Computer Safety Guidelines To help control your risk when conducting business online; here are some steps you can take. General Computer Security Control physical access to your personal computer (PC); to help prevent unauthorized persons from using your PC Select passwords that would be difficult for others to guess and change them frequently Do not give your passwords to anyone; do not save passwords on your website or leave written notes with your password near your PC Always close your browser or select Exit after using a secure website When your computer is not in use, shut it down or disconnect from the Internet Do not access the Internet without first enabling an updated firewall Ensure accounts used to access the internet only have the minimum privileges required; for example, do not use admin accounts to do your daily work; accounts with admin level rights allow viruses and malware to install themselves onto your PC Keep all applications up-to-date with the latest versions and patches – Examples: Adobe, Java, operating system (OS), web browser, etc. What are Computer Viruses? A computer virus is a program or piece of code that can copy itself and be loaded onto your computer without your knowledge. Examples of computer viruses are "worms" and "Trojan horses". What are Spyware Programs? Spyware is computer software that may monitor and collect your keystrokes and send personal information to third parties without your consent.

Virus & Spyware Management Install anti-virus and anti-spyware management software on your PC and use it regularly Keep your anti-virus/anti-spyware software up-to-date Be cautious when downloading and running programs as they may contain unsecure data which cannot be filtered Use extreme caution when opening email received from unknown sources and do not launch or open any attachment from an unknown source; When in doubt . . . delete it without opening it Tips to consider if you suspect your computer has a virus program and/or spyware software Make sure your anti-virus and anti-spyware software has the most recent updates; if you are unsure how to do this please contact your software maker(s) Run a complete scan using your updated anti-virus and/or anti-spyware software – this should be done on a regular basis going forward Possible next steps if your software has identified "virus/spyware," on your computer Remove the virus program and/or spy-ware software Change your FirstMerit Online Banking password Place a fraud alert on your credit report – for instructions and to learn more about how to shield yourself from identity theft, call the Federal Trade Commission (FTC) at 1-877-ID-THEFT (1-877-438-4338), or visit the FTC's Indentity Theft website Get a copy of your credit report and check for any discrepancies Have your computers professionally serviced to keep all applications protected Report any pop-ups in online banking, or any suspicious account activity, to us immediately by calling 1-888-554-4362, option 3, option 3 or email us at identitytheft@firstmerit.com Contact any other financial companies that you do business with online

There is an increase in identity theft fraud being conducted over the telephone, voice mail, and text messaging. This technique, known as "vishing" or "vioching" uses voice response telephone systems to deceive consumers into revealing personal data.

How It Works:
An automated system or live user on the phone may report an urgent problem with one of your accounts that requires you to validate your personal information, such as account numbers, credit card details, PINs, Social Security Numbers, etc.

Additionally, people may receive a text message, voice mail or email "alert" urging them to respond to a security concern by dialing a given number (which is not the actual financial institution's number) and verifying their account details.

What Should You Do?

1. If you receive an urgent phone call or message referencing an account you hold and are asked to provide or confirm any personal information, do not answer the questions
2. End the call immediately and contact your bank directly using a telephone number from a statement, the back of a debit/credit card, or from a telephone book

• Avoid emailing personal and financial information; before submitting financial information through a website, look for the "lock" icon on the browser's status bar (lower-right corner); this icon signals that your information is secure during transmission
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges; if your statement is late by more than 3-4 days, call your credit card company or bank to confirm your billing address and account balances
• Report suspicious activity to the Federal Trade Commission(FTC) – forward suspicious email(s) or spam to uce@ftc.gov
• If you believe you have been scammed, file your complaint at http://www.ftc.gov/ – then visit the FTC's Identity Theft website to learn how to minimize your risk of damage from identity theft
• Never provide account information to unsolicited telephone calls; if someone should ask for personal account information, pleasantly thank the caller and contact the company using a telephone number or email address you know to be genuine – FirstMerit will not ask for personal identification numbers (PINs) over the phone
• Use strong passwords – passwords should have a combination of letters, numbers, and special characters
• Change your passwords routinely, as a compromised password is an open invitation to fraud, identity theft, or both
• Don't open links in emails; hackers frequently try to get information from individuals by sending emails asking for verification of account information; these deceptive emails may say that your bank account has been closed due to fraudulent activity or that it needs to be verified; if you ever receive an email of this nature, do not open the attached files, and do not provide any personal information – FirstMerit Bank will never solicit your personal or account information through email
• Avoid account and password reuse – for example, fraudulent individuals will use compromised Yahoo accounts against the top fifty banks in America hoping that the account and password is reused to access a financial e-commerce application
• Examine browser security settings; make sure the security settings in your browser (Internet Explorer, for example) are set to provide an appropriate level of protection; use the Help feature of your Internet browser program to familiarize yourself with the security features available for your particular browser – follow the below steps to check your browser's level of protection:
1. Click on Tools on the menu bar
2. Then click on Internet Options on the pull-down menu
3. Click on Security

Protect yourself from Email scams Identity theft and Internet fraud are a common conversation today. Chances are, at some point you will be subjected to some sort of a "phishing" scam. Phishing uses 'spoofed' emails and fraudulent web sites designed to fool recipients into sharing personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted names of well-known banks, online retailers and credit card companies, phishers are able to convince up to five percent of recipients to respond to them. Important Note: FirstMerit NEVER solicits confidential information like credit or debit card numbers through the Internet or email without prior customer consent. We will never send email which: Requires you to enter any personal information or account information directly into the email or send you to a webpage that asks for that information since we already have that information on file Threatens to close your account if you do not take the immediate action of providing personal information Asks you to reply by sending personal information or asks you to enter your User ID, password or account numbers into an email or non-secure web page Example of a Fraudulent Email If you receive any email from FirstMerit Bank or from any institution or individual requesting personal or account information, treat it as fraudulent and take this action: Forward the email to us at identitytheft@firstmerit.com Call us at 1-888-554-4362, option 3, option 3 Report suspicious activity to the Federal Trade Commission (FTC), the government agency responsible for investigating such crimes at uce@ftc.gov

How to Recognize Fraudulent Emails Be wary of any seemingly legitimate email request for account information, often under the guise of asking you to verify or reconfirm confidential personal information such as account number, Social Security Numbers, passwords or other sensitive information. It's often hard to detect a fraudulent email. That's because the email address of the sender often seems genuine (such as support@yourbank.com), as do the design and graphics. But there are clear signs to be aware of. For example, fraudulent emails often try to extract personal information from you in one of two ways: By luring you into providing it on the spot (e.g., by replying to the e-mail); or Including links to a website that tries to get you to disclose personal data Like the email, a fraudulent website is designed to trick you into believing it belongs to a company you know by using its brands as domain names and/or its graphics. The ultimate goal of this fraud is to use your information to gain unauthorized access to your bank or financial accounts or to engage in other illegal acts. Do not reply to any email requesting your personal information, or one that sends you personal information and asks you to update or confirm it. If you receive an email you are suspicious of, contact the company through an address or telephone number you know to be genuine. FirstMerit Bank will never send you any email that requests your account information or asks you to verify a statement. If you suspect you have provided confidential account or personal information to a fraudulent website, change your password immediately, monitor your account activity frequently and report any suspicious activity to the company.

The Department of Justice recommends following three simple rules when you see emails or websites that may be part of a phishing scheme: Stop, Look, and Call.

1. Stop – Phishers typically include upsetting or exciting (but false) statements in their emails with one purpose in mind. They want people to react immediately to that false information, by clicking on the link and inputting the requested data before they take time to think through what they are doing. Resist that impulse to click immediately. No matter how upsetting or exciting the statements in the email may be, there is always enough time to check out the information more closely.

2. Look – Look more closely at the claims made in the email, think about whether those claims make sense, and be highly suspicious if the email asks for numerous items of your personal information such as account numbers, usernames, or passwords. For example:

• If the email indicates that it comes from a bank or other financial institution where you have a bank or credit card account, but tells you that you have to enter your account information again, that makes no sense. Legitimate banks and financial institutions already have their customers' account numbers in their records. Even if the email says a customer's account is being terminated, the real bank or financial institution will still have that customer's account number and identifying information.
• If the email says that you have won a prize or are entitled to receive some special "deal," but asks for financial or personal data, there is good reason to be highly suspicious. Legitimate companies that want to give you a real prize don't ask you for extensive amounts of personal and financial information before you're entitled to receive it.

3. Call – If the email or website purports to be from a legitimate company or financial institution, call or email that company directly and ask whether the email or website is really from that company. To be sure that you are contacting the real company or institution where you have accounts, credit card account holders can call the toll-free customer numbers on the backs of your cards, and bank customers can call the telephone numbers on your bank statements.

How does FirstMerit secure my information when I'm logged in?

• When you log in to your online account, your password is encrypted and the characters are replaced with asterisks so no one can see your password; any screen that displays or requests information about your account is also encrypted
• We store your User ID and password in our database in an encrypted format that even we cannot decode
• We have procedures in place so that when a customer contacts our call center, visits a banking center or banks online, we can verify their identity

Below are several websites where you can learn more about Internet security:

• Federal Trade Commission – www.ftc.gov/idtheft
• Microsoft – www.microsoft.com/security
• Federal Deposit Insurance Corporation – www.fdic.gov/bank/individual/online/safe.html
• Anti-Phishing Working Group (APWG) – www.antiphishing.org

FirstMerit has taken steps to protecting your online banking information; however, we need you to be alert to items that are out of the ordinary. Below are tips to consider, if you encounter any issues please contact us using the information provided below.

• When logging into our Online Banking site, be sure the personal image you have selected is the correct one; if the image is missing from the login process you should not provide any further information on the webpage
• After successfully logging into Online Banking, be sure to check the timestamp for the last successful and unsuccessful logins
• If your secret questions are not the ones that you entered when setting up your account, do not fill out any information
• Change your password periodically and use non-dictionary words and passwords that you do not use to login to other websites

Contact Information

• Email us at identitytheft@firstmerit.com
• Call us at 1-888-554-4362, option 3, option 3