The year 2006 marked the emergence of the fraudulent activity we now know as corporate account takeover.
Contrary to what one might believe about corporate account takeover, the targets are most often small to medium-sized businesses; city, county and other local governmental agencies, including school districts; and nonprofit organizations. This type of fraud can seem complicated, but actually, it is very simple and can sometimes net criminals hundreds of thousands or even millions of dollars. It works like this:
An email is sent to an employee of one of the targeted entities. The employee clicks on a link or attachment within the email, and his or her computer is infected with malicious software (malware). The purpose of the malware is to obtain login credentials to the employer’s online banking account.
Once the malware is downloaded, fraudulent Automated Clearing House and wire transfer files are created using login credentials belonging to an authorized user of the organization’s online banking account. The receivers of the funds, called money mules, are individuals who often believe they are helping a “boyfriend or girlfriend” or “working from home.” The money is sent to the mules, who then withdraw the funds and transfer the money overseas via Western Union or some other money transmission service.
Investigation into these crimes is difficult because they often emanate from overseas, which is also where the money ultimately ends up. Federal law enforcement officials are dependent on their relationships with and cooperation from foreign law enforcement agencies.
Anti-virus protection is essential; however, these protections can be up to 60 days behind the threats that are emerging on a daily basis.
In addition to anti-virus protection, ask your financial institution about the different layers of security it has in place to help you combat this type of fraud and prevent your organization from taking what could be a catastrophic loss. A username and password alone are no longer acceptable for a secure login. Additional layers of security that your financial institution should offer include, but are not limited to: device recognition, out-of-band authentication and anomaly detection.
Employee education is also critical. Employees need to know the risks of email and Web surfing. Companies should restrict Web surfing whenever possible and train their employees in identifying suspicious email. Several small and mid-sized businesses in the Des Moines area have already been targeted, as well as local nonprofits.
Internet banking is a convenient and efficient way to conduct banking transactions. Anytime something is convenient and efficient for a user, it’s also convenient and efficient for a fraudster. Though security measures may be inconvenient, those additional layers could be the deterrent that moves the fraudster from your account to an account that is less protected.
If one of your computers becomes infected with malware, contact your financial institutions immediately so the threat of account takeover can be mitigated.
For additional information on account takeover, see “The Small Business Guide to Corporate Account Takeover,” which the American Bankers Association published and made available on its website, www.aba.com.
Jodi Selby is the vice president of security at Bankers Trust Co.