Did you know that most banks do not cover unauthorized withdrawals from business accounts? Although consumer banking accounts are covered under Federal Reserve Regulation E, requiring banks to reimburse for certain fraud losses, Regulation E does not apply to business accounts. Instead, business bank accounts are covered by the Uniform Commercial Code (UCC), which provides shorter reporting timelines, fewer protections, and much higher liability for fraud.
In short, this means much of the responsibility for protecting your business bank account rests squarely on you and your business. You must be especially careful to safeguard against wire transfer fraud and check fraud, and to protect your business' banking credentials.
This article by Pamela Ryckman for The New York Times tells the stories of companies that lost hundreds of thousands of dollars to hackers and malware not detected by antivirus programs. Consider these tips from security specialists and from owners who have learned these lessons the hard way:
- Keep firewalls and security patches up-to-date.
- Limit the number of employees with access to accounts.
- Dedicate one computer solely for online banking. Employees should never send e-mail or browse the Web from this machine.
- Restrict social media and other access and educate employees to avoid unusual links and e-mails.
- Consider placing accounts with larger banks that have more mature pattern-recognition and monitoring capabilities.
- Require multiple people to approve every bank transaction and insist on “multifactor authentication,” or more than one way for a bank to confirm an owner’s identity before making a transfer.
- Place limits on the amounts of all automated clearinghouse transactions.
- Monitor your balances daily.
- Buy fraud insurance with a rider covering cybercrime and fraudulent bank transfers.
The website www.businessidtheft.org has lots of resources for education, prevention, and what to do if your business is a victim of identity theft or fraud. This site is maintained by the Identity Theft Protection Association which, together with the National Association of Secretaries of State (NASS), has brought together state government officials, business owners, law enforcement, financial industry representatives, and other key stakeholders in the fight against business identity theft.
This link offers many suggestions to protect your business, including:
- Review your commercial / business banking agreements so you are fully aware of your liability.
- Monitor your accounts daily and use online banking. Many banks provide email and text alerts regarding your account activity, which can help alert you to suspicious transactions. You can also eliminate mailed paper statements, which can further reduce the risk that your business banking information may be stolen or exposed.
- Use strong, complex passwords for your financial transactions and be sure to include a combination of upper and lower case letters, special characters, and numbers. Change your passwords regularly, and do not use the same passwords for other websites or online accounts.
- Treat and protect your business EIN / TIN as you would your own Social Security number. Thieves can commit numerous business identity theft fraud schemes, tax fraud schemes, and fraudulently access or open many types of business accounts with only your business name, address, and EIN.
- Shred old or unnecessary documents that contain your business information or business identifiers.
- Monitor your state Business Registration information using the resources available at this link. Many Secretaries of State are beginning to offer free email alert services that can notify you when your business registration information has been changed or updated; otherwise, be sure to manually check this information frequently. This can provide early warning of potential fraud.
- If your business provides or maintains a list of trade or credit references, ask each reference to notify you if they are contacted by a third party.
- In most small businesses, the owner(s) are required to provide a personal guarantee for business accounts, and may be subject to a credit check. If you are not actively applying or planning to apply for new credit, you can place a security freeze on your personal credit. This can help to reduce opportunities for thieves to fraudulently list you as a guarantor or open new credit accounts in your business' name.
- Be alert for large or unusual orders from unknown customers or companies. Unusual orders or customer information can be a sign of attempted fraud.
- Export and delete all information from web applications associated with expiring domain names. Known security vulnerabilities can allow anyone who later purchases the domain to access the applications associated with the domain, such as email accounts, passwords, other online account credentials, and contacts.
It may seem overwhelming, but implementing even a few of these tips might save your business from fraud.
Do you have any additional tips or personal stories about identity theft or fraud? Feel free to leave them in the comments below.