Fraud Information Center

National Penn takes the protection of your personal information and assets very seriously. To reduce the risk of online fraud, scams or identity theft, we employ a myriad of smart safeguards ranging from passwords and firewalls to the encryption of confidential banking data. We also believe that one of the best defenses is good consumer education. To help keep you abreast of the most current fraud protection information, check our alerts and informative links below.

Recent News & Alerts

OCC Alert
10 March 2015

Fictitious Correspondence Regarding the Release of Funds Supposedly Under the Control of the Office of the Comptroller of the Currency

Fictitious correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding funds purportedly under the control of the OCC and possibly other government entities, is in circulation. Correspondence may be distributed via e-mail, fax, or postal mail.

Any document claiming that the OCC is involved in holding any funds for the benefit of any individual or entity is fraudulent. The OCC does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises, or governmental entities.

The correspondence may indicate that funds are being held by a specific financial institution and that the recipient is required to pay a “Clean Bill of Records Certificate (C.B.R.C.)” fee before the funds are released to the beneficiary.

E-mails being sent in regard to this scam appear to be sent from officials at the OCC, but they are not. The e-mail address used in the electronic correspondence may be from []. This material is being sent to consumers in an attempt to elicit funds from them and to gather personal information to be used in possible future identification theft.

Before responding in any manner to any proposal supposedly issued by the OCC that requests personal information or personal account information, or that requires the payment of any fee in connection with the proposal, recipients should take steps to verify that the proposal is legitimate. At a minimum, the OCC recommends that consumers

  • contact the OCC directly to verify the legitimacy of the proposal
    (1) via email at;
    (2) by mail to the OCC’s Special Supervision Division, 400 7th St. SW,
    Suite 3E-218, MS 8E-12, Washington, DC 20219;
    (3) via fax to 571.293.4925; or
    (4) by calling the Special Supervision Division at 202.649.6450.
  • contact state or local law enforcement.
  • file a complaint with the Internet Crime Complaint Center at if the proposal appears to be fraudulent and was received via e-mail or the Internet.
  • file a complaint with the U.S. Postal Inspection Service by telephone at 888.877.7644; by mail at U.S. Postal Inspection Service, Office of Inspector General, Operations Support Group, 222 S. Riverside Plaza, Suite 1250, Chicago, IL 60606-6100; or via the online complaint form at, if the proposal appears to be fraudulent and was delivered through the U.S. Postal Service.

Information regarding the subject of this or any other alert that you wish to bring to the attention of the OCC may be sent to

FBI Alert
24 February 2015

According to a recent FBI alert, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employee email accounts are compromised or spoofed. The fraudster is able to steal money with the help of an unwitting accomplice, an employee who is fooled into submitting a wire request. From the perspective of the company’s financial institution, the transaction appears completely legitimate. Even confirmation calls or other out of band authentication will reach the employee who did indeed submit the request.

There are two versions of this scheme:

The first version is an invoice from a supplier or business partner via a spoofed email address. A fraudster compromises the email of a business user employed by their target company, for example, someone in Accounts Payable. They then monitor the email of the business user looking for vendor invoices. Once a legitimate invoice is found, they modify the beneficiary information such as the routing number and account number to which the payment is to be sent. The fraudster then spoofs the vendor’s email, by creating an email address that is so close to the vendor’s email that most people would not catch the change, and submits the invoice to the target company. The invoice is paid based on familiarity of the vendor name and services provided and would not be detected until the actual vendor contacts the company about a missing payment.

The second version is a payment request by an executive whose email account has been compromised. A fraudster compromises the email account of an executive such as the CFO. A wire transfer is then requested from the compromised email account to a second employee within the company who is normally responsible for processing such requests, such as the Controller. A wire is sent to the company’s financial institution and sent out, even after the financial institution’s verification process is completed, which can be, but not limited to a call back to the Controller.

While wire requests are the preferred method of extracting funds, ACH payments requests should not be ignored. Both schemes hinge on an email request that appears completely legitimate, either coming from an actual email account or one that is so similar that all but the closets scrutiny would miss the variation.

You can help deter this fraud by evaluating requests that are presented via email.
For example; is the request international, when normally the vendor payment is state side? Does the CFO of the company usually email such wire requests, is this out of the normal pattern of activity for them? If anything at all seems odd while processing the request, contact the person requesting by phone to verify the payment.

Fraudulent Correspondence Attributed to Officials of the
Office of the Comptroller of the Currency

13 November 2014

Fictitious correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding funds purportedly under the control of the OCC and possibly other government entities, is in circulation. Correspondence may be distributed via e-mail, fax, or postal mail.
Read more >

Ebola Phishing Scams and Malware Campaigns
17 October 2014

National Penn Bank would like to remind customers to protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme.  Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system.

A sample screenshot of this phishing attempt is provided below:

Please remember to use best security practices when reviewing email.  Do not open unsolicited emails which contain file attachments, embedded links or URL addresses to websites, as they may contain viruses or malware.

We encourage you to take the following preventative measures to help mitigate the security risks:

  • Do not follow unsolicited links and do not open unsolicited email messages.
  • Use caution when opening email attachments.
  • Use caution when visiting untrusted websites.

Community Health Systems Breach
21 August 2014

National Penn has been notified of a data breach with regards to the Community Health Systems network which operates 206 hospitals across the US.

Hackers have gained access to customer names, social security numbers, physical addresses, birthdays and telephone numbers.  Based on the information available at this time it is believed that no bank information has been compromised. 

For more information on the breach: 

For more information on Identity theft please visit the Federal Trade Commission (FTC) The FTC maintains a database of identity theft cases used by law enforcement for investigations, and can advise you on your next steps. The FTC may also be reached at 877.382.4357.

Protecting your Passwords
18 August 2014

Protecting your passwords is one way to keep your identity and your personal information safe while online. Creating complex passwords and changing them regularly are the best ways to combat your passwords being stolen or hacked into.

  • Make your passwords long. While 6-8 characters is a recommended setting, using over eight characters is one way to make your password more complex
  • Use  a combination of letters, numbers and special characters
  • Add numbers to the middle of the password instead of the beginning or end.

Example:  Pas123swor!d instead of using Password123!

  • Avoid using common terms or easy to guess words. Identifying information such as your date of birth, address or relatives names should only be used when combined with a complex password
  • Avoid using the same password for more than one site
  • Always keep any written record of passwords in a secure place
  • Make changing your passwords a priority. Mark your calendar and change them every three to six months.

How to Tell if You've Been Hacked
2 June 2014

Installing and updating antivirus software can go a long way toward protecting your computer and mobile devices from viruses and malware, but it’s important to remember that hackers are always tinkering with their tactics in order to evade detection. Watch out for these signs that you’ve been hacked.  Read more >

Back to Top