
The Best Offense is a Good Defense

The SHIELD

A Security Newsletter for Business

In this issue:

• Accept or Reject? What a certificate alert means and how to respond.

• Strength in Numbers: Public and private sectors join forces to defend against cyberthreats.

• Heightened Fraudulent Activity Alert

Winter/Spring 2015


This newsletter outlines certain practices that businesses should consider to reduce the likelihood of loss related to site certification issues and other online security issues. The content does not purport to identify all existing related issues or all fraud mitigation measures that your business should consider implementing. There is no way to guarantee that any set of protective measures will eliminate loss caused by online fraud and identity theft. U.S. Bank is not responsible for losses caused by site certification issues and other online security issues.

Want to learn more about best practices you can implement for a good defense? Contact your U.S. Bank representative or check usbank.com/security.

What can a company do in the face of new and ever-changing IT threats? One of the easiest approaches is to follow recommended best practices to create multiple layers of cyberdefense. One best practice that is often ignored is to stay aware of SSL (certificate) warnings when visiting websites. For example, when your Internet Explorer browser presents this warning for a perceived certificate issue: “There is a problem with this website’s security certificate,” what should you do and why?

Another good defense is the collaboration underway between financial leaders, federal government and state governments as they work to secure our online technology against threats.

In this issue, learn more about site certifications, plus new developments to strengthen online security.

The Best Offense is a Good Defense

The Shield newsletter is for...

• Business professionals and leaders with responsibility for business account management, including payroll, wire transfer and/or ACH services.

• Business owners without IT support, or businesses that do not have Information Security and/or business account management policies or processes in place.

• Clients of U.S. Bank and other financial institutions. Information shared in this newsletter is not intended to supersede your existing IT, account management and/or security processes, systems or policies in your workplace, or those of your current FI. Please consult your IT support and your Financial Institution providers for more assistance.


Strength in Numbers

Public and private sectors join forces to defend against cyberthreats

Faced with a deluge of cybersecurity concerns, private companies concerned about liability or competitive advantage are sometimes reluctant to share information with other businesses and with government. That hesitation and reluctance can hinder government and business efforts to defend and protect U.S. business interests. This perspective is slowly changing. For example, banks who experienced DDoS attacks two years ago shared their knowledge with the security teams of other banks to help them avoid becoming the next victim.

U.S. Bancorp leaders collaborate to strengthen technology support

U.S. Bancorp CEO Richard Davis and Chief Information Security Officer Jason Witty have teamed up with financial leaders and government officials to create innovative and new solutions to cyberthreats. The first is Soltra Edge, a technology that collects huge amounts of cyberthreat intelligence from multiple sources and enables companies across the world to quickly and cost-effectively share and use the information to defend against cyberattacks.

Additionally, U.S. Bancorp has championed a new “.bank” Internet domain with enhanced security controls, scheduled to launch in 2015. Only verified banks can register .bank addresses and will be required to adhere to strict standards. Consumers who do financial transactions on a .bank site will have additional assurance their data is being protected.

Federal guideline lays tracks for secure infrastructure

In February 2013, President Obama issued an Executive Order for the U.S. government to improve cybersecurity in the nation’s “critical infrastructure,” including the transportation, energy and finance sectors, and to “increase the volume, timeliness and quality of cyberthreat information shared with U.S. private sector entities.”

Through collaboration between government and private cybersecurity experts, in February 2014, the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework. This document outlines voluntary cybersecurity guidelines for public and private organizations as part of the critical infrastructure. Experts from U.S. Bancorp participated in the development of this Framework.

Further commentary from the White House in early 2015 has renewed the push for legislative efforts and further collaboration among the public and private sectors. U.S. Bancorp will stay atop these legislative developments in our continued efforts to safeguard our clients and the financial sector as a whole.

We all gain advantage

As government and private industry are learning, everyone wins when we join forces to strengthen cybersecurity and defend ourselves and our clients.


Accept or Reject?

What a certificate alert means and how to respond

What is a site certificate?

Websites that use secure transmission, such as U.S. Bank SinglePoint®, must request certification from a recognized authority, such as Entrust or Verisign.* These authorities validate the identity of the server owner and organization and issue a digital site certificate. The certificate is stored within the website to verify its identity.

How to spot a secure site

When you navigate to a secure website, your browser (such as Google Chrome, Mozilla Firefox or Internet Explorer) checks the website’s certificate to verify that:

• The website address matches the address on the certificate.

• The certificate is signed by a trusted certificate authority.

• The URL starts with “https:” instead of “http:” (for example: https://www.usbank.com).

• A closed padlock image, depending on the browser, will appear either in the status bar at the bottom of the page or to the right of the address field.

What happens if it is not valid?

You’ll get an SSL (certificate) error message if the browser finds one of these problems:

• The website name doesn’t match the name registered to the certificate.

• The certificate wasn’t signed by a trusted certificate authority.

• The certificate is expired, compromised or superseded by a newer certificate.

You will be prompted to choose: “Do you want to accept the certificate and continue using the site, or reject the certificate and leave the site.” You can also accept the certificate for just this one visit or for all future visits.

What should you do?

• Close your browser.

• Do not enter any personal information on that website!

The risk is that the certificate has been compromised by an individual wishing to intercept your secure traffic. If you ever encounter a certificate issue on a U.S. Bank site, please contact your designated customer service team.

U.S. Bancorp has over 6,000 certificates for websites and applications that leverage secure transmission.
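The three alert conditions above, applied in code: this is an added example, not U.S. Bank's code, that runs the checks a browser performs over a certificate in the dictionary shape Python's ssl.getpeercert() returns. The certificates, the trust store and the revocation set are constructed; the wildcard rule is an assumption, and a revoked serial stands in for the newsletter's "compromised or superseded" case.

```python
import ssl
import time
# Constructed stand-ins for the browser's trust store and its revocation list.
TRUSTED_ISSUERS = {"Example Public CA"}
REVOKED_SERIALS = {"00DEADBEEF"}   # serials known compromised or superseded

def _name_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole leftmost label, one label deep."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]

def cert_names(cert):
    """Names the certificate claims: SAN dNSName entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_certificate(cert, hostname, now=None):
    """Return the problems a browser would warn about; an empty list means no alert."""
    now = time.time() if now is None else now
    problems = []
    if not any(_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("name mismatch")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("commonName") not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])):
        problems.append("expired or not yet valid")
    if cert.get("serialNumber") in REVOKED_SERIALS:
        problems.append("revoked")
    return problems

# Constructed sample certificates in the shape ssl.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("organizationName", "Example Bank N.A."),), (("commonName", "www.example-bank.test"),)),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "*.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2015 GMT", "notAfter": "Dec 31 23:59:59 2016 GMT",
    "serialNumber": "0A1B2C",
}
STALE_CERT = {  # self-signed and expired, with no SAN extension
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("commonName", "www.example-bank.test"),),),
    "notBefore": "Jan  1 00:00:00 2013 GMT", "notAfter": "Jan  1 00:00:00 2015 GMT",
    "serialNumber": "01",
}
NOW_2015 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2015 GMT")  # fixed clock for repeatable results
```

check_certificate(GOOD_CERT, "online.example-bank.test", NOW_2015) returns an empty list, while the same certificate presented for the bare "example-bank.test" reports a name mismatch, because a wildcard covers exactly one label.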


Heightened Fraudulent Activity Alert

On January 22, 2015, the FBI released a Public Service Announcement regarding fraudulent wire transfer schemes. We encourage our clients to review this alert from the FBI and continue to be aware of this evolving threat.

Over the past several months, the financial services industry has seen a growth in social engineering activities targeting businesses’ use of wire and ACH funds transfers. These fraud attempts have originated from increased foreign and domestic social engineering focused more on deceiving businesses’ employees and internal financial processes, rather than attacking the underlying financial technologies. Here are some details regarding recent schemes, and a few tips for avoiding a potentially significant adverse financial impact.

How does this social engineering work?

These attacks use techniques that convince organizations to unintentionally move money to accounts controlled by cyberthieves. In many of these cases, a delay in discovering and reacting to the crime may serve to reduce or eliminate the chance of stopping the transaction or being able to recall the funds.

Recalling funds after a fraudulent transaction

In the event of a fraudulent transaction, a successful recall of unauthorized funds is never guaranteed. Foreign banking laws and policies can impede or prohibit the refund of unauthorized funds. Your organization will be responsible for the lost funds, resulting in a potentially material loss.

DID YOU KNOW?

E-Payment Service Upgrade

U.S. Bank will be upgrading the U.S. Bank E-Payment Service infrastructure during first quarter 2015 to further increase security against cyberattacks by supporting new Secure Hash Algorithm (SHA) certificates. All of the major web browsers are in the process of converting from SHA-1 certificates that are currently in place to the more secure SHA-2 certificates. U.S. Bank’s scheduled upgrades are consistent with the industry standards which have evolved, necessitating the support of SHA-2 certificates. Additional communication regarding this topic will also be sent from our E-Payment Service team. If you have any questions, please contact your U.S. Bank Commercial Customer Service Team.

Link to FBI IC3 Public Service Announcement, 22 Jan 2015

Additional reading

• Targeted Wire Transfer Scam Aims at Corporate Execs

• Corporate Executives Targeted in New Email Scam


Executive email spoofs - be wary of this fraud technique

1. The scheme starts by gathering information about a company’s organizational structure and leadership through social media (Facebook, LinkedIn), Google searches or other publicly available documentation.

2. The fraudster identifies key leaders who may request a payment to a third party (for example, C suite, high-level executive) and spoofs an email or call (or both) from the leader to financial staff with an urgent tone.

a. A variant to this attack may request a change in account information from someone posing as a key vendor receiving payment. This is especially prevalent for vendors operating out of a foreign country.

b. The email domain of the sender of the fraudulent email may be extremely close to that of the actual company (i.e., using an “n” instead of an “m”).

3. Based on the urgency of the email (or phone call), the financial staff may quickly complete a wire (or ACH) transfer without contacting the original requestor to confirm the payment details ensuring validation of the request. Any secondary approvers may also be informed that it was an urgent request and will likely approve without verification.

4. The funds are received by an intermediary (often a money mule) who sends the money directly to the fraudster or may be directly received by the fraudster, typically, if a foreign wire.

What can you do to help protect your organization?

• Trust, but verify - Consider enhancing your operational money movement controls to verify the source of any email or phone-based request via an alternate communication method. For example, if a request is received from the CFO via email, use the company directory phone number (not the one in the email) to call and confirm the transfer details. Apply further scrutiny if the funding account is new and has not been used in past transactions.

• Create awareness - Inform your financial staff of these scams and ensure they understand operational protocol.

• Use email blocking - Work with IT staff to assess the viability of filtering or blocking messages of this nature.

• Communicate quickly - Inform your U.S. Bank relationship manager and your IT security staff immediately when these events occur. It may also be appropriate to contact U.S. law enforcement agencies as well as law enforcement agencies with jurisdiction over the recipient account’s bank.

• Implement dual control - If you haven’t already, contact us to update your U.S. Bank SinglePoint® security settings to enforce dual control for ACH and wire transactions. This will ensure two separate individuals are required to approve each transaction request. Dual control also helps mitigate the risk of fraudulent transactions due to malware account takeover.

• Protect workstations - Aside from social engineering attacks, threats also continue to come from malware inadvertently installed on workstations. U.S. Bank recommends installing IBM® Security Trusteer Rapport™ to protect against financial malware fraud. This tool is being provided at no cost to U.S. Bank SinglePoint clients. Click here for details.
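An added example, not U.S. Bank's code, of the "use email blocking" control above: a screen over inbound payment-request mail that flags the tells the scheme description gives, a sender domain one character away from the company's own (including look-alike pairs such as "rn" for "m"), an urgent tone, and the vendor account-change variant. The company domain, keyword lists and the three messages are constructed and the patterns are assumptions; a flagged message is meant to be held for out-of-band confirmation, not silently dropped.

```python
import re
COMPANY_DOMAINS = {"example-corp.test"}   # constructed: the company's real mail domain
# Character pairs that read alike in many fonts, so "rn" passes as "m" and "1" as "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]
URGENT = re.compile(r"\b(urgent\w*|immediately|today|asap|right away)\b", re.I)
ACCOUNT_CHANGE = re.compile(r"\b(chang\w*|updat\w*|new)\b[^.]{0,40}\b(bank|account|remittance|routing|wiring)\b", re.I)

def normalise(domain):
    """Fold look-alike character pairs so visually identical domains compare equal."""
    domain = domain.lower()
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain

def edit_distance(a, b):
    """Levenshtein distance: a domain one edit away from ours is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of a From: header, with or without angle brackets."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else ""

def screen(message):
    """Return the reasons to hold a message for out-of-band verification (empty = none)."""
    reasons = []
    dom = sender_domain(message["from"])
    if dom and dom not in COMPANY_DOMAINS:
        if any(edit_distance(normalise(dom), normalise(ours)) <= 1 for ours in COMPANY_DOMAINS):
            reasons.append("lookalike sender domain")
    text = message["subject"] + " " + message["body"]
    if URGENT.search(text):
        reasons.append("urgent tone")
    if ACCOUNT_CHANGE.search(text):
        reasons.append("request to change payment account")
    return reasons

# Constructed samples: a spoofed executive request, a routine internal note, a vendor changing remittance details.
SAMPLES = [
    {"from": "Pat Lee, CEO <pat.lee@exanple-corp.test>", "subject": "Urgent wire request", "body": "I need $48,500 wired today to a new vendor. Handle this immediately and keep it confidential."},
    {"from": "cfo@example-corp.test", "subject": "Q1 budget review", "body": "Attached is the budget deck for Thursday's meeting."},
    {"from": "billing@vendor-supply.test", "subject": "Remittance update", "body": "We have changed our bank account; please update the remittance details before the next payment."},
]
```

Running screen() over SAMPLES flags the first message for both a lookalike domain and urgent tone, passes the second, and holds the third only for the account-change request, which is the case the "trust, but verify" bullet says to confirm by a known phone number.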

*Entrust Inc., owned by Entrust Datacard, www.entrust.com; Verisign, Inc., owned by Symantec, www.verisigninc.com

U.S. Bank SinglePoint is a registered trademark of U.S. Bank National Association.

©2015 U.S. Bank. Member FDIC. usbank.com.