How can you protect your business from ID Theft?
General Business Practices
- Contact your IT Department or IT consultant/vendor and evaluate where your systems are exposed to risk. Follow their advice to protect your system or individual computer from being used to perpetrate a fraudulent transaction.
- Talk to your insurance provider about adding a cyber insurance rider or similar rider to your business insurance policy.
- Reconcile your banking transactions daily and look for unusual small amounts such as penny transactions. This may be an indication that your account has been compromised and a fraudulent plan is in progress.
- Never access bank, brokerage or other financial services information at internet cafes, public libraries, etc. Unauthorized software may have been installed to capture account numbers and sign-on information, leaving you vulnerable to fraud.
- Immediately escalate knowledge of any suspicious transaction to the Bank, particularly if these transactions are ACH, RDC, Mobile Banking or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent or minimize further loss.
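As an added example (not from the original page), the following Python check applies the reconciliation advice above to a constructed one-day account export: it flags sub-dollar "penny" entries and ACH/wire debits to payees that are not on a known list, so they can be escalated the same day. The export format, the payee list and the thresholds are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample of a one-day bank export: date,type,direction,counterparty,amount
SAMPLE_EXPORT = """\
2024-03-04,ACH,credit,VERIFY-DEPOSIT 0932,0.03
2024-03-04,ACH,credit,VERIFY-DEPOSIT 0932,0.12
2024-03-04,ACH,debit,ACME OFFICE SUPPLY,412.55
2024-03-04,WIRE,debit,UNKNOWN RECIPIENT LLC,9850.00
2024-03-04,CHECK,debit,CITY WATER UTILITY,88.10
"""

# Payees the business has actually authorized (assumption: maintained by finance staff)
KNOWN_PAYEES = {"ACME OFFICE SUPPLY", "CITY WATER UTILITY"}
PENNY_THRESHOLD = Decimal("1.00")              # the "penny transactions" the page warns about
FAST_RAILS = {"ACH", "WIRE", "RDC", "MOBILE"}  # rails with a limited recovery window

@dataclass(frozen=True)
class Txn:
    date: str
    kind: str
    direction: str
    counterparty: str
    amount: Decimal

def parse_export(text: str) -> list[Txn]:
    """Parse the simple comma-separated export into Txn records, skipping blank lines."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, kind, direction, party, amount = line.split(",")
        txns.append(Txn(date, kind.upper(), direction.lower(), party.strip(), Decimal(amount)))
    return txns

def flag_suspicious(txns: list[Txn]) -> list[tuple[Txn, str]]:
    """Return (transaction, reason) pairs that deserve same-day escalation to the bank."""
    flagged = []
    for t in txns:
        if t.amount < PENNY_THRESHOLD:
            # Tiny credits are a classic sign that someone is testing control of the account
            flagged.append((t, "small-amount transaction"))
        elif t.kind in FAST_RAILS and t.direction == "debit" and t.counterparty not in KNOWN_PAYEES:
            flagged.append((t, f"{t.kind} debit to unrecognised payee"))
    return flagged
```

Run `flag_suspicious(parse_export(SAMPLE_EXPORT))` against a real export after adapting `parse_export` to the bank's column layout.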
ID and Password Practices
- Change passwords at least every 90 days and every time an employee leaves the company.
- Create a strong password with at least 10 characters that includes a combination of mixed case letters, numbers, and special characters.
- Ensure that your account information and security responses are not written where they can be seen or accessed by others. If the information must be written down, it should be secured under lock and key when not being used.
- Never share your User ID, password or other security device information with anyone for any reason. If it is compromised, contact us to have the ID and/or password/device disabled or reset or security device replaced.
- Secure your computers with a password-protected screensaver that has a timeout feature activated after no more than 15 minutes.
- Avoid using an automatic login feature that saves usernames and passwords for Internet banking and other business-related web sites.
Operating System Protection
- Ensure that you have current anti-virus and anti-spyware products to protect yourself against malicious software that is created for the specific purpose of gathering information such as your User ID, password, and other critical information that may be stored on your computer.
- Ensure that you have a patch management solution that keeps your computer software current and can further mitigate new vulnerabilities to which your computer may have been exposed.
- Install a dedicated, actively managed firewall, especially if you have a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and to computers.
- Practice safe internet use. Never click on pop-up messages or links to applications contained in emails. Get into the habit of manually entering the address of any site linked in an email rather than clicking the link.
- Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes and similar information.
- Use caution when opening attachments and ensure they were sent from a trusted source.
- Consider designating a "locked down" PC to accommodate only your Internet banking transactions and related Internet banking services. This computer should not be used for email or any other internet activities. This precaution should minimize the opportunity to download malware.
Protect Personal Information Offline and Online
- Limit customers and vendors to designated public areas. Limit access to documents and files that contain personal information to key managers who need it.
- When an employee leaves, immediately remove their access to computer networks and confidential files. Verify third party requests for personal information to make sure they have a legitimate purpose for obtaining the information. Verify third party practices for securing your personal information.
- Put security procedures in place for documents that contain personal identifying information. Keep documents with personal information in locked file cabinets. At a minimum, make sure that all vital records and offices are locked during non-business hours. Regularly brief employees and management about security policies, security threats and how to report a problem.
- Set up policies to address the use of social media sites. Personal information that is placed on various social media sites can be easily searched by hackers to find out passwords and answers to employee security questions.
- Understand how GPS settings on your mobile devices and tablets affect your social media profiles. If the GPS function is enabled, your posts may reveal that you are away on vacation or out of the office, making you a target for hackers.
Risks and Controls
- Perform a periodic risk assessment and controls evaluation to identify IT strengths and vulnerabilities.
- Evaluate your current business practices and internal controls involving IT and personal computer operating environments. Determine which risks are acceptable and document them. Mitigate any risks you deem unacceptable (e.g., the risk of losing financial or business data).
- Train your employees on acceptable and unacceptable risks. Provide oversight of your employees to verify that their activities are in line with stated processes and operations.
Corporate Account Take Over (CAT)
What is CAT?
"Corporate account takeover" is when cyber-thieves take control of a business' bank account by stealing online banking credentials of employees at a business. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business' computer workstations and laptops.
A business can become infected with malware via infected documents attached to an e-mail or a link contained within an e-mail that connects to an infected web site. In addition, malware can be downloaded to users' workstations and laptops by visiting legitimate websites - especially social networking sites - and clicking on the documents, videos or photos posted there. This malware can also spread across a business' internal network.
How to Prevent CAT?
Using commercially reasonable and sound business practices can help prevent your business from being a victim of Corporate Account Takeover.
- Utilize layered security (such as Security Questions and Tokens).
- Educate yourself and your employees who utilize Online Banking. Stay informed and up to date!
- Restrict your employees' internet use to known/safe websites.
- Ensure each user has their own set of computer credentials and do not share credentials once established.
- Consider utilizing a standalone PC that is only used for Online Banking purposes.
- Make sure you have current/updated Anti-Virus and Anti-Malware software installed and in use.
- Develop company policies and procedures that deal specifically with Cyber/Data security.
- Keep them updated as technology changes and new threat information becomes available.
- Utilize Dual Control to mitigate risks and make it more difficult for cyber-thieves to get multiple credentials, etc.
- Be sure you are reconciling your statements each day to check for suspicious or fraudulent activity. Report any suspicious activity as soon as possible.
- Utilize the resources at your disposal. Ask your bank representative if you would like more information.
- Ensure each user has their own set of Online Banking credentials and do not share credentials once established.
These are only a few ways you can prevent being a victim of Corporate Account Takeover. See below for more information on how you can better protect yourself and your business. For more information contact your local TrustAtlantic branch or visit: https://www.nacha.org/content/corporate-account-takeover-resource-center