Reducing the Risks of Account Takeover
Account takeover is a form of identity theft in which cyber thieves gain control of a business's bank account by stealing employee passwords and other valid credentials. Once in control, the thieves initiate fraudulent wire and ACH transactions to accounts they control. Businesses with limited or no internal computer safeguards and disbursement controls around the bank's online banking system are especially exposed once thieves gain access to their computer systems, typically through malicious software (malware). Malware infects a business's computer system not only through 'infected' documents attached to an email but also simply when an infected Web site is visited (a "drive-by download"); no attachment has to be opened.
Suggested Steps for Mitigating Account Takeover Risks
- Provide continuous communication and education to employees who use online banking systems. Enhanced security awareness training helps ensure employees understand the security risks related to their duties;
- Download and install Trusteer Rapport, available at no cost to you;
- Update anti-virus and anti-malware programs frequently;
- Update all computer software on a regular basis to protect against newly disclosed security vulnerabilities (patch management);
- Communicate to employees that passwords should be strong, should not be reused for other sites or services, and should not be stored on the device used to access online banking;
- Adhere to dual control procedures: one employee originates a wire/ACH instruction and a different employee approves it before it is released;
- Use separate devices to originate and to approve/transmit wire/ACH instructions, so that compromising a single workstation is not enough to release a payment;
- Transmit wire transfer and ACH instructions only from a dedicated, isolated device that is not used for email or general Web browsing;
- Practice ongoing account monitoring and reconciliation, especially near the end of the day, so that an unauthorized item is reported while the bank may still be able to stop or recall it;
- Adopt advanced security measures by working with consultants or dedicated IT staff; and
- Utilize resources provided by trade organizations and agencies that specialize in helping small businesses. See Appendix A for a list of resources.
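The dual control and end-of-day reconciliation steps above can be made concrete in a few lines of code. The following Python program is an added example, not part of this advisory or any bank's software; the user names, references, account numbers, amounts and the "bank activity export" are all constructed sample data. It enforces that the approver of a payment instruction is a different person from the originator, and then reconciles what the bank reports as having gone out against the business's own log of released instructions, flagging items the business never created, items released without a second approval, and approved items whose beneficiary or amount was changed in transit (the pattern produced by malware altering an instruction in the browser).

```python
"""Dual control and end-of-day reconciliation for outgoing wire/ACH instructions.

Added illustrative example; not part of the bank's advisory. All names, references,
account numbers and amounts below are constructed sample data.
"""
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import List, Optional, Tuple


class DualControlError(Exception):
    """Raised when one person tries to both originate and approve a payment."""


@dataclass(frozen=True)
class Instruction:
    ref: str                        # reference the bank echoes back on the activity export
    beneficiary: str                # destination account number
    amount: Decimal
    originator: str                 # user who keyed the instruction
    approver: Optional[str] = None  # second user who released it; None = not yet released


def approve(instr: Instruction, approver: str) -> Instruction:
    """Second-person release. Dual control means the approver must differ from the originator."""
    if instr.approver is not None:
        raise DualControlError(f"{instr.ref}: already approved by {instr.approver}")
    if approver == instr.originator:
        raise DualControlError(f"{instr.ref}: {approver} cannot approve an instruction they originated")
    return replace(instr, approver=approver)


@dataclass(frozen=True)
class Debit:
    """An outgoing item as reported by the bank (e.g. a line from the activity export)."""
    ref: str
    beneficiary: str
    amount: Decimal


def reconcile(debits: List[Debit], instructions: List[Instruction]) -> List[Tuple[str, str]]:
    """Return (ref, reason) for every bank debit that is not backed by a released instruction."""
    on_file = {i.ref: i for i in instructions}
    exceptions = []
    for d in debits:
        instr = on_file.get(d.ref)
        if instr is None:
            exceptions.append((d.ref, "no instruction on file"))
        elif instr.approver is None:
            exceptions.append((d.ref, f"released without second approval (originated by {instr.originator})"))
        elif d.beneficiary != instr.beneficiary:
            exceptions.append((d.ref, f"beneficiary changed: authorized {instr.beneficiary}, paid {d.beneficiary}"))
        elif d.amount != instr.amount:
            exceptions.append((d.ref, f"amount changed: authorized {instr.amount}, paid {d.amount}"))
    return exceptions


# --- constructed sample data: the business's own instruction log ---------------------
INSTRUCTIONS = [
    approve(Instruction("WIRE-1001", "111222333", Decimal("12500.00"), "alice"), "bob"),
    approve(Instruction("ACH-2002", "444555666", Decimal("3200.00"), "alice"), "bob"),
    Instruction("WIRE-1003", "999888777", Decimal("9850.00"), "alice"),  # keyed, never approved
]

# --- constructed sample data: what the bank's end-of-day activity export shows --------
BANK_DEBITS = [
    Debit("WIRE-1001", "111222333", Decimal("12500.00")),  # matches the approved instruction
    Debit("ACH-2002", "555000111", Decimal("3200.00")),    # beneficiary altered after approval
    Debit("WIRE-1003", "999888777", Decimal("9850.00")),   # went out with only one person's hands on it
    Debit("ACH-7781", "123412341", Decimal("4990.00")),    # the business never created this item
]


def end_of_day_report(debits=BANK_DEBITS, instructions=INSTRUCTIONS) -> List[Tuple[str, str]]:
    """Run the reconciliation; anything returned should be reported to the bank immediately."""
    return reconcile(debits, instructions)


if __name__ == "__main__":
    for ref, reason in end_of_day_report():
        print(f"EXCEPTION {ref}: {reason}")
    try:  # the dual control check refusing a self-approval
        approve(Instruction("WIRE-1004", "222333444", Decimal("100.00"), "carol"), "carol")
    except DualControlError as e:
        print("blocked:", e)
```

In practice the instruction log lives wherever the business records its approvals, and the debits come from the bank's activity export; the point of the example is that reconciliation must compare against what was authorized under dual control, not merely check that the bank's totals add up.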
Examples of Deceptive Ways Criminals Contact Account Holders
- Grand Bank will never initiate a call to our customers in which we ask for any sensitive information such as access IDs or passwords.
- The FDIC does not directly contact bank customers (especially related to ACH and Wire transactions, account suspension, or security alerts), nor does the FDIC request bank customers to install software upgrades. Such messages should be treated as fraudulent and the account holder should permanently delete them and not click on any links.
- Messages or inquiries purporting to come from the Internal Revenue Service, Better Business Bureau, NACHA, or almost any other organization that ask the customer to install software or to provide account information or access credentials are probably fraudulent and should be verified before any files are opened, software is installed, or information is provided.
- Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, account holders should contact the organization at a phone number obtained from a different source (such as the number they have on file, the number on their most recent statement, or the number on the organization's website). Account holders should not call phone numbers (even those with local prefixes) that are listed in the suspicious email or text message.
Warning Signs of Potentially Compromised Computer Systems
- Inability to log into online banking (thieves may block the customer's access so that the theft is not noticed until the money is gone)
- Dramatic loss of computer speed
- Changes in the way things appear on the screen
- Computer locks up so the user is unable to perform any functions
- Unexpected request for a one-time password (or token) in the middle of an online session, which can indicate malware in the browser trying to use the session to authorize its own transaction
- Unusual pop-up messages
- New or unexpected toolbars and/or icons
- Inability to shut down or restart computer
Creating an Incident Response Plan
Since each business is unique, customers should write their own incident response plan. A general template would include:
- The direct contact numbers of key bank employees (including after-hours numbers);
- Steps the account holder should consider to limit further unauthorized transactions, such as: a. Changing passwords, from a device not suspected of being compromised; b. Disconnecting computers used for Internet banking from the network (unplug the network cable rather than wiping or rebuilding the machine, so that evidence is preserved for the forensic review below); and c. Requesting a temporary hold on all other transactions until out-of-band confirmations can be made;
- Information the account holder will provide to assist the bank in recovering their money;
- Contacting their insurance carrier; and
- Working with computer forensic specialists and law enforcement to review the affected equipment.
Information Security Laws and Standards Affecting Business Owners
Texas statutes related to safeguarding customer information include:
- Chapter 521 of the Texas Business and Commerce Code, known as the Identity Theft Enforcement and Protection Act, provides that penalties of up to $50,000 may be imposed for violations. See §521.053, Notification Required Following Breach of Security of Computerized Data, in the Texas Business and Commerce Code (http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm#521.053);
- Chapter 72 of the Texas Business and Commerce Code relates to disposal of business records. This statute addresses paper and electronic records/information, including information stored on photocopy machines and printers. See the Texas Business and Commerce Code (http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.72.htm).
The Payment Card Industry Security Standards Council was launched in 2006 to manage security standards related to card processing. Any merchant that accepts credit or debit cards for payment is required, under its agreements with the card brands and its acquiring bank, to secure cardholder data according to the standards developed by the council. The PCI Security Standards Council's website (https://www.pcisecuritystandards.org/security_standards/index.php) notes that noncompliance may lead to lawsuits, cancelled accounts, and monetary fines, and provides information for small business compliance.
Resources for Business Account Holders
- The Better Business Bureau's website on Data Security Made Simpler: Better Business Bureau (http://www.bbb.org/datasecurity);
- The Small Business Administration's (SBA) website on Protecting and Securing Customer Information: SBA (http://community.sba.gov/community/blogs/community-blogs/business-law-advisor/how-smallbusinesses-can-protect-and-secure-customer-information);
- The Federal Trade Commission's (FTC) interactive business guide for protecting data: FTC (http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html);
- The National Institute of Standards and Technology's (NIST) Fundamentals of Information Security for Small Businesses: NIST (http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf);
- The jointly issued "Fraud Advisory for Businesses: Corporate Account Takeover" from the U.S. Secret Service, FBI, IC3, and FS-ISAC, available on the IC3 website (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf) or the FS-ISAC website (http://www.fsisac.com/files/public/db/p265.pdf); and
- NACHA – The Electronic Payments Association's website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: NACHA (http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm).