Business Security Best Practices

Cross River logo

At Cross River, we understand the importance of online security and the need for various types of safety measures. On a daily basis, we take many precautions to successfully protect the security of your accounts and transactions. However, it is also up to you, our customer, who must participate in creating a secure environment to protect your online banking accounts from unauthorized access and fraudulent activity.

Security Best Practices

As each business is unique and operates differently, additional security measures may be necessary based on your environment and level of risk. We at Cross River recommend that you periodically perform an internal risk assessment and evaluate your controls to determine if they are sufficient given your level of risk. We also recommend you educate and train employees on the following list of best practices, which should be used as a starting point to protect your online banking accounts.

  1. Monitor account activity on a daily basis. Immediately review Wire, ACH or other transaction confirmations and report suspicious transactions or if your information has been compromised by contacting us at 1-877-55C-RB55.
  2. Utilize dual controls and approval for ACH and wire transfer transactions.
  3. Implement transaction limits that are appropriate for the level of transaction activity at your business.
  4. Never share logins, passwords, dynamic tokens, or any other information that allows secure access to your online banking system. Do not leave them in an area that is not secure.
  5. Use different logins and passwords for each online banking system. Your password should be easy to remember and difficult to guess. We recommend using best practices for strong passwords that include upper and lower case letters, numbers, and special characters. Periodically change passwords several times a year.
  6. Avoid using passwords such as birthdays, family names, and pet names.
  7. Do not store a list of passwords on the computer or keep them near your computer.
  8. Never access websites for online banking from a public computer at an internet café, hotel, library, etc. and do not use public wireless access points or non-secure wireless networks.
  9. Obtain and install commercial anti-virus, anti-malware and anti-spyware software, and consider installation of a managed firewall. Free software may not provide the level of protection required against the latest security threats. Keep all security software updated to the latest releases. In many cases the software can be configured to automatically update.
  10. Keep computers updated with the latest operating system patches and updates for all software applications. This includes the operating system, browser software, and software programs such as Real Player, iTunes, and Microsoft Office. Most of the programs can be set to automatically update.
  11. To prevent the inadvertent installation of malware, spyware, or viruses do not navigate the web when you are using an identity that has Administrative rights. Set up a separate identity for web browsing that does not have Administrative rights, and only use the Administrative rights identity when operating off of the web.
  12. Be aware of pop-ups that prompt you to install software. A common scam is a message that warns of a virus installed on your computer and imitates running a virus scan. Never click OK to the popup that states software needs to be installed to remove the virus. Clicking OK will actually install malware, spyware, and/or a virus on your computer.
  13. Limit or eliminate unnecessary web-surfing and e-mail activity by employees, including personal activity, on computers used for online banking. Consider using a dedicated computer to perform online banking transactions and do not use it for any other online purpose (ex: reading e-mail, web browsing, accessing social media sites).
  14. Educate employees to clear the Internet browser's cache before and after visiting online banking websites to avoid having malware installed on a computer.
  15. Perform updates to installed software by visiting the official website instead of clicking a link contained in an e-mail or web page. For example, if a media player needs to be updated, go to the official media player website to install the update. Clicking on a fake update installation link could result in downloading malware onto the computer.
  16. If you are on a site that asks for personal information or login information check for the following on the web page:
  17. Check that the online banking system session is secure by verifying the web address contains "https://" and not "http://". This ensures the site is secure.
  18. Look for a closed lock either by the address bar or in the bottom frame of your browser. If the lock is missing the page is not encrypted and your information can be intercepted as it passes across the internet.
  19. Type the address of the page you are browsing to in the address bar instead of clicking on a link. Links can be spoofed to look valid but may take you to a fraudulent site without your knowledge. Favorites can also be compromised and altered to take you to a fraudulent site.
  20. Do not use automatic login features for online banking and best practices advise to avoid saving passwords to the computer.
  21. Never leave a computer unattended when using an online banking service, and always secure the computer when not in use or away.
  22. Never send personal or sensitive information by e-mail or post on any external websites such as social media sites.
  23. Do not click on links or open attachments contained in suspicious emails.
  24. Immediately report suspicious or fraudulent activity or if your information has been compromised by contacting us at 1-877-55C-RB55.

Email and Text Scams

Email scams, also known as "phishing," typically appear to have been sent by a legitimate source. The e-mail asks the internet banking user to update their personal information, confirm their account status, or try a new online banking feature. An embedded link within the e-mail sends them to a fraudulent website that often looks similar to an actual online banking site. In addition to other sensitive data, users are asked to enter an account user name and password under the pretense of verifying their identity. Unfortunately, this information can then be used to gain access to real accounts online. For years, scammers have tried to trick people using phony e-mails, asking them to click to websites that "spoofed" authentic websites for banks and credit card companies, eBay and major retailers, even the IRS. Most recently, text messaging scams, called "smishing," have begun to appear. Smishing is when identity thieves send fraudulent text messages to a mobile phone, pretending to be from a financial institution asking the user to call a number. Those who call are asked to key in their credit card number, ATM number, social security number, and/or their personal identification number (PIN).

  1. Be suspicious of e-mail or text messages purporting to be from a financial institution, government agency, or other source requesting any of your banking information.
  2. Never reply back to the sender with account or login information.
  3. It is strongly advised against clicking on links or opening attachments in these types of e-mails. Doing so could result in your system being compromised. Instead, contact the sender using publicly available contact information to verify the authenticity of the e-mail.
  4. Never reply to or follow any of the instructions in an e-mail or text message that requests your personal information.
  5. Never provide personal information including, but not limited to, Social Security Number, account or credit card numbers and personal identification numbers (PIN) over the phone, via the internet, email or by text message unless you have initiated the transaction.
  6. Always access online banking websites by typing the URL in the address bar instead of clicking on links in an e-mail or another website.
  7. Always review the sender's e-mail address or text message to verify that it is from a valid account or source. If they appear suspicious in any way, notify Cross River Bank or the legitimate source company immediately.
  8. Always leave any suspicious website if you suspect that it is not legitimate.

Social Engineering

Like "phishing" and other email or text scams, Social Engineering involves scamming or tricking people into breaking their normal security procedures in order to obtain information, commit fraud, or gain access to the victim's computer system. These Social Engineers attempt to obtain information by gaining the confidence of an authorized user and getting them to reveal information that compromises the network's security. The Social Engineer relies on the natural helpfulness and weaknesses of people. They may call the authorized employee with an urgent problem that requires immediate network access.

A Social Engineer will use tactics to persuade people to run malware-laden email attachments and convince people to divulge sensitive information. These malicious engineers rely on people who are not aware of the value of the information and are careless about protecting it. Eavesdropping, shoulder surfing, and dumpster diving are other tactics used in Social Engineering.

Additional Resources

Cross River Bank and legitimate companies or financial institutions will NEVER make an unsolicited contact requesting your user name, password, or other account information. It is important that all internet banking users be aware of such types of fraud.  

You can report suspicious e-mails, text messages or any other suspicious activity or requests to your financial institution and the Internet Crime Complaint Center (www.ic3.gov), a partnership between the FBI and National White Collar Crime Center.

For more information, visit the following websites: Federal Deposit Insurance Corporation, the Anti-Phishing Working Group, and the National Consumers League.