Malaga Bank

Malaga Bank FSB (the "Bank", "we", "us" or "our") is committed to respecting the privacy rights of all users ("you" or "your") of its web site (the "Site"). Certain information about visitors to this site is being collected by DHI Computing Services, Inc., 1525 West 820 North, Provo, UT 84601 on their web servers. The following policy describes how the Bank seeks to assure its visitors about how it protects information provided or collected through this Site.

What information do we collect about you and how do we use it? When applying to use our Online Banking Site, you are required to provide your name, e-mail address, street address and telephone number, social security number, and your account number(s). Later, you will be asked to create a password to access the online banking services ("Services") offered on our Site. This information allows us to keep a user profile so that we may provide you access to the Services, customize preferences, and provide a faster method for you to submit and receive information to and from us.

We may also collect general information in connection with your use of our Site, such as, for example, the length of time you spend on our site, what pages on our site you visit most frequently, how often you visit our site, what kind of browser software you are using, and your domain name, if applicable. If you communicate with us by e-mail, we may collect your e-mail address and any other information contained in the e-mail. Since e-mail transmissions may be subject to interception, please do not include sensitive or personal information in any e-mail you send to us.

Information is collected for the purpose of processing your application, transaction, or request for information. The information will be used for the purposes of meeting your banking needs and requests, and providing services to you in the future. The Bank does not share customer information with third parties, except as permitted by law.

If you do not want your personal information collected, you may refrain from supplying the information, whether through e-mail or our Site.

How do we protect your information? The Bank implements a variety of security measures to maintain the safety of the information you provide to us. Your information is contained behind secured networks and is only accessible by a limited number of employees who have special access rights to such systems. All sensitive information supplied by users is transmitted via Secure Socket Layer (SSL) transaction security protocol (which was developed by Netscape and is now largely accepted as an industry standard) and then encrypted into the Bank's databases. The Bank recommends using one of the following browsers, each of which can be downloaded free of charge: Netscape Navigator ('http://www.netscape.com'), or Microsoft Internet Explorer ('http://www.microsoft.com/ie'). To ensure the highest level of security available today, the Bank suggests that users choose the 128-bit encryption version from the download options. If a user does not have access to a browser that supports at least 48-bit encryption, the Bank's servers will not process such user's information.

You may review the information we collect about you and correct any errors in that information by reviewing account statements and any other correspondence from us and notifying us of any inaccurate or outdated information at the address or phone number on your statements.

Furthermore, if the Bank chooses to make chat rooms, forums, message boards, individual web pages, and/or news groups available to its users, please remember that any information that is disclosed in these areas becomes public information and each user should exercise caution when deciding to disclose any of his/her information.

Do we use "cookies"? Cookies are bits of electronic information that a Site can transfer to a user's hard drive to help tailor and keep records of a user's visit to a Site. Cookies allow web site operators to better customize visits to a web site to the user's individual preferences. The use of cookies is standard on the Internet and many major web sites use them. Although most web browsers automatically accept cookies, users can usually change browser settings to prevent or provide notification whenever a cookie is sent, thereby giving users the chance to decide whether or not to accept it. Even without accepting a cookie, users can still access most of the features on the Site. The Bank may use cookies in order to help provide you with a better experience on our Site. To obtain more information about cookies, please visit http://www.cookiecentral.com.

OUR SPECIAL NOTE TO PARENTS
Due to the nature of the high-end services offered on our Site, and lack of marketing toward children, we believe that children are unlikely to visit us on the Internet. Nonetheless, we encourage parents and guardians to spend time online with their children, and to participate in the interactive activities offered online. No information should be submitted to or posted at our Site by guests under eighteen (18) years of age without the consent and supervision of their parent or guardian. In addition, we will use our best efforts to comply with the Federal Children's Online Privacy Protection Act (COPPA). In an effort to comply with COPPA, we will not knowingly allow children under the age of thirteen to use our Site.

However, we also believe that it is the parents' responsibility to supervise their children's online activities and parents should therefore consider using parental control tools available from online services and software manufacturers that help provide a child-friendly online environment. These tools can also prevent children from disclosing their name, address, and other personal information online without parental permission.

THIRD PARTY LINKS
In an attempt to provide increased value to our users, we may choose various third party web sites to link to, from, and frame within, our own Site. However, even if the third party is affiliated with us, we have no control over these linked web sites, each of which is independent of our Site and may have separate privacy and data collection practices. We have no responsibility or liability for these independent policies or actions, and are not responsible for the privacy practices, content or any other aspect of such web sites. These linked web sites are only for your convenience and you therefore access them at your own risk.

YOUR CONSENT
By using our Site, you expressly consent to the collection and use of information by us as described in this privacy statement. If we decide to change our privacy statement, we will post those changes at www.malagabank.com, so that you are always aware of what information we collect, how we use it, and under what circumstances we disclose it.

CONTACT US
We welcome your questions, comments, and concerns about privacy. Please send us any and all feedback pertaining to this, or any other issue, at malagabank@malagabank.com.

Or you can reach us by posted mail at:
Malaga Bank FSB
2514 Via Tejon
Palos Verdes Estates, CA 90274
By telephone: 310-375-9000
Or by facsimile: 310-373-3615

If you feel the Bank has not met its obligations in the protection or use of your personal information, you may contact the following government agency for specific regulations:

Office of Thrift Supervision
Department of Consumer Affairs
Washington, DC 20553

INTERNET ACCESS AGREEMENT
Please also visit our Internet Access Agreement establishing the use, disclaimers, and limitations of liability for the Online Banking Site.

DOCUMENTATION
Please print out and keep a copy of this privacy statement, or please visit http://www.malagabank.com/privacy.htm to view this privacy statement and any revisions made to it.

SECURITY and BROWSER REQUIREMENTS

Security Issues

To help maintain security, you should close your browser when you have completed your Internet banking session. This will help prevent unauthorized persons from viewing your private account information.

Never share your password with another person. Keep your password secret.

Browser Requirements

To help ensure security and proper functionality, you must use a browser that meets or exceeds the following requirements:

128 bit encryption
You must have Cookies and JavaScript enabled
We recommend you use the latest, patched version of any modern browser such as: Google Chrome, Apple Safari, Mozilla Firefox, Opera or Microsoft Internet Explorer.
We also highly recommend that you have a personal firewall, virus and spyware protection that is up-to-date with all security patches and that the operating system is also up-to-date with all security patches.

PROTECT YOUR PERSONAL INFORMATION

Every day you share personal information about yourself with others. It's a routine that you may not even realize you're doing. You may write a check at the grocery store, charge tickets to a ball game, rent a car, mail your tax returns, buy a gift online, call home on your cell phone, schedule a doctor's appointment, or apply for a credit card. Each transaction requires you to share personal information: your bank and credit card account numbers; your income; your Social Security number (SSN); or your name, address, and phone numbers.

Because you can control the information you choose to release, you are the single best person to protect your information. There are some easy ways to do this by keeping anything with any personal or account information in a safe place, providing your information only to trusted sources, and reducing the amount of mail you receive with your information on it.

It's okay to be skeptical when providing your personal information. If you can't verify the legitimacy of the business or person that you may be providing your information to, or if you don't understand why a piece of information is needed, you may want to think twice about the transaction.

Take care of your personal information

Your personal information is present on mail, credit cards, and identification. Protecting these pieces of information is the first step in reducing your risk of identity theft and fraud.

Treat your credit cards and ATM/Debit cards like cash.
Retrieve incoming mail from your mailbox quickly. Do not leave outgoing mail in an unsecured mailbox or any other location.
Make copies of all of the financial information that you carry with you daily and store the copies in a safe place.

Safeguarding your Social Security number

Carry only necessary identification with you. Don't carry your Social Security card.
Never provide your Social Security number unless you have initiated the contact and have confirmed the business or person's identity.
Do not use your full or partial Social Security number as a Personal Identification Number (PIN) or as a password.
If you must send your Social Security number in an email ensure that the email is encrypted.
Only enter your Social Security number into internet websites when the site is secure and you know how the recipient will protect it.
Be cautious of your surroundings when disclosing your Social Security number. For example, if a retail store requests your Social Security number to look up your store credit card number.
Do not transmit your Social Security number over the Internet unless you know that the connection is secure or you have encrypted the Social Security number.
Be cautious when faxing your Social Security number, double check the fax number to ensure it is the correct number.
Do not record your Social Security number on a check, traveler's check, gift certificate, money order or other negotiable instrument unless required by law.

Provide information only to trusted sources

You should share your information only with trusted sources. If you can't verify the identity of the source asking for your personal information, you should be very cautious about sharing any information with this source.

Never provide personal information unless you have initiated the contact and have confirmed the business or person's identity.
Be cautious of telephone and door-to-door solicitations.
Be skeptical of offers that seem "too good to be true". They usually are.

Eliminate paper and increase security

Recent studies have shown that a very easy way to protect your personal information is to limit the amount of paper that has your personal information printed on it. Criminals have been known to get to this paper by stealing mail from your mailbox or even by taking it out of the trash.

Here are some ways you can eliminate paper and increase your security:

Reduce the amount of mail you receive that displays personal information.
Shred unnecessary financial documents immediately before throwing them away.
Stop receiving your account statements/imaged checks in the mail. Sign-in to www.malagabank.com, go to Other Services tab, and click Statement Preferences to change your statement delivery method from paper to electronic.
Opt-out of pre-approved credit card offers by dialing 888-567-8688. This will communicate your preference to all three of the major credit bureaus.

SECURE YOUR COMPUTER

We recommend using all the following security tools to help protect your personal information anytime you are online. A properly protected computer provides for a safer online experience.

Anti-spyware protection

Make sure your computer has an anti-spyware protection program that detects and removes all forms of spyware, which can steal vital information. Use this program to scan your computer frequently. Many software companies offer software that will protect you from a wide variety of spyware threats, and also will provide customer service in case you have questions.

Anti-virus protection

Make sure your computer has an anti-virus protection program that detects and removes viruses. Software from major providers will protect you from a wide variety of threats, and also will provide customer service in case you have questions. Be sure to always keep your anti-virus program updated.

There are several easy ways to protect your computer against viruses and spyware:

Automatic upgrades. Buy a protection program that automatically upgrades your spyware or virus protection on a recurring basis. If you don't have this automatic upgrade feature, make sure you update your spyware and virus detection programs weekly, as well as whenever you hear of a new computer threat.
Attachments. Don't open attachments, CDs, thumb drives or any other portable media unless you're sure that you can trust the source. Learn how to manually screen portable media and attachments if your anti-virus software doesn't automatically do so.
Contact your ISP. Your Internet service provider (ISP) may have more recommendations and technical support for protecting yourself. Contact your ISP for recommendations specific to your computer and network.

Recognizing spyware and viruses

Spyware and viruses are malicious programs that are loaded onto your computer without your knowledge.

Spyware is designed to allow unauthorized access to computer systems. Spyware can be used to steal your personal information. Some spyware programs can detect the numbers and letters you enter on your keyboard such as passwords.
Viruses are designed to make copies of themselves, quickly using up your computer's memory. Some viruses can transmit across computer networks.

Firewall

Add a firewall to your computer system. A firewall refers to any of a number of security services that prevent unauthorized users from gaining access to a computer or that monitor transfers of information to and from the computer.

Operating System & Software Updates

Install all software fixes (sometimes called "patches" or "service packs") that are made available for your computer programs as soon as possible, especially if the fix addresses a security hole. All programs, such as your Windows, Mac, or Linux operating systems, need to be updated from time to time.

Use a current Web Browser

Newer browsers are being deployed with your security in mind.

Activate a Pop-up Blocker

Activate a pop-up blocking tool. Pop-ups can be more than an annoyance.

BANK ACCOUNT SECURITY TIPS

Report lost or stolen cards and checks immediately.
Review account statements carefully. Regular account review helps to quickly detect and stop fraudulent activity. Ask about suspicious charges.
With Malaga's Online Banking you can monitor your account online any time and as frequently as you like.
Limit the amount of information on checks. Don't print your driver's license number or Social Security number on your checks.
Store new and imaged checks in a safe and secure location.
Carry your checkbook with you only when necessary.

ATM/DEBIT CARD SECURITY TIPS

Always keep your ATM/Debit card in a safe and secure place. Treat it as you would cash or checks. Contact Malaga Bank immediately at 310-375-9000 if your card is lost or stolen, or if you suspect unauthorized use.
Do not send your card number through email, as it is typically not secure.
Do not give out your card number over the phone unless you initiated the call.
Regularly review your account statements as soon as you receive them to verify transactions. Contact Malaga Bank immediately if you identify any discrepancies.
If you have forgotten your Personal Identification Number (PIN) or would like to select a new one, please visit one of our Malaga Bank locations.
To protect your account, Malaga Bank recommends that you change your PIN every six months.
Cancel and cut up unused ATM/Debit cards.
If you receive a replacement card, destroy your old card.
When selecting a PIN, don't use any number or word that appears in your wallet (such as name, birth date, or phone number).
Ensure no one sees your PIN when you enter it.
Memorize your PIN. Don't write it down anywhere, especially on your card, and never share it with anyone.
Shop with merchants you know and trust.
Make sure any internet purchase activity you engage in is secured with encryption to protect your account information. Look for "secure transaction" symbols like a lock symbol in the lower right-hand corner of your web browser window, or "https://�" in the address bar of the website. The "s" indicates "secured" and means the web page uses encryption.
Always log off from any website after a purchase transaction made with your debit card. If you cannot log off, shut down your browser to prevent unauthorized access to your account information.
Safe-keep or securely dispose of your transaction receipts.

ATM SECURITY TIPS

Use ATMs with surveillance cameras. All Malaga Bank ATMs are monitored by surveillance cameras, which record activity in the area of the ATM.
Be aware of strangers. When you enter or exit an ATM in an enclosed area, be sure you close the entry door completely. Do not open locked ATM vestibule doors for others, or allow any unknown persons to enter the ATM area while you are making your transaction. Authorized customers should have their own access.
Put away your card and cash. After completing your transaction, secure your card and cash immediately, before exiting the ATM area. Count your cash later, in the safety of your locked car or home.
Treat your ATM card like cash. Always protect your card by keeping it in a safe place. If your card is lost or stolen, contact us immediately.
Protect your privacy. Shield the ATM keypad with your hand or body while entering your PIN. Do not leave your transaction record at the ATM. Keep your transaction record in a safe place, so you can compare it to your later statements.
Be cautious at drive-up ATMs. If you use a drive-up ATM, be sure your passenger windows are rolled up and your doors are locked.
Be careful at night. Be aware of your surroundings, especially after dark. If you must use an ATM at night, consider taking someone with you.
Stay alert. If you notice anything suspicious or that you deem unsafe, such as the lighting around the ATM not working, use another ATM or return later.
Report suspicious behavior. Report all crimes immediately to us and the local law enforcement agency.
Request emergency assistance and security. If you need emergency assistance, call 911 from the nearest telephone. If you have a complaint about the security of a Malaga Bank ATM, call our Corporate Office at 310-375-9000.

ONLINE SECURITY TIPS

Use a current web browser.
Avoid downloading programs from unknown sources.
Do not use your Social Security number as a username or password. Change your usernames and passwords regularly and use combinations of letters, numbers, and "special characters" such as "pound" (#) and "at" (@) signs. Do not use your online banking password as a password for other online accounts. If your current Malaga username or password is your Social Security number, change it following these directions:
- Sign in to Online Banking
- Click on the Other Services tab
- Select Change User ID or Change Password
Protect your online passwords. Don't write them down or share them with anyone.
If we detect any unusual or uncharacteristic behavior involving your account, we will ask you to answer your security questions or receive a phone call to make sure that it's really you. You will be asked to refresh your security questions annually.
Protect your answers to security questions. Select questions and provide answers that are easy for you to remember, but hard for anyone else to guess. Do not write down your security questions or answers or share them with anyone. If you have selected security questions on other websites, avoid using the same questions to protect your Malaga online account. Please note that we will never ask you to provide answers to your security questions via email.
Use secure websites for transactions and shopping. Shop with merchants you know and trust. Make sure internet purchases are secured with encryption to protect your account information. Look for "secure transaction" symbols like a lock symbol in the lower right-hand corner of your web browser window, or "https://�" in the address bar of the website. The "s" indicates "secured" and means the web page uses encryption.
Always log off from any website after making a purchase with your credit or debit card. If you cannot log off, shut down your browser to prevent unauthorized access to your account information.
Close your browser when you're not using the internet.

MOBILE BANKING SECURITY TIPS

When you use a mobile device (cellular phone, blackberry, etc.) for browser or text-based account access, keep these tips in mind:

Use the keypad lock or phone lock function on your mobile device when it is not in use. These functions password-protect your device so that nobody else can use it or view your information. Also be sure to store your device in a secure location.
Frequently delete text messages from your financial institution, especially before loaning out, discarding, or selling your mobile device.
Never disclose via text message any personal information (account numbers, passwords, or any combination of sensitive information like your social security number or birth date that could be used in ID theft).
Avoid following links in e-mails especially those that require you to enter passwords or other confidential information.
Use your browser bar to enter https://www.malagabankonline.com/m and save the web link as a bookmark to avoid the possibility of mistyping the URL.
Contact Malaga Bank immediately if you lose your phone.

COMPUTER SECURITY TIPS

Keep your computer operating system up to date to ensure the highest level of protection.
Install a personal firewall on your computer.
Install, run, and keep anti-virus software updated.
Turn your computer off completely when you are finished using it - don't leave it in sleep mode.
Conduct online banking activities on secure computers only. Public computers (computers at internet cafes, copy centers, etc.) should be used with caution, due to shared use and possible tampering. Online banking activities and viewing or downloading documents (statements, etc.) should only be conducted on a computer you know to be safe and secure.

EMAIL SECURITY TIPS

Be wary of suspicious emails. Never open attachments, click on links, or respond to emails from suspicious or unknown senders.
If you receive a suspicious email that you think is a phish email, do not respond or provide any information.
If you respond to a phish email with personal information, contact Malaga Bank at 310-375-9000. You also may report phishing email to reportphishing@antiphishing.org.
Malaga Bank will never request you to send personal information via email. If you encounter a suspicious email or website that says it's from Malaga Bank, do not respond to it.

SCAM PREVENTION TIPS

First and foremost, use common sense. If it sounds too good to be true, it probably is.
Never give personal information to a stranger who contacts you, whether by telephone, email, or other means.
Don't accept payments for more than the amount of the service with the understanding that you send the buyer the difference.
Don't accept checks from individuals you've only met online.
Don't accept jobs in which you are paid or receive commission for facilitating money transfers through your account.
No matter how urgent someone claims a deal is, you can always wait a few days to research and confirm legitimacy. Time is on your side, not the fraudster's.
You are ultimately responsible and liable for all deposits made into your account, whether they are a check, money order, transfer, etc.

IDENTITY THEFT

What is Site-to-User?

A security enhancement designed to confirm that you are logging in to Malaga Bank's legitimate Web site and not a fraudulent Web site designed to look like Malaga's.
Assists customers in the fight against identity theft.
You choose a unique image and phrase known only to you and our internet banking system.
Each time you log in, you will see your unique image and phrase.
If you do not see your image and phrase, do not log in.

How does this increase security?

Site-to-User helps you know you are really on Malaga Bank's legitimate Web site and not a fraudulent Web site set up to steal your personal information without your knowledge.
Malaga Bank does all it can to confirm that you are who you claim to be.
Site-to-User helps you know that we are your bank.
If our Malaga Bank site knows that you are who you claim to be and you know that our site is legitimate, we can transact business more safely and securely.
During phishing and pharming attacks, users are often lured to fraudulent Web sites that look genuine. Such sites may ask a visitor to enter private information.
Site-to-User helps you know the difference between a fraudulent Web site and our legitimate site.

How will my login process change?

First, you will input your username without a password.
Then you will be asked to input your password.
You will then be required to select an image and phrase.
When your selected image and phrase is displayed on our site, it confirms to you that the site is indeed authentic.
You will then continue to access your accounts with a greater level of security.

Do I have to use Site-to-User?
Yes. If you have questions about this, please contact Malaga Bank at (310) 375-9000.

Do I have to do anything special to get Site-to-User?
No. The first time you log in after this feature is activated, you will be asked for your user name and password. After the system recognizes you as a legitimate user, you will then be asked to choose a unique image and phrase. Once you have chosen an image and phrase, you should see that image and phrase every time you log in.

Do I have to choose an image and phrase?
Yes. We require all users to choose an image and phrase.

Can I change my image and phrase?
Yes. Simply choose Other Services, from the menu and then select Change Image/Phrase.

Can I use my own picture?
No. But there are many images to choose from.

What if the image is not my image when I log in?
Do not log in. If this happens to you, it could be caused by one of the following things:

You may have entered an invalid login name
You are on a fraudulent site; or
You (or someone with your credentials) changed your image.

If this happens, you should try starting the login process over completely. If the wrong image continues to appear, or if there is not an image, contact Malaga Bank at (310) 375-9000 for help.

ATM SKIMMING

ATM and credit card skimming fraud is on the rise. As you know, the back of your card has a magnetic strip which is scanned either by merchants or by ATMs or Automated Teller Machines to record your account information. Unfortunately, thieves also have access to those skimmers which can be secretly embedded into ATMs or used by unscrupulous waiters, store clerks and others you hand your card to.

Here's how the fraud works:

A "skimmer" is a small device that goes over the normal card reading slot of an ATM and reads your card's magnetic strip. The skimmer is used to capture your ATM card number and is disguised to look like normal ATM equipment.
At the same time, a wireless camera, hidden behind a brochure holder is mounted in a position to view the ATM PIN entries. Often, the scam artists will sit in a nearby car receiving the information wirelessly transmitted from the skimmer.
Scam artists are able to copy the information stored on the magnetic strip of the ATM cards and use the PIN numbers to withdraw funds from an account.


Example of a skimmer being installed in front of an existing bank card slot.	Example of a PIN reading camera being installed on the ATM housed in an innocent looking leaflet enclosure.

Skimmers can also be handheld devices that a dishonest merchant can keep in his pocket. For example, when charging your card when you're out at dinner, a scam artist can run your card through a skimmer as well.

How Can You Protect Yourself?

It is important to always be aware of the ways you can protect yourself from being scammed. Here are some ways to avoid becoming a victim of a skimming scam:

Examine the ATM to make sure there's nothing attached to the front.
Cover your hand as you type in your PIN so that a hidden camera can't record it.
If the ATMs pad is stiff or difficult to punch, there is a possibility that a recording device could have been placed on top of it.
Make it a habit of using the same ATM as often as possible.
Use ATMs where video cameras are installed so that criminals will have a harder time installing skimmers.
Don't type in your PIN at the pump. Gas pumps are notorious for skimming. Use a credit card when you fill your tank. If you must use a debit card, choose the screen prompt that identifies it as a credit card so you don't have to type in your PIN.
Be aware of who you give your debit or credit cards to. If a waiter or clerk takes it into a back room, there is the possibility they could skim the card and write down the expiration date and the three or four digit security code on the back or front of the card. That's all they need to misuse your card.
Check your statements carefully but - better yet - get an online banking account and check recent activity on a regular basis. Transactions are typically posted online in real time or within a couple of days.

If you see alterations or anything appearing unusual on our Malaga Bank ATMs, do not attempt to remove these devices, immediately contact our Corporate Office at 310-375-9000.

COUNTERFEIT CHECK SCAMS

Work from Home Scam
SCENARIO: A victim answers an online email or newspaper ad or posts their resume on a popular Internet website and is then awarded a job title called something like "Payment Processing Clerk" or "Accounts Receivable Clerk." The job description includes receiving checks on behalf of the company, depositing the checks into the victim's personal bank account, and wiring the monies when the funds are posted to the account. The victim is instructed to keep 5% to 10% of the value of the checks as their "salary." The victim deposits the checks and sends the money to the employer via wire or Western Union when the funds are available and posted to their bank account.

SCAM: The "employer" was a fraudster and the checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Internet Auction/Overpayment Scheme
SCENARIO: The victim sells or auctions goods (usually high-priced items) via the Internet. The buyer sends the victim a check or money order for more than the purchase price and asks the victim to wire the excess money to a third party, often in a foreign country. The victim is informed that the excess money will be used as payment for the shipper who has been hired to pick up and ship the merchandise on the buyer's behalf.

SCAM: The "buyer" and "shipper" were fraudsters. The check or money order that the buyer has used to purchase the goods is returned as counterfeit or stolen, and the victim has lost the money wired to the shipper. This scheme is often used when selling large items such as automobiles, motorcycles, boats, etc. The check or money order is frequently drawn off well-known businesses or US Postal Money Orders, so it seems legitimate, but it is not.

Canadian/Foreign Country Lottery Scam
SCENARIO: The victim receives an email or letter stating that they have an opportunity to receive a substantial sum of money. The letter states that the victim has won the Canadian Lottery (or some other country's Foreign Lottery). The letter informs the victim that they must pay a processing or transfer tax or fee before receiving the money. A check or money order will be enclosed to cover the required fees, and the victim is instructed to deposit the check into their bank account and wire the money to a third party, usually in a foreign country.

SCAM: The person who contacted the victim about the "Lottery" was a fraudster, and the victim has not won any money. The checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Foreign Business Offers/Advance Fee Scams
SCENARIO: The victim receives an email from a foreign official or businessperson who has a business proposal. The businessperson wants to move a large sum of money from a foreign country and needs assistance. The victim is usually offered 25% to 40% of the proceeds as payment for their trouble. If the victim agrees, they usually receive a large check in the mail. The victim deposits the check into their bank account and the funds are posted to their account. However, the businessperson now needs an advance fee of $30,000 to $40,000 to bribe an official, pay transfer fees or attorney fees, settle taxes, etc. The victim believes the previously deposited check was genuine, so they honor the request and wire funds to the businessperson.

SCAM: The "official" or "businessperson" was a fraudster, and the checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Romantic Chat Room/Love Losses/Russian Bride Scheme
SCENARIO: The victim has been in an ongoing Internet relationship and is informed that funds are needed to pay for travel expenses for their Internet mate to travel to the United States and begin their life together. The victim soon receives checks or money orders and is instructed to deposit the checks or money orders into their bank account, then to transfer a portion of the funds, via a wire service, to cover their Internet mate's expenses. The funds are posted to the account and the money is wired.

SCAM: The "Internet mate" was a fraudster, and the checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Roommate/Rental Schemes
SCENARIO: The victim posts an on-line or newspaper ad looking for a roommate or to sublet an apartment, condo, house, etc. The victim enters into an agreement with a new roommate and receives a check covering the first and last month's rent, utilities, security deposit, etc. Shortly after the check or money order is deposited by the victim, the new roommate contacts the victim with a tragic personal tale and informs them they will not be able to rent the property. They are requesting a refund of a portion of the money they sent, minus a fee for the victim's time and trouble. The money is wired back to the fraudster.

SCAM: The "new roommate" was a fraudster, and the checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Nanny Scams
SCENARIO: A wealthy family registers at a nanny-matching website looking for a nanny. They are willing to pay an excellent wage in exchange for child-care duties, and to attract a prospective nanny, they are willing to advance a generous amount of money in the form of a check or money order. The victim signs up, but then the wealthy family immediately says that they mistakenly sent too much money and requests that the remaining balance of the advance be returned via Western Union or other electronic means. The victim sends the requested money back.

SCAM: The "wealthy family" was a fraudster. The key here is, because the fraudsters ask for the money back immediately, the original payment hasn't cleared the bank yet. The checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Inheritance Scam
SCENARIO: The victim receives notification from an authoritative source such as a law firm, an executor of a will, or a barrister, notifying the victim of an inheritance from a long-lost relative or friend. The official has the victim provide their bank account number for funds to be deposited into their account, on the agreement that a fee must be made. The official may then do 1 of 2 things:

Tell the victim how much the fee is and request that it be sent via Western Union or other electronic means. The victim sends the requested fee.
Send the victim their inheritance as a check or money order, but then immediately say that they mistakenly sent too much money and request that the remaining balance of the advance be returned via Western Union or other electronic means. The consumer sends the requested money back.

SCAM

The "lawyer" is a fraudster who cannot help with any inheritance. The fraudster keeps the fee that the consumer has sent.
The key here is, because the fraudsters ask for the money back immediately, the original payment hasn't cleared the bank yet. The checks or money orders that were deposited are counterfeits. They are frequently drawn off well-known businesses or US Postal Money Orders, so they seem legitimate, but they are not.

Charity Scam
SCENARIO: The victim wants to help charities such as those for the victims of natural disasters like Hurricane Katrina and the 2004 Sumatran Tsunami, so they sign up online to help out. Through a series of emails, the victim is hired to be the "middleman" or "broker" to receive donations into a new bank account they are told to open. The job description includes receiving checks, depositing the checks into their newly opened bank account, and wiring the monies when the funds are posted to the account. The victim is instructed to keep a certain percentage of the value of the checks as their "salary." The victim deposits the checks and sends the money via wire or Western Union to the charity when the funds are available and posted to their bank account.

SCAM: The "charity" was fraudulent. And the funds sent to the newly opened bank account and then on to the charity belong to fraud victims' from other banks, who may have had their identities stolen or responded to a phishing email on the Internet. The victim not only has received and kept fraudulent funds, but has also forwarded a portion of those funds on to the fraudster.

How to Protect Yourself

Be cautious of any offer that sounds too good to be true.
Verify any calls or emails that you receive about a security or fraud investigation with your bank or financial institution.
Be wary of any offer that requires you to wire money, withdraw cash from your account, or provide account information.

Other Check Fraud Security Tips

Store your checks, deposit slips, bank statements, and cancelled checks in a secure and locked location. Never leave your checkbook in your vehicle or in the open.
Unless needed for tax purposes, destroy old cancelled checks, account statements, deposited checks, ATM receipts, etc.
Reconcile your bank statements within 30 days to detect any irregularities.
Never give your account number to people you do not know, especially over the telephone to unsolicited phone sales calls. Please note that Malaga Bank will NOT send out email asking you to verify personal data.
When you receive a new or replacement check order, make sure all the checks are there and that none are missing.
Mail your bills from the Post Office or sign up for Online Bill Pay.
Limit the amount of personal information on your check. For example, do not include your Social Security Number or Driver's License Number on your check.

Malaga Bank is committed to educating our customers on check and deposit fraud schemes.

FRAUDULENT EMAILS and WEBSITES

Phishing is usually a two-part scam involving emails and spoof websites. Fraudsters, also known as phishers, send an email to a wide audience that appears to come from a reputable company. This is known as a phish email.

In the phish email, there are links to spoof websites that imitate a reputable company's website. Fraudsters hope to convince victims to share their personal information by using clever and compelling language, such as an urgent need for you to update your information immediately or a need to communicate with you for your own safety or security. Once obtained, your personal information can be used to steal money or transfer stolen money into another account.

Use caution if you receive an email expressing an urgent need for you to update your information, activate your online banking account, or verify your identity by clicking on a link. These emails may be part of a phish scam conducted by fraudsters to capture your confidential account information and commit fraud.

How Fraudsters obtain Email Addresses

Fraudsters obtain email addresses from many places on the Internet. They also purchase email lists and sometimes guess email addresses. Fraudsters generally have no idea if people to whom they send banking-related phish emails are actual bank customers. Their hope is that a percentage of those phish emails will be received by actual bank customers.

If you receive a fraudulent email that appears to come from Malaga Bank, this does not mean that your email address, name, or any other information has been taken from Malaga Bank's systems.

Fraudulent Websites (Phish or Spoof Websites)

Fraudsters may attempt to direct you to spoof websites via emails, pop-up windows or text messages. These websites are used to try to obtain your personal information. One way to detect a phony website is to consider how you got to the site. Use caution if you may have followed a link in a suspicious email, text message, online chat or other pop-up window requesting your personal or account information.

Telephone or voice phishing

Known as vishing, or voice phishing, this tactic is a phishing attempt made through a telephone call, fax or voice message. If you are uncomfortable continuing a phone call that was not initiated by you, ask for a reference number and call Malaga Bank, using legitimate sources of contact information. This includes information found on your bank statements, and phone numbers listed on your ATM/Debit card.

Text-message phishing

A phishing attempt sent via SMS (Short Message Service) or text message to a mobile phone or device. This tactic is also referred to as smishing, which is a combination of SMS and phishing. The purpose of text message phishing is the same as traditional email phishing: convince recipients to share their sensitive or personal information.

Never disclose via text message any personal information, including account numbers, passwords, or any combination of sensitive information that could be used fraudulently. Use caution if you receive a text message expressing an urgent need for you to update your information, activate an account, or verify your identity by calling a phone number or submitting information on a web site. These messages may be part of a phishing scam conducted by fraudsters to capture your confidential account information and commit fraud.

Learn to Recognize Fraudulent Emails

Although fraudsters use various tactics in their phish, there are common elements you should familiarize yourself with.

Fraudulent emails are trying to trick you in to providing your personal information. Bank emails will never ask you to reply to an email with any personal information or data, such as your Social Security number, ATM/Debit Card PIN, or any other sensitive information. In addition, when you sign in to Online Banking always make sure to look for your SiteKey.
Awkward greeting. A phish may address the customer with a nonsensical greeting or may not refer to the customer by name.
Requests for security information or urgent language. An urgent need to communicate with you for your own security, or a request to update your information immediately. Malaga Bank will not ask you to verify information in this way.
Typos and incorrect grammar. Look for typographical or grammatical errors; awkward, stilted, or inappropriate writing; and poor visual or design quality. These tactics are used to bypass email filters.
Strange or unfamiliar links. This link looks official, but notice what happens when the mouse curser rolls over it. The link's source code points to a completely different web site. Remember that you can always type a URL into your web browser instead of clicking on a link.
Mis-spelled company name. Another tactic used to bypass email filters.
Too-good-to-be-true offers. Don't get mixed up in fraudulent activity by believing emails or web advertisements that offer to help you earn money by transferring cash.

COMMON FRAUD SCHEMES

Nigerian Letter or "419" Fraud

Nigerian letter frauds combine the threat of impersonation fraud with a variation of an advance fee scheme in which a letter, mailed from Nigeria, offers the recipient the "opportunity" to share in a percentage of millions of dollars that the author, a self-proclaimed government official, is trying to transfer illegally out of Nigeria. The recipient is encouraged to send information to the author, such as blank letterhead stationery, bank name and account numbers and other identifying information using a facsimile number provided in the letter. Some of these letters have also been received via E-mail through the Internet. The scheme relies on convincing a willing victim, who has demonstrated a "propensity for larceny" by responding to the invitation, to send money to the author of the letter in Nigeria in several installments of increasing amounts for a variety of reasons.

Payment of taxes, bribes to government officials, and legal fees are often described in great detail with the promise that all expenses will be reimbursed as soon as the funds are spirited out of Nigeria. In actuality, the millions of dollars do not exist and the victim eventually ends up with nothing but loss. Once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances until the victim's assets are taken in their entirety. While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually. Some victims have been lured to Nigeria, where they have been imprisoned against their will, in addition to losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law. The schemes themselves violate section 419 of the Nigerian criminal code, hence the label "419 fraud."

Some Tips to Avoid Nigerian Letter or "419" Fraud:

If you receive a letter from Nigeria asking you to send personal or banking information, do not reply in any manner. Send the letter to the U.S. Secret Service, your local FBI office, or the U.S. Postal Inspection Service. You can also register a complaint with the Federal Trade Commission's Consumer Sentinel.
If you know someone who is corresponding in one of these schemes, encourage that person to contact the FBI or the U.S. Secret Service as soon as possible.
Be skeptical of individuals representing themselves as Nigerian or foreign government officials asking for your help in placing large sums of money in overseas bank accounts.
Do not believe the promise of large sums of money for your cooperation.
Guard your account information carefully.

Advance Fee Scheme

An advance fee scheme occurs when the victim pays money to someone in anticipation of receiving something of greater value, such as a loan, contract, investment, or gift, and then receives little or nothing in return.

The variety of advance fee schemes is limited only by the imagination of the con artists who offer them. They may involve the sale of products or services, the offering of investments, lottery winnings, "found money," or many other "opportunities." Clever con artists will offer to find financing arrangements for their clients who pay a "finder's fee" in advance. They require their clients to sign contracts in which they agree to pay the fee when they are introduced to the financing source. Victims often learn that they are ineligible for financing only after they have paid the "finder" according to the contract. Such agreements may be legal unless it can be shown that the "finder" never had the intention or the ability to provide financing for the victims.

Some Tips to Avoid the Advanced Fee Schemes:

If the offer of an "opportunity" appears too good to be true, it probably is. Follow common business practice. For example, legitimate business is rarely conducted in cash on a street corner.
Know who you are dealing with. If you have not heard of a person or company that you intend to do business with, learn more about them. Depending on the amount of money that you intend to spend, you may want to visit the business location, check with the Better Business Bureau, or consult with your bank, an attorney, or the police.
Know who you are dealing with. If you have not heard of a person or company that you intend to do business with, learn more about them. Depending on the amount of money that you intend to spend, you may want to visit the business location, check with the Better Business Bureau, or consult with your bank, an attorney, or the police.
Be wary of businesses that operate out of post office boxes or mail drops and do not have a street address, or of dealing with persons who do not have a direct telephone line, who are never "in" when you call, but always return your call later.
Be wary of business deals that require you to sign nondisclosure or non-circumvention agreements that are designed to prevent you from independently verifying the bona fides of the people with whom you intend to do business. Con artists often use non-circumvention agreements to threaten their victims with civil suit if they report their losses to law enforcement.

Letter of Credit Fraud

Legitimate letters of credit are never sold or offered as investments. Legitimate letters of credit are issued by banks to ensure payment for goods shipped in connection with international trade. Payment on a letter of credit generally requires that the paying bank receive documentation certifying that the goods ordered have been shipped and are en route to their intended destination. Letters of credit frauds are often attempted against banks by providing false documentation to show that goods were shipped when, in fact, no goods or inferior goods were shipped.

Other letter of credit frauds occur when con artists offer a "letter of credit" or "bank guarantee" as an investment wherein the investor is promised huge interest rates on the order of 100 to 300 percent annually. Such investment "opportunities" simply do not exist.

Some Tips to Avoid Letter of Credit Fraud:

If an "opportunity" appears too good to be true, it probably is.
Do not invest in anything unless you understand the deal. Con artists rely on complex transactions and faulty logic to "explain" fraudulent investment schemes.
Do not invest or attempt to "purchase" a "Letter of Credit." Such investments simply do not exist.
Be wary of any investment that offers the promise of extremely high yields.
Independently verify the terms of any investment that you intend to make, including the parties involved and the nature of the investment.

For additional Common Fraud Schemes and updates.

EXTERNAL RESOURCES

Malaga Bank may provide access to information, products or services offered on websites that are owned or operated by other companies ("third party websites"). We provide this access through the use of hyperlinks that automatically move you from a Malaga Bank website to the third party site.

While we do our best to provide you with helpful, trustworthy resources, Malaga Bank cannot endorse, approve or guarantee information, products, services or recommendations provided at a third party website. Because we may not always know when information on a linked site changes, Malaga Bank is not responsible for the content or accuracy of any third party website. Malaga Bank shall not be responsible for any loss or damage of any sort resulting from the use of a link on its websites nor will it be liable for any failure of products or services advertised or provided on these linked sites.

The following sites provide excellent resources about privacy and security.

Identity Theft Information and Assistance

Federal Trade Commission (FTC) Identity Theft - a national resource to help you deter, detect, and defend against identity theft

Identity Theft Resource Center (ITRC) - provides step-by-step resolution instructions, form letters and other resources to assist identity theft victims

General Consumer Resources

Free Annual Credit Reports - information provided by the FTC on how you can request and receive a free copy of your credit report every 12 months from each of the national credit reporting companies

Federal Deposit Insurance Corporation (FDIC) Consumer Protection - offers a variety of information for consumers on financial topics, from understanding financial privacy to filing complaints

Federal Bureau of Investigation - advice and tips for protecting your family, your community, and your workplace.

Cyber Security

National Cyber Security Alliance (NCSA) Stay Safe Online - a nonprofit, public-private partnership focused on promoting cyber security, safety awareness and safe online behavior

Anti-Phishing Working Group (APWG) - a global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that results from phishing, pharming and email spoofing of all types

Microsoft� Security At Home - a Microsoft site committed to providing you with easy steps and resources to secure your computer at home

FREQUENTLY ASKED QUESTIONS and ANSWERS on COMPROMISED DEBIT CARDS

You may have read it in the paper or seen it in the news, there has been a lot of media attention in relation to credit card and/or debit card information being compromised. In an effort to educate our customers about compromise and how Malaga Bank handles compromise notifications, we have put together some helpful information and answered some of your most commonly asked questions.

What does it mean that my card was compromised?

Data compromise, also known as hacking, occurs when an individual or group of individuals gain unauthorized access to a computer system for the purpose of corrupting or stealing data. When you use your card at a merchant such as a store, gas station, over the internet or on the phone, your debit card information (for example, card number, name and expiration date) is recorded into a database that is retained by the merchant for a period of time. The unauthorized individuals may gain access to this stored information and may use it to perform fraudulent activity on your debit card.

What information was compromised on my debit card?

The only information that is encoded on your debit card is your name, debit card number and the expiration date. Your Malaga Bank checking or savings account number is not encoded on your debit card. Any accounts linked to your debit card are not revealed to a merchant when you make purchases, ATM withdrawals or point-of-sale transactions.

Could the Bank have prevented this incident?

The Bank has no control over where you use your card and how the merchants store your information. Each merchant must attempt to protect customer's information by ensuring that your information is secure.

How will I know that my card was compromised?

We will send a letter with details about your card replacement. Our process to notify and protect customers begins immediately after receiving a list of potentially compromised card numbers from Visa�.

Does this mean I have fraud on my account?

Not necessarily. A compromised card letter does not mean any fraudulent activity occurred on your account, merely that it's possible. In fact, among the list of card numbers we periodically receive, only a few have been affected by fraud. Take the opportunity to review your monthly statement(s). Remember to review your daily transactions using Online Banking.

Why was I not notified by telephone?

Depending on how many cardholders were affected, it would be difficult to call every Malaga Bank customer. Instead we focus our efforts on reissuing new cards and reducing existing purchase card limits.

Why is the Bank reducing my limits and ordering me a new card?

As a precaution, the Bank wants to protect the customer information and limit the Bank's liability in case of fraudulent activity. When a card is compromised we reduce the cash limits on ATM withdrawals and point-of-sale purchases for a limited time. We do this so that the customer will be able to make ATM withdrawals and purchases for small amounts until they get their new card in the mail. We send out letters to customers as quickly as possible to notify them of our action.

Can you raise my limits, especially if I need to make a purchase over the reduced limit?

We can make exceptions to raise limits temporarily on a case by case basis. Contact your local Retail Banking Manager.

How long will it take for me to receive a new Card?

It usually takes 5-7 business days to receive a new card. You will receive your new card first in the mail and shortly thereafter; you should receive your PIN (Personal Identification Number) mailer unless you pre-selected your pin in the branch. The pin mailer will reveal your new PIN number on it. If you would like to change your four digit PIN number, you must visit one of our branches to have your debit card re-encoded.

What happens if I do not receive my card by this time?

Please contact your local Retail Banking Manager so we can check on this immediately.

What should I do with my old card?

Once the new card arrives, you should destroy the old, compromised card. The Bank will place a restriction on the card as of the date on the notification letter, which should provide time for a new card to arrive.

Why don't you disclose the name of the merchant in the letter that you send me?

We never receive the names of the merchants involved. We receive a list indicating that an undisclosed merchant's database was compromised. Once the case is closed, the merchant may be revealed at a later date.

What if I do not want to have my compromised card blocked?

Compromises are serious. Fraudulent activity may occur if the card is not blocked. The fraud dispute process can be more inconvenient to customers than simply having a card replaced. While, many customers do not experience fraud when a compromise is reported, the risk exposure still exists if the card is not blocked and replaced. To protect our customers, minimize inconvenience and losses, Malaga Bank requires compromised cards to be closed and replaced.

What is Malaga Bank doing to protect my account?

We will replace all debit cards at our expense to all potentially compromised customers. In addition to your personal monitoring efforts, Malaga Bank uses sophisticated fraud monitoring services for all of our customers. We actively monitor all debit cards for fraud 24/7.

Should I be giving out my PIN?

At no time will Malaga Bank or any representative request your PIN or your full card number. We will ask to verify recent debit card activity with you. If it is determined that your debit card is being used fraudulently, you will instantly have your card blocked to prevent further transactions from occurring and a new card will be sent to you.

What if I have preauthorized debits made on my comprised card?

You should contact the merchant immediately upon receipt of your replacement card and provide them with the new card number and expiration date. This process may be as simple as logging into the corresponding merchant's site and updating the information yourself. If this is not the case, you may need to write the merchant and let them know of your card number change.

Are my joint account owners'/signers' cards affected?

Cardholders do not share card numbers, so if one card is compromised the other account owners'/signers' will not be affected.

Can this information be used to steal my identity?

The information encoded on the card pertains strictly to the card. Other confidential information such as Social Security numbers, driver's license, addresses and dates of birth are not stored on the card.

What can I do to keep this from recurring?

Unfortunately, we have no way of stopping criminals from hacking into databases of merchants. While the possibility of a card being used fraudulently is low, we recognize the aggravation customers face in acquiring a replacement card or to have fraudulent activity removed from their account.

Is there anything I can do to insure that fraud doesn't occur on my card?

Always know where your card is, and if you misplace it, call the Bank immediately so we can block the card from use. Never write your PIN on the card or carry the written PIN with you.

If you have any further questions, please contact your local branch.