Is Your Money at Risk? Three Banking Security Guidelines to Know
Cyber criminals stole nearly $3 billion from about 40,000 business bank accounts over the past five years. While banks provide protections to consumers, many business owners are surprised to find that their bank isn’t obligated to make them whole in the event of fraudulent transactions.
Let’s take a look at banking laws and how you can protect your business from these losses.
Banking Security 101
Most consumers are aware that banks provide them with fraud protection. If you spot a fraudulent transfer, you can call the bank and quickly receive a refund without question.
That’s because Regulation E of the Electronic Fund Transfer Act requires banks to cover any losses from fraud, as long as you weren’t lax about safeguarding your information and notified the bank within 60 days of the fraudulent charge or transfer appearing on your bank or credit card statement.
Many business owners assume that these same protections extend to their business accounts — but that’s not true.
The Uniform Commercial Code requires banks to offer businesses “commercially reasonable” security protocols. If the bank follows those protocols, it can refuse to reimburse businesses that are the victim of fraudulent transfers.
The Internet Crime Complaint Center, known as IC3, received 41,058 complaints from U.S. businesses between October 2013 and May 2018, resulting in $2,935,161,457 in losses. These figures don’t include losses that went unreported.
These scams are also becoming more common.
According to the IC3, there was a 136% increase in identified global exposed losses from unauthorized bank transfers between December 2016 and May 2018 with reports in all 50 states and 150 countries around the world.
3 Ways to Stop Criminals
Most bank fraud is perpetrated through business email compromise, or BEC, scams. According to the FBI, the scam is frequently carried out when an attacker compromises a legitimate business email account through social engineering or computer intrusion and then conducts an unauthorized transfer of funds.
Phishing emails represent another common attack vector used to steal banking credentials from unsuspecting employees or business owners. In these instances, employees may receive an email that looks legitimate but contains links to fake websites designed to steal banking credentials.
The good news is that these types of fraud can be prevented with some basic security measures and common sense.
Download a free Sample BEC Email that you can use for employee training purposes.
#1: Use Better Authentication
The best way to avoid BEC scams is to prevent unauthorized access to email or bank accounts. Without access to a trusted account, it’s a lot harder for criminals to convince employees or trick banks to make unauthorized transfers.
These best practices should be implemented across your entire business and incorporated into the onboarding and ongoing training for employees in order to be effective.
The two best ways to secure email accounts are:
Password Management: Passwords should be strong, unique for each service you use and updated on a regular basis, which is far easier with a password manager. These tools automatically create strong passwords and fill them in when you need them in your browser.
Two-Factor Authentication: Two-factor authentication should always be enabled for bank accounts and email accounts. These systems either text you a one-time code or use an authenticator app from a third party such as Google or Microsoft.
#2: Implement Anti-Phishing Training
Many email, social media and bank accounts are compromised through phishing techniques.
For example, an employee may receive an email stating that the company’s bank account has suspicious activity and requesting that they log in to view transactions. The problem is that the login link actually takes them to a fake page. When they enter their login details, attackers capture the credentials before redirecting them to the real bank website.
There are a few ways to spot these phishing emails:
From Address: Many banks have measures in place to prevent their domain from being spoofed, so criminals use convincing-sounding domains instead. An example might be “Chase Bank firstname.lastname@example.org”. Unless the domain matches the bank’s, you should ignore the email.
Suspicious Links: Most banks and other businesses no longer include links in their emails. Instead, they encourage you to type in their website address to log in to your account. If you see a link in an email, copy and paste it into a text editor to see where it actually goes before clicking on it.
Writing Style: Many criminals try to create a sense of urgency; for example, your account may be “compromised” or, ironically, may have experienced an “unauthorized funds transfer”. When this occurs, take a step back and review the email with a calm mind before clicking any links.
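The three checks above (sender domain, where links really go, and urgency language) can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original post or from Jungle Disk: a small checker built on Python’s standard `email` and `html.parser` modules. The sample message, the bank domain `examplebank.com` and the list of urgency phrases are constructed for illustration.

```python
"""Flag the phishing indicators described above in a raw email message.
Added example (not from the original post); the sample message, the expected
bank domain and the urgency phrase list are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of phrases that try to create a sense of urgency.
URGENCY_PHRASES = (
    "unauthorized funds transfer", "account has been compromised",
    "suspicious activity", "immediately", "within 24 hours",
)

# Constructed phishing sample: look-alike sender domain, a link whose visible
# text is the bank's address but whose target is a third-party host, urgency.
SAMPLE = """\
From: Example Bank Alerts <alerts@examplebank-secure.com>
To: owner@smallbiz.example
Subject: Unauthorized funds transfer detected
Content-Type: text/html

<p>Suspicious activity on your account. Log in immediately:</p>
<a href="http://examplebank.com.login-verify.net/">https://examplebank.com/login</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _belongs_to(host: str, expected: str) -> bool:
    """True only for the bank's domain or a real subdomain of it."""
    return host == expected or host.endswith("." + expected)


def check_message(raw: str, expected_domain: str) -> list:
    """Return human-readable findings; an empty list means nothing fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. From address: the domain must be the bank's, not a look-alike.
    _, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not _belongs_to(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    # 2. Links: where each href really points, and whether the visible text
    #    shows a different host than the real destination.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, label in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not _belongs_to(host, expected_domain):
            findings.append(f"link {href!r} goes off-domain to {host!r}")
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", label.lower())
        if shown and shown.group(1) != host:
            findings.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")

    # 3. Writing style: urgency language in subject or body.
    lowered = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for line in check_message(SAMPLE, "examplebank.com"):
        print("-", line)
```

The subdomain trick in the sample (`examplebank.com.login-verify.net`) is why the check compares the full host against the bank’s domain rather than looking for the bank’s name anywhere in the URL.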
It also helps to have anti-phishing software installed on your company’s network to proactively block obvious attacks. For example, Jungle Disk’s Active Network Protection includes anti-phishing and anti-malware detection to filter out these requests before they reach employee browsers or inboxes.
#3: Create the Right Processes
Many businesses have processes for tasks like payroll or invoicing, but they may not have processes for accounts payable or spending on a company credit card.
Some critical processes to consider include:
Two Person Sign Off: Ensure that each transaction, or transactions over a certain amount, is signed off by two people rather than leaving one person responsible. This increases the odds of someone catching a mistake or identifying a fraudulent request.
Cybersecurity Second Opinion: Make it easy for employees to request a second opinion if they suspect a cybersecurity issue. For example, you may want to have a dedicated IT person responsible for reviewing these requests without judging employees that come forward with questions.
Regular Statement Reviews: Check bank statements on a regular basis to ensure that there are no unrecognized or unauthorized transactions. By spotting issues early on, you can avoid losses that add up over long periods of time.
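Two of these processes, the two-person sign-off and the regular statement review, are easy to model in code. The following is an added example, not code from the original post or from Jungle Disk: a payment record that refuses to release above a threshold without two distinct approvers, and a reconciliation step that compares bank statement lines against the approved ledger and flags anything the business never authorized. The threshold, the ledger entries and the statement lines are constructed.

```python
"""Dual sign-off and statement reconciliation for the processes described
above. Added example (not from the original post); the threshold, the
sample ledger and the statement lines are constructed."""
import csv
from dataclasses import dataclass, field
from io import StringIO

DUAL_APPROVAL_THRESHOLD = 5000.00  # constructed policy value


@dataclass
class Payment:
    reference: str
    payee: str
    amount: float
    approvals: list = field(default_factory=list)

    def required_approvals(self) -> int:
        # Large payments need two people; small ones need one.
        return 2 if self.amount > DUAL_APPROVAL_THRESHOLD else 1

    def approve(self, user: str) -> None:
        # The same person cannot supply both sign-offs.
        if user in self.approvals:
            raise ValueError(f"{user} already approved {self.reference}")
        self.approvals.append(user)

    def releasable(self) -> bool:
        return len(self.approvals) >= self.required_approvals()


def build_sample_ledger() -> dict:
    """Constructed ledger: one small payment, one large payment with two approvers."""
    small = Payment("P-1001", "Acme Supplies", 4200.00)
    small.approve("alice")            # one sign-off is enough below the threshold
    large = Payment("P-1002", "Globex Corp", 12500.00)
    large.approve("alice")
    large.approve("bob")              # second, distinct approver
    return {p.reference: p for p in (small, large)}


# Constructed statement: two legitimate entries, one unknown payee, one
# duplicate charge of an already-paid reference.
STATEMENT_CSV = """\
reference,date,payee,amount
P-1001,2018-06-03,Acme Supplies,4200.00
P-1002,2018-06-05,Globex Corp,12500.00
,2018-06-07,Unknown Payee Ltd,9800.00
P-1001,2018-06-09,Acme Supplies,4200.00
"""


def reconcile(statement_csv: str, ledger: dict) -> list:
    """Compare statement lines against approved payments.

    Returns (row, reason) pairs for entries the business did not authorize."""
    findings = []
    seen = set()
    for row in csv.DictReader(StringIO(statement_csv)):
        ref = row["reference"]
        amount = float(row["amount"])
        payment = ledger.get(ref)
        if payment is None or not payment.releasable():
            findings.append((row, "no approved payment matches this entry"))
        elif abs(payment.amount - amount) > 0.005 or payment.payee != row["payee"]:
            findings.append((row, "amount or payee differs from the approved payment"))
        elif ref in seen:
            findings.append((row, "approved payment charged more than once"))
        seen.add(ref)
    return findings


if __name__ == "__main__":
    for row, reason in reconcile(STATEMENT_CSV, build_sample_ledger()):
        print(f"{row['date']} {row['payee']:<20} {row['amount']:>10}  {reason}")
```

Reviewing the statement against the ledger, rather than just reading the statement, is what turns “I don’t recognize this” from a feeling into a check that can run every week.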
The Bottom Line
Tens of thousands of businesses experience hundreds of millions of dollars of losses from bank fraud each year. By taking basic security measures and using common sense, many of these types of fraud can be avoided. The key is knowing what to look for and having the right tools in place.
Don’t forget to download a free Sample BEC Email that you can use for employee training purposes.
Jungle Disk provides a complete cyber security suite that’s designed for small businesses with between two and 250 employees. With a scalable pricing model, companies of all sizes can rest easy knowing that they’re protected against many common types of cyber attacks — including BEC and phishing scams.