Deepfakes: Deepfakes use Artificial Intelligence (AI) to impersonate someone’s voice or appearance. For example, a cybercriminal may use a deepfake to impersonate a trusted person or senior member of an organization and request that you set up a video call with the intention of pressuring you to make an urgent and confidential payment. Deepfakes can be difficult to detect, so if in doubt, validate the identity of individuals or businesses before meeting with them. This could include contacting the requestor on a verified phone number to confirm they are requesting the meeting.
Passcode Scams: Cybercriminals may ask you to share a one-time passcode (OTP), which will allow them to conduct fraud or theft. Like phishing, passcode scams often stress the urgency of the request. Examples include claims that you need to share a code to stop an unauthorized payment or prevent a suspicious transaction. By providing the code, you are approving their fraudulent activity. Never share your codes with anyone.
Steps You Can Take to Protect Yourself and Your Organization:
Don’t:
- Don’t share your security details or information. Banks and other organizations, such as law enforcement or service providers, will never ask you for your PIN, password, or banking codes.
- Don’t share physical tokens. Sharing a physical token increases the risk of fraud. Because you have agreed to keep your physical token secure, any transaction that utilizes that token will be attributable to you.
- Don’t trust messages just because they appear authentic. Cybercriminals can mimic text headers and make their messages appear below previously sent messages you know are genuine.
- Don’t click on links in text messages or e-mails, or open or download attachments, unless you are sure they are safe.
- Don’t use any telephone numbers provided by a suspicious caller. If something does not feel right, immediately terminate the call and contact SMBC.
- Don’t provide Online Banking codes, such as your secure key, password, or an OTP, even if the message claims the code is for digital use only. Banks, law enforcement, and reputable organizations will never request such information.
- Don’t confirm a transaction you did not conduct.
- Don’t share passwords.
- Don’t transfer money to an allegedly secure account for 'safekeeping.'
- Don’t allow third parties to take control of your device unless you have reached out to a trusted source. Be cautious of any messages asking you to share your device information or allow access.
- Don't withdraw cash and provide it to a third party to assist with an ‘investigation.’
- Don't provide anyone with your private information, including passcodes, which can then be used to gain access to your finances.
- Don’t let urgency in a request convince you of legitimacy. Cybercriminals intentionally create stressful or time-sensitive situations to pressure their targets into making a mistake.
- Don't click on unsolicited links or attachments, as they could contain malware.
Important Reminder: SMBC will never ever ask you for your password.
Do:
- If you suspect you fell for a phishing scam and/or shared your information to a suspicious third party, immediately run a virus and spyware scan on your devices, contact your financial institution using a trusted phone number, change your passwords, and consider putting a security freeze on your credit report.
- If you are your organization’s delegated administrator for an SMBC system, ensure that when employees leave or transfer to other roles, their user accounts are deleted from systems they no longer require access to. Physical tokens must not be reassigned to new users.
- If you are your organization’s delegated administrator for an SMBC system, you are required to review user entitlements on the system annually to ensure access is appropriate and current.
- Ensure that the operating system on your device is up to date.
- Download security patches and install updates promptly. Turn on automatic updates to keep devices up to date.
- Turn your computer off when you are not using it. If you are not connected to the Internet, you are less likely to be hacked or infected.
- Create a strong password. See below for password best practices.
Password Best Practices:
- Do not use the same password for multiple accounts.
- Use a unique combination of words, numbers, symbols, and upper- and lower-case letters.
- Avoid easily guessed passwords, such as “password,” “user,” birthdays, phone numbers, family members’ names, or pets’ names.
- Don’t store your passwords on your work device or write them down. If you must store them, ensure they are secure and encrypted.
- Regularly change your passwords (such as every three months). Change passwords promptly if you believe they have been compromised (e.g., you interacted with a suspicious message or a company with your information suffered a data breach).
- Always change default passwords.
Improve Your Online Safety:
- Access important banking sites by typing the URL into the browser’s address bar rather than clicking on hyperlinks, and review their privacy policies to learn how they will use your information.
- Only use trusted Wi-Fi networks or service providers and enable security protection (e.g., Wi-Fi Protected Access) where possible. If using public Wi-Fi networks, do not provide any sensitive personal details, such as account numbers or passwords.
- Only use your corporate-issued devices and email for SMBC Corporate Banking applications.