For Business Online Banking Customers

What is corporate account takeover?

"Corporate account takeover" is when cyber-thieves gain control of a business' bank account by stealing the business' valid online banking credentials. Although several methods are used to steal credentials, the most prevalent involves malware that infects a business' computer workstations and laptops. Malicious software, which is available over the internet, automates many elements of the crime, including circumventing one-time passwords, authentication tokens and other forms of multi-factor authentication.

A business can become infected with malware via infected documents attached to an email or a link contained within an email that connects to an infected website. In addition, malware can be downloaded to user workstations and laptops by visiting legitimate websites - especially social networking sites - and clicking on the documents, videos or photos posted there. This malware can also spread across a business' internal network.

The malware installs keylogging software on the computer, which allows the cyber-thieves to capture a user's credentials as they are entered at the financial institution's website. Sophisticated versions of the malware can even capture token-generated passwords, alter the display of the website to the user, and/or display a fake web page indicating the financial institution's website is down. In this case, the criminal can access the business' account online without the possibility that the real user will log in to the website.

Once installed, the malware provides the information that enables the cyber-thieves to impersonate the business in online banking sessions. To the financial institution, the credentials look just like those of the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns, and ACH and wire transfer origination parameters (such as file size, frequency, limit, and SEC codes).

The cyber-thieves use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the US. These accounts may be newly opened by accomplices or unwitting "money mules" for the express purpose of receiving and laundering these funds. A "money mule" is a person who transfers stolen money or merchandise from one country to another, either in person, through a courier service, or electronically. The term is commonly used to describe online scams that prey on victims who are unaware that the money or merchandise they are transferring is stolen. In these scams, the stolen money or merchandise is transferred from the victim's country to the scam operator's country. The accomplices or mules withdraw the entire balance shortly after receiving the money, and then send the funds overseas via over-the-counter wire transfer or other common money transfer services.

Why are businesses and organizations targeted?

The cyber-thieves appear to be targeting businesses, as well as government agencies and nonprofits, for several reasons:

  1. Many businesses and organizations have the capability to initiate funds transfers - ACH credits and wire transfers - via online banking.
    1. This funds transfer capability is often related to a business' origination of payroll payments.
    2. In corporate account takeover, the cyber-thieves may add fictitious names to a payroll file (directed to the accounts of money mules) and/or initiate payroll payments off-cycle to avoid daily origination limits.
  2. Some businesses do not have the level of resources to defend their information technology systems.
  3. Many businesses do not monitor and reconcile their accounts on a frequent or daily basis.
  4. Some businesses bank with a wide variety of financial institutions with varying degrees of IT resources and sophistication.

Prevention, detection & reporting for business customers

Account control

  1. Reconcile all banking transactions on a daily basis.
  2. Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
  3. Utilize routine reporting on transactions.
  4. Perform periodic risk assessments of the banking products/services you use, including regular reviews of user access levels, dollar limits and activity.
  5. Immediately report any suspicious transactions to the financial institution.
  6. Stay in touch with other businesses and industry sources to share information regarding suspected fraudulent activity.
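
A daily reconciliation pass over outgoing ACH batches can check for the tactics described earlier (fictitious payees added to a payroll file, off-cycle payroll) and for batches released without dual control. The script below is an added example, not part of the original page; the roster, payroll dates, user names and batch layout are constructed assumptions.

```python
from datetime import date

# Constructed sample data: approved payroll roster as (routing, account) pairs.
APPROVED_PAYEES = {("000000001", "111001"), ("000000002", "222002")}
# Assumed payroll schedule: the business originates payroll on these dates only.
PAYROLL_DATES = {date(2024, 3, 15), date(2024, 3, 29)}


def review_batch(batch, approved=APPROVED_PAYEES, schedule=PAYROLL_DATES):
    """Return a list of (code, detail) findings for one outgoing ACH batch."""
    findings = []
    # Dual control: originator and authorizer must be two different users.
    if not batch.get("authorizer") or batch["authorizer"] == batch["originator"]:
        findings.append(("NO_DUAL_CONTROL", batch["originator"]))
    # Off-cycle payroll is one way thieves avoid daily origination limits.
    if batch["effective_date"] not in schedule:
        findings.append(("OFF_CYCLE", batch["effective_date"].isoformat()))
    # Payees missing from the roster may be fictitious names added to the file.
    for entry in batch["entries"]:
        if (entry["routing"], entry["account"]) not in approved:
            detail = f'{entry["name"]} {entry["amount"]:.2f}'
            findings.append(("UNKNOWN_PAYEE", detail))
    return findings


# Constructed batches for illustration.
NORMAL = {
    "originator": "payroll_clerk", "authorizer": "controller",
    "effective_date": date(2024, 3, 15),
    "entries": [
        {"name": "Employee A", "routing": "000000001", "account": "111001", "amount": 2100.00},
        {"name": "Employee B", "routing": "000000002", "account": "222002", "amount": 1950.00},
    ],
}
SUSPECT = {
    "originator": "payroll_clerk", "authorizer": "payroll_clerk",
    "effective_date": date(2024, 3, 20),
    "entries": [
        {"name": "Employee A", "routing": "000000001", "account": "111001", "amount": 2100.00},
        {"name": "New Payee", "routing": "000000009", "account": "999009", "amount": 4800.00},
    ],
}

if __name__ == "__main__":
    for label, batch in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, review_batch(batch))
```

Any finding is a reason to hold the batch and contact the financial institution before the file is released.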

Computer security tools & practices

  1. Install a dedicated, actively managed firewall. A firewall limits the potential for unauthorized access to a network and computers.
  2. Install commercial anti-virus software on all computer systems and ensure virus protections and security software are updated regularly.
  3. Ensure computers are patched regularly, particularly operating systems and key applications, with security patches.
  4. Consider installing spyware detection programs.
  5. Be suspicious of emails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. If you are uncertain of the source, do not click any links.
  6. Use strong password policies.
  7. Prohibit use of "shared" usernames and passwords for online banking systems.
  8. Use a different password for each website that is accessed.
  9. Change the password several times per year.
  10. Never share username and password information with third-party providers.
  11. Limit administrative rights on user workstations.
  12. Carry out all online banking activities from a stand-alone computer system from which email and web browsing are not possible.
  13. Verify use of a secure session ("https") in the browser for all online banking.
  14. Avoid using automatic login features that save usernames and passwords for online banking.
  15. Never leave a computer unattended while using any online banking or investing service.
  16. Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign-on information, leaving the customer vulnerable to possible fraud.

Symptoms of an Infected Computer

A computer may have been compromised if it exhibits any of the following characteristics or signs:

  • Is slow or nonresponsive
  • Shows signs of high-level activity on the hard drive that is not the result of anything you initiated
  • Displays messages on your screen that you haven't seen before
  • Is unable to run a program because you don't have enough memory
  • Crashes constantly