Corporate Account Takeover
What is Corporate Account Takeover?
“Corporate account takeover” is when cyber-thieves gain control of a business’ bank account(s) by stealing the business’ valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects the business’ computer workstations and laptops.
Business E-mail Compromise Scheme
Recently we have seen a new scheme targeting online cash management users by compromising internal company email. By posing as executives, accountants, or vendors, scammers have stolen millions of dollars from organizations large and small through Business Email Compromise (BEC) schemes.
A BEC scheme typically targets companies working with foreign suppliers and companies that regularly perform wire transfers. To avoid spam filters, the emails in BEC schemes are not mass-emailed. Instead, they are sent to only a few employees—usually, employees who regularly perform wire transfers, like CFOs, financial directors, or accountants, or others with cash management access. BEC scammers conduct extensive research to make their emails more believable. They will try to determine who initiates wires, who requests them, and when they typically occur. They may even find out your company’s financial processes. Then, they wait for the perfect opportunity, like a change in leadership in the finance department or a CEO traveling overseas. BEC scammers typically instruct their targets to act quickly or in confidence when transferring funds. They may also pose as an established customer or vendor and send an email request to change their banking information before their next payment is sent out via wire or ACH.
BEC phishing emails often use spoofed email addresses, authentic-looking signatures, and logos to appear more credible. Even if the message looks like it was sent by someone in your organization, it may not be legitimate. Many BEC phishing emails don’t include links or attachments. These attacks begin with an email that simply engages the target in conversation, sometimes called a “knock-knock” email. If the target responds, the attacker continues to manipulate the target until they get them to transfer the requested funds or hand over confidential information.
Quick Tips
Even if you receive an email that looks legitimate, you should still use caution. Keep these three tips in mind when you receive an email requesting a change in how or where funds may be transferred.
- Be skeptical of urgent requests that do not follow typical company procedures and policies.
- Always VERBALLY verify that the email is from the real sender with a quick phone call.
- Look at the domain name. Although some scammers spoof company email addresses, other scammers use domains that are slightly different. For example, if the target company’s domain is www.example.com, the scammers may register “examp1e.com” or “example.co.”
If anything seems suspicious, don’t take the bait. It’s best to be certain before initiating a wire transfer or any other transfer of funds.
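The domain check described in the tips above can be automated on the receiving side. The following is an added example written for this page, not the bank's own tooling; the trusted domain example.com, the homoglyph table and the sample sender addresses are constructed assumptions.

```python
# Added example (not part of the bank's page): flag sender domains that
# resemble, but do not match, a trusted company domain.
# TRUSTED_DOMAINS and the sample addresses below are constructed values.

TRUSTED_DOMAINS = {"example.com"}

# Digits and letter pairs commonly swapped for visually similar characters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_homoglyphs(label):
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for an email sender domain."""
    domain = domain.lower().strip(".")
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        # Same name under a different or truncated TLD: example.co
        if name == t_name and tld != t_tld:
            return "lookalike"
        # Homoglyph substitution: examp1e.com -> example.com
        if fold_homoglyphs(name) == t_name:
            return "lookalike"
        # Within two typos of the trusted domain: exampel.com
        if levenshtein(domain, t) <= 2:
            return "lookalike"
    return "unknown"

def flag_suspicious_senders(addresses):
    """Return the addresses whose domain is a look-alike of a trusted one."""
    return [a for a in addresses
            if classify_sender_domain(a.rsplit("@", 1)[-1]) == "lookalike"]
```

A result of "unknown" is not a verdict of safety: an attacker who spoofs the real domain outright still passes this check, which is why the verbal verification step above remains necessary.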
A business can become infected with malware via infected documents attached to an email, or via a link contained within an email that leads to an infected Website. In addition, malware can be downloaded to users’ workstations and laptops by visiting legitimate Websites, especially social networking sites, and clicking on the documents, videos, or photos posted there. This malware can also spread across a business’ internal network.
Recommendations to Business and Corporate Customers
Although Guaranty Bank & Trust uses technologies to prevent, detect and respond to fraudulent transactions, there are additional controls that you can institute within your organization to further reduce the risk of Corporate Account Takeover and fraud.
- Reconcile your banking transactions on a daily basis.
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
- Employ best practices to secure the computer systems in your business, including but not limited to:
  - If possible, carry out all online banking activities from a stand-alone, hardened, and completely locked-down computer system from which e-mail and Web browsing are not possible.
  - Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes, and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack your computer.
  - Install a dedicated, actively managed firewall, especially if the business has a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and its computers.
  - Create strong passwords with at least 10 characters that include a combination of mixed-case letters, numbers, and special characters.
  - Prohibit the use of “shared” usernames and passwords for online banking systems.
  - Use a different password for each Website that is accessed.
  - Change the password a few times each year.
  - Never share username and password information for Online Services with third-party providers.
  - Limit administrative rights on users’ workstations to help prevent the inadvertent downloading of malware or other viruses.
  - Educate employees on good cybersecurity practices, including how to avoid having malware installed on business computers.
  - Install commercial antivirus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry-standard product.
  - Ensure virus protection and security software are updated regularly.
  - Ensure computers are patched regularly with security patches, particularly operating systems and key applications. It may be possible to sign up for automatic updates for the operating system and many applications.
  - Consider installing spyware detection programs.
  - Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version; this function is generally found in the browser's preferences menu.
  - Verify use of a secure session (HTTPS:// rather than HTTP://) in the browser for all online financial transactions, including online banking.
  - Avoid using automatic login features that save usernames and passwords for online banking.
  - Never leave a computer unattended while using any online banking or investing service.
  - Never access bank, brokerage, or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to capture account numbers and sign-on information, leaving the customer vulnerable to possible fraud.
  - Properly log out of each online banking session and close all browser windows. Simply closing the active window may not be enough.
  - When finished with the computer, turn it off or disconnect it from the Internet.
Also, consider utilizing a security expert to test the network or run security software that will aid you in identifying known vulnerabilities.
Consumer account holders receive protections from errors relating to electronic funds transfers under Regulation E; however, we want to make you aware that Regulation E does not cover business accounts.
The alerts and notifications offered by the bank are designed as flags to warn you if your system may have been compromised, and we strongly encourage you to take advantage of them.
Warning signs that your system/network may have been compromised include:
- Inability to log into online banking (thieves could be blocking customer access so the customer won’t notice the theft until the criminals have control of the money)
- A dramatic loss of computer speed
- Changes in the way things appear on the screen
- The computer locks up, so the user is unable to perform any functions
- Unexpected rebooting or restarting of the computer
- An unexpected request for a one-time password (or token) in the middle of an online session
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.)
- New or unexpected toolbars and/or icons
- Inability to shut down or restart the computer
Contact the bank immediately if you suspect your network may have been compromised. Call (888) 572-9881 and ask for the Internet Banking Department.