eBusiness Solutions: Fraud Prevention Best Practices
September 5, 2018
User ID and Password Guidelines
- Create a “strong” password with at least 8 characters that includes a combination of mixed case letters, numbers, and special characters.
- Change your password
- Never share username, password or token information with anyone, including third-party
- Avoid using an automatic login feature that saves usernames and passwords.
- Do not use public or other unsecured computers for logging into eBusiness.
- Users should check the last login date/time every time they log in. The last login date/time is displayed on the Welcome Page.
- If the system does not recognize your computer or location, you will be asked to provide additional information to log into eBusiness Solutions. This is called Out-of-Band Authentication and is completed via phone or SMS text.
- Review account balances and detail transactions on a daily basis to confirm payment and other transaction data, and immediately report any suspicious transactions to your financial institution. Review historical and audit reports regularly to confirm user access and transaction activity.
- Take advantage of and regularly view system alerts; examples include:
- ACH Alerts
- Wire Alerts
- Security Notification Alerts
- Do not use account numbers, your social security number, tax id number, or other account or personal information when creating account nicknames or other
- Use the historical reporting features of your online banking application on a regular basis to confirm payment and other transaction data.
- Never leave a computer unattended while using eBusiness Solutions.
- Never conduct banking transactions while multiple browsers are open on your computer.
- An FBI-recommended best practice is for company users to dedicate a PC solely to financial transactions (e.g., no web browsing, e-mail, or social media). This effectively seals off threats that come from visiting various websites, which could make the company a target for hackers and Corporate Account Take Over (CATO).
- Familiarize yourself with bankESB's Cash Management Master Agreement and Internet Banking Services Schedule. Immediately escalate any suspicious activity or transactions to a bankESB representative by calling 855-527-4111. There is a very limited recovery window for unauthorized, previously revoked commercial debit transactions (they must be made available to the Originating Depository Financial Institution no later than the opening of business on the second banking day following the settlement date of the original entry), and immediate escalation may prevent further loss.
- Prohibit the use of “shared” usernames and passwords for eBusiness Solutions.
- Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other
- Dedicate and limit the number of computers used to complete online banking transactions; do not allow Internet browsing or e-mail exchange on them, and ensure these computers are equipped with the latest versions and patches of both anti-virus and anti-spyware software.
- Delete online user IDs as part of the exit procedure when employees leave your company. Review and adjust user entitlements as access needs change, and delete any inactive users.
- Use multiple approvals for monetary transactions and require separate entry and approval
- Establish transaction dollar limits for employees who initiate and approve online payments such as ACH batches, wire transfers, and account transfers.
Tips to Protect Online Payments, ACH and Wire
- Require dual control of ACH and wire transfer payments. Each transaction should be drafted by one employee and approved by another (dual control).
- Take advantage of transaction limits. Establish maximum daily limits and maximum per-transaction limits for monetary transactions.
- Use pre-notification transactions to verify that account numbers within your ACH payments are correct.
- When you have completed a transaction, ensure you log off to close the connection with the financial organization's
- Use separate accounts for electronic and paper transactions to simplify monitoring and tracking any discrepancies.
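As an added illustration (not code from bankESB's eBusiness Solutions), a Python model of the dual-control and limit rules described in the items above: entry and approval by separate users, a per-transaction cap, and a daily cap. The limits, user names and dates are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Transfer:
    """One ACH batch or wire. Integer cents avoid float rounding in limit checks."""
    txn_id: str
    amount_cents: int
    entered_by: str
    day: str                           # entry date, e.g. "2018-09-05" (constructed)
    approved_by: Optional[str] = None  # None until a second person approves


class PaymentControls:
    """Dual control plus per-transaction and daily limits for outgoing payments."""

    def __init__(self, per_txn_limit_cents: int, daily_limit_cents: int) -> None:
        self.per_txn_limit = per_txn_limit_cents
        self.daily_limit = daily_limit_cents
        self.pending: Dict[str, Transfer] = {}
        self.released: Dict[str, int] = defaultdict(int)  # day -> cents approved

    def enter(self, txn_id: str, amount_cents: int, user: str, day: str) -> Transfer:
        """Step 1: the initiator drafts the payment; the per-transaction limit applies."""
        if amount_cents <= 0 or amount_cents > self.per_txn_limit:
            raise ValueError(f"{txn_id}: amount outside per-transaction limit")
        self.pending[txn_id] = Transfer(txn_id, amount_cents, user, day)
        return self.pending[txn_id]

    def approve(self, txn_id: str, approver: str) -> Transfer:
        """Step 2: a different user approves; the daily limit applies at release."""
        t = self.pending[txn_id]
        if approver == t.entered_by:
            raise PermissionError(f"{txn_id}: entry and approval must be separate users")
        if self.released[t.day] + t.amount_cents > self.daily_limit:
            raise ValueError(f"{txn_id}: would exceed daily limit for {t.day}")
        t.approved_by = approver
        self.released[t.day] += t.amount_cents
        del self.pending[txn_id]
        return t


if __name__ == "__main__":
    ctl = PaymentControls(per_txn_limit_cents=500_000, daily_limit_cents=800_000)  # constructed limits
    ctl.enter("w1", 450_000, "alice", "2018-09-05")
    print(ctl.approve("w1", "bob"))
```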
Tips to Avoid Phishing, Spyware and Malware
- Do not open e-mail from unknown sources. Be suspicious of e-mails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes, and similar information. Opening file attachments or clicking on web links in suspicious e-mails could expose your system to malicious code that could hijack your computer.
- Do not enter token codes into links that you clicked on in an e-mail. Instead, type the URL of the reputable site to which you want to authenticate.
- Never respond to a suspicious e-mail or click on any hyperlink embedded in a suspicious e-mail. Call the purported source if you are unsure who sent an e-mail. If an e-mail claiming to be from your financial organization seems suspicious, checking with your financial organization is recommended. bankESB will never call you and ask for personal or business information over the telephone or request information via e-mail.
- Install commercial anti-virus and spyware detection software on all computers. Update all of your computers regularly with the latest versions and patches of both anti-virus and anti-spyware software. Free software may not provide the level of protection against the latest threats that a licensed industry standard product can.
- Ensure computers are patched regularly, particularly operating systems, browsers, and key applications.
- Install a dedicated, actively managed firewall, especially if using a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to your network and computers.
- Check your settings and select, at least, a medium level of security for your browsers.
- Be advised that repeatedly being asked to enter your password/token code is a sign of potentially harmful activity.
Tips for Wireless Network Management
Wireless networks can provide an unintended open door to your business network. Unless a valid business reason exists for wireless network use, it is recommended that all wireless networks be disabled. If a wireless network is to be used for legitimate business purposes, it is recommended that wireless networks be secured as follows:
- Change the wireless network hardware (router / access point) administrative password from the factory default to a complex password. Save the password in a secure location, as it will be needed to make future changes to the device.
- Disable remote administration of the wireless network hardware (router / access point) and, if possible, disable broadcasting the network name.
- If your device offers WPA encryption, secure your wireless network by enabling WPA encryption of the wireless network. If your device does not support WPA encryption, enable WEP encryption.
- If only known computers will access the wireless network, consider enabling MAC filtering on the network. Every computer network card is assigned a unique MAC address. MAC filtering will only allow computers with permitted MAC addresses to access the wireless network.
Tips to Avoid Business Email Compromise (BEC)
- Treat email with caution – email is a gateway into your computer and personal information, so make sure you only open emails/attachments from known senders and, in general, be wary of emails with attachments and links. Make sure everyone on your team is on the alert.
- Check for spoofed (i.e. false and deceptive) domain names – this can help you identify if someone might be launching a Business Email Compromise (BEC) scam against your company.
- Limit publicly available information – criminals use public information to target companies for BEC scams.
- Implement a formal process for money transfers and documentation requests - ensure there is a formal process for high-risk transactions such as wire transfers and requests for sensitive documentation.
- Require dual approval for high-risk transactions - segregation of duties and including more than one individual in a transaction is a great way to help mitigate external and internal fraud.
- Use Forward instead of Reply – when receiving an email requesting a money transfer or for sensitive information, using forward and sending it back to the intended recipient can help you avoid falling victim to a BEC scam that utilizes a spoofed domain.
- Use Out of Band to Verify – use a different channel to verify. If the request came in via email, use phone (and not the phone number that is in the e-mail) and vice versa. Also be sure to verify beneficiary bank and account number.
- Color code emails - so emails from employees or internal accounts are one color, and emails from non-employees or external accounts are another color.
- Adding new vendors - when adding a vendor or changing vendor payment information, use phone verification as part of two-factor authentication. When doing this, use previously known phone numbers, not the numbers provided in the email request.
- Don’t get complacent - fraud is ever-changing, keep up to date.
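As an added example, not part of bankESB's document: a small Python check of the kind a mail gateway or help-desk script could run to flag the spoofed and look-alike sender domains and the Reply/Forward problem described in the items above. The trusted domains, sample addresses and homoglyph table are constructed assumptions.

```python
from email.utils import parseaddr
from typing import Collection

# Constructed list of domains this company trusts (its own plus known vendors).
TRUSTED_DOMAINS = {"bankesb.com", "acme-supplies.example"}

# Characters commonly swapped for look-alikes; all are folded before comparison.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(domain: str) -> str:
    """Normalise a domain so 'rn' vs 'm' or '0' vs 'o' tricks compare equal."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, reply_to_header: str = "",
                    trusted: Collection[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'reply-to-mismatch' or 'external' for one message."""
    display_name, address = parseaddr(from_header)
    sender = address.rpartition("@")[2].lower()
    if reply_to_header:
        reply_to = parseaddr(reply_to_header)[1].rpartition("@")[2].lower()
        if reply_to != sender:
            return "reply-to-mismatch"   # a Reply would go somewhere other than shown
    if sender in trusted:
        return "trusted"
    # Display name written as a trusted address while the real address is elsewhere.
    if "@" in display_name and display_name.rpartition("@")[2].lower() in trusted:
        return "lookalike"
    for good in trusted:
        label = good.split(".")[0]       # "bankesb" from "bankesb.com"
        if (fold(sender) == fold(good) or edit_distance(sender, good) <= 1
                or label in sender):     # e.g. bankesb-secure.com, bankesb.com.evil.net
            return "lookalike"           # heuristic: short labels can over-match
    return "external"
```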