Online Security

Corporate Account Takeover and Business Email Compromise

“Corporate Account Takeover” and “Business Email Compromise” are the names given to two types of cyber-crimes that target small-and medium-sized businesses. Nationwide, businesses have reported fraud losses in the thousands of dollars as a result of these two types of cyber-crimes.

The following information will assist you in reducing your exposure to these two types of fraud.

What is corporate account takeover?

Corporate Account Takeover is when cyber-thieves gain control of a businesses’ bank account by stealing the business’ valid online banking credentials. Once the criminal has access to these credentials, they log into the business’ online banking account and conduct one or more transactions to fraudulently remove funds from the account(s).

What is business email compromise?

Business email compromise occurs when the email credentials of a business owner or executive are exposed to a criminal. The criminal will monitor the executive’s calendar and wait for them to be out of town. While the executive is gone, the criminal will use the compromised email account to send an email to someone either within the company or at the bank and state that there is an urgent need to send out a wire transfer.

How do criminals obtain account and email credentials?

Criminals use several methods to steal account and email credentials. The most common method involves infecting a businesses’ computer with malware through either an email attachment or a link to an infected website. Legitimate websites – including social media websites - can also be used to download infected documents, photos, or videos. Once the malware is on a computer it can spread across an enterprises’ entire internal network. The malware typically installs key logging software that can monitor and record the keystrokes that the user enters to access their financial institution’s website.

Some cyber thieves are very patient and have been known to allow the malware to collect data from an infected computer in excess of 200 days. During this timeframe, the thieves gather information from the user’s calendar entries (scheduled business trips and vacation time) and the email account (address book contacts, as well as word and sentence structure within the body of the emails). The cyber thieves will also monitor online banking habits including account activity and ACH details (file size, frequency, limits, and Standard Entry Class (SEC) Codes). This information is later used to conduct fraudulent transactions.

Why are smaller businesses and organizations targeted?

The cyber-thieves target small-to medium-sized businesses for several reasons:

  • They know that many small businesses and organizations access their bank’s online banking product to originate ACH funds transfers for payroll purposes. In corporate account takeover, the cyber-thieves may add fictitious names to a payroll file.
  • Small businesses often do not have the same level of resources as larger companies to defend their information technology systems.
  • Many small businesses do not monitor and reconcile their accounts on a frequent or daily basis.
What can Sterling Bank & Trust and its business customers do?

Sterling Bank & Trust and its business customers have distinct responsibilities to help address the security of online access to businesses’ accounts. Each of us can take steps to protect corporate accounts from being taken over.

The top things Sterling Bank & Trust does:

  • Deploy multi-factor authentication, (MFA), a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction, for business account holders who are permitted to initiate funds transfers. For example: something the person knows (user ID, PIN, and password); something the person has (computer, phone, or mobile device)
  • Encourage business customers to initiate payments under dual control, with distinct responsibility for transaction origination and authorization.
  • Establish exposure limits that are related to customers’ activities.

Business customers should be aware of prevention, detection and reporting measures. The top things a business can do are:

  • Initiate ACH and wire transfer payments under dual control. For example: One person authorizes the creation of the payment file, and a second person authorizes the release of the file.
  • Ensure that all anti-virus and security software and mechanisms for all computer workstations and laptops that are used for online banking and payments are robust and up-to-date.
  • Utilize the security features offered by their financial institution(s).
  • Restrict functions for computer workstations and laptops that are used for online banking and payments. For example, a workstation used for online banking should not be used for general web browsing and social networking. A better solution is to conduct online banking and payments activity from a dedicated computer that is not used for other online activity, and/or is not connected to an internal network.
  • Monitor and reconcile accounts daily. Many small business clients do not reconcile their bank accounts on a daily basis, and therefore may not recognize fraudulent activity until it is too late to take action.