Fraud Protection Best Practices
Fraud can impact virtually anyone and any business. Based on your role in your business organization, here are some tips to reduce your risk and better protect your identity, accounts and online activities.
Transaction Originators or Approvers
Have a healthy suspicion of, and independently confirm, any request for confidential information or sending of funds. Always verify any request by calling the company or person, using a telephone number that you know to be real, and not one provided in an email or call. Never reply to the same email address from where the request originated or you end up communicating with the fraudster. Even when the request is urgent, take the time to confirm sensitive requests with known people and entities, through an independent method.
Be wary of an email that doesn’t “sound like” other emails you have received from your CEO or other company executive, or that doesn’t look like the typical emails from a vendor or bank, or that requests an outgoing funds transfer that falls outside of your company’s standard practices for such requests.
Carefully check the email domain portion of an email sender’s address – the portion between @ and .com (or .net, etc.) - for any replacement characters, such as 0 (zero) instead of the letter O or l (lowercase letter L) in place of I (uppercase letter I). Keep in mind that many other character replacement variations are commonly used. Even requests from domains that appear to be legitimate should be independently confirmed with the requestor.
Guard your financial or other account information. Don't provide it to anyone unless there is a legitimate reason to do so as part of a transaction, and only after you’ve confirmed this with the requestor.
Confirm any request for change to a vendor’s payment information, or for an unusually large payment amount, or outside the normal payment cycle by phone call to a known vendor representative.
Require high-dollar invoices received electronically to be authenticated by phone call to the vendor prior to payment. For those received by mail, authenticate by phone or email. Communicate only to the phone numbers, email addresses and contact names in your master vendor files.
Pay attention to unusual circumstances and "red flags,” such as a vendor using an atypical communication channel or a different individual making the request than your company normally deals with or who seems to be new to the vendor.
If you use a free email service for your business (such as Hotmail®, Gmail®, Yahoo®, etc.) make sure no confidential information is stored in contact records or saved messages. Alternatively, consider upgrading to a secure email system.
Implement Positive Pay fraud prevention services for checks or ACH. These services prevent counterfeit checks or unauthorized ACH transactions from posting to your account. For more information about these services, call us at 1-800-255-6190, or e-mail us at firstname.lastname@example.org.
Establish dedicated computers for accessing online banking. These computers should not be utilized for accessing email or non-banking websites. Use separate computers to initiate and authorize transactions.
Do not use public computers or public Wi-Fi hotspots to access your online banking
Store blank check stock and cancelled checks in a secure location and limit access to only specific employees authorized to handle check payments.
Keep outgoing checks in a safe place prior to mailing, and use a locking mailbox or P.O. Box for incoming mail.
Review and reconcile account activity daily. The passage of time might adversely affect the potential recovery of a fraud loss or the outcome of a customer claim.
CoBank's Positive Pay service helps protect against the payment of altered and counterfeit checks. In the "standard" Positive Pay approach, a customer uploads an electronic file with issued check information to CoBank each day. As checks clear, CoBank matches them to issued check records by date, check number and amount. There is also an option to match check payee names. Any mismatches are identified as exceptions for the customer to review and decision online before the daily deadline. "Reverse" Positive Pay is an alternative for customers not able to upload check issue files. This service provides the customer with online images of all checks clearing each day. The customer reviews the images and indicates the decision to "pay" or "return" each item.
Consider using alternative payment methods such as wire transfer or ACH instead of checks. These types of electronic transactions are cost-effective, efficient and much more secure than traditional checks. CoBank also offers an ACH Fraud Control Service for cash management customers.
Account Activity Reviewers
Review your account activity and reconcile your financial transactions on a daily basis so you can identify any unauthorized or unusual payments and take immediate action. Immediately notify CoBank of any unauthorized transactions by calling 1-800-255-6190.
Cash Management customers, in particular, have an obligation to monitor their transaction clearing accounts on a daily basis. Transaction clearing accounts are different from other types of accounts, such as demand deposit accounts at commercial banks. Transaction clearing accounts are generally used to disperse loan funds and to make loan payments. They are not insured by the Federal Deposit Insurance Corporation, the Farm Credit System Insurance Corporation or any other government entity, so ongoing diligence is critical.
Regularly review who has online access to your accounts to ensure authorized users are current.
Computer or Mobile Device Users
Never disclose via text message, phone call or email your personal or financial information, including account numbers, passwords, Social Security number or birth date.
Be suspicious of any emails that claim to be from a financial institution – including CoBank – a government agency or other entity, that request account information or verification of account or login credentials such as user names, passwords, personal identification number (PINs), etc.
Be wary of emails with links or attachments requiring you to change or verify your account information, as they often contain malicious code that could expose your company's login and account credentials to fraudsters.
Be wary of odd, strangely worded or unexpected emails from friends and acquaintances, or business emails that contain misspellings or grammatical errors. This may indicate that the impersonated email account has been compromised.
If you are suspicious of an email request, call the company using a publicly available phone number, not one provided in the email, to verify the request. If you use the contact information provided in the email, the fraudster might reply that the message is safe.
Use complex passwords consisting of upper- and lower-case letters, numbers and special characters; do not use names and special dates that may be known or determined by others.
Do not write down or share your password with anyone, and do not allow your browser or other password tools to store and automatically populate your password on your banking websites. Passwords stored in tools that automatically populate fields on websites could allow a malicious user to recover your password.
Protect your answers to security questions. Select questions and provide answers that are easy for you to remember, but hard for others to guess. Avoid choosing questions for which the answer can be discerned via social networking sites or public websites such as Facebook and LinkedIn.
Use distinct passwords and security questions for each application or website you access. This will help mitigate the potential for all of the systems you access from becoming compromised if the password for a single site or application is disclosed.
Be selective of the information you post on your business and personal social media sites.
Do not use public computers to access your online banking account or other sites that have sensitive information.
Do not click on links or open attachments in emails or text messages from unknown sources.
Implement web filtering (content filtering) to block access to websites known or suspected of being compromised or spreading malware.
Secure Your Computer
- Install and maintain antivirus and firewall software on all computers and mobile devices.
- Ensure your antivirus software is updated on a regular basis. Most antivirus software can be configured to automatically update on a weekly or daily basis (or even more frequently).
- Run anti-virus software in active or real-time scanning mode. This allows the software to actively scan all incoming messages, files or websites being accessed to identify and prevent malicious content from running on your computer.
- Run a full or comprehensive antivirus scan on a regular basis. These scans may detect viruses or other malware that is missed by real-time scanning.
- Set your computer to automatically install operating system and software updates and patches. A fully updated and patched system is less susceptible to becoming infected with malware.
- Take note of unusual behavior, slowness, pop-up windows or other unexpected changes. If these are noted, have a comprehensive scan run against the computer with fully updated antivirus software. Do not access sensitive systems, websites or other applications until the computer has been verified to be safe.
- Do not access your computer with an Administrator (Admin) or Power User level account for daily use. Computers being run with general user level permissions are less susceptible to becoming infected with viruses, Trojan horses or other malware.
- Set your web browser to a higher level of security.
Secure Your Mobile Device
- Make sure your smart phone, tablet and other mobile devices are password protected.
- Download antivirus protection for your phone, tablet, e-reader or any other device that has mobile access to the Internet.
- Do not bypass limitations set by your carrier or device manufacturer by rooting or jailbreaking your mobile device, which can remove the built-in protections to defend against mobile threats.
- Beware of everything you download onto your device, including applications. Only use reputable application markets. Verify the permissions the application requests to ensure they are appropriate for what the application is meant to do.
Train all of your employees – not just those with online banking access – to be cautious when clicking on web links or attachments in company emails. Personal emails sent to an employee's company e-mail address, or emails accessed through a public domain email server using a company computer also pose potential threats.
Educate your employees on how to spot fraud scams. Encourage them to verbally confirm any unusual email request for an outgoing wire transfer, even if it appears to be from a company executive.
Strong internal controls are a critical component in preventing fraud. Best practices include:
- Separate duties in the accounts payable and payments disbursement processes to provide multiple checkpoints for identifying unauthorized payments. More than one employee should be involved in the processes of approving payments, generating checks or ACH payments, signing/approving checks and sending payments.
- Implement a two-touch process for approving payments. Each approver should have a strong knowledge of the accounts payable process and the company’s vendor/payments universe. Their knowledge should include what constitutes typical vendor or outgoing payments behavior in order to identify - and escalate – any anomalies.
- Require verbal (phone or in person) confirmation of any internal request for an outgoing payment to a new recipient/vendor, or to a new bank account number of an existing recipient/vendor. Individuals’ personal email accounts can be easily hacked or spoofed, and the fraudster is relying on your employee not questioning or verifying the request. It’s critical that this confirmation be verbal, not by email, because you may in fact be communicating with the fraudster.
- Consult with your end-user services department or IT provider on ways to strengthen your Internet/technology infrastructure to inhibit MITB attacks and other outside threats.
- Ensure that all company computers are running firewall and antivirus software that is updated and checked for security patches regularly. Updates should be run at least weekly, using the software's automatic update feature takes care of this important task.
- Implement a process to immediately remove departing employees’ access to sensitive and password-protected areas and information, especially online banking. A full audit of employee online and sensitive system access should be conducted at least twice per year.