Corporate Account Takeover - wyocb.com (posted 18-Jun-2020)

Page 1: Corporate Account Takeover: Protecting Your Business From Financial Fraud

Page 2: Legal Notice

This presentation is for informational purposes only and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions, and security threats change constantly.

Page 3: Do you do any of the following?

• Originate ACH credits – direct deposit payroll
• Originate ACH debits – direct billing
• Use online bill pay
• Use wires – domestic and/or international
• Use business credit cards

If so, you could be at risk for Corporate Account Takeover.

Page 4: What is Corporate Account Takeover?

• Cyber-thieves gain control of a business's bank account by stealing the business's valid online banking credentials, such as usernames, passwords, authentication questions and answers, and security keys.
• With those credentials the thieves can use the same online payment systems the business uses to send ACH payments, wire transfers, or other transfers to accounts they control.

Page 5: Dissecting a CATO Attack

1. Target victims – criminals target victims by way of phishing, spear phishing or social engineering techniques.
2. Install malware – the victims unknowingly install malware on their computers, often including keylogging and screenshot capabilities.
3. Online banking – the victims visit their online banking website and log on per the standard process.
4. Collect and transmit data – the malware collects the credentials and session data and transmits them back to the criminals through a backdoor connection.
5. Initiate funds transfer(s) – the criminals use the victim's online banking credentials to initiate funds transfers from the victim's account.

Page 6: Common Techniques

• Phishing – email crafted to obtain the information needed to steal an identity, or to get the user to download malware.
• Fake popups – popups that appear legitimate but install malware.
• Compromised legitimate sites – sites that look safe but have been altered to hide malicious code.
• Exploitation of software vulnerabilities – weaknesses in software applications are used to gain access to system information and resources.

Page 7: Phishing Ploys

• Email attachments – often .zip or .pdf files
• Fake friend requests
• Approved loan requests
• Problems with a shipment
• Better Business Bureau complaints filed against a business
• Online account issues requiring entry of account information
• Bank account issues – missing information, incomplete transfers, etc.
• Subpoena notifications

Page 8: Phishing Ploys | Fake Bank Message

Page 9: Phishing Ploys | Fake Bank Message

Page 10: Phishing Ploys | Fake UPS Message

Page 11: Phishing Ploys | Fake Popup

Page 12: Phishing Ploys | Legitimate Message

Page 13: Protect, Detect and Respond

• Education and prevention program developed by:
  – US Secret Service (USSS)
  – FBI
  – Financial Services – Information Sharing & Analysis Center (FS-ISAC)
  – Internet Crime Complaint Center (IC3)
• Delineates a security framework for business owners to follow
• Many solutions are commercially reasonable for both small and large businesses

Page 14: Protect | Educate All Employees

• Don't automatically click on email attachments or links.
• If the message appears to be from a legitimate source, contact the business or organization through other means:
  – Call the business at a number known to be authentic
  – Go to the business's legitimate website (typed in yourself, not reached through the message's link)
• Employ IT security best practices:
  – Use strong passwords
  – Change passwords often – the deck suggests every 30-60 days; note that current NIST guidance (SP 800-63B) favors long, unique passwords plus multi-factor authentication, with changes made when compromise is suspected rather than on a fixed schedule
  – Don't share passwords
  – Lock workstations when stepping away

Page 15: Protect | Enhance Network Security

• Restrict capabilities on individual workstations:
  – No administrative privileges
  – No web browsing or email on computers used for online banking or to access other online payment systems
• Use spam filters
• Install and maintain real-time anti-virus and anti-malware detection and removal software
• Enable desktop firewalls
• Install and maintain a network firewall
• Change the default passwords on all network devices

Page 16: Protect | Enhance Network Security (continued)

• Install security updates on all operating systems and applications as they become available
• Keep all operating systems, browsers and applications up to date
• Make regular backup copies of system and work files
• Encrypt sensitive folders
• Don't use public Internet access points (e.g. Wi-Fi at restaurants, hotels, airports, etc.) when accessing accounts or other personal information
• Keep abreast of cyber threats

Page 17: Protect | Enhance Banking Security

• Initiate ACH and wire transfers under dual control: one person creates the payment and a second person approves it, each from a separate computer, so that a single compromised workstation or credential cannot complete a transfer on its own
• Ask your financial institution about "out-of-band" verification methods such as call-backs, SMS texts, and batch limits
• Contact your financial institution immediately if you encounter a message that the system is unavailable – banking malware commonly shows a fake "unavailable" or "please wait" page to keep you off the real site while fraudulent transfers are submitted through your session
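The dual-control and out-of-band controls above, modelled in code. This is an added example written for this page, not code from the wyocb.com deck or from any bank's system; the user names, device identifiers, batch limit, and the shared secret that stands in for the bank's out-of-band channel are all assumptions chosen for illustration. A payment created by one person on one machine can only be released by a different person on a different machine, after entering a confirmation code that is bound to the exact amount and destination (so a code obtained for one payment cannot release a modified one), with a guess limit on the code.

```python
"""Dual-control release of ACH/wire payments with out-of-band confirmation.

Added example (not from the wyocb.com slide deck). The users, devices, limit
and shared secret below are made-up values for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical per-business batch limit: a single payment above this amount
# is refused outright (the deck's "batch limits" control).
BATCH_LIMIT = 25_000.00
MAX_CODE_ATTEMPTS = 3


@dataclass
class Payment:
    payment_id: str
    amount: float
    destination: str
    initiated_by: str
    initiated_on_device: str
    released: bool = False
    attempts: int = 0


class DualControlQueue:
    """Payments are initiated by one person on one machine and released by a
    different person on a different machine, after entering a code the bank
    delivered out of band (call-back, SMS). The code is simulated as an HMAC
    over the payment details; the secret is assumed to be held by the bank."""

    def __init__(self, oob_secret: bytes):
        self._oob_secret = oob_secret
        self._pending = {}  # payment_id -> Payment

    def initiate(self, user: str, device: str, amount: float, destination: str) -> Payment:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if amount > BATCH_LIMIT:
            raise ValueError(f"{amount:.2f} exceeds batch limit {BATCH_LIMIT:.2f}")
        payment = Payment(secrets.token_hex(8), amount, destination, user, device)
        self._pending[payment.payment_id] = payment
        return payment

    def out_of_band_code(self, payment_id: str) -> str:
        """The 6-digit code the bank would send to a phone number on file,
        never to the browser session that created the payment. Because it is
        computed over id, amount and destination, it is useless if malware
        silently changes either before release."""
        p = self._pending[payment_id]
        msg = f"{p.payment_id}|{p.amount:.2f}|{p.destination}".encode()
        digest = hmac.new(self._oob_secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def release(self, user: str, device: str, payment_id: str, code: str) -> bool:
        p = self._pending.get(payment_id)
        if p is None or p.released:
            return False            # unknown payment, or replay of a released one
        if user == p.initiated_by:
            return False            # separation of duties: no self-approval
        if device == p.initiated_on_device:
            return False            # two separate computers, per the deck
        p.attempts += 1
        if p.attempts > MAX_CODE_ATTEMPTS:
            return False            # stop online guessing of the code
        if not hmac.compare_digest(code, self.out_of_band_code(payment_id)):
            return False
        p.released = True
        return True


def demo() -> dict:
    """Walk the control set with constructed users and devices; returns the
    outcome of each attempt so the behaviour can be checked."""
    q = DualControlQueue(oob_secret=b"example-shared-secret")
    p = q.initiate("alice", "PC-ACCOUNTING", 9_800.00, "ACME Supply / 021000021 / 123456")
    code = q.out_of_band_code(p.payment_id)
    return {
        "self_approval": q.release("alice", "PC-ACCOUNTING", p.payment_id, code),
        "same_machine": q.release("bob", "PC-ACCOUNTING", p.payment_id, code),
        "wrong_code": q.release("bob", "PC-TREASURY", p.payment_id, "000000"),
        "good": q.release("bob", "PC-TREASURY", p.payment_id, code),
        "replay": q.release("bob", "PC-TREASURY", p.payment_id, code),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the confirmation code is generated and delivered by the bank, so the business never holds the secret; the point the example makes is which checks the approval step must enforce (different person, different machine, code bound to the payment details, limited attempts, no replay) before any transfer leaves the account.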

Page 18: Detect

• Monitor and reconcile accounts at least once a day
• Discuss options offered by your financial institution to help detect or prevent out-of-pattern activity
• Note any changes in your computers' performance
• Pay attention to anti-virus or other warnings
• Be on the alert for rogue emails
• Run regular virus and malware scans on all hard drives
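What "reconcile accounts at least once a day" looks like when automated: the bank's reported activity is compared against the business's own record of what it authorized, and anything outgoing that the business did not authorize, that goes to a payee it has never paid, or that was released outside working hours is flagged. This is an added example for this page, not code from the deck or from any bank; the CSV export format, the payee list, the business-hours window and every transaction row are constructed sample data (real online-banking exports differ by institution). The three debits to unfamiliar payees in the sample, two of them near midnight, are the pattern a CATO would leave.

```python
"""Daily reconciliation of bank activity against the authorized-payment ledger.

Added example, not from the wyocb.com deck. The export format, payees,
thresholds and transaction rows are constructed sample data.
"""
import csv
import io
from datetime import datetime
from typing import Dict, List

# Constructed sample of an online-banking activity export (format assumed).
BANK_ACTIVITY_CSV = """date,type,amount,counterparty,reference
2020-06-17 09:12,ACH_CREDIT,4820.55,Payroll Batch,PR-0617
2020-06-17 10:40,ACH_DEBIT,1299.00,ACME Supply,INV-1188
2020-06-17 11:02,WIRE_OUT,9800.00,Global Trade Ltd,WR-2291
2020-06-17 23:47,ACH_DEBIT,4950.00,Global Trade Ltd,WR-2292
2020-06-17 23:49,ACH_DEBIT,4950.00,J. Doe,WR-2293
"""

# The business's own record of what it released (kept in its ledger, not
# read back from the bank site, which a compromised browser could falsify).
AUTHORIZED = {
    ("PR-0617", 4820.55),
    ("INV-1188", 1299.00),
}
KNOWN_PAYEES = {"Payroll Batch", "ACME Supply"}
BUSINESS_HOURS = (7, 19)        # assumed local hours in which staff release payments
OUTGOING_TYPES = {"ACH_DEBIT", "WIRE_OUT"}


def reconcile(csv_text: str) -> List[Dict]:
    """Return one finding per suspicious outgoing transaction, each with the
    list of reasons it was flagged. An empty list means the day reconciles."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] not in OUTGOING_TYPES:
            continue                        # incoming credits are not our exposure here
        amount = float(row["amount"])
        when = datetime.strptime(row["date"], "%Y-%m-%d %H:%M")
        reasons = []
        if (row["reference"], amount) not in AUTHORIZED:
            reasons.append("not in authorized-payment ledger")
        if row["counterparty"] not in KNOWN_PAYEES:
            reasons.append("new payee")
        if not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append({
                "reference": row["reference"],
                "amount": amount,
                "counterparty": row["counterparty"],
                "reasons": reasons,
            })
    return findings


def unexplained_outflow(findings: List[Dict]) -> float:
    """Total of outgoing money the business has no record of authorizing;
    this is the figure to give the bank when requesting a recall."""
    return sum(f["amount"] for f in findings
               if "not in authorized-payment ledger" in f["reasons"])


if __name__ == "__main__":
    found = reconcile(BANK_ACTIVITY_CSV)
    for f in found:
        print(f"{f['reference']} {f['amount']:>9.2f} {f['counterparty']:<18} {', '.join(f['reasons'])}")
    print(f"unexplained outflow: {unexplained_outflow(found):.2f}")
```

Run this against each day's export before the bank's ACH return and wire recall windows close; the check that matters most is the ledger comparison, because an attacker who has the online banking credentials can make the bank's own web pages show whatever they like, but cannot rewrite the accounting system's record of what was actually approved.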

Page 19: Detect | Anti-virus Warning

Page 20: Respond | Take Immediate Action

• If suspicious activity is detected, immediately cease all online activity and remove any computer systems that may be compromised from the network
• Make sure your employees know how and to whom to report suspicious activity
• Immediately contact your financial institution(s) in order to:
  – Disable online access to accounts
  – Change online banking passwords
  – Open new account(s) as appropriate
  – Request a review of transactions
  – Request a review of online banking accounts to determine whether information was changed or new users were added

Page 21: Respond | Next Steps

• Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident. Make sure to notify:
  – Your financial institution(s)
  – Agencies such as the Federal Trade Commission or IC3
  – All consumers affected by the fraud
  – Any other businesses or organizations that may have been impacted
• File a police report
• Implement a contingency plan for recovering systems suspected of compromise
• Consider whether other company or personal data may have been compromised
• If you accept credit/debit cards, report the exposure as PCI DSS requires (to your acquiring bank or payment processor, who will notify the affected card brands)

Page 22: Websites to Know

• IC3 | www.ic3.gov
• Your FBI field office | www.fbi.gov/contact-us/field/field-offices
• Your USSS field office | www.secretservice.gov/field_offices.shtml
• USSS Electronic Crimes Task Force | www.secretservice.gov/ectf.shtml
• PCI DSS | www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• Federal Trade Commission | business.ftc.gov

Page 23: Learn More

• IC3 | CATO Fraud Advisory
• NACHA | Corporate Account Takeover: What You Need to Know
• NACHA | Sound Business Practices to Mitigate Corporate Account Takeover
• Federal Communications Commission | Small Business Cyber Planner
• US Chamber of Commerce | Internet Security Essentials for Business
• Better Business Bureau | Data Security Made Simpler
• National Cyber Security Alliance | STOP. THINK. CONNECT. Campaign