Fraud Risk & Prevention

Online Banking Fraud Prevention Controls:

The following recommendations are cyber security best practices that help reduce the risks associated with online banking.  Nothing can eliminate all of the risks; however, an informed and vigilant user is a key defense.

  • Log In and General Controls
    • Use multi-factor authentication provided with the Secure Sign-On service.
    • Confirm the last sign-on date shown on the Welcome page.
    • Do not use account numbers when providing nicknames for accounts.
    • Register your computers so you will not be required to answer the challenge questions on every login.
    • Limit where you log in: never at a public or unsecured computer.
  • Alerts
    • Remember to set and view alerts, and notify the bank if you don’t recognize the activity.  Alerts can be delivered to two separate email addresses, including devices that can receive an email.
  • Wire Controls
    • Wire security codes can be set up by the bank at a company level for each individual user.
    • Multiple approvals can be required for template setups and to send transactions.
    • Wire limits can be established at a company and user level.
  • ACH Controls
    • Daily limits can be set for ACH transactions by company and by account by service.
    • Pre-notes for new transactions can be required.
    • ACH history is available and should be reviewed on a regular basis.
    • Multiple approvals can be required on ACH template setups and file uploads.
  • Funds Transfer & Bill Payment
    • Dollar limits can be set.
    • Role-based access can be used to limit the number of users with approval authority.
    • History is available and should be reviewed on a regular basis.

Enterprise Recommendations:

  • Install a security software suite that includes antivirus, anti-spyware, malware and adware detection, from a reputable vendor.  Keep the software up-to-date through an automatic update feature and configure it to perform recurring, automated complete system scans on a routine basis.
  • Routinely install all new software and hardware patches or use the automatic update feature when available.
  • Use a dedicated computer for all online transactions and implement white listing methods to prevent the system from going to any site/address that does not have a documented business need.
  • Educate users on good cyber security practices to avoid having malware installed on a computer.
  • Implement block/black lists and enforce them on the network perimeter.
  • Employ advanced authentication techniques for user logins (two-factor authentication).
  • Utilize a security expert to test your network or run security software that will aid you in closing known vulnerabilities.
  • Monitor log files, especially proxy server logs, for unauthorized/suspicious Internet connections coming to and leaving the network.
  • Whenever possible, do not use a wireless network for financial transactions.  If a wireless network must be used, enforce security measures such as enabling encryption and MAC address filtering, changing the service set identifier (SSID) and turning off SSID broadcasting.
  • Use a single computer with a static IP address for all online banking transactions.
  • Change the default login names and passwords on routers, firewalls, other network equipment and software.
  • Consider blocking Internet plug-ins on the computers that access online banking accounts.
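
Three of the recommendations above (a dedicated computer with a static IP address, white listing, and proxy log review) can be checked together. The following is an added example, not something provided by the bank; the log layout, the IP address and the host names are placeholders assumed for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; none of these come from the page.
BANKING_PC = "192.0.2.10"                     # static IP of the dedicated machine
BANK_HOSTS = {"onlinebanking.example"}        # placeholder for the bank's site
ALLOWLIST = BANK_HOSTS | {"updates.example"}  # sites with a documented business need

# Constructed sample lines: "<epoch> <client_ip> <method> <target>"
SAMPLE_LOG = """\
1700000000 192.0.2.10 CONNECT onlinebanking.example:443
1700000050 192.0.2.10 GET http://updates.example/av/definitions.bin
1700000100 192.0.2.10 CONNECT onlinebanking.example.login-check.test:443
1700000200 192.0.2.77 CONNECT www.onlinebanking.example:443
1700000300 192.0.2.77 GET http://news.example/index.html
garbled line
""".splitlines()


def target_host(method, target):
    """Return the lowercase hostname from a CONNECT host:port or a full URL."""
    if method == "CONNECT":
        target = "//" + target          # lets urlsplit parse a bare host:port
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def host_in(host, names):
    """Exact match or a true subdomain; the dot boundary rejects look-alikes."""
    return any(host == n or host.endswith("." + n) for n in names)


def review(lines, banking_pc=BANKING_PC, allowlist=ALLOWLIST, bank_hosts=BANK_HOSTS):
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:             # keep unreadable lines visible for review
            findings.append((lineno, "unparsed", line))
            continue
        _, client, method, target = parts
        host = target_host(method, target)
        if client == banking_pc and not host_in(host, allowlist):
            findings.append((lineno, "off-allowlist", host))
        elif client != banking_pc and host_in(host, bank_hosts):
            findings.append((lineno, "banking-from-other-host", client))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Each finding is a tuple of line number, reason and the host or client involved, so the output can be reviewed alongside the alert and history checks listed earlier.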

User Recommendations:

  • Immediately report any suspicious activity in your accounts.
  • Set up and use a “non-privileged user” account on the computer to prevent unauthorized changes to the computer.  Use this non-privileged account for web browsing whenever possible.
  • Make sure the banking site you are using starts with https:// instead of http://.  The “s” indicates a secure transaction, using a different method of communication than standard Internet traffic.
  • Never use a link to reach your financial institution; emails and search engine links should not be trusted.  Type the bank’s website address into the Internet browser’s address bar every time.
  • Know what the financial institution’s website looks like and what questions are asked to verify your identity.
  • Be suspicious of emails and text messages purporting to be from your institution or a government agency.  Financial institutions should not contact you via email to request you to verify information.
  • Avoid using check or debit cards for online transactions.
  • Always lock your computer when you leave it unattended.  Set the computer to automatically lock after a set period of inactivity, e.g. 15 minutes.
  • Do not allow your computer or web browser to save your login names or passwords.
  • Use a strong password; at least 10 characters combining upper case and lower case letters, numbers and symbols.
  • Clear the Internet browser’s cache before visiting a financial institution’s website.
  • Never access your financial institution or privileged/sensitive system from a public computer.
  • Properly log out of all financial institution web sites and close the browser window.
  • When you are finished with your computer, turn it off or disconnect it from the Internet.
  • Do not open emails from un-trusted sources or suspicious emails from trusted sources.  Be aware of “Reading Pane” features, like those within Microsoft Outlook, automatically opening the emails they display.
  • Do not visit un-trusted websites or follow links provided by un-trusted sources.
  • Do not use the same computer for online transactions that children or “non-savvy” Internet users use for regular Internet access.
  • Do not use the login or password for your financial institution on any other website or software.  Do not write it down.  Do change it frequently.
  • Do not post your personal financial information on the web.  Your high school, maiden name, date of birth, first car, first school, youngest sibling’s name, mother’s full name, father’s full name, best friend’s name, etc. are the answers to many security questions on financial web sites.  When you post this information, you are making it easier for criminals to gain access to your financial information.

My account was compromised, now what?

  • Immediately stop using any computers that may be involved and contact your financial institution to request their help in preventing further loss and to aid in the possible recovery of any money.
  • Begin a log of your activities, including who you have talked with, what information you have and what mitigation steps you have taken.
  • Ask your financial institution to report the incident to the Police, FBI or US Secret Service.
  • Confirm that your bank reported the incident and call the appropriate agency yourself to provide additional details.