June 19, 2024

Pig Butchering: What It Is and How to Protect Yourself


In 2023, the Financial Crimes Enforcement Network (FinCEN)[1] issued a critical alert about a virtual currency investment scam known as "Pig Butchering." According to the most recent estimates, pig butchering schemes cost victims $3.3 billion in 2022, the most recent year for which data was available.

What is "Pig Butchering"?

Pig butchering is a type of online investment fraud where scammers create fake personas to trick victims into fraudulent investment schemes by building trust over time. Scammers use various tactics to deceive victims into parting with their money. They establish an emotional connection and gain the trust of their victim over the long term. Unlike other scams that involve smaller, frequent transactions, pig butchering typically aims for a large, single payday that can drain victims' life savings.

Characteristics of Pig Butchering

  1. Gaining trust: Scams often begin with casual conversations initiated by the scammer, who may pretend to have received the victim's contact details accidentally or through a mutual acquaintance. These initial interactions are designed to build trust and may involve the use of attractive profile images to lure victims.
  2. Introducing the investment: As trust is established, the scammer introduces the victim to a fraudulent investment scheme, promising significant returns in a short period. The scammers use persuasive tactics and counterfeit investment portfolios to convince victims of the scheme's legitimacy.
  3. Collecting money: After convincing the victim to invest, scammers collect funds, often through digital payment platforms or cryptocurrencies, to complicate tracking and tracing of the transactions.
  4. Disappearance of the scammer: Once a substantial amount has been collected, or when victims attempt to withdraw funds, scammers become unreachable, delete their online presence, or create new identities, leaving the victims with no way to recover their funds.

Investors need to be vigilant and conduct thorough due diligence before investing in cryptocurrency or any other investment scheme. Be wary of unsolicited investment offers and approach overly promising investment proposals skeptically. Review these actions to protect yourself:

  1. Be careful who you trust: Fraudsters do their best to create emotional connections with their victims. Think critically before letting your guard down with someone you just met. They use your social media information and anything they can get you to share to manipulate and take advantage of you.
  2. Beware of red flags: Never rush into any investment. Only use well-known and reliable trading platforms, including cryptocurrency exchanges.
  3. Don’t fall for FOMO: Fraudsters try to get victims to feel the Fear Of Missing Out (FOMO). Be very skeptical if a new acquaintance tries to get you to invest fast so you don’t miss an opportunity. That is often a trick to get you to give them money before your judgment kicks in.
  4. Trust your instincts: Think twice before investing - if it seems too good to be true, it probably is.
  5. Keep your information to yourself: Do not provide details about your financial positions or share sensitive information online or on unverified sites.
  6. Verify information: Validate that individuals you meet online are trustworthy through mutual friends or acquaintances. Verify investment opportunities by conducting independent research and seeking advice from trusted financial professionals to ensure legitimacy.

Be Cautious and Conduct Your Due Diligence

"Pig butchering" continues to pose a significant threat to investors. Don’t make rash financial decisions based on too-good-to-be-true promises from people you meet online. If you suspect you are involved in a cryptocurrency scam or fraudulent activity, immediately report it to authorities and your financial institution. Always be cautious and conduct due diligence when considering investment opportunities.

[1] FinCEN is a bureau of the U.S. Department of the Treasury. FinCEN’s mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.

February 26, 2024

Protecting your Business from Fraud with Positive Pay


Even though evolving payment options mean that fewer checks are being written, check fraud remains a threat to businesses. Positive Pay is one of the best fraud detection tools, and River City Bank offers two options: Check Positive Pay and ACH Positive Pay.

ACH Positive Pay. ACH Positive Pay is a security feature that prevents unauthorized electronic debits from posting to your accounts. Whenever there are debits from new or unrecognized sources, they are highlighted as exceptions for your review. You can either add these new companies to your list of authorized debtors or return the transactions within the Commercial Cash Management platform.

Check Positive Pay. Check Positive Pay matches the check number and dollar amount of each check presented for payment against an approved list of authorized checks issued by your company. Both components of the check must match exactly to be paid. If there isn't a match, the check is flagged as an exception and a list will be emailed for authorization before payment will be made. A payee match is automatically added to enhance your Check Positive Pay review process.
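The matching rules described above, written out as an added example (not River City Bank's implementation). The record layouts, payee normalization, duplicate-presentment check, originator IDs and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str


def _norm_payee(name):
    # Assumption: payee comparison ignores case, punctuation and extra spaces.
    cleaned = "".join(c if c.isalnum() else " " for c in name)
    return " ".join(cleaned.upper().split())


def review_checks(issued, presented):
    """Check Positive Pay: pay only items that match the issue file exactly.

    Returns (paid, exceptions); exceptions are (check, reason) pairs that
    would be sent to the account holder for a pay/return decision.
    """
    register = {c.number: c for c in issued}
    already_paid = set()
    paid, exceptions = [], []
    for item in presented:
        match = register.get(item.number)
        if match is None:
            reason = "check number not on issue file"
        elif item.number in already_paid:
            # Beyond the page: the same check presented a second time.
            reason = "check number already paid"
        elif item.amount != match.amount:
            reason = "amount differs from issue file"
        elif _norm_payee(item.payee) != _norm_payee(match.payee):
            reason = "payee differs from issue file"
        else:
            already_paid.add(item.number)
            paid.append(item)
            continue
        exceptions.append((item, reason))
    return paid, exceptions


def review_ach_debits(authorized_originators, debits):
    """ACH Positive Pay: flag debits from originators not on the approved list."""
    return [d for d in debits if d[0] not in authorized_originators]


# Constructed sample data.
ISSUED = [
    Check("1001", Decimal("250.00"), "Acme Supply, Inc."),
    Check("1002", Decimal("1200.50"), "Delta Freight LLC"),
    Check("1003", Decimal("75.00"), "City Water Dept"),
]
PRESENTED = [
    Check("1001", Decimal("250.00"), "ACME SUPPLY INC"),      # exact match
    Check("1002", Decimal("1900.50"), "Delta Freight LLC"),   # altered amount
    Check("1003", Decimal("75.00"), "J. Doe"),                # altered payee
    Check("1001", Decimal("250.00"), "Acme Supply, Inc."),    # presented twice
    Check("2044", Decimal("500.00"), "Unknown Vendor"),       # never issued
]
AUTHORIZED = {"ORIG-1111", "ORIG-2222"}  # hypothetical originator IDs
DEBITS = [
    ("ORIG-1111", Decimal("89.99")),
    ("ORIG-9999", Decimal("4300.00")),  # new, unrecognized source
]

if __name__ == "__main__":
    paid, exceptions = review_checks(ISSUED, PRESENTED)
    print("paid:", [c.number for c in paid])
    for item, reason in exceptions:
        print("exception:", item.number, item.amount, "-", reason)
    for originator, amount in review_ach_debits(AUTHORIZED, DEBITS):
        print("ACH exception:", originator, amount)
```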

At River City Bank, your account security is our priority. If you would like to learn more about Positive Pay, please contact our Cash Management Team at (916) 567-2660 or email at [email protected]

September 14, 2023

Bank CEO: Why Cyberattacks Keep Me Awake at Night

By Steve Fleming, President and CEO, River City Bank

Cybersecurity keeps me awake at night, and it should worry you as well. As the CEO of River City Bank, I know it’s not a question of whether we will be targeted by hackers. Cybercriminals are attacking all our businesses daily—at an increasing rate. As the bad guys get more sophisticated, businesses—both large and small—are vulnerable. Cybercriminals view large business as a big pot of gold for them to steal, and small or medium-size business as an easy target. McKinsey & Co. estimates that cyberattacks will cause $10.5 trillion a year in damages by 2025, a whopping 300% increase from 2015.

No one is immune to the risk. The news earlier this year that San Bernardino County paid a $1.1 million ransom to hackers who installed malware on the sheriff’s office computer systems is a wake-up call to everyone. The county had cyber insurance, which covered half the bill. It’s likely that many local businesses haven’t purchased such insurance, even though experts say it’s a best practice to guard against losses.

Closer to home, the news of the Oakland ransomware attack keeps getting worse, with non-public personal information from current and former employees now surfacing on the dark web. Ransomware, a major threat for businesses of all sizes, now accounts for 24% of data breaches, according to the Verizon 2023 Data Breach Investigations Report. In a ransomware attack, the criminals pierce security systems and install code or software that can shut down your business or hold it hostage until you pay up. To make matters worse, stolen information can be sold on the dark web—even after ransom is paid.

All it takes to find yourself in a big mess is someone at your company clicking on the wrong link or attachment in an email. Last year, sophisticated scammers lured five Sacramento County employees into handing over their official log-in information, a breach that exposed more than 2,000 sensitive health records. This was just one incident of phishing attacks last year as the tactic reached record levels, with more than 4.7 million attacks being recorded.

The Responsibility Is in Our Hands

At the end of the day, the buck starts and stops with the CEO. We’re the final risk manager, and regardless of whether we run a bank, construction company, law firm, farm, nonprofit charitable organization, or public agency, this is one of the biggest risks we face. Ignoring cyber risk is a critical error that will likely result in a painful and expensive outcome.

Let’s face it: We do our best to manage and control our businesses, but cybercriminals know they can penetrate our information security defenses through our vendors (particularly those in the software supply chain), our customers, and our employees when they let down their guard.

We need to think about what’s at stake. A cyberattack can cost us time, focus, and money, but it also can lead to lost customers, a damaged reputation, and even regulatory scrutiny. In its 2023 report, IBM estimated the average cost of a data breach at $4.45 million. In the U.S., it’s twice that. And the average time to identify and contain the breach was 277 days. Who has that time to spare?

No wonder this issue keeps me up at night—it represents a risk for the business that I run, but also a risk for all our clients.

At River City Bank we instill a business culture that teaches our staff to be hypervigilant about cybersecurity, while recognizing that mistakes can, and will, happen. In fact, the Verizon report found that 19% of data breaches were due to “internal actors,” meaning our own people or contractors, either intentionally or through error.

If your business does not conduct regular cyber training for your staff, you’re putting your company in danger. Educated workers are less likely to click on a suspicious link or use a password that is easy to hack, and, thus, mistakenly put your life’s work in someone else’s hands.

Every business, no matter the size, needs to understand cybersecurity best practices and use them to minimize losses if an attack happens. Have a business continuity plan in place, and make sure your critical data is backed up and encrypted. Build defensible space throughout your IT network to limit the damage from malware that has taken advantage of a vulnerability in your network. These suggestions, as well as other ways to safeguard your company, are why we developed this cybersecurity overview for our customers.

Last, when all else fails, don’t forget about the benefits of cyber-risk insurance coverage. The cost of this insurance is rising due to the success of the cybercriminals. But ask yourself if you can afford a massive loss from a cyberattack.

Since September ’08, Steve Fleming has been President & Chief Executive Officer of River City Bank, the largest and most profitable bank based in Sacramento. With over 40 years of banking experience, immediately before joining River City Bank, he was the Founder and CEO of Presidio Bank in San Francisco. Steve also worked for over 20 years at Bank of America in a variety of progressively more senior roles, including as Head of Credit Administration for its Europe, Middle East, and Africa division.

September 6, 2023

Avoiding a Cyber-Attack

Cyber-attacks are a growing and significant concern for small and medium-sized businesses (SMBs). Despite the common misconception that hackers only target behemoths, SMBs make increasingly attractive prey. In fact, certain types of attacks, like phishing, are much more commonly aimed at SMBs. It is critical to both (1) institute best practices to minimize the chance of experiencing a cyber-incident, and (2) take measures now to minimize the potential damage in the event a cyber-incident does occur.

“Fifty percent of SMBs have been the victims of a cyber-attack and over 60% of those attacked go out of business.”

Dr. Jane LeClair
Chief Operating Officer, National Cybersecurity Institute

Avoiding a Cyber-Attack

Cyber-attacks are a permanent and persistent threat to your organization, and there is no way to entirely remove that risk. However, by implementing cybersecurity controls, you can minimize the probability of a successful cyber-attack.

  • Keep your software, applications, web browsers, and operating systems up-to-date. Set updates to occur automatically. Do not use software that is no longer supported by the vendor.
  • Know where your important data is located. Secure your physical and electronic files. Ensure important files and systems are encrypted and regularly backed up. Perform periodic backup data recovery tests.
  • Require strong passwords, or passphrases which are longer and more complex than passwords, on all your applications and devices. Use a password manager to securely store all passwords.
  • Have formal policies and procedures for safeguarding data and systems.
  • Use Multi-Factor Authentication (MFA) wherever possible. MFA reduces risks associated with compromised passwords.
  • Enforce strong security standards before employees or vendors connect to your network.
  • Create a culture of security. Conduct employee information security awareness training consistently. Training should include common attacks and tactics used by cyber-criminals (such as social engineering, phishing, etc.). Refer to the FTC factsheets on Phishing, Ransomware, Business Email Imposters, and Tech Support Scams for additional information on training topics.
  • Know your vendors. Your vendors are ultimately your responsibility, and software supply chain risk is often an overlooked area of cyber risk. Review your software vendor contracts to understand what the vendor will be responsible for in the event that your business is affected by a cyber-incident, such as a supply chain attack. This also includes confirming your vendor’s own processes for overseeing subcontractors and managing risks. In addition, periodically conduct risk assessments for third-party relationships.

37% of companies hit by ransomware had fewer than 100 employees.

Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.

In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.

80% of all hacking incidents involve compromised credentials or passwords.

95% of cybersecurity incidents at SMBs cost between $826 and $653,587.

Limit the Damage of a Cyber-Attack

It is not a matter of if you will experience a cyber-incident, but when. Even with best practices to minimize the probability of a cyber-incident occurring, the risks are increasing and are difficult to avoid. It is important to take steps now to prepare and minimize the potential impact of a cyber-incident.

  • Defensible Space. Implement layered defenses to increase prevention, detection, and response capabilities. Consider building a “Zero Trust” security framework that requires all users to be authenticated and authorized before access to any applications/data is granted.
  • Cyber Insurance. Cyber insurance is one option that can minimize incurred costs in the event of a cyber incident. Review your cyber insurance to understand the policy coverage. Refer to the FTC Cyber Insurance factsheet for additional information on cyber insurance.
  • Business Continuity Plan/Disaster Recovery (BCP/DR). Have a plan, and test it. Having a BCP/DR process in place prior to a cyber incident is crucial for a successful and expeditious recovery. Consider having incident response services (e.g. law firm, forensic specialist, ransomware negotiator, etc.) on retainer in the event of a cyber incident. Refer to the FCC Cybersecurity Planner and FTC Data Breach Response documents for additional information on BCP/DR preparation.

The FTC offers factsheets which provide additional information on the topics reviewed.

  • FTC Vendor Security factsheet has additional information on vendor security.
  • FTC Cybersecurity Basics factsheet and the FCC Cybersecurity Planner offer additional information on cybersecurity controls.
  • FCC Cybersecurity Planner and FTC Data Breach Response documents provide information for Business Continuity and Disaster Recovery preparation.
  • FTC Cyber Insurance factsheet has more details on cyber insurance.

Links to these factsheets can be found below:

June 29, 2023

How to Protect Yourself from Automated Clearing House (ACH) Fraud


ACH fraud occurs when unauthorized transactions are electronically posted to your account. It is on an exponential rise and starts with just two things: Your business checking account number and a routing number. These two pieces of information are all cybercriminals need to attempt a fraudulent ACH transaction.

According to the Association for Financial Professionals’ (AFP) latest Payments Fraud and Control Survey Report, fraud perpetrators are targeting ACH payment methods more frequently than check and wire transfers. As ACH transactions are typically considered safer and more difficult to compromise, the increased focus on ACH transactions suggests that fraudsters are acquiring more sophisticated techniques when targeting organizations.

Fortunately, there are steps you can take to guard against ACH fraud:

  1. Monitoring your bank account regularly for unauthorized transactions is one of the best ways to notice potential ACH fraud. Set up account alerts to immediately notify you of any suspicious activity. If you see a fraudulent transaction, report it to your Bank immediately.
  2. Use ACH Positive Pay. For businesses, this is a service allowing users to review unexpected incoming debits before they’re cleared to post in the bank account.
  3. Use a secure payment gateway. A secure payment gateway is one of the best ways to prevent ACH fraud. It will encrypt your account information and protect it from unauthorized access.
  4. Install anti-virus and malware software and keep it up to date. Staying safe online is an ongoing effort, and one of the simplest yet most effective ways to do so is to remain vigilant and keep your devices updated with the latest software. These software updates frequently come with software patches that fix security gaps and prevent a potential hacking effort across multiple logged-in devices. These patches keep one’s device secure and protect it from software holes that give hackers easy access to multiple devices and the data stored within them.
  5. Be smart when creating passwords. Using secure passwords and PINs to secure your devices is one of the most essential steps taken while using multiple devices. It goes without saying that one must always use different passwords for different devices. Use strong passwords that can’t easily be guessed or decoded using brute force. Only store credentials in official password managers to keep everything secure.
  6. Make sure websites are secure. A secure URL should begin with “https” rather than “http.” The “s” in “https” stands for secure, which indicates that the site is using a Secure Sockets Layer (SSL) Certificate. This lets you know that all your communication and data are encrypted as it passes from your browser to the website’s server; however, this doesn’t mean that you are connecting to the correct website. Double check the URL to ensure you are going to the correct and intended website.
  7. Keep your firewall turned on. A firewall helps protect your computer from hackers who might try to access your system to steal your information. Always keep your firewall turned on and up-to-date.
  8. Stay Educated. Stay Protected. Being vigilant is crucial to being more digitally secure. The best way to do this is to stay updated with the latest developments and be aware of the tactics implemented by those looking to compromise multiple systems. This can also help one spot potential risks and mitigate them before the need arises.
  9. Verify payment requests. If you receive a payment request, make sure to verify the request before sending any money. Verify the requestor’s identity and ensure you understand the payment’s purpose. If you have any doubts, contact the requestor using a known and verified contact.
  10. Don’t click on links or open attachments in suspicious emails. If you receive an email from a sender you don’t know, or if the email looks suspicious, don’t click on any links or open any attachments. They can be malicious and lead you to a website that will steal your information or compromise your device.
  11. Refrain from trusting a sense of urgency. Scammers often try to create a sense of urgency to get you to act quickly. Don’t let yourself be pressured into making a decision; take the time to verify any payment requests.

When it comes to preventing ACH fraud, it takes a village. We can only win this battle by implementing various layers of internal controls throughout the funds transfer process. If you believe you or your business is a victim of ACH fraud, contact us immediately to halt additional fraudulent transactions. Also, consider reporting the incident to law enforcement, which helps your business and others avoid similar fraud attempts.

Should you have any questions regarding your personal or financial information at the Bank, please do not hesitate to contact a Customer Service Representative at (916) 567-2899 or (800) 564-7144 or by email at [email protected].

November 28, 2022

Protect Yourself from Wire Fraud

Wire Fraud is on the rise, but it is preventable. Whether you’re managing business or personal accounts, verification is key to making sure the right person is receiving your money.

Before you initiate a transaction, ask yourself these questions:

  • Is this an entity or person you normally make payments to via wire?
  • Are the payment instructions different than in the past?
  • Have you spoken directly with your payee regarding the change/request? It’s the best way to ensure the change/payment request is valid.

Creating and following a wire verification process is essential to protecting yourself and your business. Do not take shortcuts and fall victim to fraudsters. You can outsmart them by carefully reviewing wire requests and following the process.

Customers cumulatively lost almost $200,000 this month alone by not following a wire fraud verification process. In all cases, the customers did not call back the beneficiary with the phone number on file to verify the wire transaction.

 

We’re all in this together to prevent electronic transaction fraud. We can only win this battle by implementing various layers of internal controls throughout the funds transfer process. If you believe you or your business is a victim of wire or ACH fraud, contact us immediately to halt additional fraudulent transactions. Also, consider reporting the incident to law enforcement, which helps your business and others avoid similar fraud attempts.

Should you have any questions regarding your personal or financial information at the Bank, please do not hesitate to contact a Customer Service Representative at (916) 567-2899 or (800) 564-7144 or by email at [email protected].

March 31, 2022

LinkedIn phishing scams increase 232% since February

Phishing attacks impersonating emails from LinkedIn have grown 232% since the start of February. The increase is likely related to more people looking for jobs, switching companies, or recruiting for open positions, thus making people more likely to click on emails from LinkedIn.

We have all received emails from LinkedIn saying things such as “You appeared in 4 searches this week,” “You have 1 new message,” and “Your profile matches this job.” Cybercriminals use email addresses with a LinkedIn display name to send fake emails with the same subject lines. In addition, the emails are branded with the LinkedIn logo, brand colors, and icons. To make the phishing attack more convincing, criminals use other well-known organizations’ names, including American Express and CVS.

The branded email templates lure victims to click on phishing links and enter their credentials into fraudulent websites. The hope is the credentials can be used for other websites that contain sensitive information.

What can you do to protect yourself?

  • Go directly to the LinkedIn website – To check messages and get updates, type in the full LinkedIn URL in your internet browser.
  • Slow down and review links – Hover over links to verify they direct you to the correct website.
  • Turn on two-step verification – Review your LinkedIn profile Settings & Privacy page. Turn on the two-step login verification system.
  • Report suspicious messages – LinkedIn encourages members to report suspicious messages to their help center. This helps their team identify scams and better secure the platform.

For more information on cyber security and protecting your personal and financial information, visit our Safety and Security page.

December 20, 2021

New TSA PreCheck Scam Seeks to Collect Your Personal and Credit Card Details

By Stu Sjouwerman, Founder and CEO | KnowBe4.

Doing one of the best jobs impersonating a website ever seen, this new scam attempts to take those renewing or initially signing up through a believable process that most would fall for.

Most of the time, impersonation scams take you to a “website” that’s no more than a single web page designed to look like the logon page of the impersonated brand. But a new scam centered around registering for or renewing with TSA PreCheck takes the impersonation website to an entirely new level.

According to security researchers at Abnormal Security, this new scam starts out as wonky as most phishing scams with an email that doesn’t quite feel like it’s really from the TSA. But where it gets interesting is when potential victims click the link and are taken to a pretty believable TSA registration site.

According to Abnormal Security, the scammer went through the trouble of not just collecting the salient personal details they can misuse later, but went as far as to ask nearly all the same questions found in the actual application. And unlike most scams, which attempt to take your credit card by soliciting payment up front, this scam takes “payment” when it normally would – at the end of the process.

This scam is one of the reasons KnowBe4 exists – to educate users through effective Security Awareness Training so they won’t be fooled by these kinds of scams. The sender email address and email copy are dead giveaways – something well-trained users will spot a mile away, avoiding the scam altogether.

To view more security articles, visit KnowBe4’s Security Awareness Training blog at https://blog.knowbe4.com/.

September 29, 2021

Security Alert – Phishing URLs

Unfortunately, phishing scams are not going away. Business email compromise, smishing or text scams, and ransomware scams are still prevalent. However, the use of Phishing URLs has seen a sharp increase over the past year. Reported cases in April 2021 nearly tripled those of April 2020, from 28,000 cases to over 63,000 cases.

Phishing URLs affect both businesses and consumers. This type of scam can generally be attributed to the increase in remote workers and the heavy use of convenient online services such as banking, shopping, and bill pay.

What is a Phishing URL?

A Phishing URL is a website domain or URL that appears to be the official website but has a slight variation. At a glance, the website address seems to be legitimate; however, it takes you to a different website. The scam website can mirror the legitimate website’s homepage, making this type of scam tricky for consumers and highly effective for criminals.

Examples of Phishing URLs:

  • Legitimate website URL: www.rivercitybank.com
  • Phishing URLs: www.river-citybank.com; www.rivercitybanking.com; www.river-city-bank.com
  • Legitimate URL: www.irs.gov
  • Phishing URLs: www.irs.org; www.irs.com; www.internalrevservice.gov
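A defender-side check for the variations listed above, as an added example (not code from River City Bank). It compares a URL against an allow-list and names the kind of variation it finds; the one-character typo check goes beyond the page's examples, and treating the last two labels as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Allow-list built from the legitimate URLs given in the article.
TRUSTED = {"rivercitybank.com", "irs.gov"}


def _host(url):
    # Accept bare hosts ("www.irs.org") as well as full URLs.
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED):
    """Return (verdict, trusted_domain_it_resembles_or_None)."""
    host = _host(url)
    if not host:
        return ("invalid", None)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    # Assumption: registered domain = last two labels (no public-suffix list).
    name, tld = labels[-2], labels[-1]
    squeezed = name.replace("-", "")
    for good in sorted(trusted):
        good_name, good_tld = good.rsplit(".", 1)
        if name == good_name and tld != good_tld:
            return ("different-tld", good)       # irs.org vs irs.gov
        if name != good_name and squeezed == good_name:
            return ("hyphenated", good)          # river-citybank.com
        # Short names such as "irs" are skipped below: "irs" occurs inside
        # unrelated words like "first", which would cause false alarms.
        if len(good_name) >= 5 and good_name in squeezed:
            return ("embedded-name", good)       # rivercitybanking.com
        if len(good_name) >= 6 and edit_distance(name, good_name) <= 1:
            return ("typo", good)                # extension beyond the page
    # Not on the allow-list and not similar to anything on it.
    return ("unknown", None)


if __name__ == "__main__":
    samples = [
        "https://www.rivercitybank.com/login",  # constructed path
        "www.river-citybank.com",
        "www.rivercitybanking.com",
        "www.river-city-bank.com",
        "www.irs.org",
        "www.irs.com",
        "www.internalrevservice.gov",
        "www.rivercitybamk.com",                # constructed typo sample
    ]
    for s in samples:
        print(f"{s:40} {check_url(s)}")
```

Only the "trusted" verdict means the address is verified. www.internalrevservice.gov comes back "unknown" because it shares no characters with the real name, which is why an allow-list or bookmark is a stronger control than similarity matching alone.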

 

How Can You Avoid Phishing URLs?

  • Confirm the URL: Double and triple-check the website address before entering any credentials or clicking on links within the website.
  • Bookmark Frequently Used Sites: Use your browser’s bookmark or favorites function to save frequently visited sites instead of conducting a web search each time. The bookmark will save the legitimate site, thus mitigating the risk of clicking on a Phishing URL.

For more information on cybersecurity, visit the River City Bank Safety and Security page.

December 23, 2020

Holiday Season Phone and Email Scams

The busy holiday season is here, and while this season may look different due to the pandemic, online shopping is at an all-time high. The increase in online shopping means cyber criminals are busier than ever.

There is a popular scam making its way across the country right now where scammers, purportedly from Amazon or Apple, call or email people conning them out of money or their banking credentials. Below are common variations of this scam and ways you can avoid being a victim.

Phone Scam Variations

Email Scam