Fraud Prevention - JP Morgan

Fraud scheme: Check fraud

Many individuals and businesses leverage checks as a form of payment. However, traditional paper checks present fraud risks that can lead to exposure of personal and account information, or a financial loss. Checks contain sensitive and personal information such as your name, address, account number, routing number and signature, which fraudsters can use to gain unauthorized access to your accounts.

Common types of check fraud include:

• Theft and forgery: Stealing physical checks and fraudulently endorsing them to gain access to funds in the associated account The information on the check can also be used to set up unauthorized Automated Clearing House (ACH) payments

• Counterfeiting: Making withdrawals or payments with fake checks that contain genuine routing and account details

• Check washing: Chemically removing and replacing the information on the check, such as payee or amount

• Fake check scams: Fraudsters may trick you into depositing a fraudulent check. Often, they request a reimbursement or return of overpayment through a different method, including wires, ACHs or person-to-person payments. Before returning funds, verify the legitimacy of the check by ensuring the check has cleared the maker’s account

Note: Prior to depositing checks into your account, validate their legitimacy. Examine the security features on the back to ensure everything is present. Also, while funds from a check may appear available, do not use those funds until you have ensured they have completed the clearing process. Funds from a deposited or cashed fraudulent check must be returned.

How to help protect against check fraud

1. Use online bill payment systems, and sign up for paperless statements.

• Routing and account numbers printed on checks can sometimes be used to commit ACH fraud. When you use online bill payments systems, J.P. Morgan sends a check on your behalf without disclosing your personal checking account number

2. Add advanced check fraud prevention services, such as Positive Pay, Reverse Positive Pay and ACH Debit Block on your business or commercial checking accounts.

3. Check your accounts regularly for unauthorized activity, and enable online alerts such as Positive Pay, Reverse Positive Pay and ACH Debit Block on your business or commercial checking accounts.

4. Leverage a reputable company when ordering checks, and ensure the check contains many security features such as:

• High-security background colors green, burgundy, blue, yellow and purple

• True watermark watermark is pressed into the paper and detected when held up to the light and cannot be reproduced by copiers/scanners

• Chemical wash detection area alteration attempts result in speckling or stains

5. Request a delivery signature for check orders so they are not left outside unattended.

6. Examine new checkbooks for missing checks, and shred any blank, unused or unwanted checks.

7. Use a bold, dark font when generating digital checks to prevent fraudsters from erasing the text then replacing it with fraudulent details to conceal the forgery.

8. When writing checks, use a security gel pen to help bond the ink to the paper, and limit the amount of blanks space by adding lines before and after the amount, making it more difficult to alter.

9. Do not include excess personal information on checks, such as your home address, Social Security number or phone number.

10. Store checks in a secure location to prevent unauthorized individuals from stealing your personal information.

We can help

If you believe that you, or your organization, may have been a victim of check fraud, speak with your J.P. Morgan team immediately.

This document is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from fraud. It does not provide a comprehensive listing of all types of fraud activities and it does not identify all types of fraud prevention best practices. You, your company or organization is responsible for determining how to best protect itself against fraud activities and for selecting the fraud prevention best practices that are most appropriate to your needs. Any reproduction, retransmission, dissemination or other unauthorized use of this document or the information contained herein by any person or entity is strictly prohibited.

J.P. Morgan is committed to making our products and services accessible to meet the financial services needs of all our clients. If you are a person with a disability and need additional support, please contact your J.P. Morgan team or email us at accessibility.support@jpmorgan.com for assistance. https://privatebank.jpmorgan.com/gl/en/disclosures/legal-disclaimer

Fraud scheme: Identity theft

The most important commodity an individual possesses is their identity—those distinguishing details that define you as you, such as your name or Social Security number. That information is leveraged by the companies and institutions you do business with to validate who you are, and it’s the same information fraudsters want in order to commit fraud against you.

By gaining access to your personally identifying information, fraudsters can impersonate you to apply for lines of credit (mortgages, personal loans and credit cards), open new banking accounts, claim benefits (unemployment), or even file fake tax returns without your knowledge.

Identity theft incidents continue to increase year-over-year. In 2022, according to the Federal Bureau of Investigation, more than 27 thousand victims lost over $189 million to this type of fraud.

To protect yourself from becoming a victim, it is important to understand how identity theft happens, and the best practices you can implement.

Common ways identity theft happens

• Social engineering scams: Sharing personal and confidential information in response to deceptive emails, text messages and phone calls, or allowing a fraudster to remotely access your device

• Unsecure Wi-Fi: Leveraging open internet connections in airports, hotels, coffee shops and other public locations could expose your information to fraudsters

How to help protect against identity theft

• Implement a credit freeze, also known as a security freeze, to restrict access to your credit report by a person, merchant or institution unless you temporarily lift or remove the freeze, making it more difficult for identity thieves to open accounts in your name and/or abuse your credit

Request an Identity Protection PIN (IP PIN) to prevent fraudsters from submitting a tax return using your SSN or Individual Taxpayer Identification Number

Contact each of the major credit bureaus to implement a freeze

• Leverage credit monitoring services such as Credit Journey, which alerts you to changes against those accounts listed on your credit report

Request a copy of your credit report to ensure the information contained within is accurate

• Data breaches: The intentional or accidental exposure of an individual’s confidential information

• Physical theft: Access to your personal information by stealing your laptop or mobile device, or by redirecting your mail or stealing it from unsecured receptacles

• Be wary when sharing personal information, even during the course of business. You should not assume a request or provided information is genuine

Never trust the caller ID of a phone call or text message, as fraudsters spoof the details to make it appear it is coming from a known phone number

Avoid answering calls from unknown numbers, and allow them to go to voicemail. If the call is important, the caller will leave a message

Use extreme caution when providing personal information such as PINs, passwords or one-time passcodes (J.P. Morgan will never ask you to share your passwords.) You should not assume a request or provided information is genuine

• Safeguard your devices by keeping the operating systems and antivirus software up-to-date. Enable automatic updates to keep them protected

To order your report:

800.685.1111

To report fraud: 888.766.0008

To place a credit freeze: www.equifax.com/personal

To order your report: 800.888.4213

To report fraud: 800.680.7289

To place a credit freeze: transunion.com/creditfreeze

To order your report: 888.397.3742

To report fraud: 888.397.3742

To place a credit freeze: experian.com/freeze

To order your report: 800.540.2505

To report fraud: 800.540.2505

innovis.com/personal/ fraudActiveDutyAlerts

To place a credit freeze: 800.540.2505 innovis.com/personal/ securityFreeze

To place a security alert: 888.478.6536 or click here

To place a security freeze: Click here

We can help

If you believe you may have been a victim of identity theft, speak with your J.P. Morgan team immediately.

This document is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from fraud. It does not provide a comprehensive listing of all types of fraud activities and it does not identify all types of fraud prevention best practices. You, your company or organization is responsible for determining how to best protect itself against fraud activities and for selecting the fraud prevention best practices that are most appropriate to your needs. Any reproduction, retransmission, dissemination or other unauthorized use of this document or the information contained herein by any person or entity is strictly prohibited.

J.P. Morgan is committed to making our products and services accessible to meet the financial services needs of all our clients. If you are a person with a disability and need additional support, please contact your J.P. Morgan team or email us at accessibility.support@jpmorgan.com for assistance.

Fraud scheme: Mobile device takeover

Fraudsters have figured out how to take over your mobile phone without actually stealing it. Instead, they impersonate you to your mobile phone service, which allows them to hijack your phone number by transferring it and your phone data from your existing device to one under the fraudster’s control. Once fraudsters gain access, they have the ability to reset your passwords on accounts that use your phone number for auto recovery, and are able to receive one-time verification codes sent to the mobile number by text, phone call or email.

Disruption of your telephone service, such as the inability to receive calls or text messages in a location that normally offers service, can be a sign that you are a victim of mobile device takeover. In the event of a disruption of approximately 15 to 30 minutes, call your service provider immediately to identify the root cause. Also call your J.P. Morgan team to ensure that we are able to partner with you to help remediate the issue as quickly as we can.

Ways mobile device takeover can occur

Fraudsters have also learned that compromising a mobile phone number, by tricking an individual into clicking on a link within a text message, or through the use of a physical SIM card, can be leveraged to commit fraud. Through social engineering, they will attempt to obtain that individual’s phone number, name, address and other personally identifying information. Using that information, fraudsters will impersonate the individual when contacting the service provider.

Phone porting

Phone porting is a service offered by mobile carriers to allow customers to easily switch providers without creating a new phone number. Fraudsters leverage this common practice to redirect an individual’s phone number to gain access to it and all associated data.

SIM swap

The SIM (Subscriber Identity Module) card stores subscriber data and connects an individual’s device (and phone number) to the mobile network. Without a SIM card, an individual would not be able to place or receive a phone call or text messages. Fraudsters leverage this process to trick the mobile service provider into activating a new SIM card that the fraudster possesses.

Call forwarding

Telephone providers offer a feature that allows inbound calls to be forwarded to another number. Fraudsters use this service, by hacking into your online mobile account, or calling the provider, to redirect your phone number to another number, which they control

To help mitigate these risks, consider the following best practices:

1. Contact your mobile service provider

• If you experience an unexpected interruption in service for a significant period of time

• To add a verbal password to your account and lock your account to prevent your phone number from being transferred or ported without your authorization (Note: Many mobile service providers now have a service to prevent unauthorized transfers, but not all do. See below for details on how to initiate this security feature)

2. Protect your mobile devices and tablets with your fingerprint or facial recognition technology, if available; if these security features are not available, use strong, complex passwords:

• Avoid using the same PIN for multiple devices

• Enable multi-factor authentication for all online accounts, if offered by the mobile service provider

3. Enable your device to automatically lock itself after a period of inactivity

4. Install antivirus software on your mobile device and activate automatic updates to ensure the devices remain protected

5. Avoid answering calls from unknown individuals; be wary of impersonators attempting to deceive you into divulging information or taking action on a financial account

• Verify the caller before providing any information. If you are unsure, call the business on a known number. For example, if you receive a call from JPMorgan Chase, call the number on the back of your card, or call your J.P. Morgan team before providing any information

• Never provide your full card number, PIN or one-time authentication passcode to an unknown caller, even if the caller claims to be from J.P. Morgan

6. Before trading in an old device, erase any personal information it may contain by resetting it to its factory settings

Contact your mobile service provider to implement additional controls on your account:

In the United States

AT&T Wireless

• Add extra security to your wireless account

Log in to your online profile > Account setting > Linked Accounts > Manage extra security > Extra security > Re-enter passcode if prompted

• Download the AT&T ActiveArmor security app to protect your personal data

• Download the Lookout app to protect your device from viruses, malware and spyware

• For additional tips on how to protect your AT&T account(s), go to https://www.att.com/help/fraud-and-security.html

Verizon Wireless

• Set up an account PIN to verify your identity when you contact Verizon

Log in to your “My Verizon” app > Account > Edit profile & setting > Security > Manage Account PIN

• Download the Verizon Call Filter app to receive alerts on incoming spam calls, and easily report and block unwanted numbers on your mobile phone; go to https://www.verizon.com/ support/how-to-use-call-filter/

In Europe and Asia

EE

• To block incoming unsolicited calls, open your phone dialer and go to “Settings” > Call blocking > Manage the list of unwanted callers

• To block unwanted text messages, open your phone’s messaging app and go to “More/Settings” > “Block” > Select the number

• If your phone shows the message “This phone has been disabled by EE…,” the phone has been reported as having been obtained by fraud. That means you won’t be able to make calls or access data on the phone. Immediately call EE, as only EE can re- enable the phone

• To protect your account from mobile porting, go to Log in to your “My Verizon” app > Account > Settings > Security > Number Lock

• For additional tips on how to protect your Verizon account(s), go to www.verizon.com/about/responsibility/account-security

T-Mobile

• Set up an account PIN for when you contact T-Mobile Log in to your “My T-Mobile” > Choose a verification method (text message or security question) > Next > Follow the prompts > Enter your desired PIN/Passcode To protect your account from mobile porting, set up T-Mobile’s NOPORT security feature Call 611 from your T-Mobile number or call 1-800-937-8997 from any phone number to add this feature to your account

• Set up multi-factor authentication through “account profile” online or by calling T-Mobile

• Download the T-Mobile Scam Shield app to identify suspected spam calls and block numbers from which you don’t want to receive calls from

• Download the Lookout app to protect your device from viruses, malware and spyware

• For additional tips on how to protect your EE account(s), go to https://ee.co.uk/help/help-new/safety-and-security

O2

• Set up a PIN to protect your mobile device under Settings > General or Security > Passcode lock or Screen lock based on your cellular device

• For additional tips on how to protect your O2 account, go to https://www.o2.co.uk/help/safety-and-security/mobile-security

FRAUD PREVENTION

Swisscom

• Activate “Callfilter” on your mobile phone to block incoming unsolicited advertising calls

Log in to your “My Swisscom” app > Swisscom Cockpit > “Call Settings” > “Callfilter”

• If your phone is stolen, block your SIM in the Customer Centre to prevent the thief from using your mobile to make calls, and then report the theft to the police

In Asia

Singtel

• ZoneAlarm is a mobile security application that protects against online attacks, viruses and spyware. Your mobile device and personal data are protected as you navigate the internet and download files

Sign up for ZoneAlarm by going to https://www.zonealarm.com

• For additional information, go to https://www.singtel.com/ personal/i/faq/zonealarm

Etisalat

• Set up a 4-digit PIN to verify your identity when you contact Etisalat

• For additional information, go to https://www.etisalat.ae/en/ consumer/support/mobile/prepaid/4digit_security_pin_faqs.jsp

Vodafone

• Download the Vodafone Secure Net app to protect your device from viruses and harmful websites

• Forward spam texts to 7726 (Android devices can tap the Report Spam button in the messing app)

• For additional tips on how to protect your Vodafone account(s), go to https://www.vodafone.co.uk/privacy/protecting-you

1010/CSL

• Set up a PIN for your account

Log in to “1010.com” with your mobile number > Onetime password > Enter the password and verify

• Download SafetyNet, which detects whether content contains malicious software or poses a security risk

• For additional tips on how to protect your 1010 account(s), go to https://www.1010.com.hk/jsp/our_services/network_protect/ mobile_protect_eng.htm Maxis

• Protect your device by requesting SIM/Device blocking and report lost or stolen devices by contacting Maxis customer service or visiting a Maxis store

We can help

If you believe you have been a victim of fraud, speak with your J.P. Morgan team immediately.

This document is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from fraud. It does not provide a comprehensive listing of all types of fraud activities and it does not identify all types of fraud prevention best practices. You, your company or organization is responsible for determining how to best protect itself against fraud activities and for selecting the fraud prevention best practices that are most appropriate to your needs. Any reproduction, retransmission, dissemination or other unauthorized use of this document or the information contained herein by any person or entity is strictly prohibited.

J.P. Morgan is committed to making our products and services accessible to meet the financial services needs of all our clients. If you are a person with a disability and need additional support, please contact your J.P. Morgan team or email us at accessibility.support@jpmorgan.com for assistance.

By visiting a third-party site, you may be entering an unsecured website that may have a different privacy policy and security practices from J.P. Morgan standards. J.P. Morgan is not responsible for, and does not control, endorse or guarantee, any aspect of any linked third-party site. J.P. Morgan accepts no direct or consequential losses arising from the use of such sites.

Keep yourself safe from fraud

At J.P. Morgan, protecting your information and assets is our top priority. While we deploy sophisticated fraud prevention strategies, you are an integral component to preventing fraudulent activity. To improve your security posture and mitigate fraud risk, it is vital for you to understand the ways fraudsters can trick you into performing actions or divulging confidential information, and best practices to prevent against identity theft.

HOW DOES IT HAPPEN?

Social engineering Fraudsters go to great lengths to deceive individuals into providing confidential or sensitive information via email (phishing), phone (vishing) or text message (SMiShing) by claiming to be a trusted associate or organization.

Email compromise Fraudsters target individuals and businesses that regularly perform wire payments by using language specific to you or your company, and attempt to impersonate you or your trusted associates via email, in order to redirect funds to their accounts.

Email compromise can occur through hacking, when a fraudster gains unauthorized access to a legitimate email account, and/or spoofing, when a fraudster creates an email address that looks similar to a legitimate email address in order to trick individuals into believing it is genuine.

Remote access Fraudsters can gain remote access to your computer through malware or social engineering attempts claiming to be reputable service protection providers.

JPMorgan Chase will never ask you to disclose confidential information, credentials (including passcodes) or request the ability to remotely access your device via email, phone or text message.

Third-Party Email Compromise: Both individuals and organizations can fall victim to third-party email compromise fraud. Fraud occurs when fraudsters exploit trusted relationships between you, your business and third-party service providers you work with. They may hack the third party’s email system or spoof their email address, and send genuine-looking invoices to deceive you or your business.

With this access, fraudsters can control your computer and complete transactions without your knowledge.

Wire fraud Wire fraud occurs when a fraudster transfers funds to an account unbeknownst to the account holder, or when the account holder unintentionally sends a wire transfer to a fraudulent account.

Check fraud Traditional paper checks contain sensitive and personal information such as your name, address, account number, and signature, which fraudsters can use to illegally access your accounts. Check fraud occurs when fraudsters steal, forge and/or fraudulently endorse physical checks, create counterfeit checks using genuine account and

Online banking fraud

Online banking fraud occurs when fraudsters are able to obtain your log-in credentials and bypass the multi-factor authentication controls. They can commit the fraud by purchasing compromised credentials on the dark web, tricking you into providing your credentials and OTP

ACH fraud Automated Clearing House (ACH) is an electronic payment network that enables businesses and individuals to securely transfer funds via their banks. ACH fraud occurs when fraudsters trick you into sharing your bank routing number and account number, or by obtaining the

Mobile device takeover fraud Fraudsters have figured out how to take over your mobile phone without actually stealing it. Through social engineering, they will attempt to obtain your phone number, name, address and other personally identifying information.

Mobile Device Takeover (MDT) fraud occurs when fraudsters call service providers and impersonate victims. By tricking mobile phone service providers, fraudsters can hijack your phone number from your existing device to one under the fraudster’s control. MDT fraud can

routing details, chemically remove and replace details on a check (check washing), or trick individuals into withdrawing funds against a check that has not cleared (check kiting).

(one-time passcode), or installing malware on your device. Once your online account is compromised, a fraudster is able to view account information, initiate payments and update contact information.

information from a check. Fraudsters can sometimes initiate payments from your bank account through a third-party service provider by knowing these two pieces of information. Report unauthorized transactions immediately to avoid a potential loss.

be executed through phone porting (transferring a phone number to a new provider), SIM (Subscriber Identity Module) swapping (transferring phone data to a new SIM card) and call forwarding (redirecting phone calls to new phone number).

Once fraudsters gain access, they have the ability to reset your passwords on accounts that use the phone number for auto recovery, and are able to receive one-time verification codes sent to the mobile number by text, phone call or email.

Top 9 actions you can take to protect yourself from fraud

Money movement and online banking

1. Always validate payment instructions by calling the originator on a known number when instructions are received via email, even if the email is from a senior member of the company or a trusted third party.

2. Check your accounts for unauthorized activity periodically, and enable online alerts to notify you of account changes and potentially suspicious transactions.

3. Do not assume a phone call is genuine because the person on the other end has your information:

• Call a known number (i.e., back of the card or your J.P. Morgan team) to verify you are speaking to a J.P. Morgan team member.

4. Set up paperless statements to help protect your account information from being lost or stolen in the mail.

5. Sign up for online bill pay to reduce the risk of check fraud; J.P. Morgan will send a check on your behalf without disclosing your personal information.

Computer, email and telephone

1. Create strong user names and passwords, never share them, and never log in to your online banking from a public computer or Wi-Fi.

2. Adopt multi-factor authentication for all online banking accounts, and always log off your online banking account when not in use:

• Leverage a token for added security, which provides a randomly selected code (that changes every minute) required in addition to the password you create

• Ensure operating systems and data protection software, including antimalware and antivirus software, on your computer and mobile devices are up-to-date

3. Be wary of the following red flags in emails:

• Spoofed email address

• Poor grammar or spelling

• Urgency around payment transmissions

• Late changes of payment instructions

• Suspicious attachments or links

• Blurred company logo on an invoice

4. Do not allow anyone to access your computer remotely. If you have done so, review your emails, including emails in the sent and trash folders, and rules that may have been set up by the fraudster, to determine if any personal information has been compromised. If concerned, take your device to a reputable service provider to be scrubbed.

Remember, if you receive a request to provide personal or financial information, take a step back from the situation to evaluate it. Even if the requestor claims to be your bank or other trusted organization, don’t rush to action!

We can help

If you believe you have been targeted by a fraud scheme or your log-in credentials have been compromised, please contact your J.P. Morgan team.

This document is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from fraud. It does not provide a comprehensive listing of all types of fraud activities and it does not identify all types of fraud prevention best practices. You, your company or organization is responsible for determining how to best protect itself against fraud activities and for selecting the fraud prevention best practices that are most appropriate to your needs. Any reproduction, retransmission, dissemination or other unauthorized use of this document or the information contained herein by any

or entity is

prohibited. J.P. Morgan is committed to making our products and services accessible to meet the financial services needs of all our clients. If you are a person with a disability and need additional support, please contact your J.P. Morgan team or email us at accessibility.support@jpmorgan.com for assistance.