Top 10 Tips from @MontecitoBank’s @805startups Cyber-Security Event


We had a really great event with Montecito Bank & Trust last week.  You missed out if you weren’t there!  See the top 10 takeaways below.

  • Exploit kits (compromises occurring through infected websites) are by far the most common method used to deliver malware (ransomware, banking Trojans, etc.)
  • Ransomware is becoming the most common type of malware we see because it’s so easy to deliver and profit from. In addition, banking malware runs in the background on your machine, standing ready to collect your online banking credentials the next time you log in. This scheme, called “account takeover”, allows the thieves to log into your online banking account on your behalf and transfer your hard-earned money out of your accounts.  Consider the case of the California escrow firm, Efficient Escrow Group, which was hacked in December 2012 and January 2013. A banking Trojan allowed hackers to remotely issue wires totaling $1.5 million to Russia and China on 3 separate occasions.
  • Phishing can also be used to collect your credentials.  Emails or pop-ups might appear to be coming from legitimate banking institutions, or even VISA or MasterCard.  Instead of clicking on the links embedded within emails or in pop-up windows, locate the websites and phone numbers yourself off of prior correspondence or dealings and go directly to the source yourself.  Consider downloading Trusteer, a solution we have partnered with IBM on to offer our clients that will warn you of potential malware running on your computer, or risks inherent with sites you might be visiting.  Download the tool at or
  • Montecito Bank & Trust is also protecting our customers through its new .bank domain at  The .bank domain is only open to banks that are verified by their regulator. Because the .bank domain is verified and authenticated, phishing, spoofing, internet scams and malicious emails that target bank customers should be reduced.  In addition, the .bank extension incorporates the latest security requirements and best practices to ensure that you are landing on our actual website and not being misdirected to malicious ones. It also requires email authentication & verification to mitigate spoofing, phishing, and other malicious activities propagated through emails.
  • User awareness is critical, so be suspicious.  Stop and think before reacting to emails with links or requests like wire transfers, even if the email appears to be from someone you know.  Fraudsters deliberately create a sense of urgency. Consider signing up for public service announcements from the FBI to keep abreast of new internet crime scams at  More information about the types of scams being investigated by the FBI can be found here: .
  • Update your software regularly and use the vendor’s automatic software update features, especially for the tools used to connect to the internet (OS, browser, and plugins like Java, Flash and Acrobat).
  • If you run a website, update your platform regularly and consider hardening your CMS by restricting /admin or equivalent to trusted IP addresses only, and enable two-factor authentication on your registrar account and DNS provider.  If possible use a WAF like and enable rules specific to your platform (e.g. Joomla or WordPress). Filter websites, especially the unrated/uncategorized sites, if possible.
  • If you accept credit or debit cards as payment for your services, contact your bank for an EMV-compliant terminal.  You may also want to ask for a “contactless” terminal to enable you to accept other types of tokenized payment methods. Apple Pay, Samsung Pay, Android Pay, etc. are improvements in both convenience and security.  When you use them, your credit card information is never shared with the merchant. A “token” is a special code associated with your account number.  Tokenization technology is unique in that it replaces your account data with a unique number that is useless if stolen:
  • We are seeing another type of fraud on the rise, called “business email compromise” or “masquerading”.  This is a type of payment fraud that involves the compromise of legitimate e-mail accounts for the purpose of requesting an unauthorized wire transfer.  After an e-mail account is compromised, actors use the compromised account or a spoofed account to send wire transfer instructions. The funds are primarily sent to Asia, but funds have also been sent to other countries all over the world.   Visit to download our “Need to Know: CEO Wire Fraud” sheet now for additional tips on protecting your business against email fraud.
  • Finally, as tax season is now upon us, remain alert to IRS email or phone scams claiming you owe taxes.  Also watch for requests to add users to your QuickBooks accounts, even if the requests appear to be coming from your CPA or local banker.  Crooks could be masquerading as someone you know through a hacked email account to get access to your money or accounts.  Consider employing a two-factor authentication protocol for your company to verify requests for credentials or for transferring money.
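
For the website tip above (restricting /admin or equivalent to trusted IP addresses only), here is an added example that is not from the event or from Montecito Bank & Trust: a small Python WSGI middleware that enforces the restriction. The network ranges, the `AdminAllowlist` class and the helper names are assumptions made for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed values for illustration only: documentation-range addresses
# (RFC 5737), to be replaced with your own office or VPN networks.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.7/32")]
PROTECTED_PREFIX = "/admin"  # "or equivalent" for your CMS


def is_protected(path):
    """True if the path is under the protected prefix after normalisation."""
    # Decode percent-escapes, collapse "//", "." and "..", and ignore case,
    # so "/public/../ADMIN/" or "/%61dmin" cannot dodge the prefix check.
    # This errs on the side of blocking.
    clean = posixpath.normpath("/" + unquote(path).lstrip("/")).lower()
    return clean == PROTECTED_PREFIX or clean.startswith(PROTECTED_PREFIX + "/")


def client_allowed(remote_addr):
    """True if the peer address belongs to one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    # Dual-stack servers report IPv4 clients as ::ffff:a.b.c.d
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in TRUSTED_NETWORKS)


class AdminAllowlist:
    """WSGI middleware: 403 for protected paths unless the client is trusted."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer. X-Forwarded-For is client-supplied
        # and must not be trusted unless your own reverse proxy sets it.
        path = environ.get("PATH_INFO", "")
        peer = environ.get("REMOTE_ADDR", "")
        if is_protected(path) and not client_allowed(peer):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)
```

If the site sits behind a reverse proxy or CDN, REMOTE_ADDR will be the proxy's address, so the same allowlist belongs at the proxy instead.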