Avoiding Fraud in Online Banking
16 May 2017 at 8:10 am
Online banking has become the norm, and most people would think of it as safe and secure, with low associated risks, but vigilance is still required, writes Kinh Luong, partner with chartered accounting group HLB Mann Judd.
Banks and other financial institutions have done much to make online banking as safe as possible. Banks use encrypted webpages or purpose-built software, which abide by strict regulatory requirements. However, we have all heard horror stories associated with online banking, whether it be personal banking or a business processing a monthly trade payables payment run.
In many cases, it is human error that is at the root of any problems. For example, a payment to an incorrectly input account number can result in a painful and costly recovery exercise.
The human element involved when using online banking can compromise security simply through trust (for example shared passwords), inaction, or inadvertent errors.
At the heart of any online banking system, an authorised signatory gains access via an authentication process, typically a password or token key, or, for more sophisticated systems, a biometric characteristic such as a fingerprint.
These systems in themselves may be secure and reliable, but their use can be compromised in a number of ways. A password can be shared or hacked, a token key can be lost or taken without knowledge.
Vigilance is vital to protect these systems, but it’s not enough on its own. Fraud or error via online banking can occur even without these safety measures failing.
For example, many organisations use a Vendor Master File (“VMF”) which contains the key financial information used by their online banking system, to identify to whom funds are to be transferred. This uses BSB and account numbers, not account names.
The most common way fraud arises in online banking is where someone internally has deliberately altered the BSB and account number to their own bank account, but retained the account name to mask the fraud. Banks do not rely on or check account numbers.
Another scenario is that the VMF details are legitimately changed by the accounts personnel within the company, after being contacted by an external perpetrator who has managed to convince them of a change in bank details.
It’s a good idea to regularly check BSB and account numbers to ensure that they still match those provided by suppliers.
Other ways to improve your online banking system, that require little time or money, include:
- Passwords – exposure to phishing scams, malware, or the sometimes necessary and one-off sharing of passwords, means this authentication safeguard may be compromised. Lower the risk by using sophisticated passwords and regularly updating these passwords.
- Two factor identification – using two or more factors in the authorisation process, for example a password plus a token key or mobile verification, easily enhances security.
- Segregation of duties – for businesses, implementing multiple accounting signatories ensures there is always sufficient personnel available to authorise payments, without the need to share and therefore compromise passwords.
- Software – there is now software available such as EFTsure, which provides real time verification of the BSB and account numbers to an independently verified database at the critical payment authorisation phase.
HLB Mann Judd strongly encourages clients to review their online banking system, identify the weaknesses, make the necessary improvements and monitor these processes on an ongoing basis.
We also regularly conduct reviews of online banking systems and VMF which ultimately help protect our clients from fraud.
For more information on HLB Mann Judd click here.