
CEOs have long worried about financial losses from stolen or forged checks, so most executives have taken steps to prevent those types of losses by keeping checks in locked drawers and creating procedural safeguards. But with the advent of online banking and electronic financial services, today’s criminal is more likely to enter your company through cyberspace than the front door.

Phishing, which is a form of online identity theft that uses both social engineering and technical subterfuge to steal personal data and account information from users, can be hard to discern from legitimate banking institution communications. In some cases, bank and credit card brands are hijacked and used as part of phony e-mail schemes; the APWG reported the hijacking of more than 178 brands during November 2007. These two examples are only the tip of the modern-day fraud iceberg.

“There’s been a big increase in counterfeit items because of desktop publishing technology that allows hackers to replicate and print any company’s checks anywhere in the world, once they’ve stolen the information,” says Terry Akin, vice president and regional risk manager for Fifth Third Bank.

Smart Business spoke with Akin about how executives can protect their company’s assets.

What are other modern fraud techniques?

Anyone inside or outside your company has the ability to transfer funds to his or her personal accounts if he or she has the password and the signature information for your business accounts. Today, more companies wire money between accounts online through the use of a PIN by designated users, so the theft opportunities are greater. Some perpetrators use malicious software that downloads onto your desktop and secretly captures the information needed to access your accounts during transactions, or they steal the information by sending an e-mail from someone who appears to be your banker requesting the information.

What are some preventive measures?

First, keep all personal and business account information secured by locking up checks, codes, passwords and account statements and limiting the number of people who can sign checks. Also, make sure that users log out of computers when they are away from their desks, create a policy that passwords should never be stored in the computer’s cache and instruct staff not to respond to any e-mail request for bank account information. Requiring dual signatures, especially on large checks, is an excellent idea, as is segregating duties, so one employee can’t complete all the steps in a payment transaction. Certainly, audits are a necessary part of a good prevention structure, as is entering dummy transactions into the system from time to time, to see if they are discerned during the accounting process.

What security measures should the bank provide?

Many banks offer their business customers a security system called positive pay. Traditional positive pay is a system where banks verify checks presented for payment against a list of issued checks previously submitted by the company. There’s payee positive pay, which involves comparing the image of the payee name on the check to the payee name included on issue information provided to the bank.

Most financial institutions offer enhanced authentication procedures that require the person logging in to prove who he or she is, usually by asking a series of questions whose answers are known only to the user. In addition, there are other bank security measures available to business clients; one such system reviews banking activity electronically and generates exceptions that are kicked out for human review. Often, the banking relationship manager is familiar with the client’s typical transactions and can place a call to verify authenticity if the transaction seems out of the norm. Also, banks that specialize in business relationships will often customize review processes and authentication procedures based upon the customer’s request, and CEOs should alert their personal bankers to business changes.
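
The positive pay and payee positive pay checks described above, as an added example that is not from the article or from any bank's system. It assumes the issue file carries check number, amount and payee, that payee names are compared after a simple normalization, and it goes one step further by flagging a second presentment of the same check number; all sample checks are constructed.

```python
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str


def normalize_payee(name):
    """Uppercase, drop punctuation, collapse spaces (assumed matching rule)."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())


def positive_pay(issued, presented, check_payee=True):
    """Return (pay, exceptions); exceptions are (check, reason) for human review."""
    issue_file = {c.number: c for c in issued}
    paid, pay, exceptions = set(), [], []
    for item in presented:
        record = issue_file.get(item.number)
        if record is None:
            reason = "not in issue file"
        elif item.number in paid:
            reason = "duplicate presentment"
        elif item.amount != record.amount:
            reason = "amount mismatch"
        elif check_payee and normalize_payee(item.payee) != normalize_payee(record.payee):
            reason = "payee mismatch"
        else:
            paid.add(item.number)
            pay.append(item)
            continue
        exceptions.append((item, reason))
    return pay, exceptions


# Constructed sample data: the company's issue file and the checks presented.
ISSUED = [Check("1001", Decimal("2500.00"), "Acme Supply, Inc."),
          Check("1002", Decimal("780.15"), "Northside Electric"),
          Check("1003", Decimal("910.00"), "Riverbend Printing")]
PRESENTED = [Check("1001", Decimal("2500.00"), "ACME SUPPLY INC"),
             Check("1002", Decimal("7800.15"), "Northside Electric"),
             Check("1003", Decimal("910.00"), "J. Doe"),
             Check("1001", Decimal("2500.00"), "Acme Supply, Inc."),
             Check("4417", Decimal("1200.00"), "Acme Supply, Inc.")]

if __name__ == "__main__":
    for check, reason in positive_pay(ISSUED, PRESENTED)[1]:
        print(check.number, reason)
```

With `check_payee=False` the function behaves like traditional positive pay, and the altered-payee check 1003 is paid rather than flagged.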

How can CEOs protect data stored externally?

Today, more people are using laptops instead of desktops, which poses a unique security challenge, simply because someone breaking into your company can remove a laptop more easily than a desktop. More employees use laptops in remote locations away from the protection of the office environment and network security systems. Be sure to have a policy about what information can be stored on laptop hard drives and require that laptops are locked up when not in use. It’s not a good idea to have any accounting or banking information stored on laptop computers.

Last, be aware of the threats posed by wireless networks. Without an appropriate firewall, wireless networks may launch the company’s financial transactions into cyberspace where anyone can grab the information, access the account and transfer the funds.

TERRY AKIN is vice president and regional risk manager for Fifth Third Bank. Reach him at (615) 687-3104 or [email protected].