Protecting Your Business From Fraud

Businesses and consumers both need to be aware of the computer-related crimes affecting them. A guide, developed by the Federal Deposit Insurance Corporation, provides cybersecurity information for business customers of financial institutions on how to safeguard their computer systems and data. The FDIC provides the following tips:

Protect computers and networks. Install security and antivirus software that protects against malware, or malicious software, which can access a computer system without the owner's consent for a variety of uses, including theft of information.

Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices, and online accounts, using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess and are changed regularly.

Control access to data and computers and create user accounts for each employee. Take measures to limit access or use of business computers to authorized individuals.

Teach employees the basics. Establish security practices and policies for employees, such as appropriate Internet usage guidelines, and set expectations and consequences for policy violations.

Train employees to be careful where and how they connect to the Internet. Employees and third parties should only connect to your network using a trusted and secure connection.

Train employees about the dangers of suspicious emails. Employees need to be suspicious of unsolicited e-mails asking them to click on a link, open an attachment, or provide account information.

Patch software in a timely manner. Software vendors regularly provide patches or updates to their products to correct security flaws and improve functionality.

Make backup copies of important systems and data. Regularly back up the data from computers used by your business.

Pay close attention to your bank accounts and watch for unauthorized withdrawals. Put in additional controls, such as confirmation calls before financial transfers are authorized with the financial institution.

Don't forget about tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your business's network.

Watch out for fraudulent transactions and bills. Scams can range from payments with a worthless check or fake credit or debit card to fraudulent returns of merchandise.

Educate yourself. To learn more about protecting your business, visit the "Stop. Think. Connect." resources for small businesses at http://www.dhs.gov/publication/stopthinkconnect-small-business-resources.


You can download this brochure from the FDIC here.

Fraud Advisory

Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts.

Learn more

This product was created as part of a joint effort between the United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS-ISAC).

E-mail Fraud Alert

Financial Services Information Sharing and Analysis Center (FS-ISAC) members and federal law enforcement agencies continue to report an increase in wire transfer fraud against U.S. businesses through a scam referred to as "Business E-mail Compromise" (BEC).

Learn more

This product was created as part of a joint effort between the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the United States Secret Service.

Best Practices for Online Banking

The best way to avoid becoming a victim of a cyberheist is not to let computer crooks into the computers you use to access your organization’s bank accounts online. The surest way to do that is to maintain a clean computer: Start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach (explained in more detail below).

- Use a dedicated system to access the bank’s site. The dedicated machine should be restricted from visiting all but a handful of sites necessary to interact with the bank and manage the organization’s finances. This can be done using custom firewall rules and hosts files, or services like OpenDNS. Remember that the dedicated system approach only works if you *only* access your bank’s site from locked-down, dedicated machines. Making occasional exceptions undermines the whole purpose of this approach.

- If possible, use something other than Microsoft Windows. Most malware only runs in a Microsoft Windows environment, so using a different operating system for the dedicated machine is an excellent way to drastically reduce the likelihood of becoming a cyberheist victim. A “live CD” is a free and relatively painless way to temporarily boot a Windows PC into a Linux environment. The beauty of this approach is that even if you fail to maintain a clean Windows PC, malicious software can’t touch or eavesdrop on your banking session while you’re booted into the Live CD installation. For more information on how to set up a live CD for a dedicated machine, see this primer.

- If you must use a multi-purpose machine where you will check email, avoid clicking links in email (see previous tip). Also, set email to display without HTML formatting if possible.

- If you installed it, patch it. Keep the operating system up-to-date with patches. It’s equally important to update the third-party software on your system, especially browser plugins. One leading cause of malware infections is exploit kits, which are attack tools stitched into hacked Web sites that exploit unpatched or undocumented vulnerabilities in widely-used browser plugins. Tools such as File Hippo’s Update Checker and Secunia’s Personal Software Inspector will alert you to new security updates available for third-party programs installed on your PC.

- Remove any unneeded software from dedicated systems used to access the bank’s site. In particular, unneeded plugins (such as Java) should be junked.

- Avoid opening attachments in email that you were not expecting. Be particularly wary of emails that warn of some dire consequence unless you take action immediately.

- Use a bookmark to access the bank’s site. Avoid “direct navigation,” which involves manually typing the bank’s address into a browser; a fat-fingered keystroke may send you to a look-alike phishing Web site or one that tries to foist malicious software.

- Remember that antivirus software is no substitute for common sense. A majority of today’s cyberheists begin with malware that is spread via email attachments. Many of these threats will go undetected by antivirus tools in the first few days.

- If your financial institution offers it, consider taking advantage of ACH Positive Pay. Any item that meets the criteria you establish will automatically post to your account. Your company will be notified via email and/or text message of any rejected electronic item(s) that do not meet your filter criteria. Upon receipt of the rejected items, you can then return them or conveniently add filter criteria for future electronic transactions.

- Require two people to sign off on every transaction. This fundamental anti-fraud technique can help block cyberheists (and employee fraud).


From Krebs on Security

A bossy business scam

August 25, 2014
by Nicole Vincent Fleming 
Consumer Education Specialist, FTC

You get an email from your boss’s boss requesting that you make a wire transfer to a new vendor. The email is marked urgent, so you ignore the 20 others that need your attention to take care of it. You handle wire transfers all the time, and you’ll definitely score points for responding so quickly, right? Maybe not.

In a recent scheme, sometimes called “masquerading,” a hacker poses as a senior executive and asks an employee to complete a financial transaction, like a confidential business investment or a payment to a vendor. Once money is wired to a bogus account, it can be nearly impossible to recover.

In fact, the scheme often goes undetected until the company’s fraud department raises an alarm, or company executives talk to each other about the “transfer” request. According to a recent bulletin from the Internet Crime Complaint Center (IC3), the average loss is $55,000, but some losses have exceeded $800,000.

In some cases, the emails are spoofed by making subtle changes, so it’s difficult to distinguish a fake address from a legitimate one. For example, john@example.com looks a lot like john@exanple.com. In other cases, the hackers break into an organization’s email system and send urgent requests from legitimate accounts.

Scammers like to mix it up. They may pose as vendors who have existing relationships with the company and send emails to “update” their account information. Some masqueraders try to commit this fraud on the phone, posing as the CFO, comptroller or CEO to intimidate an employee.

Want to make sure your company doesn’t fall victim to a masquerade scam?  
1. Establish a multi-person approval process for transactions above a certain dollar threshold.
2. Implement a system that requires a valid purchase-order, along with approvals from a manager and finance officer, to spend money.
3. Circulate this blog post by email or in a staff meeting. It’s great with coffee and donuts.

In addition, share these tips with your colleagues:
- Confirm that any request to initiate a wire transfer is from an authorized source within the company.
- Double- and triple-check email addresses. 
- Slow down. Fraudsters pressure you to take action quickly so you don’t have time to think it through. Take time to verify any request — even an urgent one.
- Be suspicious of requests for secrecy. Speak to the executive on the phone or in person. If you still have doubts, speak to another senior executive.
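The "double- and triple-check email addresses" tip and the exanple.com spoofing example above both come down to the same check: is the sender's domain exactly one the business trusts, or merely a near-miss of one? The following Python script is an added example, not part of the FTC post or any FTC tool. It automates that check for a finance team's inbox by flagging three kinds of look-alike: typo domains within two edits of a trusted one, domains built from confusable characters (rn for m, 0 for o, 1 for l), and trusted names embedded in a longer, unrelated domain. The trusted-domain list and all sample addresses are constructed for the demonstration.

```python
"""Flag sender addresses whose domain is a near-miss of a trusted domain.

Added example for the "masquerading" tips; the trusted domains and the
sample addresses are constructed, not taken from any real organisation.
"""

# Constructed: domains this business legitimately exchanges payment mail with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Character sequences commonly swapped in look-alike domains. Applied after
# lowercasing; multi-character pairs come first so "rn" collapses before "n"
# could be considered on its own.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable character sequences so exarnple.com == example.com."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or a bare 'user@host'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    if "@" not in addr:
        raise ValueError(f"no @ in address: {address!r}")
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify(address: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", f"{domain} is on the trusted list"
    for t in trusted:
        # example.com.payments-portal.net: the trusted name is only a prefix label
        if t in domain:
            return "lookalike", f"{domain} embeds trusted domain {t}"
        # exarnple.com, examp1e.com: confusable characters
        if normalize(domain) == normalize(t):
            return "lookalike", f"{domain} uses confusable characters for {t}"
        # exanple.com: one or two typos away from a trusted domain
        if levenshtein(domain, t) <= 2:
            return "lookalike", f"{domain} is within 2 edits of {t}"
    return "unknown", f"{domain} is not a trusted domain"


if __name__ == "__main__":
    # Constructed sample senders a finance mailbox might see.
    samples = [
        "john@example.com",
        "john@exanple.com",
        "CEO <ceo@exarnple.com>",
        "Jane Doe <jane@acme-supplies.com>",
        "billing@example.com.payments-portal.net",
        "x@unrelated.org",
    ]
    for s in samples:
        verdict, reason = classify(s)
        print(f"{verdict:9} {s:45} {reason}")
```

A "lookalike" verdict should block the request until the sender is confirmed by phone or in person, as the tips above recommend; "unknown" is not proof of fraud, only a prompt to apply the same verification before any transfer. The edit-distance threshold of 2 is an assumption chosen for this demo: short trusted domains may need a threshold of 1 to avoid flagging legitimate neighbours.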

If you think you may have encountered a masquerade scam, please report your experience at www.ic3.gov and ftc.gov/complaint.

Helpful Resources to Protect Your Business from Fraud

Federal Trade Commission - Malware 

Online Banking Best Practices for Businesses

Federal Trade Commission - Bossy Business Scam

'Masquerading': New Wire Fraud Scheme

FDIC - Identity Theft

Cybersecurity Guide for Businesses

identitytheft.gov

OnGuard Online - Featured Information for Small Businesses