Corporate Account Takeover is a type of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves.
Businesses across the United States have suffered large financial losses from electronic crimes through the banking system. These thefts have ranged from a few thousand to several million dollars. They have occurred in banks of all sizes and locations. And, they may not be covered by the bank’s insurance. Along with the financial impact, there is also a very high level of reputation risk for financial institutions.
Recognizing the importance of having banker-developed practices specifically to assist the banking industry, the Conference of State Bank Supervisors (CSBS) and the Financial Services – Information Sharing and Analysis Center (FS-ISAC) have joined with the United States Secret Service (US Secret Service) and Texas Department of Banking to make practices for mitigating the risks of Corporate Account Takeover available to financial institutions nationwide.
The Task Force developed a list of nineteen processes and controls for reducing the risk of Corporate Account Takeovers. These processes and controls expand upon a three-part risk management framework developed by the FS-ISAC, the US Secret Service, the Federal Bureau of Investigation, and the Internet Crime Complaint Center (IC3)1. Fundamentally, a bank should implement processes and controls centered on three core elements: Protect, Detect, and Respond.
The Task Force has also compiled a set of best practices for each of the recommended processes and controls under the Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing the nineteen processes and controls needed to reduce the risk of Corporate Account Takeover thefts. The Federal Financial Institutions Examination Council’s (FFIEC) Supplement to Authentication in an Internet Banking Environment2 (FFIEC Supplemental Guidance), issued on June 28, 2011, conveys minimum expectations which are noted within this document. It is important to remember that electronic crimes are dynamic, as cyber criminals continually change their techniques. Additional changes in risk management processes and controls will be necessary as this type of theft continues to evolve.
1 Refer to the jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” available on the IC3 website (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf) or the FS-ISAC website (http://www.fsisac.com/files/public/db/p265.pdf).
2 The FFIEC Guidance is available at (http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formatted.pdf)
RESOURCES FOR BUSINESS ACCOUNT HOLDERS
- The Better Business Bureau’s website on Data Security Made Simpler: http://www.bbb.org/data-security;
- The Small Business Administration’s (SBA) website on Protecting and Securing Customer Information:;
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data: ;
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf;
- The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3, and FS-ISAC available on the IC3 website (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf) or the FS-ISAC website (http://www.fsisac.com/files/public/db/p265/pdf); and
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm.
EXAMPLES OF DECEPTIVE WAYS CRIMINALS CONTACT ACCOUNT HOLDERS
- The FDIC does not directly contact bank customers (especially related to ACH and Wire transactions, account suspension, or security alerts), nor does the FDIC request bank customers to install software upgrades. Such messages should be treated as fraudulent and the account holder should permanently delete them and not click on any links.
- Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking the customer to install software or provide account information or access credentials are probably fraudulent and should be verified before any files are opened, software is installed, or information is provided.
- Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, account holders should contact the organization at the phone number the customer obtained from a different source (such as the number they have on file, that is on their most recent statement, or that is from the organization’s website). Account holders should not call phone numbers (even local prefixes) that are listed in the suspicious email or text message.
INCIDENT RESPONSE PLANS
Since each business is unique, customers should write their own incident response plan. A general template would include:
- The direct contact numbers of key bank employees (including after hour numbers);
- Steps the account holder should consider to limit further unauthorized transactions, such as:
  - Changing passwords;
  - Disconnecting computers used for Internet Banking; and
  - Requesting a temporary hold on all other transactions until out-of-band confirmations can be made;
- Information the account holder will provide to assist the bank in recovering their money;
- Contacting their insurance carrier; and
- Working with computer forensic specialists and law enforcement to review appropriate equipment.
INFORMATION SECURITY LAWS AND STANDARDS AFFECTING BUSINESS OWNERS
Although banks are not responsible for ensuring their account holders comply with information security laws, making business owners aware of consequences for non-compliance if the information is breached can reinforce the message that they need to maintain stronger security. Breaches of credit and debit card information can create financial and reputational risks for the business.
When providing security awareness education to corporate customers, banks may want to also alert business owners of the need to safeguard their own customers’ sensitive information. State statutes related to safeguarding customer information could be provided as part of the education process.
The Payment Card Industry Security Standards Council was launched in 2006 to manage security standards related to card processing. Any merchant that accepts credit or debit cards for payment is required to secure their data based on the standards developed by the council. The PCI Security Standards Council website (https://www.pcisecuritystandards.org/security_standards/index.php) notes that noncompliance may lead to lawsuits, cancelled accounts, and monetary fines. The website provides information for small business compliance.