Ensuring that payments are received promptly and into the correct account is a fundamental requirement for any organisation. However, in the pursuit of making it easier for clients to pay, many businesses inadvertently open a door for cyber attackers. While it may seem efficient to list your payment information directly on your website or share it freely, this practice carries significant security implications that could eventually cost your business thousands of dollars.
The Payment Dilemma
Modern banking offers several alternatives to traditional account sharing, such as paying via a business registration number or a specific digital payment ID. Unfortunately, these systems are not always a perfect solution. Many financial institutions currently treat these as one-off transactions rather than supporting batch payments, which are essential for businesses managing multiple invoices. Furthermore, not all banks have fully integrated these identifiers into their payment systems.
This leaves many business owners with a difficult choice: do you place your full bank details on your public website for everyone to see, or do you provide them over the telephone? Even the latter presents a challenge, as it can be difficult to validate that the person on the other end of the call is a legitimate client and not a sophisticated attacker.
Why Attackers Want Your Bank Details
The primary issue with sharing bank details publicly is the intelligence it provides to a motivated cyber attacker. If an individual is attempting to compromise your company, knowing which bank you use gives them a significant advantage.
A Bank State Branch (BSB) number is more than just a routing code: it identifies the financial institution (and branch) that holds your account. That is exactly what an attacker needs to craft a convincing phishing email. Instead of a generic scam, they can send a message that appears to come from your specific bank, using the correct branding and mimicking the login portal, app notifications or verification-code prompts that bank actually uses, so the message matches what your staff expect to see.
Knowing your bank also lets attackers focus their efforts. Different institutions use different login flows and second-factor methods. An attacker who knows which one you use can build a phishing page, malware configuration or phone script for that single institution and ask only for the credentials and codes it requires, rather than casting a wide net and hoping something matches.
Practical Strategies for Safer Payments
Protecting your financial information does not have to mean making it impossible for clients to pay you. Consider implementing the following strategies to enhance your security posture:
- Avoid Full Disclosure on Websites: Refrain from listing your full BSB and account number on public-facing pages. If you feel it is necessary to provide some information online for verification purposes, consider only displaying the last two digits of the account number. This allows a legitimate client to feel confident they are paying the right person without revealing the full data set to a scraper or an attacker.
- Implement a Verification Process: State on your website that bank details will only be confirmed via a specific phone number or email address. When a client calls to confirm, have them read out the BSB and account details they already hold, and only then confirm or correct them, rather than reading the full details out to anyone who asks. This way an unknown caller learns nothing they did not already have.
- Use Obfuscated Confirmation: If you must send details by email, direct the client to your website, where the account number is shown with all but the last two digits masked (for example as “XXXXXX42”). The client compares those two digits against the account number in the email before paying. This is a simple but effective second channel: an attacker who has tampered with or spoofed the email would also have to alter your website for the two to agree. It is a mismatch detector rather than proof, so a phone confirmation remains the stronger check for large or first-time payments.
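The masking and matching described in the three points above, as an added Python example that is not part of the original article or any Vertex tool. All BSBs, account numbers and email bodies are constructed sample data; the function names, the regex used to pull an account number out of an invoice email, and the choice to mask the BSB entirely are assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    bsb: str      # six digits, e.g. "062-000" (constructed sample value)
    account: str  # account number, may contain spaces or hyphens


def normalise(digits: str) -> str:
    """Strip spaces and hyphens so '1234 5642' and '12345642' compare equal."""
    return re.sub(r"[\s-]", "", digits)


def public_mask(details: BankDetails, visible: int = 2) -> str:
    """What the public website shows: the account number with every digit
    except the last `visible` replaced by 'X'. The BSB is not published at all,
    so a scraper learns neither the bank nor the full account."""
    acct = normalise(details.account)
    return "X" * (len(acct) - visible) + acct[-visible:]


def matches_public_mask(candidate_account: str, mask: str) -> bool:
    """True if an account number taken from an email agrees with the masked
    number on the website (same length, same unmasked digits)."""
    cand = normalise(candidate_account)
    if len(cand) != len(mask):
        return False
    return all(m == "X" or m == c for m, c in zip(mask, cand))


# Assumed invoice email layout: a line such as "Account: 1234 5642".
_ACCOUNT_RE = re.compile(r"Account[:\s]+([\d][\d\s-]*\d)")


def screen_invoice_email(body: str, mask: str) -> str:
    """Classify an invoice email against the website's masked account number.
    Returns 'match', 'mismatch' or 'no-account-found'."""
    found = _ACCOUNT_RE.search(body)
    if not found:
        return "no-account-found"
    return "match" if matches_public_mask(found.group(1), mask) else "mismatch"


# Constructed sample data for the demonstration.
OUR_DETAILS = BankDetails(bsb="062-000", account="1234 5642")
WEBSITE_MASK = public_mask(OUR_DETAILS)                     # "XXXXXX42"

GENUINE_EMAIL = "Invoice 1041 is due.\nBSB: 062-000\nAccount: 1234 5642\n"
# A redirected invoice: attacker swapped in their own account.
REDIRECTED_EMAIL = "Invoice 1041 is due.\nBSB: 033-111\nAccount: 9876 5410\n"
# A redirected invoice whose mule account happens to end in the same two digits.
COLLIDING_EMAIL = "Invoice 1041 is due.\nBSB: 033-111\nAccount: 5555 5542\n"

if __name__ == "__main__":
    print("website shows:", WEBSITE_MASK)
    for label, mail in [("genuine", GENUINE_EMAIL),
                        ("redirected", REDIRECTED_EMAIL),
                        ("colliding", COLLIDING_EMAIL)]:
        print(f"{label:10s} -> {screen_invoice_email(mail, WEBSITE_MASK)}")
```

The colliding case is the caveat a practitioner should keep in mind: with only two digits visible, roughly one attacker-controlled account in a hundred will pass the check by chance, so the website mask catches a careless redirection but does not replace a phone confirmation for a large or first-time payment.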
Strengthening Your Defences
Cybersecurity is an evolving challenge, and the methods used to target business finances are becoming increasingly sophisticated. Moving away from the public sharing of sensitive financial data is a strong step toward protecting your organisation from social engineering and targeted phishing.
If you are concerned about how your payment processes may be exposing your business to risk, or if you would like to explore more secure ways to manage your data, the expert team at Vertex is here to help. We help hundreds of businesses take the right steps to be more secure. Please contact Vertex for further assistance or visit our website to learn more about our services.