Information Technology Governance

Local Government Management Guide

Area #8 – Online Banking


Fraud involving the exploitation of valid online banking credentials is a significant risk facing any local government or school that processes financial transactions online. Some of the more popular types of electronic fraud targeting online banking are phishing [15] and malware. [16] In a typical scenario, the targeted individual (or group of individuals) receives an email that either contains a malicious attachment or directs the recipient to a malicious website. Once the recipient opens the attachment or visits the website, malware containing a key logger or other data harvesting and reporting mechanism is installed on the recipient’s computer, or the recipient is prompted to input their username and password, which are collected for malicious use. A key logger collects login information, allowing the perpetrator to impersonate the legitimate user or create another user account with access to the victim’s online bank accounts. Thereafter, fraudulent electronic transfers are initiated and directed to bank accounts in the United States or foreign countries.

Despite financial institutions’ security controls, there is no way to guarantee the safety of online banking. The tactics used to commit fraud can range dramatically in sophistication and continually evolve over time. Likewise, there is no single control that is most effective against cyberattacks. A best practice for protecting IT systems, information and local government and school resources is to build successive layers of defense mechanisms, a strategy referred to as defense-in-depth, a concept discussed earlier in this publication.

Local governments and schools should have a combination of nontechnical and technology-based controls in place to help safeguard against online banking fraud. For example, officials should establish written policies and provide recurring information security awareness training to all computer users. In addition, malware protection should be kept up-to-date and, whenever possible, a wired rather than wireless network connection should be used for financial transactions. If a wireless network must be used, certain security measures should be in place (see Area #9 – Wireless Network).

Although online banking fraud is often committed by external parties, risks posed by employees and other internal parties must also be considered. The ease and speed with which large amounts of money can be transferred among accounts and banks requires heightened attention to traditional internal controls, such as the proper segregation of incompatible duties and timely reviews of online banking transactions. It is also critical that bank accounts be frequently monitored for unauthorized or suspicious activity. Any suspicious activity should be immediately reported to banking officials and/or law enforcement. The window of time in which recoveries can be made from fraudulent online banking transactions is limited, and a rapid response may prevent additional losses.

A further discussion of online banking controls can be found in the Office of the State Comptroller’s publication entitled Local Government Management Guide: Cash Management Technology. [17]

[15] Phishing attacks use fake email messages or other techniques, sometimes pretending to represent a bank, to trick you into providing personal or financial information. The email may provide links to a counterfeit website and request information such as name, password and account number.

[16] Malware is malicious software (e.g., ransomware, viruses, Trojans, spyware, rootkits and worms) that typically is installed without the user’s knowledge or consent. Such software is specifically designed to harm computer systems and electronic data, often by deleting files, gathering sensitive information, or making systems inaccessible or inoperable. The different types of malware can capture keystrokes for login information, monitor and capture other data to authenticate identity, generate web pages that appear to be legitimate but are not, and hijack a browser to transfer funds without the user’s knowledge.

[17] https://www.osc.ny.gov/files/local-government/publications/pdf/cashtechnology.pdf

The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf