
Security Best Practices

Common precautions that will help protect you from fraud and theft.

Frequently Asked Questions

Choose a topic to learn more about.

Mobile Banking

These common precautions will help protect you from fraud and theft:

  • Set the phone to require a passcode to power on the handset or awaken it from sleep mode. If it’s lost or stolen, any confidential information stored on the device will be more difficult to access.
  • Whether you’re using the mobile Web or a mobile App, don’t let it automatically log you in to company bank accounts. Otherwise, if your phone is lost or stolen, someone will have free access to your accounts and your money.
  • Don’t save your passcode, account number, PIN, answers to secret questions or other such information on the mobile devices.
  • Immediately tell the bank and mobile operator if you lose your phone. The sooner you report the loss, the better protected you are from fraudulent transactions.
  • Download and install antivirus software for your mobile device, according to the manufacturer’s recommendations.
  • Be careful when downloading Apps. Downloads should always be from a trusted and approved source.
  • Avoid “free offers” and “free ringtones.” An email or instant message that offers free software downloads, such as ringtones, may contain viruses or malware.
  • Be cautious of emails or text messages from unknown sources asking you to update, or confirm your personal identifying information including passcode/password and account information. Don’t reply to text messages from people or places that you do not know.
  • Treat your mobile device as carefully as you would your wallet, cash or credit cards.
  • Keep track of account transactions. Review your online bank account daily and your statements monthly, and as regularly as you can beyond that, so that fraudulent transactions are caught early. If you notice discrepancies, contact First Keystone Community Bank immediately.
  • Only use Wi-Fi on your device when connected to password-protected hotspots. Turn off Wi-Fi when you are away from your network or a trusted network/hotspot. Turn off any auto-connect features; they might cause your phone to join insecure wireless networks without your knowledge.
  • Make sure you log out of social networking sites and online banking when you’ve finished using them.
  • Install operating system updates for your device as they become available – they often include security updates.
  • Before you upgrade or recycle your device, delete all personal identifying information and business information.

Corporate Account Takeover (CATO)

Corporate Account Takeover (CATO) is a form of identity theft in which criminals steal your online banking credentials. It is a fast-growing electronic crime in which thieves typically use some form of malware to obtain login credentials for online banking accounts and then fraudulently transfer funds from those accounts. The attacks usually go undetected for some period of time: malware introduced into your network or systems may remain unnoticed for weeks or months, and transfers made with stolen credentials may happen at any time and go unnoticed for days.

The good news is, if you follow sound business practices and implement basic policies, you may be able to protect your business:

  • Use layered system security: Create layers of firewalls, anti-malware software and encryption. One layer of security might not be enough. Take a defense-in-depth approach: run robust anti-malware programs on every network, workstation and laptop, and keep them updated regularly.
  • Manage online banking accounts with a single, dedicated computer: If possible, use a separate computer exclusively for online banking and cash management. This computer should not be connected to your business network, should receive only secure or encrypted email (never public webmail), and should not be used for any online purpose except banking. Do not use this machine to surf the internet; use it for banking purposes only.
  • Educate your employees about cybercrimes. Make sure your employees understand that just one infected computer can lead to a CATO incident, an account takeover. Make them very conscious of the risk, and teach them to ask the question “Does this email or phone call make sense? Am I expecting this from a customer or vendor?” before they open attachments or provide information.
  • Block access to unnecessary or high-risk websites. Prevent access to any website that features adult entertainment, gaming, social networking and personal email. All such sites are common paths for malicious files to reach your network.
  • Establish separate user accounts for every employee accessing sensitive company information. Limit administrative rights! Many malware programs require administrative rights to the workstation and network in order to steal credentials. If your user permissions for online banking include administrative rights, don’t use those credentials for day-to-day processing.
  • Use dual control tools in cash management. Create dual control on payments, requiring two different people to issue a payment – one to initiate/set up the transaction and a second to approve it. This doubles the chances of stopping a criminal from stealing your money from your account, because a single stolen credential cannot both set up and approve a payment.
  • Review or reconcile accounts online daily. The sooner you find and notify the bank of suspicious transactions, the sooner the theft can be investigated.
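The dual-control rule above can be enforced in software as a two-person approval step. The following is an added illustration of that separation-of-duties control, not code from First Keystone Community Bank or any cash-management product; the user names, entitlements and payee are constructed sample data.

```python
"""Dual control for outgoing payments: a payment is released only after one
authorised user initiates it and a *different* authorised user approves it.
Added example of the two-person rule; entitlements below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample entitlements. In a real system these come from the
# bank's user administration, not from a table inside the application.
CAN_INITIATE = {"alice", "bob"}
CAN_APPROVE = {"bob", "carol"}


class DualControlError(Exception):
    """Raised when a step would violate the two-person rule."""


@dataclass
class Payment:
    payee: str
    amount_cents: int
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None

    @property
    def released(self) -> bool:
        # Funds move only after two distinct people have acted.
        return self.initiated_by is not None and self.approved_by is not None


def initiate(payment: Payment, user: str) -> Payment:
    """First step: an entitled user sets the payment up."""
    if user not in CAN_INITIATE:
        raise DualControlError(f"{user} may not initiate payments")
    if payment.initiated_by is not None:
        raise DualControlError("payment was already initiated")
    payment.initiated_by = user
    return payment


def approve(payment: Payment, user: str) -> Payment:
    """Second step: a different entitled user approves it."""
    if payment.initiated_by is None:
        raise DualControlError("payment has not been initiated")
    if user not in CAN_APPROVE:
        raise DualControlError(f"{user} may not approve payments")
    if user == payment.initiated_by:
        # The core of dual control: the same login cannot do both steps,
        # so one stolen credential cannot release money on its own.
        raise DualControlError("initiator cannot approve their own payment")
    if payment.approved_by is not None:
        raise DualControlError("payment was already approved")
    payment.approved_by = user
    return payment


def try_release(initiator: str, approver: str) -> str:
    """Run both steps with the given users; return 'released' or the refusal."""
    p = Payment(payee="Vendor Ltd (constructed)", amount_cents=250_000)
    try:
        initiate(p, initiator)
        approve(p, approver)
    except DualControlError as e:
        return f"refused: {e}"
    return "released" if p.released else "refused: incomplete"


if __name__ == "__main__":
    print(try_release("alice", "carol"))  # two different authorised people
    print(try_release("bob", "bob"))      # one person holding both rights
    print(try_release("alice", "dave"))   # approver is not entitled
```

Note that `bob` holds both entitlements yet still cannot release a payment alone: the check is on the identity of the person, not on which rights an account has, which is exactly what defeats an attacker who has captured one set of credentials.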

Social Engineering

Social Engineering is any method of theft that manipulates human nature in order to gain access to your online accounts. No business is immune to the risks of Social Engineering attacks, and thieves will go to great lengths to lower your guard. Here are a few ways you can protect yourself from thieves using Social Engineering techniques:

  • Don’t allow unfamiliar visitors into any area with network access. Thieves often pose as vendors, service providers or even firefighters conducting an inspection, in order to gain physical access to your network. It only takes a few seconds for them to plug in a thumb/USB drive that installs keystroke logging software. Legitimate technicians or officers will have I.D. beyond a logo shirt or uniform to back up their claim, and should be verified independently.
  • Be cautious about letting visitors use a workstation or plug into your network. A request to “check my email” or “download that sales brochure” might seem innocent enough. But, this is a favorite tactic of Social Engineers to gain access to your network and leave monitoring software or hardware behind.
  • Control access to your facility. Whatever type of business you have, there should be barriers between public and private back office areas. Doors leading into back offices from public areas should be locked. Doors to outdoor smoking areas should be locked. Visitors to back office areas should always be accompanied by a trusted employee.
  • Don’t assume that an unsolicited phone call or email is actually from a trusted source. Thieves can research your business relationships or your online social information, and then pose as a business partner, vendor or colleague you trust. They can pose as another department or company employee needing your personal help. Again, verify before providing any confidential or personal identifying information.
  • Remember, unexpected email attachments should be treated with great caution. Common and popular files like PDFs, JPGs, ZIP files and spreadsheets can provide a platform for installing viruses or keystroke-logging malware on your computer or business network. If you are not certain the file came from a legitimate business or person, don’t open it without verifying. Call them and ask if they sent an email with an attachment.
  • Verify, verify, verify. If you receive a phone call, email, or text claiming there is a problem with a bank account, debit/credit card account or any other network or related account, hang up the phone or delete the email or text, and check those accounts directly using contact details you already have on file.

Phishing & Spoofing

What is phishing & spoofing?

Phishing is a term coined by hackers to describe forged e-mails they send that imitate a legitimate company’s e-mails in order to entice people to share passwords, credit card numbers or other personal information. Hackers will use this data to access personal accounts, financial information and identities that they will then use for fraudulent purposes.

Spoofing is a term that describes Phishing that asks you to supply, confirm, or update personal information by clicking on a link in the e-mail. The link will connect to a web page or log-in that appears to belong to the company mentioned in the e-mail. Often the site looks like the company’s website, but it isn’t. If a customer enters personal data, the hackers who set up the site will steal that information.

What are some ways to avoid phishing & spoofing?

  • Before submitting financial information through a website, look for the “lock” icon on the browser’s status bar. It means your information is encrypted during transmission to that site; it does not by itself prove the site belongs to the company, so also check that the address in the browser is the company’s genuine one.
  • If you receive an unexpected e-mail saying your account will be shut down unless you confirm your billing or other personal information, do not reply or click any links in the e-mail message. At any time if you are uncertain about a request from an institution, contact the company through an address or telephone number you know to be genuine.
  • If you unknowingly supplied personal or financial information in response to a request you now fear is a scam, contact us immediately.
  • Passwords and access codes should be kept secret, and changed periodically. Financial institutions will never ask for your username and password.
  • When banking over the Internet, be sure to exit the browser after completing the Internet session, and take precautions to keep your computer free of viruses and spyware that could be used to capture password keystrokes.
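The spoofing paragraph above describes a link whose page looks like the company’s site but isn’t. The checks a mail filter or a cautious reader applies to such a link can be written down; the following is an added example, not code from the bank, and the company domain `example-bank.com` and all sample links are constructed placeholders. It also shows why the lock icon alone is not enough: a spoofed site can serve HTTPS too.

```python
"""Decide whether a link in an e-mail really points at the company it claims.
Added example for the spoofed-login-page description; the company domain and
the sample links are constructed placeholders, not real sites."""
from typing import List
from urllib.parse import urlsplit


def host_belongs_to(hostname: str, company_domain: str) -> bool:
    """True if hostname is company_domain itself or a subdomain of it.
    'example-bank.com.evil.test' does NOT qualify: the suffix must match."""
    hostname = hostname.lower().rstrip(".")
    company_domain = company_domain.lower()
    return hostname == company_domain or hostname.endswith("." + company_domain)


def check_link(href: str, company_domain: str, display_text: str = "") -> List[str]:
    """Return reasons to distrust the link; an empty list means it passed."""
    findings = []
    parts = urlsplit(href.strip())
    host = parts.hostname  # already lower-cased, user:pass@ and :port removed

    if parts.scheme.lower() != "https":
        findings.append(f"not https (scheme={parts.scheme or 'none'})")
    if not host:
        findings.append("no hostname in link")
        return findings
    if parts.username is not None:
        # 'https://example-bank.com@evil.test/' shows the bank's name but the
        # browser connects to evil.test; the part before '@' is a username.
        findings.append(f"link has user@ before the host; real host is {host!r}")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        # Heuristic: internationalised labels are a common look-alike trick.
        findings.append("hostname uses non-ASCII or punycode labels (possible look-alike)")
    if not host_belongs_to(host, company_domain):
        findings.append(f"host {host!r} is not {company_domain} or a subdomain of it")
    if display_text:
        # HTML mail can show one address while linking to another.
        shown_url = display_text if "://" in display_text else "https://" + display_text
        shown = urlsplit(shown_url.strip()).hostname
        if shown and shown != host:
            findings.append(f"link text shows {shown!r} but points to {host!r}")
    return findings


# Constructed sample links a customer might see in an e-mail.
SAMPLES = [
    ("https://www.example-bank.com/login", ""),
    ("https://example-bank.com.evil.test/login", ""),
    ("https://example-bank.com@evil.test/", ""),
    ("http://www.example-bank.com/", ""),
    ("https://login.evil.test/", "www.example-bank.com"),
]

if __name__ == "__main__":
    for href, shown in SAMPLES:
        verdict = check_link(href, "example-bank.com", shown) or ["looks genuine"]
        print(f"{href:45} {shown:25} -> {'; '.join(verdict)}")
```

The second sample passes the lock-icon test (it is HTTPS) and contains the company’s name, yet fails because the registrable suffix is `evil.test`; that is the case the bullet about checking the address is guarding against.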
