The document summarizes guidance from federal law enforcement on corporate account takeover fraud. It describes how criminals target businesses by installing malware on computers to access online banking credentials. It provides tips for businesses to protect, detect, and respond to potential fraud by educating employees, enhancing computer security, monitoring accounts, and reporting any suspicious activity to banks immediately. The guidance advocates for a layered approach using multiple security controls.
2. Information Source
Fraud Advisory for Businesses: Corporate Account Take Over
www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf
Source: FBI “Fraud Advisory for Businesses: Corporate Account Take Over” dated 10/20/10
3. Disclaimer
Arvest Bank does not provide computer or
related advisory services, including security
recommendations.
4. Federal Fraud Advisory Contents
• The Problem: fraud description, victim
selection, perpetration methods
• Protect: education; computer, network &
process enhancements; responsibilities and
liabilities
• Detect: account monitoring, warning signs,
anti-virus software
• Respond: compromised computer handling
and reporting suspicious activity
5. Dissecting an Attack
1. Target Victims: Criminals target victims by way of phishing, spear phishing or social engineering techniques.
2. Install Malware: The victims unknowingly install malware on their computers, often including key logging and screen shot capabilities.
3. Online Banking: The victims visit their online banking website and log on per the standard process.
4. Collect & Transmit Data: The malware collects and transmits data back to the criminals through a back door connection.
5. Initiate Funds Transfer(s): The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account.
6. Protect: Educate
• Cyber criminals try to trick victims into
divulging account information
• Don’t respond to, open attachments or click
on links in unsolicited email
• Be wary of anti-virus pop-up messages
• When logging in, if you encounter a message
that the system is temporarily unavailable,
contact your bank immediately
7. Protect: Computer & Network
Enhancements
• Dedicate computers to online banking and
accounting functions which cannot be used
for email or general Web browsing
• Remove administrative privileges from
computers used for online banking to reduce
the risk of unauthorized software installations
• Utilize network routers and firewalls to reduce
the risk of unauthorized access to your
computers and network
8. Protect: Computer & Network
Enhancements
• Change default passwords on all network devices
• Install security updates to operating systems and
critical software such as Microsoft Windows,
Microsoft Office, Web browsers and Adobe
products
• Install, use and maintain email SPAM filters
• Install, use and automatically update “always on”
real-time anti-virus, anti-spyware and desktop
firewall systems
9. Protect: Enhance Corporate Processes
• Implement dual controls for creating and
approving ACH batches and wire transfers using
multiple users and computers. Please note:
some systems have a “Security Administrator”
function which should not be used for routine
daily business
• Review and reduce ACH and wire transfer
transaction limits to the lowest acceptable dollar
amounts for routine transactions and temporarily
raise them for exceptional transactions
10. Protect: Responsibilities & Liabilities
• Become familiar with your bank’s account
agreement
• Be aware of your liability for fraud under the
agreement and the Uniform Commercial Code
(UCC) in your jurisdiction
11. Detect: Monitoring and Awareness
• Monitor or reconcile accounts at least once a day
• Be on the alert for computer performance
changes such as:
– Dramatic loss of speed
– Changes in the way things appear
– Lock-ups, shut downs or restarting
– Unexpected password or token code requests
– Unusual or unexpected pop-up messages, toolbars or
icons
• Pay attention to anti-virus warnings and contact
your IT professional immediately
12. Detect: Monitoring and Awareness
• Be on the alert for rogue email:
– Please note: Be wary of unsolicited email from any
source containing warnings, alerts, reports or
requests for information, and containing links or
attachments. Please forward suspicious email to
REPORTFRAUD@ARVEST.COM
– If someone says they received an email from you
that you did not send, you probably have malware
on your computer
13. Respond
• If you suspect suspicious activity, immediately:
– Cease all online activity
– Remove any computer that may be compromised
from the network, but leave it turned on
– Make sure employees know how and to whom to
report suspicious activity
– Maintain a written chronology of what happened
14. Respond: Contact your bank
• Contact your bank so that the following actions
may be taken:
– Disable online access and change passwords
– Review transactions and account access
– Take other measures as needed to protect your
accounts
15. Summary, Questions & Comments
• A continuous “cat and mouse” game is being “played” with
cyber criminals from around the world
• No single preventative control or procedure can ever be
100% effective. What works today may not work
tomorrow
• As presented in the federal guidance, a “layered approach,”
using more than one protective control to reduce the risk
of a threat, is more effective than a single preventative
control
• Please review this federal guidance with your board of
directors, management & IT staff or advisors to determine
what controls may be appropriate for your environment
• THANK YOU! Questions or Comments?
Editor's Notes
Presenter’s Notes: Note taking is optional as the FBI source document contains the information presented.
Presenter’s Notes: This presentation summarizes information from an FBI/Secret Service advisory regarding a type of fraud being attempted with increasing frequency. Targets tend to be small to medium-sized businesses along with municipalities and other public institutions. High-tech criminals are targeting the financial accounts of owners and employees of small and medium-sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered.
Presenter’s Notes:
Targeting Victims: According to the FBI, the perpetrators of these attacks research their victims and may send spoofed email to specific persons in a small or medium business. Their primary targets are individuals with treasury management or accounting responsibilities. The FBI indicates that the perpetrators use various public sources and even a company’s Web site to research their targets, and may have people in our communities working at social establishments where business owners or employees may gather.
Install Malware: The fraudulent email may appear to come from NACHA, the IRS, the Federal Reserve or your bank and will attempt to trick you into clicking on a link or opening an attachment. Clicking on the link or opening the attachment infects the computer and installs banking Trojan software which contains Web browser hijacking, keystroke logging and remote control capabilities.
Online Banking: The malicious software monitors the victim’s activities and waits for them to visit and log onto an online banking site.
Collect & Transmit Data: Through the malicious software which has hijacked the victim’s Web browser, the perpetrator is able to take control of the Web banking session as the victim logs in. From the bank’s perspective, the perpetrator’s actions may be indistinguishable from the victim’s normal actions.
Initiate Funds Transfer(s): Once the perpetrator has taken control of the customer’s Web browser and the customer has logged in, the perpetrator is able to collect information and initiate transactions.
Presenter’s Notes: Cyber criminals employ various technological and non-technological methods to manipulate or trick victims into divulging personal or account information. Such techniques may include getting the victim to perform an action such as opening an email attachment, accepting a fake friend request on a social networking site, or visiting a legitimate, yet compromised, website that installs malware on their computer(s). Don’t respond to or open attachments or click on links in unsolicited e-mails. Contact the financial institution using the information provided upon account opening to determine if any action is needed. Please note: Phishing scams are still quite common, and come in a variety of forms. They may come in the form of customer service surveys, telephone calls or even cell phone text messages. Please be aware that while some phishing scams direct you to fake web sites, others may ask you to call a phone number where an automated phone system prompts you to divulge confidential information. While it can be difficult to identify spoofed email messages, web sites, and automated phone systems, it is not difficult to know if any of the above may be fraudulent. The key is knowing that legitimate entities do not send unsolicited messages to consumers or businesses prompting them to divulge confidential information. If you receive such a message, no matter how genuine it may appear, assume it to be fraudulent and please notify the legitimate entity immediately. Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem, as it could actually be malicious software that allows the fraudster to remotely access and control your computer. Please note: Your IT staff can teach you what to expect if a real virus is detected on your computer. When logging in, if you encounter a message that the system is temporarily unavailable, contact your bank immediately.
Presenter’s Notes: Minimize the number of, and restrict the functions for, computer workstations and laptops that are used for online banking and payments. A workstation used for online banking should not be used for general web browsing, e-mailing, and social networking. Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity. Do not leave computers with administrative privileges and/or computers with monetary functions unattended. Log/turn off and lock up computers when not in use.
Presenter’s Notes: Install routers and firewalls to prevent unauthorized access to your computers or network. Please note: you may wish to logically segregate treasury management workstations on your network as an additional safeguard. Change the default passwords on all network devices. Keep operating systems, browsers, and all other software and hardware up to date. Install security updates to operating systems and all applications as they become available; updates may be released weekly, monthly, or even daily in the case of zero-day attacks. Use/install and maintain spam filters. Install and maintain real-time anti-virus, anti-spyware, desktop firewall, and malware detection and removal software. Please note: Anti-virus solutions may not be effective in detecting banking Trojan malware. Make regular backup copies of system files and work files. Encrypt sensitive folders with the operating system’s native encryption capabilities; preferably, use a whole-disk encryption solution. Do not use public Internet access points (e.g., Internet cafes, public Wi-Fi hotspots such as those at airports) to access accounts or personal information. If using such an access point, employ a Virtual Private Network (VPN). Keep abreast of the continuous cyber threats that occur. See the Additional Resources section for recommendations on sites to bookmark. The “Resources” section of the FBI fraud advisory contains links to helpful and detailed tips on how to enhance your information technology (IT) security.
Presenter’s Notes: Initiate ACH and wire transfer payments under dual control using two separate computers. For example: one person authorizes the creation of the payment file and a second person authorizes the release of the file from a different computer system. This helps ensure that one person does not have the access authority to perform both functions, cannot add additional authority, and cannot create a new user ID. Please note: In a small office environment, one person could use two separate sets of credentials, one for initiating transactions and one for approving them. While this may help deter external threats, it is not a true “segregation of duties,” which helps to deter internal fraud. Please note: Do not use Security Administrator credentials for routine daily business, but only when needed. Keep the Security Administrator hardware token securely locked up and, if possible, under dual physical control. Please note: ACH and wire limits should be reviewed and reduced. Limits should be conservatively based on the lowest acceptable limits for routine transactions and only raised temporarily when needed. If ACH or wire transfer capability is used infrequently, consider setting the limits to zero and/or removing these privileges from users entirely.
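The dual-control and transaction-limit rules from slide 9 and the note above, modelled as a small release check. This is an added illustration, not code from the FBI advisory or from Arvest Bank; the user ids, workstation ids and dollar limits are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Payment:
    kind: str                 # "ACH" or "WIRE"
    amount: float
    created_by: str           # user id that built the batch or wire
    created_on: str           # workstation id it was built on
    released_by: Optional[str] = None
    released_on: Optional[str] = None


@dataclass
class PaymentPolicy:
    limits: dict              # kind -> standing limit in USD (constructed values)
    admins: set               # Security Administrator user ids
    temp_raises: dict = field(default_factory=dict)  # kind -> (limit, expiry)

    def raise_limit(self, kind: str, new_limit: float, now: datetime, hours: int = 24):
        # Temporary exception for one unusual payment; it expires on its own,
        # so the standing limit is back in force without anyone remembering.
        self.temp_raises[kind] = (new_limit, now + timedelta(hours=hours))

    def effective_limit(self, kind: str, now: datetime) -> float:
        raised = self.temp_raises.get(kind)
        if raised and now < raised[1]:
            return raised[0]
        return self.limits[kind]

    def release(self, p: Payment, user: str, workstation: str, now: datetime) -> Optional[str]:
        """Approve a payment for release; return None, or the reason it was refused."""
        if p.released_by is not None:
            return "already released"
        if user in self.admins or p.created_by in self.admins:
            return "Security Administrator credentials not allowed for routine payments"
        if user == p.created_by:
            return "creator cannot approve own payment"          # dual control
        if workstation == p.created_on:
            return "release must come from a different computer"  # two machines
        if p.amount > self.effective_limit(p.kind, now):
            return f"amount exceeds {p.kind} limit"
        p.released_by, p.released_on = user, workstation
        return None
```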
Presenter’s Notes: Please note: Federal Reserve Board Regulation E (12 CFR 205) only protects retail customers against loss and does not protect business customers. Liability for a fraudulent loss would be determined on a case-by-case basis after reviewing the unique circumstances of an incident.
Presenter’s Notes: Account activity should be reviewed daily (or more often when warranted) for unauthorized transactions or transfers. Please note: Also watch for unauthorized transfers between your own accounts. Please note: Be alert to apparent changes to, or warning messages from, banking Web sites. Please note: Malicious software can be installed via fake “anti-virus” warnings. Ask your IT advisor what legitimate warnings look like and how to respond.
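A daily reconciliation of the kind slide 11 and the note above call for, as an added example that is not code from the advisory or from the bank: the bank’s posted activity is matched against the business’s own ledger and anything the ledger does not explain is flagged, with transfers between the business’s own accounts called out separately. The account numbers, counterparties and amounts are constructed sample data.

```python
import csv
from io import StringIO

# Constructed sample data: one day of posted activity as the bank reports it,
# and the business's own ledger of the payments it actually authorized.
BANK_ACTIVITY = """\
ref,account,type,counterparty,amount
b1,OPER-001,ACH,Payroll Inc,-4200.00
b2,OPER-001,WIRE,Unknown Ltd,-9850.00
b3,OPER-001,XFER,SAVE-002,-15000.00
b4,OPER-001,ACH,Customer A,2500.00
"""

LEDGER = """\
ref,account,type,counterparty,amount
l1,OPER-001,ACH,Payroll Inc,-4200.00
l2,OPER-001,ACH,Customer A,2500.00
"""

OWN_ACCOUNTS = {"OPER-001", "SAVE-002"}   # the business's own account numbers


def _rows(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def reconcile(bank_text: str, ledger_text: str, own_accounts: set) -> list:
    """Return (bank ref, reason) for every bank transaction the ledger does not explain.

    Matching is on (account, type, counterparty, amount). Each ledger row may
    explain only one bank row, so a duplicated debit is still flagged. A move
    to one of the business's own accounts is reported under its own reason,
    since the advisory warns about unauthorized transfers between own accounts.
    """
    remaining = [(r["account"], r["type"], r["counterparty"], r["amount"])
                 for r in _rows(ledger_text)]
    unexplained = []
    for r in _rows(bank_text):
        key = (r["account"], r["type"], r["counterparty"], r["amount"])
        if key in remaining:
            remaining.remove(key)       # consumed: cannot explain a second bank row
            continue
        if r["counterparty"] in own_accounts:
            unexplained.append((r["ref"], "unauthorized transfer between own accounts"))
        else:
            unexplained.append((r["ref"], "no matching ledger entry"))
    return unexplained
```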
Presenter’s Notes: Please note: Be wary of unsolicited email from any source containing warnings, alerts, reports or requests for information, and containing links or attachments. Please forward suspicious email to REPORTFRAUD@ARVEST.COM. Check your “outbox” for email that you did not send.
Presenter’s Notes: If you suspect suspicious activity, immediately: Cease all online activity. Disconnect the network (Ethernet) cable or other network connections, including wireless connections, to isolate the system and prevent any unauthorized access. Please note: Leave the computer turned on, as this allows Federal law enforcement to inspect the computer at their option. Make sure employees know how and to whom to report suspicious activity both within your company and to your financial institution. Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident.
Presenter’s Notes: If you suspect suspicious activity, immediately (continued):
5. Contact the bank so the following actions may be taken:
– Disable online access to accounts and change passwords
– Review your transactions, account access and authorizations
– Take other measures as needed to protect your accounts, such as opening new accounts
Note: the bank may contact federal law enforcement and, depending on the circumstances, they may wish to examine your computer.
Presenter’s Notes: Your time is valuable! THANK YOU!