By Sarah Grooms, Senior Vice President, Regional Head of Treasury Management Sales
Cybercrime is nothing new. However, with the sudden need to implement unprecedented work-from-home strategies, combined with the economic downturn COVID-19 has caused, we’re seeing a drastic increase in the number of fraudulent attacks, especially against small businesses. Rapid changes in work environment and new processes quickly put in place may leave you unprepared to fight cyber criminals. Learn how you can combat these attacks and empower your employees to do the same.
The last few months have proven that we can accomplish so much more than we ever thought possible while working remotely. Task-oriented work especially, such as daily online banking, has a myriad of online and app solutions that make work from home—or anywhere—not just a reality but the new normal.
Unfortunately, with access to this great technology also come additional fraud attempts, especially in an economic downturn. Criminals are always looking for a leg up on businesses of all sizes, but especially target small businesses that tend not to have the technological resources and large accounting teams a big company can afford.
How do you protect your company while also protecting your employees from the pandemic and allowing more to be done away from the office? Here, we look at a three-pronged strategy to keep your company’s funds and systems as safe as possible, most of which comes at little to no cost!
Online banking tools
For some time now, banks have offered tools like Positive Pay to protect your check writing efforts and prevent those attempting to duplicate your checks. ACH Positive Pay also provides a measure of protection against those who would debit funds from your account that you did not authorize. Very briefly, here is how these two low-cost tools work:
Payee Positive Pay protects your check writing efforts and prevents attempts to duplicate your checks. It compares checks presented for payment against issued check information you provide via online banking. The system then identifies discrepancies, such as mismatched payees, check numbers, or dollar amounts. When an exception occurs, your accounting team is notified in order to review the check, determine if a fraud attempt has been made, and indicate whether or not the check should be paid. By default, checks that are not decisioned prior to the cutoff time will be returned; if a returned item was actually correct, it’s much easier to wire funds tomorrow than to try to get them back!
ACH Positive Pay provides a measure of protection against those who would debit unauthorized funds from a checking account. Based on filters the company establishes, the bank system scans your non-originated, outgoing ACH debits and automatically returns any unauthorized entries to the source. With ACH Positive Pay, you have control, and this quick rejection of unauthorized items ensures that returns are processed in line with federal ACH regulations and timeframes.
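The Payee Positive Pay matching described above can be sketched in a few lines. This is an added illustration, not the bank's system or code from the original article; the record layout, the names, the sample checks, and the duplicate-presentment check are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: int
    payee: str
    amount: Decimal

def norm_payee(payee):
    # Ignore case and spacing differences when comparing payee names.
    return " ".join(payee.upper().split())

def find_exceptions(issued, presented):
    """Map presented-item index -> reasons it failed to match the issued file."""
    register = {c.number: c for c in issued}
    seen, exceptions = set(), {}
    for idx, item in enumerate(presented):
        reasons = []
        match = register.get(item.number)
        if match is None:
            reasons.append("check number not issued")
        else:
            if norm_payee(item.payee) != norm_payee(match.payee):
                reasons.append("payee mismatch")
            if item.amount != match.amount:
                reasons.append("amount mismatch")
            if item.number in seen:  # assumption: same number presented twice
                reasons.append("duplicate presentment")
        seen.add(item.number)
        if reasons:
            exceptions[idx] = reasons
    return exceptions

def decide_at_cutoff(exceptions, reviewed):
    """Apply reviewer decisions; undecided exceptions default to 'return'."""
    return {idx: reviewed.get(idx, "return") for idx in exceptions}

# Constructed sample data (not real checks).
ISSUED = [Check(1001, "Acme Supply Co", Decimal("1250.00")),
          Check(1002, "Northside Freight", Decimal("480.75")),
          Check(1003, "City Utilities", Decimal("312.40"))]
PRESENTED = [Check(1001, "ACME  SUPPLY CO", Decimal("1250.00")),     # clean
             Check(1002, "Northside Freight", Decimal("4800.75")),   # amount altered
             Check(1003, "City Utilities Dept", Decimal("312.40")),  # payee differs
             Check(1001, "Acme Supply Co", Decimal("1250.00")),      # presented again
             Check(2044, "Acme Supply Co", Decimal("900.00"))]       # never issued

if __name__ == "__main__":
    exc = find_exceptions(ISSUED, PRESENTED)
    for idx, decision in decide_at_cutoff(exc, {2: "pay"}).items():
        print(PRESENTED[idx].number, exc[idx], decision)
```

In the sample run the reviewer approves only the payee-name exception; every other exception is returned because nobody decisioned it before cutoff.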
Additionally, other tools like online banking alerts via email or text message are a customizable, free method to provide great insight into and warnings on your account activity, and can be set up by user so that each employee can monitor what is most important to them on behalf of the company.
Fighting new-age fraud attempts
While the online banking tools above are incredibly useful, newer schemes can get around them by bypassing the bank’s fraud controls entirely and instead attacking a company’s accounting and email systems directly. In some of the more sophisticated methods, criminals gain access to C-suite email accounts, impersonate those executives, and direct those within the company to either wire or ACH funds out. Alternatively, criminals impersonate suppliers and direct accounting personnel to change vendor information so that ACHs or wires are sent to the criminal’s account instead of the correct one. Only when the real supplier starts to ask about your missed or delayed invoice payments do these schemes finally surface. By that time, the funds are typically overseas or otherwise spent, and the company could be looking at a large loss as the funds are still owed to the true supplier.
To combat this type of fraud, always encourage the finance team to double check payment instructions that come via email. Allow for and even encourage suspicion and questioning if something seems out of the ordinary. Put internal passwords or codes in place, and make it a mandatory policy to confirm vendor payment changes via phone with a known individual at that vendor or supplier requesting the change. Finally, please discuss cyber-fraud insurance policies with your corporate insurance provider. These types of coverages have become much more affordable and broad-based as more companies have entered that specific policy market.
All of that said, how did the criminal get into the system in the first place, and how does a company proactively prevent this?
Additional security measures
The internet makes it convenient for businesses to ensure work goes forward during the pandemic but has also emboldened cyber thieves to take advantage of remote workers even more than when we were all in the office together. Renewed education and proactive measures are the best defense against an attack on your company’s online and systems security.
We all know the basics: Don’t open emails from unknown sources or click on unknown links. Don’t install software from unknown sources or unknown websites. Don’t make payment decisions based on mobile versions of emails. Do use complex passwords and change them often. Do restrict access to sensitive data. But, we can no longer stop there.
Companies also have to consider that data and systems protection are worth the incremental IT cost to make sure things can keep running smoothly, especially remotely. The reputational damage of a data hack, or the potential loss of customer and financial records entirely due to a ransomware attack, is very hard to estimate and absolutely miserable to work through when it occurs.
Consider VPN connections (bonus points if they’re tokenized!) for all remote employees, particularly those who access financial data and systems. Install personal and enterprise firewalls with web filtering software. Keep those rules and lists updated and mandate that security patches are kept current. Consider requiring unique user IDs and credentials when working with sensitive accounts and critical systems. Additionally, put policies and required learning in place to which employees must attest, stating they understand the severity and consequences of these fraud events should it be found they were the cause of the system breach. These next-level tools are a great starting point for keeping the criminals at bay.
Final thoughts
Will all of this guarantee that your company never has a fraud attack? I wish there were absolutes like that in life, but unfortunately, with the speed of change online, no one can provide that guarantee. We can’t stop the attempted fraud that is out there, nor the uptick due to the economic hit we’ve taken. However, by putting all of these practices, tools, and policies in place, you can make your company a very hard target.
This article was written by Sarah Grooms, Senior Vice President, Regional Head of Treasury Management Sales.