Fraud Protection Best Practices for Transaction Originators or Approvers

Have a healthy suspicion of, and independently confirm, any request for confidential information or sending of funds. Always verify any request by calling the company or person, using a telephone number that you know to be real, and not one provided in an email or call. Never reply to the same email address from where the request originated or you end up communicating with the fraudster. Even when the request is urgent, take the time to confirm sensitive requests with known people and entities, through an independent method.

Be wary of an email that doesn’t “sound like” other emails you have received from your CEO or other company executive, or that doesn’t look like the typical emails from a vendor or bank, or that requests an outgoing funds transfer that falls outside of your company’s standard practices for such requests.

Carefully check the email domain portion of an email sender’s address – the portion between @ and .com (or .net, etc.) - for any replacement characters, such as 0 (zero) instead of the letter O or l (lowercase letter L) in place of I (uppercase letter I). Keep in mind that many other character replacement variations are commonly used. Even requests from domains that appear to be legitimate should be independently confirmed with the requestor.

Guard your financial or other account information. Don't provide it to anyone unless there is a legitimate reason to do so as part of a transaction, and only after you’ve confirmed this with the requestor.

Confirm any request for change to a vendor’s payment information, or for an unusually large payment amount, or outside the normal payment cycle by phone call to a known vendor representative.

Require high-dollar invoices received electronically to be authenticated by phone call to the vendor prior to payment. For those received by mail, authenticate by phone or email. Communicate only to the phone numbers, email addresses and contact names in your master vendor files.

Pay attention to unusual circumstances and "red flags,” such as a vendor using an atypical communication channel or a different individual making the request than your company normally deals with or who seems to be new to the vendor.

If you use a free email service for your business (such as Hotmail®, Gmail®, Yahoo®, etc.) make sure no confidential information is stored in contact records or saved messages. Alternatively, consider upgrading to a secure email system.

Implement Positive Pay fraud prevention services for checks or ACH. These services prevent counterfeit checks or unauthorized ACH transactions from posting to your account. For more information about these services, call us at 1-800-255-6190, or e-mail us at

Establish dedicated computers for accessing online banking. These computers should not be utilized for accessing email or non-banking websites. Use separate computers to initiate and authorize transactions.

Do not use public computers or public Wi-Fi hotspots to access your online banking.