Fraudsters follow the money, and these days the money trail leads to the Internet, where a growing number of businesses are now conducting transactions online.
Online attacks on business bank accounts come in a variety of forms, and new ones are emerging daily.
A basic phishing scam starts with an e-mail that attempts to lure you to a counterfeit Web site and then cons you into divulging online banking credentials that can be used to initiate fraudulent transactions.
This type of trickery is often referred to as "social engineering."
Phishing schemes continue, but these days fraudsters are more likely to attempt to fool their victims into installing malicious software on their PCs. Once on your computer, "malware" recognizes when you visit an online banking site, captures your log-in and security credentials, and delivers these stolen "keys" to the fraudster. This enables the criminal to essentially take over and empty your account.
Malware variants abound, with names reminiscent of villains in old James Bond movies. For instance, "SpyEye" is malware that wakes up and steals credentials in real time; "OddJob" aids in theft by keeping online sessions open after the user logs out; and "Tatanga" causes a screen freeze and displays a "please wait" message as fraudulent transactions are conducted in the background.
The account takeover threat
Check fraud remains the top payments fraud threat, according to the 2011 AFP Payments Fraud and Control Survey, conducted by the Association for Financial Professionals (AFP). Yet the AFP notes in its survey commentary that "corporate account takeover is emerging as a serious threat."
In 2010, 14% of organizations were subject to a payments fraud attack involving compromised user IDs or passwords, the AFP survey reports.
Fighting back – secondary review
One simple but effective protection strategy is for companies to practice secondary review or dual control. This means that the person who authorizes a transaction can't be the same person who initiates it.
Many banks build a secondary review capability into the transaction initiation function of their online banking system. Secondary review enables a company to establish one or more authorizers who are not also initiators. Whenever an ACH or wire is initiated, the bank can send an alert to all of the designated payment authorizers, making details of the proposed transaction transparent. The transaction can't be released until a designated authorizer approves it.
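The release rule described above can be modeled in a few lines. This is an added example, not code from any bank's system; the class names, user names and payment fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

class DualControlError(Exception):
    """Raised when a step would break initiator/authorizer separation."""

@dataclass
class Payment:
    payment_id: str
    kind: str                          # "ACH" or "WIRE"
    amount_cents: int
    beneficiary: str
    initiator: str
    approved_by: Optional[str] = None
    released: bool = False

@dataclass
class SecondaryReview:
    initiators: set
    authorizers: set
    alerts: list = field(default_factory=list)  # (recipient, payment_id, detail)

    def __post_init__(self):
        # Designated authorizers must not also be initiators.
        overlap = self.initiators & self.authorizers
        if overlap:
            raise DualControlError(f"users hold both roles: {sorted(overlap)}")

    def initiate(self, payment_id, kind, amount_cents, beneficiary, user):
        if user not in self.initiators:
            raise DualControlError(f"{user} may not initiate payments")
        p = Payment(payment_id, kind, amount_cents, beneficiary, user)
        detail = f"{kind} {amount_cents / 100:.2f} to {beneficiary} by {user}"
        for recipient in sorted(self.authorizers):   # alert every authorizer
            self.alerts.append((recipient, payment_id, detail))
        return p

    def approve(self, p, user):
        # Second check on the initiator guards against later role-set edits.
        if user not in self.authorizers or user == p.initiator:
            raise DualControlError(f"{user} may not approve {p.payment_id}")
        p.approved_by = user

    def release(self, p):
        if p.approved_by is None:
            raise DualControlError(f"{p.payment_id} has no authorizer approval")
        p.released = True
        return p
```

With this rule in place, credentials stolen from an initiator alone are not enough to move funds, because release depends on a second, separately authenticated user.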
Other recommended controls
Here are five other important controls your organization should consider implementing to mitigate online transaction fraud risk:
- Maintain a dedicated computer for financial transactions.
Designate a standalone computer to be used for accessing your online banking system and executing transactions. This will reduce the odds of a random virus finding its way onto the computer. If the machine isn't used for e-mailing and random Internet browsing — and doesn't require a network log-in — that will lower the risk of unauthorized intrusion.
- Turn off the computer when it's not in use.
This can limit your exposure to viruses and unauthorized users. Many modern viruses exploit vulnerabilities in the Microsoft Windows operating system and, contrary to popular belief, can infect a computer without its user taking actions such as opening e-mails or visiting malicious Web sites.
- Monitor traffic.
Implement a firewall to control both inbound and outbound traffic. Monitor and log all access to and from your computer to ensure unauthorized access is denied. The computer should be used for financial purposes only; all non-business related usage should be forbidden.
- Monitor and approve changes related to computer maintenance.
Put controls in place to monitor and approve the maintenance done on computers that are used to conduct financial transactions. Proper upfront review and approval is crucial. A dual control process for network changes is also recommended.
- Update your protection.
Install virus and spyware mitigation tools and be sure your detection and protection software is active and up to date at all times.
A team effort
Online banking fraud prevention can only be successful if both banks and their business clients do their part.
At First Tennessee Bank, we maintain a robust and active program designed to identify and reduce fraud threats. "We are confident in the strong security systems that we have deployed around our products," says Chris McKnatt, Senior Product Manager, Treasury Management Services. "We work diligently to offer products that are both easy to use and secure, but our top priority is always our clients' security."
To learn more about how First Tennessee Bank can help you avoid online banking fraud losses, contact your Treasury Management Sales Officer.