Business Identity Theft

Identity theft occurs when a criminal (or “fraudster”) steals your business’s or your personal information and uses it to access your accounts, establish credit, purchase items or borrow money in your name or in the name of your business.

Corporate Account Takeover (CATO) is a common type of business identity theft where a fraudster steals your business’s online banking information and gains access to your accounts.  Fraudsters use that access to initiate fraudulent transactions and steal other confidential information.  Fraudsters usually accomplish CATO by infecting computers or other access devices with malware through email or an infected website. Remember, it only takes one infected device to compromise your entire network.

Fraudsters also use scams to trick businesses or their employees in to providing confidential information. For example, fake check scams, overpayment scams, work-at-home scams, weight loss scams, lotteries and sweepstakes scams, debt relief scams, the “Nigerian” email scam and tech support scams.1


What we’re doing to protect you:

Online Banking Credentials:

Online account access requires a username and password for each member of your business with rights to access your account

When you access your account online, you should see an image, called a “watermark,” which you selected when you set up online banking. If your personal watermark is not displayed at sign on, stop and contact us immediately.


Merchant Processor Login Security:

When accessing your merchant processor service payment gateway account, you will be prompted for your cellphone and receive a text message authentication number. This is known as 2 factor authentication. When you sign on to your credit card processing account, you will need to verify multiple ways.


Dual control for ACH origination:

Two users are required to initiate an ACH transaction online.  One user must create the transaction and the other must initiate it.


Out-of-Band Authentication:

If our system detects an IP address that is inconsistent with your normal usage we will review the transaction and may call to verify it is authorized; for example, if an ACH is initiated from an IP address not previously associated with you or your account.

Periodically, or more frequently if our system detects something suspicious, you may be prompted to answer security questions to confirm your identity.

What you should do to protect yourself and your business:

Below are some suggestions to help mitigate the risk of identity theft to your business.  Not all the suggested practices are appropriate for all businesses.  You should identify the risks to your business and implement the most appropriate security measures.

  1. Use a dedicated computer exclusively to access your account online. The computer should not be connected to your network, should not have email capability and should not be connected to the Internet for any purpose other than online banking.
  2. Do not share your username and password, watermark or security question answers with anyone. Where a dedicated computer is not feasible, perform duties that require dual control by two individuals on different devices.
  3. Create “strong” passwords, i.e. complex passwords with capital and lowercase letters, numbers and any allowed special characters.
  4. Reconcile your accounts online daily. If you see a transaction you did not authorize, contact us immediately.
  5. Set up e-notifications to review an email for certain account activity. For example, a notice that there are insufficient funds in your account, or an email summary of your activity at the end of each BillPay session. If you need assistance contact Deposit Services a 216-359-5510.
  6. Consider using Check Positive Pay and ACH Positive Pay (available upon request for business customers for a fee).
  7. Check Positive Pay matches the account number, check number and dollar amount of each check presented for payment against a list of previously authorized checks issued by your business. Any check presented that does not match the list of issued checks is available for you to review each morning.
  8. ACH Positive Pay allows businesses to set up filters so that only authorized vendors or persons can debit or send credits to your account.
  9. Implement multiple layers of security between your network and the fraudsters attempting to access it.      For example, prevent and deter unauthorized access to your network using:
  • Firewalls;
  • Security suites, which include anti-virus and online security;
  • Anti-virus, anti-malware and anti-spyware programs;
  • Internal controls and policies; and
  • Education for all computer users about cybercrime, even those that do not have access to online banking.

Depending on your business you may want to set up different accounts for different uses to segregate activity and help identify any improper transactions. For example, set up a separate account for ACH transactions.

Some tips for safe online banking in general:

Do not access your account from free Wi-Fi hot spots, like airports or Internet cafes.

Do not open suspicious emails or emails from unknown persons.

Cease online banking activity if our website looks different than usual and contact us immediately.

Report suspicious activity on your account immediately.

Report lost or stolen checks or cards immediately.

Shred any documents that contain your personal or account information.

Be sure you know the identity of who you are talking to on the telephone or communicating with via email before disclosing any sensitive information.  Remember, we will never ask you for your online banking password.

To report an incident or if you have any questions about identity theft, privacy or fraud please contact our Deposit Services Department at 216-359-5510.

Helpful websites with more information: