Please review the agreement below in its entirety. Once completed, close the window and click agree to proceed.
This Business Online Banking AGREEMENT (cash management services) is made and entered into this day by Beacon Credit Union (herein referred to as “Beacon”), a credit union chartered in the state of Indiana, and you (the “Member”).
WHEREAS, the Member has requested Beacon provide certain Internet based cash management services to the Member as herein described; and
WHEREAS, Beacon desires to provide such services to the Member on the terms and conditions herein described.
NOW, THEREFORE, in consideration of the mutual promises herein contained, the parties agree as follows:
General. The cash management services to be provided by Beacon to the Member, consists of an Internet banking program known as Beacon Online for Business and all related materials and documentation (collectively herein the “Program”) that permits the Member to conduct certain cash management activities with Beacon. Such activities include the ability to obtain certain account balance information, to initiate electronic funds transfer services, to initiate ACH transactions, to initiate stop payment requests, to perform e-commerce (bill pay) transactions and generally perform other account reporting functions as provided by the Program, now or in the future, all by means of a personal computer via the Internet (collectively the “Services”). Services are provided by Beacon for access and use by Member.
Term. This Agreement is effective from the date the agreement is clicked as I agree and will remain in force until termination. This Agreement will be terminated (i) upon thirty (30) days prior written notice by either party to the other, (ii) upon termination of the Account relationship between the parties, (iii) failure of the Member to comply with the terms and conditions of this Agreement or (iv) any other event which causes Beacon to be unable to provide the Program to the Member. The provisions of this Agreement protecting the proprietary rights of Beacon’s vendor, Fiserv, (program provider) and Beacon will continue in force after termination.
DISCLAIMER OF WARRANTY. BEACON MAKES NO WARRANTIES WITH RESPECT TO THE PROGRAM NOR DOES BEACON WARRANT THAT THE PROGRAM WILL MEET SPECIFIC REQUIREMENTS OF THE MEMBER. NEITHER BEACON NOR ITS INTERNET BANKING VENDOR, FISERV, MAKES ANY WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THE USE OF THE PROGRAM. BEACON AND ITS INTERNET BANKING VENDOR, FISERV, DISCLAIM ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Fees. Member agrees to pay the fees for access to and use of the Program at the rates specified by Beacon’s Fee Schedule and Business Analysis Schedule provided to the Member. Beacon may change the fees charged to the Member any time during the term of this Agreement by publishing a new Fee Schedule and Business Analysis Schedule on its Internet WEB site or by mailing to the Member a new Fee Schedule and Business Analysis Schedule. Beacon may deduct all fees due from any account of the Member at Beacon.
Account. The Member will maintain with Beacon at least one business account. . In addition to the terms of this agreement, the accounts will be subject to a separate depository agreement provided at account opening. Unless Beacon otherwise requires the member to maintain collected funds, the member agrees to maintain sufficient available funds in the account(s) to support any transaction initiated under the program and to cover any fees the member is obligated to pay under this agreement. If at any time there are not sufficient collected funds in the account to cover all outstanding transactions and other payment obligations of the member under this agreement, member agrees to immediately pay Beacon, on demand, the amount of any deficiency in such outstanding transactions and obligations. Beacon may, without prior notice or demand, obtain payment from member for any of its obligations under this agreement by debiting any account of the member at Beacon.
Authorization. The member will identify by name and title the officer of the business authorized to be the main administrator of the business online banking agreement. The Business will be responsible to notify Beacon Credit Union if any changes are to be made to the main administrator access. The main administrator will be responsible for any sub users created within the system and any access rights given to the sub users along with assuming responsibility for all activity and transactions conducted.
Account Reconciliation. All transactions which result in a debit or Credit to the account initiated by the member under the program will be reflected on the member’s monthly account statements. The member will notify Beacon, within thirty (30) days after the delivery of the account statements by Beacon of any discrepancies between the account statements and the member’s records of transactions initiated through the program. Failure of the member to notify Beacon within said time of any such discrepancies will preclude the member from asserting any claims for damages or other liabilities against Beacon due to such discrepancies.
ACH Transfers. The Member acknowledges that the ACH feature of the program is an alternate entry system for issuing funds transfer requests to the Automated Clearing House network. Without limitation of any other provision of this agreement, the following provisions will govern the acceptance and liability for all ACH transfer requests initiated in connection with the program:
- Certain Definitions. Unless otherwise defined herein, capitalized terms utilized in this section will have the meaning provided in the National Automated Clearing House Association Operating Rules, “NACHA Rules,” (herein the “Rules”) in effect from time to time during the term of this Agreement.
- Compliance with Rules. The member agrees that all entries and all notices initiated under this agreement are to be governed in all respects by the rules and agrees to be bound by and to comply with the rules in effect from time to time. In the event of conflict between the terms of this agreement and the rules, the rules will control the interpretation of this agreement. In the event the member violates any of the applicable ACH rules and the national Automated Clearing House Association (NACHA) imposes a fine on Beacon because of the member’s violation, Beacon may charge the fine to the member.
- Transmittal of Entries. Pursuant to the provisions of this agreement and the rules, Beacon is willing to act as an originating depository financial institution (“OFDI”) with respect to entries initiated by the member through the program. The member will transmit to Beacon those debits and credits as required in the rules and the terms of this agreement in accordance with the procedures outlined in the program. Only domestic entries will be processed, as Beacon does not initiate international ACH transactions (IAT). The member will provide all information specified by Beacon from time to time, which information will include, without limitation, the account number of the account to be debited or credited (as the case may be), the amount of each such credit or debit, and the receiving depository financial institution (the “RDFI”). Beacon will deliver the entries to the ACH and credit and debit any accounts as required by the entries and the rules. Written notification of cancellation received by the member from any recipient will be accepted as revocation of the authorization agreement for preauthorized disbursements. This agreement will only govern those ACH transfer requests initiated under the program. A separate ODFI origination agreement between Beacon and the member will govern any non-program initiated request.
- Pre-Notification. Prior to the initiation of any entries to a specified account, the member will (i) enter into an authorization agreement with the recipient affected and retain record for two years after termination or revocation of such authorization; (ii) provide a copy of the authorization agreement to the recipient; and (iii) the member will send pre-notifications six banking days prior to initiating the first entry to a particular account. Such notice shall be provided to Beacon in the format and on the medium provided in the rules. After the member has received notice that any such notification has been rejected by the receiving financial institution, or that a receiving financial institution will not receive entries without having first received a copy of the authorization signed by its customer, the member will not initiate any entry to such customers, except after providing the receiving financial institution with such authorization, within the time limits provided in the rules.
- Processing Schedule. Member using the program will transmit or deliver entries to Beacon not later than 24 hours prior to the settlement date for credit entries, and 24 hours prior to the settlement date for debit entries.
- Funds for Entries. The Member will provide immediately available funds to cover any credit entry initiated by it not later than the applicable settlement date. The member will receive immediately available funds for any electronic debit entry initiated by it on the applicable settlement date.
- Variable debit Entries. In the event that a preauthorized debit entry varies in the amount from the preauthorized debit entry pursuant to the same authorization agreement, the member will mail or deliver to the recipient, at least ten (10) calendar days prior to the date on which the debit entry is scheduled to be initiated by the member, a written notice of the amount and scheduled date of the debit entry, provided that, if the member informs the recipient in the authorization agreement of the right to receive notice of all variable debit entries, the recipient may agree in the authorization agreement to receive such prior written notice only when a debit entry does not fall within a specified range of amounts or, alternatively, only when a debit entry differs from the most recent debit entry by more than an agreed upon amount.
- On-Us Entries. Except as otherwise provided herein, in the case of an entry received for credit or debit to an account maintained by Beacon (an “on-us entry”), Beacon will credit or debit the recipient’s account in the amount of such entry on the settlement date, provided the requirements set forth herein are otherwise met. If those requirements are not met, Beacon will use reasonable efforts to credit or debit the recipient’s account in the amount of such entry on the next banking day following the date the entry was received by Beacon. Beacon will have the right to reject an on-us entry for any reason for which an entry may be returned. In the case of an on-us entry, Beacon will have all rights of a RFDI including, without limitation, the rights set forth in Article Seven of the NACHA Rules.
- Notice of Provisional Credit. In the case of any credit entry subject to Article 4A of the Uniform Commercial Code, credit given by the RFDI to the recipient with respect to such an entry is provisional until the RFDI has received final settlement through a Federal Reserve Bank or otherwise has received payment. If such settlement or payment is not received, the RFDI will be entitled to a refund from the recipient of the amount credited, and the Member will not be deemed to have paid the recipient the amount of the entry.
- Stop Payment of ACH Entries. Neither the member nor Beacon will have the right to adjust or stop payment of any entry after it has been received by ACH. If either the member or Beacon asserts that an entry has been erroneously initiated, a reversal or adjustment entry may be initiated by the member or Beacon as set forth in the rules. A reversal of a PPD file type can be made as long as the reversing entry is transmitted to the ACH Operator within five banking days following the settlement date of the erroneous entry. In addition, either the Member or Beacon may make an oral or written request to the RDFI to stop payment of, or to adjust, an entry, which has been or is asserted by the member or Beacon to have been erroneously initiated, and the RDFI may elect whether to honor such request. Beacon will have no obligation to the member with respect to any such request that is not honored. If an unauthorized debit entry is confirmed in writing by the recipient, the recipient will have the right, unless waived in accordance with the rules, to have the amount of such debit entry immediately credited to the recipient’s account by the RDFI as set forth in the rules. The member’s account will be debited for the amount thereof, and if the balance in the account is insufficient, the member will, on demand, provide immediately available funds Beacon to satisfy such insufficiency.
- Dishonored Entries. For any debit entry equal to or in excess of $2,500.00 that (i) is initiated by the Member, (ii) is not posted to a recipient’s account by the RDFI, (iii) is returned to Beacon, and (iv) Beacon has notice of, Beacon will promptly notify the member of such return entry. Except as provided above, Beacon will have no obligation with respect to such return entry. Notice of all other return entries less than $2,500.00 will be provided to the member in the member’s normal monthly statement on the account.
- Reversing Entries. If the member discovers that any entry it has initiated was in error, the member will notify Beacon immediately. Beacon will then notify the member as to whether the transmission of the file or the entry to the ACH has been initiated. The member will then have the sole right and responsibility to initiate a reversal of the entry in accordance with the rules.
Remakes of Rejected Entries or Files. If an entry or file is rejected by the ACH due to improper processing or unexcused delays by Beacon, Beacon will remake such entry or file and send it to the ACH. If such entry or file was rejected as a result of improper processing or the supplying of incomplete information by the member, the member will remake the entry or file, or supply Beacon with complete information for remaking the entry or file, at the member’s expense, and Beacon will send such entry to the ACH. The member will retain and provide Beacon, upon request, all information necessary to any file or entry for three (3) days after the midnight of the settlement date.
Wire Transfers. The member acknowledges that the wire transfer feature of the program is an alternate entry system for issuing wire transfer orders between the member and beacon. Without limiting any other provisions of this agreement, the following provisions will govern the acceptance and liability for all wire transfer requests:
- Initiating Transfers. The member may direct Beacon to transfer funds under the program (“Wire Transfer Request”) from any of the member’s accounts at Beacon to any other account with Beacon or to an account at another financial institution, other than a banking or financial institution located outside the United States, in accordance with the terms and conditions stated in this agreement. Beacon will accept wire transfer requests during the normal business hours of Beacon, which hours may be changed from time to time by Beacon in its sole discretion.
- Honoring Transfers. Beacon will be under no obligation to honor, either in whole or in part, any wire transfer request: (a) which exceeds the member’s collected available balance in the member’s account from which the member wishes to transfer funds; (b) which is not in accordance with any other written agreements between the member and Beacon; (c) which is not in accordance with the current published terms and conditions of Beacon; or (d) which is not in accordance with this agreement. Notwithstanding the foregoing, Beacon, in its sole discretion and without any obligation to do so, may choose to honor a wire transfer request which may be drawn on uncollected funds or which will result in an overdraft in the member’s account with Beacon, and in such instance, the member will be liable to Beacon for the amount of such uncollected funds drawn upon or such overdraft plus any additional charges and expenses as provided by the current and fee schedule affecting such account, including reasonable attorney’s fees and costs of collection, if applicable. Beacon’s election to honor any such wire transfer request will not affect Beacon’s right to refuse to honor any one or more subsequent or other wire transfer requests.
- Execution. Beacon will execute any properly authorized wire transfer requests, if accepted, on the date transmitted under the program, provided such requests are initiated through the Program before 4:00 p.m. Eastern Standard Time, or such other cutoff time as Beacon may hereafter establish (“Cutoff Time”), on a business day for Beacon, the funds transfer system and the receiving financial institution. “Wire transfer system” for the purpose of this agreement will mean the wire transfer network through which a wire transfer request will be transmitted to the receiving financial institution. Wire transfer requests initiated after the cutoff time may be transmitted by Beacon the same business day; however, the wire transfer request will not be processed by the wire transfer system and the receiving financial institution until the next business day. However, Beacon’s election to transmit a wire to the wire transfer system after the cutoff time will not waive or discharge Beacon’s right to adhere to the 4:00 p.m. deadline for any one or more subsequent or other transactions. In executing any wire transfer request, Beacon may utilize such means of transmission and such wire transfer system as Beacon at its sole discretion selects. Beacon may also, at its sole discretion, select the order in which to execute multiple pending wire transfer requests.
- Authorization to Charge Account. Upon receipt of any wire transfer request initiated under the program, the member authorizes Beacon to charge the member’s accounts for the wire transfer request.
- Transfer Tracing. If the member requests, Beacon will endeavor to trace any wire transfer request executed by Beacon on behalf of the member in order to verify that the beneficiary received the transferred funds. In order to perform the trace, the member will provide Beacon with such information as Beacon may request, including the date and reference number of the Wire Transfer Request.
- Incoming Transfers. Incoming funds, which Beacon receives before 4:00 p.m. Eastern Standard Time on any business day will be credited to the member’s account on that day. Otherwise, Beacon will credit incoming funds on the next business day following receipt. Notwithstanding the foregoing, Beacon, at its sole discretion and without obligation to do so, may credit incoming funds on the same day received, even if receipt is not before 4:00 p.m.; however, Beacon’s election to give same day credit on any such transaction will not waive or discharge Beacon’s right to adhere to the 4:00 p.m. deadline for any one or more subsequent or other transactions.
- Additional Information. The Member will provide to Beacon any information Beacon may reasonably request in connection with any wire transfer request and the performance of this agreement. Failure to provide such information within a reasonable time after requested by Beacon will relieve Beacon from any liability or loss, which might arise due to failure to provide such information.
Stop Payments. The member acknowledges that the stop payment feature of the internet banking system is an alternate entry system for issuing stop payment orders between the member and Beacon. When the member elects to execute stop payment requests through the internet banking system, the member agrees to indemnify and hold Beacon harmless for all costs, expenses or damages which Beacon may incur or suffer in connection with or arising from refusing payment thereof, or efforts to stop payment thereof, and further agrees that Beacon will not be held liable on account of payment thereof contrary to such request if such payment occurs through inadvertence, oversight, mistake or accident, or if by reason of such payment, other items drawn by the member are returned because of insufficient funds.
Prior to requesting a stop payment, it is the responsibility of the member to first verify that the item has not already been posted to their account. If a stopped item has already been paid prior to Beacon’s entry of the request, then Beacon will not be liable for any loss incurred by the member arising from the event.
The member further agrees that Beacon will be obligated to honor the stop payment order only if received at such time and in such manner to afford Beacon a reasonable opportunity to act on said order. If an immediate response is required, the member should execute the stop payment request by speaking to Beacon personnel by phone or in person.
Any stop payment request received though the internet banking system is only binding upon Beacon for fourteen (14) calendar days and thereafter must be confirmed in writing by an authorized signer on the applicable account of the member, which will be effective for six (6) months. Revocation of the stop payment order must be in writing.
Unauthorized Access; Security Procedures. The member will be solely responsible for protecting against unauthorized access to the internet Banking system’s administrative functions and personal computers or networks used to access this system and any and all losses and damages arising from any unauthorized access to the internet banking system. The member will establish physical security, passwords and other security procedures necessary to ensure the confidentiality of access features. The member will make such procedures and security features known only to those authorized representatives of the Member who will use the Program. Beacon will have no obligation, liability or control, either directly or indirectly over said procedures or the failure of member to maintain said procedures. The member will be solely responsible for designating its authorized representatives. Beacon will not be responsible for verifying the authenticity of any person claiming to be a representative of the member or the authenticity of any instruction, direction or information provided to any said person. Any instructions, directions or other information provided by the member, or any representative of the member, under the program will be deemed to have been authorized by the member, and Beacon will be indemnified and held harmless by the member for acting upon any such direction, instruction or information.
Beacon reserves the right to not honor a transaction request if Beacon in its sole discretion believes not processing the transaction will protect the member from fraud. A fraudulent transaction could be identified in multiple ways such as unusual payees or dollar amounts, transactions originated at a different time of day than what is usual for the member, or a transaction that empties the member’s account.
- Beacon suggests the following security standards be in place in order to utilize the Program.
- Anti-virus and anti-malware programs be installed on the computers utilizing the program. The anti-virus and anti-malware programs are to be updated automatically by the manufacturer. Subscriptions to these services remain active at all times.
- Update all computer software to protect against new security vulnerabilities.
- Passwords must be strong and not stored on the device used to access the Program.
- Beacon acknowledges that the above list of security standards is not all-inclusive as there are other standards which could be utilized in order to mitigate risk and Beacon is not responsible for listing all security standards which could be utilized.
Dual Control. Beacon requires that dual control is utilized when creating and initiating ACH activity and wire activity. Dual control is utilized for multiple purposes including helping the member enforce internal controls by requiring transaction approval and reducing the risk of fraud by promoting security and requiring two different users review each transaction. In addition, dual control will help mitigate errors by having another employee review the transaction prior to processing. If a member is unable to comply with Beacon’s dual control requirements, the member will hold Beacon harmless in the event a loss is suffered by the Member when dual control procedures would have mitigated or eliminated the loss suffered.
Annual Review. Annually Beacon will conduct a review of the current ACH limits set and utilized by the Member. These limits are subject to change based upon the annual review or as deemed necessary by Beacon. If the member wants the limits reviewed and/or adjusted prior to the annual review, the member can contact Beacon and request that a review be completed and provide a reason for the request.
Beacon reserves the right to visit the member at the member’s location as determined by Beacon to review security practices, employee access, and educate the member on additional best practices. These steps will aid in mitigating risk for the member as well as for Beacon. The member will also be required to update any administrator changes and acknowledge an updated business online banking agreement annually.
Records Retention. The member will retain a record of all data transmitted in connection with the internet banking system in effect for any required retention period under the rules and applicable state or federal law.
Arbitration. Any dispute or difference arising out of or in connection with this contract shall be settled under the rules of arbitration.
Indemnification. The member will defend, indemnify and hold harmless Beacon against and in respect to any and all loss, liability, expense and damage, including consequential, special and punitive damages, directly or indirectly resulting from: (i) the processing of any request received by Beacon under the program; (ii) any breach of the provisions of this agreement or the rules; (iii) any request for stop payment; (iv) any dispute between the member and any third party in connection with the use of the program; and (v) any and all actions, suits, proceedings, claims, demands, judgments, costs and expenses (including attorney’s fees) incident to the foregoing. The terms of this section will survive termination of this agreement.
LIMITATIONS OF LIABILITY. IN NO EVENT WILL BEACON OR ITS INTERNET BANKING VENDOR, FISERV, BE LIABLE TO THE MEMBER FOR ANY DAMAGES, INCLUDING LOST PROFITS, LOST SAVINGS OR OTHER DIRECT, INDIRECT, INCIDENTAL, SPECIALOR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM AND DOCUMENTATION, OR FOR ANY CLAIM BY ANOTHER PARTY. BEACON’S DUTIES AND RESPONSIBILITIES IN CONNECTION WITH ACH AND WIRE TRANSFERS ARE LIMITED TO THOSE DESCRIBED IN THIS AGREEMENT. BEACON WILL BE DEEMED TO HAVE EXERCISED ORDINARY CARE AND TO HAVE ACTED REASONABLY, IF BEACON HAS ACTED IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT AND WILL BE LIABLE FOR LOSS SUSTAINED BY MEMBER ONLY TO THE EXTENT SUCH LOSS IS CAUSED BY BEACON’S WANTON AND WILLFUL CONDUCT. BEACON WILL NOT BE LIABLE FOR ANY CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES, REGARDLESS OF BEACON’S ACT OR OMISSION. BEACON WILL HAVE NO LIABILITY FOR ANY LOSS OR DAMAGE:
- RELATED TO THE DISHONESTY OF THE MEMBER’S EMPLOYEES, OFFICERS OR AGENTS;
- RESULTING FROM ANY RECEIVING FINANCIAL INSTITUTION’S FAILURE TO ACCEPT ANY ACH OR WIRE TRANSFER REQUESTS;
- RESULTING FROM ANY DELAY IN THE PERFORMANCE OF THIS AGREEMENT, WHICH IS CAUSED BY AN ACT OF GOD, FIRE OR OTHER CASUALTY, ELECTRICAL OR COMPUTER FAILURE, DELAYS OR FAILURE TO ACT BY ANY CARRIER, MEDIUM OR AGENT OPERATING BETWEEN BEACON AND THE MEMBER OR BETWEEN BEACON AND THIRD PARTIES OR ANY OTHER CONDITION OUTSIDE BEACON’S CONTROL. NO THIRD PARTY WILL HAVE RIGHTS OR CLAIMS AGAINST BEACON UNDER THIS AGREEMENT. THE TERMS OF THIS SECTION WILL SURVIVE TERMINATION OF THIS AGREEMENT.
Entire Agreement; Severability. This agreement together with all exhibits, schedules and attachments hereto, the terms and conditions and the rules (as incorporated herein or as provided to the member) represent the entire agreement and understanding of the parties. If any portion of this agreement is found to be unenforceable, all remaining portions will remain in full force and effect. In the event of any inconsistency or conflict between the terms of this agreement and any present or future statute, regulation or governmental policy to which Beacon is subject and which governs or affects the transactions contemplated by this agreement, then this agreement will be deemed amended to the extent necessary to comply with such statute, regulation or policy and Beacon will incur no liability to the member as a result of such violation or amendment.
Assignment; Sublicense. Member agrees not to assign, transfer or dispose of its rights and obligations under this agreement and not to further sublicense, assign or transfer the program, except as expressly provided in this agreement.
Governing Law. This agreement is governed by the laws of the State of Indiana (except to the extent Federal law governs the copyrights and trademarks of Beacon’s internet banking system provider, Fiserv and its successors or assigns) and the rules.
Amendment; Modification. This agreement may not be amended or modified except by a written instrument signed by both the member and Beacon (excluding the fee schedule).
Signatures. By clicking on I Agree, you acknowledge that you have read and accepted the terms and conditions of this agreement, and agree to be bound by its terms and conditions.
Business Online Banking Security Guide
It is the requirement and responsibility of Beacon Credit Union to protect any and all Nonpublic Personal Information provided by our members in order to receive financial services, whether physically, digitally or verbally requested. We, as a trusted financial institution, maintain the utmost regard to the integrity of our membership, all the while providing a safe and sound environment that protects both the member and Beacon Credit Union
As a courtesy, we are providing you with some basic information in regards to online banking security and threats. While we hope this packet gives you some insight into social engineering and the dangers associated with it, we have merely opened the door into the world of cyber-crime. We strongly encourage you to be in-the-know and fully aware of the continuous increase in online scamming and hacking. You can never be too careful when it comes to protecting your business and financial information…stay diligent and resourceful in all things relating to the internet and online banking, as well as social engineering and cyber-crime.
What Is Corporate Account Takeover?
- A fast growing, electronic crime where thieves typically use some form of malware to obtain login credentials to Corporate Online Banking accounts and fraudulently transfer funds from the account(s).
What Is Malware?
- Short for malicious software, is software designed to infiltrate a computer system without the owner’s informed consent.
- Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, crime ware, most rootkits, and other malicious and unwanted software.
- Domestic and International Wire Transfers, ACH payments, Online Bill Pay and electronic payroll payments have all been used to commit this crime.
How Does It Work?
- Criminals target victims by scams
- Victim unknowingly installs software by clicking on a link or visiting an infected internet site.
- Fraudsters begin monitoring the accounts
- Victim logs on to their Online Banking
- Fraudsters Collect Login Credentials
- Fraudsters wait for the right time and then depending on your controls – they login after hours or if you are utilizing a token they wait until you enter your code and then they hijack the session and send you a message that Online Banking is temporarily unavailable
Where Does It Come From?
- Malicious websites (including Social Networking sites)
- P2P Downloads (e.g. LimeWire)
- Ads from popular web sites
Social Engineering…And Its Many Forms
- Social Engineering can be described as the use of deception to gain unauthorized access to information, systems or assets. While the most common and popular means is through email phishing, other forms known as smishing, vishing and impersonation, are on the rise.
- Attackers create e-mails and websites designed to look like legitimate businesses, business partners or internal, company branded web sites to deceive you into helping them commit fraud. Phishing emails to a specific company or department are known as Spear Phishing.
- They are typically looking for 1 of 2 things:
- Password Harvesting – They are attempting to get you to give up your usernames and passwords. Examples are emails asking you to verify your network account, an email to sign up for employee benefits, or informing you that you have a secure email, etc. Normally gives you a link to click on that takes you to a web form to enter in your credentials and many times looks legitimate.
- Software Downloading – They are looking to get you to open up a secret, electronic tunnel to them so they can remote access systems through your computer or programs that will automatically search for and steal company and/or personal information. Asking you to download anti-virus software or open an attached Word, Excel or PDF document are a few examples.
- Attackers send deceptive SMS text messages in order to commit fraud. To help avoid an attack, same rules and guidelines should apply here as they do with any other phishing attempt.
- Attackers are looking to gain your trust and give up log in credentials and/or business/personal information over the telephone.
- Attackers pretend to be someone they are not, such as a repairman, IT support technician, trusted vendor or new employee. They may drop the name of someone you know in order to further gain your trust. They may also attempt to gain access to computer equipment or gain unrestricted access to your network through a network port in an enclosed office or conference room.
What is NPI?
- In Beacon Credit Union terms, we define NPI (better known as Nonpublic Personal Information) as any piece of personal data provided by our membership base in order to receive financial services. It is our duty to protect all members NPI, whether it is provided physically, verbally or digitally.
- We cannot stress enough the importance of respecting and maintaining proper security measures when it comes to the protection of your business NPI. Not only should this information be secured for all business relationships and employees, but also for your own personal data as well.
Examples Of Ways To Protect NPI:
- Maintaining a “clean desk” policy – all reports, notes, documents, etc., that in any way contain NPI should be kept out of sight (preferably behind lock and key), unless in the presence of the employee needing that particular information for business purposes only.
- Locking of equipment and media devices when not in use – make sure all computers have the capability to lock when not in use, whether an employee leaves their office area for a few moments or is leaving the office for the evening. Should this step be forgotten, consider an automatic PC lock after a set amount of time…a password must then be used to access the computer again.
- Proper disposal of NPI – whatever disposal method is chosen, we strongly urge that the information should not be able to be retrieved in any fashion. A few examples to consider:
- Destroying or erasing electronic media
- Burning, pulverizing or shredding papers
- Consider hiring a shred-it company, whom typically will provide your business with proper disposal bins that are emptied by a member of their staff on a regularly scheduled basis.
- If a standardized shredding machine is used, make sure the shredded material is kept in a secure area before final disposal takes place.
- Truncating key pieces of NPI – this means to block out or chop off the beginning or ending set of numbers for public viewing purposes. This could be done for social security or credit card numbers, for example.
Password Protection Pointers
- To reiterate, one can never be too careful when it comes to the protection of sensitive and personal information. And the more layers of security that can be added to any protocol or procedure, the better.
- The use of passwords is just one security layer we highly recommend everyone use with all aspects of computer usage. Here are a few pointers we suggest you consider:
- Implement password criteria – this should at least include length, type of characters that must be used and reset timeframe (ex. – will expire after 45 days). Other options you may want to add:
- May not be one of the previous 8 passwords used (# can be changed)
- Determination of use of repeating characters (ex. – cannot contain 2 repeating characters)
- Similarity rule – cannot be similar to previous password
- Implement procedures for password resets – whether an employee locks themselves out of an application or system or they have forgotten their password, consider some sort of verification protocol such as:
- A security question or phrase – this piece must be provided prior to moving forward in the reset process
- Miscellaneous Do’s & Don’ts –
- DO create strong passwords. The longer, the better!
- DO change passwords often
- DO NOT let web browsers auto-save passwords!
- DO NOT let web browsers auto-save passwords!
- DO NOT write down passwords! Memorization is preferred…..should they be recorded, make sure they are always kept behind lock and key!!
- DO NOT ever share your password! All users should maintain their own login in credentials – there should never be an instance where ANYONE requests this information for any reason!!
Beacon Credit Union’s Online Banking Sign On Ids and Password Requirements Are:
Sign On ID
* Must be at least 8 characters in length
* Must contain alpha & numeric characters
* Must be at least 8 characters in length
* Must contain alpha & numeric characters
* Must be reset every year
What Can YOU Do To Help Protect Your Business From An Attack?
- Education is Key – Train your employee
- Secure your computer and networks
- Limit Administrative Rights
- Install and Maintain Spam Filters
- Surf the Internet carefully
- Install & maintain real-time anti-virus & anti-spyware desktop firewall & malware detection & removal software – Use these tools regularly to scan your computer & allow for automatic updates and scheduled scans
- Install routers and firewalls to prevent unauthorized access to your computer or network – change the default passwords on all network device
- Install security updates to operating systems and all applications as they become available
- Block pop-Ups
- Do not open attachments or click on links in an e-mail, unless you know for certain who the email is from
- Do not use public Internet access points
- Note any changes in the performance of your computer – Dramatic loss of speed, computer locks up, unexpected rebooting, unusual popups, etc.
- Make sure that your employees know how and to whom to report suspicious activity to at your Company & Credit Unio
- Contact Beacon Credit Union if you:
- Suspect a Fraudulent Transaction
- If you are trying to process an Online Wire or ACH Batch & you receive a maintenance page
- If you receive an email claiming to be from Beacon Credit Union and it is requesting personal/company information
- Contact Beacon Credit Union if you:
WE THANK YOU FOR YOUR INTEREST IN OUR BUSINESS ONLINE BANKING SERVICE. PRODUCT DEMO AND ADDITIONAL SECURITY-RELATED INFORMATION IS AVAILABLE ON THE BEACON CREDIT UNION’S WEBSITE (WWW.BEACONCU.ORG). WE LOOK FORWARD TO SERVING ALL OF YOUR FINANCIAL NEEDS!
Should you have any questions at all regarding the enclosed material or should you believe to have been victim to a social engineering attack, please contact:
Beacon Credit Union