CATO

Corporate Account Takeover

A fast-growing electronic crime in which thieves typically use some form of malware to obtain login credentials to Corporate Online Banking accounts and then fraudulently transfer funds out of those accounts.

What is Corporate Account Takeover and how does it work?

  • Criminals target victims with scams
  • The victim unknowingly installs software by clicking on a link or visiting an infected internet site.
  • Fraudsters begin monitoring the accounts
  • The victim logs on to Online Banking
  • Fraudsters collect the login credentials
  • Fraudsters wait for the right time and then, depending on your controls, either log in after hours or, if you are using a token, wait until you enter your code, hijack the session, and send you a message that Online Banking is temporarily unavailable.

Types of Security Threats

  • Malware – Short for malicious software, malware is software designed to infiltrate a computer system without the owner’s informed consent. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software.
  • Viruses – A computer program that can copy itself and infect a computer. Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.
  • Spyware – A type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. It can install additional software, redirect the Web browser, change computer settings or home pages, and/or cause loss of internet connectivity.
  • Rogue Software / Scareware – Mainly relies on social engineering in order to defeat security software. It has become a growing and serious security threat in desktop computing. It is a form of malware that deceives or misleads users into paying for the fake or simulated removal of malware.
  • Phishing – The criminally fraudulent process of attempting to acquire sensitive information (usernames, passwords, credit card details) by masquerading as a trustworthy entity in an electronic communication. Common lures are messages purporting to come from social websites, auction sites, online payment processors, and IT administrators.
  • E-mail Usage – Some experts feel e-mail is the biggest security threat of all. It is the fastest, most effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources. Some examples of corporate e-mail waste: electronic greeting cards, chain letters, jokes and graphics, and spam and junk e-mail.
  • Hoaxes – Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks fall into this category.

What can you do to protect your business?

  • Train your employees
  • Secure your computer and networks
  • Limit administrative rights
  • Install and maintain spam filters
  • Use multi-layer security
  • Surf the internet carefully
  • Install and maintain real-time anti-virus and anti-spyware software, a desktop firewall, and malware detection and removal software
  • Install routers and firewalls to prevent unauthorized access to your computer or network
  • Install security updates to operating systems and all applications as they become available.
  • Block pop-ups
  • Do not open attachments in e-mails from senders you don’t know
  • Reconcile accounts daily.

Contact the Bank if you:

  • Suspect a fraudulent transaction
  • Are trying to process an online wire or ACH batch and receive a maintenance page
  • Receive an email claiming to be from the Bank that requests personal/company information

The Bank will never ask for sensitive information, such as account numbers, access IDs, or passwords via e-mail.

Incident Response Plans

Since each business is unique, customers should write their own Incident Response Plan. A general template would include:

  1. The direct contact numbers of key bank employees (including after-hours numbers)
  2. Steps the accountholder should consider to limit further unauthorized transactions, such as:
    1. Changing passwords
    2. Disconnecting computers used for Internet Banking
    3. Requesting a temporary hold on all other transactions until out-of-band confirmations can be made
    4. Noting the information the accountholder will provide to assist the bank in recovering the accountholder’s money
    5. Contacting their insurance carrier, and
    6. Working with computer forensic specialists and law enforcement to review appropriate equipment.

How to recognize a phishing, mishing or vishing scam

  • Genuine banks and organizations will NOT contact you by email to request confidential and personal information.
  • If a bank or organization sends you a genuine request for some information, they should address you by name and not refer to you as 'account holder' or 'customer'.
  • A genuine bank or organization should take good care to ensure that any email or message they send to you does not contain typing errors and grammatical mistakes—many scammers make silly mistakes.

How to respond to a phishing, mishing or vishing scam

  • There are things you can do if you receive a suspicious message. If you receive an email, phone call or other message supposedly from your bank or another organization requesting your personal details, delete the message or hang up your phone.
  • Even if the email or message urges you to act quickly, do not panic—this is just a trick to make you respond immediately without giving you a chance to talk to others or to check if it is a scam.
  • If you receive a suspicious call or message that you think might be genuine, do not divulge your details until you have made some extra checks to satisfy yourself that it is not a scam.
  • Ring your bank or the company yourself to find out if it is a genuine message but never use the number provided in the email or message—a scammer will not give you the correct number!

How to reduce the damage if you think you have fallen for a scam

  • Report the scam - You should telephone your bank or financial institution if you are suspicious of an email, letter or phone call that claims to be from them, or if you think someone may have access to your accounts. They can advise you on what to do next. Make sure the telephone number you use is from the phone book or your account statement, ATM card or credit card.
  • Protect your computer - If you were using your computer when you got scammed, it is possible that a virus or other malicious software may have infected your computer. Run a full system check using reliable security software. If you do not have security software (such as virus scanners and a firewall) installed on your computer, a computer professional can help you choose what you need.
  • Change your passwords - Scammers may have also gained access to your online passwords. Change your passwords using a secure computer.