Corporate Account Takeover
Protect Your Business
Corporate account takeover is the business equivalent of identity theft.
Criminals use phishing, malware, and business email compromise to obtain a business's online banking credentials or confidential information and then move the business's money. Small and medium-sized businesses and non-profits are frequent targets because their IT resources may be limited and their employees may not receive adequate cybersecurity training.
The best defense against corporate account takeover is personnel education and awareness at every level of the business, backed by the technical and banking controls described below.
Protect Computer Networks
It is essential to maintain adequate system security. Keep anti-virus and anti-malware software and firewalls up to date. Use current, supported versions of operating systems and browsers, and apply third-party software patches promptly.
As a best practice, a computer used for online banking should not be used for email or general internet browsing. This reduces the risk that key-logging malware, or another program that steals bank login credentials, will infect the device.
Require complex passwords, using letters, numbers, and symbols, for access to the network and its software applications, and change them periodically and immediately whenever compromise is suspected. Give employees only the access and programs they need to perform their duties, so that one compromised account cannot reach every system.
Email is the primary carrier of malicious software into a business's network, but malware can also arrive through ads on websites or links on social media. Give all employees cybersecurity training that emphasizes caution when opening attachments or clicking embedded links.
Whenever possible, configure email clients to show the sender's full address, not just the display name. A display name is trivially forged; the domain after the @ is what should be compared with the address you expect before opening or acting on the message.
Some of the schemes used by cyber-thieves include:
- Emails that appear to come from a reputable institution, such as a bank, asking the recipient to click a link and log in; the credentials entered on the fake page are stolen
- Impersonating a vendor and requesting immediate payment of an invoice; the payment never reaches the real vendor
- Posing as a company executive who is "in a meeting" and approving an "emergency" wire; the funds go to the thieves.
Awareness of these tactics goes a long way toward preventing employees from acting on a fraudulent request that would most likely cause a loss to the business. Any unexpected request to send money or change payment details should be confirmed by calling the requester at a number already on file, never at one supplied in the message itself.
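The following is an added example, not Mission Bank's code, showing the sender-domain check recommended above applied to the impersonation schemes in the list: a trusted person's display name on a foreign domain, and a lookalike domain that contains or closely resembles a real one. The trusted-sender list, the domain names, and the sample headers are all constructed for illustration.

```python
"""Flag From: headers that look like sender impersonation.

Added example (not Mission Bank's code): the trusted-sender list and the
sample headers are constructed for illustration; replace them with the
vendors and executives your business actually deals with.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: display name (lower-cased) -> the one domain that
# party legitimately sends from.  Hypothetical names and domains.
TRUSTED_SENDERS = {
    "accounts payable": "acme-supplies.example",
    "jane ceo": "missionbank.example",
}
TRUSTED_DOMAINS = sorted(set(TRUSTED_SENDERS.values()))


def sender_domain(from_header: str) -> tuple[str, str]:
    """Split a From: header into (display name, domain), both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def looks_alike(domain: str, trusted: str, threshold: float = 0.8) -> bool:
    """True if the domain contains the trusted brand label or is nearly
    identical to the trusted domain (catches missionbank-secure.example
    as well as rnissionbank.example)."""
    brand = trusted.split(".")[0]
    return brand in domain or SequenceMatcher(None, domain, trusted).ratio() > threshold


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a header is suspicious.  An empty list means the
    address is on a trusted domain; the header alone cannot prove more."""
    name, domain = sender_domain(from_header)
    if not domain:
        return ["no parseable address in From: header"]
    if domain in TRUSTED_DOMAINS:
        return []
    reasons = []
    # Display-name spoofing: a known person's name on a foreign domain.
    expected = TRUSTED_SENDERS.get(name)
    if expected is not None:
        reasons.append(f"display name '{name}' expected from {expected}, got {domain}")
    # Lookalike domain: close to a trusted domain but not equal to it.
    for trusted in TRUSTED_DOMAINS:
        if looks_alike(domain, trusted):
            reasons.append(f"domain {domain} resembles trusted domain {trusted}")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample headers covering the schemes described above.
    for header in [
        "Accounts Payable <ap@acme-supplies.example>",
        "Jane CEO <jane.ceo@freemail.example>",
        "Accounts Payable <billing@acme-supplies-billing.example>",
        "IT Support <helpdesk@rnissionbank.example>",
    ]:
        print(header, "->", check_sender(header) or "ok")
```

A clean result only means the visible address is on an expected domain. The From: header itself can be forged, so this check belongs alongside SPF, DKIM and DMARC enforcement at the mail gateway, and a request to move money still gets the phone-call confirmation described above.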
Adopt Layered Security
Where available, use more than a login ID and password for access to systems that hold sensitive information or allow money movement. Hardware tokens or one-time authentication codes can be used with online banking and accounting programs, and some of those programs require them.
Implement dual control on key online banking functions, such as user setup and wire or ACH initiation, so that one person enters a transaction and a different person approves it, and give those entitlements to as few staff as possible.
Monitor bank account activity daily to confirm that no unauthorized transactions are listed. Alert the bank immediately if anything looks suspicious; a fraudulent check or electronic transaction can normally be returned if it is caught within 24 hours.
Positive Pay is a banking service that is highly recommended for businesses as a tool to detect fraudulent activity. It compares clearing checks, and incoming electronic transactions, against the criteria and issued-item information you establish with the bank, and flags any item that does not match for your review before it is paid. Contact one of our Business Bankers if you would like more information on how Positive Pay can protect your accounts.
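The following is an added example, not Mission Bank's code or its Positive Pay system, showing the kind of matching such a service performs: presented checks are compared with the issued-check file the business supplies, and incoming ACH debits are compared with the originators and amount limits the business has authorized. Every record, company ID and amount below is constructed for illustration.

```python
"""Positive Pay style exception matching for checks and ACH debits.

Added example (not Mission Bank's code): it shows the matching a positive
pay service performs between the items presented for payment and the
information the business has given its bank.  All records are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:
    company_id: str   # originator's company identification
    amount: Decimal


# Constructed issued-check file the business uploads to the bank.
ISSUED = [
    Check(1001, Decimal("2500.00"), "Acme Supplies"),
    Check(1002, Decimal("980.50"), "City Utilities"),
    Check(1003, Decimal("12000.00"), "Payroll Services Inc"),
]

# Constructed items presented in one day's clearing.
PRESENTED = [
    Check(1001, Decimal("2500.00"), "Acme Supplies"),      # clean match
    Check(1002, Decimal("9800.50"), "City Utilities"),     # amount altered
    Check(1003, Decimal("12000.00"), "J. Thief"),          # payee altered
    Check(1004, Decimal("4300.00"), "Unknown Vendor"),     # never issued
    Check(1001, Decimal("2500.00"), "Acme Supplies"),      # presented twice
]

# Constructed ACH debit filter: originators allowed to debit the account,
# each with the maximum amount the business has authorized.
AUTHORIZED_DEBITS = {
    "1234567890": Decimal("15000.00"),   # hypothetical payroll provider
    "2468013579": Decimal("1500.00"),    # hypothetical utility
}
PRESENTED_DEBITS = [
    AchDebit("1234567890", Decimal("14200.00")),   # within cap
    AchDebit("2468013579", Decimal("4999.00")),    # over cap
    AchDebit("5555555555", Decimal("250.00")),     # unknown originator
]


def positive_pay(issued, presented, payee_match=True):
    """Return (pay, exceptions); exceptions are (check, reason) pairs that the
    business must decide on before the bank's daily cutoff."""
    by_number = {c.number: c for c in issued}
    paid, pay, exceptions = set(), [], []
    for item in presented:
        ref = by_number.get(item.number)
        if ref is None:
            exceptions.append((item, "check number not in issued file"))
        elif item.number in paid:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != ref.amount:
            exceptions.append((item, f"amount {item.amount} differs from issued {ref.amount}"))
        elif payee_match and item.payee.casefold() != ref.payee.casefold():
            exceptions.append((item, f"payee '{item.payee}' differs from issued '{ref.payee}'"))
        else:
            pay.append(item)
            paid.add(item.number)
    return pay, exceptions


def ach_filter(debits, authorized):
    """Same idea for incoming electronic debits: block unknown originators
    and anything above the authorized cap."""
    pay, exceptions = [], []
    for d in debits:
        cap = authorized.get(d.company_id)
        if cap is None:
            exceptions.append((d, "originator not authorized"))
        elif d.amount > cap:
            exceptions.append((d, f"amount {d.amount} exceeds cap {cap}"))
        else:
            pay.append(d)
    return pay, exceptions


if __name__ == "__main__":
    for label, (pay, exc) in [("checks", positive_pay(ISSUED, PRESENTED)),
                              ("ACH", ach_filter(PRESENTED_DEBITS, AUTHORIZED_DEBITS))]:
        print(label, "pay:", len(pay), "exceptions:", len(exc))
        for item, reason in exc:
            print("  ", item, "->", reason)
```

The payee comparison is optional here because not every positive pay offering checks the payee name; ask the bank which fields it matches. What happens to an exception nobody decides on by the cutoff (pay or return) is set by the business's agreement with the bank, which is why the daily monitoring above matters.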
Remember, Mission Bank will never contact you and ask for personal information via email or text messaging.