Online Security for Business
Knowledge is crucial to your defense against fraud. According to Symantec, "hackers do not care what the size of your business is. They only care if they can get past your defenses and relieve you of your valuables. What hackers do like about a small business is that they tend to have more money in the bank than an end-user and less cyber defenses than a larger company. Additionally, these hackers are no longer limited to highly skilled computer geeks. Using easily available attack toolkits, even a relative novice can infect your computers and extract all the information they need to steal your bank accounts' login and password details or steal a list of your customers' credit card numbers."
For your protection, you should always carefully monitor your bank accounts for fraudulent activity. If you ever see anything unusual, immediately call us at 833-837-4839.
What is Account Takeover Fraud?
Also known as "Corporate Account Takeover", account takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited or no computer safeguards and minimal disbursement controls for use with their bank's online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to their computer systems to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customer that performs electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions, and the majority of these thefts are not fully recovered. These thefts have affected both large and small banks. This type of cyber-crime is a technologically advanced form of electronic theft. Malicious software, which is available over the Internet, automates many elements of the crime, including circumventing one-time passwords, authentication tokens, and other forms of multi-factor authentication. Customer awareness of online threats and education about common account takeover methods are helpful measures to protect against these threats. However, because banks depend on sound computer and disbursement controls at their customers, there is no single measure that stops these thefts entirely. Multiple controls, or a "layered security" approach, are required.
WARNING SIGNS OF POTENTIALLY COMPROMISED COMPUTER SYSTEMS
Account holders should be the most vigilant in monitoring account activity. They have the ability to detect anomalies or potential fraud prior to or early into an electronic robbery. Warning signs visible to a business or consumer customer that their system or network may have been compromised include:
- Inability to log into online banking (thieves could be blocking customer access so the customer won't see the theft until the criminals have control of the money);
- Dramatic loss of computer speed;
- Changes in the way things appear on the screen;
- Computer locks up so the user is unable to perform any functions;
- Unexpected rebooting or restarting of the computer;
- Unexpected request for a one-time password (or token) in the middle of an online session;
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.);
- New or unexpected toolbars and/or icons; and
- Inability to shut down or restart the computer.
Establish "Best Practices" Controls
- Limit electronic access to financial information or sensitive documents
- Develop policies to control how financial transactions are made and implement review and authorization procedures.
- Utilize Dual Control, Dual Approval and/or Security Tokens for ACH Origination and Wire Transfers.
- Limit “Admin” access to one or two users. The Bank strongly recommends using a separate login for “Admin” access.
- Review and reconcile accounts daily using Veritex Online Banking.
- Set up balance and transaction alerts in Veritex Online Banking.
- Create strong and secure passwords. Veritex recommends password changes regularly.
Supervise and Monitor Financial Transactions
- Adequately supervise all employees who take part in business finances.
- Continually review wires, transfers, payroll, ACH origination, and business checks.
- Use Veritex Positive-Pay for daily check and deposit reconciliation to help prevent fraudulent activity. Positive-Pay allows the bank to confirm each item before paying.
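The "Dual Control / Dual Approval" and "limit Admin access" controls above, together with the daily review of wires and ACH origination in the Supervise and Monitor section, can be expressed as a small approval gate. The following is an added illustration, not Veritex's online banking code: it models a ledger in which a transfer must be released by an approver other than its initiator, caps the number of Admin users at two, and records an alert for large transfers and for any self-approval attempt so the daily reviewer sees them. The user names, roles, the `ALERT_THRESHOLD` value and the transfer references are constructed for the example.

```python
"""Dual-control gate for outbound WIRE/ACH transfers with review alerts.

Added example (not Veritex code). Roles, names and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

ALERT_THRESHOLD = 10_000.00   # constructed: per-transaction alert threshold
MAX_ADMINS = 2                # mirrors the "one or two Admin users" recommendation


class ControlViolation(Exception):
    """Raised when an action would break a configured control."""


@dataclass
class Transfer:
    ref: str
    kind: str                        # "WIRE" or "ACH"
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    status: str = "PENDING"          # PENDING -> RELEASED


@dataclass
class DualControlLedger:
    # user -> set of privileges: "INITIATE", "APPROVE", "ADMIN"
    roles: dict
    transfers: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # items for the daily review

    def __post_init__(self):
        admins = [u for u, p in self.roles.items() if "ADMIN" in p]
        if len(admins) > MAX_ADMINS:
            raise ControlViolation(f"too many Admin users: {admins}")

    def _require(self, user, privilege):
        if privilege not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks {privilege}")

    def initiate(self, ref, kind, amount, user):
        """Create a pending transfer; large amounts raise a review alert."""
        self._require(user, "INITIATE")
        if kind not in ("WIRE", "ACH"):
            raise ControlViolation(f"unsupported transfer type {kind}")
        if ref in self.transfers:
            raise ControlViolation(f"duplicate reference {ref}")
        t = Transfer(ref, kind, amount, user)
        self.transfers[ref] = t
        if amount >= ALERT_THRESHOLD:
            self.alerts.append(
                f"{ref}: {kind} for {amount:.2f} initiated by {user} exceeds threshold")
        return t

    def approve(self, ref, approver):
        """Release a pending transfer; the approver must not be the initiator."""
        self._require(approver, "APPROVE")
        t = self.transfers[ref]
        if t.status != "PENDING":
            raise ControlViolation(f"{ref} is not pending")
        if approver == t.initiated_by:
            # Separation of duties: log the attempt so the daily review sees it
            self.alerts.append(f"{ref}: self-approval attempted by {approver}")
            raise ControlViolation("initiator cannot approve their own transfer")
        t.approved_by = approver
        t.status = "RELEASED"
        return t

    def pending(self):
        """References still awaiting a second approver."""
        return [t.ref for t in self.transfers.values() if t.status == "PENDING"]


if __name__ == "__main__":
    # Constructed users: alice is Admin and initiates, bob only approves,
    # carol can do both (but never for her own transfers).
    ledger = DualControlLedger(roles={"alice": {"ADMIN", "INITIATE"},
                                      "bob": {"APPROVE"},
                                      "carol": {"INITIATE", "APPROVE"}})
    ledger.initiate("W-1001", "WIRE", 25_000.00, "alice")
    ledger.approve("W-1001", "bob")
    print(ledger.transfers["W-1001"])
    print("alerts for daily review:", ledger.alerts)
```

In a real deployment the alert list would feed the balance and transaction alerts the page recommends enabling; the point of the model is that no single user can both create and release a wire or ACH batch, which is exactly the control an account takeover of one credential set defeats when it is absent.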
Conduct Regular and Unscheduled Internal Audits
- Commercial users are encouraged to periodically perform risk assessments and system control evaluations.
- In addition to regular examinations of inventory and finances, unannounced audits can deter fraud.
Secure and Maintain Your Computer Systems
- Use Detect Safe Browsing software from Easy Solutions for more comprehensive protection for your online banking. The software, available for download at no charge to you, works with your current anti-virus software and web browser to provide a more secure online banking experience.
- Do not use public Internet access points when you log in to a site using a password.
- Be cautious when utilizing wireless networks – avoid doing business on public wireless networks, and if it’s your own wireless network, use encryption.
- Use firewalls on your local network to add another layer of protection for all devices that connect through the firewall.
- Use current updated anti-virus and anti-spyware software.
- Apply computer operating system patches and updates.
- Maintain the physical security of computers and limit access to computers that are used for sensitive functions.
- Do not download or install software from unknown third parties.
- Limit Internet access on business computers to business requirements.
- Do not open email or email attachments from an unknown source.
Contact us immediately if you receive an email claiming to be from the Bank and it is requesting personal/company information.
Be Aware of the Deceptive Ways Criminals Contact Account Holders
- The FDIC does not directly contact our customers (especially related to ACH and Wire transactions, account suspension, or security alerts), nor does the FDIC request our customers to install software upgrades. Such messages should be treated as fraudulent and customers should permanently delete them and not click on any links.
- Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking you to install software, provide account information, or provide access credentials are probably fraudulent and should be verified before any files are opened, software is installed, or information is provided.
- Phone calls and text messages that request sensitive information are likely fraudulent. If in doubt, you should contact the bank at the phone number you obtained from a different source (such as the number you have on file, your most recent statement, or from our website, www.veritexbank.com). You should not call phone numbers (even with local prefixes) that are listed in the suspicious email or text message.
“Best Practices” Controls Frequently Asked Questions
What should I consider when establishing access for users in my company?
First, select a user to be the "Admin". Veritex recommends that the Admin User be an authorized signer on the account. The Admin User will have access to all functions in online banking and will be responsible for granting other users access and privileges in your online banking (refer to the "Online Access Agreement and Disclosure Statement"). Second, consider assigning separate duties, such as issuing and reconciling payments made by your company. For payment functions such as wire transfers and ACH origination, implement dual control if possible. Third, whether you have one user or ten, use VeriSign© Tokens to authorize transactions going out of your account.
What other security features are available in Online Banking to monitor and manage my accounts?
Veritex Online Banking already has several mandatory security alerts enabled. For instance, you will receive an alert any time an "Invalid Password" is used when you attempt to log in. Additional security alerts are enabled for you by default; although it is not advised, you may disable them if you would like. You can also set up account-level "event" alerts by going to PREFERENCES, then ALERTS, in online banking.
Other available security features are VIP tokens and the VIP Access application for transaction authorization when using Treasury Services (Online ACH Origination and Wire Transfers). Security tokens add a layer of security in Online Banking.
Incident Response Plans
Since each business is unique, customers should write their own incident response plan. A general template would include:
- The direct contact numbers of key bank employees (including after-hours numbers)
- Steps the account holder should consider to limit further unauthorized transactions, such as:
  - Changing passwords
  - Disconnecting computers used for Internet banking
  - Requesting a temporary hold on all other transactions until out-of-band confirmations can be made
- Information the account holder will provide to assist the bank in recovering their money
- Contacting their insurance carrier
- Working with computer forensic specialists and law enforcement to review appropriate equipment
Additional Resources for Business Account Holders
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
- The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3, and FS-ISAC available on the IC3 website (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf) or the FS-ISAC website (http://www.fsisac.com/files/public/db/p265.pdf)
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm