What would you do if you suddenly noticed that huge sums of money were being drained from your corporate account into overseas accounts?
What is corporate account takeover?
Corporate account takeover is a type of fraud in which thieves gain access to a company’s finances to make unauthorized transactions, including transferring company funds, creating and adding fake employees to the payroll, and stealing sensitive customer information that may not be recoverable. Thousands of businesses have fallen victim to this type of fraud, with losses ranging from a few thousand to several million dollars.
Consumer bank accounts have a level of protection that business bank accounts do not. Under Regulation E, there are limits on consumer liability for unauthorized electronic funds transfers from their bank accounts. Corporate bank accounts do not have this type of protection, so when business accounts are compromised, the business often loses some or all of its money.
Customer vs bank
A good example of this is the legal case between Patco Construction Company and its financial institution, Ocean Bank. Patco’s computers were infected with malware that allowed fraudsters to make six wire transfers through the Automated Clearing House (ACH) system totaling more than $588,000. Only $243,000 of the stolen money was recovered. What followed was a three-year court battle between the company and its financial institution to decide who was to blame. In the end, both lost. Businesses and banks don’t just lose millions to fraud; they lose millions more in legal fees, lost productivity and negative public relations. The only winners in these cases are the cybercriminals.
What regulators and banks are doing to prevent corporate account takeover
To protect consumers and businesses from financial fraud, the Federal Financial Institutions Examination Council (FFIEC) has issued, and continues to update, security guidance for financial institutions. This guidance calls for a layered security approach, periodic risk assessments, and customer security education and awareness. You can find out more about this from your financial institution.
Who is responsible?
The question remains: “Given growing and increasingly sophisticated cyber threats, who is ultimately responsible for the security of your bank account?” The financial institution must protect its online banking technology and secure online transactions, but what responsibility does the customer have to protect their own computer systems against attack? Today, security is a shared responsibility between the financial institution and the customer.
As in the Patco Construction case, corporate account takeover attacks today are typically carried out silently by introducing malware through a simple phishing email, a deceptive social engineering ploy, or an infected website. In a company with weak defenses against such methods, the malware may go undetected for weeks or even months.
How can I protect myself and my business?
The best way to protect against corporate account takeovers is a strong partnership with your financial institution. Work with your bank to understand the necessary business security measures and to establish account safeguards that can help the bank identify and prevent unauthorized access to your funds.
Shared responsibility between the bank and the company is the most effective way to prevent corporate account takeover.
Consider these tips to ensure your business is well prepared:
- Develop a security plan. Every business should assess its risk of account takeover and develop a security plan that includes sound business practices.
- Protect your online environment. Protect your cyber environment as you would your money. Use appropriate tools to detect and prevent unauthorized access to your network, and keep them up to date. Encrypt sensitive data, use complex passwords, and change them regularly.
- Create a safe financial environment. Dedicate one computer exclusively to online banking. This computer must not be connected to the business network, have e-mail capabilities or connect to the Internet for any purpose other than online banking.
- Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that protect you against unauthorized transactions. Positive Pay and similar services offer alerts, device authentication, multi-person approval processes, and batch limits to protect against fraud.
- Watch for suspicious activity and react quickly. Monitor for unexplained account or network activity, pop-ups and suspicious emails. If you detect any, immediately contact your financial institution, cease all online activity, and disconnect any system that may have been compromised. Keep a record of what happened.
- Understand your responsibilities and accountabilities. The account agreement with your bank will detail the reasonable commercial security measures required in your business. You must understand and implement the security safeguards in the agreement. Otherwise, you may be liable for losses resulting from a takeover. Talk to your banker if you have questions about your responsibilities.
- Educate all employees about cyber crimes to understand that a single infected computer can lead to a takeover. An employee whose computer is infected can infect the entire network. For example, if an employee brings a laptop home and accidentally downloads malware, criminals could gain access to the entire corporate network when the employee returns to work. All employees, even those who have no financial responsibility, should be aware of these threats.
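The bank-side controls named above (multi-person approval, batch limits, alerts on activity that falls outside normal patterns) can also be enforced on the business side before a payment file is ever sent to the bank. The following is an added example, not code from the original article or from any bank's product; the policy thresholds, the payee allow-list and the transfer records are constructed for illustration and the function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical release policy. Amounts are in integer cents to avoid float rounding.
POLICY = {
    "dual_approval_threshold": 10_000_00,  # $10,000.00 and above needs a second approver
    "per_transfer_limit": 50_000_00,       # $50,000.00 hard cap on a single transfer
    "daily_batch_limit": 100_000_00,       # $100,000.00 released per calendar day
}

# Constructed allow-list of payees the business has previously vetted.
KNOWN_PAYEES = {"acme-supplies", "payroll-provider", "landlord-llc"}


@dataclass
class Transfer:
    tid: str
    submitted_by: str
    approvers: tuple      # user ids that approved the release
    payee: str
    amount_cents: int
    when: datetime


def check_transfer(t, policy, known_payees, released_today_cents):
    """Return the list of policy violations for one transfer (empty list = release)."""
    reasons = []
    if t.amount_cents > policy["per_transfer_limit"]:
        reasons.append("exceeds per-transfer limit")
    if t.amount_cents >= policy["dual_approval_threshold"]:
        # The submitter cannot be their own second approver.
        if not any(a != t.submitted_by for a in t.approvers):
            reasons.append("requires approval by a second person")
    if t.payee not in known_payees:
        reasons.append("payee not on allow-list")
    if released_today_cents + t.amount_cents > policy["daily_batch_limit"]:
        reasons.append("would exceed daily batch limit")
    return reasons


def run_batch(transfers, policy=POLICY, known_payees=KNOWN_PAYEES):
    """Evaluate transfers in time order.

    Returns (held, released): held maps transfer id -> reasons, released is the
    ordered list of ids cleared for sending. Held transfers do not count toward
    the daily total, so a single oversized request cannot block legitimate ones.
    """
    released_by_day = defaultdict(int)
    held, released = {}, []
    for t in sorted(transfers, key=lambda x: x.when):
        day = t.when.date()
        reasons = check_transfer(t, policy, known_payees, released_by_day[day])
        if reasons:
            held[t.tid] = reasons
        else:
            released_by_day[day] += t.amount_cents
            released.append(t.tid)
    return held, released


# Constructed sample batch: one morning's outgoing payments from a small business.
SAMPLE = [
    Transfer("T1", "alice", ("alice", "bob"), "acme-supplies", 8_500_00, datetime(2024, 3, 4, 9, 5)),
    Transfer("T2", "alice", ("alice",), "payroll-provider", 42_000_00, datetime(2024, 3, 4, 9, 7)),
    Transfer("T3", "alice", ("alice", "bob"), "unfamiliar-vendor", 9_900_00, datetime(2024, 3, 4, 9, 8)),
    Transfer("T4", "alice", ("alice", "bob"), "landlord-llc", 60_000_00, datetime(2024, 3, 4, 9, 9)),
    Transfer("T5", "alice", ("alice", "bob"), "acme-supplies", 45_000_00, datetime(2024, 3, 4, 9, 10)),
    Transfer("T6", "alice", ("alice", "bob"), "acme-supplies", 48_000_00, datetime(2024, 3, 4, 9, 12)),
]

if __name__ == "__main__":
    held, released = run_batch(SAMPLE)
    print("released:", released)
    for tid, reasons in held.items():
        print(f"held {tid}: {', '.join(reasons)}")
```

Each held transfer carries every rule it tripped, so the person reviewing the batch sees the full picture rather than the first failure. Note that T3 is small enough to pass every amount-based rule and is stopped only by the payee allow-list; the unfamiliar destination, not the size, is the signal, which is why the article's advice to watch for activity you cannot explain matters as much as the limits themselves.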
Stay informed about defenses against corporate account takeover. Because cyber threats change rapidly, it is imperative that you keep up with evolving threats and adjust your security measures accordingly.
You and your employees are the first line of defense against corporate account takeover. A strong security program, with employee training on warning signs, safe practices and how to respond to suspicious activity, is essential to protect your business and your customers.