After years of aggressive attacks by international cybercriminals, more small companies are getting serious about securing online bank accounts. And they aren't just boosting computer security within their companies. They are demanding better security from their banks.
"They'll come to the table with a checklist of different types of fraud-mitigation technologies," says Julie Conroy McNelley, a senior analyst at Boston research firm Aite Group. In response, banks -- eager to retain and attract new customers -- often explain what they're doing behind the scenes and offer extra security tools.
Being a squeaky wheel can pay off. Derek Capo, founder of Miami- and Beijing-based Next Step China LLC, asked Bank of America numerous security-related questions when he opened a business account in 2008. The bank helped Capo with several defenses, including alerts and temporary blocks should anyone, including an employee, try to make transactions exceeding a certain value.
Bank of America also sold Capo a keychain gadget for $15 that displays an alternating code that he must enter when transferring funds internationally. The bank also advised him to receive payments into one account and immediately transfer the funds to another that he uses for paying expenses. Maintaining a zero balance in a receivables account recently stopped an attempted fraudulent use of his debit-card number at a New York hotel, he says.
Fending off crafty, well-financed criminals requires many layers of low- and high-tech controls. In general, banks are getting better about defending business accounts,
Banks haven't always invested enough in defending business accounts because they aren't liable for fraud losses as they are with consumer accounts, says Avivah Litan, an analyst at Stamford, Conn.-based research firm Gartner Inc. Large international and regional banks generally have the best security systems, she says, while community banks tend to lag behind because they often outsource technology systems to third-party payment processors that have skimped on security investments.
A company's best protection is an agreement in writing stating that the bank will absorb any fraud, Litan says. "If you can't get that, you have to drill into their security."
Want to grill your bank about how it helps thwart fraud? Here's a look at some additional security tools banks are using -- or should be using -- that you might consider asking about.
Protecting your PC.
Hackers typically get into bank accounts by stealing user names and passwords through programs they plant in company computers, usually with an email attachment or malicious website. Once in your account, they set up electronic fund transfers that quickly drain balances and even connected credit lines.
Defense against malware starts with good PC hygiene and up-to-date security software. But because some malware can still sneak in, ask if your bank offers additional free security software for your browser, such as Trusteer and Prevx.
Safeguarding online banking sessions.
More than a password should stand between a thief and your money. To strengthen the process of authenticating authorized users, some banks provide one-time passcodes on devices, such as the one Capo purchased, or send them to mobile phones. While this technology offers an extra layer of security, some crooks can still get around it. A number of banks also register customer devices and block or impose extra security challenges on any unfamiliar machines that try to access the account.
But perhaps the most important safeguard to ask your bank about is a system that blocks a transaction when it detects odd behavior. One example might be someone logging into your account from Russia at 3 a.m. when you always log in from Texas during business hours.
Stopping fraudulent transactions.
Like Capo, ask for extra account controls, such as text or email alerts and a second verification step whenever a new payee is added, a name or address is changed, or a large or risky transaction is attempted. Experts also urge businesses to set up "dual authorization," a requirement that two employees approve all transactions.
In case all else fails, try using an identity-fraud protection service, says Phil Blank, a managing director of security, risk and fraud at Pleasanton, Calif.-based research firm Javelin Strategy & Research.
"When fraud does occur, it's good to have a professional on your side who knows how to deal with it," he says. "You will lose a lot less money."
Riva Richmond is a freelance journalist who has covered technology for more than a decade. She focuses on computer security, privacy, social networking and online business and has written for The New York Times, The Wall Street Journal and other national publications. Previously, Riva was a technology reporter at Dow Jones Newswires and a regular contributor to The Journal's "Enterprise" small business column.