Protect Your Organization from Theft and Fraud

The Small Business Banking has all the same features as personal digital banking plus additional features for business owners that support the day-to-day banking needs of your business, such as:

• Consolidate Profiles:  if you have more memberships with Fusion you can consolidate & have the ability to switch between other membership with one login.
• Add and Manage Delegates:  Delegates are people such as an accountant, bookkeeper or employees who can be granted limited access to Small Business digital banking.   Delegates are managed by authorized signers with small business digital banking access.
• Read-Only Access – view account information but cannot perform any transactions.
• Initiator Access - initiates transactions that require approval by authorized signers.
• Make corporate tax payments.
• View pending transactions that require your approval, as well as cancelled or expired transactions.
• Set up dual signers on business accounts that require two people to approve transactions. (You can have as many signers as the organization requires, but you only need 2 to sign for dual signature).
• Create transactions that require additional approval.
• Set up Alerts - Stay informed when you need to approve transactions or if you have transactions that are about to expire. You can view small business alerts by email or text message anywhere, anytime. (Text messaging rates may apply.) Set up is needed before alerts will be received.
• Two-Factor Authentication – one time passcode (OTP) is a security code that provides an additional layer of protection that safeguards sensitive information and certain online banking activities. One-time passcodes are used to:

• register for online banking,
• add a new bill vendor,
• update contact information,
• change or reset your password,
• transfer funds to another member,
• add an Interac e-Transfer® recipient

• Use strong passwords
  • Use long and memorable words with a combination of letters, numbers & special characters.
  • Create unique passwords for each website login.
  • Create strong passwords for email accounts as they are the gateway to digital banking.
• Keep your passwords secret:
  • Do not share passwords or login credentials; each user should have an assigned username and password.
• Segregation of duties:
  • Authorized signers & delegate access should be assigned based on employee responsibilities; Adequate segregation of duties involving custody, authorization and control of source documents and records.
  • Using dual authorization requires two individuals to complete a transaction; one person should not have sole authority to initiate, authorize or approve a transaction without appropriate sign off processes and differing levels of approval.
• Contact Fusion CU about any changes to signing authorities
  • Provide updated resolutions and communicate to the credit union regarding changes in signing authorities or when there is a change in staff or board member to update Digital Banking access
  • Note: Digital Banking access is to the person & does not distinguish position and assigned authority.  For example, two signers required one of Mayor or Deputy Mayor AND one of CAO or Assistant CAO,
• Establish Internal controls
  • Strong Internal Controls (policies, processes and procedures) do not make a company immune from fraud, however it does make a company less attractive as a target to both internal and external fraudsters seeking to exploit internal control weaknesses.
  •  Internal controls are a set of tools that evolves over time as the business, technology and fraud environment changes
• Review and Manage Delegate Access Regularly:
  • Delegates are managed by authorized signers of the account with Digital Banking access; Any changes to staff employment or authority should be managed immediately.
• Protect your computer:
  • Install anti-virus and malware on computer or network.
• Register for Autodeposit if accepting Interac e-Transfer
  • Autodeposit is a secure way to receive money without having to answer security questions for every transaction.
• Employee Education of Fraud Prevention
  • Keeping employees and committee members up to date on fraud schemes can assist them to pass on information to the members and make them more vigilant.

Online banking security is the responsibility of everyone who uses the system. Fusion invests considerable time and money in fraud detection systems,  but requires vigilance on everyone’s part in order to be effective.
 
Hackers today are getting more sophisticated, so it is vital that everyone remember some basic online banking safety principles. It’s better to prevent theft than to try to recover losses later.

 Here are a few things you should NEVER do with your online banking:

• NEVER log in to online banking over public Wi-Fi. That is like letting hackers “look over your shoulder” as you do your banking. 

• NEVER provide personal information over the phone.   Fusion will never ask for personal information over the phone.
• NEVER click on attachments or links in suspicious emails or text messages.​ This is a very common method for hackers to gain access to your private information
• NEVER click on an Interace-Transfer^† that you weren’t expecting. Make sure you verify the suspicious Interac e-Transfer with the sender personally before clicking.
• NEVER tell anyone your password or PIN.

Here are a few things you should ALWAYS do with your online banking:

• ALWAYS be wary of suspicious emails, text messages, social media messages and letters, and online ads that ask you to reveal private information or ask you to click through to online banking.  Type your online banking address directly into your browser instead of clicking on a link.
• ALWAYS choose unique and secure passwords for any site that requires you to create one.

Security questions should be difficult to answer. Your spouse’s or child’s name is easy to find online. Pick something that a hacker can’t answer using Google, Facebook or LinkedIn.

• ALWAYS change your passwords on a regular basis.   Use difficult passwords and consider using a password manager app that can keep your passwords safe. These can help you generate difficult passwords and will remember them for you. Examples of password manager apps are: Keepass, LastPass, 1Password, Bitwarden, Dashlane, Keeper and TrueKey. 
• ALWAYS use anti-virus and anti-malware software.   Keep your devices safe and secure!
• ALWAYS take extra precaution by setting up sign-in and transactional alerts through online banking.  When important changes have been made to your account, Account & Security alerts let you know by text, email or both as soon as it happens.

International Wire Transfers - An international wire transfer is initiated in one country and settled in another. Senders must initiate international wire transfers even when they send money to someone in another country who has an account at the same bank.  These payments require a routing or SWIFT codes (Swift stands for Society for Worldwide Interbank Financial Telecommunication. It is a unique identification code for both financial and non- financial institutions, used for International as well as Canadian wire payments). These wire transfers are normally delivered within two to three business days.

• • Eliminate the possibility of processing delays related to missing/incorrect data;
  • Lessen risk that the payment will be rejected; and
  • Satisfy regulatory requirements under anti-money laundering and anti-terrorist financing laws and regulations.

• • Within the province, if we receive & send by 3 pm = receiving institution to receive same day.
  • Out of province, if received and sent by 12 pm = receiving institution to receive same day.
  • Outside country (Domestic) if we receive and send by 3 pm = receiving institution to receive in 3 business **This does depend on both the intermediary and receiving institutions’ acceptance of incoming wires.

• Institution name
• Institution’s full address
• Institution’s phone number
• Institution’s Transit number 
• SWIFT code
• Beneficiary’s full name
• Beneficiary’s full address
• Beneficiary’s phone number
• Beneficiary’s account number

• • Institution name
  • Institution’s full address
  • Institution’s phone number
  • Institution’s Transit number
  • SWIFT code
  • Beneficiary’s full name
  • Beneficiary’s full address
  • Beneficiary’s phone number
  • Beneficiary’s account number

A fraudster may pose as a colleague, client, or someone they or their company have done business with recently in an attempt to get confidential account information or convince members to wire funds. In some cases, if the fraudster has access to the members mail or invoices, they may pretend to be a vendor asking for funds to be wired to a new or different account.

 These are some of the common red flags that should raise suspicion in a wire transfer request.

RED FLAG: THE SENDER REFUSES PHONE CALLS AND INSISTS ON COMMUNICATING VIA EMAIL ONLY

If attempting to send money and they won't even talk to you by phone, something's probably wrong.

Sometimes the person requesting the transfer will claim an inability to be reached by phone now but will promise to confirm at a later date. This should be treated as the implausibility it is and the member should insist on hearing directly from the person requesting funds.

RED FLAG: THE SENDER USES ODD OR INCORRECT WORDS, SPELLING, OR PHRASES

If dealing with a professional, you should expect their email and other communications to make sense and appear professional. But it's extremely common for fraudsters' emails to arrive riddled with spelling and grammar mistakes, which is a red flag.

While some fraudsters can pass for polished business communicators, many cannot. It might be bizarre phrasing, awkward English, poor grammatical choices, incorrect punctuation, or simply weird spacing or capitalization. These all suggest that you may be dealing with someone other than a legitimate contact.

RED FLAG: THE NATURE OF THE AMOUNT REQUESTED IS UNUSUAL OR INCONSISTENT WITH PREVIOUS PRACTICE

If the request is out of the ordinary, especially if it's way out of the ordinary, that's a reason to question it.  Watch the patterns associated with the people we do business with and keep an eye out for larger-than-normal amounts or requests to transfer money to new locations.

RED FLAG: THE RETURN EMAIL IS INCORRECT

Even if an email appears legitimate, always check the return address before sending any money. In most cases, a financial institution, lawyer's office, or other legitimate organization requesting funds will not use a Gmail or Yahoo email address; they will use a branded company email address. Some fraudsters will try to imitate the legitimate company email address but make it slightly different, so check closely.

Individuals and business owners should also watch out for large monetary requests that ask to be “coded" to a department within the company, or requests accompanied by detailed instructions with return addresses that are incorrect or have one or more extra letters added — all further indications of spoofing.

 Be vigilant, use common sense and take a detailed approach. Fraudsters are getting bolder, and the amounts are getting bigger. Take the steps you need to take to keep from becoming the latest victim.

Review the content of each request carefully. Watch for slight changes to an email address, spelling, grammatical errors, a great sense of urgency, unavailability of the member, international transfers, high dollar amounts and increased frequency.

Do not rely solely on history of similar email wire transfer requests, as a fraudster may have intercepted that correspondence with the purpose to introduce similar but fraudulent transactions.

Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited emails; delete sensitive information.

Use strong passwords and keep anti-virus and anti-malware software up-to-date.

Avoid sending sensitive emails using hotspots.

 Do not allow employees to access:

• • Personal emails on work computers
  • Internet freely on the same computer used to initiate payment

CAFT is a web-based application, therefore Originator accounts could be exposed to cyber fraud if the business or employee's computer system becomes compromised.

 If you notice unusual activity:

• Check the CAFT Activity Log and History File.
• Contact your financial institution.
• Change your CAFT password.
• If you have been compromised, follow the security procedures of your company.

• Protect passwords and User ID’s
• Manage CAFT transactions.
• Verify file totals prior to file processing.
• Release files in a timely manner.
• Review CAFT email notifications upon receipt
• Review the Activity Log.
• Review the History File.
• Verify all CAFT reports
• Verify account settlement to the settlement register (AFTR0010).
• Contact their financial institutions about any changes to Originator information
• Immediately notify their financial institution of any unusual activity.

Users can prevent transaction processing due to key error, theft or fraud by:

• Learning about cyber.
• Implementing internal controls (segregation of duties, dual authorization, setting CAFT limits).
• Creating a policy/control that mandates all requests to change payee/payor account information received via email MUST be confirmed by phone using the contact number on file (not the number included in the email request).
• Reviewing transaction files for accuracy.
• Reviewing CAFT email notifications.
• Reconciling banking transactions daily.
• Talking to insurance provider about Social Engineering coverage.

Increasing cyber security practices and building fraud awareness are vital in protecting yourself.

• Create strong passwords and never share your User ID or password.
• Lock or logout out of your computer when unattended
• Never access bank, brokerage or financial services information using open/free Wi-Fi (e.g. coffee shops, public libraries, hotels, etc.)
• Never click on links or attachments from an unexpected email, even if it looks like it is from a person or organization you know.
• Always use the login page on your browser to login to an account or online service (e.g. CAFT) – never use links in an
• Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
• Ensure virus protection and security software and the operating systems/applications on your computer are updated regularly.  Familiarize yourself with your institution's account agreement and your businesses liability coverage for fraud.

Find more information at:

• Your financial institution
• Get Cyber Safe: getcybersafe.gc.ca
• Canadian Anti-Fraud Centre: antifraudcentre.ca.

• Onboarding new CAFT originators.
• Completing the profile form and required CAFT agreements with appropriate user permission levels.
• Understanding and applying the CAFT risk management features, originator training and support.
• Monitoring CAFT Activity Log and History File information to ensure compliance and mitigate risk.
• Confirming the file value with the Originator when authorizing late files using the "Hold Late" feature.
• Resetting employee and Originator passwords, if applicable. Note: credit unions/financial institutions are responsible for the authentication process.
• Reviewing Originators information in their profile (at minimum annually) to ensure it is current and notify CUPS of changes.
• Ensuring CAFT Signature Card(s) are current and forwarded to CUPS.

Originator:

• Read Only: has view only access.
• Data Entry: this ID gives the user administrative access without being part of the authorization process.
• Upload Only: this ID gives the user the ability to upload a file to CAFT without being part of the authorization process.
• Authorize Only: this ID allows the user to authorize files for processing without being part of the administrative process.
• Super User: can release all files and upload or administer transactions on database.

Credit Union/Financial Institution:

• Authorize Late: allows credit unions/financial institutions to authorize or reject files which have been marked late.
• Security: all credit unions/financial institutions are required to have this level to assign or reset passwords for Originators and lock or unlock User IDs.

 If your Originator notices unusual activity, you must notify CUPS immediately with the following information:

• Originator name and number
• User ID(s) and name(s)
• Transaction date(s) and value(s)

• Mitigates risk by stopping file from processing if transaction limit is exceeded.

• Mitigates risk by stopping the file from processing if limit is exceeded.

• Mitigates risk by stopping file from processing if credit limit is exceeded.

• Mitigates risk by stopping file from processing if debit limit is exceeded.

• Mitigates risk by sending credit union/financial institution a warning email (note: files will not be stopped if the monthly limit is exceeded).

• Mitigates risk by ensuring a second user is reviewing a file prior to releasing.

• Mitigates risk by aggregating all file totals to a maximum daily combined limit. If the daily limit is exceeded, the file will reject.

• Mitigates risk by warning email recipients of Originator activity.

• Mitigates risk by securing funds at the credit union/financial institution prior to settlement (works best with pre-hold option).

• Mitigates risk by stopping files from processing without the credit union/financial institutions authorization by following their internal authorization procedures.