Protecting Your Business from Fraud

Businesses and consumers both need to be aware of the computer-related crimes affecting them. A guide, developed by the Federal Deposit Insurance Corporation, provides cybersecurity information for business customers of financial institutions on how to safeguard their computer systems and data. The FDIC provides the following tips:

Protect computers and networks. Install security and antivirus software that protects against malware, or malicious software, which can access a computer system without the owner's consent for a variety of uses, including theft of information.

Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices, and online accounts: passwords that combine upper- and lower-case letters, numbers, and symbols, are hard to guess, and are changed regularly.

Control access to data and computers and create user accounts for each employee. Take measures to limit access or use of business computers to authorized individuals.

Teach employees the basics. Establish security practices and policies for employees, such as appropriate Internet usage guidelines, and set expectations and consequences for policy violations.

Train employees to be careful where and how they connect to the Internet. Employees and third parties should only connect to your network using a trusted and secure connection.

Train employees about the dangers of suspicious emails. Employees need to be suspicious of unsolicited e-mails asking them to click on a link, open an attachment, or provide account information.

Patch software in a timely manner. Software vendors regularly provide patches or updates to their products to correct security flaws and improve functionality.

Make backup copies of important systems and data. Regularly back up the data from computers used by your business.

Pay close attention to your bank accounts and watch for unauthorized withdrawals. Put in additional controls, such as confirmation calls before financial transfers are authorized with the financial institution.

Don't forget about tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your business's network.

Watch out for fraudulent transactions and bills. Scams can range from payments with a worthless check or fake credit or debit card to fraudulent returns of merchandise.

Educate yourself. To learn more about protecting your business, visit the "Stop. Think. Connect." resources for small businesses at http://www.dhs.gov/publication/stopthinkconnect-small-business-resources. The U.S. House of Representatives Small Business Committee recently released cybersecurity guides for small business.

 

Positive Pay

Cyber crime has become a fact of business life, but there are solutions available to protect your payment processing. Positive Pay services are some of the most effective tools to assist businesses in proactively identifying check and ACH transactions that may be fraudulent.
 
Check Positive Pay compares checks presented for payment on your account with the files you provide to us of the checks you have issued. If any mismatches in serial numbers or dollar amounts are detected, those suspect items are presented for your approval to pay or return.
 
Payee Match when added to Positive Pay identifies payee names that have been altered.
 
ACH Positive Pay ensures you have full control over the ACH transactions attempting to clear your account. Upon review, you can choose to pay or return the item. If the item is paid, you have the opportunity to add the payment to your list of approved ACH payment originators. You may also choose to block all ACH transactions from posting to your account.
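The matching logic behind the three Positive Pay services above, as an added example that is not Banner Bank's own code or file format: it takes a constructed issued-check file, a constructed batch of presented checks and ACH debits, and an approved-originator list, and returns the exception items a customer would be asked to pay or return. The record layouts and sample values are assumptions for illustration.

```python
"""Positive Pay style reconciliation (added example, not the bank's system).

Mirrors the matching the text describes: serial number and dollar amount
(Check Positive Pay), payee name (Payee Match), and an approved ACH
originator list with a block-all option (ACH Positive Pay).
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set


@dataclass(frozen=True)
class IssuedCheck:      # one row of the issued-check file (assumed layout)
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedCheck:   # one check presented for payment (assumed layout)
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:         # one ACH debit attempting to post (assumed layout)
    trace: str
    originator_id: str
    amount: Decimal


@dataclass(frozen=True)
class Suspect:          # an exception item held for the pay/return decision
    item_id: str
    reason: str


def normalize_payee(name: str) -> str:
    """Tolerate case, spacing and punctuation differences in payee names."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())


def check_positive_pay(issued: List[IssuedCheck], presented: List[PresentedCheck],
                       payee_match: bool = True) -> List[Suspect]:
    """Return presented checks that do not match the issued file.

    A serial presented a second time is held as a duplicate even though its
    first presentment matched.
    """
    issued_by_serial: Dict[str, IssuedCheck] = {c.serial: c for c in issued}
    seen: Set[str] = set()
    suspects: List[Suspect] = []
    for item in presented:
        expected = issued_by_serial.get(item.serial)
        if item.serial in seen:
            suspects.append(Suspect(item.serial, "duplicate presentment"))
        elif expected is None:
            suspects.append(Suspect(item.serial, "serial not in issued file"))
        elif expected.amount != item.amount:
            suspects.append(Suspect(item.serial, "amount mismatch: issued "
                                    f"{expected.amount}, presented {item.amount}"))
        elif payee_match and normalize_payee(expected.payee) != normalize_payee(item.payee):
            suspects.append(Suspect(item.serial, "payee name altered"))
        seen.add(item.serial)
    return suspects


def ach_review(debits: List[AchDebit], approved_originators: Set[str],
               block_all: bool = False) -> List[Suspect]:
    """Hold every ACH debit whose originator is not approved (or all, if block_all)."""
    held: List[Suspect] = []
    for d in debits:
        if block_all:
            held.append(Suspect(d.trace, "ACH blocked: all debits held"))
        elif d.originator_id not in approved_originators:
            held.append(Suspect(d.trace, f"originator {d.originator_id} not approved"))
    return held


# Constructed sample data, not real account activity.
SAMPLE_ISSUED = [
    IssuedCheck("1001", Decimal("500.00"), "ACME Supply"),
    IssuedCheck("1002", Decimal("1250.00"), "Northwind Traders"),
    IssuedCheck("1003", Decimal("75.25"), "Pacific Office Co."),
]
SAMPLE_PRESENTED = [
    PresentedCheck("1001", Decimal("500.00"), "Acme Supply"),          # matches
    PresentedCheck("1002", Decimal("12500.00"), "Northwind Traders"),  # amount raised
    PresentedCheck("1003", Decimal("75.25"), "J. Smith"),              # payee changed
    PresentedCheck("1004", Decimal("310.00"), "Cash"),                 # never issued
    PresentedCheck("1001", Decimal("500.00"), "Acme Supply"),          # presented twice
]
SAMPLE_DEBITS = [
    AchDebit("T-0001", "PAYROLLCO01", Decimal("8400.00")),
    AchDebit("T-0002", "UNKNOWNVEND9", Decimal("2199.00")),
]
APPROVED_ORIGINATORS = {"PAYROLLCO01"}

if __name__ == "__main__":
    for s in check_positive_pay(SAMPLE_ISSUED, SAMPLE_PRESENTED):
        print("check", s.item_id, "->", s.reason)
    for s in ach_review(SAMPLE_DEBITS, APPROVED_ORIGINATORS):
        print("ach", s.item_id, "->", s.reason)
```

Amounts are compared as `Decimal` rather than floats so that a presented amount of 1250.00 never fails to match 1250.00 from the issued file through rounding; the payee comparison deliberately ignores case and punctuation so that ordinary reading differences do not flood the exception list while a substituted payee still does.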
 
Positive Pay services are conveniently accessed through Business Online Banking and do not require a separate application. For more information regarding Positive Pay please contact Banner’s Treasury Management Services team at 877-856-7933.
 
Fraud Advisory

Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts.

Learn more

This product was created as part of a joint effort between the United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS‐ISAC).

Wire Transfers and Imposter Fraud: Are you sure where your payment is going?

At Banner Bank, we take your online banking security seriously, and when we see a trend affecting business clients, we want to raise awareness. 
 
We have recently seen an upswing in cases of impostor fraud, often with payment requests sent via wire transfer.  
 
Let’s say you receive an email from an officer at your organization, or maybe from the business owner, with instructions to send a payment via wire transfer that’s out of the ordinary – and very confidential.  You are not to say anything to anyone else about the request.  Or, you may get a phone call from one of your suppliers saying they’ve changed banks and need you to update their remittance information.   
 
Either one of these requests could be coming from an impostor posing as a member of your organization or as a current vendor.  
 
The best way to protect your accounts from impostor fraud is to implement a strong verification process. Below are several best practices your business should use to confirm payment instructions before transmitting wires from within online banking:
 

Verify the requester and the request.  If a request comes by mail, fax, or email, verify the request with a call back by phone, or even visit an internal requester in person to validate the request.  If the request comes by phone, verify the request using email — or never hesitate to ask a vendor to validate the change in writing.  Don’t use the contact information accompanying the request because it could be fraudulent, too.    

Use dual control effectively.  When processing wires using dual control in online banking, both the person initiating the wire and the person approving the wire must pay close attention to the details.  Rubber stamps are not allowed.  The best practice for initiators and approvers:  Verify before you initiate a wire and verify before you approve a wire.  

Monitor account activity carefully.  Review online account activity daily and immediately call our Treasury Management Support team at 1-877-856-7933 if you notice an unauthorized transaction.   

 

Business fraud is on the rise and tactics change rapidly. Having strong controls in place and educating your employees about the risks of business fraud can help you stay alert, keep your business safe and all of us one step ahead of the cyber criminals. 

E-mail Fraud Alert

Financial Services Information Sharing and Analysis Center (FS-ISAC) members and federal law enforcement agencies continue to report an increase in wire transfer fraud against U.S. businesses through a scam referred to as "Business E-mail Compromise" (BEC).

Learn more

This product was created as part of a joint effort between the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the United States Secret Service.

Best Practices for Safe Online Banking

The best way to avoid becoming a victim of a cyberheist is not to let computer crooks into the computers you use to access your organization’s bank accounts online. The surest way to do that is to maintain a clean computer: Start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach (explained in more detail below).

Use a dedicated system to access online banking. The dedicated machine should be restricted from visiting all but a handful of sites necessary to interact with the bank and manage the organization’s finances. This can be done using custom firewall rules and hosts files, or services like OpenDNS. Remember that the dedicated system approach only works if you *only* access your bank’s site from locked-down, dedicated machines. Making occasional exceptions undermines the whole purpose of this approach.

Never write down your passwords or user credentials. Post-it notes, index cards, etc. aren’t secure even if you think they might be out of sight under your keyboard or in unlocked drawers.
 
Don’t re-use your office computer password for other systems and services. Login credentials are continuously being stolen from systems that may be less secure, such as online shopping sites. Those credentials can be used to try to access important systems, like online banking or your office systems.

If possible, use something other than Microsoft Windows. Most malware only runs in a Microsoft Windows environment, so using a different operating system for the dedicated machine is an excellent way to drastically reduce the likelihood of becoming a cyberheist victim. A “live CD” is a free and relatively painless way to temporarily boot a Windows PC into a Linux environment. The beauty of this approach is that even if you fail to maintain a clean Windows PC, malicious software can’t touch or eavesdrop on your banking session while you’re booted into the Live CD installation. For more information on how to set up a live CD for a dedicated machine, see this primer.

Adjust email settings on a shared computer. If you must use a multi-purpose machine where you will check email, avoid clicking links in email (see previous tip). Also, set email to display without HTML formatting if possible.

If you installed it, patch it. Keep the operating system up-to-date with patches. It’s equally important to update the third-party software on your system, especially browser plugins. One leading cause of malware infections is exploit kits, which are attack tools stitched into hacked Web sites that exploit unpatched or undocumented vulnerabilities in widely-used browser plugins. Tools such as File Hippo’s Update Checker and Secunia’s Personal Software Inspector will alert you to new security updates available for third-party programs installed on your PC.

Remove any unneeded software from dedicated systems used to access online banking. In particular, unneeded plugins (such as Java) should be junked.

Avoid opening attachments in email that you were not expecting. Phishing emails with attachments may pose as notifications from a delivery service, e-commerce resource or law enforcement agency — just to name a few. Be particularly wary of emails that warn of some dire consequence unless you take action immediately. Phishing emails can look like a reputable communication from a person or company and usually include a link to click.

Use a bookmark to access online banking. Avoid “direct navigation,” which involves manually typing the bank’s address into a browser; a fat-fingered keystroke may send you to a look-alike phishing website.

If your financial institution offers it, consider taking advantage of ACH Positive Pay. Any item that meets the criteria you establish will automatically post to your account. Your company will be notified via email and/or text message of any rejected electronic item(s) that do not meet your filter criteria. Upon receipt of the rejected items, you can then return them or conveniently add filter criteria for future electronic transactions.

Require two people to sign off on every transaction. This fundamental anti-fraud technique can help block cyberheists (and employee fraud).

Remember that antivirus software is no substitute for common sense. A majority of today’s cyberheists begin with malware that is spread via email attachments. Many of these threats will go undetected by antivirus tools in the first few days.

A bossy business scam

August 25, 2014
by Nicole Vincent Fleming 
Consumer Education Specialist, FTC

You get an email from your boss’s boss requesting that you make a wire transfer to a new vendor. The email is marked urgent, so you ignore the 20 others that need your attention to take care of it. You handle wire transfers all the time, and you’ll definitely score points for responding so quickly, right? Maybe not.
In a recent scheme, sometimes called “masquerading,” a hacker poses as a senior executive and asks an employee to complete a financial transaction, like a confidential business investment or a payment to a vendor. Once money is wired to a bogus account, it can be nearly impossible to recover.
In fact, the scheme often goes undetected until the company’s fraud department raises an alarm, or company executives talk to each other about the “transfer” request. According to a recent bulletin from the Internet Crime Complaint Center (IC3), the average loss is $55,000, but some losses have exceeded $800,000.
In some cases, the emails are spoofed by making subtle changes, so it’s difficult to distinguish a fake address from a legitimate one. For example, john@example.com looks a lot like john@exanple.com. In other cases, the hackers break into an organization’s email system and send urgent requests from legitimate accounts.
Scammers like to mix it up. They may pose as vendors who have existing relationships with the company and send emails to “update” their account information. Some masqueraders try to commit this fraud on the phone, posing as the CFO, comptroller or CEO to intimidate an employee.
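A small sender-domain check that catches the look-alike addresses described above, as an added example that is neither the FTC's nor any vendor's tool. It classifies the domain in a From header against the organization's trusted domains and flags one-character typos (exanple.com), confusable-character swaps (rn for m, 1 for l) and a trusted name embedded in a longer domain. It does not help with the second case in the post, a legitimate account that has been broken into; that still needs the out-of-band verification the post recommends. The trusted domain, the confusable list and the sample headers are constructed assumptions.

```python
"""Lookalike sender-domain check for payment requests (added example)."""
from email.utils import parseaddr
from typing import Iterable

# Visually confusable substitutions (constructed list, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is a single-character typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Rewrite confusable sequences so rn/m, 1/l etc. compare equal."""
    out = domain
    for look, real in CONFUSABLES:
        out = out.replace(look, real)
    return out


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From header such as '"CEO" <ceo@exanple.com>'."""
    _name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(header_value: str, trusted_domains: Iterable[str]) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'unparseable'."""
    domain = sender_domain(header_value)
    if not domain:
        return "unparseable"
    trusted_list = [t.lower() for t in trusted_domains]
    for trusted in trusted_list:
        # Exact match or a genuine subdomain of a trusted domain.
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in trusted_list:
        if fold_confusables(domain) == fold_confusables(trusted):
            return "lookalike"          # e.g. exarnple.com, examp1e.com
        if edit_distance(domain, trusted) <= 1:
            return "lookalike"          # e.g. exanple.com, example.co
        if trusted in domain:
            return "lookalike"          # e.g. example.com.evil.net
    return "external"


# Constructed sample headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "john@example.com",
    '"John Doe" <john@exanple.com>',
    '"CEO" <ceo@exarnple.com>',
    "it@mail.example.com",
    "billing@example.com.evil.net",
    "news@gmail.com",
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(hdr, {'example.com'}):11} {hdr}")
```

In a mail gateway or a mailbox rule this verdict is only a prompt: a 'lookalike' result should route the message to the slow path the post describes (call the executive or vendor on a known number), and a 'trusted' result says nothing about whether that account itself has been taken over.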

Want to make sure your company doesn’t fall victim to a masquerade scam?  
1. Establish a multi-person approval process for transactions above a certain dollar threshold.
2. Implement a system that requires a valid purchase-order, along with approvals from a manager and finance officer, to spend money.
3. Circulate this blog post by email or in a staff meeting. It’s great with coffee and donuts.

In addition, share these tips with your colleagues:
- Confirm that any request to initiate a wire transfer is from an authorized source within the company.
- Double- and triple-check email addresses. 
- Slow down. Fraudsters pressure you to take action quickly so you don’t have time to think it through. Take time to verify any request — even an urgent one.
- Be suspicious of requests for secrecy. Speak to the executive on the phone or in person. If you still have doubts, speak to another senior executive.

If you think you may have encountered a masquerade scam, please report your experience at www.ic3.gov and ftc.gov/complaint.

Helpful Resources to Protect Your Business from Fraud

 

Federal Trade Commission - Malware 

Online Banking Best Practices for Businesses

Federal Trade Commission - Bossy Business Scam

'Masquerading': New Wire Fraud Scheme

FDIC - Identity Theft

Cybersecurity Guide for Businesses

identitytheft.gov

OnGuard Online - Featured Information for Small Businesses

U.S. House of Representatives Small Business Committee's Cybersecurity Guides for Small Business.