Citizens Bank
Online Banking Online Banking


Online Banking Customer Awareness Program

As internet usage is expanding it is increasingly important to know how to take steps to protect yourself from becoming a victim of fraud and identity theft.  We want to help our customers to better protect themselves in the current online banking environment. Below are areas that you may find helpful to assist in maintaining online safety while utilizing the internet: 

Electronic Funds Transfer Act

(Regulation E)

Regulation E establishes the basic rights, and responsibilities of consumers who use electronic fund transfer services and of financial institutions that offer these services. The primary objective of the act and this part is the protection of individual consumers engaging in electronic fund transfers.

Regulation E Points:

  • Banks follow specific rules for electronic transactions issued by the Federal Reserve Board known as Regulation E. These rules cover all kinds of situations revolving around transfers made electronically. Under the consumer protections provided under Regulation E you may be able to recover internet banking losses according to how soon you detect and report them.
  • In general, these protections are extended to consumers and consumer accounts.
  • Tell us at once if you believe your card and/or code has been lost or stolen, or if you believe that an electronic fund transfer has been made without your permission using information from your check. Telephoning is the best way of keeping your possible losses down. If you report the losses within two days after you learn of the loss or theft of your card and/or code, you can lose no more than $50.  Also, if you do NOT tell us within two business days after you learn of the loss or theft of your card and/or code, and we can prove we could have stopped someone from using your card and/or code without your permission if you had told us, you could lose as much as $500. Also, if your statement shows transfers that you did not make, including those made by card, code or other means, tell us at once. If you do not tell us within 60 days after the statement was mailed to you, you may be legally liable for the full amount.
  • Regulation E protects individual consumers engaging in electronic fund transfers (EFT). Non-consumer (or business) accounts are not protected by Regulation E.
  • Regulation E is a consumer protection law for accounts established primarily for personal, family or household purposes. Non-consumer accounts, such as Corporations, Partnerships, Trusts, etc. are excluded from coverage. Regulation E give consumers a way to notify their Bank that an EFT has been made on their account(s) without their permission.

For a complete detail explanation of protections provided and not provided under regulation E, please visit the following link:

Debit Card Protection

Debit card usage has increased dramatically in recent years and fraudulent use of debit cards has also increased. Citizens' Bank receives alerts and notification of compromised cards. Our policy is to close the exposed card and reissue a new card to mitigate any future risk. We also have a fraud alert monitoring program in place and is based on a model that monitors debit card transactions and uses commercially reasonable efforts to identify potential fraudulent activity. From time to time you may receive a verification call of noted suspect transactions. The caller will always identify themselves from "Citizens' Bank".  Below are some suggestions for you for the care and usage of debit cards:

  • NEVER give your debit card information when requested by phone, email or texting.  Citizens’ Bank will NEVER request information from you in this manner.
  • In a situation where another person takes your debit card out of sight to process a transaction, it may be better to pay with a credit card. For instance when at a restaurant and the waiter takes your card.
  • Review your account statements in a timely manner and contact us immediately of any unauthorized transactions.
  • Do not keep your Personal Identification Number (PIN) with your card.

Phishing, Malware and Other Fraudulent Communication

Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data applications, or operating system.  Malware is the most common external threat to most hosts, causing widespread damage and disruptions and necessitating extensive recovery efforts within most organizations. Common forms of malware are viruses, worms, Trojan Horses, malicious mobile code and blended attacks. Blended attacks uses multiple infection or transmission methods such as using methods of viruses and worms.  Generally recommended practices for avoiding malware incidents are as follows:
  • Not opening suspicious emails or email attachment, clicking on hyperlinks, etc. from unknown or known senders, or visiting websites that are likely to contain malicious content.

  • Not clicking on suspicious web browser popup windows.

  • Not opening files with file extensions that are likely to be associated with malware (e.g., .bat, .com, .exe, .pif, .vbs).
  • Not disabling malware security control mechanisms (e.g., antivirus software, content filtering software, reputation software, personal firewall).
  • Not using administrator-level accounts for regular host operation.
  • Not downloading or executing applications from untrusted sources.
Current malware sometimes rely on social engineering, which includes phishing, and is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign that are actually malicious. Examples of recommendations for avoiding phishing attacks and other forms of social engineering include:
  • Never reply to email requests for financial or personal information. Instead, contact the person or the organization at the legitimate phone number or website. Do not use the contact information provided in the email, and do not click on any attachments or hyperlinks in the email.
  • Do not provide passwords, PINs, or other access codes in response to emails or unsolicited popup windows. Only enter such information into the legitimate website or application.
  • Do not open suspicious email file attachments, even if they come from known senders. If an unexpected attachment is received, contact the sender (preferably by method other than email, such as phone) to confirm that the attachment is legitimate.
  • Do not respond to any suspicious or unwanted emails.  (Asking to have an email address removed from a malicious party's mailing list confirms the existence and active use of that email address, potentially leading to additional attach attempts). 
Forward phishing emails to – and to the company, bank, or organization impersonated in the email.
Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.
Visit the FTC's Identity Theft website at

Protecting your Business

It is suggested that commercial online banking customers perform risk assessments and control evaluations periodically to help identify potential threats and to determine the strength of their controls. Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable. We continually strive to improve security for our customers, we recognize that we cannot single-handedly protect our customers from online threats. Customers also have an important role to play in their own online banking security. Here are some recommended general practices to help avoid an account takeover:

  • Educate your employees. You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.

  • Protect your online environment. It is important to protect your cyber environment just as you would your cash and physical location. Do not use unprotected internet connections. Encrypt sensitive data and keep updated virus protections on your computer. Use complex passwords and change them periodically.
  • Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that safeguard you from unauthorized transactions. Positive Pay and other services offer call backs, device authentication, multi-person approval processes and batch limits help protect you from fraud.
  • Pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. Keep records of what happened.
  • Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.

Alternative Risk Control Mechanisms

Citizens' Bank provides enhanced security controls over account activities when using Online Banking such as a layered security approach which uses different controls at different points of a transaction so weakness in one control can be compensated for by the strength of another control as well as multi layered security in the authentication process.  Some of the security features employed within Online Banking for our customers are as follows:

  • Fraud detection and monitoring systems which consider customer history and enable a timely and effective response.
  • Internal control of administrative functions including enhance controls for system administrators who set up or change system configurations.
  • Enhanced control over account maintenance activities performed by customers or through customer service channels.
  • Processes internally designed to detect and respond to suspicious activity related to initial login and initiation of electronic transactions.
  • Multifactor authentication for transaction approvals for ACH, wires and external account transfers.
  • Transaction related security alerts via email and/or SMS when:

               ♦ A security related change is made (passcode, email address, phone(s),security questions/answers)

               ♦ Online Transfer is processed (On-Us)

               ♦ External Transfer is processed

               ♦ ACH batch approval

               ♦ Receiver for ACH origination added/modified

               ♦ Wire Transfer Approved

               ♦ Beneficiary for wire transfer added/modified

               ♦ New payee bill payment alert

  • Dual control for commercial activity (ACH origination, wire transfers) and Sub-User administration.
  • Security Token PIN for commercial activity (ACH origination, wire transfers).
  • Out-of band verification for transactions via email.
  • Dollar limits are set for External Transfers, ACH origination and Wire Transfer Requests.
  • Offer user initiated Notify-Me Alerts.
  • Reminders to users every 120 days to change password and update security questions semi-annually.

Helpful and Useful Tips to Mitigate Risk are Outlined Below:  


  • Memorize your User Name and Password.  Your online User Name and password authenticate you when you begin an Online Banking Session. You should never write it down anywhere, save to your computer, or reveal it to anyone.
  • Create a complex unique password for online banking that: 
                   ♦ Is 8-12 characters in length. The longer the Password, the better.
                   ♦ Includes both letters and numbers.
                   ♦ Has at least four different characters (no repeats).
                   ♦ Has at least one special character.
                   ♦ Is obvious or easily obtainable information. Avoid dictionary words, children's names or birthdates.
  • Do not use the password auto-save feature on your browser.
  • Change your password periodically and often.

Personal Computers

  • Always sign out or log off and close your browser when you are finished. Don't rely on our Online Banking time-out feature.
  • Update software frequently and keep systems current.
  • Virus software, “definitions” should be updated daily.
  • Install and activate a personal firewall.
  • Install and run most recent version of Antivirus software.
  • Keep your operating system (OS) current.
  • Activate the automatic update feature.
  • Set your browser’s security level to the default setting or higher.
  • If your computer is infected with a virus, run anti-virus software to remove the infection and change passwords on all your financial and business accounts including your email account using a secure device.

General Best Practices

  • Keep your personal information private and secure.
  • Check your account balance regularly.
  • Do not access your account from a public location.
  • Be skeptical of email messages, for example, from someone unlikely to send an email such as the IRS.
  • Do not open suspicious emails and do not click on the links. Should this happen, stop work and have a diagnostics performed immediately.

Identity Theft Tips

  • Shred receipts, billing statements, expired cards, and similar documents.
  • Review statements promptly and carefully.
  • Only give personal information if you initiate the contact.
  • Periodically check your credit report. You are entitled to receive one credit report from each credit bureau annually at no cost.


  • Watch out for copycat websites that deliberately use a name or web address very similar to, but not the same as, that of the real financial institution or business.
  • Wireless access should be secured with strong password encryption. Be cautious when using public hotspots and consider your WI-FI auto-connect settings.
  • Check for the yellow lock icon in the status bar of your browser. This means the website uses encryption to protect your information. Make sure the yellow lock is closed, indicating the encryption is on. Double-click it to display the security certificate. The security certificate information should match the name of the site you intended to be on. 
  • Pay using credit cards.
  • Avoid using a public or shared computer for business and financial transactions. Only conduct Online Banking and financial transactions using a trusted computer.
  • Shred credit card, medical and other statements with personal information.
  • Never click on suspicious links.
  • Only give sensitive information to websites using encryption, verified though the web address.
  • Use social media wisely and don’t reveal too much.

Mobile Devices

  • Use passcodes.
  • Avoid storing sensitive information.
  • Keep software up-to-date.
  • Install remote wipe if the device is lost or stolen it can be cleared off.

Using ATM’s safely

  • Protect your ATM card and PIN. If lost report as soon as possible.
  • Choose a PIN different from your address, telephone #, and birthdate.
  • Be aware of people and your surroundings.
  • Put away your card and cash.
  • Skimming – observe the card reader; if it appears damaged don’t use it.

Listing of Bank Contacts

Contact any Citizens’ Bank Branch Locations click here, in the event you notice suspicious account activity or experience customer information security-related events.


To report a lost or stolen ATM/Debit Card during regular business hours please call (251)947-1981. After regular business hours please call (800)500-1044.


To report a suspicious email that uses Citizens' Bank's name, forward it to .


Report any suspected fraud to the Bank and immediately to the fraud units of the three credit reporting agencies:    TransUnion (800) 680-7289 - Experian (888) 397-3742-
Equifax (800) 525-6285


For more help and tips on Identity Theft please visit our webpage click here


Other Researched Security References:

Annual Credit Report


Bureau of Consumer Protection


Department of Homeland Security Cyber Report


FTC- Privacy & Security


Internet Crime Complaint Center











FDIC Equal Housing Lender