ACH Fraud: How to Educate Customers

Bank Launches Seminars to Raise Awareness at Businesses
Education is the key weapon against ACH and wire fraud, also known as corporate account takeover. And one Oklahoma bank is stepping forward to launch a series of seminars to help educate and protect its commercial customers.

Darcie Henderson, head of cash management at Coppermark Bank, says the decision to offer the training was easy. "There's a lot that needs to be done," she says.

Coppermark Bank, headquartered in Oklahoma City, is an independently owned regional bank with more than $1 billion in assets. The bank has 11 locations in Oklahoma and Texas and serves more than 25,000 customers.

The plan is to offer seminars in June for the bank's business customers. The seminars will include portions on avoiding malware, basic security procedures and customers' responsibilities to detect and deter fraud.

The first group invited will be the business customers who originate ACH or wire transfers. "And we'll expand it to our other business customers too," Henderson notes. "Do they think [fraud] will happen to them? Probably not. But if we can educate them better about the threat, that's a first step."

In planning the seminars, Henderson says business owners will be targeted, but won't be the only ones encouraged to attend. "We don't just want the owner, but also the user who creates these transactions, to be attending the classes," Henderson says. Example: Perhaps a doctor's office is using ACH transactions, but the doctor doesn't know what the office manager is doing with the transactions. The doctor needs to know the process, the security behind it and what the office manager does when moving transactions. "Most importantly the doctor (or owner) needs to know the threats they're facing from the lack of security and processes in their office."

Coppermark and its customers have not yet experienced any fraud losses due to corporate account takeover, she says. "And with this training, we're aiming to keep it that way."

Security 101


Henderson says that the bank's business customers are coming to the realization that corporate account takeover is a real threat. And increasingly, these customers are asking about security - and revealing a lack of basic knowledge. "They sometimes seem surprised when we talk about creating separate users with different passwords, or basic security such as don't share IDs and passwords and having controls in place," she says.

The seminar will involve several different departments and topics, including:

  • Avoiding Threats -- The bank's IT department will lay out best practices for avoiding malware, recognizing phishing and social engineering attempts, and keeping antivirus and anti-spyware software updated.
  • Available Services -- The cash management area of the bank will talk about the products and services businesses can employ to help reduce the threat. "Security isn't a business' top priority," Henderson says. "They're good at what they do in their business, but may not know all the things that they should or should not be doing when it comes to computer operations and security. We'll be talking about malware, basic information security, what their responsibilities are, and what our initiatives are doing to cut the threat of corporate account takeover," she says. The talk will also cover services such as positive pay and other things that can help customers protect their accounts.
  • Information Security Basics -- Neal Clonts, the bank's information security officer, says business customers will get the "Security 101" basics, as well as a rundown of the common types of malware in use by criminals, including Trojans, phishing, rootkits, keyloggers, spyware, worms, viruses and botnets. His discussion will also focus on what the customers' responsibilities are when it comes to information security.

Best Practices


When it comes to security, the advice is straightforward, Clonts says. "Business customers' responsibilities include having a level of understanding on how to secure their computers and business processes from current threats, and then be able to apply the knowledge and be proactive in their methods."

One recommended practice Clonts will talk about is the use of a dedicated computer for all the business' online banking transactions. "Casual browsing on the Internet can expose a computer to unwanted malware installations or web-based viral scripting," he notes. Using a dedicated PC will help reduce:

  • Exposure to malware;
  • Exposure to viral scripting;
  • Chances of system corruption related to automatic software installs through the Internet browser;
  • Unwanted physical activity if the computer is not exposed in a business' customer areas.

Clonts will also advise business customers to remove the administrative rights on their company computers. "By removing administrative rights, this protects the computer by limiting the activities users can perform on their computers, including uploads, downloads and installations."

The use of strong passwords is also a part of the business customers' "Security 101" course. Clonts points out that passwords confine system access to authorized users and may extend the amount of time it takes a hacker to get a password through an attack. More complex passwords are the way to go, along with a regular schedule for changing passwords (and not allowing users to reuse old passwords), he advises.

The use of antivirus and anti-spyware software to monitor for malware and spyware is also a core part of any business customer's security program, Clonts notes. "Antivirus can reduce the amount of exposure to all types of malware," he says. But the other important part of using it is keeping it updated at all times. The same goes for anti-spyware programs.

The last item that Clonts says all business customers need to focus on is keeping their computers' software up-to-date with patches. "A large percentage of attacks that occur to computers is the result of poor computer programming," he notes. Patches apply new software to computers to fix those issues.

Promoting the Bank's Protections


Henderson says businesses also will find out details on some of the things the bank is already doing on the ACH side to protect transactions. Coppermark has implemented monitoring requirements for ACH and wire transactions, including security questions. To further protect business accounts, the bank has implemented numeric tokens for customers to use to authenticate themselves on the online banking portal.

One recent change in ACH account monitoring at Coppermark includes a new user restriction. Now, when a new user is created, the bank requires a phone call be made to its call center, and the new user is verified. "We've seen this is a way that fraud happens, being able to create a new user and make transactions," she says.

Other security measures implemented by the bank for ACH transactions and wire transfers include IP restrictions, ACH transaction limits, and the bank's internal monitoring. "This is something that the customers aren't aware we do," she says. "Anything out of the ordinary, we flag it and send it back to customer for verification."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



