This document summarizes information from an advisory released by the U.S. Secret Service, the FBI, the Internet Crime Complaint Center (IC3), and the Financial Services Information Sharing and Analysis Center (FS-ISAC), entitled “Fraud Advisory for Business: Corporate Account Take Over (CATO)”. The information here is intended to provide basic background on the growing threat of CATO and to help you establish security processes of your own. These attacks are continuously evolving, however, and you must stay up to date to maintain your security posture.
Cybercriminals are targeting the financial accounts of owners and employees of small- and medium-sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds cannot be recovered.*
To obtain access to financial accounts, cybercriminals target employees – often senior executives or accounting and HR personnel, although any employee can be a target – and business partners, including contractors, accountants, and other third parties. They trick the targeted individual into installing malicious software (“malware”), which in turn steals personal information and online banking login credentials. Once those credentials are in the criminal’s hands, money can be moved out of the business accounts electronically.
Cybercriminals also use various attack methods to:
- Exploit check archiving and verification services, enabling them to issue counterfeit checks
- Impersonate the customer over the phone to arrange funds transfers
- Mimic legitimate communication from the financial institution to verify transactions
- Create unauthorized wire transfers and ACH payments
- Initiate other changes to your accounts
In addition to targeting account information, cybercriminals also seek to gain customer lists and/or proprietary information – often through the spread of malware – that can cause indirect losses and reputational damage to a business.
First identified in 2006, this fraud, known as “corporate account take over,” once attacked mostly large corporations, but cybercriminals have now begun to target municipalities, smaller businesses, and non-profit organizations. Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud. Educating** all stakeholders (financial institutions, businesses, and consumers) on how to identify and protect themselves against this activity is the first step to combating cybercriminal activity.
How It’s Done
Cybercriminals trick victims into divulging personal or account information by:
- Asking you to open an email attachment
- Sending a fake friend request on a social networking site
- Luring you to a compromised website that installs malware on your computer
- Sending mass emails or pop-up messages that:
  - Ask for personal or account information
  - Direct you to click on a malicious link
  - Contain attachments that are infected with malware
Methods used to trick you into opening an attachment or clicking on a link include:
- Using email addresses or other details harvested from your employer’s website, or from people you know, to make the email look like it was sent by someone you trust
- Making an email look like it includes, for instance:
  - Information about a natural disaster
  - Information about a sporting event
  - Information about popular celebrities
- Masking the email to look legitimate. For example, from:
  - UPS (There’s been a problem with your shipment.)
  - Financial Institution (There’s a problem with your bank account.)
  - Better Business Bureau (A complaint has been filed against your business.)
  - U.S. Court System (You have been served a subpoena.)
The criminal’s goal is to get you to open the infected attachment or click on the link so that hidden malware (software designed to do harm) is downloaded to your computer. This malware lets the fraudster “see” and track your activity on the business’ internal network and on the Internet. The tracking may include your visits to your financial institution and your use of online banking credentials (user IDs, passwords, and other login information). With this information, the fraudster can conduct unauthorized transactions that appear to the bank to be legitimate transactions conducted by you or your employee.
How to Protect, Detect, and Respond
1. Educate everyone on this type of fraud scheme.
- Don’t respond to or open attachments or click on links in unsolicited e-mails.
- If a message appears to be from your financial institution and requests account information, do not use any of the links provided.
- Reach out to your financial institution using contact information provided upon account opening to determine if any action is needed.
- Remember that financial institutions do not send customers e-mails asking for passwords, credit card numbers, or other sensitive information.
- If you receive an email from an apparently legitimate source (such as the IRS, Better Business Bureau, Federal courts, UPS, etc.) contact the sender directly through other means to verify the authenticity. Be very wary of unsolicited or undesired email messages (also known as “spam”) and the links contained in them.
- Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem, as it could actually be malicious software that allows the fraudster to remotely access and control your computer.
- Teach and require best practices for IT security.
2. Enhance the security of your computer and networks to protect against this fraud.***
- Minimize the number of, and restrict the functions for, computer workstations and laptops that are used for online banking and payments. A workstation used for online banking should not be used for general web browsing, emailing, or social networking.
- Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity.
- Install and maintain spam filters.
- Install and maintain real-time anti-virus and anti-spyware software, a desktop firewall, and malware detection and removal software.
  - Use these tools regularly to scan your computer.
  - Allow automatic updates and scheduled scans.
- Do not leave computers with administrative privileges and/or computers with monetary functions unattended.
- Logoff of, turn off, and lock up computers when not in use.
- Install routers and firewalls to prevent unauthorized access to your computer or network.
- Change the default passwords on all network devices.
- Block pop-ups.
- Install security updates to operating systems and all applications as they become available.
  - Updates are typically released on a weekly or monthly schedule, but vendors also issue out-of-band patches for actively exploited (zero-day) vulnerabilities; apply those as soon as they are available.
- Keep operating systems, browsers, and all other software and hardware up-to-date.
- Make regular backup copies of system files and work files.
- Do not use public Internet access points (e.g., Internet cafes, public Wi-Fi hotspots at airports, etc.) to access accounts or personal information. If you must use such an access point, connect through a Virtual Private Network (VPN), which encrypts your traffic across the public Internet to provide secure remote access to your organization’s network. Note that a VPN protects the connection, not a workstation that is already infected.
- Keep abreast of the continuous cyber threats that occur. See the Additional Resources section below for recommendations on sites to bookmark.
- Encrypt sensitive folders with the operating system’s native encryption capabilities. Preferably, use a whole disk encryption solution.
3. Enhance the security of your corporate banking processes and protocols.
- Initiate ACH and wire transfer payments under dual control using two separate computers. For example: one person creates the payment file and a second person authorizes its release from a different computer. This ensures that no single person has the authority to perform both functions, grant themselves additional authority, or create a new user ID, and that malware on one workstation cannot complete a transfer by itself.
- Talk to your financial institution about Positive Pay and other services such as SMS texting, call backs, and batch limits which help to protect companies against altered checks, counterfeit check fraud, and unauthorized ACH transactions.
- If, when logging into your account, you encounter a message that the system is unavailable, contact your financial institution immediately.
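The dual-control rule in item 3 is easy to state and easy to get wrong in practice, so here is an added example (not from the advisory or from any bank’s system) of how an internal payment workflow can enforce it. The user directory, role names, and workstation names are constructed for illustration; the checks are the ones the advisory calls for: a different person and a different computer for release than for creation, and no one holding both payment roles or combining a payment role with user administration.

```python
"""Separation-of-duties checks for ACH/wire release (illustrative, not a real bank API)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


class DualControlError(Exception):
    """Raised when an action would let one person or one machine complete a payment alone."""


@dataclass(frozen=True)
class Action:
    user: str          # who performed the step
    workstation: str   # host the step was performed from


@dataclass
class PaymentFile:
    file_id: str
    created: Action
    released: Optional[Action] = None


# Constructed user directory: user -> roles held. Hypothetical role names.
USERS: Dict[str, Set[str]] = {
    "alice": {"payment_initiator"},
    "bob": {"payment_approver"},
    "carol": {"payment_initiator", "payment_approver"},   # can create and release alone
    "dave": {"payment_approver", "user_admin"},           # can add authority to himself
}


def check_role_separation(directory: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return users whose role set defeats dual control before any payment is made."""
    conflicts = {}
    for user, roles in directory.items():
        if {"payment_initiator", "payment_approver"} <= roles:
            conflicts[user] = "can both create and release payments"
        elif "user_admin" in roles and roles & {"payment_initiator", "payment_approver"}:
            conflicts[user] = "can manage users and also touch payments"
    return conflicts


class PaymentWorkflow:
    def __init__(self, directory: Dict[str, Set[str]]):
        self.directory = directory
        self.files: Dict[str, PaymentFile] = {}

    def create(self, file_id: str, user: str, workstation: str) -> PaymentFile:
        if "payment_initiator" not in self.directory.get(user, set()):
            raise DualControlError(f"{user} is not authorized to create payment files")
        if file_id in self.files:
            raise DualControlError(f"{file_id} already exists")
        self.files[file_id] = PaymentFile(file_id, created=Action(user, workstation))
        return self.files[file_id]

    def release(self, file_id: str, user: str, workstation: str) -> PaymentFile:
        f = self.files[file_id]
        if f.released is not None:
            raise DualControlError(f"{file_id} was already released")
        if "payment_approver" not in self.directory.get(user, set()):
            raise DualControlError(f"{user} is not authorized to release payment files")
        # The two checks the advisory asks for: a different person and a different computer.
        if user == f.created.user:
            raise DualControlError(f"{user} created {file_id} and may not also release it")
        if workstation == f.created.workstation:
            raise DualControlError(f"{file_id} must be released from a different workstation")
        f.released = Action(user, workstation)
        return f


def demo() -> bool:
    """Run the happy path and the three violations; True if the checks behave as intended."""
    wf = PaymentWorkflow(USERS)
    wf.create("ach-2013-04-02", "alice", "ws-banking-1")
    for who, host in (("alice", "ws-banking-2"), ("bob", "ws-banking-1")):
        try:
            wf.release("ach-2013-04-02", who, host)
            return False            # a violation slipped through
        except DualControlError:
            pass
    released = wf.release("ach-2013-04-02", "bob", "ws-banking-2")
    return released.released == Action("bob", "ws-banking-2")


if __name__ == "__main__":
    print("role conflicts:", check_role_separation(USERS))
    print("dual control enforced:", demo())
```

Run the role-separation check against the real user list whenever someone is added or given new permissions, not only when a payment is made; item 13 below lists new user accounts and changed access as exactly the things a fraudster sets up first.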
4. Understand your responsibilities and liabilities.
- Familiarize yourself with your institution’s account agreement.
- Be aware of your liability for fraud under the agreement and the Uniform Commercial Code (UCC), as adopted in the jurisdiction.
- Be aware of your responsibilities under the Payment Card Industry Data Security Standard (PCI DSS) if you accept credit cards. For more information, see the PCI Security Standards Council link in item 18 below.
5. Monitor and reconcile accounts at least once each day.
- Reviewing accounts daily shortens the time between an unauthorized transaction and its detection, which gives the business and the financial institution the best chance to stop or reverse the transfer before the funds leave the banking system. Compare the bank’s activity against what your own payment and payroll systems say was approved, not just against the previous day’s balance.
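As an added illustration of what a daily reconciliation can catch (this is example code written for this document, not a tool from the advisory or from any bank), the script below compares a constructed sample of a bank’s daily activity export against the payments the business actually approved. It flags transfers with no matching approved payment, payees not on the approved list, transfers initiated outside business hours, and a day whose ACH total exceeds the batch limit agreed with the bank. The export format, payee names, limits, and user names are all assumptions.

```python
"""Daily reconciliation of bank activity against approved payments (illustrative)."""
from collections import defaultdict
from datetime import datetime, time
from decimal import Decimal
from typing import Dict, Iterable, List, Set, Tuple

# Assumed limits agreed with the bank (see "batch limits" in item 3).
PER_TXN_LIMIT = Decimal("50000.00")
DAILY_ACH_LIMIT = Decimal("60000.00")
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed: payees the business has approved in its own AP/payroll system.
APPROVED_PAYEES: Set[str] = {"ACME Supply Co", "Payroll Services Inc"}

# Constructed: payments the business approved for the day, (payee, amount).
EXPECTED: List[Tuple[str, Decimal]] = [
    ("ACME Supply Co", Decimal("12500.00")),
    ("Payroll Services Inc", Decimal("48200.00")),
]

# Constructed sample of a bank activity export: timestamp,type,payee,amount,initiating user.
BANK_EXPORT = [
    "2013-04-02T09:12:00,ACH,ACME Supply Co,12500.00,alice",
    "2013-04-02T10:03:00,ACH,Payroll Services Inc,48200.00,alice",
    "2013-04-02T02:47:00,WIRE,Global Ventures LLC,9800.00,alice",
    "2013-04-02T03:05:00,ACH,J. Smith,4950.00,alice",
]


def parse_export(lines: Iterable[str]) -> List[dict]:
    """Turn the assumed comma-separated export into records; Decimal keeps money exact."""
    txns = []
    for line in lines:
        ts, kind, payee, amount, user = line.strip().split(",")
        txns.append({
            "when": datetime.fromisoformat(ts),
            "type": kind,
            "payee": payee,
            "amount": Decimal(amount),
            "user": user,
        })
    return txns


def reconcile(lines: Iterable[str],
              expected: List[Tuple[str, Decimal]],
              approved_payees: Set[str]) -> Dict[object, List[str]]:
    """Return findings keyed by transaction index, plus 'daily' and 'missing' summary keys."""
    txns = parse_export(lines)
    outstanding = list(expected)          # each approved payment may be matched once
    findings: Dict[object, List[str]] = defaultdict(list)
    ach_total = Decimal("0")
    for i, t in enumerate(txns):
        key = (t["payee"], t["amount"])
        if key in outstanding:
            outstanding.remove(key)
        else:
            findings[i].append("no matching approved payment")
        if t["payee"] not in approved_payees:
            findings[i].append("payee not on approved list")
        if not (BUSINESS_HOURS[0] <= t["when"].time() <= BUSINESS_HOURS[1]):
            findings[i].append("initiated outside business hours")
        if t["amount"] > PER_TXN_LIMIT:
            findings[i].append("exceeds per-transaction limit")
        if t["type"] == "ACH":
            ach_total += t["amount"]
    if ach_total > DAILY_ACH_LIMIT:
        findings["daily"].append(f"ACH total {ach_total} exceeds daily limit {DAILY_ACH_LIMIT}")
    for payee, amount in outstanding:
        findings["missing"].append(f"approved payment to {payee} for {amount} not seen at bank")
    return dict(findings)


if __name__ == "__main__":
    for key, reasons in sorted(reconcile(BANK_EXPORT, EXPECTED, APPROVED_PAYEES).items(), key=str):
        print(key, "->", "; ".join(reasons))
```

In the sample, the two legitimate payments reconcile cleanly; the 2:47 a.m. wire to an unknown company and the 3:05 a.m. ACH credit to an individual for just under $5,000 are each flagged three times, and the day’s ACH total trips the batch limit. Transfers to previously unseen individuals in amounts just under a round threshold, initiated at odd hours under a legitimate user’s credentials, are the pattern of money-mule transfers this advisory describes, and a reconciliation like this one is the earliest point at which a business usually sees them.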
6. Note any changes in the performance of your computer:
- A dramatic loss of speed
- Changes in the way things appear
- The computer locks up so the user is unable to perform any functions
- Unexpected reboot or restarting of your computer
- An unexpected request for a one-time password (or token) in the middle of an online session
- Unusual pop-up messages
- New or unexpected toolbars and/or icons
- Inability to shut down or restart
7. Pay attention to warnings.
- Your anti-virus software should alert you to potential viruses. If you receive a warning message, contact your IT professional immediately.
8. Be on the alert for rogue emails.
- If someone says they received an email from you that you did not send, you probably have malware on your computer or your email account has been compromised.
- You can also check your email “sent items” folder for messages you did not send. Bear in mind that an attacker using your account may delete those messages or set up mailbox rules to hide them, so an empty folder is not proof that nothing happened.
9. Run regular virus and malware scans of your computer’s hard drive.
- This can usually be set to run automatically during non-peak hours.
10. Discuss the options offered by your financial institution to help detect or prevent out-of-pattern activity (including both routine and red flag reporting for transaction activity).
11. If you detect suspicious activity, immediately cease all online activity and remove any computer systems that may be compromised from the network.
- Disconnect the Ethernet cable and/or any other network connections (including wireless connections) to isolate the system from the network and prevent any unauthorized access.
12. Make sure your employees know how and to whom to report suspicious activity within your company and at your financial institution.
- Email your Americana Community Bank Cash Management Department at eBizHelp@AmericanaFinancial.com to report suspicious activity.
13. Immediately contact your financial institution so that the following actions may be taken:
- Disable online access to accounts.
- Change online banking passwords.
- Open new account(s) (if necessary).
- Ask your banker to review all recent transactions and electronic authorizations on the account. If suspicious pending transactions are identified, cancel them immediately.
- Ensure that no one has:
  - Added any new payees
  - Requested an address or phone number change
  - Created new user accounts
  - Changed access to any existing user accounts
  - Changed existing wire/ACH template profiles
  - Changed PINs
  - Ordered new cards, checks, or other account documents to be sent to an address other than yours
14. Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident to the various agencies, financial institutions, and firms impacted.
- Be sure to record the date, time, contact telephone number, person spoken to, instructions, and any relevant report or reference number.
15. File a police report.
- Obtain a police report number with the date, time, department, location, and the name of the officer taking the report or involved in the subsequent investigation. Having a police report on file will often help facilitate the filing of claims with insurance companies, financial institutions, and other companies that may be the victims of connected fraudulent activity.
- The police report may result in a law enforcement investigation into the loss, with the goal of identifying, arresting, and prosecuting the offender, and possibly recovering losses.
- Depending upon the incident and the circumstance surrounding the loss, investigating officials may request specific data be recorded and some or all of the system’s data may need to be preserved as potential evidence.
- In addition, you may choose to file a complaint online at http://www.ic3.gov/default.aspx. For substantial losses, contact:
16. Have a contingency plan to recover systems suspected of compromise.
- The contingency plan should cover resolutions for a system infected by malware, data corruption, and catastrophic system/hardware failure. A recommended malware removal option is to reformat the hard drive, then reinstall the operating system and other software on the infected computer(s). There is no preservation of data using this method – all your data will be permanently erased. Do not take this step until you determine if a forensic analysis of the computer is needed.
17. Consider whether other company or personal data may have been compromised.
18. Report exposures to PCI DSS, if appropriate.
- If your business accepts credit cards, you are subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) and you may be required to report and investigate the incident, limit the exposure of the cardholder data, and report the incident to your card company. For more information, see https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
Contact your ACB banker for more information: eBizHelp@AmericanaFinancial.com
*Consumer accounts are subject to Federal Reserve Regulation E (12 C.F.R. Part 205), which requires banks to reimburse consumers for certain losses. Regulation E does not apply to business accounts, so banks are not required to reimburse businesses for such losses.
**This advisory was created through a collaborative cross-industry effort to develop and distribute recommended practices to prevent, detect, and respond to corporate and consumer account takeovers. Led by the Financial Services Information Sharing and Analysis Center (FS-ISAC), contributors include more than 30 of the largest financial institutions in the U.S., industry associations including the American Bankers Association (ABA), NACHA – The Electronic Payments Association, BITS/The Financial Services Roundtable, and federal regulatory and law enforcement agencies. This advisory is an update to recommendations previously released in August 2009 by the FS-ISAC, FBI, and NACHA, and the NACHA (Operations Bulletin) in December 2009.
*** See the “Resources” section of this document for links to helpful and detailed tips on how to enhance your information technology (IT) security.