• Our Data Center and other facilities have a number of technologies, back up systems and products that we use to protect our systems from intrusion and other criminal activity. We are continually monitoring fraudulent activity on the Internet as well as investing in technologies that can help combat this fraud.
• We protect account information accessible through Online and Mobile Banking with unique User ID and password requirements. To access account information, you must provide a User ID and a password. Your password is not displayed when you enter it (e.g., the password appears on screen as a series of dots). Your User ID and password are compared with what we have on file for you. If you enter your password incorrectly more than a few times, your Online and Mobile Banking accounts will be locked until you contact us to unlock your account and reset your password.
• We have implemented Enhanced Login Security to provide you with additional protection from fraud and identity theft. Enhanced Login Security allows us to recognize you as the true owner of your account by recognizing not only your login information but also your device. Whenever you login from a device that you have added extra security to, you automatically have additional protection and notice no difference in the way you login. However, if you login from a different device than the one you have added, you will be asked for additional information in order to login.
• Your banking session will "time out" after a specified time period of inactivity. This prevents other people from continuing your existing session if you walk away from the device or forget to log out.
• A number of different notification emails are sent to you when different activity takes place in your Online or Mobile Banking account. For example, when you change your email address, you will receive an email at both your old and new email addresses that will help you monitor any changes made. Also, any activity that you complete in External Funds Transfer will be followed up with a notification email to you. And, when you sign up for online statements, you will receive a confirmation email, along with notification emails whenever your new statements are available to view.
• Third Federal cannot guarantee the confidentiality of information you send using your own email service because the information may not be encrypted or in a secure network. We strongly discourage you from including any confidential or private information in any email that you transmit to us outside of the Online or Mobile Banking secured network. Specifically, we discourage you from including the following in unsecured email:
• Your Social Security number
• Your Third Federal account number
• Other confidential financial information
• Your Online Banking User ID and/or password
• Third Federal will not include such information in any unsecured email messages we send you. Third Federal is not responsible for any damages you sustain or the privacy and security of your account information if you transmit confidential or sensitive information to us via unsecured email.
• Third Federal will not ask you for confidential financial information, such as account numbers, PINs, Social Security numbers or passwords, via email. If you receive an email that appears to be from Third Federal and it solicits you for this type of confidential financial information, it is most likely fraudulent. You should contact our Customer Care Department immediately at 1-800-844-7333 or 216-441-6000 and, if possible, forward the email to abuse@thirdfederal.com.
• As always, Third Federal strongly advises you to not share your Online or Mobile Banking login credentials with anyone, including family members.

Below are some tips regarding what to do when your credentials may have been stolen:

• Try to determine all of the devices used with those credentials. Any or all of them may have malicious software installed; the malicious software may steal everything you typed and everything you saw on your screen.  If you find that malicious software was installed on your device, try to determine what other websites you logged into using other user names and passwords, as those credentials may also be stolen.
• Immediately examine the accounts or sites where you used those credentials for unusual activity, even if they have not been reported as stolen.
• If you used the same user name and/or password on any other websites, change them immediately, you should assume they are compromised.
• If you answered security questions during any on-line session on a device that may be compromised; you should assume the answers to those security questions are compromised be and may be used to compromise other accounts.
• Computer Security Professional “best practice” recommendations indicate you should assume all of your user names and passwords are stolen, and you should change every user name and password you use. It is also recommended that you consider changing your security questions at the same time.
• Consider putting a “fraud alert” on your credit reports to reduce the risk of credit being fraudulently opened in your name.
• If any of your accounts have fraudulent activity you should create an Identity Theft Report, which involves reporting the identity theft to the FTC and filing a police report.
• Consult with a computer professional on how best to check and repair your computer(s). Usually this means backing up your documents, pictures and other information and rebuilding the computer completely. Most malicious software uses multiple techniques to steal data. Anti-virus and anti-malware products might find 9 out of 10 techniques, which continues to leave you vulnerable.
• Computer Security Professionals recommend purchasing a “low-end” personal computer to use only (or maybe exclusively) for online banking and other high value activities; this computer should never be used for email or web browsing. This strategy reduces the likelihood of malware infecting the device.
• Any credit or debit card attached to an account that may have been compromised needs to be secured.  Traditionally, this has required that you call the bank that issued the card, cancel the card and have a new card issued. But Third Federal, as well as many other banks, now offer you Card Control via your online banking account.  Card Control gives you the ability to temporarily turn off your card until you can confirm that it has not been compromised.

Consumers lose millions of dollars each year to scams. Many scams involve the withdrawal of funds from deposit accounts. Before completing your withdrawal, consider the following questions:

• Has someone asked you for money or to borrow money? Many scams involve someone using the name of someone you know, even a child or grandchild, claiming to be “stuck” out of the country and needing cash after losing their wallet or credit cards.
• Have you been notified you won a prize or a lottery and you need to send money to cover expenses? Many scams ask the winner to wire funds or send cash to cover the cost of transporting a large prize like a car.
• Have you been contacted to help the FBI, FDIC, bank examiners, a police officer or other “official” to confirm an account, a transaction or help “catch” someone by asking you to go to a website, provide account information or send money? Many scams come from fraudsters using an official looking FBI or FDIC email and provide a website link to download your confidential account information.
• Has anyone been pressuring or threatening you to withdraw money?
• Have you been required to pay cash upfront for proposed services such as home improvements?

If you answered “YES” to any of these questions, you are likely the target of a scam. When you withdraw your funds, Third Federal is no longer responsible for them. Recovering funds is almost impossible once the thief has your money.

Things to keep in mind:

• By federal law, you can’t be required to purchase items or pay any upfront fees in order to receive sweepstakes prizes.
• Never wire money to someone you don’t know unless you are prepared to lose the money. Scammers are known to use Western Union, MoneyGram, Green Dot cards, and similar payment options that transfer funds electronically.
• Your bank is required to make deposited funds available long before they are able to determine a check is counterfeit. If you withdraw the funds from a counterfeit check, you may end up owing the withdrawn amount to your bank.

Finally, for personal safety, there is also the possibility that because you are in possession of a large sum of cash, you may become the victim of another type of crime, such burglary or robbery.

If you are concerned about the potential of being scammed, please don’t take cash from your account and let us call the police to help you before losing any money.

• It's very important to keep your home computer's anti-virus programs up-to-date. Every day there are different scams created on the Internet to steal confidential information. By routinely updating your computer's anti-virus programs, you can help shield yourself from these scams. Computer viruses can be spread to your system by email or by visiting infected websites. It isn't always obvious when a virus is spread to a computer without adequate virus protection. These viruses can attach themselves to your computer system, causing it to crash or impair its ability to process. Anti-virus programs are frequently updated to provide protection against the latest viruses. Take the time to understand your anti-virus programs on your computer. Look for an anti-virus program that recognizes current and past viruses, effectively reverses the damage, and updates automatically.
• Make sure you have a firewall for your home computer. A firewall watches for outside attempts to access your computer. Some operating systems come with a built-in firewall - make sure it is on if you have one. Several free firewall programs are available on the Internet as well. Make sure your firewall is enabled before accessing the Internet.
• Be cautious when downloading and running programs or Java or ActiveX applets as they may contain unsecure data which can't be filtered by firewalls or anti-virus software.
• Use spyware detection software tools to identify and delete known malicious programs on your personal computer that may monitor and collect your keystrokes and send personal information to third parties without your knowing it. Spyware is software installed without your knowledge or consent that adversely affects your ability to use your computer, sometimes by monitoring or controlling how you use it.
• Download the regular system updates for your operating system and software programs. The latest security measures are often included in these updates and by taking advantage of these updates, you're keeping your computer as up-to-date as possible.
• Regularly access your browser's website to download security patches. Installing security patches as they become available will protect you against a variety of software vulnerabilities. Take the time to understand the security features on your browser.
• Avoid downloading programs from unknown sources. Some sources may have hidden forms of spyware or viruses that could compromise the security of your computer.
• You can verify secure sites by "double-clicking" on the padlock icon located at the bottom of your browser application and reading the site information in the box that appears.
• Don't open e-mail attachments that have file endings of .exe, .pif, or .vbs. These are file extensions for executables, and are commonly dangerous files.
• Clear the cache of your browser on a regular basis. Browsers generally cache (save to your hard drive) images of pages they have downloaded to enhance performance. By clearing your browser cache after visiting secure sites, you ensure no one else can view any confidential information that may have been stored in the cache files on your computer. Please refer to your browser instructions for information on clearing the browser cache area.
• Regularly log into your online accounts to monitor activity. In addition, review your bank, credit card and debit card statements when they arrive to make sure all of the transactions are legitimate.
• Take the time to log off. Remember to log off when you are finished using your computer or Online Banking. Please use the Online Banking "log off" feature if, during the use of Online Banking, you are going to be away from your computer for any length of time. The "log off" feature will end your Online Banking session and you will be required to submit your User ID and Password before entering Online Banking again.
• Make sure to completely shut down your browser. Shutting down your browser is also a good way of preventing others from gaining unauthorized access to your account. For your protection, Online Banking contains an automatic five minute time out feature. Should you walk away from your computer during an Online Banking session and not exit from Online Banking, the session will automatically end in five minutes.
• Never use a public computer such as those found in libraries, airports or hotels to perform confidential tasks such as online banking or checking e-mail. Use of these computers is typically unmonitored and they may be infected with keystroke loggers or viruses that can capture your login information and send it to criminals.
• Never e-mail personal information or account numbers. Regular e-mail isn't secure. Some companies have special secure, encrypted e-mail systems they use to communicate with their customers but most do not. Third Federal has a secure e-mail system available after you login to Online Banking.
• Use the notifications feature in Online Banking to alert you of certain activities.

"Phishing" E-mails and Other Scams

Phishing (pronounced fishing) is a term coined by Internet hackers who use e-mail lures (messages) to 'fish' confidential passwords and financial data from Internet users. These e-mails are disguised to look like a request from a legitimate organization such as a bank, credit card company, or retail merchant with whom recipients may already have a relationship.

This practice of "phishing" or "spoofing" is growing rapidly. These fraudulent e-mails are most often mass-mailed or "spammed" to thousands of potential victims. "Phishing" messages often include a warning about a problem related to the recipient's account and requests the recipient to respond by providing specific confidential information.

Victims may be asked to provide confidential account information by responding via e-mail, or they may be directed to click on a link that takes them to a legitimate looking webpage on which they are instructed to provide the confidential information. This information will allow the perpetrator to gain access to the victim's accounts and steal the victim's identity.

Do not trust or act upon unsolicited e-mails that request confidential information. Third Federal will never ask you to submit information such as account numbers, PINs, Social Security numbers, passwords or other confidential financial information via e-mail. If you receive an e-mail that appears to be from Third Federal, and it solicits you for this type of confidential financial information, it is most likely fraudulent. You should contact our Customer Care Department immediately at 1-800-844-7333 or 216-441-6000 and, if possible, forward the e-mail to abuse@thirdfederal.com.

How to know if it is a phishing e-mail

• Fraudulent e-mail often presents end users with scenarios of negative consequences if they do not act immediately. No reputable business is going to take adverse action against your account with only an e-mail notification.
• The format of the e-mail typically includes stolen logos and branding, a "From" line disguised to appear as if the message came from a legitimate sender and a link to a website or e-mail address.
• All of these features are designed to assure the recipient that the e-mail is from a legitimate business source, when in fact, the information submitted will be sent to the perpetrator.
• Misspelled URLs or the use of subdomains are common tricks used by phishers, i.e.  www.thirdfederel.com. While many phishing e-mail scams often have misspellings and poor grammar, many of the criminals are getting smarter with the grammar. This used to be an easy way to detect a scam but it is becoming less reliable.
• Many times, the fraudulent e-mails include text such as "verify your account" or "confirm billing information". Some include an offer of a reward for completing a survey.
• Another common trick is to make the text for a link appear to be a valid URL when the link actually goes to a fraudulent website. Or the URL would contain an @ symbol following the correct URL (http://www.thirdfederal.com@phishing.com).
• Some e-mails contain phone numbers with incorrect area codes. Call the number listed on your statement or the back of your credit card.

Tips to help you avoid becoming a victim of an e-mail scam

• Only open e-mails from senders that you know.
• If you receive an e-mail, don't click on links within the e-mail if it says it will take you to a site that asks you to enter your personal information. Instead, type in the web address in the address bar of your browser page.
• If you have any doubts, don't respond at all!
• Discard suspicious e-mail without opening it. Some e-mail contains spyware, which can provide scammers access to your accounts.
• If an e-mail offers you a reward or a discount and then asks you to provide personal information to get the reward, don't provide your information.
• Keep track of your account activity and make sure they're not any unusual transactions or activity.
• Avoid putting personal data into an e-mail unless you can confirm that it is your bank and that it is a secured communication system.
• Do not fill out forms contained in e-mail messages requesting sensitive information.
• Type Third Federal's web address into your browser and bookmark it. Use this bookmark for all subsequent visits to Third Federal's website. Typing the correct URL in or using it as a bookmark is the best way to be sure you're not redirected to a fraudulent site.
• Be careful if you're sent to a website that first displays a pop-up window asking you to enter your user name and password. Phishing scams may direct you to a legitimate website but then use a pop-up to gain your confidential information.
• If you're not sure if a site is authentic and you're asked to provide your User ID and password, STOP! Call the site's telephone number and verify that it is legitimate before entering any information.
• If you receive an e-mail claiming to be from Third Federal, and you suspect it is aimed at defrauding you, contact Third Federal and, if possible, forward the e-mail to abuse@thirdfederal.com.
• When in doubt, close your browser, reopen it and type in the web address in your browser's address bar.

Managing User IDs and Passwords

Although User IDs and Passwords are a convenient way of protecting system access, users often put their accounts in jeopardy by carelessness or improper use of User IDs and Passwords. It is important that you choose and use User IDs and Passwords carefully and to protect the confidentiality of these items at all times.

Tips to consider:

• A strong User ID and Password is an important step in protecting your confidential information. A strong Password is one that is difficult for others to determine by guessing or by using automated programs.
• Your User ID and Password should be different.
• Your User ID and Password should be a combination of upper and lower letters, numbers and special characters. The longer they are, the stronger they are.
• Consider using unique User IDs and Passwords if you access more than one bank's online banking. By using the same User ID and Password with every bank, if you become a victim of Internet fraud, all of your bank accounts could be affected. While it's more convenient to have just one standard User ID and Password, you put yourself more at risk.
• When choosing a User ID, avoid using your first or last name or a combination of the two. By using your first or last name, it makes it easier for someone to guess at your User ID.
• Make sure you don't use the word "password" for your Password!
• Change your Password immediately if you think someone may know it. The same goes for your User ID.
• Choose a hard to break password. Don't select a password that would be easy for someone to guess such as your birthday, anniversary date, phone number, etc. 
• Consider using a passphrase instead of a password.  A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and more difficult to crack than a password.
• Protect your User ID and Password. Don't write them down. If you need to write them down, make sure you keep them stored in a locked location without any other identifying information (E.G., bank name, User ID, etc.).
• Never reveal your Password to anyone.
• Don't use the portion of your e-mail address before the @ symbol as your User ID or Password.
• Change your User ID and Password regularly and avoid repeating the previously used passwords. Even a strong password can be guessed. People who have enough time and computing power can eventually determine any password.
• If you register an external account for our Funds Transfer Service in Online Banking, you may be asked to provide your Online Banking User ID and password. It is your decision if you want to provide it - otherwise you can choose another method to register your accounts for Funds Transfer. More and more websites are featuring this option as a way to get immediate action - choose carefully whether or not you decide to do this.
• Use multi-factor authentication and/or biometric authentication when ever you have the option to do so. The more layers of authentication you use, the harder it is for fraudsters to hack your accounts

Remember that these tips apply not only to Online Banking, but also to your debit card and Personal MoneyLine Passwords.

Identity theft is the fastest growing white collar crime in the U.S. The Federal Trade Commission estimates that nearly nine million people have their identity stolen every year. While identity theft on the Internet is increasing, identities are also stolen by people taking your credit card or other financial information. Once stolen, re-establishing your identity is difficult. Keep yours secure.

Thieves can steal your identity by:

• Dumpster diving - Retrieving from the trash, credit card receipts, credit card offers, bank deposit slips or personal information.
• Skimming - Stealing credit/debit card numbers by using a special storage device when processing your card.
• Phishing - Pretending to be banks or companies and asking for personal or account information.
• Changing your address - Diverting your billing statements to another location by completing a change of address form.
• Old-fashioned stealing - Picking your wallet or purse. Robbing your mail of bank and credit card statements, pre-approved credit offers, new checks or tax information. Stealing personnel information or bribing employees with access.
• Pretexting - Using false pretenses to obtain your personal information from financial institutions.
• Shoulder surfing - Obtaining credit card number information as they stand nearby and you conduct a financial transaction over the phone or at an ATM.

You may be the victim of identity theft if:

• You are suddenly denied credit without a reason.
• Your regular financial statements stop arriving on time.
• You receive a bill or charge for a service or product you did not request or receive.

If someone steals your identity, you should immediately:

• File a police report.
• Contact your financial institution(s)
• Notify everyone with whom you have any kind of financial relationship.
• Close all accounts and have them marked they are closed at customer's request (such as credit cards, checking and savings accounts). If you suspect your identity has been stolen, but you're not sure, most banks will allow you to temporarily turn off your cards until you can confirm that your identity has not been compromised.  This feature is usually available to you through Online Banking. Third Federal calls this feature Card Control and offers it via it's Online Banking product.
• Notify the credit bureaus' fraud units. You'll find contact information for all three credit bureaus on our Additional Resources page.
• Use a password for telephone inquiries on credit card accounts.
• Place a fraud alert statement on your credit report. An initial fraud alert stays on your credit report for 1 year.  You can also place an extended fraud alert on your credit report for 7 years.  
• Report stolen checks to reporting companies.
• Request documentation in your file until all issues are resolved (free to fraud victims).
• Check the post office for any unauthorized changes of your address
• Follow up all telephone contacts with letters and keep copies of all correspondence

What to do if you suspect fraud

Notify Third Federal AT ONCE if you believe another person has improperly obtained your Online Banking password. Also notify us if someone has transferred or may attempt to transfer money from your account without your permission, or if you suspect any fraudulent activity in your account. Telephoning us is the best way of keeping your possible losses down. Call us at 1-800-844-7333 or 216-441-6000 or send us a secure e-mail through our Online Banking service

Tips on how to protect your identity

• If you are in the military and deployed, place an active military alert on your credit report which lasts one year.
• Never provide credit card, bank account or Social Security numbers or other personal financial information to unsolicited requests over the phone or by e-mail, even when solicitors say you've won a lottery or want you to deposit money owed to you.
• Shred any financial information before throwing it out. This includes credit card receipts, ATM receipts, and pre-approved credit card offers you don't intend to use.
• Do periodic reviews of your credit report to make sure someone hasn't been stealing your identity. Make sure to review reports from each of the three major credit reporting agencies. These credit bureaus are required by law to each give you a free copy of your credit report each year if you ask for it. You'll find contact information for all three credit bureaus on our Additional Resources page.
• Order merchandise online only at secure sites and make online purchases with your credit card to limit your liability if you do not receive what you paid for.
• Only carry necessary ID cards and limit the number of credit and debit cards. Don't carry your Social Security card with you unless you need it that day.
• If discarding a computer, use a "Wipe Utility Program" to erase everything from the hard drive. Deleting files isn't enough.
• Use only ATMs affiliated with banks or ATM networks you're familiar with. End or cancel transactions if someone is standing too close. Be aware of your surroundings - especially at night. Don't wait until you get to the ATM machine and take your card out of your wallet - have it ready in your hand. If you are receiving money from the ATM, don't count it until you get back to your car. If you are using a drive-up ATM, make sure all doors are locked and the passenger windows are rolled up.
• If the ATM or card reader doesn't look right for any reason, do not use it. Criminals have successfully replaced ATM and even grocery checkout card readers with their own.
• Don't use your deposit slips to write a note on and hand it to someone. Your deposit slips have personal information that you don't want to share with anyone.
• Think of your checks as being like money - you need to make sure that no one can steal your checks - keep them safely locked away when you aren't using them.
• Always write your checks in pen - never in pencil. When writing out the dollar amount on your check, draw a line to the far right, across the empty space so someone can't fill in any numbers in the empty space. When writing the name of the person you're giving the check to, make sure not to use abbreviations.
• Monitor your regular mailbox - know your billing cycles and follow up with companies if you don't receive your statements on time. A criminal could have filed for a change of address in your name and diverted your mail to them. Missing mail can be a clue that your identity has been stolen.

Because of this increased reliance, criminals target these devices by creating scam text messages, called Smishing, as a way to steal personal or account information.

Not all text messages are legitimate! Just as you are cautious in opening or responding to emails, it's the same for text messages.

What is Smishing?

Smishing is when a fraudster sends you a scam SMS/text message asking you to provide personal and/or financial information via a web link or a telephone number. The criminals impersonate a legitimate company to illegally acquire information via text message.

Here are some characteristics of a Smishing text message:

• These text messages typically appear to be from a company you do business with.
• Includes fraudulent phone number or website and urges you to either call or click.
• Will convey a sense of urgency and threaten that “bad things will happen” if you don’t respond.
• Will often have spelling or grammatical errors.
• Will attempt to scare you and convince you to provide personal information.
• The phone number displayed shows up as a shortened number, such as 5000.

How does Smishing work?

• For example, you receive a text message from your bank telling you to verify your personal information. You’re unaware that it’s really a smishing scam.
• By calling the phone number in the text, you may be asked to enter your account number to “unlock” your account, verify information or re-activate an account. Criminals even use the ruse that they are contacting you because fraud has been detected on your account!
• If you click on the link, you’ll be directed to a fake website or malicious software will be downloaded to your phone.

How to Protect Yourself Against Smishing

• If you aren’t sure if the text message is authentic, don't respond! You can contact the company to verify the text message. Be sure to use a telephone number that you know is legitimate.
• Report any Smishing text messages you receive, as well as any other fraudulent communications such as emails.
• Don’t reveal personal or financial information in a text message or an email.
• Don’t click on links in text messages or emails unless you requested the information.
• Make sure you have a password on your smart phone and change your passwords frequently.
• Don't open text messages unless you recognize the number or are expecting a new text message. When in doubt, delete the text message without viewing it.

Report Smishing

• If it’s a text message that appears to be from Third Federal, please forward it to abuse@thirdfederal.com and we will review it and contact you directly.
• Forward the text message to 7726 (SPAM on most keypads). This will alert your cellular carrier to block future text messages from the number.