Electronic Crimes
Corporate Account Takeover
Businesses across the United States have suffered large financial losses from electronic crimes through banks of all sizes. These thefts have ranged from a few thousand to several million dollars. Along with the financial impact, there is a very high level of reputational risk for financial institutions, which can undermine confidence in the banking system.
What is CATO?
Corporate Account Takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited to no computer safeguards and minimal or no disbursement controls for use with their bank’s online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to its computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions with the majority of these thefts not fully recovered. These thefts have affected both large and small banks.
This type of cyber-crime is a technologically advanced form of electronic theft. Malicious software, which is available over the Internet, automates many elements of the crime including circumventing one time passwords, authentication tokens, and other forms of multi-factor authentication. Customer awareness of online threats and education about common account takeover methods are helpful measures to protect against these threats. However, due to the dependence of banks on sound computer and disbursement controls of its customers, there is no single measure to stop these thefts entirely. Multiple controls or a “layered security” approach is required.
Best Practices
Extensive Best Practices for reducing the risks of these Corporate Account Takeovers thefts have been developed by task force of bankers while working with the US Secret Service’s Dallas ECTF office and the Texas Department of Banking. These “industry developed” Best Practices have been in use in Texas since January 2012, where they have been extremely well received and welcomed by the banking industry, and where they have already helped prevent millions of dollars of losses.
The Conference of State Bank Supervisors (CSBS) and the FS-ISAC have joined with the US Secret Service and Texas Department of Banking to make the practices for mitigating the risks of Corporate Account Takeover available to financial institutions nationwide.