Protecting Against Corporate Account Takeover: Best Practices for Digital Banking Security
When banking online, you want to trust that your accounts are safe from hackers. However, without taking proper security measures you can leave your business at risk of Corporate Account Takeover. Corporate Account Takeover is a criminal act that occurs when a hacker obtains electronic access to your corporate bank account and conducts unauthorized transactions (wire transfers, Automated Clearing House-ACH, etc.). Losses from this cyber-crime can range from tens of thousands to millions of dollars with many of these thefts never fully recovered.
Types of Corporate Account Takeover
Corporate Account Takeover can occur in three different methods:
- Business Email Compromise (most common) –an unknown source gathers enough information from a business to successfully have funds sent to them
- Wire Transfer – urgent request, last minute update to transaction details
- Email from an employee asking to change their banking information in payroll
- Emails or calls asking to verify a small piece of information (often done over a series of phone calls or emails prior to requesting the change, also called Social Engineering)
- Information collected via social networks
- Impersonation or take over of a business email account
- Using the compromised email to achieve the goal such as requesting funds be sent to a new account or gift cards purchased
- Phishing – when the look and feel of a legitimate financial institution’s website, e-mail or other communication is mimicked for users to provide their credentials without knowing that a perpetrator is stealing their security credentials through a fictitious representation which appears to be their financial institution.
- Malware – infects computer workstations and laptops via infected e-mails with links or document attachments. It can also be downloaded to a user’s workstation or laptop from legitimate websites, particularly social networking sites. Clicking on documents, videos, or photos can activate the download of the malware.
Corporate Account Takeover Best Practices - How to Protect My Business
The best way to protect your business against Corporate Account Takeover is to have a strong partnership with your financial institution. We have put together a list of helpful digital banking security practices that you can follow to help ensure you that your corporate bank account is secure.
Mobile Device Security
- Configure your device to require a passcode to gain access.
- Avoid storing sensitive information. Mobile devices have a high likelihood of being lost or stolen, so you should avoid using them to store sensitive information. If sensitive data is stored, enable encryption to secure it.
- Keep your mobile device’s software up-to-date.
- Disable features not actively in use, such as Bluetooth, Wi-Fi, and infrared. Set Bluetooth-enabled devices to “non-discoverable” when Bluetooth is enabled.
- Delete all information on a device before the device changes ownership. Use a “hard factory reset” to permanently erase all content and settings stored on the device.
- “Sign Out” and/or Log Off” when finished with an app, rather than just closing it.
- Utilize antivirus software on ALL electronic devices that can run antivirus. This includes Apple iPhones/iPads, Android Phones, Linux, MacOS, and Windows based laptops, desktops, and tablets.
- Do not jailbreak or otherwise circumvent security controls.
- Never click on suspicious links in emails, tweets, posts, or online advertising. Links can take you to a different website than their labels indicate. Typing an address in your browser instead of clicking a link in an e-mail is a safer alternative.
- Ensure your information is protected as it travels across the Internet by only submitting sensitive information to websites that use encryption. Verify the web address begins with “https://” (the “s” is for “secure”) rather than just “http://”. Some browsers also display a closed padlock.
- Do not trust sites with certificate warnings or errors. These messages could indicate your connection is being intercepted or the web server is misrepresenting its identity.
- Avoid using public computers or public wireless access points for online banking and other activities involving sensitive information.
- Always “Sign Out” or “Log Off” of password protected websites when finished to prevent unauthorized access. Simply closing the browser window may not actually end your session.
- Be cautious of unsolicited phone calls, emails, social media messages or texts directing you to a website or requesting personal information.
General PC Security
- Maintain active and up-to-date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real-time scanning. If your antivirus product includes cloud-based protections be certain those are enabled.
- Update your software frequently to ensure you have the latest security patches. This includes your computer’s operating system and other installed software (e.g., web browsers, Adobe Flash Player, Adobe Reader, Java, Microsoft Office, etc.)
- Automate software updates, when the software supports it, to ensure it’s not overlooked.
- If you suspect your computer is infected with malware, discontinue using it for banking, shopping, other activities involving sensitive information. Use security software and/or professional help to find and remove malware.
- Use firewalls on your local network to add another layer of protection for all devices that connect through the firewall (e.g., PCs, smart phones, and tablets).
- Require a password to gain access. Log off or lock your computer when not in use.
- Use a cable lock to physically secure a laptop when the device is stored in an untrusted location.
Training & Internal Networking
- Education is key – Train your employees
- Secure your computer and networks
- Limit administrative rights – don’t allow employees to install any software without receiving prior approval
- Install and maintain spam filters
- Keep antivirus software current
- Install routers and firewalls to prevent unauthorized access to your devices or network
- Block pop-ups
- Use strong password policies
- Monitor and reconcile bank accounts daily
- Make sure employees know how and to whom to report suspicious activity – both at your company and your bank
- Use multi-layer security
- Enable two-factor authentication
- Review your statements
- Create unique passwords. Create unique passwords for all the different systems/websites you use. Otherwise, one breach leaves all your accounts vulnerable.
- Never share your password over the phone, in texts, by email, or in person. If you are asked for your password, it’s probably a scam.
- Use unpredictable passwords with a combination of lowercase letters, capital letters, numbers, and special characters. We recommend using a secure Password Manager software to help keep track of passwords and for generating secure unique passwords.
- The longer the password, the tougher it is to crack. Use a password with at least eight (8) characters. Every additional character exponentially strengthens a password.
- Avoid using obvious passwords such as names (e.g. your name, family members’ names, business name, username, etc.), dates (e.g. birthdays, anniversaries, etc.), and dictionary words.
- Choose a password you can remember without writing it down. If you do choose to write it down, store it in a secure location.
More about Business Email Compromise
At the heart of what the FBI has named a "$26 billion scam" is something you casually navigate every day: your email. In the last few years, Business Email Compromise (BEC) has ballooned into the most costly type of cybercrime, targeting business and personal accounts alike.
What should I do if I think I could be a victim of identity theft?
- Notify Vantage Bank immediately
- Close any accounts that have been tampered with or opened fraudulently
- Place a fraud alert on your credit reports and review your credit reports
- File a report with your local police or the police in the community where the identity theft took place
- File a complaint with the Federal Trade Commission (FTC)
Incident Response Plans
Your incident response will most likely be unique to your business. However, here is a simple incident response plan template to get you started:
- Your commercial banker’s direct contact numbers (including after-hours numbers).
- Steps the accountholder should follow to limit further unauthorized transactions:
- Change passwords
- Disconnect devices used for Digital Banking
- Request a temporary hold on all other transactions
- Contact your insurance carrier
- Work with computer forensic specialists and law enforcement to review appropriate equipment
How Vantage Bank protects you
Vantage Bank is committed to helping ensure the safety of your financial identity, your financial assets, and your personal information. We utilize security tools such as passwords and PINs to protect your account data.
To learn more about information security, visit any of the following websites or contact our team at Vantage Bank.
DISCLAIMER: This material is for informational purposes only. Vantage Bank assumes no liability for any loss or damage resulting from one's reliance on the material provided.