Online Banking
Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials. Small to mid-sized businesses remain the primary target of criminals, but any business can fall victim to these crimes. Attacks today are typically perpetrated quietly by the introduction of malware through a simple email or infected website. For a business that has low resistance to such methods of attack, the malware introduced onto its system may remain undetected for weeks or even months.
Short for “malicious software”, malware is software designed to infiltrate a computer system without the owner’s informed consent. Examples include viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, etc.
Malware is commonly delivered through malicious websites (including social media sites), email, and ads on popular websites. Some experts believe email is the biggest security threat of all. Email has been the fastest, most effective method of spreading malicious software to the largest number of users. A good rule of thumb is to only include information in an email that you would feel comfortable sharing with a stranger.
Introducing layered security processes and procedures can help protect businesses from criminals seeking to drain accounts and steal confidential information. These increased security procedures may help reduce the number of incidents and mitigate the financial losses and reputational damage that can result from such attacks.
No single security measure alone is likely to be effective in preventing or mitigating all risks associated with Corporate Account Takeover. Similarly, some of these sound business practices may not be appropriate for or applicable to all businesses. Accordingly, each business must identify its own risks and design and implement appropriate security measures to prevent and mitigate risks associated with Corporate Account Takeover.
Sound business practices for entities suggested by Chelsea Savings Bank are outlined below.
Layered System Security - Use appropriate tools to prevent and deter unauthorized access, and periodically review such tools to ensure they are up to date. These tools include:
Install robust anti-virus and security software for all computer workstations and laptops and ensure that such software is automatically patched regularly and remains current.
Implement multi-layered system security technology. Anti-virus software alone will not protect a business from most threats. Layering security software constructs a multi-level barrier between businesses’ networks and criminals attempting to access such networks.
Implement security suites so all security options (e.g., firewall, anti-virus, anti-spyware, anti-malware) work harmoniously to provide superior protection.
Create a secure financial environment by dedicating one computer exclusively for online banking and cash management activity. This computer should not be connected to the business network, have email capability, or connect to the Internet for any purpose other than online banking. Disallow any use for general Web browsing and social networking.
Educate all employees about cybercrimes so they understand that even one infected computer can lead to an account takeover. All employees, even those with no financial responsibilities, should be educated about these threats.
Educate all employees to think critically about each email and phone call received. An employee should always ask “Does this email or phone call make sense?”
Block access to unnecessary or high-risk websites. Common high-risk sites include adult entertainment, online gaming, social networking and personal email.
Promptly deactivate or remove access rights of employees who no longer require access (e.g., inactive, transferred or terminated employees).
Require all employees to use strong passwords and change their passwords frequently on both the computer and online banking application.
In some cases a business may determine it is appropriate to utilize a “white-listing” tool to limit employees’ access to only websites that the business has reviewed and deemed safe.
Establish user accounts for every computer and limit administrative rights. Many malware programs require the user to have network administration privileges to infect the computer. Employ “user” settings to avoid unintentionally downloading a credential-stealing program. Often malware requires the user to be logged in as the network administrator for the malicious program to download.
Staying Informed
Stay informed about defenses to Corporate Account Takeover. Since cyber threats change rapidly, it is imperative that all businesses stay informed about evolving threats and adjust security measures in a timely manner. Among other things, this can be achieved by connecting with alert groups and with business and industry resources about threats and frauds.
Initiate payments under dual control, with assigned responsibility for transaction origination and authorization. Dual control involves file creation by one employee with file approval and release by another employee on a different computer.
Reconcile accounts online daily; at a minimum, review pending electronic activity.
Take advantage of appropriate account services offered by your financial institution. Financial institutions offer a variety of services including debit blocks, Falcon Monitoring, call-backs, etc. Please contact Chelsea Savings Bank about the monitoring services it provides.
Monitor for and report suspicious activity. Ongoing monitoring and timely reporting of suspicious activity are crucial in deterring or recovering from these frauds. A business should report anything unusual to the financial institution, such as log-ins at unusual times of day, new user accounts, unauthorized transfers, etc., so the financial institution can immediately block the account and monitor activity.
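The review described above (log-ins at unusual times of day, new user accounts, payments that bypass dual control) can be run over an exported activity log. This is an added example, not part of the bank's guidance: the event field names, the business-hours window and the approved-user list are assumptions, and the log entries are constructed sample data.

```python
from datetime import datetime, time

# Constructed sample activity export; field names are assumptions, not a real bank format.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "type": "login", "user": "alice", "host": "FIN-PC1"},
    {"ts": "2024-03-04T09:20:00", "type": "payment_created", "user": "alice", "host": "FIN-PC1", "batch": "B100"},
    {"ts": "2024-03-04T10:05:00", "type": "payment_released", "user": "bob", "host": "FIN-PC2", "batch": "B100"},
    {"ts": "2024-03-05T02:47:00", "type": "login", "user": "alice", "host": "FIN-PC1"},
    {"ts": "2024-03-05T02:49:00", "type": "user_added", "user": "alice", "host": "FIN-PC1", "new_user": "temp01"},
    {"ts": "2024-03-05T02:53:00", "type": "payment_created", "user": "temp01", "host": "FIN-PC1", "batch": "B101"},
    {"ts": "2024-03-05T02:55:00", "type": "payment_released", "user": "alice", "host": "FIN-PC1", "batch": "B101"},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working window
KNOWN_USERS = {"alice", "bob"}              # assumed approved banking users


def review(events, hours=BUSINESS_HOURS, known_users=KNOWN_USERS):
    """Return (timestamp, finding) tuples for activity worth reporting to the bank."""
    findings, creators = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"]).time()
        kind = ev["type"]
        if kind == "login" and not (hours[0] <= when <= hours[1]):
            findings.append((ev["ts"], f"off-hours login by {ev['user']}"))
        elif kind == "user_added":
            findings.append((ev["ts"], f"new user account {ev['new_user']}"))
        elif kind == "payment_created":
            # Remember who originated each batch, and from which computer.
            creators[ev["batch"]] = (ev["user"], ev["host"])
            if ev["user"] not in known_users:
                findings.append((ev["ts"], f"batch {ev['batch']} created by unapproved user {ev['user']}"))
        elif kind == "payment_released":
            # Dual control: release must come from a different employee on a different computer.
            origin = creators.get(ev["batch"])
            if origin is None:
                findings.append((ev["ts"], f"batch {ev['batch']} released with no creation record"))
            elif origin[0] == ev["user"]:
                findings.append((ev["ts"], f"batch {ev['batch']} created and released by the same employee"))
            elif origin[1] == ev["host"]:
                findings.append((ev["ts"], f"batch {ev['batch']} released from the computer it was created on"))
    return findings


if __name__ == "__main__":
    for ts, finding in review(EVENTS):
        print(ts, finding)
```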
As use of the Internet continues to expand, more banks and thrifts are using the Web to offer products and services to enhance communications with consumers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or scams.
Tips to help you if you are thinking about or already using online banking systems:
Confirm that an Online Bank is Legitimate and that Your Deposits are Insured
Whether you are selecting a traditional bank or an online bank that has no physical offices, it is wise to make sure that it is legitimate and that your deposits are federally insured.
Key Information about the bank posted on its Web Site
Most bank Web sites have an "About Us" section that describes the institution. You may find a brief history of the bank, the official name and address of the bank, and information about its insurance coverage from the FDIC.
Verify the bank's insurance status
To verify a bank's insurance status, look for the familiar FDIC logo or the words "Member FDIC" or "FDIC Insured" on the web site. You can search for an institution by going to the FDIC's home page and selecting "Is My Bank Insured?". Enter the official name, city, and state of the bank, and click the "Find My Institution" button. A positive match will display the official name of the bank, the date it became insured, its insurance certificate number, the main office location, and its primary government regulator. If your bank does not appear on this list, contact the FDIC at 800-934-3342 or send an email via the FDIC's online Customer Assistance page.
Protect yourself from fraudulent Web sites
Watch out for copycat Web sites that deliberately use a name or Web address very similar to, but not the same as, that of a real financial institution. The intent is to lure you into clicking onto their Web site and giving your personal information, such as your account number and password. Always check to see that you have typed the correct Web site address for your bank before conducting a transaction.
Keep your Transaction Secure
The Internet is a public network. Therefore, it is important to learn how to safeguard your banking information, credit card numbers, Social Security Number and other personal data. Contact your bank for information regarding their Web site security practices.
Security Features
Encryption is the process of scrambling private information to prevent unauthorized access. To show that your transmission is encrypted, some browsers display a small icon on your screen that looks like a lock or key whenever you conduct secure transactions online. Avoid sending sensitive information, such as account numbers, through unsecured email.
Passwords or personal identification numbers (PINs) should be used when accessing an account online. Your password should be unique to you and you should change it regularly. Do not use birthdates or other numbers or words that may be easy for others to guess. Always carefully control who you give your password to. If you use a financial company that requires your passwords in order to gather your financial data, make sure you learn about the company's privacy and security practices.
General security for your personal computer, such as virus protection and physical access controls, should be used and updated regularly. Contact your hardware and software suppliers or Internet service provider to ensure you have the latest security updates.
Before you order a product or service online, make sure you are comfortable with the reputation of the company making the offer. Only then should you give out your credit card or debit card number. Never give these numbers unless you initiated the transaction.
Due to Microsoft’s termination of support for systems that do not support TLS 1.2, we advise you to upgrade your OS version or browsers to help ensure that you do not experience unnecessary service interruptions. If you are unable to connect using TLS 1.2 you may receive a connection error. Please upgrade to a supported version to be able to connect using TLS 1.2. Contact the bank if you need assistance.
By operation of federal law, beginning January 1, 2013, funds deposited in a noninterest-bearing transaction account (including an Interest on Lawyer Trust Account) no longer will receive unlimited deposit insurance coverage by the Federal Deposit Insurance Corporation (FDIC). Beginning January 1, 2013, all of a depositor’s accounts at an insured depository institution, including all noninterest-bearing transaction accounts, will be insured by the FDIC up to the standard maximum deposit insurance amount ($250,000), for each deposit insurance ownership category.