Business Security and Safety
Automated Clearing House (ACH) Fraud
Last updated by Marika BeVier on 08/10/2015 02:03 PM
ACH fraud is the theft of funds through the Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for most domestic Electronic Fund Transfer (EFT) transactions in the United States (wire transfers move over separate networks), making it a crucial link in the national banking system. ACH payments are processed in batches and sit in the network awaiting clearance before reaching their final destination; that settlement delay is what several fraud schemes exploit.
Here are a few examples of ACH fraud:
- The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.
- The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient.
- In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
- In a variation on check kiting -- a scam in which funds are juggled back and forth between bank accounts at separate banks -- a criminal takes advantage of the time lag in transactions.
- In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.
To protect yourself from ACH fraud, the FBI recommends that you watch account balances closely and reconcile the account frequently, use strong passwords and change them often, restrict access to any computer used for ACH transactions, and ensure that firewalls and antivirus software are up-to-date.
Fraud Prevention Tips for Businesses
Last updated by Marika BeVier on 08/10/2015 02:04 PM
At State Savings Bank, we take the security of your information seriously. While we use a variety of technologies and techniques to help make sure our products and services are secure, we need your assistance in keeping your accounts secure. The following are steps you can take to help protect your accounts from internal and external fraud:
- Don't let others use your personal computer.
- Log off or lock your workstation whenever you leave your computer.
- Change your passwords often, don’t store passwords in an easy-to-find place, don’t share your password with others, and choose passwords that are hard to guess.
- Install anti-virus, anti-spyware and other internet security software on your personal computer. Make sure the antivirus software scans incoming communications and files, removes or quarantines what it finds, and updates itself automatically. Be cautious about offers for "free" antivirus software, and get your software only from a highly reputable company.
- Be leery of e-mail messages you receive from people you don't know, and don't open any attachments they may contain. Don't respond to an e-mail, phone call, or text message that:
  - Requires you to supply personal or account information directly in the e-mail;
  - Threatens to close or suspend your account if you do not take immediate action;
  - Invites you to answer a survey that asks you to enter personal or account information;
  - States that your account has been compromised or that there has been third-party activity on your account, then asks you to enter or confirm your personal or account information;
  - States that there are unauthorized charges on your account, then asks you to provide your personal or account information;
  - Asks you to enter your User ID, password, account numbers, PIN or card expiration dates into an e-mail, non-secure webpage or text message;
  - Asks you to confirm, verify or refresh your account, credit card, or billing information.
- Keep your browser up to date so it supports current encryption, and check that any banking site or application you use is served over an encrypted (HTTPS) connection before entering credentials.
- Use only software from reliable vendors.
Mobile Fraud Prevention
- Don’t share your mobile device with others, especially strangers.
- Ensure no one is looking over your shoulder in congested public areas and reading information from your device’s screen.
- Log out from your online banking session when you’re finished, whether you’re using a mobile app or the mobile website.
- Don’t store your password on other apps within your mobile device, such as the Notes app.
- Avoid jailbreaking or rooting your phone.
- Always use official app stores to download any app.
Internal Controls and Tools to Prevent Fraud
- Maintain appropriate internal controls, including segregation of duties. For example, have different people involved in reconciling accounts from those making payments.
- Implement dual control for electronic payments you originate from your account. For example, have one person prepare a payroll file and another approve the file before it is sent to the bank for processing.
- Periodically assess your risk and evaluate your internal controls, including reviewing your users and the permissions you grant them. Your system administrator can establish user permissions and online transaction limits for each of your users.
- Regularly review your transactions and statements to detect unauthorized activity. Because we post your transaction details online promptly, online banking can be a very useful way to monitor and control transactions, including those originating online and through other channels, such as checks you've written or withdrawals you've made.
- Use tools such as Positive Pay Service, debit blocks and Reverse Positive Pay Service to help you monitor and control checks/ACH debits clearing against your accounts.
- Customize Account Alerts to receive notification when certain account activity takes place.
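As an added illustration (not part of this page or of any State Savings Bank product), the following Python sketches the matching logic behind the controls listed above: a Positive Pay comparison of presented checks against the issued-check file, an ACH debit filter that blocks debits from unauthorized originators or above a per-originator cap, and a dual-control release check that requires a separate approver with a sufficient limit. All names, amounts and ACH company IDs are constructed sample data, and the function names are this example's own.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    """One check, either listed in the issued file sent to the bank or presented for payment."""
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:
    """One ACH debit presented against the account."""
    originator_id: str  # ACH company ID of the party pulling the funds
    amount: Decimal
    description: str


def positive_pay_exceptions(issued, presented):
    """Positive Pay: a presented check must match an issued check on number, amount
    and payee, and may be paid only once. Returns (check, reason) for each exception
    the account holder would have to decide on (pay or return)."""
    issued_by_number = {c.number: c for c in issued}
    already_presented = set()
    exceptions = []
    for item in presented:
        match = issued_by_number.get(item.number)
        if match is None:
            exceptions.append((item, "not in issued file"))
        elif item.number in already_presented:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != match.amount:
            exceptions.append((item, f"amount altered: issued {match.amount}"))
        elif item.payee != match.payee:
            exceptions.append((item, f"payee altered: issued to {match.payee}"))
        already_presented.add(item.number)
    return exceptions


def ach_debit_exceptions(debits, authorized):
    """ACH debit filter: 'authorized' maps an originator company ID to a per-item cap.
    Any originator not in the map is blocked outright (a debit block)."""
    exceptions = []
    for debit in debits:
        cap = authorized.get(debit.originator_id)
        if cap is None:
            exceptions.append((debit, "originator not authorized"))
        elif debit.amount > cap:
            exceptions.append((debit, f"exceeds cap of {cap}"))
    return exceptions


def release_batch(total, prepared_by, approved_by, approval_limits):
    """Dual control: a payment batch is released only when a different user who holds
    approval permission, with a limit covering the batch total, approves it."""
    if approved_by == prepared_by:
        return False, "approver must be a different user than the preparer"
    limit = approval_limits.get(approved_by)
    if limit is None:
        return False, f"{approved_by} has no approval permission"
    if total > limit:
        return False, f"total {total} exceeds {approved_by}'s limit of {limit}"
    return True, "released"


# Constructed sample data (not real checks, accounts or company IDs).
ISSUED = [
    Check(1001, Decimal("1250.00"), "Acme Supply"),
    Check(1002, Decimal("300.00"), "City Utilities"),
    Check(1003, Decimal("88.40"), "Office Depot"),
]
PRESENTED = [
    Check(1001, Decimal("1250.00"), "Acme Supply"),     # clean match
    Check(1002, Decimal("3000.00"), "City Utilities"),  # amount altered
    Check(1003, Decimal("88.40"), "J. Doe"),            # payee altered
    Check(1004, Decimal("975.00"), "Unknown Vendor"),   # counterfeit check number
    Check(1001, Decimal("1250.00"), "Acme Supply"),     # second presentment
]
AUTHORIZED_ORIGINATORS = {"1234567890": Decimal("5000.00"), "9876543210": Decimal("500.00")}
DEBITS = [
    AchDebit("1234567890", Decimal("4800.00"), "PAYROLL TAX"),  # within cap
    AchDebit("9876543210", Decimal("650.00"), "INSURANCE"),     # over cap
    AchDebit("5555555555", Decimal("199.00"), "WEB SVC"),       # unknown originator
]
APPROVAL_LIMITS = {"bob": Decimal("50000.00"), "carol": Decimal("10000.00")}

if __name__ == "__main__":
    for item, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"check {item.number}: {reason}")
    for debit, reason in ach_debit_exceptions(DEBITS, AUTHORIZED_ORIGINATORS):
        print(f"ACH debit {debit.description}: {reason}")
    for approver in ("alice", "carol", "bob", "dave"):
        print(approver, release_batch(Decimal("24000.00"), "alice", approver, APPROVAL_LIMITS))
```

Running the script lists four check exceptions (altered amount, altered payee, a number never issued, and a duplicate presentment), two blocked debits, and shows that only "bob" can release the 24,000.00 batch prepared by "alice": "alice" cannot approve her own work, "carol" is over her limit, and "dave" has no approval permission at all. The Reverse Positive Pay variant the page mentions is the same comparison run by the account holder against the bank's paid-items report instead of by the bank against an issued file.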
Corporate Account Takeover
Last updated by Marika BeVier on 08/10/2015 02:04 PM
Protecting Your Accounts from Fraud
What is Corporate Account Takeover?
Corporate Account Takeover (also called account hijacking) is online fraud in which a criminal gains control of a business's online banking account, most often by capturing its credentials with keylogging malware. The victims are mostly small to midsize organizations using online accounts at local community banks and credit unions.
How does it occur?
Criminals use various methods to steal online banking credentials in order to steal funds from accounts and to access employee records and other confidential information. Access can be gained through poorly secured Internet connections lacking adequate firewalls and security controls, or by infecting computers with malware that records keystrokes to capture user names, passwords, and other security information when a company employee logs in to online banking.
Criminals often use e-mail to gain access to a company's system. Malware, or links to malware, is often included in fake invoice e-mails or in e-mails that claim to be from a bank or other legitimate business. The user is instructed to click on a link or open an attachment. The link takes the user to a counterfeit website that infects the user's machine; the attachment infects the machine as soon as the file is opened.
What should be done if we have been compromised?
Call your financial institution immediately so they can stop unauthorized files from processing and block the account.
Employ a knowledgeable IT professional to identify and remove any infections.
What can be done to prevent account takeover?
- Use stand-alone computers for online banking services, ACH origination and wire transfers. Never allow employees to use these computers for Internet searches or e-mail.
- Implement dual control on all online payment services. A second person should authorize any financial transfer (ACH, inter-bank, wire transfer).
- Increase security for online banking services: a login ID and PIN/password combination alone is not sufficient to mitigate account takeover, so use the additional authentication and authorization controls your financial institution offers.
- Educate employees to never give out online banking credentials or open e-mail links or attachments. A security policy should be adopted, and all employees should be trained and held accountable for any breach of policy.
- Keep anti-virus software updated and run it routinely. Verify that the software provides both antivirus and antispyware capabilities, and test firewalls regularly.
- Restrict administrator privileges to the few staff who actually need them to manage systems. Employees who use the network for daily work should never have full administrative rights: if such an employee's credentials are compromised, the criminal inherits those administrative capabilities as well.
- Reconcile accounts daily to protect accounts from unauthorized activity.
- Implement positive acknowledgement for ACH files and wire transfers. Confirming each file or transfer with your financial institution by e-mail or phone call helps mitigate unauthorized funds transfers.
By Cynthia J. Thompson, AAP, CTP, Director of Professional Services at The Payments Authority
How to Protect Your Business
Last updated by Marika BeVier on 08/10/2015 02:05 PM
- Reconcile daily/monthly (including separation of duties between who issues payments and who reconciles)
- Separate controls for your business Online Banking. Use one computer to create online payments; have a second user approve those payments from a different computer.
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
- If possible, carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
- Immediately escalate any suspicious transactions with the bank. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.