Due to the general uncertainty surrounding the Coronavirus/COVID-19 pandemic, there is an increase of criminals looking to take advantage of the situation. As a result, you may receive phishing emails, unsolicited calls, text messages or messages on social media regarding Coronavirus/COVID-19 updates or notices purporting to originate from Credit Suisse or governmental agencies such as the World Health Organization (WHO). These criminals will often use emotional pleas, threats or urgency to pressure you to take an action.

The below scams may not only include misleading information, but may request your personal information such as COVID-19 checks or loans. Oftentimes, these scams may include malicious links or attachments that should not be opened.

• Government impersonation scams such as fraudulent messages via text, email or social media, claiming to be from the government, tax authorities and regulatory bodies, formal press releases on Coronavirus/COVID-19 or notices coming from the World Health Organization (WHO) with misleading information on school closures, lockdowns, stimulus packages (government backed loans) or travel notices.
• Potential investment offerings that guarantee unrealistic returns in the current market or investment opportunities on facemasks, test kits, hand-sanitizers or products that falsely claim to prevent, detect or cure Coronavirus/COVID-19.
• False donations being solicited to fund efforts to address the pandemic by impersonating charitable or government organizations i.e., NHS, CDC, GoFundMe, etc.

Victims receive cold calls from fraudsters who promote shares, property or investment opportunities via phone, email or social media and later send a follow up email with a document attached or a DocuSign link.

Fraudsters are offering bogus financial documents such as fixed corporate bonds, purporting to originate from Credit Suisse. Such scams are sent via email or directly via social media, misusing Credit Suisse branding such as employee impersonation or fake websites or accounts.

While there is no guarantee to be 100% safe from cyber attacks, here are our 9 tips to help keep your personal information safe and to better protect you:

1. Avoid clicking on links or attachments: Cybercriminals do a good job of tricking people into clicking on links supposedly from their bank, telecom operator, utility company, tax service and other legitimate organisations. Think before you click – spelling errors, email addresses that don't seem right, and out-of-the blue communications from friends should be treated with utmost caution. It's better to manually enter the URL of the organisation in question to log into your account to verify any communications before clicking. In doubt, call the organization or your friend to verify before clicking.
2. Passwords are the keys to your digital kingdom: Use unique, complex passwords with a combination of lower and upper-case letters, numbers and symbols and do not use the same password across your accounts.
3. Keep your identity safe. Don't share passwords or choose one that can be easily guessed. Make sure to change them often. And where possible, use two-factor or strong authentication which combines something you know (username and password) with something you have (a credential such as a card, token or mobile phone) to verify an identity or verify a transaction.
4. Back-up your data – If your computer is infected by ransomware, malware or it crashes, the only way to definitely ensure that you will be able to retrieve your lost data is by backing it up and doing so on a regular basis. This also means that if you mislay data or accidentally delete something, it can always be recovered.
5. Ensure that you have a robust and up-to-date internet security package running – With online threats becoming increasingly more sophisticated and cybercriminals willing to jump on any social trend to spread malware, the online threat landscape is changing drastically by the minute. Security software from a recognised name is the best and safest option when it comes to stopping malicious software from installing on your PC as it can prevent it from taking over or slowing down your system.
6. Keep all software on your PC up-to-date with the latest updates and patches – by keeping your software up-to-date, potential vulnerabilities (including zero-days) can be patched and help keep cybercriminals and hackers at bay.
7. Verify the web site you are on is safe – before entering your payment details into any web site, check that the URL begins with https – the "s" stands for "secure." If a site has obvious typographical errors, or no evidence of security information or recognised symbols, avoid it. If in doubt, click on the VeriSign tick to verify a site's identity, and if possible use a high security web browser that displays the green EV SSL address bar.
8. Once online, always online: With anything you post online, it's out there for everyone to see, so be careful with the identifiable information you use in your social media profile and which sites you sign up to. Avoid posting information that could be used by hackers to glean answers to bank security questions (for example, FB posts stating "your quarantine name – the first name is your pets name and the last name is the street you grew up on".
9. Change the password to your home router. With an increase in remote working and confidential work-related information passing through home networks, there is an elevated risk of hackers attempting to access and use default router passwords as attack points.

Phishing is the simplest way for the cyber criminals to launch their attack. The criminals use fraudulent e-mails to convince you to click on a suspicious link or open an attachment to install malware or redirect you to a landing page to steal personal data and login details.

Hackers recreate well-known websites to capture your user credentials, such as passwords, Social Security numbers, credit card information, to name a few. They then use this stolen information to access your banking and other accounts.

Phishing materials often look genuine and may appear to originate from real people, organizations, institutions, and websites. While there is no guarantee to be 100% safe from cyber attacks, the following precautions are suggested to better protect you:

• Maintain a medium or higher level of security on your browser settings.
• Make sure the web address of any site you visit begins with "https://". Some browsers show a padlock icon next to the https:// to indicate that you have a secure connection
• Log out after using an Internet banking or e-commerce service to ensure your session has closed.
• Keep your cookies and browser cache clear so that hackers cannot access your history and obtain information.
• Remember that hackers increasingly target children on social media and gaming websites.
• Be mindful of the sites you visit: Do not visit sites that provide illegal downloads or illegal content (e.g., file sharing). Even if you do not download any files, you are vulnerable to viruses that can infect your computer.
• Keep pop-ups and ads blocked, and never respond to pop-ups asking you to submit or resubmit your log-in information.
• Beware of urgent emails requiring action (e.g., "Security Check", "Activation", "Verification" or any request to wire funds or make other payments).
• Do not provide sensitive personal information over email. A better practice is to call the sender directly.
• Change the password to your home router. With an increase in remote working and confidential work-related information passing through home networks, there is an elevated risk of hackers attempting to access and use default router passwords as attack points.

Please report all phishing emails and email headers related to Credit Suisse to security@credit-suisse.com.

While there is no guarantee to be 100% safe from cyber attacks, here are some tips on how to protect yourself while online shopping.  

• Regularly check your banking and credit card transaction histories and your statements for any suspicious transactions.
• Use two-step or multi-factor authentication when it's available – you confirm your ID in two steps each time you use an ATM – with a debit card and PIN. Do the same online.
• Enable private browsing whenever possible – prevent cookies and browsing history from being stored/saved to your device.
• Use trusted bookmarks for important sites – not email links or pop-ups
• Close windows containing pop-up ads or unexpected warnings using the X in the upper right-hand corner.
• Do not buy anything promoted in a spam message – even if it is a legitimate company, your purchase encourages spamming
• Remember every device carries a risk. Laptops, tablets and mobile phones are all susceptible to wireless security breaches. Do not connect to sites you don't know or recognize. Don't assume a Wi-Fi link is legitimate; hackers create fraudulent access points that appear to be identical to one that's legitimate. Instead, use a virtual private network (VPN), which allows only authorized users to access the network so data cannot be intercepted. Do not connect to sites you don't know or recognize.

As we become more connected through the use of our devices, below are tips to better protect yourself. Please note while these tips will reduce your risk against cyber attacks, these tips will not 100% guarantee your safety.

Best practice guidance for your personal devices

• Adjust your security settings to restrict access to your data via wireless and Bluetooth connections. Turn off Bluetooth when you don't need the connection – your device will be less vulnerable both to cyber-attacks and you will not drain the battery life. For Apple devices, your Bluetooth settings will reset daily.
• Keep your phone or computer locked – make sure it is password/PIN protected at all times.
• Turn off notification pop-ups for text messages that may show your two-factor authentication code on the screen.
• Update device's operating system software to ensure you have the latest security patches.
• Update the apps on your device when new versions become available, as these often include security patches.
• Avoid clicking on Internet ads: Ad-blocking apps exist for both Android and Apple devices, and browser settings can be adjusted to limit ad tracking.
• Install a security app to scan and remove malware-infected apps. 
• Encrypt sensitive information – if your mobile device or laptop has data encryption features, use them.
• Monitor how apps behave on your phone - keep track of permission access/requests from apps installed on your device. Use a reputable anti-malware/virus program and update regularly. Mobile devices are susceptible to the same risks as your home or office computers. If you think your device has been infected with malware, contact either the device maker or your mobile phone carrier for help.
• Choose a smartphone with anti-theft security features. If your phone is lost or stolen, set up remote access allowing you to lock it, wipe the data stored on it and identify its location.
• Regularly back up your devices to your home computer or cloud network so that you have access to information if your device is lost, stolen or corrupted.
• Do not try to bypass security controls in the device's operating system (i.e., don't jailbreak or root your phone).
• Erase all your personal data before selling or recycling your device 

Credit Suisse acknowledges the valuable role that independent security researchers play in cyber and information security. As a result, we encourage responsible reporting of any vulnerabilities that be found in Credit Suisse online applications and systems.

Credit Suisse is committed to collaborate with security researchers to verify and address any potential vulnerabilities that will be reported to Credit Suisse.

Please review our terms before you test and/or report a vulnerability. Credit Suisse pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

Credit Suisse does not permit the following types of security research:

While we encourage you to report to us any vulnerabilities you find in a responsible manner, the following conduct is prohibited:

• Performing actions that may negatively affect Credit Suisse or its clients (e.g. Spam, Brute Force, Denial of Service, etc.)
• Accessing, or attempting to access, data or information that does not belong to you
• Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
• Conducting any kind of physical or electronic attack on Credit Suisse personnel, property, buildings or data centers
• Social engineering any Credit Suisse service desk, employee or contractor
• Conduct vulnerability testing of participating services using anything other than your own data in order to minimize the risk to our client's data
• Violating any laws or breaching any agreements in order to discover vulnerabilities

Reporting a potential security vulnerability:

• Privately share details of the suspected vulnerability with Credit Suisse by sending an e-mail to: security@credit-suisse.com. 
• Please provide the full details of the suspected vulnerability so the Credit Suisse security team may validate and reproduce the issue.

The Credit Suisse security team commitment:

We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Credit Suisse security team and associated development organizations will use reasonable efforts to:

• Respond in a timely manner, acknowledging receipt of your vulnerability report
• Provide an estimated time frame for addressing the vulnerability report
• Notify you when the vulnerability has been fixed

We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at Credit Suisse.

Please click the respective links below for further information:

Australia:

• Scams targeting ASIC customers | ASIC - Australian Securities and Investments Commission
• Companies you should not deal with - Moneysmart.gov.au
• Home | Scamwatch

Singapore:

• Singapore Cyber Security Awareness Alliance (formed by IDA & companies from public & private sectors)

Switzerland:

• Reporting and Analysis Centre for Information Assurance MELANI (Federal Administration of Switzerland)
• Swiss Bankers Association

United Kingdom:

• Prudential Regulation Authority (PRA)
• Financial Conduct Authority (FCA)
• UK Finance (formerly British Bankers' Association (BBA))

United States:

• Financial Industry Regulatory Authority (FINRA)
• Federal Trade Commission (FTC)
• U.S. Computer Emergency Readiness Team (US-CERT)