Best Practices to Reduce Corporate Account Takeover Risks
Warning signs of a System or Network compromise
- Inability to log into online banking (thieves could be blocking access so that you won't see the theft until the criminals have control of the money).
- Dramatic loss of computer speed.
- Changes in the way things appear on the screen.
- Computer locks up so the user is unable to perform any functions.
- Unexpected rebooting or restarting of the computer.
- Unexpected request for a one time password (or token) in the middle of an online session.
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.).
- New or unexpected toolbars and/or icons.
- Inability to shut down or restart the computer.
Examples of deceptive ways criminals contact account holders
- The FDIC does not directly contact bank customers (especially related to ACH and Wire transactions, account suspension, or security alerts), nor does the FDIC request bank customers to install software upgrades. Such messages should be treated as fraudulent and the account holder should permanently delete them and not click on any links.
- Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking the customer to install software, provide account information, or access credentials is probably fraudulent and should be verified before any files are opened, software installed, or information provided.
- Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, contact the organization at a phone number you obtained from a different source (such as the number you have on file, that is on your most recent statement, or that is from the organization's website). You should not call phone numbers (even with local prefixes) that are listed in the suspicious e-mail or text message.
Incident response plans
Since each business is unique, you should write your own incident response plan. A general template would include:
- The contact numbers of key employees, key vendors, and bank contacts.
Steps you should consider to limit further unauthorized transactions, such as:
- Changing passwords.
- Disconnecting computers used for Internet banking.
- Requesting a temporary hold on all other transactions.
- Information you can provide to assist the bank in recovering your money.
- Contacting your insurance carrier.
- Working with computer forensic specialists and law enforcement to review equipment.
Information security laws and standards affecting business owners
Although banks are not responsible for ensuring account holders comply with information security laws, making business owners aware of consequences for non-compliance if the information is breached can reinforce the message that they need to maintain stronger security.
Breaches of credit and debit card information from retail businesses are common. Loss of that information or sensitive personal information can create financial and reputations risks for the business. Business owners need to safeguard their own customers' sensitive information.
The Payment Card Industry Security Standards Council was launched in 2006 to manage security standards related to card processing. Any merchant that accepts credit or debit cards for payment is required to secure their data based on the standards developed by the council. The council website https://www.pcisecuritystandards.org/security_standards/index.php notes that noncompliance may lead to lawsuits, cancelled accounts, and monetary fines. The website provides information for small business compliance.
Resources for business account holders
- The Better Business Bureau's website on Data Security Made Simpler.
- The Small Business Administration's (SBA) website on Protecting and Securing Customer Information.
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data.
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses.
- The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3, and FS-ISAC available on the IC3 website.
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers.
This document was adapted from guidance by the Texas Bankers Electronic Crimes Task Force in September 2011 titled Best Practices for Banks Reducing the Risks of Corporate Account Takeover.