Security Centre

Cyber crime is a growing threat to corporations and consumers. As we increasingly adopt digital technology to run our businesses and lives, it is predicted that it will cost the global economy in excess of USD 10.5 Trillion annually by 2025.
We all need to be aware of cyber risks, understand the motivations of cyber criminals and take the necessary measures to safeguard our systems and defences together.

Top ten tips

1. Be mindful of phishing. Never open unsolicited emails, or links they contain, even if they are purportedly from your bank or a trusted organisation.
2. Is it real? Always check that the email is authentic even if the message looks credible.
3. Don’t share your credentials. Never disclose your Straight2Bank Log-In / authentication credentials, including One-Time Passcodes.
4. Is it the right time and place to do your banking? Never conduct financial transactions, such as accessing your online banking, while you are connected to unsecured Wi-Fi in public places such as cafes and airports.
5. Does everyone need to see it? Always be careful with what you post on social media including work-related information involving suppliers or clients. It can be used by fraudsters to build a convincing scam to trick you.
6. Keep your devices protected. Install Antivirus or Antimalware software and ensure this is continuously updated to the latest version.
7. Plan to scan. Enable auto-malware scanning before every device or software access, such as inserting a USB drive or downloading a file.
8. Have you backed-up recently? Always ensure files are backed-up offline (e.g. hard drive) to minimise disruption in the event of a device takeover.
9. Are you being rushed? Pause, think and protect. Never accede to urgent monetary requests without independently verifying the request, even if they are purportedly from your senior management.
10. If you suspect it, report it. Immediately report any suspected infection or any unusual behaviour/activity to your client service team or email be.secure@sc.com

Device Security

How can your devices get infected?

Viruses are a type of malicious software that can harm devices such as computers, laptops, smartphones and tablets. Once your device has been infected, this malicious software (also known as malware) can steal your data, erase it completely, hold your data to ransom, or even prevent you from using your device. Devices can become infected by accidentally downloading an email attachment that contains malware, or by plugging in a USB stick that is already infected. You can even get infected by visiting untrustworthy websites. For these reasons, it’s important that you always use antivirus software on your laptops and PCs. Smartphones and tablets should have their operating systems updated when available, to keep the device patched. Applications should be installed from official stores such as the Google Play Store and Apple’s App Store

Turn on your Antivirus product

Antivirus products detect and remove viruses and other kinds of malware from your computer, laptop or MAC, and should always be used.

• Make sure your Antivirus product is turned on and up to date.
• New computers often come with a trial version of additional Antivirus software. You may want to carry out your own research to find out if these products are right for you.
• Make sure your Antivirus software is set to automatically scan all new files, such as those downloaded from the internet or stored on a USB (Universal Serial Bus) stick, external hard drive, SD (Secure Digital) card, or other type of removable media.
• If you think your computer has been infected, open your Antivirus software, and run a full scan. Follow any instructions given.
• If you receive a phone call offering help to remove viruses and malware your computer, hang up immediately (this is a common scam).

Keep all your devices up to date

Don’t put off applying updates to your apps and your device’s software; they include protection from viruses and other kinds of malware.

• Applying software updates is one of the most important activity you can do to protect your devices. Update all apps and your device’s operating system when you’re prompted.
• Set all software and devices to update automatically, including your Antivirus software.
• You should consider replacing devices that are no longer supported by manufacturers with newer models. You can search online to see how long your current device will be officially supported.

Only install official apps

Only download apps for smartphones and tablets from official stores (like Google Play or the App Store). Apps downloaded from official stores have been checked to provide protection from viruses and malware.

Always backup your most important data
Safeguard your most important data, such as your key documents, by backing them up to an external hard drive or an authentic cloud-based storage system.
If your device is infected by a virus, malicious software (malware) or accessed by a cyber criminal your data may be damaged, deleted or held to ransom by ransomware preventing you from accessing it. Backing up your data means you have another copy of it, which you can always access.
Make sure that the external hard drive you are using to back-up your data is not permanently connected to the device you are backing up either physically or over a local network connection.

How we keep your data secure

Data Privacy
End-to-end encryption of transmitted information between your browser and Straight2Bank Web
Every data file transmitted to us via Straight2Bank Access must be signed and encrypted with industry standard tools
We encrypt all reports sent to your email addresses. The password for the reports will be set in your account
Our employees must have the appropriate entitlements credentials and authenticate before they can access your data.
Secured network
Our firewall perimeters protect Straight2Bank from unauthorized connections.
We employ distributed denial of service mitigation tools and push out regular software patches to protect our channels from intrusion.
We conduct intrusion detection monitoring and regular penetration testing on Straight2Bank.
As a client-facing system, new functionalities pushed out of Straight2Bank must undergo stringent application vulnerability testing before going live.
IP addresses can be restricted to control where users can access Straight2Bank from, to prevent use on unsecured networks.
Authentication
Multi-factor authentication and transaction signing.
Stringent login management controls to protect the integrity and use of Straight2Bank passwords.
Our secure password reset policy is designed to keep unauthorised users at bay.
User accesses are segregated by functional and data entitlement controls.
Hardware security modules are used to safeguard and manage digital keys for authentication in Straight2Bank.
Transaction monitoring
Two-levels of verification designed to check for duplicate payment files.
Hash-based comparisons ensure that payments have not been tampered prior to processing. Straight2Bank will only process transactions when the hash matches.
User activities are logged, and Straight2Bank provides you with an audit trail report for enhanced visibility.
You can configure out-of-band security notifications to alert you of, say, high-value transactions or for potential security risks.
A cyber threat monitoring solution on Straight2Bank provides real-time detection for device anomalies and suspicious activity based on a risk-score model.
Operational security
There are multiple security levels ensuring only legitimate transactions are processed.
Our system administration function allows you to monitor and manage user access. Dual control administration is recommended
Robust on-boarding and new user setup ensures integrity of Straight2Bank usage.
Change management controls in place, with production access credentials and job
segregation to prevent unauthorised activity
An enhanced authorisation matrix can be configured for ad-hoc payments.

Incident management
We have a robust crisis management framework that guides our quick and effective responses to suspicious events.
Data and systems are backed-up daily and periodically based on criticality, local regulatory requirements and more. This is only handled by staff with appropriate access rights.

Phishing

What is Phishing?

Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware or direct them to a suspicious website. Phishing can be conducted via a text message, social media, or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.

Phishing emails are a threat to organisations of any size and type. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data.

In a targeted campaign, the attacker may use information about your employees or company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.

Whaling is a highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.
Whaling does not require extensive technical knowledge yet can deliver huge returns. As such, it is one of the largest risks facing businesses. Financial institutions and payment services are the most targeted organisations; however, cloud storage and file hosting sites, online services and e-commerce sites are receiving a larger share of attacks.

Whaling emails are more sophisticated than generic phishing emails as they often target chief (‘c-level’) executives and usually:

• contain personalised information about the targeted organisation or individual
• convey a sense of urgency
• are crafted with a solid understanding of business language and tone

What are the consequences?
Whaling emails are a form of social engineering which aim to encourage their victim to take a secondary action such as:

• clicking on a link to a site which delivers malware
• requesting a transfer of funds to the attacker’s bank account
• requests for additional details about the business or individual in order to conduct further attack

Spotting suspicious messages

Spotting scam messages and phone calls is becoming increasingly difficult. Many scams will even fool the experts. However, there are some tricks that criminals will use to try and get you to respond without thinking. Things to look out for are:
Authority – Is the message claiming to be from someone official? For example, your bank, doctor, a solicitor, or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.
Urgency – Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Criminals often threaten you with fines or other negative consequences.
Emotion – Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
Scarcity – Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.
Current events – Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

Please be aware and vigilant against e-mail frauds. An example of e-mail fraud commonly used by fraudsters is

• E-mail communication between buyer and suppliers is intercepted by fraudsters.
• Pretending to be the supplier, fraudsters sends fictitious e-mails to the buyer requesting a change of supplier’s bank account details and for buyer to remit money to the fraudulent account.
• If the fictitious e-mail is received in a format identical to the genuine supplier’s e-mail, clients may, without verification, remit money to the fraudulent account provided by the fraudsters.
• Money remitted into this account will then be quickly withdrawn by the fraudsters.

How can I overcome email fraud?

Exercise vigilance. Always call your beneficiary to verify the authenticity of any new account detail before updating the payee records in your accounting system and on Straight2Bank.

Business E-Mail Compromise

Business email compromise (BEC) and Email account compromise (EAC), is a type of email cyber crime scam in which an attacker takes over an email account and then targets businesses and individuals with the objective to commit fraud or data theft.

Look out for these signs, that the email may not be what it seems:

• High-profile individuals asking for unusual information.
• Requests to not communicate with others
• Requests that bypass normal channels
• Language issues and unusual date formats
• Email domains and “Reply To” addresses that do not match sender’s addresses

If you suspect you’ve received a BEC or EAC email from Standard Chartered Bank:

• Do not respond to the sender.
• Report the incident via email to: be.secure@sc.com so we can try to track where it’s coming from.

Tips:

• Always be vigilant when reviewing and confirming e-mail payment instructions, especially those containing new beneficiary banks, account names or account numbers.
• If you have been requested to initiate wire transfers urgently or due to an emergency, even if it is purportedly from senior management, it may be a scam. Fraudsters tend to create a false sense of urgency to get you to act quickly and minimise verifications.
• Regularly check your account activities for any suspicious transactions.

Clients who notice unusual behaviour or discover account discrepancies should contact their Relationship Manager(s) or Standard Chartered’s Client Service Team immediately. Details of your in-country Client Service team can be found on Straight2Bank’s login page under “Contact Us”.

Spyware

Spyware is a type of software inserted into your computer that collects information about you and your internet traffic. It is usually stored on your computer unknowingly when you download something from little-known websites. Once your computers and systems have been compromised, it can be used maliciously to gain access to your confidential personal data such as your passwords, PINs and internet browsing history.

Tips:

• If you have installed any software that claims to speed up your internet connection or have additional third-party internet browser plug-ins, we recommend that you uninstall them as these could potentially be tracking your internet sessions.
• Refrain from logging onto Straight2Bank until the problem has been resolved.

Trojan Horses

rojans are a type of computer virus that is capable of performing sophisticated tasks. Some variants can install a “keystroke logger”, which will capture all keystrokes entered by your keyboard; others are designed to capture specific information entered at certain websites such as online banking websites, either by keystroke logging or taking screen shots. The information is then sent to the criminals over the Internet directly from your computer without your knowledge.

A common method of infection includes clicking on hyperlinks in random e-mails or through a malicious website. These websites may use vulnerabilities in web browsers that are exploited to download and install the specific Trojan.

How can I avoid being a victim of a Trojan Horse attack?

At present, Trojans take advantage of vulnerabilities in web browsers and operating system. To prevent them from infecting your operating system and web browser, you should:

• Be cautious about all unsolicited email (especially those from unknown senders) and never click on hyperlinks from these emails to visit unknown websites.
• Install and keep updated anti-virus software and run regular scans
• Install and use a personal firewall (hardware or software based)
• Install the latest security updates, for your browser and operating system

Remember, under no circumstances will Standard Chartered contact you to ask for your login details and sensitive information.

To avoid being a victim of these scams, check out some of the security features on Straight2Bank and security best practices on this page. Alternatively, contact your Relationship Manager to find out more about cyber security.

Encrypting the online banking sessions and data transmissions using TLS 1.2/1.3 (Transport Layer Security) which is the highest level of encryption commercially available.
Installing multiple tiers of firewall perimeter with stealth capability.
Conducting 24/7 network intrusion detection and security monitoring.
Installing anti-virus programs on our operating systems and ensuring that they are regularly updated.
Implementing strong controls around password management, system administrations and physical controls to all our systems.
Regularly updating our operating systems with security patches, as and when they are released.
Continuously researching and adapting against emerging security threats, as well as engaging with industry experts and partnerships around cyber intelligence.
Conducting regular testing on our systems to ensure they stand up to the latest intrusion attempts, using independent security firms to benchmark our security standards.

Keep Your Computer Protected

• Install a robust anti-virus, anti-spyware and firewall software on your devices and update it regularly.
• Perform regular scans of your systems for malware, spyware and other risks.
• Regularly download and install the latest updates to your operating system (e.g. Windows) and browsers. Recent advisories from security agencies recommend scanning your PC in Windows Safe Mode. (Press F8 while rebooting your PC to enter Safe Mode, and then scan your PC).
• Do not open e-mail attachments or click on links from unknown sources. Watch out for file extensions (like .doc, .rtf) and delete any files that have double extensions as they are likely to be a virus.
• Do not install software or programs of unknown origin in your PC. Before you run any software or program, ensure that it comes from a trusted source.
• Always log off from your online session when you leave your computer unattended and clear your browser cache after logging off.
• Avoid file sharing in your computer(s) and printers outside your organization’s network.

Check where you are logging in

• Always type https://s2b.standardchartered.com in your web browser instead of accepting links or redirections from e-mails or other websites. The ‘s’ in https indicates that the session is secure. It is not a normal practice for our bank to redirect from other websites to our login page and request for credentials.
• Check that the TSL certificate (by clicking on the pad lock icon in your browser) has valid dates and is issued to s2b.standardchartered.com

Manage Passwords and Pins securely

• Create strong passwords and Vasco token PINs. Passwords should have at least 8 characters and contain upper case, lower case, numbers and special characters. Vasco Token PINs are 6 numeric characters
• Avoid using sequential characters of numbers (such as abcdef, 12345) or the same character digit more than twice (such as mmssee, 123222). Do not use a PIN or password that is easily identifiable such as your birthday, telephone number or other personal information
• Change your password regularly, and it should not be any of the last 8 passwords you have used for Straight2Bank.
• Change your password IMMEDIATELY if you suspect it has been revealed or compromised.
• Never share your login details (ID, password, security token PIN) with anybody – verbally or in writing, or allow them to observe you entering them. If you have a Vasco token, never share PIN numbers, approval codes, or the token serial number with anybody else or allow anybody to tamper with it.
• Never write down your user ID and password anywhere (keyboard, desk, notebook, hard disk of your PC, any portable devices such as your mobile, thumb drive, etc.)

Adopt Strong operational Control

• Reconcile your account balances and transaction records frequently and report any discrepancies.
• Review regularly the statements and notifications sent by the Bank and flag any suspicious transactions.
• Always keep your bank up-to-date with any changes in contact details to ensure that all notifications will reach you.
• Do not disclose personal, financial or credit card information to unknown websites.
• Configure regular back-ups of your critical data.
• Use encryption to protect confidential information.
• Set up strong transaction authorisation rules with additional approval for ad hoc or high value payments
• Increase the number of ‘Approvers/ Checkers’ required to authorise a payment before sending it to the Bank
• Never log on to Straight2Bank Web from a public or shared computer or from a computer or device that cannot be trusted.

Protect your mobile (smart) devices

• Download applications from trusted sources.
• Update your smart devices, operating systems and applications regularly.
• Restrict access to your smart device with a strong password, PIN or pattern and turn on security controls (wipe after failed attempts, set your device to lock after a short period of inactivity etc).
• Avoid jail-breaking or rooting your smart devices as it may compromise security.
• Do not store passwords or account numbers on your mobile phone (unless you use a secure password vault software).
• Avoid connecting to public or unencrypted Wi-Fi hotspots and network. Always use home office or known networks.

Reminder: It Is NOT Our Practice To

• Send e-mails requesting for you to enter personal security information directly into the e-mails
• Send e-mails requesting for your personal or business information in your reply
• Send e-mails threatening to suspend or close your account if you do not provide your personal or business information immediately
• Share your name with any contacts outside our company in a manner inconsistent with our Privacy Policy.

For Financial Markets Users

Below are steps to improve cyber awareness, and help you better manage cyber events if required.

• Inform your Straight2Bank Markets users not to share passwords or OTP tokens with other users and not to reuse the same passwords for other transaction sites.
• Lock your computer screen when it is unattended to prevent unauthorised access or trading on Straight2Bank Markets.
• Be wary of phishing, an attempt used by cyber criminals to trick you into downloading malware or giving valuable information that can be used for other fraudulent activities. Treat all unsolicited emails with caution and be wary when downloading attachments (especially Microsoft Office documents with macros) or clicking on links in emails. The bank will never ask you to click on links to the Bank’s transaction systems.
• Be wary of Business email compromise (BEC), where cyber criminals may have hijacked an email account and are requesting unusual business or personal information. When in doubt, please contact your Client Service team, or Relationship Manager.
• Be wary of vishing, a phishing attempt done over the phone. Verify if the caller is legitimate – if you are unconvinced, ask for the caller’s company details and call back using the official phone number. The bank will never call you requesting for personal information.
• If you receive an unknown call claiming to be a staff in Standard Chartered Bank, hang up the phone and call back using the official contact number found on the website (sc.com). When in doubt, report it to be.secure@sc.com.
• Do not plug in unauthorised USB drives (USB baiting) into your computer and be very wary when you download / install / click on unverified software / links while browsing the web.
• If you encounter spoof/fake Straight2Bank Markets websites or software, please report it to be.secure@sc.com

Notify the Bank if

• You receive an e-mail (or phone call) asking for your Straight2Bank ID, password, Vasco PIN or other security credentials, or a link to online banking site which prompts for your details. Phishing or vishing attempts should be reported to be.secure@sc.com or to your dedicated client service team, who will escalate for investigation and if required have the site taken down.
• You notice unusual behaviour and have been advised or suspect that you may have malware on your computer or device, or you think your log on credentials may have been compromised.
• You come across anything suspicious when you bank online such as unusual web pages asking for banking information.
  • You do not see any of the security features mentioned in this guide such as padlock sign or security symbol in your browser, or if the site starts with http:// instead of https://.
  • You lose your mobile phone or device that you use for online banking.

Here’s How To Reach Out To Us:

• Reach out to your relationship managers out to your in-country dedicated Client Service Team. Their details can be found on our website (s2b.standardchartered.com) through this button shown below.

• It is important that you contact us immediately so that we can take steps to prevent or stop a security breach.
• Please note that Standard Chartered is only liable for direct losses as a result of fraud, gross negligence, or willful misconduct on our part.

If you are a Financial Markets customer, please contact our eClient services team as follows

Singapore: +65 6622 7192

Hong Kong: +852 3013 4426

Bahrain: +973 1654 8913

United Kingdom : +44 203 564 6553

United States : +1 917 4217 292

Email: eClientServices@sc.com