Most people know that personal banking activities are protected from fraudulent activity, and are therefore low-risk to the consumer. U.S. law limits credit card fraud liability to $50.00, and most banks waive the $50.00. The risk is essentially zero for an individual. This DOES NOT apply to businesses. The consumer fraud protections afforded by banking regulations apply only to personal accounts.
There are many ways that a business can be the victim of fraud:
- Use of a corporate debit card at an ATM or point-of-sale terminal. Criminals install card skimmers that capture the account information from the card and the PIN. This risk will be reduced once the implementation of new "chip" technology has been completed. Watch for new "chip" credit cards, and ask your bank when you will get yours.
- Charge account data is vulnerable to hackers who break into retail POS systems and download card numbers.
- Software keyloggers on a personal computer. If anyone in your business is lax about clicking links in e-mails, or if there are any weaknesses in your network security, thieves will install software on your computers. It records all the information necessary to log in to your bank account, and they start siphoning off money. One business lost over $50,000 in a 24-hour period before discovering the problem.
- Physical keylogger devices. Small, inexpensive devices that are virtually impossible to detect can be plugged into a PC in a matter of seconds and record every keystroke. These devices can be accessed remotely via wireless. Safeguard physical access to your business computers; if your receptionist walks away from her desk, leaving a guest in the lobby, you are vulnerable. Public kiosk computers and hotel business centers are prime targets for keyloggers. Do not use these computers to conduct business, including purchasing airline tickets or hotel accommodations.
- Hacking of business systems. Hackers routinely access the computer systems of businesses that don't employ the best possible defenses, resulting in the loss of the business's banking access information, its customers' credit card information, and the business's trade secrets.
- Credit card numbers can be stolen in restaurants or other venues where the card leaves the customer's sight for the transaction. Anyone with a smartphone can scan your credit card in seconds, recording the account number, expiration date and security code.
Big businesses are targets of hackers because of the possibility of stealing thousands of credit card numbers. But big businesses usually do have computer security. Banks have hardened their systems against intrusion. It is far easier for the criminal to access your small business system. Small businesses typically have weak or no security, so they are easier targets. Computer fraud and theft is big business; this is international organized crime and the perpetrators are serious and talented.
What can a small business owner do to protect themselves?
Top-notch computer network security is an absolute must for every small business. You don’t leave your front door unlocked at night. Why would you leave your computer systems unprotected? Hire someone reputable to make sure that your network and all computers stay current and are upgraded frequently: install updates and patches immediately. Don’t leave your computers on and connected to the internet when not in use.
- Separate tasks. PCs used to conduct financial transactions such as online banking and accounting should not be used to surf the internet, play games or read e-mail.
- Install the best possible technology, including anti-virus and anti-spam software, and a firewall; set it to update automatically. Nothing of value is free; stick with the name-brand major vendors.
- Be aware of the risks posed by mobile devices. Smart phones and tablets are fantastic tools for businesses, but they also complicate security. The risks are manageable, but only if you devote time and resources. If you ignore the issues, you will have problems. Use a strong password (disable simple passwords) and set the device to erase all data after a number of failed login attempts, to limit unauthorized access. Use mobile device management software to control policies and usage of those devices, and to be able to disable them and wipe data from them if necessary.
- Reconcile bank accounts regularly and promptly. Your bank should provide an easy way to download activity to simplify the process. If you use on-line banking, review your accounts at least daily to watch for unexpected transactions.
- Implement good controls over cash, blank checks, on-line banking, and deposits and disbursements within your business. Modern accounting software sacrifices controls in favor of ease of use. Ask your CPA to look at your internal controls and to recommend cost-effective ways to prevent theft or loss, even inadvertent loss, of your financial assets. For example, the person who reconciles the bank account should not have the authority to write checks or initiate transfers.
- If you use on-line banking to transfer funds between your accounts, or to initiate ACH or wire transfers, use the tools your bank provides for two-factor authentication, such as a token that generates a one-time password for each transaction, or a code from a second source such as a text message to your mobile phone.
- Adopt an internet usage policy, including guidelines about personal usage, mobile devices (especially personally-owned devices), e-mail and safety. Avoid having employees access their personal e-mail via business computers. Prohibit the use of USB drives.
- Enforce those guidelines with monitoring software that will alert your system administrator when something dangerous happens.
- Implement and enforce strong passwords. Using your dog's or children's names as a password is not very effective if there are photos of your dog or children on your Facebook page. Passwords should:
  - Be long: at least 8 characters, 12 is better.
  - Be meaningless: they should have no direct connection to the user.
  - Contain special characters, numbers and both lower- and uppercase letters.
  - Be made up of phrases with substitutions. For example, "I like the fab four" can be made into a strong password: !Lik3th3F@b4. A song title or phrase can also be used: "Sweet Home Alabama" becomes 5w33tHom3@l@b@m@. The fact that it is a phrase or a song makes it easier to remember and much harder to guess.
- Do NOT use the same password for multiple accounts. If someone hacks another site where you used the same password as your bank access, you've made it easy for them.
- Implement Positive Pay. This prevents check fraud. You upload a list of checks issued. The bank will not pay any check drawn on your account unless it matches the list.
- Train your people. The weakest point in any system is the people who operate the computers, not the machines or the software. Train your people. This is critical. It is "penny-wise and pound-foolish" to have people working with your valuable data who risk losing it every time they surf the internet. Train your people about safe computing. Refresh that training regularly.
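The Positive Pay matching step described above, written out as an added example (this is not the page's or any bank's code). The check numbers, amounts and payees are constructed sample data, the exception reasons are illustrative, and a real bank will have its own upload format and decision deadline.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: int        # check serial number
    amount: Decimal    # face amount in dollars
    payee: str         # payee name printed on the check

def build_issue_file(issued):
    """Index the business's upload of issued checks by check number;
    a duplicate number in the upload is a bookkeeping error."""
    index = {}
    for chk in issued:
        if chk.number in index:
            raise ValueError(f"duplicate check number in issue file: {chk.number}")
        index[chk.number] = chk
    return index

def positive_pay(issued, presented):
    """Return (pay, exceptions). An item is paid only if its number, amount and
    payee all match the issue file and it has not been paid already; anything
    else is an exception for the business to review before the bank pays it."""
    issue_file = build_issue_file(issued)
    paid, pay, exceptions = set(), [], []
    for item in presented:
        expected = issue_file.get(item.number)
        if expected is None:
            exceptions.append((item, "not on issue file"))   # unrecorded or counterfeit check
        elif item.number in paid:
            exceptions.append((item, "already paid"))        # same check presented twice
        elif item.amount != expected.amount:
            exceptions.append((item, "amount mismatch"))     # altered amount
        elif item.payee.strip().lower() != expected.payee.strip().lower():
            exceptions.append((item, "payee mismatch"))      # altered payee
        else:
            pay.append(item)
            paid.add(item.number)
    return pay, exceptions

# Constructed sample data: three checks issued, five items presented to the bank.
ISSUED = [Check(1001, Decimal("250.00"), "Acme Supply"),
          Check(1002, Decimal("1200.00"), "Office Landlord LLC"),
          Check(1003, Decimal("75.50"), "City Water")]
PRESENTED = [Check(1001, Decimal("250.00"), "ACME SUPPLY"),          # matches (case only)
             Check(1002, Decimal("9200.00"), "Office Landlord LLC"), # amount altered
             Check(1003, Decimal("75.50"), "John Doe"),              # payee altered
             Check(1004, Decimal("500.00"), "Cash"),                 # never issued
             Check(1001, Decimal("250.00"), "Acme Supply")]          # presented again
```

Calling `positive_pay(ISSUED, PRESENTED)` pays only check 1001 once and reports the other four items as exceptions; the person reviewing them should not be the person who issued the checks, per the separation-of-duties point above.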
EVERY business must have IT resources that will protect the business. Some can afford to hire a full-time system administrator. Smaller firms typically hire another business that specializes in providing the services needed on an outsourced basis. Do not skimp on this: your business is at risk. Your bank accounts are vulnerable; your customer lists can be copied; your employees can do great damage to your business, intentionally or not. If you use the internet, and don’t have quality IT resources to support your business, you are playing the lottery. Unfortunately, it is the hacker/thief who will win, and you who will lose.
Bob Cockrell, CPA, Lighthouse Business Advisors, LLC
Copyright Bob Cockrell, 2019