Corporate Account Takeover Protecting Your Business From Financial Fraud
Legal Notice This presentation is for informational purposes and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions, and security threats change constantly.
Do you do any of the following?
• Originate ACH Credits – Direct Deposit Payroll
• Originate ACH Debits – Direct Billing
• Use Online Bill Pay
• Use Wires – Domestic and/or International
• Use Business Credit Cards
You could be at risk for Corporate Account Takeover…
What is Corporate Account Takeover?
• When cyber-thieves gain control of a business’s bank account by stealing the business’s valid online banking credentials, such as usernames, passwords, authentication questions & answers, and security keys.
• Thieves can then initiate transfers via the online payment systems the business utilizes to send ACH payments, wire transfers, or other transfers to the thieves’ own accounts.
Dissecting a CATO Attack
1. Target Victims – Criminals target victims by way of phishing, spear phishing or social engineering techniques.
2. Install Malware – The victims unknowingly install malware on their computers, often including key logging and screen shot capabilities.
3. Online Banking – The victims visit their online banking website and logon per the standard process.
4. Collect & Transmit Data – The malware collects and transmits data back to the criminals through a backdoor connection.
5. Initiate Funds Transfer(s) – The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account.
Common Techniques
• Phishing – use email to obtain the information necessary to steal an identity or cause the user to download malware.
• Fake Popups – popups that appear to be legitimate, but install malware.
• Compromising Legitimate Sites – these sites look safe, but may hide malicious code.
• Exploitation of Software Vulnerabilities – use weaknesses in software applications to gain access to system information and resources.
Phishing Ploys
• Email attachments – often .zip or .pdf files
• Fake friend requests
• Approved loan requests
• Problems with a shipment
• Better Business Bureau complaints filed against a business
• Online account issues requiring entry of account information
• Bank account issues – missing information, incomplete transfers, etc.
• Subpoena notifications
Phishing Ploys | Fake Bank Message
Phishing Ploys | Fake UPS Message
Phishing Ploys | Fake Popup
Phishing Ploys | Legitimate Message
Protect, Detect and Respond
• Education & prevention program developed by:
  – US Secret Service (USSS)
  – FBI
  – Financial Services – Information Sharing & Analysis Center (FS-ISAC)
  – Internet Crime Complaint Center (IC3)
• Delineates a security framework for business owners to follow
• Many solutions are commercially reasonable for both small & large businesses
Protect | Educate All Employees
• Don’t automatically click on email attachments or links
• If the message appears to be from a legitimate source, contact the business or organization through other ways:
  – Call the business at a number known to be authentic
  – Go to the business’s legitimate website
• Employ IT security best practices:
  – Use strong passwords
  – Change passwords often – typically every 30-60 days
  – Don’t share passwords
  – Lock workstations when stepping away
Protect | Enhance Network Security
• Restrict capabilities on individual workstations:
  – No administrative privileges
  – No web browsing or email capabilities on computers used for online banking or to access other online payment systems
• Use spam filters
• Install & maintain real-time anti-virus & anti-malware detection and removal software
• Enable desktop firewalls
• Install & maintain a network firewall
• Change the default passwords on all network devices
Protect | Enhance Network Security
• Install security updates on all operating systems and applications as they become available
• Keep all operating systems, browsers & applications up-to-date
• Make regular backup copies of system & work files
• Encrypt sensitive folders
• Don’t use public Internet access points (e.g. wifi at restaurants, hotels, airports, etc.) when accessing accounts or other personal information
• Keep abreast of cyber threats
Protect | Enhance Banking Security
• Initiate ACH and wire transfers under dual control using two separate computers
• Ask your financial institution about “out-of-band” verification methods such as call backs, SMS texts, and batch limits
• Contact your financial institution immediately if you encounter a message that the system is unavailable
Detect
• Monitor and reconcile accounts at least once a day
• Discuss options offered by your financial institution to help detect or prevent out-of-pattern activity
• Note any changes in your computers’ performance
• Pay attention to anti-virus or other warnings
• Be on the alert for rogue emails
• Run regular virus & malware scans on all hard drives
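One way to put the daily monitor-and-reconcile step into practice, as an added example rather than anything from the presentation: a script that compares the bank’s outgoing-transaction report against the payments the business actually approved and flags unapproved transfers, first-time payees and over-limit wires. The register, payee history, wire limit and report field names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """One outgoing transaction as it appears on the bank's daily activity report."""
    txn_id: str
    kind: str          # "ACH" or "WIRE"
    payee: str         # beneficiary identifier as shown by the bank
    amount_cents: int  # integer cents avoids float rounding on money


# Payments the business actually approved today (constructed register).
AUTHORIZED = {("ACH", "payroll-acct-1", 1_250_000), ("ACH", "vendor-acme", 230_000)}
# Beneficiaries paid in prior months (constructed history).
KNOWN_PAYEES = {"payroll-acct-1", "vendor-acme", "vendor-globex"}
# Per-transfer wire ceiling agreed with the bank (assumed value, in cents).
WIRE_LIMIT_CENTS = 500_000


def reconcile(bank_txns, authorized=AUTHORIZED, known_payees=KNOWN_PAYEES,
              wire_limit_cents=WIRE_LIMIT_CENTS):
    """Map each suspicious txn_id to the reasons it needs a call to the bank."""
    alerts = {}
    for t in bank_txns:
        reasons = []
        if (t.kind, t.payee, t.amount_cents) not in authorized:
            reasons.append("not in today's authorized payment register")
        if t.payee not in known_payees:
            reasons.append("first-ever payment to this payee")
        if t.kind == "WIRE" and t.amount_cents > wire_limit_cents:
            reasons.append("wire exceeds agreed per-transfer limit")
        if reasons:
            alerts[t.txn_id] = reasons
    return alerts


# Constructed bank report: two approved ACH payments plus two the business never initiated.
SAMPLE_REPORT = [
    Txn("T1", "ACH", "payroll-acct-1", 1_250_000),
    Txn("T2", "ACH", "vendor-acme", 230_000),
    Txn("T3", "WIRE", "intl-acct-9921", 980_000),   # unknown payee, over the wire limit
    Txn("T4", "ACH", "vendor-globex", 499_999),      # known payee, but nobody approved it
]

if __name__ == "__main__":
    for txn_id, reasons in reconcile(SAMPLE_REPORT).items():
        print(txn_id, "->", "; ".join(reasons))
```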
Detect | Anti-virus Warning
Respond | Take Immediate Action
• If suspicious activity is detected, immediately cease all online activity and remove any computer systems that may be compromised from the network
• Make sure your employees know how and to whom to report suspicious activity
• Immediately contact your financial institution(s) in order to:
  – Disable online access to accounts
  – Change online banking passwords
  – Open new account(s) as appropriate
  – Request a review of transactions
  – Request a review of online banking accounts to determine if information was changed or new users were added
Respond | Next Steps
• Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident – make sure to notify:
  – Your financial institution(s)
  – Agencies such as the Federal Trade Commission or IC3
  – All consumers that were affected by the fraud
  – Any other businesses or organizations that may have been impacted
• File a police report
• Implement a contingency plan for recovering systems suspected of compromise
• Consider whether other company or personal data may have been compromised
• Report exposures to PCI DSS if you accept credit/debit cards
Websites to Know
• IC3 | www.ic3.gov
• Your FBI field office | www.fbi.gov/contact-us/field/field-offices
• Your USSS field office | www.secretservice.gov/field_offices.shtml
• USSS Electronic Crimes Task Force | www.secretservice.gov/ectf.shtml
• PCI DSS | www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• Federal Trade Commission | business.ftc.gov
Learn More
• IC3 | CATO Fraud Advisory
• NACHA | Corporate Account Takeover: What You Need to Know
• NACHA | Sound Business Practices to Mitigate Corporate Account Takeover
• Federal Communications Commission | Small Business Cyber Planner
• US Chamber of Commerce | Internet Security Essentials for Business
• Better Business Bureau | Data Security Made Simpler
• National Cyber Security Alliance | STOP. THINK. CONNECT. Campaign