Back to top

Corporate Account Takeover

What is Corporate Account Takeover?

Corporate Account Takeover (CATO) is a form of corporate identity theft where a business’ online credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity.  Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business' computer workstations and laptops.

Corporate Account Takeover usually works something like this:

Target the Company - The fraudster targets a business or an employee of the business, often a senior executive, using any number of techniques designed to either directly gather the login information or infect the computer with malware that can obtain it. These techniques include but are not limited to phishing, attachments or links to Web site infected with malware, fake friend requests on social networking sites and more.

Install Malware - The next step is to install the malware onto the victim’s computer. This malware often contains the ability to transmit what key strokes are taken and even screenshots of what the victim is looking at. The Zeus Trojan is an example of one of the more prevalent pieces of malware on the Internet that targets online banking customers.

Gather Information - When the victim logs into online banking the malware transmits the login information to the fraudster.

Initiate Takeover - Once the login information is transmitted to the fraudster, they can use it to log in and transfer money out of the accounts, while appearing to be a legitimate user.

 

How to Prevent Corporate Account Takeover

Below is a link to a fraud advisory for businesses released by IC3 that explains the "Protect, Detect, and Respond" framework recommended by a number of security firms and government agencies.  It goes into detail on ways you can prevent CATO, and how to respond if it takes place.

IC3's Fraud Advisory for Businesses

There is no single step a business can take to prevent Corporate Account Takeover.  Prevention takes layered security along with widespread education about this type of attack.  Here are some practices that can help keep you from being a victim of CATO:

  • If possible, carry out all online banking transactions from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are disabled.
  • Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack their computer.
  • Install a dedicated, actively managed firewall, especially if they have a broadband or dedicated connection to the Internet, such as DSL or cable.
  • Change the password a few times each year.
  • Never share username and password information for Online Services with third-party providers.
  • Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
  • Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
  • Ensure virus protection and security software are updated regularly. 
  • Ensure computers are patched regularly particularly operating system and key application with security patches. It may be possible to sign up for automatic updates for the operating system and many applications. 
  • Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.
  • Verify use of a secure session (https not http) in the browser for all online banking.
  • Avoid using an automatic login features that save usernames and passwords for online banking.
  • Never leave a computer unattended while using any online banking or investing service.
  • Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign on information leaving the customer vulnerable to possible fraud.
  • Customers must familiarize themselves with the institution's account agreement and with the customer's liability for fraud under the agreement and the Uniform Commercial Code as adopted in the jurisdiction.
  • Stay in touch with other businesses to share information regarding suspected fraud activity.
  • Immediately escalate any suspicious transactions to the financial institution particularly, ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.

 

Signs Your Computer has Been Compromised

It can be very hard to tell if your computer has been compromised (or infected) by a virus or malware.  Most of the malware includes features that do their best to keep you from noticing them.  However there are some common signs of an infections that can help tip you off that something is wrong.  Here are some of those signs:

  • You see unexpected messages or images.
  • Programs start unexpectedly, or won't start when activated.
  • Your personal firewall tells you that an application has tried to connect to the Internet
  • Your friends tell you that they have received e-mail messages from your address and you haven’t sent them anything.
  • Your computer ‘freezes’ frequently, or programs start running slowly.
  • You get lots of system error messages.
  • The operating system will not load when you start your computer.
  • You notice that files or folders have been deleted or changed.
  • Your web browser behaves erratically, e.g. you can’t close a browser window

 

Helpful Links

NACHA's Corporate Account Takeover Resource Center

IC3's Fraud Advisory for Businesses

CATO Press Release from the Texas Dept. of Banking

Corporate Account Takeover page from the CSBS