Business Online and Mobile Banking Security Best Practices

Everyone at every level of a business plays a crucial role in helping prevent fraud. Your IT team, if you have one, can help ensure your computer systems are secure and up to date, but attacks rarely come in the form of hacking through your business’ firewall. Instead, attacks are often much simpler than that — initiated through emails, phone calls, and text messages to employees, usually disguised in formats that reflect those of legitimate requests.

It’s important for all employees, but especially users of INTRUST Business Online and Mobile Banking, to be aware of the ways in which attackers can attempt to gain sensitive information and trick or force an employee into taking an action (such as authorizing a fraudulent payment). When employees are aware, they are better equipped to treat requests with caution, take time to verify them, and follow best practices that decrease the risk of fraud.

Verify requests

While you and your employees may, in many ways, be your company’s greatest asset, you can also quickly become a liability by unknowingly acting as the access point to your financial accounts for scammers. That’s because malicious actors know that while computers can be difficult to manipulate, humans are much more susceptible to deception.

Most commonly, these scammers will send phishing emails including an unauthorized request for a funds transfer or a link that, when clicked, will install malicious software on the recipient’s computer. To learn more about phishing, how to spot it, and how to prevent becoming a victim of phishing scams, review our article on business email compromise.

One of the most effective ways to prevent falling victim to phishing attempts is through verification. When you receive a non-routine request for a payment via email, take the time to contact the individual or business requesting the payment to verify the request is legitimate. You may contact the requester by phone or email, but do not call any phone number included in the original email request, and do not reply directly to the email you received. Instead, find an alternate phone number or email that you know is legitimate to contact the requesting party and check that the request is valid.

While verification does add an extra step in the process and increases the amount of time it takes to process payments, it will save you and your business from losing even more time and dollars in the long run.

If you are unable to verify a request before making a payment from one of your INTRUST accounts and believe that you have been the victim of fraud, it’s important to report it immediately. The sooner we are aware of a potential compromise, the more likely we will be able to intervene.

Keep best practices in mind

Leveraging these easy-to-follow best practices adds layers of security to those already included with online banking and makes it more difficult for scammers to access your accounts.

Safe password practices

You should never share your password with anyone, including someone claiming to be from INTRUST Bank. Neither INTRUST Bank nor any credible vendor or merchant will ever ask for your online and mobile banking password. Additionally, you should keep passwords secure by never storing them on a piece of paper or in an unencrypted computer file, like a Word document. Consider using a password manager to store your passwords.

Review our article about passwords and password managers to learn more about password best practices.

Admin user management

INTRUST Business Online and Mobile Banking admins have complete access to your company’s online and mobile banking profile, so it is especially important to safeguard credentials for these users. There are some steps you can take to limit the exposure these user profiles present.

  1. Limit the number of users with administrative rights to as few as possible. Users should be given only the permissions they need to complete the tasks required of their role.
  2. Create separate, unique user IDs for day-to-day banking activities, only using the administrative ID for user maintenance.
  3. Routinely review your list of admin users and remove those which are no longer needed.

Understand and use available tools

While it is up to employees to be aware of the ways in which they can unintentionally aid fraud through business email compromise, there are also tools available within INTRUST Business Online and Mobile Banking that can help reduce a business’ exposure to other types of fraud, such as ACH and check fraud.

Check Positive Pay

Check Positive Pay provides early detection of fraudulent, altered, or counterfeit checks. Checks presented for payment are verified daily against a file that you provide to INTRUST Bank. Only checks that match the items in the file are automatically paid. If a check is presented that does not match, you receive an email alert detailing the exception. After reviewing the check, you can determine whether or not to pay it. Learn more about Check Positive Pay.

ACH Positive Pay

Similar to the way that Check Positive Pay prevents check fraud, ACH Positive Pay prevents unauthorized ACH activity on your business accounts. Based on rules that you define (for example, dollar thresholds or a predefined list of approved recipients) the ACH Positive Pay system determines which ACH transactions will automatically pay and which ACH debits will require your review to approve or reject. If a presented ACH debit transaction does not meet your predefined rules, you receive an email alert detailing the exception. You then decide if you would like to process the ACH payment. Learn more about ACH Positive Pay.
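The decision logic behind both Positive Pay tools can be illustrated with a short script. This is an added example, not INTRUST Bank's implementation: the field names, the sample issue file, the per-originator thresholds, and the duplicate-presentment check are all assumptions made for illustration.

```python
from decimal import Decimal

# Constructed issue file: the checks the business actually wrote.
# Matching on number, amount and payee is an assumption of this example.
ISSUED = {
    "1001": {"amount": Decimal("1250.00"), "payee": "Acme Supply"},
    "1002": {"amount": Decimal("310.75"), "payee": "City Utilities"},
}

# Constructed ACH rules: approved originators, each with a dollar threshold.
ACH_APPROVED = {
    "PAYROLLCO": Decimal("50000.00"),
    "CITYUTIL": Decimal("1000.00"),
}

def review_check(presented, issued=ISSUED, paid=None):
    """Return ('pay' | 'exception', reason) for one presented check."""
    paid = set() if paid is None else paid
    item = issued.get(presented["number"])
    if item is None:
        return ("exception", "check number not in issue file")
    if presented["number"] in paid:
        # Same item presented twice (assumed rule, not stated on the page).
        return ("exception", "check number already paid")
    if presented["amount"] != item["amount"]:
        return ("exception", "amount differs from issue file")
    if presented["payee"].strip().lower() != item["payee"].lower():
        return ("exception", "payee differs from issue file")
    paid.add(presented["number"])
    return ("pay", "matches issue file")

def review_ach_debit(debit, approved=ACH_APPROVED):
    """Return ('pay' | 'exception', reason) for one presented ACH debit."""
    limit = approved.get(debit["originator"])
    if limit is None:
        return ("exception", "originator not on approved list")
    if debit["amount"] > limit:
        return ("exception", "amount exceeds threshold for this originator")
    return ("pay", "within predefined rules")

if __name__ == "__main__":
    altered = {"number": "1002", "amount": Decimal("3100.75"), "payee": "City Utilities"}
    print(review_check(altered))   # altered amount is routed to review
    print(review_ach_debit({"originator": "UNKNOWNCO", "amount": Decimal("25.00")}))
```

Every "exception" result corresponds to an item that would be held for your pay-or-reject decision rather than paid automatically.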


Whether or not you take advantage of either of these Positive Pay tools, it is important that you consistently monitor ACH transactions, wire transfers, and bill payments within online and mobile banking. Look for suspicious activity on statements and verify the source of all debits.

If you are not regularly spending time in online or mobile banking, you can leverage alerts to notify you of important activity occurring on your accounts, including new ACH and wire payments, or a change to a user’s entitlements. Alerts can come in the form of email, desktop notification, or SMS text message and are available to all users. Select the alert method or methods that are most likely to catch your attention.

Entitlements and limits

Business Online and Mobile Banking provides comprehensive user management tools out of the box, designed to give each user only the access they need to perform the responsibilities of their role. At the individual user level, company administrators can assign accounts to which the user needs access and restrict access to all other accounts. For each of those accounts the user can access, your company admin can use entitlements to select which tools, such as transfers, ACH origination, or wire payments, the individual can use.

As another layer of risk mitigation, the admin should also set transaction-level and daily dollar limits on the amounts each user is able to process for each feature to which they are entitled.

Keep your employees informed

If you have multiple users performing online banking functions, make sure they are properly trained and understand the importance of keeping your company’s banking activity secure. Regularly review these best practices with your employees to ensure they know how to spot a scam and what to do in the event they encounter one.

It is also important that administrators take the time to routinely review your list of online and mobile banking users, including their entitlements and limits, to ensure they have the appropriate level of access.

For more best practices for safeguarding your business, review our guidelines for protecting your business.


