We see the headlines all of the time:
“Uptick in Cyber Attacks on Small Businesses”; “$1.5 Million Cyberheist Ruins Escrow Firm”; “Bank Sues Victim to Recover Funds”; “Missouri Court Rules Against $440,000 Account Takeover Victim”
Although it is over 250 years old, Benjamin Franklin’s “an ounce of prevention is worth a pound of cure” remains a valuable axiom for credit unions working with their business customers to prevent account takeover and fraud. Criminal entities employ various methods to obtain legitimate banking credentials from businesses, including mimicking an institution’s website, using malware and viruses to compromise the business’s systems, or using social engineering to trick employees into revealing security credentials or other sensitive data. In each case, fraudsters use the compromised system or the stolen credentials to access the company’s business accounts and make fraudulent transfers.
Credit unions initiating funds transfers on behalf of businesses should vigilantly and proactively protect against this type of fraud in order to mitigate risk for both themselves and the company involved. Here are a few reminders and best practices for financial institutions:
- Require robust and current anti-virus and security software on all of your business customers’ computer workstations and laptops that are used to conduct online banking and to initiate payments. In addition, implement appropriate restrictions on the functions of these workstations – for example, a computer that is used for online banking should not be used for general browsing, email, or social media.
- Advise implementation of multi-factor and multi-channel authentication for business accounts that are permitted to initiate funds transfers. Multi-factor authentication combines at least two of the following: 1) something the person knows (user ID, PIN, password), 2) something the person has (password-generating token, USB token), and 3) something the person is (biometrics, e.g. a fingerprint scan).
- Recommend payment file initiation under dual control. Dual control involves file creation by one employee with file approval and release by another employee on a different computer, thus requiring two different employees to “touch” the transaction before it is sent.
- Use out-of-band authentication to validate the authenticity of transactions initiated by your business customer, that is, confirmation over a channel separate from the one used to submit the transaction. For example, require an authorization by email before a pending transfer is released, or call the customer back by phone to verify authenticity.
- Consider fraud detection and risk management services, and review your current policies and procedures.
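The following release gate enforces the dual-control, multi-factor and out-of-band checks from the three bullets above in one place. It is an added example, not code from the original article or from any particular banking platform; the PaymentFile fields, the factor labels (knows/has/is) and the two sample files are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FACTOR_CATEGORIES = {"knows", "has", "is"}  # the three MFA categories from the text


@dataclass
class PaymentFile:
    """Constructed model of a pending payment file awaiting release (assumed fields)."""
    file_id: str
    amount: float
    created_by: str                     # employee who built the file
    created_on: str                     # workstation id used to build it
    approved_by: Optional[str] = None   # employee who approved it (None = not yet)
    approved_on: Optional[str] = None   # workstation id used for approval
    approver_factors: Tuple[str, ...] = ()  # factor categories presented at approval
    oob_confirmed: bool = False         # confirmation received over a separate channel


def release_checks(pf: PaymentFile) -> List[str]:
    """Return every control that fails for this file; an empty list means it may be released."""
    failures = []
    # Dual control: a second employee must approve ...
    if pf.approved_by is None:
        failures.append("no approval recorded")
    elif pf.approved_by == pf.created_by:
        failures.append("creator and approver are the same employee")
    # ... and must do so from a different computer than the one that created the file.
    if pf.approved_on is None or pf.approved_on == pf.created_on:
        failures.append("approval was not made from a different workstation")
    # Multi-factor: at least two distinct factor categories, not two of the same kind.
    if len(set(pf.approver_factors) & FACTOR_CATEGORIES) < 2:
        failures.append("approver did not present two distinct authentication factors")
    # Out-of-band: the transfer must have been confirmed over a separate channel.
    if not pf.oob_confirmed:
        failures.append("no out-of-band confirmation")
    return failures


def may_release(pf: PaymentFile) -> bool:
    return not release_checks(pf)


# Constructed sample files: one that satisfies every control, one that fails all of them.
GOOD_FILE = PaymentFile("PF-001", 12500.00, "alice", "ws-01", "bob", "ws-02",
                        ("knows", "has"), oob_confirmed=True)
BAD_FILE = PaymentFile("PF-002", 440000.00, "alice", "ws-01", "alice", "ws-01",
                       ("knows", "knows"), oob_confirmed=False)

if __name__ == "__main__":
    for pf in (GOOD_FILE, BAD_FILE):
        print(pf.file_id, "release" if may_release(pf) else "HOLD:", "; ".join(release_checks(pf)))
```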
As with any compliance guidelines, the most important tool your credit union can employ is education. Train your staff to watch for unusual activity on business customers’ accounts, and inform your corporate customers about ways to prevent, detect, and report financial crimes. By keeping your members educated about the importance of implementing their own systems and sound business practices to protect themselves, you will in turn further protect your credit union.