While securing your internal business systems and processes against online fraud is critical for small businesses, it is equally important to put safeguards in place when doing business externally with banks and other vendors. According to the 2013 AFP Payments Fraud and Control Survey sponsored by the Association of Financial Professionals, 61% of organizations -- including 50% of smaller businesses -- experienced attempted or actual payments fraud in 2013 involving a number of payment methods, including ACH transactions, credit/debit card transactions, and interbank wire transfers.
This year's survey reported an overall decrease in fraud attempts, yet the report urged organizations to remain vigilant, since cyber-criminals are employing increasingly sophisticated techniques to thwart protections that have been put in place by banks and other financial institutions.
Many online banking scams target small to medium-sized business customers since their account balances are generally higher than consumer accounts and their transaction volume is generally greater. Following are two of the newer breed of cyber risks you should be aware of and protect against.
Keylogging spyware. A keylogger is a type of surveillance software program that records the keystrokes entered on the PC on which it is installed and transmits a record of those keystrokes to the person controlling the spyware over the internet. Keyloggers can be installed on a PC by simply visiting an infected website or by clicking on an infected website banner advertisement or email attachment. Cyber-criminals may use keylogger files to steal the logon IDs, passwords, and challenge question answers of financial institution customers.
Man in the Middle (MIM), or Man in the Browser (MIB), attacks. This type of malware allows the cyber-criminal to insert himself between the customer and the financial institution and hijack an online session. For instance, the criminal may be able to intercept the logon credentials submitted by the customer to gain access to the customer's account. Similarly, the criminal may be able to modify the transaction content or add additional transactions (e.g., funds transfers) not authorized by the customer. Criminals conceal their actions by directing the customer to a bogus website that is a mirror image of the financial institution's website or by sending the customer a message claiming that the institution's website is unavailable and to try again later.
Conducting financial transactions online can help streamline your business processes, but it can also give cyber-criminals a gateway to your assets. Another important consideration: Federal regulations require banks to protect individuals -- but not commercial clients -- against losses from an online account hack. Given these realities, consider the following as important baseline practices in your own cyber-safety campaign.
Communicate with your bank. Understand its security procedures and fully utilize all services that are available to you such as Positive Pay, ACH fraud filters or other verification tools.
Continuously educate your workforce. Establish a formal written online security policy that includes best practices for conducting online transactions, and review it regularly, updating as needed. Best practices should include the following:
- Protecting access credentials. Never give out the passwords, PINs, or other authorization credentials used to access your online banking systems or accounts.
- Reporting suspicious communications. Never respond to an unsolicited email, phone call, or text message from a party claiming to be from your financial institution and asking for account verification credentials. Instead, contact your financial institution immediately.
- Ignoring suspicious links. Never open links or email attachments from unknown sources.
Increase your internal controls.
- Implement dual custody (second level of approval) on all online payment services. Reconcile accounts daily to detect suspicious activity. Keep authorized signatories up-to-date and conduct an annual audit of all bank signature cards, access codes, fund transfer agreements, etc., to ensure they are current.
- Keep all device software up-to-date and run virus protection and malware checks on a regular basis. Encrypt all sensitive data.
- Make sure your technology staff is up-to-date with the latest security technologies and software releases.
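As an added illustration of the dual-custody and daily-reconciliation controls above (example code written for this page, not from the article or any bank's tooling), the following Python check flags payments released without an independent second approver and bank debits that no approved payment explains, which is how an injected transfer of the kind described under Man in the Browser would surface; the ledger and bank debits are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Payment:
    ref: str                 # internal payment reference
    payee: str
    amount_cents: int
    initiator: str           # user who entered the payment
    approver: Optional[str]  # second-custody approver; None if not yet approved

def dual_custody_violations(payments: List[Payment]) -> List[str]:
    """Refs of payments lacking an independent second approver."""
    return [p.ref for p in payments
            if p.approver is None or p.approver == p.initiator]

def reconcile(approved: List[Payment], bank_debits: List[Tuple[str, int]]):
    """Match approved payments against the bank's posted debits.

    Returns (unexpected, missing): debits no approved payment explains
    (an injected transfer looks like this) and approved payments the bank
    never posted. (payee, amount) is matched as a multiset, so two identical
    legitimate payments are not mistaken for one extra debit.
    """
    expected = Counter((p.payee, p.amount_cents) for p in approved)
    posted = Counter(bank_debits)
    return (sorted((posted - expected).elements()),
            sorted((expected - posted).elements()))

# Constructed sample data, not from any real ledger or bank feed.
LEDGER = [
    Payment("P-1001", "Acme Supplies", 125_000, "alice", "bob"),
    Payment("P-1002", "Acme Supplies", 125_000, "alice", "bob"),
    Payment("P-1003", "Office Lease Co", 300_000, "carol", "carol"),  # self-approved
    Payment("P-1004", "Payroll Svc", 980_000, "alice", None),         # unapproved
]
BANK_DEBITS = [
    ("Acme Supplies", 125_000),
    ("Acme Supplies", 125_000),
    ("Office Lease Co", 300_000),
    ("Fast Cash Transfers", 450_000),  # nobody in the business approved this
]

def daily_check(ledger=LEDGER, bank_debits=BANK_DEBITS):
    """Run both controls: weak approvals, then reconciliation of released payments."""
    violations = dual_custody_violations(ledger)
    released = [p for p in ledger if p.approver is not None]
    return (violations,) + reconcile(released, bank_debits)
```

Anything returned in the first or second list is what the daily reconciliation step exists to catch and should be raised with the bank the same day.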