Focus on Security

Data Security: Protect Your Business from Fraud

Cyber thieves target businesses through phishing, phone calls, social networks, texting scams and malware. Businesses are always at risk. Peak vulnerabilities can exist just before a holiday, when key employees are on vacation, when a business office is relocating or when new computer equipment is installed. The vast majority of cyber thefts begin with compromising the computers of business account holders.

Tips to Keep Your Business Safe Online

Provide internet and email security training for all employees.
Usernames and passwords should be kept confidential. Passwords should be complex and changed often.
Verify computers have updated anti-virus and anti-malware program(s).
Remove online user accounts as part of the exit procedure when employees leave the company.
Don't click on links or open attachments in unexpected emails, even from known senders.
Be suspicious of any email asking for personal information including: account numbers, account verification, usernames, passwords, or any personal information.
Log off computers when not in use. Never leave workstations unattended while computers are logged in and vulnerable.
Don't use public WiFi or other unsecure network connections to access online services.
Using a computer dedicated for online transactions can limit the possibility of viruses and malware. This dedicated computer should not be used for standard web browsing or have access to email.

Tips to Improve Security

Perform an internal business risk assessment that includes the business processes used to initiate financial transactions.

Make sure all workstations are using supported operating systems (Windows 7 is no longer supported).

Review account balances and transactions regularly (daily is preferred). Report any suspicious activity to Central Bank immediately.

Use Positive Pay, a Business Online Banking service, to help identify check and ACH fraud.

Maintain rotational backup copies of business systems offsite and disconnected from the business network when not in use.

Implement mandatory dual control for ACH and wire transactions. When two users are required to process transactions, the frequency of fraudulent transactions decreases substantially.

Take advantage of system alerts: balance change, transfers, password change, ACH and Wire.

ACH and Wire transaction limits are valuable safeguards for online accounts. Please review these limits at least annually to make sure they're appropriate.

Disable user accounts for employees on extended leave.

Business Email Compromise Scams Are on the Rise

Business email compromise (BEC) is a sophisticated and increasingly common scam targeting organizations of all sizes.

What is it?

A BEC attack happens when a fraudster obtains access to a business email account and replicates the owner's identity to defraud the company, its employees, customers and partners.

Central Bank’s VP of Security and BSA explains how a BEC attack can occur:

The most popular way hackers gain access to company networks and individual PCs is when an employee clicks on an unsafe link within an email message. This simple and, often, automatic reaction can give hackers access to all computer programs and files. It allows them to take control of email settings, read all incoming and outgoing messages and set up folders only accessible to the fraudsters.

After they’re in control, hackers can monitor emails and identify upcoming financial transactions like an invoice to be paid by an ACH or wire transfer payment. Hackers can mimic the appearance of those familiar emails and send a follow-up email to inform the recipient that their banking credentials have changed, “We have a new bank! The new routing number is _ and our new account number is _.”

What should I do if it seems suspicious?

STOP. If you receive an email similar to this scenario, immediately call the invoicing company to verify the changes. DO NOT SEND ANY FUNDS until you can verify the change in bank information is, without a doubt, legitimate.

It’s important that you call the company rather than emailing them. Fraudsters can intercept email chains and reply that the changes are correct, leading to funds getting in the wrong hands.

How can I protect myself?

Follow these tips to avoid a BEC attack at your business:

Enable multi-factor authentication for your email system.
Use strong passwords. Don't use the same password for different systems. If one system gets compromised, hackers can easily gain access to other systems.
Office 365 encourages customers to prohibit automatically forwarding emails to external domains. Although this sounds simple, it's an excellent way to block hackers from gaining access to incoming mail.
Scrutinize emails. Scammers know how to make an email look like it’s sent from a recognized business or someone familiar to you. If you receive an unexpected email, check the reply address to make sure it originated from a legitimate email address.
Don't reply to emails requesting personal or confidential information.
Don’t click links or download attachments from emails.

What should I do if I fall victim to BEC?

If your company has sent funds through fraudulent information, immediately take the following steps:

Call your bank and inform them of the transactions.
Contact the police department.
Visit www.ic3.gov and file a complaint. The site is monitored 24/7 by FBI agents. When completing the form, fill out all requested information and state if the funds were sent to a foreign bank or a bank in the U.S. Submit and print your form, and document any file numbers provided to you.

Reach out to your local banker if you have any questions regarding a BEC attack or other financial scam. We’re here to help!

Corporate Account Takeover

How to Keep your Business Bank Accounts Safe

What is it?

When an unauthorized person maliciously takes over a corporate bank account, the event is referred to as a corporate account takeover (CATO). Once an attacker has access to an online account, they can often transfer funds or steal sensitive customer information.

How do attackers get my information?

Although this type of threat can originate from a complex security breach, more often the attacker relies on much simpler means to harvest a user’s login credentials. This deception can come in the form of spear phishing, credential stuffing (finding previously used passwords) or password spraying (trying commonly used passwords).

How should I protect my business?

Preventing CATO is the responsibility of both Central Bank and our customers. It requires a combination of training, technology, and good business policies. Recommended steps for Central Bank business customers include:

Performing a business risk assessment incorporating the processes used to initiate financial transactions.
Provide internet and email security training for all employees.
Require multifactor authentication to access both Online Banking and corporate email.
Usernames and passwords should be stored confidentially. Passwords should be complex (at least 12 characters with letters, numbers and symbols) and never used on multiple websites. Do not use automatic login features where usernames and passwords are automatically filled into a web browser without additional authentication.
Implement mandatory dual control for ACH and wire transactions. When two users are required to process transactions, the frequency of fraudulent transactions decreases substantially.
Take advantage of alerts: balance changes, transfers, password changes, ACH/wire processing and account maintenance (phone or email address changes).
Remove online user accounts as part of the exit procedure when employees leave the company. Disable user accounts for employees on extended leave.
Do not use public or other unsecure computers or network connections (Wi-Fi) to access online services.
Review account balances and transactions regularly (daily is preferred). Please report any suspicious activity to Central Bank as soon as it is identified.
Do not click on links in unexpected e-mails or open attachments in unexpected e-mails, even from known senders. Be suspicious of any email asking for personal information including: account numbers, account verification, usernames, passwords or any personal information.
Develop an incident response program. This should include procedures to follow and resources to contact in the event of a malicious security event.

Focus on Security

Data Security: Protect Your Business from Fraud

Best Practices for Businesses

Business Email Compromise Scams Are on the Rise

Corporate Account Takeover