• Privacy & Security

  • Last Updated January 1, 2020


    CIT Group Inc. and its Affiliates (as defined below) (collectively "CIT," "we," "us," or "our") respect your privacy and are committed to treating and using Personal Information (as defined below) about you responsibly.


    This Privacy Statement ("Statement") explains how CIT collects, uses and shares Personal Information, from or about you in connection with CIT products and services, as well as when you use CIT’s websites or mobile applications that link to this Statement (each, a “Site”, and collectively, “Sites”).

    Throughout this Statement, we refer to "Personal Information", which means information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with you or your household. Personal Information does not include Public Information (for example, information from federal, state or local government records), Aggregated Information (information relating to multiple individuals that has been combined and grouped together, resulting in a data set that contains no personal information) or De-identified Information (information that is not attributable to an identified or identifiable individual).

    This Statement also describes certain rights that California Consumers have under the California Consumer Privacy Act of 2018 (“CCPA”) with respect to their Personal Information. A “California Consumer” is a natural person who resides in California. For further information, please reference “VI. CALIFORNIA CONSUMER PRIVACY ACT – RIGHTS FOR CALIFORNIA CONSUMERS” on page 4.

    If you are an individual and have a CIT financial product or service for your personal, family or household purposes, please see our CIT Consumer Privacy Notice for additional details about how we use and share Personal Information that we collect in connection with providing you those financial products or services.

    CIT operates general audience Sites that are accessible to the public. Our Sites are not intended for children under 16 years of age. We do not knowingly market our products or services to children, nor do we knowingly collect or sell Personal Information from children under 16 years of age.


    How we collect Personal Information

    The types of Personal Information we collect depend on your interaction with us, including the types of products or services you applied for or use. We, or entities that we contract with to provide services to support our business and delivery of our products and services (“Service Providers”), may collect Personal Information:

    • Directly from you, such as when you apply for or obtain one of our products or services, or if you apply for a job with CIT;
    • From financial and non-financial companies related by common ownership or control (our “Affiliates”), based on your relationship with them and as permitted by law; and/or
    • From other entities that we work with who are not Service Providers (“Third Parties”), such as credit bureaus.

    We (or our Service Providers) may also collect Online Information, such as IP address, browser or device information, or other information about you indirectly through interactions with our Sites or ads, such as:

    • The types of devices you use to visit our Sites and interact with us;
    • Your device’s browsing history on our Sites;
    • Information about the ads or content from us (or our service providers) that you view, access or click on; or
    • The location of the device you use to visit our Sites (with your consent)

    Though Online Information may not, alone, reveal your specific identity, some of this information may be used or associated with Personal Information, or may itself be considered Personal Information. Please see Section III for more information.

    How we use Personal Information

    We (or our Service Providers) may use Personal Information for the following business purposes:

    • To deliver products, information, or services, that you may request, including to:
      • complete transactions;
      • provide account services;
      • recognize and remember you when you visit our Sites;
      • improve our Sites and make them easier to use;
      • notify you about updates to your accounts, products, and/or services;
      • perform quality assurance activities that maintain the quality of services provided to you; or
      • respond to your inquiries.
    • To provide advertising about our products and services including:
      • sending marketing materials inclusive of special offers, email notifications, or other notices regarding CIT’s products, services, or news; or
      • presenting personalized content or tailored ads that may relate to your interests and/or location.
    • To manage security risks and prevent fraudulent activity, including to:
      • detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activities;
      • debug to identify and repair errors that may impair existing intended functionality;
      • verify your identity such as when you apply for an account or access our online/mobile services; or
      • assess your creditworthiness, including obtaining credit reports if you apply for credit or apply for a financial product or service.
    • To conduct employment-related activities at CIT, including to:
      • perform background checks;
      • deliver employee benefits programs; or
      • contact references you provide during your application process.
    • To perform other activities, as permitted or required by law including:
      • to perform internal research;
      • in connection with litigation;
      • to comply with regulatory record retention requirements; or
      • for audit purposes within our organization. 

    How we share Personal Information

    We may share your Personal Information, as permitted or required by law with:

    • CIT Affiliates;
    • Service Providers;
    • Regulatory authorities or governmental agencies to meet regulatory or legal requirements; or
    • Third Parties, with your consent or as permitted by law.


    Online Information

    When you visit or browse our Sites, we may collect Online Information as described in Section II of this Statement. The purpose of collecting this information is to improve the effectiveness of our Sites and product offerings. The collection of this information allows for the compilation of anonymous and Aggregated Information about the usage of our Sites and can help us improve your use of our Sites, for example, providing quick login, streamlining site navigation and maintaining up-to-date content for all users. Should you configure your browser to reject Cookies, you may disable some of our online service's features.

    Online Behavioral Advertising, “Cookies”, and Similar Technologies

    CIT and our digital Service Providers (e.g. ad network or agency) may use Cookies, mobile advertising identifiers, and other information for the purposes of delivering tailored advertising to you on other party websites. “Cookies” are pieces of data stored by your browser and used by web servers to uniquely distinguish your browser from all others and remember your browser over time, including preferences and other information. We and our Service Providers may also use Web Beacons with or without Cookies for various purposes, including analytics and targeting interest-based advertising. “Web Beacons” are small image files that are loaded when a web page or other online resource is processed by your browser (including when emails are opened). If you click on one of our ads on another party’s website, Cookies may also be used to track the effectiveness of our online advertising and for the purposes of delivering ads that may be relevant to you in the future.

    Links to Other Sites and Other Privacy Policies

    Our Sites may contain links to other party websites. When you click on these links, you may be providing information, including Personal Information, to the other party, us, or both. CIT has no control over the privacy practices or content of these linked websites, so we recommend that you carefully review the privacy policies or statements of every other party website that you visit.


    You have choices about how we use your information, including what kinds of marketing you want to receive from us.

    You can opt-out of having our Service Providers use your web browsing behavior for purposes of serving interest-based advertising by opting out here. You may still see some of our untailored ads, but these will not be served to you based on your inferred interests or web browsing activity on our online services. Please note this opt-out works via Cookies, so if you delete Cookies, use a different device, or change web browsers, you will need to opt-out again.

    You can also opt out of receiving marketing offers via email, telephone or direct mail. Every offer will include instructions on how to opt out, or if you prefer, please send your opt-out request to privacy.questions@cit.com. We will still contact you for transactional purposes, such as to service your account or respond to an inquiry.


    We currently do not employ technology that changes how our servers treat your browser if our servers receive a "do-not-track" signal from your browser.


    CIT uses reasonable physical, electronic, and procedural safeguards to protect Personal Information from unauthorized access, deletion or alteration. As part of our security practices, CIT does not send requests for Personal Information to our customers via e-mail or texts. Any Personal Information you request CIT to send you via email, such as your account balance, is encrypted. However, standard email communications are not. Therefore, you should not transmit your Personal Information to us through email. Please note that no company can guarantee perfect online security, and please remain careful and vigilant in your online activities.


    The CCPA requires us to make certain additional disclosures and provides California Consumers with the ability to request additional information about their Personal Information. This section explains these rights and describes how California Consumers may submit a request to exercise those rights.

    Please note that the rights under the CCPA do not apply to Personal Information collected, processed, sold or disclosed pursuant to:

    • Gramm-Leach-Bliley Act (Public Law 106-102), the federal privacy regulation. Generally, this will apply to any Personal Information obtained in connection with CIT financial products or services that are used primarily for personal, family or household purposes; or
    • Fair Credit Reporting Act (12 CFR 1022). Generally, this will apply to Personal Information related to credit history or creditworthiness.

    Categories of Personal Information We Collected Recently

    In the 12-month period prior to the date of this Privacy Statement, CIT or our Service Providers have collected the following categories of Personal Information, which we may have shared for a business purpose, as permitted or required by law:

    | Category of Personal Information collected in the previous 12 months | Was the Personal Information shared for a business purpose*? |
    | --- | --- |
    | Identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | Yes |
    | Certain, sensitive types of Personal Information, such as gender, age, marital status | Yes – only with our Service Providers to the extent necessary for a business purpose |
    | Commercial information, such as records of personal property, products or services purchased | Yes |
    | Audio, electronic, visual, thermal, olfactory, or similar information, such as phone recordings; ATM and in-branch video monitoring | Yes |
    | Internet or other electronic network activity information, including, but not limited to browsing history, search history, geolocation data (with your consent) and information regarding your interaction with our Sites, collectively “Online Information” | Yes |
    | Professional or employment-related information, such as job title, employer name, or languages | Yes |
    | Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)), such as a school name, number of years attended | Yes – only for applicants of employment and employees |
    | Inferences drawn from Personal Information to create a consumer profile that may reflect consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | Yes |

    *For more information on our sharing practices and the related business purposes, please reference Section II of this Privacy Statement above.

    Your rights under the CCPA

    The CCPA grants California Consumers various rights around the Personal Information that is collected about them. The rights are explained in further detail below:

    1. Right to Know About Personal Information Collected and/or Disclosed
      California Consumers have the right to request information about their Personal Information that CIT has collected in the preceding 12 months. Upon our receipt of a verifiable request from you, we will disclose the following information:
      1) The categories of Personal Information we have collected about you.
      2) The categories of sources from which the Personal Information was collected.
      3) The business or commercial purpose for collecting your Personal Information.
      4) The categories of third parties with whom we share your Personal Information.
      5) The specific pieces of Personal Information we have collected about you.

    2. The CCPA allows California Consumers to submit a maximum of two (2) requests in any 12-month period.

    3. Right to Request Deletion of Personal Information
      California Consumers have the right to request that CIT (and any Service Provider) delete any Personal Information about you which we have collected from you. This right to request deletion does not apply to any of your Personal Information that is subject to an exception in the CCPA, for example, where we need to retain the Personal Information to complete a transaction for which the Personal Information was collected, to prevent fraud or to comply with a legal obligation.

    4. Right to Opt-Out of the Sale of Personal Information
      CIT does not sell Personal Information and will not sell Personal Information without providing you with prior notice and an opportunity to opt-out, as required by law.

    5. Right to Non-Discrimination
      CIT does not discriminate against any California Consumer who exercises any of the rights described above. This includes denying goods or services; charging different prices or rates; or providing a different level of service or quality of goods or services.

    How to Submit a Request

    California Consumers can submit a request either by completing the Online Request Form or by calling us at 1-866-206-2711, Monday through Friday from 8:00 a.m. to 4:30 p.m. PST.

    Submitting a Request through Your Authorized Agent

    California Consumers have the option to designate an authorized agent to submit a request on their behalf. To do this, the authorized agent must select “authorized agent” in the Online Request Form and provide all of the required information, along with proof of authorization in the form of a notarized authorization form, signed by the California Consumer who is the subject of the request. We will also contact the California Consumer directly to verify the request.

    We will respond to requests within 45 days and will notify the requester if we need additional time.

    Changes to this Statement

    This Statement is subject to change. If we make changes to this Statement, we will revise the “Last Updated” date at the top of this Statement. Your use of the Site means that you accept the terms of this Statement.

    Any dispute related to this Statement will be governed by our Terms of Use.

    Contact for More Information

    If you have questions or concerns about CIT’s privacy practices or this Statement, please email us at privacy.questions@cit.com.

    Last update: March 2020 


    Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

    The types of personal information we collect and share depend on the product or service you have with us. This information can include:

    • Social Security number and income
    • account balances and payment history
    • transaction history and credit history

    When you are no longer our customer, we continue to share your information as described in this notice.

    How? All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons CIT chooses to share; and whether you can limit this sharing.
    | Reasons we can share your personal information | Does CIT share? | Can you limit this sharing? |
    | --- | --- | --- |
    | For our everyday business purposes - such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No |
    | For our marketing purposes - to offer our products and services to you | Yes | No |
    | For joint marketing with other financial companies | No | We don't share |
    | For our affiliates' everyday business purposes - information about your transactions and experiences | Yes | No |
    | For our affiliates' everyday business purposes - information about your creditworthiness | No | We don't share |
    | For non-affiliates to market to you | No | We don't share |

    Call 1-866-206-2711 or go to www.cit.com/privacy 

    Who we are
    Who is providing this notice? CIT Bank, N.A. and its OneWest Bank and CIT Bank Residential Servicing divisions.
    What we do
    How does CIT protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. Measures include computer safeguards and secured files and buildings.
    How does CIT collect my personal information?

    We collect your personal information, for example, when you:

    • open an account or make deposits
    • pay your bills or apply for a loan
    • give us your contact information

    We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.

    Why can't I limit all sharing?

    Federal law gives you the right to limit only:

    • sharing for affiliates' everyday business purposes - information about your creditworthiness
    • affiliates from using your information to market to you
    • sharing for nonaffiliates to market to you

    State laws and individual companies may give you additional rights to limit sharing. See below for more on your rights under state law.

    Affiliates Companies related by common ownership or control. They can be financial and nonfinancial companies.
    • Our affiliates include companies with a CIT name such as CIT Group, Inc.

    Nonaffiliates Companies not related by common ownership or control. They can be financial and nonfinancial companies.
    • We do not share with nonaffiliates so they can market to you.
    Joint marketing A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
    • We do not jointly market.

    Other important information

    California residents: If you are a California resident, we will not share nonpublic personal information about you with our affiliates or any nonaffiliated third party, other than as permitted by law or with your consent.

    Vermont residents: If you are a Vermont resident, we will not share nonpublic personal financial information about you with our affiliates or any nonaffiliated third party, other than as permitted by law, or with your consent.

    Nevada residents: Nevada law requires that we provide you with the following contact information regarding "do-not-call" lists: (a) Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington St., Suite 3900, Las Vegas, NV 89101; Telephone 702-486-3132; email: BCPINFO@ag.state.nv.us; and (b) If you wish to be placed on our internal "do-not-call" list contact CIT Bank, N.A., P.O. Box 7211, Pasadena, CA 91109-7311; Telephone: 800-669-2300; email: Privacy.Questions@cit.com

    The USA PATRIOT Act, a federal law, requires all financial institutions to obtain sufficient information to verify your identity when creating a new banking relationship. You may be asked several questions including your name, address, date of birth, Social Security number or other government-issued identification number, and to provide one or more forms of identification to fulfill this requirement. In some instances, we require other identifying documents and/or use a third party information provider for verification purposes. Our established Privacy Policy helps protect your personal information

    At OneWest Bank we're committed to securing your personal information.

    At OneWest Bank, we are committed to the security of your financial information. However, you must also take every step to ensure the safety and privacy of your information. In order to help educate you on identity theft, online fraud and lottery scams on all fronts, we've detailed the major threats on the Internet today, as well as ways to take action to both prevent and manage these issues if they occur.

    Regulatory and government agencies are warning about a continued and significant increase in Business Email Compromise (BEC) scams. Fraudsters have tried to steal billions of dollars from businesses, posing as company executives and ordering huge wire transfers. These scams can be in the form of emails, phone calls or texts. Many of the attempts are targeted to specific individuals or business functions (e.g., Payroll, HR, Accounting) and appear to be about everyday business processes. A common tactic is to convey a sense of urgency and/or secrecy. Often, the emails arrive late in the day, just before a holiday or weekend, or when the purported sender is out of the office. If you receive an email that appears suspicious, be sure to check the authenticity of the email prior to performing any wire transfers. Any suspicious email that you have questions about can be directed to the CIT Antifraud Group, by emailing CorporateInvestigations@cit.com or calling 1.877.331.3785.

    10 Secure Mobile Banking Tips:

    1. Risk: Mobile devices without passwords:

      Mobile devices often do not use passwords to authenticate users and control their access.

      Protecting yourself:

      Enable user authentication: Ensure your device is configured in a way that forces the use of "Passwords and Personal Identification Numbers (PINs)" to gain access. The password field should also be masked to prevent casual viewing. Consider activating idle-time screen locking. This will require proper credentials before access to your information is granted.

      Enable auto-wipe feature after excessive password failures.

    2. Risk: Near Field Communications (NFC) broadcast the presence of your mobile device.

      Mobile devices sometimes have NFC enabled to permit the exchange of information directly between two devices. This exchange of information between two devices can happen between you and a trusted friend or between you and a criminal, allowing them to capture the sensitive personal information stored on your device.

      Protecting yourself:

      At a minimum, follow these simple instructions: (1) Read the fine print that comes with your NFC-enabled device and applications; (2) Ensure that you apply software updates to your device in a timely manner; and (3) When not using your NFC capability, be sure to turn it off.

    3. Risk: Clicking on a banking link received in a text message or email:

      Be suspicious of any URL links that you may receive from the bank sent via text message or email. Links received in this fashion can be very dangerous, redirecting you to malicious websites owned by cyber-criminals.

      Protecting yourself:

      Enter the bank's web address into your mobile device and bookmark the link. Then use this link instead of the one that was sent to you. Using this technique will prevent you from being tricked into going to fake websites. Also, be sure not to send sensitive or personal information such as account information or password in a text message or email.

      Important Tip:

      Here are two ways to ensure validity of the links:

      1. Hover your mouse over URL links to determine their validity prior to clicking on them. Or,
      2. Copy the link into your browser; the part of the URL you don’t see will be copied and any potentially hidden malicious site URL will be revealed.
      Important Note:

      At times CIT will send out emails that include URL links to our company websites www.cit.com, www.bankoncit.com and www.onewestbank.com. The emails will come from donotreply@bankoncit.com or donotreply@owbmail.com.

    4. Risk: Failure to delete all sensitive information from devices that are no longer in use.

      Leaving the names of banks or credit unions, passwords, or other personal information on your device could result in identity theft.

      Protecting yourself:

      You must delete the data from your old phone before disposing of it or passing it on to another person. The easiest way to accomplish this is to wipe the device by performing a factory reset and then entering fake data to overwrite any traces of the original data. Follow the instructions provided by your device manufacturer to accomplish this process prior to disposing of the device.

    5. Risk: Downloading applications from unofficial sites that contain malicious software.

      It is not uncommon for consumers to inadvertently download applications that are disguised as useful programs, but in reality, contain malware that serves the intent of the cyber-criminal.

      Protecting yourself:

      Be sure that your application is sanctioned by the bank prior to downloading and installing it. Follow your device's software update procedures to verify the application's signature and to confirm the package is authentic and complete.

      Download mobile apps only from reputable sites:

      • iOS: App Store
      • Android: Google Play and Amazon App Store

      For Android users, evaluate apps before installing. Look at the number of downloads, read customer reviews and look at the app's rating; if low, be suspicious as this means there has not been thorough vetting of the app (e.g., for security issues, functionality, etc.). Be aware of what permissions an app has access to (e.g., location, contacts, photos, camera, microphone); be suspicious of requests for excessive access (e.g., does a game app really need access to your contact list or the ability to send text messages?)

    6. Risk: Loss of Mobile device:

      Losing a mobile device can potentially result in divulging your sensitive information to thieves.

      Protecting yourself:

      Installing tracing and remote deletion software will help you find the device's location in the event it is ever lost or stolen. Also, if plausible, install software that permits you to perform remote deletion. You should also consider leveraging the device's locking capabilities; depending on the device, you will need to trace a pattern or enter a Personal Identification Number (PIN) into your phone to enable the device locking feature. This added layer of security will slow a criminal down long enough for you to disable your bank account before any unauthorized access occurs.

    7. Risk: Mobile devices without security software installed:

      Mobile devices need to have security software to protect against malicious applications and spyware. At times, these devices do not come pre-installed with the appropriate security software or users fail to install the security software.

      Protecting yourself:

      Install Anti-Malware Capability: Users should ensure that appropriate software is installed and enabled on their mobile device to protect against unwanted email attachments, voice messages, and text messages as well as malicious applications, viruses, and spyware.

    8. Risk: Out-of-Date Operating System:

      Security patch updates for operating systems and third-party applications can sometimes take weeks before they are provided to, and installed by, users. Jailbreaking (iOS) and rooting (Android) provide the user with additional access to circumvent mobile device security controls. For certain mobile devices, rooting and jailbreaking allow the user to download applications from untrusted sources, which may introduce malware onto the device.

      Protecting yourself:

      Your mobile device can be configured to automatically update to the latest operating system version. Follow the instructions that come with your device so that you can ensure these updates are transmitted promptly. Avoid jailbreaking or rooting your mobile device.

    9. Risk: No restrictions on Internet Connections.

      By not limiting the ports that can be used by a device, you may permit a potential criminal to enter the device through an unsecure access point.

      Protecting yourself:

      Install Anti-Malware Capability: Users can install a mobile personal firewall. When this software is installed appropriately, it will enable the mobile device to protect against unwanted email attachments, voice messages, and text messages, as well as malicious applications, viruses, and spyware.

    10. Risk: Connection to an Unsecured Wi-Fi Network.

      Public network connections are notoriously not very secure. When using Wi-Fi networks, users become susceptible to Man-in-the-Middle (MITM) attacks, where criminals eavesdrop on the network connection. When this happens, users are at risk of their personal information being viewed and/or stolen.

      Protecting yourself:

      Do not participate in banking activities while connected to a public network. It is better to disable Wi-Fi and switch to the cellular network when handling personal banking transactions or look into setting up a Virtual Private Network (VPN) that encrypts your Wi-Fi connections.

    Be aware of Phishing Website Scams

    OneWest Bank has created this webpage to inform and warn consumers about a type of fraud called "phishing." The term "phishing" - as in fishing for confidential information - refers to a scam that encompasses fraudulently obtaining and using an individual's personal or financial information. This is how it works:

    • A consumer receives an e-mail that appears to originate from a financial institution, government agency, or other well-known/reputable entity.
    • The message describes an urgent reason you must "verify" or "re-submit" personal or confidential information by clicking on a link embedded in the message.
    • The provided link appears to be the Web site of the financial institution, government agency or other well-known/reputable entity, but in "phishing" scams, the Web site belongs to the fraudster/scammer.
    • Once inside the fraudulent Web site, the consumer may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer's mother or the consumer's place of birth.
    • When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person's identity.

    Recently, criminals have been using OneWest Bank's name and reputation to perpetrate various "phishing" schemes. It is important to note that OneWest Bank will never ask for personal or confidential information in this manner. One “phishing” scheme was perpetrated using the following domain name: www.onewstbk.com

    Please do not attempt to transact any business or submit any personal information through the above web site.

    Any genuine OneWest Bank communication will only utilize links to the official OneWest web page located at www.onewestbank.com. Any genuine link will commence with that URL, as in the example below:

    [Image: Phishing Website Scam]

    If you click on a link that takes you to a website whose address begins with something else, or which includes apparent abbreviations of our bank name, it’s not a genuine OneWest Bank site – even if it looks familiar. You should refrain from using any links or information found at such fraudulent sites. Look for:

    • Anti-malware warning when trying to access a web page.
    • No lock icon in the address bar and/or URL does not start with https.
    • Observe the overall look and feel of the site - be cautious if there appears to be random content on the site or links that appear to access unrelated content (e.g., a bank site with links to pharmaceuticals).
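A link check along the lines described above, as an added example that is not OneWest Bank's own code: it compares the parsed host of a link with the official host rather than testing how the text of the link begins, and it also checks for https. The bare domain in `OFFICIAL_HOSTS`, the similarity threshold, the function names and the `.example` links are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Official host as given on the page; accepting the bare domain is an assumption.
OFFICIAL_HOSTS = {"www.onewestbank.com", "onewestbank.com"}
BRAND = "onewestbank"         # host label that look-alike names imitate
LOOKALIKE_THRESHOLD = 0.75    # assumed cut-off for this example


def naive_prefix_check(url: str) -> bool:
    """'Starts with the official URL' read literally as a string test."""
    return url.startswith("https://www.onewestbank.com")


def classify_link(url: str) -> str:
    """Classify a link by its parsed host, not by its leading characters.

    Returns one of: genuine, not-https, lookalike, other-host, malformed.
    Text without a scheme (e.g. "www.onewestbank.com") has no parsable
    host and is reported as malformed.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        _ = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "malformed"
    if not host:
        return "malformed"

    # Exact host match is the only way to be genuine; https is also required.
    if host in OFFICIAL_HOSTS:
        return "genuine" if parts.scheme == "https" else "not-https"

    # Any other host that contains or closely resembles the bank's name
    # is a look-alike, wherever in the host the name appears.
    for label in host.split("."):
        similarity = SequenceMatcher(None, label, BRAND).ratio()
        if BRAND in label or similarity >= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "other-host"


# Constructed sample links; only the host www.onewstbk.com comes from the page.
SAMPLES = [
    "https://www.onewestbank.com/login",
    "http://www.onewestbank.com/login",
    "https://www.onewstbk.com/",
    "https://www.onewestbank.com.account-verify.example/",
    "https://www.onewestbank.com@login.example/",
]


def report(urls=SAMPLES):
    """Return (url, verdict, naive_result) for each link."""
    return [(u, classify_link(u), naive_prefix_check(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict, naive in report():
        print(f"{verdict:<11} naive_ok={naive!s:<5} {url}")
```

The last two sample links pass the plain string test even though the browser would connect to a different host, which is why the comparison is made on the parsed host.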

    If you suspect an e-mail or Web site is fraudulent, please report this information to OneWest Bank, using this number 1.877.741.9378. If you suspect that you have been a victim of identity theft, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you see unauthorized charges on your credit card, immediately contact OneWest Bank and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.

    Your online security is always a priority to OneWest Bank.
    Given the recent news of the Bash "Shellshock" bug, we want you to know what we're doing to protect your information.

    First, what is the Bash Shellshock Bug?
    The Shellshock bug refers to a coding flaw housed in a utility program called "Bash," which affects computers and websites running operating systems such as Mac OS and Linux. Bash enables computer programs to connect, and one of its chief uses is in connecting web server software to underlying operating systems. It also enables individual computers to execute commands like "run my Web browser" and "open this application," etc. Generically, programs like Bash are called "shells," and that's how the bug was given its name.

    Bash has been in use all over the world for well over 20 years, but in September 2014, it was discovered that modifications to the code in the early 1990s inadvertently created a flaw that allows malicious code execution to take over an operating system and access confidential information. As a result, lots of companies with an internet presence are potentially at risk from the Shellshock bug. Certain personal computers may also be at risk.

    What is OneWest Bank doing about it?
    OneWest is using both automated and manual protocols to detect Bash vulnerabilities in our own systems and swiftly deploy the appropriate patches. We are also working with our vendors to detect and eliminate vulnerabilities.

    What should I do?
    There are two things you can do to protect yourself, and they are not new:

    First, the best way to limit your exposure to computer bugs that target internet-based activity is to have different passwords for different websites, and to make those passwords appropriately complex, using upper- and lower-case letters, numbers and if allowed, symbols. Change your passwords periodically.

    Second, it's always wise to watch for and promptly implement operating system updates or patches designed to enhance security. Bash is used in personal computers running the Mac operating system, though Apple has explained that OS X is safe for all but those running advanced Unix services. A patch is coming for those users, according to Apple. Bash is not native to Windows-based computers, but there is a Windows-based version in use on some machines that is reportedly vulnerable. So stay up to date on security patches for your machine(s)!

    Why you can feel confident.
    We're serious about security. Your online account with OneWest Bank is protected with a sophisticated information security program. Our multi-layered defense system consists of preventive, detective and response controls managed by a team dedicated to tracking threats such as the Shellshock bug.

    We are vigilantly monitoring this situation and will take additional steps, as needed, to guard against the Shellshock bug and safeguard your information.

    Calls Claiming to Come from OneWest Bank’s Security Department:

    Recently, some of our customers have received telephone calls featuring a recorded message that claims to be from OneWest Bank’s Security Department. The recorded message asks the called party to enter their debit card number. These calls are not from OneWest Bank. The imposters placing these calls are engaging in a practice known as "vishing" or "voice phishing," through which they attempt to obtain a called party’s debit or credit card and security information.

    Do not become a victim! If you receive a call like the one described above, or any other suspicious phone call inquiring about your account(s) with OneWest, do not provide your card number(s) or security information. If you have any questions, please contact our Customer Call Center (at 1.877.741.9378) or use our branch locator to contact your local branch to report such activities.

    We are aware that there are companies engaging in telemarketing activities that will spoof (or manipulate) the caller ID to make it appear that the call is coming from OneWest Bank. These companies are performing this illegal activity for purposes of enticing the called party to pick up the phone, after which they proceed to pitch the service they are offering. We encourage any customer receiving this type of call or any other suspicious call in which the caller claims to be a representative of OneWest to ask for the name of the caller and then contact our Call Center (at 1.877.741.9378) or use our branch locator to contact their local branch to report such activities.

    If you receive a suspicious call from someone claiming to be OneWest Bank, please be vigilant and follow the guidelines below:

    1. Do NOT provide any personal information to these callers
    2. Contact OneWest Bank at 1.877.741.9378
    3. OneWest Bank has filed a complaint with the Federal Communications Commission (FCC), reference #14-T01346568, and will add the information you provide to our complaint.
    4. Customers can also file a complaint with the FCC, directly. The FCC can be reached at 1-888-CALL-FCC (888-225-5322) or www.fcc.gov/complaints (you can reference OneWest’s complaint ID # within your complaint to the FCC).

    Your online security is always a priority to OneWest Bank.
    Given the recent news of the Heartbleed bug, we want you to know what we're doing to protect your information.

    First, what is the Heartbleed Bug?
    The Heartbleed bug is a coding flaw that has potentially exposed information on some web sites, including user names and passwords.

    The best thing to do...
    This site is not vulnerable to Heartbleed. However, it’s a good idea to change your password regularly and turn on your Online Banking account alerts. Those, along with other online account tools, will add another layer of coverage to your account.

    Why you can feel confident.
    We're serious about security. Your online account with OneWest Bank is protected with a sophisticated information security program. Our multi-layered defense system consists of preventive, detective and response controls managed by a team dedicated to tracking threats such as the Heartbleed bug.

    You can be confident we are vigilantly monitoring this situation.

    Updated July 18, 2011

    The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of fraudulent emails that have the appearance of being from the FDIC.

    The emails appear to be sent from various "@fdic.gov" email addresses, such as "protection@fdic.gov," "admin@administration.fdic.gov," or "service@admin.fdic.gov." The messages have various subject lines that read: "Update for your banking account" or "ACH and Wire transfers disabled," and "Banking security update."

    The fraudulent emails are addressed to "Dear clients" and state "Your account ACH and Wire transactions have been temporarily suspended for your Security, due to the expiration of your security version. To download and install the newest Updates, follow this link. As soon as it is set up, your transaction abilities will be fully restored." The message concludes with, "Best regards, Online security department, Federal Deposit Insurance Corporation."

    An example of a fraudulent FDIC e-mail can be seen below:

    [Image: Fraudulent FDIC Emails]

    These emails and links are fraudulent and were not sent by the FDIC. Recipients should consider the intent of these e-mails as an attempt to collect personal or confidential information, or to load malicious software onto end users' computers. Recipients should NOT access the link provided within the body of the emails and should NOT, under any circumstances, provide any personal financial information through this media.

    Financial institutions and consumers should be aware that other subject lines and modifications to the e-mails may occur over time. The FDIC does not directly contact consumers in this manner nor does the FDIC request personal financial information from consumers.

    For more information about these fraudulent emails, click here to view the FDIC consumer alert website.

    A recent text message (SMS) scam has been identified in the banking industry in which online banking customers receive fraudulent text messages claiming to be from their financial institution.

    If you recently received the text message below on your mobile device, please delete it immediately and DO NOT call the telephone number or open any links. This message is an attempt to obtain your bank account number and was not sent by OneWest Bank.

    Fraudulent Text Message:
    Customer Issue, Bank of the West Service frozen, please call at 562-923-9916.

    If you believe that you've been the victim of online fraud, identity theft or a lottery scam, please notify us by either calling 1.877.331.3785 Monday through Friday, 8:00 a.m.– 9:00 p.m. (EST) or e-mail us at CorporateInvestigations@cit.com.

    Please include your name, e-mail address, telephone number and a detailed description.

    Don't be fooled by this e-mail scam!

    If you recently received the e-mail below claiming to be from IndyMac, please delete it immediately and DO NOT click on any links. This e-mail was not sent from IndyMac Mortgage Services or OneWest Bank, and it is an attempt to steal your personal information.

    Remember, we will never send you an e-mail with sensitive account information.

    An example of the fraudulent e-mail is shown below to help you identify this and other scams.

    [Image: Malware E-mail]

    If you believe that you've been the victim of online fraud, identity theft or a lottery scam, please notify us by either calling 1.877.331.3785 Monday through Friday, 8:00 a.m.– 9:00 p.m. (EST) or e-mail us at CorporateInvestigations@cit.com.

    Please include your name, e-mail address, telephone number and a detailed description.

    Don't be fooled by this e-mail scam!

    You may have received a fraudulent e-mail claiming that your access to "Online Services" with OneWest Bank has been suspended. This e-mail is false and was NOT sent by OneWest Bank.

    We have effectively prevented the scam from reaching further customers, but you may still be at risk if you already received it. If you received an e-mail with the subject line "Access Suspended" claiming to be from OneWest Bank, please DO NOT open it or click any of the links inside. Promptly delete the e-mail or mark it as "Spam."

    Remember, we will never send you an e-mail with sensitive account information.

    An example of the fraudulent e-mail is shown below to help you identify this and other scams.

    [Image: OWB Scam Alert]

    If you believe that you've been the victim of online fraud, identity theft or a lottery scam, please notify us by either calling 1.877.331.3785 Monday through Friday, 8:00 a.m.– 9:00 p.m. (EST) or e-mail us at privacyemail@owb.com.

    Please include your name, e-mail address, telephone number and a detailed description.

    Identity theft consists of any situation in which you have unintentionally given your information in a phishing or other identity theft scam or your information has been used by an unauthorized party to conduct transactions, business or other enterprises under your name.

    If you suspect that you may be a victim of identity theft, please contact the Federal Trade Commission immediately at http://www.consumer.ftc.gov/features/feature-0014-identity-theft or 1.877.IDTHEFT.

    Additionally, please take the following actions immediately to prevent damage to your finances and/or credit:

    1. Report it to your financial institutions. Let them know what has occurred and ask them to place fraud alerts on all your accounts. Contact OneWest Bank immediately by using the Notify Us link.
    2. Contact one of the three major credit bureaus and discuss placing fraud alerts on your file. This will help to prevent identity thieves from opening new accounts in your name:
      • Equifax: 1.800.525.6285
      • Experian: 1.888.397.3742
      • TransUnion: 1.800.680.7289
    3. Review your statements regularly to make certain all charges are correct. If your statement is late in arriving, call your financial institutions to find out why.

    We are committed to the security of your financial information. However, you must also take every step to ensure the safety and security of your accounts and transactions.

    How can I prevent identity theft?

    • Do not leave your account information where others can see or have access to it. For example, do not write down your password.
    • Do not use easy-to-guess passwords such as birth dates, first names, pet names, addresses, phone numbers or Social Security numbers (after initial registration) that can be easily obtained. Do not use a password that contains part of your online user ID, e-mail address, or a version of the word "password."
    • Do not use single words that can be found in the dictionary in any language. Strong passwords contain upper case and lower case letters, digits AND punctuation marks.
    • Never reveal or share your account access information with another person, including your builder or contractor. OneWest Bank will never ask you to confirm or provide personal information in an e-mail. Should anyone attempt to obtain your personal information, or if you have responded to one of these fraudulent e-mails, immediately contact us by using the Notify Us link.
    • At the end of your session, be sure to properly sign off by selecting "sign out" or "log off," and close your browser window. This is especially important if you are using a computer in a public location, such as an Internet café or library. Do not leave your computer unattended while you are connected.
    • For further information and practical tips from the federal government, to help protect you from Internet fraud, secure your computer, and protect your personal information, please visit http://onguardonline.gov/ and http://www.fdic.gov/quicklinks/consumers.html.

    OneWest Bank is dedicated to providing a safe, secure and protected environment in which to access your online accounts. Overall, online banking and e-commerce through OneWest are safe methods of managing your finances and mortgage, and you can trust that every transaction you make is protected. If you have questions or concerns regarding a specific contact from OneWest Bank, please let us know via our Notify Us link.

    Online fraud occurs when someone poses as a legitimate company to obtain your personal and financial information in order to illegally conduct transactions on your existing accounts. Often called "phishing" or "spoofing," the most current methods of online fraud are fake e-mails, websites and/or pop-up windows.

    OneWest Bank will never send an unsolicited request for personal information through e-mail or require customers to send personal information to us via e-mail or pop-up windows. Any unsolicited request for OneWest Bank account information you receive through e-mails, websites, or pop-up windows should be considered fraudulent and reported to us immediately via our Notify Us link.

    Fake e-mails will often:

    • Ask you for personal information. Fake e-mails often contain an overly-generic greeting and may claim that your information has been compromised, that your account has been frozen, or ask you to confirm the authenticity of your transactions.
    • Appear to be from a legitimate source. While some e-mails are easy to identify as fraudulent, others may appear to be from a legitimate address and trusted online source. However, you should not rely on the name or address in the "From" field, as this is easily altered.
    • Contain fraudulent job offers. Some fake e-mails appear to be from companies offering jobs. These are often work-at-home accounting positions which are actually schemes that victimize both the job applicant and other customers. Be sure to confirm that the job offer is from a known and trusted company.
    • Contain prizes or gift certificate offers. Some fake e-mails promise a prize or gift certificate in exchange for completing a survey or answering questions. In order to collect the alleged prize or gift certificate you may be directed to provide your personal information. Just like with job offers, be sure to confirm that the prize or gift certificate is being issued from a known and trusted company.
    • Link to counterfeit websites. Fake e-mails may direct you to counterfeit websites carefully designed to look real, but which actually collect personal information for illegal use. Check the URL in your browser’s address bar to ensure you are visiting a legitimate website.
    • Link to real websites. In addition to links to counterfeit websites, some fake e-mails also include links to legitimate websites as supplements to fraudulent e-mails in order to make them appear real.
    • Contain fraudulent phone numbers. Fake e-mails often contain telephone numbers that are tied to the fraudsters. Never call a number featured on an e-mail you suspect is fraudulent, and be sure to cross-check any numbers you do call with companies you know and trust.
    • Contain real phone numbers. Some of the telephone numbers listed in fake e-mails may be legitimate, connecting to actual companies. Just like with links to legitimate websites (above), fraudsters include real phone numbers in an effort to make the e-mail appear legitimate.

    Example of a fake email:

    [Image: Fake E-mail]

    Trojan horses

    These fake e-mails may also contain a virus known as a "Trojan horse" that can record your keystrokes. The virus may live in an attachment or be accessed via a link in the e-mail.

    Again, OneWest Bank customers should keep in mind that we do not request personal information via e-mail or send e-mail attachments. Never respond to e-mails, open attachments, or click on links from suspicious or unknown senders.

    If you're not sure whether a OneWest Bank e-mail is legitimate, report it to us via our Notify Us link without replying to the e-mail you received.

    How is my e-mail address obtained by online fraudsters?

    E-mail addresses can be obtained from publicly-available sources or through randomly-generated lists. Therefore, if you receive a fake e-mail that appears to be from OneWest Bank, this does not mean that your e-mail address, name or any other information has been taken from OneWest Bank's systems.

    Counterfeit websites

    Online thieves often direct you to fraudulent websites via e-mail and pop-up windows and try to collect your personal information. In many cases there is no easy way to determine that you are on a phony website because the URL will contain the name of the institution it is spoofing. However, if you type (or cut and paste) the URL into a new web browser window and it does not take you to a legitimate website, or you get an error message, it was probably a counterfeit website.

    Another way to detect a phony website is to consider how you arrived there. Generally, you were directed by a link in a fake e-mail requesting your account information. Again, OneWest Bank will not request personal information from customers via e-mail. Any unsolicited request should be considered fraudulent and reported immediately via our Notify Us link.

    How can I prevent online fraud?

    With a few simple steps, you can help protect your OneWest Bank accounts and personal information from fake e-mails and websites:

    • Delete suspicious e-mails without opening them. If you do open a suspicious e-mail, do not open any attachments or click on any links it may contain.
    • Never provide sensitive account or personal information in response to an e-mail. If you have entered personal information, notify OneWest Bank immediately via our Notify Us link.

    Avoiding malware:

    • Keep a “clean” machine: Set your security software, Internet browser, and operating system (like Windows or Mac operating systems) to update automatically. Ensure your Internet browser setting is set to detect unauthorized downloads.
    • Instead of clicking on a link in an e-mail, type the URL of the site you want directly into your Internet browser. Criminals send e-mails that may appear to be from known, trusted sources, but clicking them could download malware or send you to a spoofed site designed to steal your personal information.
    • Don’t open e-mail attachments unless you can confirm the sender and the content of the attachment.
    • Download and install software only from websites you know and trust.
    • StaySafeOnline.org and OnGuardOnline.gov contain user-friendly information on commonly used, free security software as well as safe computing best practices.

    Detecting and removing malware:

    • Update your security software, and then run it to scan your computer for viruses and spyware. Delete anything it identifies as a problem. You may have to restart your computer for the changes to take effect.
    • If your computer is covered by a warranty that offers free tech support, contact the manufacturer. Before you call, write down the model and serial number of your computer, the name of any software you've installed, and a short description of the problem.
    • Many companies – including some affiliated with retail stores – offer tech support on the phone, online, at their store, and in your home. Decide which is most convenient for you. Telephone and online help generally are the least expensive, but you may have to do some of the work yourself. Taking your computer to a store usually is less expensive than hiring a repair person to come into your home.
    • Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do differently to avoid it in the future.

    Updated January 15, 2009

    The Federal Deposit Insurance Corporation (FDIC) is warning consumers, businesses and financial institutions to be aware of fraudulent e-mails allegedly from the Federal Reserve Bank. The fraudulent e-mails claim that a phishing attack has affected the Fedwire system and that restrictions are in place. The e-mails further instruct recipients to click on links within the e-mail for additional information.

    The fraudulent e-mails have included various spoofed names and addresses in the "From:" line of the messages, including "Bank System Administration," "System Administration" and "Federal Reserve Bank." The e-mails contain the following message verbatim:

    [Image: Phishing Federal Reserve Scam]

    The message contains links to two Web pages that attempt to load malicious Trojan horse programs onto end users' computers.

    Please review these helpful guidelines on what to do when you have received unsolicited emails or clicked links within them:

    • If an end user received the e-mail and clicked on any of the links, fully scan the computer using updated anti-virus software. If malicious code is detected on the computer, consult with a computer security or anti-virus specialist to remove the malicious code or re-install a clean image of the computer system.
    • Be aware that phishing e-mails frequently have links to Web pages that host malicious code and software. Do not follow Web links in unsolicited e-mails from apparent federal banking agencies. Instead, bookmark or type the agency's Web address.
    • Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that security patches for the computer operating system and common software applications are installed.
    • Do not open unsolicited or unexpected e-mail attachments because of the risk of malicious code or software in the attachments. Instead, call the agency using a known and appropriate telephone number to verify the legitimacy of the message and attached file.
    • Be alert to different variations of the fraudulent e-mails.

    Information about counterfeit items, cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted electronically to alert@fdic.gov. Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at https://www2.fdic.gov/starsmail/index.asp.

    Lottery Scam

    A newly-discovered scam known as the "Lottery Scam" is not committed online or by e-mail, but by regular mail. Victims of lottery scams receive a letter declaring the recipient the winner of a lottery or sweepstake (usually British or Canadian). The letter refers to an enclosed check for a small portion of the winnings which is to cover tax, fees, and/or insurance. The recipient is instructed to contact the sender to negotiate the balance of their winnings, at which time personal information is requested to "verify" the recipient's identification. The enclosed check is not valid, and the request for identification information is an attempt at identity theft.

    How can I protect myself from lottery scams?

    Never provide sensitive account or personal information in response to such a letter. If you have already provided personal information, please contact your local law enforcement agency immediately. If you receive a similar letter and you are unsure about its validity, either contact law enforcement or the bank that issued the enclosed check.

    Forensic Mortgage Loan Audit Scam

    Similar to foreclosure rescue scams, forensic mortgage loan audit scams charge several hundred dollars to review distressed homeowners' loans to see if they may be able to use the audit report to avoid foreclosure, accelerate the loan modification process or even cancel the loan—none of which ever occur.

    Forensic mortgage loan audit scams will often:

    • Guarantee to stop foreclosure on your home.
    • Advise you to cease contact with your lender, lawyer or credit or housing counselor.
    • Charge a fee before providing any services and accept payment only by cashier’s check or wire transfer.
    • Encourage you to lease your home so you can buy it back at a later date.
    • Recommend that you make your mortgage payments directly to it, rather than your lender.
    • Urge you to transfer your property deed or title to it.
    • Offer to buy your house for cash at a fixed price that is inappropriate for the housing market.
    • Pressure you to sign papers you haven’t had a chance to read thoroughly or that you don’t understand.

    How can I protect myself from forensic mortgage loan audit scams?

    Never provide sensitive account or personal information to any company or individual that seems suspicious or displays one of the above warning signs. If you suspect you've encountered a forensic mortgage loan audit scam, please contact your local law enforcement agency immediately and visit the Federal Trade Commission website for information on how to report the illegal activity at www.ftc.gov.

    To notify us of online fraud, identity theft or a lottery scam, please call 1.877.331.3785 Monday through Friday, 8:00 a.m.– 9:00 p.m. (EST) or e-mail us at privacyemail@owb.com.

    Please include your name, e-mail address, telephone number and a detailed description.