How Online Banking Security Protects Your Business Bank Accounts from Fraud


In 2024, Elkin Valley Baptist Church lost $793,000 when criminals impersonated their construction contractor and sent fake invoices with updated bank account details. No hacking. No malware. Just convincing emails and a missing verification process.

Adelia Risk helps small and mid-sized businesses implement online banking security controls and corporate banking fraud prevention that reduce the risk of exactly this kind of attack. The church’s experience is common. The FBI reports $2.77 billion in business email compromise losses in 2024 alone, with over 21,000 reported incidents.

The attackers did not use advanced hacking here. They relied on a missing verification step. All they needed was a believable email and a payment process that did not require a call to confirm changes.

Below, you’ll find our complete online banking security checklist, followed by guidance on why each item matters and how to implement it. Feel free to use the checklist directly, or enter your email to get an editable version you can customize for your business.


Your 10-Minute Priority Actions

Before anything else, these five steps address the most common attack patterns we see in client environments.

Do These First

Enable multi-factor authentication (MFA) on all banking accounts: Microsoft reports MFA blocks 99.9% of automated account compromises. Ask your bank for an authenticator app or hardware token options instead of SMS when possible.

Set up transaction alerts for all outgoing payments: Don’t wait to discover fraud on your monthly statement. Configure alerts for wire transfers, ACH payments, and any transaction above a small threshold. Send alerts to a shared distribution list, so one inbox does not become a single point of failure.

Activate dual approval for payments: Require two authorized users to approve wire transfers and large ACH payments. Yes, this adds a step to your payment process. That is the tradeoff. You are making it harder for a single person to be tricked into sending money.

Save your bank’s fraud hotline in your phone contacts: Save the fraud reporting number now, so you are not looking for it under stress. The faster you report, the better your chances of recovery.

Test your payment verification process: Send a test request through your normal channels and verify that your team follows the verification steps. If a payment change request goes through without a callback, your team needs a quick refresher.

Why These Come First

MFA is the highest-leverage setting on this list. It stops most credential-based account takeovers before they get started.

The alert and dual approval settings catch what MFA doesn’t: social engineering. When a criminal convinces your accounts payable person that an urgent wire transfer is legitimate, dual approval forces a second set of eyes on the request. Alerts notify multiple people when money moves, so fraud doesn’t go unnoticed until month-end reconciliation.

We recommend testing your verification process because most businesses think they have one until they actually try it. Send a test vendor bank change request through your normal channels. If nobody calls to verify before making the change, you’ve identified your biggest vulnerability.

Why Business Banking Is Different

If someone steals money from your personal checking account, federal regulations give you specific protections. Regulation E limits your liability to $50 if you report unauthorized transactions within two days.

Business banking doesn’t come with the same protection. Under UCC Article 4A, the legal framework governing business wire transfers, the liability calculation works differently. If your bank offered security procedures like multi-factor authentication, dual authorization, or Positive Pay, and you declined them, it can affect how losses are handled.

Our founder and CISO, Josh Ablett, saw this firsthand during his years as SVP of Fraud at RBS, back when it was the fifth largest bank in the world. Business owners would come in devastated after their operating accounts were drained. In some cases, the loss threatened payroll and cash flow. The legal protection simply wasn’t there, and too often, they hadn’t taken the time to talk to their bank and understand what security measures could prevent it.

After a major transfer fraud, businesses often look to the bank for recovery. The case law is mixed, and outcomes depend on the details.

In Experi-Metal v. Comerica, a Michigan court held the bank liable when it processed 97 fraudulent wires in several hours from an account that had done two wires in two years, ruling the bank failed to act in “good faith.” But in Studco Building Systems US, LLC v. 1st Advantage Federal Credit Union, the Fourth Circuit reversed a $558,868.71 judgment and held the beneficiary bank was not liable under UCC 4A-207 without actual knowledge of a beneficiary name and account-number mismatch.

The common thread: these disputes turn on the transaction pattern, what controls were in place, and what the bank knew (and when).

Online Banking Security Features to Enable

These features are typically free or low-cost, and as discussed above, declining them can affect how liability is handled after fraud.

Enroll in Check Positive Pay: Your bank compares checks presented for payment against a file of checks you’ve issued. Any mismatches get flagged for your review before the bank pays them.

Enroll in ACH Positive Pay or ACH Debit Block: Blocks unauthorized ACH debits from your account. You can approve expected debits and reject everything else.

Set daily and per-transaction limits: Cap the maximum amount that can be transferred via wire or ACH in a single transaction or in one day. This reduces exposure if a fraudulent payment slips through.

Request hardware security tokens if available: Physical tokens that generate codes are harder to compromise than SMS-based codes. Some banks offer these for business accounts at no extra cost.

Positive Pay Explained

Positive Pay is an allow list that helps catch unauthorized checks and ACH debits before they clear. You submit a file of checks you’ve issued, and the bank compares every presented check against your list. Mismatches get flagged for your review before the bank pays them.

ACH Positive Pay (sometimes called ACH Debit Filter or ACH Block) works similarly for electronic debits. You pre-authorize expected debits and reject everything else. If a criminal tries to pull money from your account using ACH, the transaction gets blocked unless you’ve specifically approved it.

The FFIEC issues guidance for financial institutions and encourages layered controls and strong authentication for online banking. Many banks offer tools like Positive Pay and ACH filters/blocks, but businesses still have to enroll and use them.
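The matching the bank performs for Check Positive Pay and an ACH debit filter, as an added example that is not part of the original post or any bank’s software. The issue file, presented checks, and ACH originator allow list below are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount_cents: int

# Constructed sample data: the issue file a business sends its bank
# (checks it actually wrote) and the checks later presented for payment.
ISSUED = [
    Check("1041", "Acme Supply Co", 125_000),
    Check("1042", "Valley Electric", 8_450),
    Check("1043", "Office Depot", 21_300),
]
PRESENTED = [
    Check("1041", "Acme Supply Co", 125_000),  # exact match: pay
    Check("1042", "Valley Electric", 84_500),  # amount altered: exception
    Check("1043", "J. Doe", 21_300),           # payee altered: exception
    Check("1044", "Cash", 50_000),             # never issued: exception
    Check("1041", "Acme Supply Co", 125_000),  # presented twice: exception
]

# ACH Positive Pay allow list (assumed shape): originator id -> max debit in cents.
ALLOWED_ACH_ORIGINATORS = {"1234567890": 250_000}

def positive_pay(issued, presented):
    """Return (to_pay, exceptions); each exception carries the reason a reviewer sees."""
    issue_file = {c.number: c for c in issued}
    paid = set()
    to_pay, exceptions = [], []
    for chk in presented:
        expected = issue_file.get(chk.number)
        if expected is None:
            exceptions.append((chk, "check number not in issue file"))
        elif chk.number in paid:
            exceptions.append((chk, "duplicate presentment"))
        elif chk.amount_cents != expected.amount_cents:
            exceptions.append((chk, f"amount mismatch: issued {expected.amount_cents}"))
        elif chk.payee.casefold() != expected.payee.casefold():
            exceptions.append((chk, f"payee mismatch: issued {expected.payee!r}"))
        else:
            paid.add(chk.number)   # only an exact, first-time match is paid
            to_pay.append(chk)
    return to_pay, exceptions

def ach_debit_filter(originator_id, amount_cents, allowed=ALLOWED_ACH_ORIGINATORS):
    """ACH debit filter: allow only pre-authorized originators, up to their cap."""
    cap = allowed.get(originator_id)
    return cap is not None and amount_cents <= cap
```

Everything that lands in `exceptions` is what the bank would hold for your review before paying; the default for anything not on your list is to reject.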

SMS vs. Authenticator Apps

SMS codes are better than nothing, but authenticator apps are safer. Attackers can sometimes bypass SMS codes via SIM swapping, where they persuade a mobile carrier to move your number to another SIM. Authenticator apps don’t rely on your phone number, so SIM swapping doesn’t work against them.

Frankly, we’re surprised more banks haven’t moved away from SMS entirely. SIM swapping attacks have been documented for years, yet SMS remains the default at most institutions. Ask your bank what multi-factor authentication options they offer beyond SMS. Look for authenticator app support (Microsoft Authenticator, Google Authenticator) or hardware security tokens.


Internal Controls That Reduce Social Engineering Risk

Bank security features are only half the equation. Internal controls are your primary payment fraud prevention layer, protecting against the social engineering that causes most losses. Often, attackers don’t need to break into the bank. They trick employees into giving them money.

Internal Controls Checklist

Establish a “Stop, Call, Confirm” verification protocol: Before changing any vendor’s bank account information or processing urgent payment requests, pause, call the requestor at a known phone number (not one from the email) to verify, and confirm the request is legitimate.

Train finance staff to recognize red flags: Business email compromise is behind billions in annual losses. Your team should treat rushed payment requests, vendor bank account changes, requests to bypass approval processes, executive impersonation, and requests for secrecy about financial transactions as high-risk.

Require separation of duties for payments: The person who enters a payment should not be the person who approves it. If you’re a small business where one person handles everything, consider having the owner review and approve all outgoing payments above a threshold.

Use a dedicated device for online banking: Banking trojans spread through malicious websites, email attachments, and infected software. Using a separate computer, Chromebook, or iPad only for banking significantly reduces your exposure.

Access bank sites through bookmarks only: Don’t type your bank’s URL or click links in emails. Typosquatting and phishing sites look convincingly similar to real banking portals.

The Stop, Call, Confirm Protocol

This simple protocol would have saved Elkin Valley Baptist Church $793,000. Before your finance team changes any vendor’s bank account information or processes an urgent payment request, they should:

Stop what you’re doing. Don’t react immediately to any payment change request.

Call the requestor at a known phone number. Never use a phone number from the email or invoice you just received. Use a number from a signed contract, your accounting system, or a previous bill.

Confirm the request is legitimate before processing anything.

The emails the church received looked legitimate. They included the contractor’s logos and existing email thread history. A phone call to the contractor’s known number would have revealed the fraud instantly.

At Adelia Risk, we help clients build verification protocols that prevent wire fraud and become second nature for their finance teams. A 30-second phone call is usually cheaper than hours of cleanup after a bad payment.

Red Flags Your Team Should Recognize

Verizon’s 2024 DBIR notes that pretexting incidents, most ending in Business Email Compromise (BEC), accounted for about one-fourth (24–25%) of financially motivated attacks. Payment workflows are a common target. Train anyone who handles payments to treat these as high-risk:

Urgent payment requests, especially by email

Changes to vendor bank account information

Requests to bypass normal approval processes

Messages from executives asking for immediate, secret payments

Requests for secrecy about financial transactions

Poor grammar or spelling in official communications

Why a Dedicated Banking Device Matters

Banking trojans are malware designed to steal online banking credentials. They spread through malicious websites, email attachments, and infected software downloads. Once installed, they can capture everything you type on your banking site or even modify what you see on screen.

Using a dedicated computer, Chromebook, or iPad only for banking reduces exposure. The device is used for banking only, not general web browsing, email attachments, or casual software installs.

Security researcher Brian Krebs recommends this as an online banking best practice for any business that moves meaningful funds electronically. At Adelia Risk, we recommend this to every client handling significant payment volume. A Chromebook or iPad costs a few hundred dollars. A wire fraud loss averages far more.

Questions to Ask Your Bank

Use this list during your next conversation with your bank’s treasury management or business banking representative. These treasury management security questions help you understand your options.

What MFA options do you offer beyond SMS? Look for authenticator apps or hardware tokens.

Do you support dual authorization for wires and ACH? Find out what thresholds can be set.

Are Check Positive Pay and ACH Positive Pay available? Ask if there are any fees.

If an unauthorized payment goes out, how is liability handled? Understand who bears the loss under different scenarios.

What is your fraud reporting process and response time? Get the direct phone number for reporting fraud.

Document the answers. If fraud occurs, having a record of what security features were offered and what you enabled matters for liability disputes.

Under UCC Article 4A, banks must offer “commercially reasonable security procedures.” Keep records of which security features your bank offers, which ones you’ve enabled, and your security decisions. This documentation protects you if there’s ever a dispute over fraud liability.

Ongoing Maintenance

Daily: Review transaction alerts: Don’t let alerts pile up unread. Small unexpected transactions can be an early signal that an account needs attention. We’ve seen cases where small $5-$10 test transactions preceded six-figure wire fraud by days. Catching them early makes the difference.

Monthly: Audit dual approval logs: Review who approved what. Look for patterns like the same two people always approving or approvals happening at unusual hours.

Quarterly: Update procedures and test controls: Review your verification protocols, update authorized signer lists, and run a test to make sure staff follow the process.
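The daily alert review and monthly dual-approval audit above, as an added example that is not part of the original post: one function flags a large payment to a counterparty that received tiny test transactions shortly before, the other flags the same person entering and approving a payment, approvals outside business hours, and one approver pair dominating the log. The log lines, column layout, and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed dual-approval log (assumed columns): timestamp, payment id,
# counterparty, amount in USD, user who entered it, user who approved it.
APPROVAL_LOG = [
    ("2024-03-04 10:12", "P-101", "Acme Supply Co", 12500, "alice", "bob"),
    ("2024-03-05 14:40", "P-102", "Valley Electric", 8450, "alice", "bob"),
    ("2024-03-06 09:05", "P-103", "Office Depot", 2130, "alice", "bob"),
    ("2024-03-07 23:48", "P-104", "New Vendor LLC", 84000, "alice", "bob"),
    ("2024-03-08 11:20", "P-105", "Payroll Co", 40000, "bob", "bob"),
]

def audit_dual_approval(log, business_hours=(7, 19), dominance=0.75):
    """Monthly audit: separation of duties, off-hours approvals, same-pair pattern."""
    findings, pairs = [], Counter()
    for ts, pid, party, amount, entered_by, approved_by in log:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
        if entered_by == approved_by:
            findings.append((pid, "separation of duties violated: entered and approved by same user"))
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append((pid, f"approved outside business hours ({ts})"))
        pairs[frozenset((entered_by, approved_by))] += 1
    pair, n = pairs.most_common(1)[0]
    if len(log) >= 4 and n / len(log) >= dominance:
        findings.append(("*", f"same pair {sorted(pair)} on {n}/{len(log)} payments"))
    return findings

# Constructed outgoing-transaction alerts, oldest first: (date, counterparty, amount USD).
ALERTS = [
    ("2024-03-01", "New Vendor LLC", 7.00),
    ("2024-03-02", "New Vendor LLC", 5.00),
    ("2024-03-07", "New Vendor LLC", 84000.00),
    ("2024-03-07", "Payroll Co", 40000.00),
]

def probe_then_large(alerts, probe_max=25.0, large_min=10_000.0, window_days=14):
    """Daily review: a large payment preceded by tiny 'test' payments to the same party."""
    probes_seen, hits = {}, []
    for d, party, amount in alerts:          # assumes alerts are sorted by date
        day = datetime.strptime(d, "%Y-%m-%d")
        if amount <= probe_max:
            probes_seen.setdefault(party, []).append(day)
        elif amount >= large_min:
            recent = [p for p in probes_seen.get(party, []) if 0 <= (day - p).days <= window_days]
            if recent:
                hits.append((party, amount, len(recent)))
    return hits
```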

Prevention beats recovery every time. According to the AFP 2024 Payments Fraud Survey, only 22% of organizations that experienced fraud recovered 75% or more of their losses. That’s down from 41% in 2023.

When you do discover fraud, speed matters. The FBI’s Recovery Asset Team reports a 66% success rate in freezing fraudulent transfers when businesses report quickly. After that window closes, recovery gets much harder. This is why we emphasize having your bank’s fraud hotline saved in multiple phones across your organization.

Ready to Implement These Controls?

How Adelia Risk Can Help

Implementing online banking security controls isn’t technically difficult, but it requires coordination across your bank, your finance team, and your IT systems. Many businesses put it off because nobody owns the project.

At Adelia Risk, we help small and mid-sized businesses implement practical banking controls as part of our Virtual CISO service. We work with your bank to enable the right security features, train your team on verification protocols, and document your controls for compliance and insurance purposes.

If you’re looking for a banking security checklist you can implement yourself, download our free resource above. If you want expert guidance on implementing online banking security for your business, let’s talk. We’re happy to walk through your current setup and recommend the next best steps.


Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
