PROTECT YOURSELF FROM E-MAIL SCAMS Identity theft and Internet fraud are a common conversation today. Chances are, at some point you will be subjected to some sort of a "phishing" scam. Phishing uses 'spoofed' e-mails and fraudulent web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted names of well-known banks, online retailers and credit card companies, phishers are able to convince up to five percent of recipients to respond to them. IMPORTANT TO NOTE: FirstMerit NEVER solicits confidential information like credit or debit card numbers through the Internet or e-mail without prior customer consent. We will never send e-mail which: Requires you to enter any personal information or account information directly into the e-mail or redirects you to a webpage that asks for that information since we already have that information on file. Threatens to close your account if you do not take the immediate action of providing personal information Asks you to reply by sending personal information or asks you to enter your User ID, password or account numbers into an e-mail or non-secure web page

EXAMPLE OF FRAUDULENT E-MAIL If you get an e-mail warning you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the e-mail. Instead, contact the company cited in the e-mail using a telephone number or Web site address you know to be genuine. If you receive any e-mail – from FirstMerit Bank or from any institution or individual – requesting personal or account information, please treat it as fraudulent and forward it to us at identitytheft@firstmerit.com. Please call us at 1-888-554-4362, option 3, option 3, for assistance. Specialists are available 24 hours a day, 7 days a week. Please also report suspicious activity to the Federal Trade Commission (FTC), the government agency responsible for investigating such crimes at uce@ftc.gov.

• Avoid e-mailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar (lower-right corner). It signals that your information is secure during transmission.
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than 3-4 days, call your credit card company or bank to confirm your billing address and account balances.
• Report suspicious activity to the Federal Trade Commission. Forward mail or spam to uce@ftc.gov.
• If you believe you've been scammed, file your complaint at http://www.ftc.gov/, and then visit the FTC's Identity Theft Web site (http://www.ftc.gov/id theft) to learn how to minimize your risk of damage from identity theft.
• Never provide account information to unsolicited telephone calls. FirstMerit will not ask for personal identification numbers (PINs) over the phone. If someone should ask for personal account information, pleasantly thank the caller and contact the company using a telephone number or e-mail address you know to be genuine.
• Use strong passwords. Passwords should have a combination of letters, numbers, and special characters.
• Change your passwords routinely, as a compromised password is an open invitation to fraud, identity theft, or both. Remember: you should always use a strong password.
• Don't open links in e-mails. Hackers frequently try to get information from individuals by sending e-mails asking for verification of account information. These deceptive e-mails may say that your bank account has been closed due to fraudulent activity or that it needs to be verified. If you ever receive an e-mail of this nature, do not open the attached files, and do not provide any personal information. FirstMerit Bank will never solicit your personal or account information through e-mail.
• Examine browser security settings. Make sure the security settings in your browser (Internet Explorer, for example) are set to provide an appropriate level of protection. Browser-based attacks can occur when a user visits a web page containing hidden code intended to sabotage a computer or compromise one’s privacy. Use the Help feature of your Internet browser program to familiarize yourself with the security features available for your particular browser, or visit the browser manufacturer's web site for more information.
1. Click on Tools on the menu bar.
2. Then click on Internet Options on the pull-down menu.
3. Click on Security.
• Avoid account and password reuse. For example, fraudulent individuals will use compromised Yahoo accounts against the top fifty banks in America hoping that the account and password is reused to access a financial e-commerce application.

Be wary of any seemingly legitimate e-mail request for account information, often under the guise of asking you to verify or reconfirm confidential personal information such as account number, Social Security Numbers, passwords or other sensitive information.

It's often hard to detect a fraudulent e-mail. That's because the e-mail address of the sender often seems genuine (such as support@yourbank.com), as do the design and graphics. But there are clear signs to be aware of. For example, fraudulent e-mails often try to extract personal information from you in one of two ways:

1. By luring you into providing it on the spot (e.g., by replying to the e-mail), or
2. Including links to a Web site that tries to get you to disclose personal data

Like the e-mail, a fraudulent Web site is designed to trick you into believing it belongs to a company you know by using its brands as domain names and/or its graphics. The ultimate goal of this fraud is to use your information to gain unauthorized access to your bank or financial accounts or to engage in other illegal acts.

Do not reply to any e-mail requesting your personal information, or one that sends you personal information and asks you to update or confirm it. If you receive an e-mail you are suspicious of, contact the company through an address or telephone number you know to be genuine. FirstMerit Bank will never send you any e-mail that requests your account information or asks you to verify a statement.

If you suspect you have provided confidential account or personal information to a fraudulent Web site, change your password immediately, monitor your account activity frequently and report any suspicious activity to the company.

The Department of Justice recommends following three simple rules when you see e-mails or Web sites that may be part of a phishing scheme: Stop, Look, and Call.

1. Stop. Phishers typically include upsetting or exciting (but false) statements in their e-mails with one purpose in mind. They want people to react immediately to that false information, by clicking on the link and inputting the requested data before they take time to think through what they are doing. Resist that impulse to click immediately. No matter how upsetting or exciting the statements in the e-mail may be, there is always enough time to check out the information more closely.

2. Look. Look more closely at the claims made in the e-mail, think about whether those claims make sense, and be highly suspicious if the e-mail asks for numerous items of your personal information such as account numbers, usernames, or passwords. For example:

• If the e-mail indicates that it comes from a bank or other financial institution where you have a bank or credit card account, but tells you that you have to enter your account information again, that makes no sense. Legitimate banks and financial institutions already have their customers' account numbers in their records. Even if the e-mail says a customer's account is being terminated, the real bank or financial institution will still have that customer's account number and identifying information.
• If the e-mail says that you have won a prize or are entitled to receive some special "deal," but asks for financial or personal data, there is good reason to be highly suspicious. Legitimate companies that want to give you a real prize don't ask you for extensive amounts of personal and financial information before you're entitled to receive it.

3. Call. If the e-mail or Web site purports to be from a legitimate company or financial institution, call or e-mail that company directly and ask whether the e-mail or Web site is really from that company. To be sure that you are contacting the real company or institution where you have accounts, credit card account holders can call the toll-free customer numbers on the backs of your cards, and bank customers can call the telephone numbers on your bank statements.

How does FirstMerit secure my information when I'm logged in? We use a variety of methods and technology to keep your confidential information out of the hands of online criminals.

1. When you log in to your online account, your password is encrypted and the characters are replaced with asterisks so no one can see your password. Any screen that displays or requests information about your account is also encrypted.
2. We store your User ID and password in our database in an encrypted format that even we cannot decode.
3. We have procedures in place so that when a customer contacts our call center, visits a banking center or banks online, we can verify their identity.

Following are several web sites where you can learn more about Internet security:

Federal Trade Commission http://www.ftc.gov/idtheft
Microsoft http://www.microsoft.com/security
Federal Deposit Insurance Corporation http://www.fdic.gov/bank/individual/online/safe.html
Anti-phishing.org http://www.antiphishing.org