i. Look out for phishing emails that contain:
(a) Casual or informal wording that's not in the normal style of an email from a legitimate organisation
(b) Familiar language or tone but poor grammar and spelling
(c) 'Verify your account' request - KFHMB will never ask you to enter full account details, passwords or PIN onto a website
(d) 'There is a secure message waiting for you' - these messages work by putting the emphasis on reading a message - not your actual account. However, the link in the email will still ask for your personal account and financial information details
(e) 'If you don't respond within 48 hours, your account will be closed' - such messages convey a sense of urgency that can make you respond immediately without thinking. Phishing emails might even claim that your response is required because your account may have been compromised
(f) 'Click the link below to gain access to your account' - sophisticated email messages can contain links or forms that you may fill out just as you would do on a legitimate website
(g) 'Dear Valued Customer' - phishing emails are usually sent out in bulk and often do not contain your first name or surname

Some customers unknowingly fall into the trap and happily provide the requested information to what is believed to be a trusted site. As a result, the unsuspecting customer is 'phished' and at risk of account theft, identity theft and computer infection. And what are the cyber-criminals after?

ii. Everything you protect online:
a) Bank Account number
b) Credit Card and/or ATM/Debit card number
c) Password or Personal Identification Number (PIN )
d) Online Banking Log-In/Personal Identification

Questions or information
If you're unsure about any unusual e-mail requests that appear to be from KFHMB, just remember: You should contact KFHMB immediately at (603) (2055 7777) if you receive suspicious e-mail.

2. 'Spoofing' or Spoof Sites

As part of a 'phishing' scam, internet fraudsters create authentic-looking web sites to look like other sites. Financial institutions are the most targeted groups to be 'spoofed' (or have their sites copied). Through e-mail, the 'spoofed' or forged sites attempt to persuade readers to input personal and banking details by creating a sense of urgency around the request. Unfortunately, some readers react and respond quickly with the requested information trusting the request to be legitimate.

Many spoofed sites look very legitimate and are sometimes difficult to detect as fraud. The scammers use company logos, impressive graphics, text and credible-looking links. But don't be fooled by the e-mail or the links, and don't provide any information without checking directly with KFHMB first.

i.Categories of Phishing Strategies Scam:
(a) Request for Updates to Avoid Account Termination
Some phishing schemes request that readers update their banking, password and other personal information by threatening account suspension, termination or closure unless the request is completed quickly. Remember, financial institutions and other reputable businesses understand the magnitude and the danger of internet scams and would neither request personal information via e-mail, nor would they close or terminate an account as a result of your refusal to do so by e-mail.
(b) Request for Updates
Some spoof sites request verification of personal information to update billing records or in a false attempt to protect and enhance the customer's online security.
(c) System Upgrades and Account Verification
From a spoofed site, some phishers will claim that new or updated system changes require identity verification to use the upgraded service.
(d) Virus Hoax E-mails
While many virus notices should be taken seriously, some are sent purely to cause concern for readers and to disrupt businesses. While virus warnings should be taken seriously, check with other sites to confirm before sending the message to colleagues.

ii. How to Avoid Getting Phished Online:
Your best defense against online fraud and computer viruses is education and discipline. Never input personal information on any web site until you have followed these guidelines:
(a) Verify the validity of the sender and legitimacy of the request
Do not input any information online until you verify the credibility of the e-mail and the bank and/or company from which the e-mail has been sent. No reputable bank and/or company would request password or other personal information to update records through e-mail and you should immediately contact the bank and/or company in question if you suspect fraud. Only provide information that you initiate through an application, an online transaction or through the normal Log-in/Sign-Up process.
(b) Never input personal or banking information online without checking that the web site is in a 'secured' environment.
Look for an "https://" in the web site address line (URL) at the top of your browser. The 's' in "https://" denotes that the internet session is secured by encryption to keep the information you transmit online protected from unauthorized users. Secured sessions are used when you apply for credit, purchase items online or use online banking.
(c) Remember: Credit card issuers and financial institutions would not ask you to send or verify your password, bank account number, or PIN within an e-mail message.
Only provide information that you initiate through an application, an online transaction or through the normal Log-in/Sign-Up process. If you receive a suspicious e-mail requesting your personal or financial information, contact KFHMB by phone to question the validity of the e-mail received.
(d) Be suspicious of numerical web addresses or URL.
Anytime you visit KFHMB, you'll see the URL or the 'web address' within the top bar of your Internet browser. Typically, a Bank and/or company's web address includes part or a portion of the company name followed by .com, .org, or .net.
A spoof site that uses a numerical web address or includes an "@" sign within the address could be a tip off that the site has been spoofed and is fraudulent. Even if a site has a portion of the bank and/or company name, you can't be sure it's legitimate based on the web naming. Contact the bank and/or company of the spoofed site immediately.
(d) Virus Hoax E-mails
While many virus notices should be taken seriously, some are sent purely to cause concern for readers and to disrupt businesses. While virus warnings should be taken seriously, check with other sites to confirm before sending the message to colleagues.

3. Beware of fraudulent emails

As a reminder, KFHMB does not:
(a) Send emails regarding account deactivation, system upgrades, or other problems.
(b) Send patches, downloads or upgrades via email.
(c) Send emails asking you to provide, update or verify your personal, business, account or other confidential information.

What to do if you receive a suspicious email?
If you receive a suspicious email, do not respond to it or click any links within the email. Please forward the suspicious email to kfhonline@kfh.com.my and delete the original email.
When forwarding a suspicious email to us, do not modify the original subject line or content within the email, and please do not include any personal or confidential information such as your bank account number, User ID and Password, credit card, or etc.

4. KFHMB Security Measures

Protecting our customers and providing a secure online banking is a top priority for KFHMB.
(a) Secured login / Encryption
All communication from your computer to our secure systems is encrypted to ensure the confidentiality of all data sent and received. Secure Sockets Layer (SSL) Encryption technology is used within the Internet Banking session to encrypt your personal information before it leaves your computer in order to ensure no one else can read it.
KFHMB uses 128-bit SSL encryption technology. 128-bit encryption provides the highest and most secure form of data security available on the Internet today. Encryption converts your data into an encoded form before it's sent over the Internet. The encryption helps keep your information private between the Bank's computer system and your Internet browser.
Depending on your browser setting, a pop-up window will appear to notify you that you will be entering a secured page.
(b) Internal Systems Encryption
KFHMB employs multiple levels of encryption with multiple encryption algorithms on and between internal systems to ensure your data is kept secure and inaccessible to unauthorized users.
(c) Firewalls
KFHMB uses Firewall to block potentially destructive information from entering the computer systems and prevent unauthorized access. Firewall is installed as a barrier against hackers and viruses.
(d) Your Log-in Information
Your Internet Banking Log-In information is your access to your accounts online. Keep your Log-In information confidential. Your Username should be something you can easily remember but not easily guessed by someone else. If possible, avoid using family names, birth dates, telephone numbers or words that could easily be guessed. Longer Usernames are more secure and more difficult to guess, and we suggest you mix letters and numbers to provide additional complexity.
(e) Automatic time out
For your protection, KFHMB includes a Session Time Out feature for your online banking session. If your Internet Banking session remains idle for a given time, your session is ended automatically. This is done to protect your accounts from unauthorized access if your computer is left unattended or you have not logged-off your Internet Banking session.
If you forget to log-off after banking online and for a period of time during a session, then our systems automatically log you off. Pages viewed during a secure session are not recorded in your computer's temporary files.
(f) Automatic lock out
For added security, if someone does try to guess your password, your account will be locked after a pre-determined number of unsuccessful attempts. This will help prevent an unauthorised user trying multiple times to guess your password.
(g) Last Activity Log
When you login to KFHMB, the first page you see will show the date and time of your last login.
(h) Digital certificates
A digital certificate is used to verify the identity and authenticity of KFHMB website.
(i) Dedicated Staff
KFHMB is constantly reviewing its integrity, availability and security of the Internet Banking services. Dedicated system support and security staff monitors internet threats and regularly test the service to ensure it remains secure.
(j) Transaction Authorisation Code (TAC) and/or Security Device Token
KFHMB offers two-factor authentication via TAC and/or Security Device token. This means you can get added security by using a one-time password/PIN.
(k) Security Device Token
KFHMB is committed to protecting the security of our Internet Banking customers.
The Security Device token has been selected as the technology that best meets our customers' need for flexibility and portability, and our business volume requirements.
The two-factor authentication, while providing the following benefits to our customers:
i. The Security Device token itself generates the Security Code. As there is no dependency on a third party for security code generation, our customers do not need to rely on another party's service standard to access Internet Banking.
ii. The generation of the security code is not dependent on capacity issues, signal availability or the geographical location of our customers. The Security Device token is small, light and portable. It can be used on any internet-enabled computer. It does not require downloads, set-ups, system adjustments, etc.
Security Device token is a simple and convenient way to protect your banking transactions online. For certain transactions (eg. third party account transfers), the code is also required in order to add protection to you.
You should not allow anyone to keep, use or tamper with your Security Device token and you should not divulge the serial number of your security device token to anyone.
(l) Transaction Authorisation Code (TAC)
KFHMB is committed to offering the highest level of online security to you and we offer you the Transaction Authorisation Code. TAC is a single-use, random PIN that will be sent to you via SMS whenever you need to effect an online transaction at KFHMB.
1. Secure: Whether you are logging on from home, the office or elsewhere, the TAC when used with your User Name and Password, provides additional protection against unauthorised access of your online account information and from various forms of online fraud.
2. Simple: The TAC is simple to use. It is a single-use, random PIN that will be sent to you via SMS whenever you bank online.
3. Strong: The TAC is a form of strong authentication, also known as two-factor authentication.
For your convenience, KFHMB have made SMS the primary delivery mode of TAC. Therefore, it is important that you keep the bank updated with your current mobile phone number.
(m) Independent Review/Assessment
KFHMB regularly engages reputable independent consultants to verify the security of our systems. The work undertaken by the consultants includes reviews of areas such as architecture, firewall configurations, network device security, web server security and web application security.
(n) Protect your Personalised Identification Questions and Answers
In addition, KFHMB uses your Personalised Identification Questions and Answers to authenticate certain access or transactions.
To protect your information, choose questions whose answers cannot be easily guessed - in other words, those with a large number of possible answers.
(o) Strict Protection of Customer Information
KFHMB has strict standards of security and confidentiality to safeguard the confidentiality of customer information.
(p) Adherence to Regulatory Standards
KFHMB abide by all information security and online banking regulations set by the authorities with regular audits/review conducted to ensure compliance.

5. Best Practices On Online Banking Security

(a) General Security Tips
To ensure your Internet Banking sessions are secure, KFHMB recommends that you follow these simple security tips. Some of the most effective things you can do to protect yourself are simple to do. Here are some steps you should take.

• Disconnect from the Internet when not in use
• Do not share or write any of your account number, credit card number, PIN and/or passwords
• Change your passwords on a regular basis.
• Choose strong passwords using a combination of lower & upper case letters, numbers and special characters.
• Sign off and/or Log-out. Don't just close your browser.
• Set a screensaver password
• Log in regularly to monitor your transactions
• Be aware of your computer's vulnerability
• Disable File & Print Sharing
• Don't use the same password to access all sites that require a username and password. If you use a common password across different sites, then use different passwords for different classes of sites with different sensitivities.
• Don't click on a link unless you know where it goes, and get in the habit of cutting and pasting links.
• Shop with reputable dealers and be alert to fake websites:
• Think about whether the site has the "look and feel" of security.
• Use other means, such as the phone, to verify, if necessary.
• Avoid opening, running, installing or using programs or files you have obtained from a person or organisation that you do not know you can trust. Be particularly careful of unsolicited emails containing file attachments.
• Practice online "stranger danger" - if you have not met the person then be careful about trusting them.
• Always assume that a computer that you do not control (eg in airport terminals, cyber cafes or conferences) is unsafe for you to use for sensitive activities such as online banking.
• Never accept links or redirections from other websites or media for the purpose of logging into the KFHMB website.

(b) Anti-Virus protection
Run an anti-virus program on your computer on a regular, frequent basis to prevent computer viruses and worms from entering your computer system. Purchase programs that automatically upgrade your virus protection on a regular basis.
Learn about computer infections and be aware of the latest computer threats and other malicious programs designed to damage your computer or steal your personal information.
Don't open e-mail or e-mail attachments from unknown sources. Scan e-mail through your anti-virus software first.
Never double-click on an e-mail attachment that contains an executable file (such as '.exe' '.com' or '.vbs', etc.) unless you have run anti-virus software first. If a file is infected and opened, the virus can damage your hard drive, program files, and e-mail files.
(c) Beware Of Spyware
Spyware is a piece of software inserted in your computer that collects information about you and your Internet traffic. It is stored in your computer (with / without your consent) and typically bundled with free downloads, freeware or shareware programs you download from the Internet. Spyware is similar to a Trojan Horse because it is installed when the user installs another program. Spyware is also considered a form of 'malware' (malicious software) intended to cause harm to your computer and invade your online privacy.
Spyware is the term used to describe programs that run on your computer for the purpose of monitoring and recording the way in which you browse the web and the internet sites you visit. For example, spyware can combine information about your online behaviour with that of many other users in order to generate market research data. This information can be bought and sold by companies interested in improving the way websites are designed and how the internet is used.
Spyware can be used maliciously to gain access to your passwords, PIN, card numbers and Internet browsing history. Adware and spyware may also increase the risk of identity theft as the programs may have the ability to monitor keystrokes, scan files on your hard drive, change your default homepage on your browser, and relay information about your web visits for marketing purposes. They can also slow down your computer by consuming system resources leading to system instability or a crash.
Since most common anti-virus software cannot always scan or remove adware or spyware, special software must run regularly to remove threats and keep malicious programs off your computer.
(d) Personal Firewall
Install firewall software on your home and networked computers to prevent unauthorized individuals from gaining access to your computer system to use files, obtain personal information or to destroy computer data. This is especially important on computers that use a broadband connection to access the Internet (Cable modems or DSL). Since your Internet connection is on when your computer is on, the risk for malicious activity to your computer increases.
A firewall is another small program that helps to protect your computer and its contents from outsiders on the Internet. When properly installed, it stops unauthorised traffic to and from your computer.
(e) Browsers Download the latest security patches and operating system updates to your Internet browser as well as the latest anti-spam software.
Do not select the option auto save on browsers for storing or retaining user name and password when logging into online banking
(f) Navigate Safely Navigate the Internet safely to reduce the likelihood of online fraud.
(g) Avoid fraudulent websites

• Always enter the website address "http://www.kfhonline.com.my" directly into your browser address bar before you login to ensure that you are on the legitimate website instead of clicking on the link directly. If you suspect a website is fraudulent, leave the site.
• Click log out when you have finished your banking session. Do not just close your browser window.
• Do not follow any of the instructions it may present to you.
• Do update KFHMB when you change your contact details. This will enable us to contact you in a timely manner if we detect unusual transactions.

(h) Software Patches
From time to time, vulnerabilities are discovered in operating systems and internet browsers. Before the publisher can release a security patch to correct these weaknesses, they can be exploited by virus writers and hackers to gain unauthorised access to those computers that have not yet been patched.
To check for patches and updates you should visit the publisher's website, typically in their Download section.
(i) Email Security
Email Do's & Don'ts

• Never respond to or click on a link in a suspicious email.
Opening or clicking on a link could place a virus on your computer which can later capture your personal information.
• Inspect the logo used in emails and compare it to that used on the legitimate Web site. Look for any discoloration or disfiguration of the logo.
• If you receive an email that warns you that an account will be closed or online access will be terminated unless you reconfirm your billing information, do contact KFHMB using a telephone number or Web site address you know to be genuine.
• Take the time to ask whether this is the type of action KFHMB would ask you to take.
• Avoid sending personal financial information over the Internet unless you are sure you are on a secure site. Look for the padlock icon on your browser's status bar.
• You may also wish to contact your Internet Service Provider for support in blocking emails or subscribing to a spam filter they may offer.

(j) Do Not Use Public Or Shared Computers
You are responsible for keeping your password and/or PIN confidential. You should not use public or shared computers like those in internet cafes, airport terminals or even computers belonging to someone else for Internet Banking, you may be open to harmful or specific software programs housed within these computers, which could capture your personal information.
(k) Protect Yourself Offline
Never give out personal information to anyone on the telephone or from a web site unless you have verified the credibility of the source or have initiated the call, by phone and online. Reputable companies won't ask you for your password, PIN or other personal information through e-mail. KFHMB will never ask you for your password and/or PIN and you should contact KFHMB if you receive unusual email or telephone inquiries for personal information.
Do report lost or stolen cards immediately.
Review your bank statements for unauthorized transactions or withdrawals and notify KFHMB immediately if you suspect any discrepancies on your statement.
(l) Wireless Networks
You should set a password for your wireless point. This will prevent unauthorised users from accessing and using your wireless connection.
Disable broadcasting to your network name (SSID-Service Set Identifier) to prevent casual surfers from detecting and connecting to your wireless network.
You should use encryption on data transmission to protect your wireless network.
You should allow only registered machines for your wireless network.
You may also wish to contact your Internet Service Provider for support in blocking emails or subscribing to a spam filter they may offer.
(m) Pop-Up Ads
Pop-ups are unsolicited advertising that appear as a "pop-up" window on your computer. These pop-ups can be created to look like a Bank's request for personal information. You can set your computer preferences to block pop-ups, and you can also request spam-blocking programs from your Internet Service Provider.
(n) Online shopping
Online shopping is becoming more and more popular and convenient but there are issues to consider before you decide to buy goods and services over the internet. While the vast majority of virtual transactions are safe and secure, fake shopping sites are not unknown.

• Enter your card details on secure websites only - these are identified by a padlock or key symbol and a site address that changes from `http' to `https'
• Be careful about providing your account and card details to third parties. If you are at all unsure about buying something from any third party, do not proceed
• Never disclose your card password and/or PIN to any online seller
• Poor grammar or spelling on an email or website may indicate a scam is being attempted
• Remember - there is no guarantee that you will receive any item as displayed or described in an advertisement or from public auction sites

Whether buying or selling, it's always important to know who you are dealing with. And remember - giving your account details to an unknown third party may lead to identity theft.

6) Reporting Incidents,

If you suspect that there has been any unauthorised breach of your account(s) online, or that an online transaction has taken place that you did not initiate, you should notify KFHMB immediately.
Security incidents will be escalated to our technical support staff for evaluation. If any breach of security appears to have occurred, KFHMB will investigate it further.
KFHMB will provide you an interim update of our investigations and the status of your case. Final resolution of any incident, though, will depend on the nature and complexity of the incident, as well as the details surrounding the case.
While we investigate, our officers may ask you to provide more details surrounding the incident to allow us to resolve your case as quickly and as efficiently as possible.
KFHMB is committed to the security of your personal and financial information and will provide the tools and resources to secure your online experience.