Citco Security Center
The security of our clients' information is always a priority. We have various security controls in place with regard to our people, processes and technologies (including dual-factor authentication) to help keep your information safe. You can be assured that we are committed to protecting the personal information entrusted to us.
Working with Citco:
- Citco will never request personal or private information from you in an email.
- If you’re concerned that an email you’ve received from Citco might be fraudulent, or you want to confirm that the email originated from Citco, we will be more than happy to help you verify its legitimacy. Contact your Citco representative or refer to the contact details in the last section.
There are also certain steps you can take to keep safe online. Kindly consider them carefully.
- Protect your computer, network and mobile devices
- Protect your online identity and accounts
- Know the signs of phishing
- Report an online security issue to us
Protect your computer, network and mobile devices
By ensuring the security of your computer and mobile devices, you can reduce the risks of your personal information falling into wrong hands. As your first line of defense, here are things you can do to help prevent your computer, network and mobile devices from being hijacked.
Regularly update your OS, anti-virus and anti-spyware, and use spam filters
Always make sure you run the current version of your OS, with all patches applied, together with up-to-date anti-virus and anti-spyware on your computer or mobile device. Using a good spam filter also helps block emails that may carry malware. Malicious software, also known as malware, can put you at risk of identity theft, for example by recording keystrokes and capturing personal information such as usernames and passwords.
Protect your home wireless network
Most often, the default configuration of a home wireless network is not secure and uses a weak level of encryption. You should enable strong encryption and be sure to change your router's default password.
Use the right firewall for your computer
Most computers ship with a firewall that is turned on automatically. However, you may still want to check your firewall settings by referring to the support pages for your computer's operating system.
Password-protect and encrypt your device
In case someone steals or finds your device, make it harder to access the information stored on it. Check the section below for tips on creating strong passwords. Almost all smartphones and other mobile devices to date are also equipped with device encryption features.
Be wary of unknown sources or senders of software downloads, emails and attachments
Download software from trusted sources only, and open emails and attachments from known and trusted senders only. Cybercriminals commonly send viruses and malware through legitimate-looking emails and trick users into downloading seemingly harmless software. Consider using a browser plug-in or proxy service that reports on the safety of websites.
Be smart when using wireless networks
Make sure you are using a legitimate Wi-Fi hotspot, not one set up by an attacker. An employee of the airport, restaurant or coffee shop you are in will be happy to tell you what network name to look for. Also, do not transmit sensitive data over public or open Wi-Fi. For example, never check your accounts or send confidential emails. The risks are just too great.
Always log out of your session
Always log out of your account when you are done with it. This helps protect your information from people snooping around the web. Also, if you're on a shared computer or public computer, logging out when you are done prevents other users from using your account.
Lock your device
Most devices and smartphones can be configured to auto-lock and require a passcode or password to unlock them. Use this feature whenever possible. You may also configure them (or install software) to automatically wipe the device after too many incorrect password attempts. In some cases, you may be able to locate your device using its GPS.
Use modern browsers
Use only modern web browsers for your banking transactions, since these keep themselves up to date with the latest security patches.
Test for vulnerabilities
Have your network and systems periodically tested for vulnerabilities.
Educate!
Educate your employees about the latest security threats, especially phishing and Business Email Compromise (BEC) scams. Employees have become the last line of defense: they are the human firewall, and they are also the most vulnerable to attack.
Protect your online identity and accounts
Hackers and perpetrators of identity theft and fraud are constantly coming up with ways to steal your personal data, which includes tricking you into giving it to them willingly or unwittingly. The steps below will help you fight any advances the cybercriminals are making in order to grab your personal data.
Create strong passwords and keep them private
Here are five tips for creating strong passwords. We highly recommend you follow them, whether in your personal or business life.
- Strong passwords are at least eight characters long.
- They must contain upper- and lowercase letters, numerals, and at least one special character (such as ! or @).
- Devise a "pass-phrase" that makes sense to you. For example, to turn "quick red fox" into a strong password, use it this way: qu1ckREDDfox! Not only do you have a strong password, it is also easier to commit to memory. Alternatively, use a password vault or password manager.
- Avoid reusing your password. If a hacker somehow learns, for example, your email password, then the first thing he'll do is check whether it is also your banking and credit-card password. Create a unique password for every account.
- Never tell anybody your password. Never write down a password. Even the risk of revealing it renders a strong, unique password useless.
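The five rules above expressed as a checker, as an added example that is not Citco's own code. The reuse check compares against a constructed collection of previously used passwords; a real system would hold salted hashes, never plaintext.

```python
import re

# Policy taken from the five tips above: at least eight characters,
# upper- and lowercase letters, a numeral, a special character, no reuse.
MIN_LENGTH = 8
RULES = [
    ("uppercase letter", r"[A-Z]"),
    ("lowercase letter", r"[a-z]"),
    ("numeral", r"[0-9]"),
    ("special character", r"[^A-Za-z0-9]"),
]


def check_password(candidate, previously_used=()):
    """Return the rules the candidate fails; an empty list means it passes.

    previously_used is a constructed collection for this example; a real
    system would compare against stored salted hashes rather than plaintext.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in RULES:
        if not re.search(pattern, candidate):
            failures.append(f"missing {name}")
    if candidate in previously_used:
        failures.append("reused password")
    return failures


if __name__ == "__main__":
    # The page's own example passes; the plain phrase it started from does not.
    print(check_password("qu1ckREDDfox!"))  # []
    print(check_password("quick red fox"))  # missing uppercase letter, numeral
    print(check_password("qu1ckREDDfox!", {"qu1ckREDDfox!"}))  # reused password
```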
Check that your web browser is in a secure session
Before making transactions online, or providing your personal information online, look for https, denoted by a padlock icon, at the beginning of the website address. The "s" in https stands for "secure" session, and it ensures you are sending encrypted information to the target computer (this does not guarantee, though, that the computer you are accessing is legitimate). The https prefix should persist across all pages; pages where it does not may not be secure.
Note that https and the padlock icon do not reveal the real intention of a malicious website, since phishing sites use https, too!
Be careful of who is asking you for information
Be aware of phishing emails, online scams, websites, phone calls and other means that cybercriminals use to steal personal information. Be suspicious of emails demanding that you act urgently and asking for personal data such as usernames, passwords or PINs, even if they seem to come from someone you know. Never click any links or download any attachments in a suspicious email. See the section below for tips on how to spot phishing.
Don't reveal too much
Avoid oversharing your personal information on social media sites. Don't provide information about your physical address or location (and turn off location services/GPS on your mobile device), where you work or where you attend school. Never reveal personal information that might be the answer to a secret question used to reset your password. The trick is to treat your personal data as you would your money.
Monitor your account regularly
Taking time to look at your account information, at least once a month, will help you detect and address any suspicious activity before it can cause serious damage. Watch out for any indication that your identity may have been stolen or your accounts may have been tampered with. Staying vigilant goes hand in hand with acting quickly: as soon as you suspect your account has been compromised, report it to us immediately. For contact details, refer to the last section.
Never reveal your government ID number
Never provide this information unless you have initiated the contact with the person or company that has requested it and have confirmed their identity.
Use two-factor authentication (2FA)
Many institutions offer 2FA. During the authentication process, you will be prompted for additional information such as a one-time passcode sent to you via SMS or email. You should choose to use 2FA whenever it is available.
Know the signs of phishing
Phishing is a scheme that uses legitimate-looking emails and phony websites to trick you into disclosing personal information. An email is likely to be phishing when it:
- Offers you money.
- Threatens some dire consequence if you do not immediately log on and take action.
- Threatens to close or suspend your account if you do not take immediate action by providing specific information about you or your company.
- Requires you to enter organizational or personal information directly into the e-mail or submit that information some other way.
- Solicits your participation in a survey where you are asked to enter personal information.
- States that your account has been compromised or that there has been third-party activity on your account and requests you to enter or confirm your account information.
- States that there are unauthorized transactions on your account(s) and requests your account information.
- Asks you to enter your UserID, password or account numbers into an e-mail or non-secure webpage.
- Asks you to confirm, verify, or refresh your account information.
- Directs you to a screen that asks you to provide additional data beyond your normal login information.
- Asks you to validate account information for banking systems you do not use.
If an email seems suspicious, do not open it, click links within it or respond to it. Simply delete it from your inbox.
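The signs listed above turned into a coarse triage scorer, as an added example that is not part of the original page. The keyword patterns and the two sample messages are constructed for illustration; a message matching two or more signs is flagged, which is far cruder than a real mail filter but shows how the list maps to checks.

```python
import re

# One coarse pattern per sign from the list above. Constructed for this
# example; a production filter would use many more features than keywords.
SIGNS = [
    ("offers money", r"\b(prize|reward|refund|cash|you have won)\b"),
    ("urgent threat", r"\b(immediately|within \d+ hours|suspend\w*|terminat\w*)\b"),
    ("asks for credentials", r"\b(password|user ?id|pin|account number)s?\b"),
    ("claims compromise", r"\b(compromised|unauthori[sz]ed|third[- ]party activity)\b"),
    ("asks to verify", r"\b(confirm|verify|validate|refresh)\b.{0,40}\b(account|information|details)\b"),
    ("survey", r"\bsurvey\b"),
]


def phishing_signs(body):
    """Return the names of the signs that match the message text."""
    text = " ".join(body.lower().split())  # normalise case and whitespace
    return [name for name, pattern in SIGNS if re.search(pattern, text)]


def is_suspicious(body, threshold=2):
    """Flag a message that shows at least `threshold` of the signs."""
    return len(phishing_signs(body)) >= threshold


# Two constructed sample messages (not real mail).
SAMPLE_PHISH = (
    "Your account has been compromised. Verify your account information "
    "within 24 hours or it will be suspended. Enter your password and PIN here."
)
SAMPLE_LEGIT = (
    "Hi, attached are the minutes from Tuesday's meeting. "
    "Let me know if anything is missing."
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(is_suspicious(sample), phishing_signs(sample))
```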
IT security alert
Executive Summary
Microsoft and global news media outlets began announcing as early as March 2, 2021 that Microsoft Exchange on-premises software packages were being actively exploited. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Citco Response
The recent news announcements that Microsoft's Exchange Email Platform is vulnerable triggered a check of our internal email systems as well as our test email systems in Azure.
While Citco does utilize the Microsoft Exchange email platform internally, we prohibit the use of Outlook Web Access (OWA), which is an internet-facing interface for email access and is one of the primary attack vectors. Citco immediately followed the advice from Microsoft and US cybersecurity agencies and has verified that all of our systems have been patched and that no indicators of compromise or malicious web shells have been found to date. Malicious web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
Citco will continue to monitor threat intelligence traffic looking for additional or potential vulnerabilities in the platform as they are announced.
Citco is actively notifying our staff about the dangers of this most recent vulnerability, with specific focus on the possibility that communication from our clients and other partners may be compromised, and on the extra due diligence this requires: all transaction- or information-related emails should be verified.
It is strongly recommended that all our business partners and clients that may rely on on-premises MS Exchange follow the mitigation advice from Microsoft and other governmental agencies.
Report an online security issue to us:
USA: 1.800.457.2251 / Ireland: 1.800.570015 / UK: 08.001693105 / SNG, HK, MNL: 1.800.48480000 then press ‘1’