Monday, December 30, 2013

Data Security Guide: Monitoring & Transmitting Financial Data — Do It Securely

Online banking is a useful tool to help small businesses quickly and conveniently track financial information, pay bills, and pay employees. However, data thieves are now targeting small business owners — and their employees — to get access to their online banking credentials and accounts so that they can make unauthorized money transfers. A small business can protect itself against increased liability on its financial transactions by using strong procedures to secure the credentials it uses to access its bank accounts.

Getting Started

The following guidelines will help you protect the computers you use to access your bank accounts and your online access credentials.
  1. Initiate a "dual control" payment process with your bank and employees.
    Ensure that all payments are initiated from your bank accounts only after the authorization of two employees. One employee will authorize the creation of the payment file and a second employee will be responsible for authorizing the release of the file. This process should be in place regardless of the type of payment being initiated...including checks, wire transfers, fund transfers, payroll files, ACH payments, etc.
  2. Have dedicated workstations.
    Where possible, restrict certain workstations and laptops to be used solely for online banking and payments. For example, a workstation or laptop used for online banking should not also be used for web browsing or social networking.
  3. Use robust authentication methods and vendors.
    Make sure your financial service providers allow for "multi-factor authentication." This means that you need more than just a username and password to access your account.
  4. Update virus protection and security software.
    Ensure that all anti-spyware, anti-malware, and security software and mechanisms are robust and up-to-date for all computer workstations and laptops used for online banking and payments. Implement a process to periodically confirm they remain up-to-date. Security patches are often available via automatic updates.
  5. Reconcile accounts daily.
    Monitor and reconcile accounts daily against expected credits and withdrawals. If you see any kind of unexpected activity on your account, notify your financial institution immediately.
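The "dual control" process in guideline 1 can be enforced in a payment system as well as by procedure: one employee authorizes creation of the payment file, a second, different employee authorizes its release, and nothing reaches the bank until both approvals exist. The following is an added example written for this page, not code from the original post or from any bank; the payment record, the employee names and the `PAYMENT_KINDS` set are constructed assumptions.

```python
# Added example (not from the original post): enforcing two-person "dual control"
# on payment files. Fields, employee names and payment types are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

# The post says dual control applies to every payment type, so the rule
# is keyed on the payment, not on the channel (constructed set).
PAYMENT_KINDS = {"check", "wire", "transfer", "payroll", "ach"}


class DualControlError(Exception):
    """Raised when a payment would move forward without two distinct authorizers."""


@dataclass
class Payment:
    payment_id: str
    kind: str                          # one of PAYMENT_KINDS
    payee: str
    amount_cents: int
    created_by: Optional[str] = None   # employee who authorized creating the file
    released_by: Optional[str] = None  # second employee who authorized release
    audit: List[str] = field(default_factory=list)

    @property
    def state(self) -> str:
        if self.released_by is not None:
            return "released"
        if self.created_by is not None:
            return "awaiting_release"
        return "draft"


def authorize_creation(payment: Payment, employee: str) -> Payment:
    """First authorization: an employee approves creation of the payment file."""
    if payment.kind not in PAYMENT_KINDS:
        raise DualControlError(f"unknown payment type {payment.kind!r}")
    if payment.created_by is not None:
        raise DualControlError(f"{payment.payment_id} already created by {payment.created_by}")
    payment.created_by = employee
    payment.audit.append(f"created_by={employee}")
    return payment


def authorize_release(payment: Payment, employee: str) -> Payment:
    """Second authorization: a *different* employee releases the file to the bank."""
    if payment.created_by is None:
        raise DualControlError(f"{payment.payment_id} has no creation authorization")
    if payment.released_by is not None:
        raise DualControlError(f"{payment.payment_id} already released")
    if employee == payment.created_by:
        # Separation of duties: one person may never hold both approvals.
        raise DualControlError(f"{employee} cannot both create and release {payment.payment_id}")
    payment.released_by = employee
    payment.audit.append(f"released_by={employee}")
    return payment


def release_to_bank(payment: Payment) -> dict:
    """Only a fully dual-controlled payment may be handed to the bank."""
    if payment.state != "released":
        raise DualControlError(f"{payment.payment_id} is {payment.state}, not released")
    return {
        "id": payment.payment_id,
        "kind": payment.kind,
        "payee": payment.payee,
        "amount_cents": payment.amount_cents,
        "approvers": [payment.created_by, payment.released_by],
    }


def demo() -> dict:
    """Walk a constructed payroll file through both approvals."""
    p = Payment("PAY-0007", "payroll", "Payroll batch 7", 4_800_000)
    authorize_creation(p, "alice")
    try:
        authorize_release(p, "alice")   # rejected: same employee as the creator
    except DualControlError:
        pass
    authorize_release(p, "bob")         # accepted: a second, distinct employee
    return release_to_bank(p)


if __name__ == "__main__":
    print(demo())
```

The important check is the one in `authorize_release`: without the `employee == payment.created_by` test, a single compromised set of credentials could satisfy both steps and the control would exist only on paper. The `audit` list records who approved what, which is what you would hand to the bank or an investigator if a transfer is later disputed.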

Checklists

  1. Initiate a "dual control" payment process with your bank and employees.
  2. Have dedicated workstations.
    • Lock down these workstations when not in use...even for short periods of time.
    • Do not use public computers — such as at the public library, hotel business centers or airport computer terminals — to access online banking.
  3. Use robust authentication methods and vendors.

    In addition to passwords and PINs:
    • Each user should have their own password — do not allow several users to share the same password.
    • Use complex passwords — ones that contain a combination of numbers, letters and/or symbols.
    • Consider using an additional authentication tool, such as a token or a smart card.
    • Each user should change their password frequently — approximately every 45-60 days.
  4. Update virus protection and security software.
    • Do not respond to emails or open attachments...unless you were expecting the communication. Phishing scam emails can come from both unrecognized and recognized sources.
    • You won’t ever receive an authentic email asking for your online banking credentials.
    • If something appears unusual or you receive an email requesting your online banking credentials, call your bank, but don’t click on any links or use any information from the email, as it may be a phishing email.
  5. Reconcile accounts daily.
    • Utilize bank account features, such as automated payment filters and other alerts that show unexpected activity on your accounts.
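Daily reconciliation (guideline 5 and its checklist item) comes down to comparing what the bank says posted against what the business expected to post, and raising an alert for anything that does not line up: a transaction the business never initiated, an amount that differs from the approved one, or an expected payment that has not cleared. The following is an added example written for this page, not code from the original post; the two transaction lists, the reference-number format and the withdrawal limit are constructed, and references are assumed to be unique within a statement day.

```python
# Added example (not from the original post): reconcile one day's bank statement
# against the business's own expected transactions and produce alerts.
# All transactions below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    date: str
    ref: str            # assumed unique per statement day
    amount_cents: int   # negative = withdrawal, positive = credit
    description: str


# What the business's own records say should post today (constructed).
EXPECTED = [
    Txn("2013-12-30", "CHK-1042", -125_000, "Office lease"),
    Txn("2013-12-30", "ACH-PAY-7", -4_800_000, "Payroll batch 7"),
    Txn("2013-12-30", "DEP-311", 300_000, "Customer deposit"),
    Txn("2013-12-30", "CHK-1051", -20_000, "Office supplies"),
]

# What the bank's statement actually reports (constructed). Note the wire
# that nobody at the business initiated.
BANK_STATEMENT = [
    Txn("2013-12-30", "CHK-1042", -125_000, "Office lease"),
    Txn("2013-12-30", "ACH-PAY-7", -4_800_000, "Payroll batch 7"),
    Txn("2013-12-30", "DEP-311", 300_000, "Customer deposit"),
    Txn("2013-12-30", "WIRE-5521", -975_000, "Outgoing wire"),
]


def reconcile(expected: List[Txn], statement: List[Txn]) -> Dict[str, list]:
    """Match by reference; classify each side's leftovers."""
    exp = {t.ref: t for t in expected}
    bank = {t.ref: t for t in statement}
    report: Dict[str, list] = {"matched": [], "unexpected": [], "missing": [], "amount_mismatch": []}
    for ref, b in bank.items():
        e = exp.get(ref)
        if e is None:
            report["unexpected"].append(b)            # bank posted it, we never expected it
        elif e.amount_cents != b.amount_cents:
            report["amount_mismatch"].append((e, b))  # same reference, different amount
        else:
            report["matched"].append(b)
    # Expected but not on the statement: usually "not cleared yet", still worth listing.
    report["missing"] = [e for ref, e in exp.items() if ref not in bank]
    return report


def alerts(report: Dict[str, list], withdrawal_limit_cents: int) -> List[str]:
    """Turn the reconciliation report into the alerts someone should act on."""
    out: List[str] = []
    for t in report["unexpected"]:
        if t.amount_cents < 0:
            sev = "HIGH" if -t.amount_cents > withdrawal_limit_cents else "MEDIUM"
            out.append(f"{sev}: unexpected withdrawal {t.ref} {t.amount_cents / 100:.2f} ({t.description})")
        else:
            out.append(f"LOW: unexpected credit {t.ref} {t.amount_cents / 100:.2f} ({t.description})")
    for e, b in report["amount_mismatch"]:
        out.append(f"HIGH: {e.ref} expected {e.amount_cents / 100:.2f} but posted {b.amount_cents / 100:.2f}")
    for e in report["missing"]:
        out.append(f"INFO: {e.ref} ({e.description}) not yet posted")
    return out


def daily_check(withdrawal_limit_cents: int = 500_000) -> Tuple[Dict[str, list], List[str]]:
    """Run the reconciliation on the constructed data and return report plus alerts."""
    report = reconcile(EXPECTED, BANK_STATEMENT)
    return report, alerts(report, withdrawal_limit_cents)


if __name__ == "__main__":
    _, found = daily_check()
    for line in found:
        print(line)
```

The unexpected outgoing wire is the case the post is warning about: it matches nothing the business approved, so it surfaces as the first HIGH alert and is what you would phone the bank about immediately. Matching on a reference number rather than on amount alone is deliberate; a fraudulent transfer for the same amount as a legitimate one would otherwise be absorbed into the expected entry.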