What is Corporate Account Takeover?
“Corporate account takeover” is when cyber-thieves gain control of a business’ bank account by stealing the business’ valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects the business’ computer workstations and laptops.
A business can become infected with malware through infected documents attached to an email or through a link in an email that connects the user’s computer to an infected website. In addition, malware can be downloaded to users’ workstations and laptops when they visit legitimate websites, especially social networking sites, and click on the documents, videos or photos posted there. This malware can also spread across a business’ internal network.
How to Limit the Risk of Corporate Account Takeover
Here are some recommended steps to help you mitigate the risk of corporate account takeover:
- Reconcile your business’ banking transactions daily. Report any suspicious activity or unauthorized transactions on your account to the bank as soon as possible. Call 800.356.8622 and speak to a customer support representative.
- Consider using dual control when processing high risk transactions such as ACH and wire transfer payments. This way, one authorized user enters transactions while another authorized user approves and transmits the transactions.
- Verify use of secure sessions (designated as https:// in the URL of your browser) for all online financial transactions, including online banking.
- Avoid using automatic login features that save usernames and passwords for online banking.
- Never leave a computer unattended while using any online banking or investing service.
- Never access bank, brokerage or other financial services information using public Wi-Fi at places such as Internet cafes and public libraries. Unauthorized software may have been installed to trap account number and sign-on information, leaving you vulnerable to possible fraud.
- Properly log out of each online banking session and close all browser windows. Simply closing the active window may not be enough.
- When finished with the computer, turn it off or disconnect it from the Internet.
- Consider utilizing a security expert to test the network or run security software that will aid you in identifying known vulnerabilities.
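The daily reconciliation and dual-control steps above can be checked together. The following is an added example, not code from the bank: the CSV column names, user names, payees and amounts are constructed assumptions standing in for your own payment-approval log and the bank's daily activity export.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample: payments the business entered and approved internally.
APPROVED_CSV = """ref,date,type,payee,amount,entered_by,approved_by
P-1001,2024-03-04,ACH,Acme Supply,1250.00,alice,bob
P-1002,2024-03-04,WIRE,Northside Freight,9800.00,alice,alice
P-1003,2024-03-04,ACH,City Utilities,410.55,carol,bob
"""
# Constructed sample: transactions the bank reports as posted that day.
BANK_CSV = """date,type,payee,amount
2024-03-04,ACH,Acme Supply,1250.00
2024-03-04,WIRE,Northside Freight,9800.00
2024-03-04,ACH,City Utilities,410.55
2024-03-04,WIRE,Unknown Payee,14500.00
"""
HIGH_RISK = {"ACH", "WIRE"}  # transaction types that require dual control

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _key(row):
    # Decimal avoids float rounding when comparing money amounts.
    return (row["date"], row["type"], row["payee"].strip().lower(),
            Decimal(row["amount"]))

def reconcile(approved_csv, bank_csv):
    """Return a list of (finding, detail) tuples to review and report."""
    approved = _rows(approved_csv)
    findings = []
    # Dual control: the approver must exist and differ from the enterer.
    for row in approved:
        approver = row["approved_by"].strip()
        if row["type"] in HIGH_RISK and approver in ("", row["entered_by"].strip()):
            findings.append(("NO_DUAL_CONTROL", row["ref"]))
    # Each approved payment explains one posted transaction only, so a
    # duplicate posting of a legitimate payment is also flagged.
    remaining = Counter(_key(row) for row in approved)
    for row in _rows(bank_csv):
        key = _key(row)
        if remaining[key] > 0:
            remaining[key] -= 1
        else:
            detail = f'{row["type"]} {row["payee"]} {row["amount"]}'
            findings.append(("UNAUTHORIZED", detail))
    return findings

if __name__ == "__main__":
    for finding in reconcile(APPROVED_CSV, BANK_CSV):
        print(finding)
```

Any UNAUTHORIZED finding is a transaction to report to the bank as soon as possible; a NO_DUAL_CONTROL finding means a single user both entered and approved a high-risk payment.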
Best Practices for Securing Company Computers
Here are some commonly used computer security tips and best practices:
- Perform online banking activities from a stand-alone computer system on which email and Web browsing are not allowed.
- Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack your computer.
- Install a dedicated, actively managed firewall, especially if your business has a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
- Create strong passwords with at least 10 characters that include a combination of mixed case letters, numbers and special characters.
- Prohibit the use of “shared” usernames and passwords for online banking systems and never share password information with third-party providers. The bank will never ask you for your online banking credentials in an unsolicited telephone call or email.
- Use a different password for each website that is accessed.
- Limit administrative rights on users’ workstations to help prevent the inadvertent downloading of viruses or other malware.
- Limit user access rights to only the functions they will need to complete their work tasks.
- Educate employees on good cybersecurity practices, including how to avoid having malware installed on the business computer.
- Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not protect against the latest threats as well as an industry-standard product.
- Ensure virus protection and security software are updated regularly.
- Ensure computers, particularly the operating system and key applications, are patched and updated regularly. It may be possible to sign up for automatic updates for the operating system and many applications.
- Internet Security Essentials for Business (US Chamber of Commerce)
- OnGuardOnline.gov (FTC): videos and tutorials about protecting information, creating cybersecurity plans, employee training materials, and more.
- Data Security Made Simpler (Better Business Bureau)
- Sound Business Practices for Businesses to Mitigate Corporate Account Takeover (NACHA – The Electronic Payments Association)