Corporate Account Takeover (CATO)
Cyber criminals are targeting the financial accounts of owners and employees of small- and medium-sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Oftentimes, these funds may not be recovered.
What is CATO?
Corporate Account Takeovers occur when cyber thieves gain control of a business's systems by stealing employees' login credentials and other sensitive information. Criminals can then initiate fraudulent wire transfers and ACH transactions to any account. Thieves typically gain access to a computer through malicious software (malware), which can infect the machine via email, websites, or downloads disguised as legitimate software. It is necessary to fully understand the severity of these attacks and their effects on confidence, as well as their potential implications for your company's reputation. Information security professionals recognize the growing risk of cyber-crime and the need for businesses to identify, develop, and implement appropriate risk management systems.
Best Practice Recommendations for Businesses
Educate all employees on this type of fraud scheme:
- Review risky behavior with employees, especially when opening unsolicited emails.
- Educate employees on what suspicious websites and malicious "computer optimization" software look like.
Enhance the security of computer networks:
- Minimize the number of machines used for various business functions. Consider conducting online banking on dedicated machines segregated from other business functions.
- Always lock computers when unattended, especially those with administrator access.
- Install and maintain anti-virus, anti-malware and anti-spam programs that periodically scan file systems.
- Utilize firewalls and routers to restrict network access.
- Ensure that programs are consistently updated through an organized patching process.
- Consider creating regular backup copies of system files.
- Encrypt hard drives if possible, and if not, encrypt important documents including those containing sensitive information.
- Avoid utilizing open internet access points for internet connectivity.
- Be aware of emerging information security threats and what measures can be taken to mitigate the risk of unauthorized intrusion.
Enhance processes and procedures for corporate banking activity:
- When conducting Automated Clearing House (ACH) or wire transfer activities, use dual controls, with initiation and approval performed on two separate computers.
- Verify confirmation channels for approval and notification of activity with your financial institution.
- If for any reason your account information or settings have been changed without proper authorization, contact your financial institution immediately.
Understand responsibilities and liability:
- Ensure that you understand the account agreement you have entered into with your financial institution. Understand how liability is determined for cases of fraud.
What to do if a breach is suspected:
- Cease all online activity and remove any compromised systems from the network.
- Ensure all proper authorities are contacted, such as senior management at your firm, information technology personnel, banking institutions, and the police.
- Maintain a written log of events that have transpired since abnormal activity was detected.
- Consider what kind of data might have been accessed by the intruding party.
- File a police report and provide any facts known about the circumstances surrounding the loss.
- Have a contingency plan in place to recover systems that are suspected to have been breached.
Business Email Compromise (BEC)
Business email compromise attacks appear to be too lucrative for the criminally inclined for them to go away anytime soon.
Such social engineering scams, also known as CEO fraud, are designed to trick recipients into sending money directly to attackers. Often they do so by exploiting a company's accounts payable process, applying psychological pressure along the way.
In many cases, attackers pretend to be the CEO - or sometimes the CFO or another C-level executive - and send an email saying they need a wire transfer to be made immediately.
"The sense of urgency, a request for action, or a financial implication used in BEC schemes tricks targets into falling for the trap," security firm Trend Micro says in a blog post. "For example, an accountant may receive a fraudulent email request for a wire transfer from the company CEO, which includes a spoofed version of the CEO's email address and even the CEO's own email signature," it says. "Accordingly, he or she will be more likely to send the funds, because the email appears very real."
In the past, Trend Micro reported that the average BEC attack netted $140,000 in illicit profits.
BEC attacks tend to fall into roughly five categories, according to analyses published by IC3 and Trend Micro:
- Supplier swindle: Attackers call, email or fax a business that has a longstanding relationship with a supplier, pretending to be the supplier, and trying to trick the business into wiring funds for outstanding invoices to an attacker-controlled account. "This particular version has also been referred to as 'The Bogus Invoice Scheme,' 'The Supplier Swindle' and 'Invoice Modification Scheme,'" IC3 says. Trend Micro says foreign suppliers are often targeted.
- CEO fraud: Attackers compromise a high-level business executive's email account and use it to impersonate the executive and send money-transfer requests to victims. "In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank 'X' for reason 'Y,'" IC3 says. "This particular version has also been referred to as 'CEO Fraud,' 'Business Executive Scam,' 'Masquerading' and 'Financial Industry Wire Frauds.'"
- Account compromise: Attackers hack into a victim's email account and then use it to request invoice payments to multiple vendors listed in their address book. The hacked victim's employer, meanwhile, "may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment," IC3 says.
- Attorney impersonation: "Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters," Trend Micro says. "Normally, such bogus requests are done through email or phone, and during the end of the business day."
- Data theft: Attackers target personally identifiable information - including Social Security numbers - or employees' tax statements, in what's known as W-2 attacks. Such information can be used for filing fake tax returns, among other types of identity theft.
Information security experts say there are multiple defenses that all firms - large, medium and small - should have in place to protect themselves against BEC attacks, including:
- Authentication: Protect all email accounts with two-factor authentication, to make it more difficult for attackers to hack into such accounts and use them to trick others either inside or outside the organization.
- Verification: Always make a requested wire transfer follow a prescribed series of steps that includes either an in-person conversation or telephone verification, using only a pre-approved list of telephone numbers for contacts. Never rely on contact information included in an email.
- Questioning: Always assume that an email account that is requesting a wire transfer has been compromised, until proven otherwise. That especially goes for emails that purport to be from the CEO or another senior manager.
- Training: Show users what BEC attacks look like, and regularly test them to ensure that they remain aware.
- Technology: Block known or suspected BEC emails from ever reaching recipients.
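The "Questioning" and "Technology" items above come down to spotting the same handful of signals that the Trend Micro example describes: a message that carries an executive's name but not the executive's real address, a sender domain that merely resembles the company's, a Reply-To that quietly redirects the conversation, and urgency or changed-payment-details language. The following Python triage function is an added example and is not code from this page or from any firm quoted on it. It runs those checks over three constructed sample messages; the corporate domain `example-corp.com`, the executive list, the thresholds and the messages themselves are all assumptions.

```python
"""Heuristic BEC triage over constructed sample email messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organisation's own domain and its known executive addresses.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # CEO (constructed)

# Language typical of wire-transfer pressure or supplier bank-detail changes.
PRESSURE = re.compile(
    r"\b(urgent|immediately|asap|wire transfer|new bank (?:account|details))\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as 'exarnple'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list:
    """Return the list of BEC indicators found in one RFC 822 style message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name matches an executive, but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("display-name-impersonation")

    # 2. Sender domain is a near miss of the corporate domain (1-2 edits away).
    if from_domain != CORPORATE_DOMAIN and 0 < edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Reply-To sends the conversation to a different domain than From.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Urgency or payment-change wording in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PRESSURE.search(msg.get("Subject", "") + " " + body):
        findings.append("payment-or-urgency-language")

    return findings


def triage(raw_message: str) -> str:
    """Map indicator count to a mail-gateway decision (thresholds are an assumption)."""
    hits = len(bec_indicators(raw_message))
    return "quarantine" if hits >= 2 else "flag" if hits == 1 else "deliver"


# Constructed sample messages; none of these are real correspondence.
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Subject: Q3 board deck\n\n"
        "Attached is the draft deck for Thursday's meeting.\n"
    ),
    "ceo_spoof": (
        "From: Jane Doe <jane.doe@exarnple-corp.com>\n"
        "Reply-To: Jane Doe <ceo.janedoe@webmail-example.invalid>\n"
        "Subject: Urgent - need this done today\n\n"
        "I'm in meetings all day. Please process a wire transfer to the account "
        "below immediately and confirm by reply.\nJane\n"
    ),
    "vendor_change": (
        "From: Acme Supply Billing <billing@acme-supply.invalid>\n"
        "Subject: Updated remittance information\n\n"
        "Please note we now use a new bank account for all outstanding invoices.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} {triage(raw):10} {bec_indicators(raw)}")
```

The legitimate message produces no indicators, the spoofed CEO message trips all four, and the vendor message trips only the payment-change wording, which is the point of the "flag" tier: a single signal is not proof of fraud, but it is exactly the case the "Verification" item above says must go through a callback to a pre-approved number before any bank details change or funds move.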
Resources for Business Account Holders
- The Better Business Bureau’s website: http://www.bbb.org/data-security/
- The Small Business Administration’s (SBA) website: https://www.sba.gov/sites/default/files/cybersecurity_transcript.pdf
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
- NACHA – The Electronic Payments Association’s website: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm
- The website www.mysecurityawareness.com provides small businesses with information, education and tools to protect your information and devices.
- The governmental resource website www.onguardonline.gov is another effective tool to gain valuable insight, information and additional options to protect yourself and your business.
- Finally, a free monthly newsletter called OUCH! can be subscribed to at http://www.securingthehuman.org/resources/newsletters/ouch/2015. It delivers the latest best practices, updates and information you need to know directly to your inbox each month.
- You can also educate yourself on small business scams by visiting the FTC's guide on Scams and Your Small Business: https://www.ftc.gov/system/files/documents/plain-language/scams_and_your_small_business.pdf