This topic explains the following types of online fraud:
“Phishing” (pronounced “fishing”) is when criminals use email to try to lure you to fake websites, where you are asked to disclose confidential, financial, or personal information like passwords, account numbers, or transaction information.
The most common type of phishing is an email threatening some dire consequence if you do not immediately log in and take action.
You should never respond or reply to email that:
Requires you to enter organizational or personal information directly into the email or submit that information some other way
Threatens to close or suspend your account if you do not take immediate action by providing specific information about you or your company
Solicits your participation in a survey where you are asked to enter personal information
States that your account has been compromised or that there has been third-party activity on your account and requests you to enter or confirm your account information
States that there are unauthorized transactions on your account(s) and requests your account information
Asks you to enter your User ID, password, or account numbers into an email or non-secure website
Asks you to confirm, verify, or refresh your account information
Directs you to a screen that asks you to provide additional data beyond your normal login information
Asks you to validate account information for banking systems you do not use
Phishing scams can have a phone connection. First, it was “phishing,” where criminals send email by the thousands in hopes of tricking unsuspecting users into sharing confidential information.
Now, there is “vishing.” In this latest twist, fraudsters use a telephone number in the phishing email instead. If you call, a person or an automated response system will ask for your personal or account information.
When you call J.P. Morgan, only call the phone numbers we have provided directly to you during your program implementation.
REMINDER: J.P. Morgan will never ask you for your password.
Hijacking is a type of network security attack in which the attacker takes control of a communication between two entities, just as an airplane hijacker takes control of a flight, and masquerades as one of them. Hijack attacks may be used simply to gain access to information, or the attacker may pose as that user and do anything the user is authorized to do on the network (e.g., move money).
If you are not able to successfully access PaymentNet during normal business hours and you receive one of the responses below, you should immediately contact your program administrator and then call your J.P. Morgan Customer Service representative or Client Application Support:
A message that the system is down for maintenance (especially during normal business hours) that is not consistent with the pre-advised extended outage Alerts
A blank screen instead of the PaymentNet home screen
The PaymentNet home screen does not look normal (options are missing)
The PaymentNet Log In screen appears repeatedly and requests that you log in again
Recent developments in the area of cyber security point to a sharp increase in the number and complexity of online security attacks. These attacks are of particular concern because they can target users of financial applications at large banking institutions such as J.P. Morgan.
One of the most common of these attacks injects malicious software, known as “malware,” onto a user’s machine. The malware is then able to “enslave” the machine as part of a network of “robot” computers. A network of robot computers is referred to as a “botnet.”
The use of malware distributed via botnet allows fraudsters to override existing security methods as well as harvest highly sensitive data and security credentials and possibly perform fraudulent transactions.
Malware or a botnet can:
Record all keystrokes entered via the user’s keyboard, including all passwords, User IDs, account numbers, Social Security Numbers, and so forth. This is called keystroke logging and is a common feature of malware exploits.
Forward this confidential information back to a central fraud database for use immediately or at a later time, or to be sold to another fraudster for a profit.
Allow a fraudster to take direct control of a user’s machine and all of the applications without presenting security credentials to gain access.
Enslave the user’s machine within the botnet, allowing the fraudster to launch subsequent security attacks from the machine, which helps the fraudster avoid detection by law enforcement.
The best way to avoid falling victim to malware attacks is to practice good computer hygiene by following the recommended security best practices for PaymentNet users described here.