Online and offline data security continues to challenge businesses large and small, costing companies money – real money. Unlike consumers, businesses do not enjoy the same fraud protection when fraud hits their commercial bank accounts. It’s critical that businesses know their liability and responsibility when dealing with cyber fraud.
Businesses need to have controls in place, monitor transactions using online and mobile banking services, create and follow transactional movement protocols to move company revenues between accounts, and keep their antivirus software up-to-date.
Data Theft: It’s so Easy If Not Treated As a High Priority
Take for example two companies:
Example Company A
A Zeus virus was maliciously inserted into the company system, enabling the infiltrator to alter wiring instructions entered by a company employee. To defeat the fraudster, the company effectively used dual control. A second person carefully and thoughtfully reviewed the transaction using a separate login at another computer. Having determined that the information had been changed, the client contacted the bank. In this single attack, more than $99,000 was placed at risk.
Example Company B
In another battle, this company received an email that appeared to be from a company executive. The person who received the email entered a wire transfer for nearly $32,000 as requested in the email. Another person reviewed the transaction and contacted the executive by phone to validate the request. Once again, dual control prevented the transfer and loss of significant funds.
What Does This Mean for Business Owners?
Combatting cyber fraud is crucial to protecting your business, and dual control is a fundamental weapon in cyber warfare. Dual control is an armament against fraud, security breaches, conflicts of interest and errors. We strongly recommend that your arsenal include dual control for executing payments and for maintaining user credentials in online systems. Dual control for online money movement, file transfers and user entitlements is a version of the classic accounting security — separation of duties. It requires two sets of security credentials (generally, two people with unique IDs and passwords) to participate in gaining authorized access to a system resource.
If fighting fraud attempts fits into your strategy, try these tactics:
- Separate payment initiation and approval. These tasks should be performed by separate individuals at separate computers. Even if your company entrusts one person with making payments, splitting the process into two tasks will mitigate risk, since a virus on a single machine can then no longer both change and submit a payment.
- Ensure the security token (or similar software) used to log into a system to initiate payments is a separate token from the one used to approve the payments.
- Separate the initial setup and maintenance of users and entitlements into two tasks: entry and approval. This will prohibit one person from being able to set up a fictitious user along with potentially fraudulent money movement templates.
- Ensure file uploads and imports are done with dual control (import/upload with separate approval).
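The four tactics above describe one control, a maker-checker (dual control) queue, applied to payments, user entitlements and file imports. The following Python model is an added example written for this page; it is not code from the article or from Amegy Bank, and the user names, device IDs, tokens and wire details in it are constructed. It enforces that the approver is a different person, on a different computer, with a different security token, and it re-checks a fingerprint of the stored instructions against a copy the approver derives independently (from the invoice, or a callback), which is how the altered wire in Example Company A is caught.

```python
import hashlib
import json
from dataclasses import dataclass, field


class DualControlError(Exception):
    """Raised when an approval violates the separation-of-duties rules."""


def fingerprint(details: dict) -> str:
    """Canonical SHA-256 over the action details so any change to them changes the value."""
    canon = json.dumps(details, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class PendingAction:
    kind: str                 # "payment", "user_setup" or "file_import"
    details: dict
    initiator: str
    initiator_device: str
    initiator_token: str
    approved: bool = False
    audit: list = field(default_factory=list)


class DualControlQueue:
    """Maker-checker queue: nothing executes until an independent second party approves it."""

    def __init__(self):
        self.pending = {}
        self.next_id = 1

    def initiate(self, user, device, token, kind, details):
        action_id = self.next_id
        self.next_id += 1
        # Store a copy so the caller's original instructions stay untouched.
        self.pending[action_id] = PendingAction(kind, dict(details), user, device, token)
        return action_id

    def approve(self, action_id, user, device, token, expected_fingerprint):
        act = self.pending[action_id]
        if user == act.initiator:
            raise DualControlError("initiator cannot approve their own action")
        if device == act.initiator_device:
            raise DualControlError("approval must come from a separate computer")
        if token == act.initiator_token:
            raise DualControlError("approval must use a separate security token")
        if fingerprint(act.details) != expected_fingerprint:
            act.audit.append(f"REJECTED by {user}: stored details differ from verified copy")
            raise DualControlError("details changed since initiation; verify by callback")
        act.approved = True
        act.audit.append(f"APPROVED by {user} on {device}")
        return True


def run_scenarios() -> dict:
    """Three constructed cases: a tampered wire, a self-approval attempt, and a clean approval."""
    outcomes = {}
    # Constructed vendor wire instructions, as the initiating employee typed them in.
    original = {"beneficiary": "Example Vendor LLC", "account": "000011112222", "amount": 99000}
    q = DualControlQueue()

    # Case 1: malware on the initiator's PC rewrites the account after entry (Example Company A).
    pid = q.initiate("alice", "pc-01", "token-A", "payment", original)
    q.pending[pid].details["account"] = "999988887777"   # simulated tampering
    try:
        # Bob fingerprints the instructions from the original invoice, not from Alice's screen.
        q.approve(pid, "bob", "pc-02", "token-B", fingerprint(original))
        outcomes["tampered"] = "approved"
    except DualControlError:
        outcomes["tampered"] = "rejected"

    # Case 2: the same person, same PC and same token tries to approve their own entry.
    pid = q.initiate("alice", "pc-01", "token-A", "payment", original)
    try:
        q.approve(pid, "alice", "pc-01", "token-A", fingerprint(original))
        outcomes["self_approval"] = "approved"
    except DualControlError:
        outcomes["self_approval"] = "rejected"

    # Case 3: untouched details, independent approver, separate PC and token.
    pid = q.initiate("alice", "pc-01", "token-A", "payment", original)
    q.approve(pid, "bob", "pc-02", "token-B", fingerprint(original))
    outcomes["clean"] = "approved" if q.pending[pid].approved else "rejected"
    return outcomes


if __name__ == "__main__":
    print(run_scenarios())
```

The same queue serves user setup and file imports by passing a different `kind`; the rules do not change. The important design choice is that the approver's fingerprint comes from a source the initiator's computer never touched, so a compromise of that one machine cannot produce both halves of the approval.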
Recent skirmishes in the war against cyber fraud include hacking into a system, introducing a virus through an email message and disguising an email address (changing one letter) to look like it came from a company executive. Along with dual control, be armed with callbacks to known telephone numbers to verify all payment instructions.
Many banks, like us, offer products and services that help reduce your risk, like Amegy Positive Pay and ACH Positive Pay — services that help protect companies against check and electronic transaction fraud. We also offer our clients the ability to download IBM® Security Trusteer Rapport®, a security software application that works with your antivirus and firewall software as an added layer of security. Collaborate with your banker to develop a strategy for helping your business avoid fraud.
Jeanne Bennett is a Senior Vice President and the Head of Private Wealth Services in San Antonio for Amegy Bank, a division of ZB, N.A. Member FDIC. She leads a team of professionals that works extensively with physicians and hand in hand with bankers from all lines of business, enabling clients to receive one-on-one, personalized solutions and comprehensive service at any time.
Bennett and her team specialize in meeting and anticipating the needs of doctors, corporate executives, professionals, entrepreneurs, business owners, wealthy individuals and families who expect and deserve excellence and seek personalized relationship banking. For more information, please contact Bennett at 210-343-4556 or email firstname.lastname@example.org.