What is Corporate Account Takeover?

Corporate account takeover is a type of cyber fraud where thieves gain access to a business' finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to the payroll, and stealing sensitive customer information that may not be recoverable.

First identified in 2006, this fraud has morphed in terms of the types of companies targeted and the technologies and techniques employed by cyber criminals.  Where cyber criminals once attached mostly large corporations, they have now begun to target municipalities, smaller businesses, and non-profit organizations.  Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud.  Educating all stakeholders (financial institutions, businesses and consumers) on how to identify and protect themselves against this activity is the first step to combating cyber-criminal activity.

How it's Done:

Cyber criminals employ various technological and non-technological methods to manipulate or trick victims into divulging personal or account information.  Such techniques may include performing an action such as opening an email attachment, accepting a fake friend request on a social networking site, or visiting a legitimate, yet compromised, website that installs malware on their computer(s).  Once the malware has been installed the fraudster is able to "see" and track the employee's activities across the business' internal network and on the Internet.  This tracking may include visits to your financial institution where login information can be compromised and used at a later time.  Using this information, the cyber thief can conduct unauthorized transactions that appear to be a legitimate transaction conducted by the company or employee.


How to Protect, Detect, and Respond:

1. Educate

Train your staff not to open unsolicited e-mail attachments.  Most banks, government agencies, payroll companies etc. will not send you an attachment unless it has first been discussed.

Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem, as it could actually be malicious software.

Teach and require best practices for IT security.

2. Enhance the security of your computer and networks to protect against this fraud

Minimize the number of, and restrict the functions for, computer workstations and laptops that are used for online banking and payments. A workstation used for online banking should not be used for general web browsing, e-mailing, and social networking. Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity.

Do not leave computers with administrative privileges and/or computers with monetary functions unattended. Log/turn off and lock up computers when not in use.

Use/install and maintain spam filters.

Install and maintain real-time anti-virus and anti-spyware desktop firewall and malware detection and removal software.
- Use these tools regularly to scan your computer. Allow for automatic updates and scheduled scans.

Install routers and firewalls to prevent unauthorized access to your computer or network.
- Change the default passwords on all network devices.

Install security updates to operating systems and all applications, as they become available. These updates may appear as weekly, monthly, or even daily for zero-day attacks.

Block pop-ups.

As recommended by Microsoft for users more concerned about security, many variants of malware can be defeated by using simple configuration settings like enabling Microsoft Windows XP7, Vista8, and 7 Data Execution Prevention (DEP)9 and disabling auto run commands10. You may also consider disabling JavaScript in Adobe Reader11. If these settings do not interfere with your normal business functions, it is recommended that these and other product settings be considered to protect against current and new malware for which security patches may not be available.

Keep operating systems, browsers, and all other software and hardware up-to-date.

Make regular backup copies of system files and work files.

Encrypt sensitive folders with the operating system’s native encryption capabilities. Preferably, use a whole disk encryption solution.

Do not use public Internet access points (e.g., Internet cafes, public Wi-Fi hotspots (airports), etc.) to access accounts or personal information. If using such an access point, employ a Virtual Private Network (VPN)12.

Keep abreast of the continuous cyber threats that occur. See the Additional Resources section for recommendations on sites to bookmark.

3. Enhance the security of your corporate banking processes and protocols

Initiate ACH and wire transfer payments under dual control using two separate computers. For example: one person authorizes the creation of the payment file and a second person authorizes the release of the file from a different computer system. This helps ensure that one person does not have the access authority to perform both functions, add additional authority, or create a new user ID.

Talk to your financial institution about Positive Pay and other services such as SMS texting, call backs, and batch limits which help to protect companies against altered checks, counterfeit check fraud and unauthorized ACH transactions.

If, when logging into your account, you encounter a message that the system is unavailable, contact your financial institution immediately.

4. Understand your responsibilities and liabilities

Familiarize yourself with your institution’s account agreement. Also be aware of your liability for fraud under the agreement and the Uniform Commercial Code (UCC), as adopted in the jurisdiction, as well as for your responsibilities set forth by the Payment Card Industry Data Security Standard (PCI DSS), should you accept credit cards.

5. Monitor and reconcile accounts at least once a day

Reviewing accounts regularly enhances the ability to quickly detect unauthorized activity and allows the business and the financial institution to take action to prevent or minimize losses.

6. Discuss the options offered by your financial institution to help detect or prevent out-of-pattern activity (including both routine and red flag reporting for transaction activity.)

7. Note any changes in the performance of your computer as:

A dramatic loss of speed.

Changes in the way things appear.

Computer locks up so the user is unable to perform any functions.

Unexpected rebooting or restarting of your computer.

An unexpected request for a one time password (or token) in the middle of an online session.

Unusual pop-up messages.

New or unexpected toolbars and/or icons.

Inability to shutdown and restart.

8. Pay attention to warnings

Your anti-virus software should alert you to potential viruses.  If you receive a warning message, contact your IT professional immediately.

9.  Be on alert for rogue emails

If someone says they received an email from you that you did not send, you probably have malware on your computer.

You can also check your email "outbox" to look for email that you did not send.

10. Run regular virus and malware scans on your computer's hard drive

This can usually be set to run automatically during non-peak hours, but you do need to set it up.

11.  If you detect suspicious activity, immediately cease all online activity and remove any computer systems that may be compromised from the network.

Disconnect the Ethernet cable and/or any other network connections (including wireless connections) to isolate the system from the network and prevent any unauthorized access.

12.  Make sure your employees know how and to whom to report suspicious activity to within your company and at your financial institution

13.  Immediately contact your financial institution so that the following actions may be taken:

Disable online access to accounts

Change online banking passwords.

Open new account(s) as appropriate.

Request that the financial institution's agent review all recent transactions and electronic authorizations on the account.  If suspicious active transactions are identified, cancel them immediately.

Ensure that no one has added any new payees, requested an address or phone number change, created any new user accounts, changed access to any existing user accounts, changed existing wire/ACH template profiles, changed PIN numbers or ordered new cards, checks or other account documents be sent to another address.

14.  Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident to the various agencies, financial institutions, and firms impacted

Be sure to record the date, time, contact telephone number, person spoken to, instructions, and any relevant report or reference number.

15.  File a police report and provide the facts and circumstances surrounding the loss.

Obtain a police report number with the date, time, department, location and officer’s name taking the report or involved in the subsequent investigation. Having a police report on file will often help facilitate the filing of claims with insurance companies, financial institutions, and other establishments that may be the recipient of fraudulent activity.

• The police report may result in a law enforcement investigation into the loss with the goal of identifying, arresting and prosecuting the offender, and possibly recovering losses.

• Depending on the incident and the circumstance surrounding the loss, investigating officials may request specific data be recorded and some or all of the system’s data may need to be preserved as potential evidence.

• In addition, you may choose to file a complaint online at www.ic3.gov. For substantial losses, contact your local FBI field office , your local United States Secret Service field office , or the Secret Service’s local Electronic Crimes Task Force.

16.  Have a contingency plan to recover systems suspected of compromise

The contingency plan should cover resolutions for a system infected by malware, data corruption, and catastrophic system/hardware failure. A recommended malware removal option is to reformat the hard drive, then reinstall the operating system and other software on the infected computer(s). There is no preservation of data using this method – all your data will be permanently erased. Do not take this step until you determine if a forensic analysis of the computer is needed.

17.  Consider whether other company or personal data may have been compromised

18.  Report exposures to PCI DSS

If your business accepts credit cards, you are subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) and you may be required to report and investigate the incident, limit the exposure of the cardholder data, and report the incident to your card company.