ECCU Blog

Employee education is one of the strongest tools in our arsenal to fight cybercrime.  NACHA, the Electronic Payments Association, suggests that one simple question can make the difference between an infected network and a protected one. Teaching our employees to always ask, “Does this email make sense?” before responding to it, opening an attachment, or clicking on a link, can make all the difference.   

Regularly remind your staff that financial institutions, government agencies, and associations will not request personal identification numbers (PINs), user names, passwords, or account verification via an email. Should they receive such a request, it is best to delete the email rather than risk infecting your network. 

Emails from family and friends may also include links to sites that can infiltrate the network. Asking, “Does this email make sense?” includes considering whether or not it makes business sense to open an attachment or a link to an unknown site.

When in doubt, NACHA suggests: 

  1. Using a lookup service such as “whois.net” to view domain registration information of an email sender.
  2. Contacting the sender to determine legitimacy, but never using the phone number included in the email.
  3. Deleting the email. 

How have you been educating your staff about the perils of cybercrime?


It’s easy to understand why ministries believe they are less likely to become a victim of a financial crime: they have great trust in their staff. And while that trust may have been earned or even warranted because of their common Christian bond, internal controls are still necessary. Proper controls don’t say “We don’t trust you.” Instead, they say, “We want to protect you.” Not only do they remove the opportunity for any misappropriation of funds, they also catch errors and protect staff from innuendo and false accusation if a loss is incurred.

Here are six key elements of internal controls for churches and ministries:

1. Maintain clear organizational structure, including proper channels for reporting suspected improprieties.

2.  Keep policies and procedures that are clearly written, current, and accessible. This leaves no question about authority, and helps part-time and volunteer staff carry out activities and continue them during periods of turnover.  

3. Implement separation of duties. One of the most important separations of duties for ministries is between handling donations and being responsible for recording the receipts in the accounting records. A key component is the routine review and reconciliation by someone other than the preparer or transactor to determine that transactions have been properly processed.

4. Practice dual control over all cash donations. Two persons should be assigned counting responsibility for all cash and for deposit preparation. The cash counters should not also prepare the deposits, and all positions should be rotated periodically.

5.  Require dual control of cash until it is delivered to the bank or a courier. A locked safe that requires two distinct individuals to remove the cash keeps it secure.

6.  Implement dual control for online banking systems. Individuals who create files should be different from those who release files for processing. 

What other financial controls has your ministry found helpful?


Most everyone knows that an ounce of prevention is worth a pound of cure. This adage is certainly true when combating banking fraud. Prevention is especially important when dealing with a type of fraud known as “corporate account takeover.” Ignore prevention and your ministry could end up dealing with financial loss, negative publicity, and recovery efforts that divert time from kingdom work.

Corporate account takeover occurs when cyber criminals gain control of an organization’s bank account. This commonly happens when malicious software (malware) infects the organization’s computers. This malware is often delivered through very legitimate-looking emails with infected links or attachments. Once embedded in a computer, the malware captures personal information and log-on credentials for online banking applications, allowing fraudsters to electronically pilfer money from the unsuspecting organization. It is because of threats like this that ECCU incorporated state-of-the-art security into its new online banking system.

When the Association for Financial Professionals (AFP) conducted a survey in 2010, 14 percent of the respondents had experienced corporate account takeover fraud. While only 2 percent suffered a financial loss, the time wasted to investigate and restore security diverted those organizations from the work they are called to do.

To prevent this kind of fraud, NACHA – The Electronic Payments Association, recommends the following steps:

  1. Require dual control for ACH and wire transfer payments. This means that if one person authorizes creation of a payment file, a second person must authorize release of that file.
  2. Ensure that all antivirus and security software and hardware for all computers (including laptops) used for online banking and payments are up-to-date.
  3. Require that any computers used for online banking and payments are dedicated solely to those activities. This means they are not used for web browsing or social networking and are not connected to an internal network.
  4. Monitor and reconcile accounts daily so you can spot fraudulent activity in time to take action.
  5. Utilize routine and “red-flag” reporting (i.e., alerts about unusual activity) for transactions.

If your ministry’s bank account falls victim to corporate account takeover, contact your financial institution immediately so they can:

  • Disable online access to accounts
  • Change online banking passwords
  • Open new account(s) as appropriate

Your financial institution should also review all recent transactions and any authorizations on file. Anything suspicious should be cancelled immediately.

What steps has your ministry taken to prevent fraud like corporate account takeover?


We live in an acronym-loving world. Nobody ever just laughs anymore, we LOL. And if you need something in a hurry, it’s ASAP. We bankers are no exception; we love a good acronym as much as the next person. 

So, what I have to say is important, but it requires a bit of an acronym-tutorial for you to follow. Consider this your official cheat sheet:

ACH: Automated Clearing House

RDC: Remote Deposit Capture

AAP: Accredited ACH Professional (Sure enough, we even have an acronym in an acronym!) 

NACHA: National ACH Association

Ready now? Here we go:

If you are currently an ACH originator or you are thinking of becoming one, finding a financial institution with an AAP on staff should be a priority. The AAP certification establishes professional standards based on best practices in the industry as defined by NACHA. The certification requires intensive study and processing experience, passing a grueling exam, and ongoing education requirements. A banker with an AAP accreditation is highly skilled and can help you understand ACH required rules, risk mitigation, and industry best practices.

ECCU (c’mon, you know this one) is committed to a strong and secure ACH program, and we currently have six AAPs on staff. How does this help our members?  One ministry member was having difficulty importing her ACH file into our online banking module. Her donor file had more than 8,000 entries, and she did not know where the error occurred. She called our support team, and one of our on-staff AAPs securely reviewed her file and found a missing account number. The staff member then walked her through correction, the file was uploaded, and those 8,000 donor transactions were completed!

An AAP can also help when a ministry is looking to start a new type of ACH processing.  For example, we had a ministry request to start TEL transactions. (Oops, another acronym. TEL transactions are made when an oral authorization is received via the telephone.)  One of our AAPs contacted the ministry to discuss the transactions, and through that dialogue realized TEL transactions were not a good fit for the ministry. Our AAP helped them understand how to improve their agreement with their clients to obtain authorization up front, eliminating the need for the phone call and streamlining their payments activity.

Do you have a success story from working with an AAP? Post a comment to share with our readers.


According to Javelin Research’s 2010 Identity Fraud Survey Report published in July, more than 11 million people were identity theft victims in 2009. Now there’s an overwhelming statistic. How can we stay vigilant while still enjoying the efficiencies and convenience made possible by online banking technology?

One primary way is to be aware and informed. Banking security regulations require financial institutions to protect your information and identity. Understanding your bank’s stance on security is crucial. Here at ECCU, we are dedicated to securing our members’ personal information and helping to educate them about the need for vigilance. For example:

  • Our online banking platform is protected with 24/7 security.
  • Our website—eccu.org—offers a variety of resources, including white papers that discuss data security, tips on protecting yourself from identity theft, and news posts on the homepage of recent scams that have affected the financial community.
  • Our staff is also trained in security and fraud prevention techniques.

Additional steps your ministry can take to combat online fraud come from the Association for Financial Professionals:

  • Never link to your financial institution’s website. Instead, type the address into your browser.
  • Immediately contact your financial institution if you see unusual or unexpected activity on your account.
  • Be cautious of emails that claim to come from your financial institution. (ECCU will never request personal identification or account information, such as your Social Security or account numbers, from you via our website or email. If you receive any email requesting this information, be suspicious, do not respond, and notify us immediately.)
  • Know what your financial institution’s website looks like and what questions it asks to verify your identity.
  • If possible, dedicate a single computer for online banking access. The fewer computers that have sensitive information, the less likely it is that the information will be compromised. (We recommend never storing passwords on the same computer you use for online banking.)
  • Consider blocking plug-ins and pop-ups on computers used for online banking.

From time to time we call or email a member to ask if a specific transaction is legitimate. The response is often an expression of appreciation for the extra steps taken to protect their accounts.

One missionary in Ecuador, for example, said, “I really appreciate your vigilance on account activity that may be fraudulent.”

Another serving in the Philippines said, “We appreciate ECCU’s continual efforts to strike a good balance between security and convenience (both high values, but not always easily compatible). Your commitment to service—and especially knowing that we have a financial institution who understands our context—is a tremendous blessing to us!”

How about your ministry? What are you doing to protect your information when banking online?
