Remote Deposit Quick Start Guide

Transcription

1 Treasury Management Fraud Prevention How to Protect Your Business Remote Deposit Quick Start Guide

2 What s Inside We re committed to the safety of your company s financial information. We want to make you aware of common types of business fraud and what you can do to protect your organization. The information in this guide is designed to help you learn more about fraud prevention and the services available to help protect your business. Common Types of Online Fraud: Phishing Malware Spyware Best Practices for Online Security Online Fraud Prevention Tools:. Firewalls Software Updates Anti-Virus Anti-Spyware Common Types of Payment Fraud: ACH Check Fraud Credit Card Fraud Best Practices for Payment Fraud Prevention How We Protect Your Company How to Respond to a Security Breach Conclusion Additional Resources Note: The following information should be used for reference only and should not be used as a sole resource for security training in your organization. Published by Murphy & Company, Inc. 459 Sovereign Court St. Louis, MO Murphy & Company, Inc. Disclaimer: Concepts, strategies and procedures outlined in this guide can and do change and may not be applicable to all readers. The content in this guide is not warranted to offer a particular result or benefit. Neither the author/publisher, nor the service provider shall be liable for any damages arising out of the use of this guide, including but not limited to loss of profit, commercial, special, incidental or other damages. For complete product and service information, please refer to the terms, conditions and disclosures for each product and service. 2

3 Common Types of Online Fraud Phishing Phishing refers to one of a variety of scams in which cybercriminals attempt to gather personal and financial information from unsuspecting victims. Often, phishers claim to be representatives from a legitimate organization or business. There are several common types of phishing you should be aware of. Phishing: Cyber-criminals send s attempting to trick victims into divulging sensitive information such as usernames, passwords and debit/credit card numbers. These s may contain fake toll-free numbers, links to counterfeit websites or harmful computer viruses. Spear Phishing: This type of phishing is usually directed at a person within a company who is able to initiate business funds transfers or payments. A cyber-criminal sends an attachment containing a keystroke logger, which will capture the user s online banking credentials and transmit them back to the criminal. Phone Phishing (Vishing): A victim may receive a phone call from either a live person or recorded message, asking them to provide or confirm personal or financial information. Text Phishing (SMiShing): A cyber-criminal contacts a victim via text message, directing them to call a toll-free number or visit a website which asks for the victim s personal or financial information. Note: We will never request your personal or account information via , text message, or pop-up windows. Contact your local branch directly if you suspect any message to be fraudulent. Do not respond to or use links within s; always type the URL into your browser. 3

4 Common Types of Online Fraud Malware Malware is designed to infect or damage a computer system without the owner s knowledge or consent. Examples of malware include viruses, worms, Trojans and spyware. Spyware and Trojans are becoming increasingly popular with cyber-criminals. Common symptoms of a computer infected with malware include system instability or extremely slow operation, advertising pop-ups, a new browser homepage or toolbar, repeated error messages and s sent from your account which you didn t initiate. Spyware Spyware is a form of malware that can monitor and in some instances control a victim s computer. If your system is infected with spyware, a third party could monitor your web browsing, record your keystrokes or direct your browser to counterfeit websites. If you notice your browser accessing websites you did not request, computer keys that don t work, a large number of advertising pop-ups, error messages, and generally poor system performance, these may be signs of spyware compromising your system. To avoid malware and spyware, do not click on links in pop-up windows or s, even if the links claim to be offering anti-spyware software. Use reputable commercial anti-virus and anti-spyware software, and keep them up-to-date. Use of a hardware or software firewall is highly recommended. 4

5 Best Practices for Online Security The following tips can help protect you and your company from online fraud. Protect Your Accounts: Initiate outbound ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer. Set daily limits for wire transfers and ACH batches and use ACH blocks and filters to protect your accounts from fraudulent inbound transactions. You can use our Positive Pay service to review/approve checks before they are cleared. Contact Treasury Management at for more information. Set online alerts to provide additional security and awareness within online banking. Protect Your Computer Systems: Perform online banking activities from a computer that is used only for accessing online banking services and not any other or web browsing activities. Be suspicious of any claiming to be from us, any other financial institution or government agency asking for your online banking login credentials. Install a dedicated business firewall. Use complex passwords with at least eight characters of mixed case letters, numbers and special characters. Immediately report any suspicious activity to us at , particularly if you suspect fraudulent activity concerning ACH or wire transfers. There is a limited recovery window for these transactions, and immediate escalation may assist us in preventing losses to your company. 5

6 Online Fraud Prevention Tools Firewalls A firewall is a hardware or software system designed to block unauthorized access to your computer. Think of a firewall as an electronic gatekeeper, allowing only legitimate network access to your computer workstations. Software Firewall: Many modern computer operating systems for home and professional use include a pre-installed software-based firewall. Hardware Firewall: Many businesses choose to run a dedicated, physical firewall device to protect access to their network. A hardware firewall connects directly to the network, independent of any individual computer. Software Updates It s important to keep the software running on your business s computers up-to-date. As hackers and other cyber-criminals find new ways to compromise software applications or systems, developers will release fixes or patches to the software to address any new security weaknesses. Many of these software updates can be set to occur automatically, such as updates to Microsoft Windows or Mac operating systems. Make sure to consult the documentation for the software used on your business computer for details on how to make sure applications are updated. 6

7 Online Fraud Prevention Tools Anti-Virus Every computer used by you or your employees should use up-to-date anti-virus software. These programs keep your computer safe from malware (malicious software) in two ways: Removing Known Malware: The anti-virus software scans your computer s hard drive for known viruses and removes any detected malware. Preventing New Malware: The anti-virus software keeps track of running computer processes and will block any suspicious computer code or files. Anti-Spyware Spyware is a particular kind of program designed to monitor and collect information about your computer or Internet usage and transmit it to a third party without your knowledge. This information can be as simple as what websites you visit regularly, or as dangerous as recording your keystrokes as you enter your password when logging on to manage finances with online banking. As with anti-virus software, anti-spyware works in two ways: Removing Known Spyware: The anti-spyware software scans your computer s hard drive for known spyware and removes any detected programs. Preventing New Spyware: The anti-spyware software keeps track of running computer processes and will block any suspicious computer code or files. 7

8 Common Types of Payment Fraud ACH Automated Clearing House (ACH): Cyber-criminals steal funds directly from accounts by accessing account and routing numbers illegitimately. Payroll and government payments are common transactions that cyber-criminals focus on, as well as any online payments or payments made over the phone. Account Hijacking: A cyber-criminal captures a user s login credentials to gain access to the ACH origination system and then uses it to make payments. Criminals can capture login credentials in a variety of ways, such as using a keystroke logger or remote access Trojan. Identity Theft: A criminal creates a false identity and uses it to obtain origination capabilities within an online banking environment. They then initiate fraudulent credits using these capabilities. ACH Kiting: ACH kiting is very similar to check kiting, but involves cyber-criminals using a pair of accounts for fraudulent purposes. The criminal originates an ACH debit from one account to another, with the available balance withdrawn before settlement. Reverse Phishing: Instead of s attempting to fraudulently obtain online banking information, the cyber-criminal sends s to businesses that provide fraudulent banking information, redirecting payments to an account they control. Counterfeiting: The perpetrator of this kind of payment fraud converts a counterfeit check to electronic form and uses it to originate an ACH debit. 8

9 Common Types of Payment Fraud Check Fraud Even as businesses conduct more and more financial management online, check fraud is still a threat to financial security. Check fraud involves forging, altering or counterfeiting checks as well as the issuing of a check for an account the criminal knows has been closed or has insufficient funds to cover the check amount. Check fraud is easy to commit, needing no more advanced technology than a scanner, printer and desktop publishing software. Credit Card Fraud Many businesses use corporate or commercial credit cards to conduct business-to-business payments. The widespread use of corporate credits cards has led to many types of credit card fraud. Misuse: A legitimate company employee uses a corporate credit card for unauthorized purposes. Embezzlement: An employee with authorization to use a corporate credit card uses card information to defraud the company. False Fraud: A card-holder claims legitimate charges are invalid in order to avoid paying them or to avoid repercussions. 9

10 Best Practices for Payment Fraud Prevention The best way to protect your business against payment fraud is to have a plan in place before any fraudulent activity occurs. ACH Fraud Protection: Make absolutely sure of the other party s identity when conducting electronic transactions. Mask account numbers and Tax ID numbers in correspondence. Never transmit confidential or personal information over unencrypted . When employees leave the company, make sure all tokens are collected and users are deleted from the system. Protect your funds by preventing unauthorized transactions from taking place with the use of our ACH Filters and Blocks. Designate the type of ACH transactions you wish to block from your accounts with ACH Blocks, or limit which companies can initiate ACH entries to and from your account with ACH Filters. Both these ACH control measures will help protect against fraudulent transactions. Check Fraud Protection: Use high-quality check stock with built-in security features such as watermarks, bleach-reactive stains, micro printing and fluorescent fibers. Establish and implement financial document destruction processes and check reorder policies. Segregate duties by assigning different employees to make payments and reconcile accounts. Credit Card Fraud Protection: Require training for all card-holders to make sure everyone understands the limits of the program. Use a card provider that offers web-based payment management tools, including real-time spending reports. Establish protective controls like monthly transaction limits and blocking unauthorized vendors. 10

11 How We Protect Your Company Privacy Protection: The privacy of your financial information is our top priority. We provide access to confidential information only for authorized users. Encryption, monitoring and automated analysis software is used to protect confidential information. We monitor all consultants and vendors who work with us through contractual agreements and corporate-wide security programs. Password Policy Guidelines: We comply with industry standards for complex passwords, requiring at least eight characters of mixed case letters, numbers and special characters. 11

12 How We Protect Your Company Multi-Factor Authentication: We use strong authentication methods to make sure only you and/or your authorized users are able to access your accounts online. Users must provide a User ID and Password to log in, and may be asked several challenge questions. Corporate Net Banking users must provide information from a security token at sign-on, while Business Net Banking users must use their security tokens to process ACH and wire transfers. Encryption: All online activity is encrypted from the time it leaves your computer until it enters our systems. Your information is protected by Secure Sockets Layer (SSL) technology, preventing your data from being read. Please be aware that information accessed from a compromised computer may still be at risk. Online Payments Digital Controls: Our online products give your business a wide variety of tools and features aimed at allowing you to manage access to your accounts at the user level, including regulated permissions and specified limits to ACH, wire transfers and other transactions. Payment approval permissions and advanced reporting tools help to further prevent fraudulent activity from occurring. 12

13 How to Respond to a Security Breach An electronic security breach is any unauthorized acquisition of computerized data that compromises the security, confidentiality and integrity of nonpublic information maintained by your business. To Report a Security Breach: Should you suspect someone has breached your account security, immediately report the suspicious activity to us at This is particularly important if you suspect fraudulent activity concerning ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may assist us in preventing further losses to your company. As a general precaution, we suggest businesses establish written procedures to be followed in the event of a security breach, with the assistance of legal counsel, information technology consultants or both. Suggested Guidelines: Develop a list of local police department phone numbers to report thefts or break-ins. Select an information technology consultant who can take proactive steps to stop further dissemination of information taken from a compromised computer system. Designate specific employees to contact us in the event of a security breach. If we are unsure the information is coming from an authorized company representative, we will follow established protocols to validate the identity of the contact. Establish a written policy detailing conditions under which you will notify your customers of the breach, who will provide the notification and how the notification will take place. 13

14 Conclusion No company or organization is immune to fraud. Criminals are extremely resourceful, inventive and elusive in defrauding consumers, businesses and government agencies. Scams can occur online and offline involving anything from individual check fraud to organized groups of criminals working to steal billions. We are your partner in establishing and maintaining effective fraud prevention techniques and procedures. Through a combination of strict internal controls such as segregation of duties, third-party audits and services like Positive Pay, we provide a multitude of tools to help you keep your financial information safe. We continue to invest in technology and the ongoing research necessary to reduce fraud risk and protect your company around the clock. 14

15 Additional Resources Secure Communications: We will never send you an asking you to click a link to verify or supply personal information. If you are unsure about an or website that appears to be from us, take the following precautions. 1. Type our web address (sterlingsavingsbank.com) into your browser to visit our website instead of relying on links in s or an 1 entry in your favorites. 2. Double click the gold lock icon at the bottom or top of the page to verify the security certificate is listed as being issued to sterlingsavingsbank.com. Our services are certified by VeriSign, Inc. Third-Party Information: 2 Federal Trade Commission (FTC) - The FTC is an independent government agency tasked with promoting consumer protection. This agency investigates issues raised by reports from consumers and businesses. Internet Crime Complaint Center (IC3) - The IC3 is a task force comprised of representatives of the Federal Bureau of Investigation, National White Collar Crime Center and Bureau of Justice Assistance, assembled specifically to address instances of cyber-crime. BBB s Data Security Made Simple - The Better Business Bureau provides an overview of best practices for data security. 15

16