Business Guide to Corporate Account Takeover
What is Corporate Account Takeover?
Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable.
Corporate account takeover is a growing threat for small businesses. It is important that businesses understand and prepare for this risk.
Cyber thieves target employees through phishing, phone calls, and even social networks. It is common for thieves to send emails posing as a bank, delivery company, court or the Better Business Bureau. Once the email is opened, malware is loaded on the computer which then records login credentials and passcodes and reports them back to the criminals.
How do I protect myself and my small business?
The best way to protect against corporate account takeover is a strong partnership with Community State Bank. Work with Community State Bank to understand security measures needed within the business and to establish safeguards on the accounts that can help the bank identify and prevent unauthorized access to your funds.
A shared responsibility between the bank and the business is the most effective way to prevent corporate account takeover. Consider these tips to ensure your business is well prepared:
- Educate your employees. You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.
- Protect your online environment. It is important to protect your cyber environment just as you would your cash and physical location. Do not use unprotected internet connections. Encrypt sensitive data and keep updated virus protection on your computer. Use complex passwords and change them periodically.
- Partner with Community State Bank to prevent unauthorized transactions. Talk to your bank about programs that safeguard you from unauthorized transactions. Device authentication, multi-person approval processes, and batch limits help protect you from fraud.
- Pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop-ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. Keep records of what happened.
- Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your bank if you have any questions about your responsibilities.
We encourage our business customers to use the following resources to create comprehensive cyber security policies and to stay up-to-date on best practices.
The Federal Deposit Insurance Corporation (FDIC) is working with federal and state banking agencies and financial institutions to assist customers affected by the coronavirus disease 2019 (COVID-19) global pandemic. The following information is more important than ever during these challenging times.
Information regarding Fake Check Scams
FDIC Consumer News - Oct 2021
When cybersecurity is inadequate, it can lead to stolen identity and financial loss. Most scams and scammers have two main goals: to steal your money and your identity. You should know what to look for, how they work, and what to do, so you can protect yourself and your finances. Read the full newsletter here: FDIC: Avoiding Scams and Scammers
Online Banking Safety and Mobile Banking Fraud
Mobile Device Security Information
Tips to Keep Your Mobile Device Safe and Secure
- Use of mobile anti-malware applications and PIN protection is vitally important in keeping your device safe and secure.
- Mobile device users should regularly install operating system and firmware updates.
- Using unsecured "public" wireless networks (e.g., coffee shops, airports) is highly risky and can put your login credentials at risk. You should never log in to any secured site over an unsecured public wireless network.
- Avoid phishing messages in the form of email as well as SMS text messaging. Text message phishing is becoming more common. Users should practice caution when receiving these messages and before acting on them.
- You may see a warning that says "Warning: Visiting this website may harm your computer." This warning is a very strong indicator that there is something wrong with the site you are about to visit.
- If a download has begun as soon as you enter a site, this may be a sign that there is something fishy going on. If you weren't looking for the application, then don't install it.
- If a site redirects to a strange website, it may be compromised.
- A rooted or jailbroken device is more susceptible to malware infection and it's easier for a jailbroken device's operating system to be compromised.
- Mitigate risk factors for jailbroken devices: Keep mobile devices and apps up to date by enabling auto-update on the device to ensure timely updates are happening. Where practical, configure Android devices to disallow sideloading; install apps from trusted sources such as Apple's App Store, Google Play and Amazon's App store.
- Complex passwords to secure the device are highly recommended. Use a mix of alphanumeric and special characters, incorporating upper and lower case letters, and do not use names or readily available words and number sets. Never share your login credentials with anyone.
- Secure apps with passwords if possible.
- Consider using mobile security software and apps to protect your device. For example, anti-malware software for smartphones and tablets can be purchased from a reputable vendor.
- Use auto-wipe or remote-wipe features so that, should the device be lost or stolen, any sensitive and confidential information on it can be removed.
- Activate the "time out" or "auto lock" feature that secures your mobile device when it is left unused for a certain number of minutes. Set that security feature to start after a relatively brief period of inactivity. Doing so reduces the likelihood that a thief will be able to use your phone or tablet.
Mobile Security Threats
- Device Loss or Theft
- (often delivered via emails, text messages and social media)
- Malware and Spyware
- Quick Response (QR) Codes
United States Computer Emergency Readiness Team (US-CERT) Tips
- Do not follow unsolicited web links or attachments in email messages.
- Keep antivirus and other computer software up-to-date.
- Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number.
Cybersecurity Awareness Month (Resources & Education)
As hacks, data breaches, and other cyber-enabled crime become increasingly commonplace, National Cyber Security Awareness Month (in October) was an important reminder of the need to take steps to protect yourself and your family when using the Internet.
- Contact the Internet Crime Complaint Center if you’re ever a victim.
- Understand the importance of cyber-security skills at your workplace.
- Know the risks of the Internet of Things (IoT).
Cybersecurity Tips for Businesses with Online Banking
- Provide continuous communication and education to employees using online banking systems. Providing enhanced security awareness training will help ensure employees understand the security risks related to their duties.
- Update anti-virus and anti-malware programs frequently.
- Update, on a regular basis, all computer software to protect against new security vulnerabilities (patch management practices).
- Communicate to employees that passwords should be strong and should not be stored on the device used to access online banking.
- Adhere to dual control procedures if feasible.
- Use separate devices to originate and transmit wire/ACH instructions.
- Transmit wire transfer and ACH instructions via a dedicated and isolated device.
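The safeguards named above and in the earlier "Partner with Community State Bank" tip (dual control, batch limits, device authentication) can be expressed as a simple release policy for a wire/ACH batch. The code below is an added illustration, not the bank's or any vendor's system; every user name, device ID and dollar limit in it is constructed for the example.

```python
"""Added example: a minimal release-policy check for a wire/ACH batch that
enforces dual control (the originator cannot approve their own batch),
a per-batch dollar limit, and device authentication (origination and
approval must come from devices registered to that user).
All names, device IDs and limits are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Batch:
    originator: str
    origin_device: str
    total_cents: int
    approvals: list = field(default_factory=list)  # list of (user, device_id)


@dataclass
class Policy:
    batch_limit_cents: int
    registered_devices: dict  # user -> set of device IDs registered to that user
    required_approvers: int = 1  # independent approvers needed before release


def evaluate(batch: Batch, policy: Policy) -> list:
    """Return a list of policy violations; an empty list means the batch may be released."""
    problems = []
    if batch.total_cents > policy.batch_limit_cents:
        problems.append("batch exceeds limit")
    if batch.origin_device not in policy.registered_devices.get(batch.originator, set()):
        problems.append("originator device not registered")
    independent = set()
    for user, device in batch.approvals:
        if user == batch.originator:  # dual control: self-approval never counts
            problems.append(f"dual control: {user} originated and approved")
            continue
        if device not in policy.registered_devices.get(user, set()):
            problems.append(f"approver device not registered: {user}")
            continue
        independent.add(user)
    if len(independent) < policy.required_approvers:
        problems.append("insufficient independent approvals")
    return problems


def sample_policy() -> Policy:
    """Constructed policy: $50,000 batch limit, one registered device per user."""
    return Policy(
        batch_limit_cents=50_000_00,
        registered_devices={"alice": {"dev-a1"}, "bob": {"dev-b1"}},
        required_approvers=1,
    )
```

A batch that trips any rule should be held and reviewed rather than released; the returned list is what an operator would see in the hold reason.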
Warning Signs of Potentially Compromised Computer Systems
- Inability to log into online banking (thieves could be blocking customer access so the customer won’t see the theft until the criminals have control of the money).
- Dramatic loss of computer speed.
- Changes in the way things appear on the screen.
- Computer locks up so the user is unable to perform any functions.
- Unexpected rebooting or restarting of the computer.
- Unexpected request for a one-time password (or token) in the middle of an online session.
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to online banking (or other website/application) is not working (system unavailable, down for maintenance, etc.).
- New or unexpected toolbars and/or icons.
- Inability to shut down or restart the computer.
Deceptive Ways Criminals Contact Account Holders
10 things you can do to help protect yourself from online criminals:
- Have computer security programs running and regularly updated to look for the latest threats. Install anti-virus/anti-malware software to protect against malware (malicious software) that can steal information such as account numbers and passwords, and use a firewall to prevent unauthorized access to your computer.
- Be smart about where and how you connect to the Internet for banking or other communications involving sensitive personal information. Public Wi-Fi networks and computers at places such as libraries or hotel business centers can be risky if they don’t have up-to-date security software.
- Get to know standard Internet safety features. For example, when banking or shopping online, look for a padlock symbol on a page (that means it is secure) and “https://” at the beginning of the Web address (signifying that the website is authentic and encrypts data during transmission). Note that the padlock only confirms an encrypted connection to the address shown; also check that the address itself is your bank's or retailer's own domain, since fraudulent sites can use https too.
- Ignore unsolicited emails asking you to open an attachment or click on a link if you’re not sure it’s who truly sent it and why. Cybercriminals are good at creating fake emails that look legitimate, but can install malware. Your best bet is to either ignore unsolicited requests to open attachments or files or to independently verify that the supposed source actually sent the email to you by making contact using a published email address or telephone number.
- Be suspicious if someone contacts you unexpectedly online and asks for your personal information. A safe strategy is to ignore unsolicited requests for information, no matter how legitimate they appear, especially if they ask for information such as a Social Security number, bank account numbers and passwords.
- Use the most secure process you can when logging into financial accounts. Create “strong” passwords that are hard to guess, change them regularly, and try not to use the same passwords or PINs (personal identification numbers) for several accounts. Never share your ID and Password information with anyone.
- Be discreet when using social networking sites. Criminals comb those sites looking for information such as someone’s place of birth, mother’s maiden name or a pet’s name, in case those details can help them guess or reset passwords for online accounts.
- Be careful when using smartphones and tablets. Don’t leave your mobile device unattended and use a device password or other method to control access if it’s stolen or lost. Do not store or save bank account information (e.g., statements, transaction images) on your mobile device, for instance by taking screenshots.
- Parents and caregivers should include children in their cybersecurity planning. Talk with your child about being safe online, including the risks of sharing personal information with people they don’t know, and make sure the devices they use to connect to the Internet have up-to-date security.
- Small business owners should have policies and training for their employees on topics similar to those provided in this checklist for customers, plus other issues that are specific to the business. For example, consider requiring more information beyond a password to gain access to your business’s network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.