Online Security
Corporate Account Takeover is a form of identity theft in which criminals steal your valid online banking credentials. The attacks are usually stealthy and quiet. Malware introduced into your systems may go undetected for weeks or months. Account-draining transfers using stolen credentials may happen at a time when they are not noticed for a day or two. Follow these sound business practices to protect your company:
- Use Layered System Security. Create layers of firewalls, anti-malware software and encryption. One layer of security might not be enough. Install robust anti-malware programs on every workstation and laptop. Keep them updated.
- Manage the security of online banking with a single, dedicated computer used exclusively for online banking and cash management. This computer should not be connected to your business network, should not retrieve any email messages, and should not be used for any online purpose except banking.
- Educate your employees about cybercrimes. Make sure your employees understand that just one infected computer can lead to an account takeover. Make them very conscious of the risk, and teach them to ask the question: "Does this email or phone call make sense?" before they open attachments or provide information.
- Block access to unnecessary or high-risk websites. Prevent access to any website that features adult entertainment, online gaming, social networking or personal email. All such sites can inject files into your network.
- Establish separate user accounts for every employee accessing financial information, and limit administrative rights. Many malware programs require administrative rights to the workstation and network in order to steal credentials. If your user permissions for online banking include administrative rights, don't use those credentials for day-to-day processing.
- Use approval tools in cash management to create dual control on payments. Requiring two people to issue a payment – one to set up the transaction and a second to approve the transaction – doubles the chances of stopping a criminal from draining your account.
- Review or reconcile accounts online daily. The sooner you find suspicious transactions, the sooner the theft can be investigated.
Mobile Security
The most important step in Mobile Banking security is treating your company mobile devices like portable computers. A few common-sense precautions will help protect you from fraud and theft:
- Require a password. Set the phone to require a password to power on the handset or wake it from sleep mode. If it's lost or stolen, any confidential information stored on the device will be more difficult to access.
- Avoid auto log-ons. Whether you're using the mobile Web or a mobile client, don't let it automatically log you in to company bank accounts. Otherwise, if your phone is lost or stolen, someone will have free access to your money.
- Memorize your passwords. Don't save your password, account number, PIN, answers to secret questions or other such information on the mobile device.
- Immediately tell your bank or mobile operator if you lose your phone. The sooner you report the loss, the better protected you are from fraudulent transactions.
- Stay virus-free. Download and install antivirus software for your mobile device, according to the manufacturer's recommendations.
- Be careful when downloading Apps. Downloads should always be from a trusted and approved source, and endorsed by your mobile device provider.
- Avoid "free offers" and "free ringtones." An email or instant message that offers free software downloads, such as ringtones, may contain viruses or malware.
- Know your sender. Be cautious of emails or text messages from unknown sources asking you to update, validate or confirm your personal details, including password and account information. Don't reply to text messages from people or places that you do not know.
- Guard your phone. Treat your mobile device as carefully as you would your wallet, cash or credit cards.
- Keep track of account transactions. Review your bank statements as regularly as possible to rule out the chances of fraudulent transactions. If you notice discrepancies, contact your bank immediately.
- Surf securely. Only use Wi-Fi on your device when connected to password-protected hotspots. Turn off any auto-connect features. They might cause your phone to log into insecure wireless networks without your knowledge.
- Always log out. Make sure you log out of social networking sites and online banking when you've finished using them.
- Use security updates. Install operating system updates for your device as they become available; they often include security updates.
- Always delete. Before you upgrade or recycle your device, delete all personal/business details.
Mobile Banking is a very useful tool for your business. By using common sense, it can also be a safe and secure part of your daily operations.
Beware of Social Engineering
"Social Engineering" is any method of theft that manipulates human nature in order to gain access to your online financial accounts. No business is immune to the risks of Social Engineering attacks, and thieves will go to great lengths to lower your guard. Here are a few ways you can protect yourself from thieves using Social Engineering techniques:
- Don't allow unfamiliar visitors into any area with network access. Thieves often pose as vendors, service providers or even firefighters conducting an inspection, in order to gain physical access to your network. It only takes a few seconds for them to plug in a thumb drive that installs keystroke logging software. Legitimate technicians or officers will have I.D. beyond a logo shirt or uniform to back up their claim, and should be verified independently.
- Be cautious about letting visitors use a workstation or plug into your network. A request to "check my email" or "download that sales brochure" might seem innocent enough. But this is a favorite tactic of Social Engineers to gain access to your network and leave monitoring software or hardware behind.
- Control access to your facility. Whatever type of business you are in, there should be barriers between public and private back office areas. Doors leading into back offices from public areas should be locked. Doors to outdoor smoking areas should be locked. Visitors to back office areas should always be accompanied by a trusted employee.
- Don't assume that an unsolicited phone call or email is actually from a trusted source. Thieves can research your business relationships or donations, then pose as a vendor or charity you trust. They can even pose as another company employee needing help. Again, verify before providing any confidential information.
- Remember, unexpected email attachments should be treated with great caution. Common and popular files like PDFs, JPGs and spreadsheets can provide a platform for installing viruses or keystroke-logging malware on your computer. If you aren't certain the file came from a legitimate business, charity or person, don't open it without verifying. Call them and ask if they sent an email with an attachment.
- Verify, verify, verify. If you receive a phone call or email claiming there is a problem with a bank account, credit card account or any other network- or finance-related account, hang up the phone or delete the email and check those accounts directly through normal access channels.
The best way to avoid Social Engineering schemes is to be cautious about any unknown visitor, and any request for money, passwords, account numbers or other confidential information – no matter where it seems to be coming from.
Helping you protect the security of information held by your company is as important to us as it is to you. Let's work together to protect it.
If you want to report suspicious activity in your account, or if you have questions about the security of your account, call our Member Service Center immediately at (866) 585-7628.