With increased online banking access comes the risk of your business’s information being compromised through cybercrime. Cybercrimes are not new; cyber-criminals employ various technological and non-technological methods to manipulate or trick you or other victims into divulging your personal or account information.
Modern cybercrime is about money. Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and potential monetary losses.
What Can You Do?
Having protection software is only half of the equation. No single layer of protection is enough; you need a layered security approach, especially when employees are engaging in risky or potentially unsafe behavior online. The best practices outlined here are intended to raise your awareness of ways to help protect, detect, and educate business employees on today’s online risks.
Much of the information is based on the extensive experience and knowledge of our security teams.
Secure your Business’s Network of Devices
Dedicate a Device:
Minimize the number of, and restrict the function for, computer workstations and/or devices that are used for online banking and payments
Consider using a stand-alone device that isn’t connected to your network to perform your online banking transactions.
Individuals accessing online financial services should not use the same password.
Do not share devices for accessing financial services. Sharing a computer that has become infected places the login and transaction credentials of all users of that computer at risk of theft and unauthorized use.
A workstation used for online banking should not be used for general web browsing, e-mailing, and social networking.
Install and maintain real-time anti-virus, anti-spyware, firewall, and malware detection and removal software.
Use these tools regularly to scan your business network and allow automatic updates for your operating and software systems.
Ensure that every computer that accesses Comerica Business Connect has the Rapport software from Trustee downloaded onto it and the maximum protection settings are selected.
Do not ignore warning messages from security software that a potential virus has been detected. Take immediate action.
Firewalls – Install this hardware on your network to prevent unauthorized access and create a strong password.
Have a contingency plan to recover files on your business computers that were lost due to a catastrophic system/hardware failure. What if there is no preservation of data and everything was erased?
Develop a scheduled weekly or daily plan to back-up important business files and secure the back-up disks or external hard drives.
Don’t forget to test your plan and verify your data will be restored.
Do not use public Internet access points (e.g., Internet cafes, public Wi-Fi hotspots such as airports and government buildings) to access accounts or sensitive business information.
If this type of access is needed, employ a Virtual Private Network (VPN) and make sure your transmissions are encrypted.
User IDs, Tokens and Passwords – Do not share your secure User ID and password with anyone, even with a co-worker. Comerica will ask for your User ID when you initiate a call, but Comerica will never ask for your password.
Make sure key employees have a trained backup in the event of an absence, who have their own ID and password available to continue banking business as usual.
Don’t forget to delete employee IDs and passwords when they leave the business or change responsibilities. Regularly review an active access list and determine any changes to privileges that may be needed.
Create strong passwords, not something that is easily guessed. Try using a phrase with special characters and numbers.
Change your passwords periodically.
Dual Control creates safety checks – Initiate ACH and wire transfer payments under dual control using two separate computers. For example: one person authorizes the creation of the payment file and a second person authorizes the release of the file from a different computer system.
Note: This helps ensure that one person does not have the access authority to perform both payment functions. Additionally, dual control will ensure that one person cannot give themselves additional authority, or create new user IDs.
Block Sites – Consider enlisting the help of an Internet service to automatically block sites that employees do not need to access for business purposes (i.e., social networking sites, blogs, instant messenger, and free software sites) to reduce the risk of downloading malware or spyware. Look to disabling full internet access completely on sensitive systems if possible.
Monitor and reconcile your accounts regularly – The quicker suspicious activity is detected, the sooner you can take action to prevent or minimize losses.
Note: If you detect suspicious activity, immediately call Comerica to report the suspicious activity.
Note any changes in the performance of your computer/device:
Significant loss of speed
Computer “locks up” so the user is unable to perform any functions
Unexpected rebooting, restarting or the inability to shut down
Unexpected request for a one-time password, token, or other information in the middle of an online session
Ask questions – Comerica is here to help. Use the relationship services phone number at 800.852.3649 to speak with a trained product specialist from 9:00 a.m. to 7:00 p.m. ET.
Take the Business Connect online tutorials and view the online Resources located on the home page of Business Connect. This area contains a wealth of knowledge, especially for new users.
Be knowledgeable about the online services you use and how they look and work. Call your service provider if you are suspicious about any request you receive for login or personal information that is generally confidential, and if something looks or performs in an unusual way.
Continuously educate employees – Cybercrimes are constantly changing, so software and fraud prevention solutions have to change as well to stay ahead of the game.
Be Cyber Savvy – Don’t view or open attachments or click on links in unsolicited e-mails. Financial institutions and government agencies do not contact customers by e-mail or phone asking for passwords, credit card numbers, or other sensitive information. This is also true if you are contacted from an apparent legitimate source (such as the IRS, Better Business Bureau, Federal courts, UPS, etc.)
Report suspicious activity – Make sure your employees know how to report suspicious activity within your company and to your financial institutions.