
Risks of standard account authorization for company employees in cases of fraud

Given the latest wave of attacks on companies' online banking accounts, which take various forms, the standard account authorization (Kontovollmacht) issued to employees has become a risk that companies can no longer manage.

The problem

When a company's management grants an accounts department employee an account authorization so that the employee can, among other things, use online banking, the account authorization form provided by the company's bank is usually used. The scope of this power of attorney covers, among other things, all transactions related to the management of the account. As a rule, this includes disposing of the credit balance, amending and terminating the contractual conditions relating to deposits, and concluding and amending participation agreements for telephone and online banking. In principle, there is no upper limit on the amount that can be disposed of, and even where daily limits have been agreed, the power of attorney allows the authorized employee to change them at will.

In fraud attacks, accounting employees are increasingly asked to pass on TANs or to approve orders in the pushTAN app, either by telephone or on a fraudulent website that imitates the bank, under an inconspicuous pretext such as a software update.

The fraudsters exploit precisely this extensive account authorization, which entitles the authorized person to raise the transfer limit of the online banking participation agreement. In addition to the card number and date of birth, they therefore often ask for the TAN or for approval in the pushTAN app. Once the transfer limit has been raised, the fraudsters effectively have unlimited access to all of the company's assets and make real-time transfers to their own accounts.

Only in very few cases can the transferred funds be fully recovered, since within a few days they are moved on through various international accounts so that they can no longer be traced.

Consequences and recommendations for practice

To reduce the risk of fraud, companies are strongly advised to review the model powers of attorney issued to accounting staff and to expressly cap them at a maximum amount in the authorization document itself, so that the limit applies in the external relationship with the bank and cannot be changed by the employee.

As a further security measure, it is advisable to implement an A-B system (four-eyes principle) under which accounting employees (A) can only dispose of account funds jointly with a managing director (B) as part of a joint representation. The house bank must then ensure that the consent of both representatives is obtained for every transaction, including any change to the transfer limits.

As part of its organizational duties, management is also advised to hold regular training on online security and payment fraud prevention and to issue corresponding work instructions for employees on processing payment transactions.
