CEOs have long worried about financial losses from stolen or forged checks, so most executives have taken steps to prevent those types of losses by keeping checks in locked drawers and creating procedural safeguards. But with the advent of online banking and electronic financial services, today’s criminal is more likely to enter your company through cyberspace than the front door.
Phishing, a form of online identity theft that uses both social engineering and technical subterfuge to steal personal data and account information from users, can be hard to distinguish from legitimate communications from a banking institution. In some cases, bank and credit card brands are hijacked and used as part of phony e-mail schemes; the Anti-Phishing Working Group (APWG) reported the hijacking of more than 178 brands during November 2007. These two examples are only the tip of the modern-day fraud iceberg.
“There’s been a big increase in counterfeit items because of desktop publishing technology that allows hackers to replicate and print any company’s checks anywhere in the world, once they’ve stolen the information,” says Terry Akin, vice president and regional risk manager for Fifth Third Bank.
Smart Business spoke with Akin about how executives can protect their company’s assets.
What are other modern fraud techniques?
Anyone inside or outside your company has the ability to transfer funds to his or her personal accounts if he or she has the password and the signature information for your business accounts. Today, more companies wire money between accounts online through the use of a PIN by designated users, so the theft opportunities are greater. Some perpetrators use malicious software that downloads onto your desktop and secretly captures the information needed to access your accounts during transactions, or they steal the information by sending an e-mail from someone who appears to be your banker requesting the information.
What are some preventive measures?
First, keep all personal and business account information secured by locking up checks, codes, passwords and account statements and limiting the number of people who can sign checks. Also, make sure that users log out of computers when they are away from their desks, create a policy that passwords should never be stored in the computer’s cache and instruct staff not to respond to any e-mail request for bank account information. Requiring dual signatures, especially on large checks, is an excellent idea, as is segregating duties, so one employee can’t complete all the steps in a payment transaction. Certainly, audits are a necessary part of a good prevention structure, as is entering dummy transactions into the system from time to time to see if they are discerned during the accounting process.
What security measures should the bank provide?
Many banks offer their business customers a security system called positive pay. Traditional positive pay is a system where banks verify checks presented for payment against a list of issued checks previously submitted by the company. There’s payee positive pay, which involves comparing the image of the payee name on the check to the payee name included on issue information provided to the bank.
Most financial institutions offer enhanced authentication procedures that require the person logging in to prove who he or she is, usually by asking a series of questions whose answers are known only to the user. In addition, there are other bank security measures available to business clients; one such system reviews banking activity electronically and generates exceptions that are kicked out for human review. Often, the banking relationship manager is familiar with the client’s typical transactions and can place a call to verify authenticity if the transaction seems out of the norm. Also, banks that specialize in business relationships will often customize review processes and authentication procedures based upon the customer’s request, and CEOs should alert their personal bankers to business changes.
How can CEOs protect data stored externally?
Today, more people are using laptops instead of desktops, which poses a unique security challenge, simply because someone breaking into your company can remove a laptop more easily than a desktop. More employees use laptops in remote locations away from the protection of the office environment and network security systems. Be sure to have a policy about what information can be stored on laptop hard drives and require that laptops are locked up when not in use. It’s not a good idea to have any accounting or banking information stored on laptop computers.
Last, be aware of the threats posed by wireless networks. Without an appropriate firewall, wireless networks may launch the company’s financial transactions into cyberspace where anyone can grab the information, access the account and transfer the funds.
TERRY AKIN is vice president and regional risk manager for Fifth Third Bank. Reach him at (615) 687-3104 or firstname.lastname@example.org.