Your online security is our concern

As a user of Business Online, your right to privacy and security is important to us. We understand that any information transmitted via our channels is sensitive and, as such, needs to be protected at all times.

All interactions with our transactional sites are protected through encryption that complies with international standards of good practice. Our application webservers are protected by firewalls and intrusion detection systems. Access to information on these servers is restricted to authorised personnel only.

We have also employed the services of independent security experts to test and advise us on the security of our systems and an independent party conducts internal audits on a regular basis.

Security Tips

Here are some tips that will help you to ensure your online environment is as secure as possible:

  • Control access to your premises, particularly to areas where critical computers are located
  • Ensure that anti-virus, anti-spyware, and intrusion prevention systems are up to date
  • Keep operating systems updated. Ensure that the latest patches are installed, that software is licensed and legal, and that systems are configured correctly.
  • Run the latest Java version. Business Online runs on Java Runtime Environment (JRE) version 6 and upwards. Older versions could leave you exposed.
  • Ensure your employees keep their login details confidential and change passwords regularly
  • Familiarise yourself with the information on Business Online
  • Be alert at all times. Fraudsters strike in those weak moments when your guard is down
  • Never share your token with anyone or leave it unattended. Always keep it locked away securely

What to look out for

Protect Yourself from Fraud and Online Scams

We remain committed to protecting your information, but we also need you to ensure that you have taken effective security measures when transacting over the Internet. For queries please contact our 24-Hour Fraud Hotline on 0800 222 050.


Phishing misleads users into sharing sensitive information (i.e. passwords, credit card details or bank account numbers), for malicious purposes, via electronic means or communication.

Perpetrators of phishing attacks lead you to believe you are performing a familiar action and take advantage of that established trust to harvest confidential or authentication level information from you.

Smishing (SMS Phishing)

Smishing is the cell phone equivalent to phishing. Instead of being directed by email to a website, a text message is sent to your cell phone with a request to click on a link. The link causes a Trojan to be installed on your cell phone.

Email Spoofing (Identity theft)

Email spoofing is a malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver.

Since you are more likely to open an email from a person or company that you recognise, they trick you into opening the forged email, asking you to make a payment, to reveal personal and confidential information, or to download an attachment.

Keystroke logging

Keystroke logging is a system of "recording" a series of keystrokes and then "playing back" the recording to replicate the actions of the user. It is used by fraudsters to access information about internet users, such as passwords, credit card and banking information, personal details, and more, to use in identity theft and other malicious deeds.


A spoofed website claims to be the legitimate site of an organisation and is set up to look like the original.

Spoofed websites usually have similar logos to the original sites and, in some cases, they may even be identical. The domain name or web address is also similar to that of the original website and will often use words related to the company's name or products.

419 scams

With a 419 scam, also known as an advanced fee scam, an SMS or email – often in broken English – is sent to a recipient, usually from someone with a sad story, claiming to be in a foreign country, and making an offer that would result in a large pay off for the recipient.

Deposit refund scam

This deposit refund scam is when criminals contact you telling you that an amount of money was deposited into your bank account by accident, or that they have paid you a deposit for an urgent order that must be delivered immediately.

Banking details scam

In this scam, you will receive a letter on a company letterhead that appears to be authentic (or an email from a company that you believe is one of your trusted suppliers) informing you of a change to their bank account details.


A computer virus is a type of malicious program (or “malware”) that, if executed, replicates itself by modifying other computer programs and inserting its own code or making copies of itself on the computer system. Virus writers use social engineering (email, USBs, downloaded material, foreign websites, etc.) as a point of entry into an organisation or system to start the spread of viruses.

File Malware

There are many forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other intentionally harmful programs.


Ransomware is a type of virus or malware. The difference is that where a typical virus may go after your operating system or programs, ransomware goes after your data. By using cryptography in line with international standards or better, ransomware encrypts your data with a public key.


Be savvy about online banking security

Security breaches constantly make the headlines. That’s why it is critically important to ensure that your data is secure. Always remember that we will never ask you to update personal information like PINs or passwords via an email or over the phone.

  • The basic principle of IT security is to not be impregnable, or to be 100% secure
  • 100% security isn’t something to strive for, nor is it often practical
  • Aim to be better than the next target. Focus not only on preventing cyber-crime but also on being ready to detect it when it takes place and to respond to it when it happens


  • People are the weakest link in any organisation
  • Create and enforce awareness programs. Themes should include common threats that are being seen in the wider IT environment:
    • Phishing
    • Malware
    • Mobile security
    • Social engineering

Credential Management

  • Implement 2-Factor Authentication where possible
  • Avoid storing passwords in clear text
  • Implement a password policy that is in line with international best practice
  • Passwords need to be hashed and salted before being stored
  • Enforce the password policy on all systems in your environment
  • Exercise additional controls to protect authentication data
  • Password cracking is real and available; ensure the appropriate flags are raised to protect your organisation from brute force attacks

Access control

  • Ensure accountability for all accounts to your applications and infrastructure
  • Review all access monthly at a minimum
  • Provision access on a least privileged basis
  • Determine effective access for the systems and infrastructure in your organisation
  • Exercise additional controls over privileged user and system accounts
  • Attacks are traditionally performed on behalf of an authenticated user

Physical security

  • All access to your organisation needs to be authenticated and controlled
  • Ad hoc access needs to be attested to by an accountable permanent employee
  • Staff should display company issued identification
  • Be aware of the level of information that is openly displayed or available
  • Consider the use of additional access control around sensitive environments
  • Social engineering is often the easiest way into any organisation

Network security

  • Protect your payment files from point of origination to point of exit
  • Conduct reviews of your firewalls and external facing systems annually, at a minimum
  • Terminate all external connections within your DMZ
  • Consider the use of a sandboxed environment to scan received files
  • Consider segregating core or critical systems from the rest of your network
  • Standard Bank South Africa provides encrypted communications between your network and ours, but control of the source is within your domain

Operational security

  • Ensure patch levels of systems and infrastructure is at an (n-2) level at a minimum
  • Keep an up-to-date asset register of all hardware and software, including open systems, in your organisation
  • Implement anti-virus on Wintel systems and ensure open systems are kept up-to-date
  • Scan any attachments or files introduced into your environment for malware or viruses before opening them
  • It does not help to update Windows on your laptop without updating Java


Ensure that all these events are logged at a minimum:

  • Authentication and authorisation events
  • Provisioning and de-provisioning of user or system accounts, account locking, unlocking and password resets or changes
  • Granting, modifying, or revoking access rights to a user, file or object
  • Log all privileged user activity on systems and infrastructure
  • Log all system and application configuration changes
  • All logs should be stored remotely from where they are generated, without the capability to overwrite or edit

Business Continuity Planning (BCP)/Disaster Recovery (DR)

  • Backup your important data to a remote/offsite server
  • Segregate your important backups from the rest of your network
  • Create restore points where applicable
  • Test your DR plan on an annual basis at a minimum
  • Identify and remediate against single points of failure in your systems and in your organisation
  • Remember that availability and continuity are key pillars of IT security