Online Security

Protecting your information is important to us.

Here's how to protect your account and identity.

Secure your BancFirst account

Take precautions online

Financial education resources

Let's work together to secure your BancFirst accounts.

When bank employees are working with a customer over the phone, several steps must be taken to validate or authenticate the identity of the customer. To expedite the process, ask your local bank representative to set up an authentication code and register your cell phone number.

BancFirst's Debit Card Controls allow you to help safeguard your debit card from fraud by blocking authorizations, setting alerts, establishing spending limits, and controlling transaction types.

Set up mobile banking alerts and notifications on our online banking page. Alerts can notify you on low balance, large withdrawal, loan payment date and more.

Social Engineering

Fraudsters use multiple techniques to manipulate a victim into disclosing information or taking a specific action. Or, as the FBI has stated, “… social engineering—or, more bluntly, targeted lies designed to get you to let your guard down.”

Social engineering is the use of deception, through manipulation of human behavior, to target and manipulate you into divulging confidential or personal information and using it for fraudulent purposes. In the context of information security, social engineering might also mean psychologically manipulating people to take action to inadvertently give adversaries access to protected information or assets.

Common social engineering attacks:

  • Phishing – Emails claim they are from a trusted source
  • Technical Support Phone Calls – Phone calls trying to obtain passwords or install software
  • Business Email Compromise – Fraudsters using your email to attempt fraud
  • Social Media Fake Users – Using social media to gain trust with you or customers


Fraudsters are attempting to:

  • Gain access to your computer to introduce malware, such as ransomware
  • Attempt ACH or wire fraud
  • Obtain sensitive information
  • Pursued you to send them money through gift card


How to not fall victim to social engineering:

  • Do not give out personal information , such as account numbers or credit card information, unless you have initiated the conversation or activity (i.e. visited a specific website) unless you have initiated the conversation or activity
  • Do not give your username or password to anyone
  • An unsolicited call from a technician should never result in you installing software on your device.

Mobile Phone Security 

There are an estimated 294 million smartphone users in the US, making these devices an attractive target for cybercriminals. The threats are basically the same as on your desktop PC or laptop, but mobile devices are usually turned on all the time, you carry them with you, and the text feature creates an added layer of vulnerability.   

What are some mobile threats?

Mobile Spyware

Spyware is a type of malicious software that monitors and records information about a user's actions without the user's knowledge or permission. Once the victim of the malware attack has been affected by mobile spyware, the intruder is able to listen in on conversations, access data stored on the mobile device, and can even tap into the device’s camera and microphone.

Mobile Banking Trojans

This invasive malware hacks into your mobile banking app in an attempt to steal information and money from your bank account. Anyone who has a mobile banking application installed on their mobile device is at risk of falling victim to these trojans, however Android users are at a higher risk of being attacked. Mobile trojans are hard to detect because they are disguised as legitimate applications.

SMS Malware

SMS malware can affect any device that is able to receive calls and/or text messages and is installed by sending unauthorized calls or texts without the victim’s knowledge. This malware may also intercept text messages or calls without the user’s consent.

How to protect your Mobile Device:

1.    Keep your phone operating system up to date; install the latest version when prompted.
2.    Keep all of your apps up to date.
3.    Use strong device authentication. Additionally, enable two-factor authentication on apps and websites when available.  
4.    Use secure networks.  Avoid public or unknown Wi-Fi systems. 
5.    Install security software often offered by your cellular carrier. 


These are other resources to consider:

1.    CISA-Capacity-Enhancement-Guide-Mobile-Device-Cybersecurity-Checklist-for-Consumers

2.    Mobile-Devices-Best-Practices

Authentication – Secure Sensitive Online Information

Hackers have published over 555 million stolen passwords on the dark web. And 80% of hacking incidents are caused by stolen or reused login information. Authentication to online applications is a serious concern to anyone who uses the Internet.

Multifactor Authentication – a safer way to sign in you your online accounts. Authentication is the mechanism that a website or application uses to verify who you are and what access you have. Simple authentication is in the form of a Username and Password – the same information that is stolen on the dark web. Multifactor Authentication (MFA) provides an added layer of security to your accounts by requiring a second method of verification after you enter your password. The second level verification often comes via text providing a one-time passcode to further validate your credentials. How to protect your online access:

  1. Do not share your username and password with anyone. Many scams include a “technician” who calls and asks for your username and password to help you with a site. Do not share information giving anyone access to your personal information.  

  2. Use a password phrase for extra security. For example, use a long title of a movie replacing and capitalizing different letters: CatchM3ifyouc@n.

  3. Use a password manager app to store and manage your passwords. These applications can maintain your list of username and passwords with different websites.

  4. Do not use the same password on multiple sites. A common username is an email address. If you use the same email address and password, this will give a hacker access to all those websites or applications.

  5. If given the option, use multifactor authentication.









Business Email Compromise


Business E-mail Compromise (BEC) is a sophisticated scam commonly targeting businesses through spoofed email accounts in order to modify or generate fund transfers, such as wires or ACH, so that the funds arrive at the scammer’s bank account or money mule account!

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

•    A vendor your company regularly deals with sends an invoice with an updated mailing address.

•    A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.

•    A homebuyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.



Step 1: Identify a Target

Organized crime groups target U.S. and European businesses, exploiting information available online to develop a profile on the company and its executives.

Step 2: Grooming

Spear phishing e-mails and/or telephone calls target victim company officials (typically an individual identified in the finance department).

Perpetrators use persuasion and pressure to manipulate and exploit human nature.

Grooming may occur over a few days or weeks.

Step 3: Exchange of Information

The victim is convinced he/she is conducting a legitimate business transaction. The unwitting victim is then provided wiring instructions.

Step 4: Wire Transfer

Upon transfer, the funds are steered to a bank account control by the organized crime group.

*Note: Prepetrators may continue to groom the victims into transferring more funds.


Scammer might:

Spoof an email account or website. Slight variations on legitimate addresses ( vs. fool victims into thinking fake accounts are authentic.

Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.

Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

  • Be wary of e-mail-only wire transfer requests and requests involving urgency
  • Establish a reliable phone number of the entity you are doing business with and call them confirming your wiring or transaction information. 
  • Don’t click on anything in an unsolicited email or text asking you to update or verify account information.  Use a known good phone number to verify with the company if the request is legitimate.
  • Inspect the email for a mimicked e-mail addresses
  • Use multi-level authentication



We go online for everything from shopping and communicating to banking and bill paying. While the benefits of more convenient services are clear, the strategies for preventing online fraud and theft may not be as well-known. We want you to be aware of fraudulent situations so you can make informed online decisions.

Please view the FDIC's Consumer Assistance Topics page on CyberSecurity:

The FDIC's Consumer Assistance Topics page provides tips on how to best protect your identity:

Mastercard's provides ID Theft protection services to its debit card holders. The service alerts when personal information, such as your Social Security number, debit card number or and email address, is known to be compromised.

Your Guide to Preventing and Managing Overdraft Fees explains options to help you prevent overdrafts.

Learn helpful ways to manage your money from the FDIC.

FDIC Money Smart -
FDIC Consumer News -
Home Ownership through Ginnie Mae and Freddie Mac 

Other Helpful Links
FDIC Electronic Deposit Insurance Estimator

Online & Mobile Banking

Manage your money anywhere, anytime with online and mobile banking.

  • Up-to-the-minute account updates
  • Transfer funds and pay bills
  • Deposit checks from your phone

Customer Service
Outside Oklahoma
Hours of Operation
  • M-F: 7 a.m.-10 p.m.
  • Sat: 8 a.m.-10 p.m.
  • Sun: Noon-10 p.m.

Open all holidays except Easter, Thanksgiving, and Christmas.