What is Corporate Account Takeover?
“Corporate account takeover” is when cyber-thieves gain control of a business’ bank account by stealing the business’ valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business’ computer workstations and laptops.
A business can become infected with malware via infected documents attached to an e-mail or a link contained within an e-mail that connects to an infected website. In addition, malware can be downloaded to user workstations and laptops by visiting legitimate websites – especially social networking sites – and clicking on the documents, videos or photos posted there. This malware can also spread across a business’ internal network.
The malware installs key logging software on the business' computer, which allows the perpetrator to capture a user’s credentials as they are entered at the business' Bank web site. Sophisticated versions of this malware can even capture token-generated passwords, alter the display of the Bank’s web site to the user, and/or display a fake web page indicating that the Bank’s web site is down. In this last case, the perpetrator can access the business’ bank account online without the possibility that the real user will log in to the web site.
Once installed, the malware provides the information that enables the cyber-thieves to impersonate the business in online banking sessions. To the Bank, the credentials look just like those of the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns, and ACH and wire transfer origination parameters (such as file size and frequency limits, and Standard Entry Class (SEC) codes). The cyber-thieves use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the U.S.
Why are Smaller Businesses and Organizations Targeted?
The cyber-thieves appear to be targeting small to medium-sized businesses, as well as smaller government agencies and nonprofits, for several reasons:
- Many small businesses and organizations have the capability to initiate funds transfers – ACH credits and wire transfers – via online banking (individual consumers generally do not have this capability except for payees set up in online bill payment systems);
- This funds transfer capability is often related to a small business’ origination of payroll payments;
- In corporate account takeover, the cyber-thieves may add fictitious names to a payroll file (directed to the accounts of money mules), and/or initiate payroll payments off-cycle to avoid daily origination limits;
- Small businesses often do not have the same level of resources as larger companies to defend their information technology systems;
- Many small businesses do not reconcile their accounts on a frequent or daily basis.
Prevention, Detection and Reporting for Business Customers
- Reconcile all banking transactions on a daily basis.
- Initiate ACH and wire transfer payments under dual control.
- Immediately report suspicious transactions to the Bank.
- Stay in touch with other businesses and industry sources to share information regarding suspected fraud activity.
- Utilize account alerts for various transaction types and balance levels.
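The daily reconciliation recommended above can be partly automated. The following Python code is an added example, not the Bank's own: it checks one day's ACH payroll batch against an approved payee roster and flags the tampering described earlier (names added to the payroll file, off-cycle origination). The roster, pay days, limit and sample batches are constructed assumptions.

```python
from datetime import date

# Constructed sample data: payee names, account identifiers, pay days and the
# limit are hypothetical stand-ins for the business's own payroll records.
APPROVED_ROSTER = {
    "Alice Moreno": "ACCT-0001",
    "Brian Cho": "ACCT-0002",
    "Dana Okafor": "ACCT-0003",
}
PAY_DAYS = {15, 30}              # assumed semi-monthly payroll cycle
DAILY_LIMIT_CENTS = 2_000_000    # assumed daily ACH origination limit

NORMAL_BATCH = [("Alice Moreno", "ACCT-0001", 320_000),
                ("Brian Cho", "ACCT-0002", 295_000),
                ("Dana Okafor", "ACCT-0003", 310_000)]
TAMPERED_BATCH = NORMAL_BATCH[:2] + [
    ("Dana Okafor", "ACCT-9001", 310_000),   # known payee, account swapped
    ("J. Smith", "ACCT-9002", 480_000),      # name not on the roster
]


def review_batch(batch_date, entries, roster=APPROVED_ROSTER,
                 pay_days=PAY_DAYS, daily_limit_cents=DAILY_LIMIT_CENTS):
    """Return sorted (code, detail) findings for one ACH payroll batch.

    entries: (payee_name, account, amount_in_cents) tuples taken from the
    day's online banking activity report.
    """
    findings = set()
    if batch_date.day not in pay_days:
        findings.add(("OFF_CYCLE", batch_date.isoformat()))
    total = 0
    for name, account, cents in entries:
        total += cents
        if name not in roster:
            findings.add(("NEW_PAYEE", name))
        elif roster[name] != account:
            findings.add(("CHANGED_ACCOUNT", name))
    if total > daily_limit_cents:
        findings.add(("OVER_LIMIT", f"{total / 100:.2f}"))
    return sorted(findings)


if __name__ == "__main__":
    for day, batch in ((date(2024, 3, 15), NORMAL_BATCH),
                       (date(2024, 3, 21), TAMPERED_BATCH)):
        print(day, review_batch(day, batch) or "no findings")
```

Any finding is a reason to hold the batch and confirm it with a second person before release, in line with the dual-control recommendation.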
Computer Security Tools and Practices
- Install a dedicated, actively managed firewall. A firewall limits the potential for unauthorized access to a network and computers.
- Install and regularly update commercial anti-virus software on all computer systems.
- Ensure computers, particularly the operating system and key applications, are regularly updated with security patches.
- Consider installing spyware detection programs.
- Be suspicious of e-mails purporting to be from a Bank, government department or other agency requesting account information, account verification or banking access such as usernames, passwords, PIN codes and other information. If you are not certain of the source, do not click any links.
- Use strong passwords with at least 8 characters using a combination of letters, numbers and special characters. Change passwords several times a year, if not once a month.
- Prohibit the use of shared usernames and passwords for online banking systems. Never share usernames and passwords with third-party providers.
- Limit administrative rights on users’ workstations.
- Conduct online banking activity from a stand-alone computer from which email and web browsing are not allowed.
- Verify use of a secure session, “https”, in the browser for all online banking websites.
- Never leave a computer unattended while using any online banking services and never access online banking from internet cafes or public places.
Recommendations for Corporate Account Takeover Victims
- Immediately cease all activity from computer systems that may be compromised. Disconnect the Ethernet or other network connections to isolate the system from remote access.
- Immediately contact the bank so that the following actions may be taken:
  - Disable online access to accounts.
  - Review transaction history for fraudulent activity.
  - Close affected accounts and open new accounts as appropriate.
- File a police report.
Please contact us if you have any questions regarding the information contained above.
If you have fallen victim to Corporate Account Takeover, Premier is here to assist you. Contact us at 213-689-4800.