Is your cyber security up to snuff?
All our digital devices make us ripe for fraud or a hack, whether it’s out-and-out theft or someone stealing personal information. From a banker’s perspective, what are the various ways that digital fraud happens to boards?
Email compromise is probably one of the largest fraud schemes that we’re seeing now. There are several different ways that a fraudster can break into an organization, but I would say business email compromise, technical support compromise, ransomware data breach and phishing are probably the most common ways.
What can a bank do to minimize the risk so that a building’s accounts are not compromised?
There are several products that prevent financial transactions from leaving the bank. We have positive pay for check fraud and for payments that are converted to Automated Clearing House, or electronic transfers. We have ACH debit blockers to protect accounts. We also have layers of security when you’re sending out ACH or wire payments so that there are multiple levels of approval. Our fraud team is also constantly monitoring each business account and personal account for activities, so that if something out of the ordinary pops up, we’ll actually flag it and call the customer and make sure that it’s a valid transaction.
In addition, we do have the back-end monitoring, and we also teach our clients about callback procedures. We make sure that we can get ahead of anything that looks fishy, or we can reach out to the customer to verify a large transaction before it leaves the bank. We’ve caught a lot of fraud that way as well.
You mentioned a fraud team. Do you have a group of people who focus on that exclusively?
We have a big team, and this is all they do. They will also work with our clients when they experience fraud to ensure that all their computers are clean of malware and that they have the proper protocols in place to prevent fraud in their organization.
What kind of protocols should boards expect with their management companies, or maybe even their own colleagues on the board?
Obviously, no one should be sending any sensitive financial bank information via email unless it’s secure. If you’re wiring funds to a new location, make sure you pick up the phone and verify those instructions over the phone with the person whose number is on file. That way you don’t get looped into something where an email came in and asked you to wire funds, and you assume that you’re speaking to a vendor that you’ve worked with for a long time, and you send the funds without doing a callback. Because everything is accessible online, we’re teaching our clients that that is the first line of defense.
If a bill is being paid by a management company via ACH, how is that monitored?
The right protocols have to be in place. Whether it’s for payroll or paying a vendor, boards need to make sure that there’s a process for sending payments and new payment destinations to ensure that they’re accurate. Boards want to make sure they talk to their management company about what its protocol is for sending electronic payments, and they want to make sure they’re involved. A lot of board members are really involved in their reserve accounts, and they’ll end up managing that account and sending funds from their reserve account to a new reserve, or maybe back to the operating account. So it’s always really important to make sure that you’ve verified that information over the phone. It’s a good idea to have templates so that if you have a destination that’s been verified and you consistently wire to that destination, it’s an approved template that no one can touch, so they can’t alter the information and then send a wire to the wrong place.
What’s the takeaway for boards given the prevalence of fraud and hacking?
I think boards really need to understand where their information is being housed and how it’s being protected. Everyone needs to make sure they have an insurance policy for cyber fraud, because it is on the rise. Also, have email protocols, and make sure everyone knows them.
Is the staff trained to not click on links that are trying to phish and get into their systems? Are the board members aware of that as well? Do they have a secure way to communicate any financial transactions between themselves and the bank, or themselves and the property management firms? Just review everything, and make sure everything is in place to try to prevent the worst-case scenario.
Meghan Hallinan is senior vice president, commercial private banking, at BankUnited.