Business Fraud & Security
Keeping Your Company Information Secure
Are you taking steps to protect your customers' and your own personal information? Safeguarding sensitive data in your files and on your computers is good business. If that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles:
- Know your business. Know what customer and personal information you have on your computers and in your files.
- Scale down. Keep only what you need for your business.
- Secure it. Protect the information you keep, and give access to it only on a need-to-know basis.
- Destroy it. Properly dispose of what you no longer need.
- Be ready. Create a plan for responding to security incidents.
The sections below give informative and practical steps your business can take to implement these principles and protect customer and personal information. We hope you'll take advantage of the other resources to educate your employees and customers. This information is provided by the Federal Trade Commission, Bureau of Consumer Protection.
Know what personal identifying information you have in your files and on your computers.
- Inventory all computers, servers, storage devices and other electronic equipment where your company stores files, and record where sensitive data is kept.
- Talk with your employees and outside service providers/vendors to determine who sends personal identifying information to your business, and how it is sent.
- Consider all the ways you collect personal identifying information from customers, and what kind of information you collect.
- Review where you keep the personal identifying information you collect, and who has access to it.
Keep only what you need for your business.
- Use Social Security numbers only for required and lawful purposes. Don’t use SSNs as identifiers or for customer locators.
- Keep customer credit card information only if you have a business need for it, and store it in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
- Review the forms you use to gather information on potential customers - and revise them to eliminate requests for information you don’t need.
- Change the default settings on your network and on software that reads customers' personal identifying information so that it does not retain data you don't need.
- Truncate the account number on the credit and debit card receipts you give customers: print no more than the last five digits of the card number, and omit any other information not needed for the transaction.
- Have a records retention policy, especially for the information you must keep for business reasons or to comply with the law or regulations.
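The first two principles above (knowing where personal identifying information lives, and keeping only what you need) both start with finding it. The scanner below is an added example written for this page, not FTC or bank code. It walks text for U.S. Social Security numbers and payment card numbers, validates card candidates with the Luhn checksum so that invoice and phone numbers are not reported, and reports each finding masked to its last four digits so the inventory itself does not become another copy of the data. The sample text is constructed.

```python
"""Sensitive-data discovery scanner (added example for this page; not FTC or
bank code).

Finds two identifiers the page tells businesses to inventory and minimize:
U.S. Social Security numbers and payment card numbers (PANs). Card candidates
must pass the Luhn checksum, so invoice numbers and phone numbers are not
reported, and every finding is masked to its last four digits so the report
does not become another copy of the data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SSN in the 3-2-4 layout, dashes or spaces optional; excludes invalid
# area (000, 666, 9xx), group (00) and serial (0000) values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits; the rest are replaced with asterisks."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str     # "SSN" or "PAN"
    line: int     # 1-based line number in the scanned text
    masked: str   # masked value; the raw identifier is never stored


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line and return masked findings in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("SSN", lineno, mask(re.sub(r"\D", "", m.group()))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("PAN", lineno, mask(digits)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, which is the figure an inventory actually needs."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: one SSN and one valid card number, plus look-alikes
# (an invoice number, a phone number, a mistyped card) that must not be reported.
SAMPLE = """\
Customer: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111
Invoice #20240001234567 amount 1,250.00 phone 555-123-4567
Refund to card 4111-1111-1111-1112 (mistyped; fails the checksum)
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE)
    for f in found:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print(summarize(found))
```

Run it over exported files, mailbox dumps or database extracts to build the inventory the first principle asks for; the counts per location tell you where scaling down will have the most effect. Pattern matching will still miss identifiers stored in unusual layouts, so treat the output as a starting point, not proof of absence.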
Protect the information that you keep.
- Keep documents and other materials containing personally identifiable information in a secure area, in locked file cabinets or storage vaults.
- Remind employees to put files away, log off their computers, and lock file cabinets and office doors when they leave their work areas.
- Implement appropriate access controls for your business.
- Encrypt sensitive and personal identifying information if you must send it over the internet/intranet.
- Keep anti-virus and anti-spyware software up to date on individual computers and all servers, and apply operating system and application security updates promptly.
- Require employees to use strong, unique passwords, and enable multi-factor authentication wherever it is available.
- Caution employees against sending sensitive or personal identifying information by regular, unencrypted e-mail.
- Have security policies for all electronic devices including laptops used both within your office, and while traveling.
- Use a firewall to protect your computers and your network.
- Set access controls so that only trusted employees with a legitimate business purpose can reach the network and the systems that hold sensitive information.
- Monitor network and internet traffic for anomalies that may indicate a breach.
- Check references and do background checks before hiring employees who will have access to sensitive information or who will collect or store personal identifying information.
- Create procedures to ensure that workers who leave your business no longer have computer access or physical access to sensitive information.
- Educate employees about how to recognize and avoid phishing (e-mail) and vishing (voice/phone) scams.
Properly dispose of what you no longer need.
- Have and enforce information disposal practices.
- Dispose of paper records containing personal identifying information by shredding, burning or pulverizing them.
- Encourage your staff to keep sensitive business documents out of the regular trash, where dumpster divers can find them.
- Make shredders or locked shred bins available throughout your business, including next to printers and photocopiers.
- Use disk-wiping software on the hard drives of old computers, copiers and portable storage devices before you discard or resell them, and physically destroy drives that cannot be reliably wiped (solid-state and flash media in particular, where overwriting software may not reach every cell).
- Train employees who travel or work from home to properly destroy sensitive documents and personal identifying information, and to securely dispose of old computers and portable devices.
Create a plan for responding to security incidents.
- Have a plan to respond to security problems, and designate a team led by a senior staff person.
- Practice what if scenarios for your business and how to respond to different kinds of security incidents.
- Investigate security incidents immediately.
- Create a list of who to notify - inside and outside your business - in the event of a security breach.
- Immediately disconnect a hacked or compromised computer from your network and the internet, but do not wipe or reinstall it until the incident has been investigated; it may hold the evidence of how the intrusion happened.
Fraud Advisory for Businesses: Corporate Account Take Over (CATO)
Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts.
Cyber criminals use technical and non-technical methods to manipulate or trick victims into divulging personal or account information, or into performing an action such as opening an e-mail attachment, accepting a fake friend request on a social networking site, or visiting a legitimate but compromised website that installs malware on your computer(s).
The criminal's goal is to get an employee to open the infected attachment or click the link in the e-mail and visit the malicious website, where malware is silently downloaded to the employee's computer. This malware lets the fraudster "see" and track the employee's activity across the business's internal network and on the internet, including visits to your financial institution and the online banking credentials (account information, log-in and passwords) used to access accounts. With this information, the fraudster can conduct unauthorized transactions that appear to be legitimate transactions by the company or its employee.
Good practices to ensure your information is secure from CATO
Corporate Account Takeover (CATO) is the fast-growing electronic crime where thieves typically use some form of malware to obtain login credentials to online banking accounts and then fraudulently transfer funds from those accounts. The attacks are usually undetected for some period of time. Malware introduced into your network/systems may be undetected for weeks or months. Account transfers using stolen credentials may happen at any time and go unnoticed for days.
The good news is, if you follow sound business practices, you may be able to protect your business:
- Use layered system security: Create layers of firewalls, anti-malware software and encryption. One layer of security might not be enough. Take a defense-in-depth approach, with robust anti-malware software on every network, workstation and laptop, and keep it updated.
- Manage online banking accounts from a single, dedicated computer: If possible, use a separate computer exclusively for online banking and cash management. This computer should not be connected to your business network, should receive only secure or encrypted e-mail (never public e-mail), and should not be used for any online purpose except banking.
- Educate your employees about cybercrime. Make sure your employees understand that just one infected computer can lead to a CATO incident. Make them conscious of the risk, and teach them to ask “Does this e-mail or phone call make sense? Is this really from a customer or vendor I deal with?” before they open attachments or provide information.
- Block access to unnecessary or high-risk websites. Prevent access to websites that feature adult entertainment, gaming, social networking and personal e-mail; these are common channels for delivering malware onto your network. Do not allow shopping or downloads from websites on your business computers.
- Establish separate user accounts for every employee who accesses sensitive company information, and limit administrative rights. Many malware programs need administrative rights on the workstation or network in order to steal credentials. Do day-to-day work from a standard (non-administrator) account, and never use an account with administrative rights for online banking.
- Review or reconcile accounts online daily. The sooner you find and notify the bank of suspicious transactions, the sooner the theft can be investigated.
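Reviewing accounts daily is only useful if someone knows what to look for. The script below is an added example written for this page, not the bank's or the FTC's code. It applies three simple checks to a day's outgoing transfers (a payee the business has never paid before, an amount well above what has historically gone to that payee, and a transfer initiated outside business hours or on a weekend) and returns the ones a person should look at before the bank's reporting window closes. The payee history, the transactions, the 2x spike factor and the 8:00 to 18:00 business day are all constructed assumptions.

```python
"""Daily outgoing-transfer review (added example for this page; not the bank's
or the FTC's own code).

Flags transfers that deserve a human look before they are allowed to settle:
  - a payee this business has never paid before,
  - an amount more than SPIKE_FACTOR times the largest prior payment to that payee,
  - a transfer initiated outside business hours or on a weekend.
All thresholds and data below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Transfer:
    when: datetime   # time the transfer was initiated
    payee: str       # beneficiary name as shown in online banking
    amount: float    # USD
    channel: str     # "ACH" or "WIRE"


# Constructed history: largest amount previously paid to each known payee.
HISTORY = {
    "Acme Supply": 8400.00,
    "City Power": 1250.00,
    "Payroll Svc": 32000.00,
}

SPIKE_FACTOR = 2.0                          # assumed: flag > 2x the prior maximum
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local business day


def is_off_hours(when: datetime) -> bool:
    """True on weekends or outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.time() <= end)


def review(transfers: list[Transfer],
           history: dict[str, float] = HISTORY) -> list[tuple[Transfer, list[str]]]:
    """Return each suspicious transfer with the list of reasons it was flagged."""
    flagged: list[tuple[Transfer, list[str]]] = []
    for t in transfers:
        reasons: list[str] = []
        prior_max = history.get(t.payee)
        if prior_max is None:
            reasons.append("new payee")
        elif t.amount > SPIKE_FACTOR * prior_max:
            reasons.append("amount spike")
        if is_off_hours(t.when):
            reasons.append("outside business hours")
        if reasons:
            flagged.append((t, reasons))
    return flagged


# Constructed day of activity (2024-05-14 is a Tuesday).
TODAY = [
    Transfer(datetime(2024, 5, 14, 9, 15), "Acme Supply", 7900.00, "ACH"),
    Transfer(datetime(2024, 5, 14, 2, 47), "Global Ventures LLC", 9850.00, "WIRE"),
    Transfer(datetime(2024, 5, 14, 11, 2), "City Power", 3100.00, "ACH"),
    Transfer(datetime(2024, 5, 14, 15, 30), "Payroll Svc", 31500.00, "ACH"),
]

if __name__ == "__main__":
    for t, reasons in review(TODAY):
        print(f"{t.when:%Y-%m-%d %H:%M} {t.channel:4} {t.payee:<20} "
              f"{t.amount:>10,.2f}  {', '.join(reasons)}")
```

Note that the routine payroll run is not flagged even though it is the largest amount of the day: the check is relative to each payee's own history, which is what makes a 3,100.00 utility payment stand out while a 31,500.00 payroll does not. The 2:47 a.m. wire to a never-before-seen payee is the pattern the CATO description above warns about, and it is exactly the kind of item to report to the bank the same day.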
Protect yourself against fraudulent transactions
Important! Review your accounts online daily.
If you find an unauthorized electronic transaction, report it to the bank within 24 hours to limit the amount for which you are liable; if you wait more than 24 hours, you become liable for the unauthorized transactions. So review your accounts daily and report any suspicious activity immediately. Some transactions may be disputed within 60 days. Always review your monthly bank statements and report any suspicious activity immediately.
The security of your money and identity is as important to us as it is to you. Let's work together to protect it.
The most important step in using a smartphone or tablet for your business is treating your company mobile devices like portable computers.
These common precautions will help protect you from fraud and theft:
- Set the phone to require a passcode to power on the handset or awake it from sleep mode. If it's lost or stolen, any confidential information stored on the device will be more difficult to access.
- Whether you're using the mobile Web or a mobile App, don't let it automatically log you in to company bank accounts. Otherwise, if your phone is lost or stolen, someone will have free access to your accounts and your money.
- Don't save your passcode, account number, PIN, answers to secret questions or other such information on the mobile devices.
- Immediately tell the bank and mobile operator if you lose your phone. The sooner you report the loss, the better protected you are from fraudulent transactions.
- Download and install antivirus software for your mobile device, according to the manufacturer's recommendations.
- Be careful when downloading Apps. Downloads should always be from a trusted and approved source.
- Avoid "free offers" and "free ringtones." An email or instant message that offers free software downloads, such as ringtones, may contain viruses or malware.
- Be cautious of emails or text messages from unknown sources asking you to update, or confirm your personal identifying information including passcode/password and account information. Don't reply to text messages from people or places that you do not know.
- Treat your mobile device as carefully as you would your wallet, cash or credit cards.
- Keep track of account transactions. Review your online bank account daily and your statements monthly to catch fraudulent transactions early. If you notice discrepancies, contact Fayette County National Bank immediately.
- Use Wi-Fi on your device only on trusted, password-protected networks; a password alone does not make a public hotspot safe, so prefer your own network or your cellular connection for banking. Turn off Wi-Fi when you are away from a trusted network, and turn off any auto-connect features, which can join your phone to insecure wireless networks without your knowledge.
- Make sure you log out of social networking sites and online banking when you’ve finished using them.
- Install operating system updates for your device as they become available - they often include security updates.
- Before you upgrade or recycle your device, delete all personal identifying information and business information.
“Social Engineering” is any method of theft that manipulates human nature in order to gain access to your online accounts. No business is immune to the risks of Social Engineering attacks, and thieves will go to great lengths to lower your guard. Here are a few ways you can protect yourself from thieves using Social Engineering techniques:
- Don't allow unfamiliar visitors into any area with network access. Thieves often pose as vendors, service providers or even firefighters conducting an inspection, in order to gain physical access to your network. It only takes a few seconds for them to plug in a thumb/USB drive that installs keystroke logging software. Legitimate technicians or officers will have I.D. beyond a logo shirt or uniform to back up their claim, and should be verified independently.
- Be cautious about letting visitors use a workstation or plug into your network. A request to “check my email” or “download that sales brochure” might seem innocent enough. But, this is a favorite tactic of Social Engineers to gain access to your network and leave monitoring software or hardware behind.
- Control access to your facility. Whatever type of business you have, there should be barriers between public and private back office areas. Doors leading into back offices from public areas should be locked. Doors to outdoor smoking areas should be locked. Visitors to back office areas should always be accompanied by a trusted employee.
- Don't assume that an unsolicited phone call or email is actually from a trusted source. Thieves can research your business relationships or your online social information, and then pose as a business partner, vendor or colleague you trust. They can pose as another department or company employee needing your personal help. Again, verify before providing any confidential or personal identifying information.
- Remember, unexpected email attachments should be treated with great caution. Common and popular files like PDFs, JPGs, ZIP files and spreadsheets can provide a platform for installing viruses or keystroke-logging malware on your computer or business network. If you are not certain the file came from a legitimate business, or person, don't open it without verifying. Call them and ask if they sent an email with an attachment.
- Verify, verify, verify. If you receive a phone call, e-mail or text claiming there is a problem with a bank account, debit/credit card account or any other account, hang up or delete the message, then check the account directly using contact information you already have, such as the phone number on the back of your card or on a statement.
The best way to avoid Social Engineering schemes is to be cautious about any unknown visitor, and any request for money, passcodes/passwords, account numbers or other confidential or personal identifying information – no matter who or where it seems to be coming from.
*This material is for information purposes only. Before acting on any ideas presented in this information (security, legal, and/or technical) you should independently evaluate by considering all the risks and the unique factual circumstances surrounding your business. No computer system can provide absolute security under all conditions.