Meghan Hallinan, Bank United
All our digital devices make us ripe for fraud or a hack, whether it's out and out theft or someone stealing personal information from our servers. From a banker's perspective, what are the various ways that digital fraud happens?
Email compromise is probably one of the largest fraud schemes that we're seeing now. There's several different ways that a fraudster can break into an organization, but I would say business email compromise, technical support compromise, ransomware data breach and phishing are probably the most common ways.
What can a bank do to minimize the risk so that my account is not compromised?
There's several products that prevent financial transactions from leaving the bank. We have positive pay for check fraud or that are converted to ACH. We have ACH debit blockers to protect accounts. We also have layers of security when you're sending out ACH or wire payments so that there are multiple levels of approval. Our fraud team is also constantly monitoring each business account and personal account for activities, so that if something out of the ordinary pops up, we'll actually flag it and call the customer and make sure that it's a valid transaction. In addition, we do have the backend monitoring and we also teach our clients about callback procedures. We make sure that we can get ahead of anything that looks fishy, or we can reach out to the customer to verify a large transaction before it leaves the bank, which in many cases, we've caught a lot of fraud that way as well.
You mentioned a fraud team. Do you have a group of people? Is that's their job?
We have a big team and this is all they do. They will also work with our clients when they do have fraud to ensure that all their computers are clean of malware and that they have the proper protocols in place to prevent fraud in their organization.
What kind of protocols should boards expect with their management companies, or maybe even their own colleagues on the board?
Obviously, no one should be sending any sensitive financial bank information via email unless it's secure. We always teach our clients and our board members that if you're wiring to a new location, make sure you pick up the phone and verify those instructions over the phone with the person whose number is on file. That way you don't get looped into something where an email came in and asked you to wire funds, and you assume that you're speaking to a vendor that you've worked with for a long time, and you send the funds without doing a callback. Because everything is accessible online, we're teaching our clients that that is the first line of defense.
I don't know that funds are being wired in the co-op condo community, but they are being paid via ACH from the management company and even boards. How is that monitored?
There has to be the right protocols in place. Whether it's for payroll or paying a vendor, boards need to make sure that there’s a process for sending payments and new payment destinations to ensure that they're accurate. Boards want to make sure they talk to their management company about what their protocol is for sending electronic payments, and they want to make sure they're involved. A lot of board members are really involved in their reserve accounts and they'll end up managing that account and sending funds from their reserve account to a new reserve, or maybe back to the operating for the management company, so it's always really important to make sure that you've verified that information over the phone. Again, we can set up templates so that if you have a destination that's been verified and you consistently wire to that destination, it's an approved template that no one can touch, so that they can't alter the information and then send a wire to the wrong place.
Boards have a ton of sensitive information about their shareholders and with their property management company. What’s the takeaway for boards given the fear of fraud and hacking?
I think boards really need to understand where their information is being housed and how it’s being protected. Everyone needs to make sure they have an insurance policy for cyber fraud, because it is on the rise and it does happen, even with the best of intentions. Also, having email protocols and making sure everyone knows them. Is their staff trained to not click on links that are trying to phish and get into their systems? Are the board members aware of that as well? Do they have a secure way to communicate any financial transactions between themselves and the bank or themselves and the property management firms? Just re-looking at everything and knowing everything is in place to try to prevent the worst case scenario.