Corporate Account Takeover - wyocb.com
TRANSCRIPT
Corporate Account Takeover: Protecting Your Business From Financial Fraud
Legal Notice
This presentation is for informational purposes and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions, and security threats change constantly.
Do you do any of the following?
• Originate ACH Credits – Direct Deposit Payroll
• Originate ACH Debits – Direct Billing
• Use Online Bill Pay
• Use Wires – Domestic and/or International
• Use Business Credit Cards
You could be at risk for Corporate Account Takeover…
What is Corporate Account Takeover?
• Cyber-thieves gain control of a business's bank account by stealing the business's valid online banking credentials, such as usernames, passwords, authentication questions and answers, and security keys.
• The thieves then use the online payment systems the business already relies on to send ACH payments, wire transfers, or other transfers to accounts they control.
Dissecting a CATO Attack
1. Target Victims – Criminals target victims by way of phishing, spear phishing or social engineering techniques.
2. Install Malware – The victims unknowingly install malware on their computers, often including key logging and screen shot capabilities.
3. Online Banking – The victims visit their online banking website and log on per the standard process.
4. Collect & Transmit Data – The malware collects and transmits data back to the criminals through a backdoor connection.
5. Initiate Funds Transfer(s) – The criminals leverage the victim's online banking credentials to initiate a funds transfer from the victim's account.
Common Techniques
• Phishing – use email to obtain the information necessary to steal an identity or cause the user to download malware.
• Fake Popups – popups that appear to be legitimate, but install malware.
• Compromising Legitimate Sites – these sites look safe, but may hide malicious code.
• Exploitation of Software Vulnerabilities – use weaknesses in software applications to gain access to system information and resources.
Phishing Ploys
• Email attachments – often .zip or .pdf files
• Fake friend requests
• Approved loan requests
• Problems with a shipment
• Better Business Bureau complaints filed against a business
• Online account issues requiring entry of account information
• Bank account issues – missing information, incomplete transfers, etc.
• Subpoena notifications
Phishing Ploys | Example screenshots (images not reproduced in this transcript): two fake bank messages, a fake UPS shipping message, a fake popup, and, for comparison, a legitimate message
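Added example (not part of the original presentation): a small Python check that applies two of the tells behind the fake bank and fake UPS messages above. The first is a link whose visible text names one site while its href points somewhere else; the second is a link whose host merely embeds a trusted name inside an unrelated domain. The sample message bodies and the list of trusted hosts (wyocb.com, ups.com) are constructed for the example, and the domain parsing is deliberately naive (last two labels) rather than public-suffix aware.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the organisations this business expects mail from.
TRUSTED_HOSTS = ("wyocb.com", "ups.com")

# Constructed sample bodies (not real messages), modelled on the slide titles.
SAMPLE_FAKE_BANK = (
    '<p>Your account has been locked. Verify your details at '
    '<a href="http://wyocb.com.account-verify.example/login">'
    'https://www.wyocb.com/login</a></p>'
)
SAMPLE_FAKE_UPS = (
    '<p>A shipment could not be delivered. '
    '<a href="http://ups-tracking-update.example/?id=41">Track your package</a></p>'
)
SAMPLE_LEGIT = (
    '<p>Your statement is ready: '
    '<a href="https://www.wyocb.com/statements">www.wyocb.com</a></p>'
)

# Visible link text that itself looks like a URL or bare host name.
_HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case host of a URL; bare 'www.example.com/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Naive registrable domain: the last two labels. Adequate for .com-style
    hosts; a real deployment would consult the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return [(href, reason)] for links that look like phishing."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        href_dom = _registrable(href_host)

        # Tell 1: the visible text is a URL/host, but for a different site.
        if _HOSTLIKE.match(text):
            text_host = _host(text)
            if _registrable(text_host) != href_dom:
                findings.append((href, f"text shows {text_host} but link goes to {href_host}"))
                continue

        # Tell 2: a trusted name is buried inside an unrelated domain
        # (as a label, a hyphenated fragment, or a full 'bank.com.' prefix).
        labels = re.split(r"[.-]", href_host)
        for trusted in TRUSTED_HOSTS:
            if href_dom != trusted and (trusted in href_host or trusted.split(".")[0] in labels):
                findings.append((href, f"lookalike of {trusted}: {href_host}"))
                break
    return findings


if __name__ == "__main__":
    samples = [("fake bank", SAMPLE_FAKE_BANK), ("fake UPS", SAMPLE_FAKE_UPS), ("legit", SAMPLE_LEGIT)]
    for name, body in samples:
        print(name, "->", suspicious_links(body) or "no findings")
```

Both checks are heuristics: a criminal who registers a domain with no resemblance to the bank's passes the second, which is why the slide's advice to reach the organisation by a known phone number or a typed-in address remains the primary control.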
Protect, Detect and Respond
• Education & prevention program developed by:
  ◦ US Secret Service (USSS)
  ◦ FBI
  ◦ Financial Services – Information Sharing & Analysis Center (FS-ISAC)
  ◦ Internet Crime Complaint Center (IC3)
• Delineates a security framework for business owners to follow
• Many solutions are commercially reasonable for both small & large businesses
Protect | Educate All Employees
• Don't automatically click on email attachments or links
• If the message appears to be from a legitimate source, contact the business or organization through other ways:
  ◦ Call the business at a number known to be authentic
  ◦ Go to the business's legitimate website directly, not via the link in the message
• Employ IT security best practices:
  ◦ Use strong passwords
  ◦ Change passwords often – typically every 30-60 days (note: current NIST guidance in SP 800-63B recommends changing a password when compromise is suspected rather than on a fixed schedule)
  ◦ Don't share passwords
  ◦ Lock workstations when stepping away
Protect | Enhance Network Security
• Restrict capabilities on individual workstations:
  ◦ No administrative privileges
  ◦ No web browsing or email capabilities on computers used for online banking or to access other online payment systems
• Use spam filters
• Install & maintain real-time anti-virus & anti-malware detection and removal software
• Enable desktop firewalls
• Install & maintain a network firewall
• Change the default passwords on all network devices
Protect | Enhance Network Security
• Install security updates on all operating systems and applications as they become available
• Keep all operating systems, browsers & applications up-to-date
• Make regular backup copies of system & work files
• Encrypt sensitive folders
• Don’t use public Internet access points (e.g. wifi at restaurants, hotels, airports, etc.) when accessing accounts or other personal information
• Keep abreast of cyber threats
Protect | Enhance Banking Security
• Initiate ACH and wire transfers under dual control using two separate computers
• Ask your financial institution about "out-of-band" verification methods such as call backs and SMS texts, and about controls such as batch and per-transaction limits
• Contact your financial institution immediately if you encounter a message that the system is unavailable – malware commonly shows a fake "site unavailable" page while it submits transfers in the background
Detect
• Monitor and reconcile accounts at least once a day
• Discuss options offered by your financial institution to help detect or prevent out-of-pattern activity
• Note any changes in your computers’ performance
• Pay attention to anti-virus or other warnings
• Be on the alert for rogue emails
• Run regular virus & malware scans on all hard drives
Detect | Anti-virus Warning
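Added example (not from the original presentation): a Python script of the kind a business could run against each day's transaction export to catch out-of-pattern activity, as the Detect slide recommends. It flags a beneficiary the business has never paid, an amount above its own per-transfer limit, and a transfer released outside business hours. The export layout, the known-payee list, the limits and the sample rows are all constructed assumptions; the bank-side batch and per-transaction limits remain the stronger control, this is the daily reconciliation beside them.

```python
import csv
import io
from datetime import datetime

# Assumptions for the example: payees the business has paid before, its own
# per-transfer ceiling, and the hours during which it normally releases payments.
KNOWN_PAYEES = {"ADP PAYROLL", "CITY UTILITIES", "ACME SUPPLY CO"}
PER_TRANSFER_LIMIT = 25_000.00
BUSINESS_HOURS = (7, 18)  # releases expected between 07:00 and 18:00 local

# Constructed sample export (not real data): one day's outbound transfers.
SAMPLE_EXPORT = """\
date,type,beneficiary,amount,memo
2024-03-04 08:15,ACH,ADP PAYROLL,18450.00,payroll wk 9
2024-03-04 09:02,ACH,CITY UTILITIES,1320.55,acct 4417
2024-03-04 03:41,WIRE,GLOBAL TRADE LTD,47900.00,invoice 1182
2024-03-04 11:20,ACH,ACME SUPPLY CO,2999.00,po 7731
"""


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "when": datetime.strptime(r["date"], "%Y-%m-%d %H:%M"),
            "type": r["type"].strip().upper(),
            "beneficiary": r["beneficiary"].strip().upper(),
            "amount": float(r["amount"]),
            "memo": r["memo"],
        })
    return rows


def flag_transfers(rows, known=KNOWN_PAYEES, limit=PER_TRANSFER_LIMIT, hours=BUSINESS_HOURS):
    """Return [(row, [reasons])] for every transfer that breaks a rule.

    A single new payee is not proof of fraud, but a new payee that is also
    large and released at night is exactly the pattern a CATO transfer shows,
    so all reasons are reported together rather than stopping at the first.
    """
    flagged = []
    for row in rows:
        reasons = []
        if row["beneficiary"] not in known:
            reasons.append("new beneficiary never paid before")
        if row["amount"] > limit:
            reasons.append(f"amount {row['amount']:.2f} exceeds limit {limit:.2f}")
        hour = row["when"].hour
        if not hours[0] <= hour < hours[1]:
            reasons.append(f"released at {row['when']:%H:%M}, outside business hours")
        if reasons:
            flagged.append((row, reasons))
    return flagged


def daily_outbound_total(rows):
    """Total outbound for the day, to compare against the bank's own figure."""
    return round(sum(r["amount"] for r in rows), 2)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(f"{len(rows)} transfers, outbound total {daily_outbound_total(rows):.2f}")
    for row, reasons in flag_transfers(rows):
        print(f"REVIEW {row['type']} {row['amount']:.2f} to {row['beneficiary']}: " + "; ".join(reasons))
```

Run it before the bank's return deadline for the day's ACH batch, and add a beneficiary to the known list only after it has been confirmed through the dual-control process the deck describes.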
Respond | Take Immediate Action
• If suspicious activity is detected, immediately cease all online activity and remove any computer systems that may be compromised from the network (disconnect them, but keep them intact for forensic review rather than wiping or reimaging first)
• Make sure your employees know how and to whom to report suspicious activity
• Immediately contact your financial institution(s) in order to:
  ◦ Disable online access to accounts
  ◦ Change online banking passwords
  ◦ Open new account(s) as appropriate
  ◦ Request a review of transactions
  ◦ Request a review of online banking accounts to determine if information was changed or new users were added
Respond | Next Steps
• Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident – make sure to notify:
  ◦ Your financial institution(s)
  ◦ Agencies such as the Federal Trade Commission or IC3
  ◦ All consumers that were affected by the fraud
  ◦ Any other businesses or organizations that may have been impacted
• File a police report
• Implement a contingency plan for recovering systems suspected of compromise
• Consider whether other company or personal data may have been compromised
• If you accept credit/debit cards, report any exposure of cardholder data to your acquiring bank and the card brands, as PCI DSS requires
Websites to Know
• IC3 | www.ic3.gov
• Your FBI field office | www.fbi.gov/contact-us/field/field-offices
• Your USSS field office | www.secretservice.gov/field_offices.shtml
• USSS Electronic Crimes Task Force | www.secretservice.gov/ectf.shtml
• PCI DSS | www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• Federal Trade Commission | business.ftc.gov
Learn More
• IC3 | CATO Fraud Advisory
• NACHA | Corporate Account Takeover What You Need to Know
• NACHA | Sound Business Practices to Mitigate Corporate Account Takeover
• Federal Communications Commission | Small Business Cyber Planner
• US Chamber of Commerce | Internet Security Essentials for Business
• Better Business Bureau | Data Security Made Simpler
• National Cyber Security Alliance | STOP. THINK. CONNECT. Campaign