Corporate Account Takeover (CATO)
Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered.
What is CATO?
Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable. Criminals can then initiate fraudulent wire transfers and transactions through ACH to any account.
Dean Bank recommends following these tips to keep your small business safe:
- Educate your employees. You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover is essential to protecting your company and customers. Review risky behavior with employees, especially when opening unsolicited
Dean Bank has several online banking alerts that can notify users of account activity. We highly recommend that customers use these alerts to be notified about transactions and balances to prevent unauthorized activity from occurring.
Protect your online and computer environment:
NEVER give out your username or password to anyone online or over the phone. Dean Bank will never send you text messages or emails asking you for usernames and passwords. We will also not ask for this information over the phone, as we have no access to your passwords. If you get an email, text, or call requesting changes to online banking, please call us at 508-528-0088 to speak with us.
- Always call your bank with any issue, email, text, or phone call asking for information
- Minimize the number of machines used for various business functions. Consider conducting online banking on dedicated machines segregated from other business functions.
- Always lock computers when unattended, especially those with administrator
- Install and maintain anti-virus, anti-malware and anti-spam programs that periodically scan file
- Utilize firewalls and routers to restrict network
- Ensure that programs are consistently updated through an organized patching
- Create regular backup copies of system
- Encrypt hard drives if possible, and if not, encrypt important documents including those containing sensitive
- Depending on your business, look into cybersecurity insurance
Enhance processes and procedures for corporate banking activity: When conducting Automated Clearing House (ACH) or wire transfer activities, utilize dual controls through two separate computers if possible.
Pay attention to suspicious activity and react quickly. If you think that there might be an issue:
- Look out for unexplained account or network activity, pop ups, and suspicious emails.
- If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. Keep records of what happened.
- Ensure all proper authorities are contacted, such as senior management at your firm, information technology personnel, banking institutions, and the police.
Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.
What to do if a breach is suspected:
- Cease all online activity and remove any compromised systems from the network.
- Ensure all proper authorities are contacted, such as senior management at your firm, information technology personnel, banking institutions, and the police.
- Maintain a written log of events that have transpired since abnormal activity was detected.
- Consider what kind of data might have been accessed by the intruding party.
- File a police report and provide any facts known about the circumstances surrounding the loss.
- Have a contingency plan in place to recover systems that are suspected to have been breached.
Resources for Business Account Holders
- The Better Business Bureau’s website on Data Security Made Simpler: http://www.bbb.org/data-security/
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers.
Business Email Compromise (BEC) Alert & Protective measures
Business email compromise attacks appear to be too lucrative for the criminally inclined for them to go away anytime soon.
Such social engineering scams, also known as CEO fraud, are designed to trick recipients into sending money directly to attackers. Often, they do this by attempting to exploit a company's accounts payable process, perhaps using a psychological lever or two as they unfurl. A common ploy is a text message saying the sender needs some sort of monetary assistance (wire transfer, movement of funds, even purchase of gift cards) immediately.
Targets of business email compromise
Anyone can be the target of a BEC scam. Businesses, governments, nonprofits, and schools are all targeted, and these roles are singled out in particular:
- Executives and leaders, because details about them are often publicly available on the company website, so attackers can pretend to know them.
- Finance employees like controllers and accounts payable staff who have banking details, payment methods, and account numbers.
- HR managers with employee records like social security numbers, tax statements, contact info, and schedules.
- New or entry-level employees who won’t be able to verify an email’s legitimacy with the sender.
Bad actors rely on several levers to push the victim into processing the transaction:
- Sense of urgency – The idea that this has to happen right away, so don’t take the time to go through normal channels: "I’m the CEO and I need this."
- Sense of danger – That if this isn’t done, there could be customer impact, or financial or reputational impact to the institution.
- Knowledge of absence – Many of these attacks take place when the bad actors KNOW the CEO or high-level staff person is at a seminar or otherwise unavailable. They count on the fact that the employee doesn’t have immediate access to check on the request in person.
BEC attacks tend to fall into roughly five categories:
Supplier swindle: Attackers call, email or fax a business that has a longstanding relationship with a supplier, pretending to be the supplier, and trying to trick the business into wiring funds for outstanding invoices to an attacker-controlled account. This particular version has also been referred to as 'The Bogus Invoice Scheme,' 'The Supplier Swindle' and 'Invoice Modification Scheme.' Recently, this has been executed by simply submitting new account information in the supplier's name, so that when a legitimate bill comes in, funds are sent to the wrong account.
CEO fraud: Attackers compromise a high-level business executive's email or texting accounts and use them to impersonate the executive and send money-transfer requests to victims. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank 'X' for reason 'Y'. Other times the fraud is smaller, with the criminal asking for gift cards or other personal purchases. This particular version has also been referred to as 'CEO Fraud' or 'Business Executive Scam.'
Account compromise: Attackers hack into a victim's email account and then use it to request invoice payments to multiple vendors listed in their address book. The hacked victim's employer, meanwhile, may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.
Attorney impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are made through email or phone, and toward the end of the business day.
Data theft: Attackers target personally identifiable information - including Social Security numbers - or employees' tax statements, in what's known as W-2 attacks. Such information can be used for filing fake tax returns, opening bogus accounts, identity theft and fraud. These attacks often go undetected until the data is used by the criminal.
How to protect yourself:
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Set up multifactor authentication (MFA) - Make your email harder to compromise by turning on multifactor authentication, which requires a code, PIN, or fingerprint to log in as well as your password.
- Teach employees to spot warning signs - Make sure everyone knows how to spot phishing links, a domain and email address mismatch, and other red flags. Simulate a BEC scam so people recognize one when it happens.
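As an added illustration (not Dean Bank's code or tooling), the checks behind the "slight differences" and "domain and email address mismatch" advice above, written as a small Python filter over constructed message headers; the allowlisted domains and the executive name are assumptions for the example.

```python
"""Flag BEC-style sender red flags: lookalike domains and name/address mismatches."""
from email.utils import parseaddr

# Constructed allowlist (assumed names): domains the business actually corresponds with.
KNOWN_DOMAINS = {"deanbank.example", "acme-supplies.example"}
# Constructed (assumed): executives scammers might impersonate, with their real domain.
EXECUTIVES = {"jane doe": "acme-supplies.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 is the typical one-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def sender_red_flags(from_header: str, reply_to: str = "") -> list[str]:
    """Return human-readable reasons a message's sender looks like BEC, or [] if clean."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = _domain(addr)
    # 1. Lookalike domain: not on the allowlist but only a character or two away from one.
    if domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < edit_distance(domain, known) <= 2:
                flags.append(f"lookalike domain {domain!r} resembles {known!r}")
    # 2. Display name claims an executive, but the address is not on that executive's domain.
    real = EXECUTIVES.get(name.strip().lower())
    if real and domain != real:
        flags.append(f"display name {name!r} but address domain {domain!r} is not {real!r}")
    # 3. Reply-To points somewhere other than the From domain, so replies leave the company.
    if reply_to:
        rt_domain = _domain(parseaddr(reply_to)[1])
        if rt_domain != domain:
            flags.append(f"Reply-To domain {rt_domain!r} differs from From domain {domain!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample: 'l' swapped for '1' in the supplier's domain.
    for flag in sender_red_flags('"Jane Doe" <jane.doe@acme-supp1ies.example>'):
        print("RED FLAG:", flag)
```

The same three checks are what a mail gateway rule or a quick manual review of the headers would apply before any payment or account-change request is acted on.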
Helpful links and sources of additional information:
https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec
https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/
https://www.tessian.com/blog/business-email-compromise-bec-examples/