Keep Your Business Banking Safe in the Digital Age
By Erin Fonté

As a business executive, you have many choices in conducting banking activities, including online and mobile banking options. But with increasing freedom and ease comes increasing responsibility. You can take steps, in partnership with your bank, to protect your assets and help guard against the possibility of an account compromise.

Partnership for secure electronic banking

Your role in the partnership:
- Report odd screens or messages when conducting online banking
- Monitor accounts and transactions frequently
- Understand best practices for software use
- Establish security procedures and train employees on them
- Review any security updates Frost sends you
- Call your Frost banker

Frost's role in the partnership:
- Clearly explain security procedures and answer questions at any time
- Continually update processes and products to be more secure
- Educate your employees on proper online banking practices
- Notify you regarding account irregularities

Frost takes responsibility for safeguarding your account and personal information on our systems. You, as the business owner, executive or administrator, must control your interactions with those systems and educate yourself about online and mobile security. There are people who look for a weak link to exploit, but you can take action to avoid becoming an easy target. Don't forfeit the security game by failing to educate yourself and your employees. Protecting your accounts not only guards your assets; it is also smart business practice that protects your reputation. Your customers and vendors rely on you to keep their information secure.

Isn't my business automatically protected from unauthorized transactions?

Many business managers mistakenly assume that they are automatically protected from losses due to unauthorized transactions. Certain laws do protect consumers against unauthorized electronic funds transfers (in the United States, the Electronic Fund Transfer Act and Regulation E), but they apply to consumer accounts, not to business accounts. For a business, responsibility for an unauthorized transfer is generally governed by your account agreement and by whether the security procedures you agreed to with your bank were actually followed, which is one reason to take the procedures described in this guide seriously.
frostbank.com business.solutions@frostbank.com p.1
What are some ways bank accounts typically become compromised?

One of the most publicized ways a bank account can become compromised is when an unauthorized individual obtains legitimate online or mobile banking login and authentication information. With those credentials, the attacker can log in and originate transactions that look legitimate to the bank. When this happens to a business account, it is referred to as a corporate account takeover. Unauthorized transactions arising from these events can take many forms, including:
- Transferring funds to an overseas bank account
- Creating fake employees, vendors or bill payees and transferring funds to them
- Taking other sensitive customer information and using it for unauthorized purposes and transactions

Corporate accounts can be taken over by individuals outside the company or by an employee of the company. Here is what could happen without attention to security.

External Account Takeovers

External takeovers often target company employees, who can be tricked into revealing their online or mobile banking credentials or into running software that steals them.

Unexpected trickery: Debbie, who works in accounts payable, has a group of friends who trade funny videos of their pets. One morning Debbie gets an email saying, "My new kitten is so cute, thought you would enjoy this!" with a video clip attached. On her lunch break, when Debbie opens the "video", she actually runs a program that installs malware on her computer. Later that afternoon, when Debbie logs in to the company's online banking account, the malware captures her user ID and password and passes them to the attacker. Now the company's business banking account is compromised, and transfers can be originated from anywhere using her valid credentials.

When an account is compromised, you might see an unfamiliar screen asking for information you don't usually enter (for example, additional personal details or a one-time code), or a message telling you to wait a moment for information to "clear". Both are common tactics banking malware uses to harvest extra authentication data or to stall you while a transaction is pushed through. If anyone at your company notices suspicious or unauthorized activity, contact your bank immediately to help investigate the incident. You should also isolate that particular computer from the rest of the company's network, and do not use it for banking again until it has been cleaned or replaced.
Internal Account Takeovers

Not all takeovers are carried out by people outside the company. Over the past several years there have been many examples of modern-day "trusted bookkeeper" insider fraud using bill payment and ACH transactions.

Outright deception: Bill is the company's only bookkeeper and accounting person, handling vendor setup, accounts payable and receivable, and balancing the books. Because he alone sets up new vendors, issues payments and balances the books, nothing stops him from creating five fake vendors, generating false invoices and paying them. The money is actually routed to Bill's own personal accounts. Each month he transfers around $500 per vendor via ACH, $2,500 in total. No one at the company catches the fraud, and by year's end Bill has embezzled $30,000.

The weakness in this story is that one person controls every step of the payment. As your partner in responsible online banking, Frost's products and services can help prevent such fraud by:
- Setting up dual control (sometimes called dual authorization), so that the person who initiates a wire or ACH transfer is never the person who approves it
- Providing positive pay for checks, and ACH positive pay, which match presented checks or ACH transfers against the items and companies you have approved and hold any exception for your review before it posts

What can I do to improve my account security?

The best way to protect against financial fraud is a strong relationship and an open line of communication with your financial institution. Talk to your banker if you have any questions about security procedures or your responsibilities for online and mobile banking activities.

Implement Good Security on Your Side of the Transaction

Attention to internal security is good for your business and helps protect your banking security. Consider these actions:

Protect your online and mobile environment just as you protect your cash and physical premises. Work with your banker to understand the security measures your bank requires you to follow for online and mobile banking, and review any updates your bank sends you.
- Use only secure Internet connections
- Encrypt sensitive data and use strong, unique passwords
- On both computers and mobile devices, install anti-virus, anti-malware and anti-spyware software, enable firewalls, and keep all of them up to date

Pay attention to suspicious activity and react immediately. Call your banker if you have any questions or concerns about banking activity that seems different.
- Monitor accounts frequently and review wire, ACH and other transaction confirmations as soon as they arrive
- Report suspicious activity to your banker immediately
- Keep records of what happened (dates, times, screens seen, messages received) for investigation purposes; your bank may need this information for its own investigation

Implement good internal controls. Comply with your bank's security procedures, and do not ask for standard security procedures to be waived "just this one time".
- Implement dual control for ACH and wire transfers, so that a second person's approval is required before a transaction is released to the bank
- Consider using a dedicated computer for online banking that is never used for email or general Internet browsing
- Secure any mobile devices used to initiate account transactions
- Understand and control the authorized users and the permissions granted to each employee approved for commercial online or mobile banking, and remove access promptly when roles change

Provide good employee education. Ask how your banker may be able to help educate your employees.
- People are the first line of defense against account takeover attacks and your best resource for protecting security, so train your employees in computer security best practices
- Adopt and distribute a computer and mobile device use policy that teaches your employees about computer and mobile device security
- Train employees never to share user IDs, passwords, PINs, dynamic tokens or other authentication information with anyone, and never to leave such information unsecured
- Never reuse your banking login or password for other websites, software or apps
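To make two of these controls concrete, here is an added example (illustrative Python, not Frost Bank's software and not a description of its systems) that screens a batch of outgoing ACH payments the way the bookkeeper scenario above and the dual-control item in the internal-controls checklist describe: the initiator of a payment can never be its approver, and every destination is matched against an approved vendor list in the style of positive pay, with unmatched items held as exceptions. The employees ("bill", "dana"), vendors, routing and account numbers and amounts are all constructed for the example.

```python
"""Dual control and positive pay checks for outgoing ACH payments.

Added example, not Frost Bank's software: it models two controls the
brochure recommends, separation of duties between the person who initiates
a wire or ACH transfer and the person who approves it, and a positive pay
style match of each payment's destination against an approved vendor list.
All users, vendors, routing/account numbers and amounts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    routing: str   # receiving bank's routing number (constructed)
    account: str   # receiving account number (constructed)


@dataclass
class Payment:
    payee: str
    routing: str
    account: str
    amount_cents: int
    initiated_by: str
    approved_by: Optional[str] = None


class ControlViolation(Exception):
    """Raised when someone tries to bypass a control (e.g. self-approval)."""


class AchReleaseControls:
    def __init__(self, approved_vendors: List[Vendor]) -> None:
        # Positive pay list keyed by destination account rather than by
        # name: a plausibly named fake vendor pointing at an unapproved
        # account still fails, and a payee name changed on an approved
        # account is caught by the name comparison in release().
        self.approved: Dict[Tuple[str, str], Vendor] = {
            (v.routing, v.account): v for v in approved_vendors}

    def approve(self, payment: Payment, approver: str) -> None:
        """Record second-person approval; self-approval is refused."""
        if approver == payment.initiated_by:
            raise ControlViolation(
                f"{approver} initiated this payment and cannot approve it")
        payment.approved_by = approver

    def release(self, payment: Payment) -> str:
        """Decide whether a payment may be sent: 'RELEASED' or an 'EXCEPTION'."""
        # Dual control: a different, second person must have signed off.
        if payment.approved_by is None:
            return "EXCEPTION: no second-person approval"
        if payment.approved_by == payment.initiated_by:
            return "EXCEPTION: initiator and approver are the same user"
        # Positive pay: destination and payee name must match the approved list.
        vendor = self.approved.get((payment.routing, payment.account))
        if vendor is None:
            return "EXCEPTION: destination account not on approved vendor list"
        if vendor.name != payment.payee:
            return (f"EXCEPTION: payee {payment.payee!r} does not match "
                    f"approved name {vendor.name!r}")
        return "RELEASED"


def bookkeeper_scenario(approver: str) -> Dict[str, str]:
    """The brochure's insider case: bookkeeper 'bill' pays one real vendor and
    five fake vendors $500 each, with every fake routed to his own account.
    Returns the decision per payee. approver='bill' means Bill tries to
    approve his own payments; any other name is a second employee approving."""
    controls = AchReleaseControls([
        Vendor("Acme Office Supply", "000000001", "1001"),  # constructed
        Vendor("Metro Electric Co", "000000001", "1002"),   # constructed
    ])
    payments = [Payment("Acme Office Supply", "000000001", "1001", 50_000, "bill")]
    payments += [Payment(f"Fake Vendor {i}", "000000001", "9990", 50_000, "bill")
                 for i in range(1, 6)]
    decisions: Dict[str, str] = {}
    for p in payments:
        try:
            controls.approve(p, approver)
        except ControlViolation as exc:
            decisions[p.payee] = f"BLOCKED: {exc}"
            continue
        decisions[p.payee] = controls.release(p)
    return decisions


if __name__ == "__main__":
    for who in ("bill", "dana"):
        print(f"approver={who}")
        for payee, decision in bookkeeper_scenario(who).items():
            print(f"  {payee:20} {decision}")
```

Running bookkeeper_scenario("bill") shows why single-person control fails: all six payments are blocked because Bill tries to approve what he initiated. With a second approver ("dana"), the legitimate Acme payment is released and the five fake vendors are held as positive-pay exceptions because their destination account is not on the approved list, which is the point at which the $2,500 a month would have been caught. Keying the approved list by destination account rather than by vendor name is deliberate: an insider who adds a convincingly named vendor that points at his own account still fails the match.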
What does Frost do to protect my account security and data privacy?

Protecting the security of your accounts and your personal information is, and will always be, a priority. You can be confident in Frost and online electronic banking, knowing that we are on guard to keep your information safe and secure. Frost has a team of highly trained personnel dedicated to the quality and security of our online and mobile banking services. We can also help when your Frost accounts are affected by events unrelated to Frost's own systems; for example, Frost has well-recognized experts who can explain your options and intervene if you face identity theft because information unrelated to your accounts has been compromised.

Frost develops and deploys online and mobile security procedures that are flexible and address current and evolving security concerns. Our routine processes and sophisticated technologies monitor accounts continuously to detect unauthorized activity, and we continually look for ways to strengthen those systems. If we notice irregularities first, we will notify you, and we respond quickly to your reports of unauthorized activity. When unauthorized activity on a customer's account has been reported and verified, Frost bankers will work quickly to:
- Investigate the incident
- Determine whether any of the loss can be recovered
- Restore the integrity and security of any affected computer systems or mobile devices
- Restore online or mobile banking services
References

Here are additional resources regarding security essentials for business.

- How to Keep Your Personal Information Secure (Federal Trade Commission)
  http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
- Ten Cybersecurity Strategies for Small Businesses (Federal Communications Commission)
  http://www.uschamber.com/sites/default/files/issues/defense/files/10_cyber_strategies_for_small_biz.pdf
- Data Security Made Simpler (Better Business Bureau)
  http://www.bbb.org/data-security/
- Sound Business Practices for Businesses to Mitigate Corporate Account Takeover (NACHA, The Electronic Payments Association)
  https://www.nacha.org/sites/default/files/files/cat%20-%20b.pdf

About the Author

Erin Fonté is a banking regulatory and payments attorney and shareholder with the Austin office of Cox Smith (efonte@coxsmith.com). She has served as outside counsel to Frost for more than 10 years on regulatory and compliance, commercial and consumer banking services (including online and mobile), and privacy and data protection issues.

www.frostbank.com 1-800-513-7678