Corporate account takeover is an umbrella term used to describe a variety of attacks against corporate bank accounts and cash flows. Although these attacks take many forms, all of them involve theft of the business’s identity in order to make fraudulent transactions. Successful corporate account takeover attacks divert company funds into bank accounts controlled by criminals.
The most common types of corporate account takeover fraud are:
- Phishing and spear-phishing attacks (malware) that place software on corporate systems to steal account login information
- Business email compromise (BEC) attacks that take control of corporate email accounts and use them to instruct employees to divert funds to accounts controlled by the hacker
- Social engineering attacks that psychologically manipulate employees into performing actions that bypass corporate security procedures and systems
- Man-in-the-middle attacks that intercept communications between systems allowing hackers to learn secure account information
- Key logger attacks that send users to websites that look legitimate but in reality record a user’s keystrokes when they enter their login credentials
Companies looking to learn more about what account takeover is and how to prevent it generally can read our comprehensive post on the subject.
In this article, we discuss the following topics:
- Corporate Account Takeover Risk Assessment
- Corporate Account Takeover Training
- Corporate Account Takeover Incident Response Plan
Corporate Account Takeover Risk Assessment
How to perform a corporate account takeover risk assessment properly is dependent on your organization. Companies should conduct regular assessments of their ability to stop corporate account takeover attacks. In general, conducting once assessment a year is considered the bare minimum. Some of the essential factors to evaluate when conducting a risk assessment are:
- Review of the known and emerging account takeover strategies and tactics used by hackers
- Assess anomaly detection alerts for “automated pass-through” payments
- Evaluate any new products and/or services offered. New functionality should be double checked to ensure no vulnerabilities exist
- Conduct an accounting of all known attacks, attempted or successful, in the industry and against the company specifically. The goal is to identify weaknesses, transport successful defensive tactics and strategies, and evaluate readiness for future attacks
- Analyze processes for high-risk actives such as ACH and wire transfers
- Check for layered security and enhanced controls on all user accounts. Ensure proper access levels for administrative accounts
- Update awareness and education programs for risk management for both customer-facing and internal account holders
- Look at IT procedures and ensure that employees across the company are aware of the technical aspects of how to prevent account takeover
- Reevaluate insurance procedures against theft, and ensure the internal understanding of any policy matches up with the insurance carrier’s
Corporate Account Takeover Training
Businesses should provide corporate account takeover training to teach employees and management how to safely use email and internet, manage corporate user accounts, protect computer backend systems, and create secure decision making processes.
Safely use email and internet
Hackers consider employees a soft target as an entry point for account takeovers and businesses must educate their staff to understand those risks and incentivise them to do everything possible to mitigate them.
First, businesses must establish known processes for funds transfers, and coach employees to be wary of any requests they get to transfer funds, provide account credentials, or pay invoices via phone or email. Hackers will send convincing messages to employees known to have access to sensitive accounts claiming an urgent need for action. In all cases, these communications will seem to come from a legitimate actor in the corporate hierarchy. The hackers rely on the emotional response employees have to an urgent or angry request from management to put them into a mindset where they do not act rationally and do not verify that the request is legitimate.
Second, businesses should not allow employees to access social media accounts from work computers. Brand takeovers—where hackers setup a fake social media account designed to trick people into believing they are interacting with a company they trust—are a common account takeover tactic. Often, these fraudulent accounts will offer fake promotional links that infect computers when clicked.
Third, businesses must continually reinforce the known best practice of never clicking on a file or link unless they are absolutely certain of who the sender is. Today’s phishing attacks are extremely sophisticated, and often require vigilance to be detected. Although there are many corporate phishing attack solutions available, the best line of defense is still employee awareness and good judgment.
Manage corporate user accounts
A company’s corporate user accounts should not grant employees more permissions than they need to accomplish their jobs. This will minimize the damage if there is a successful attack. Similarly, account permissions should not allow the legitimate account holder to download any software to their machine. Employees should never have administrative access to their own computers.
In the case of an employee leaving the company, their user account should be made inactive as soon as they move on. In the case of an employee being let go, their account should be disabled even before they become aware of the move, if possible.
Protect computer back-end systems
Corporate computer systems must be secure. This means installing and updating anti-virus programs that protect against all known malware attacks. Similarly, companies must continue to patch their systems against known vulnerabilities, as well as stay up to date on new attack vectors that might not be included in previous updates.
Corporate leadership must also foster a security culture that includes IT stakeholders. IT should dedicate resources and staff to continually monitoring and updating systems. That also means having controls in place that will automatically notify relevant stakeholders of the red flags of a corporate account takeover attack which include administrative changes, unusual user account activity, and large or otherwise unique cash transfers.
Corporate Account Takeover Incident Response Plan
A corporate account takeover incident response plan must address mitigating the damage of an attack as much as possible, document the incident details, and create an understanding of the attack that can be used to improve defences in the future.
Designate a single source of truth to lead the organisational response. Often, this is a committee of people with a single person as the go-between for executives, management, and employees.
The most critical factor in the incident response plan is that it allow the committee to convince and take quick action whenever possible. Lines of communication must be open, with designated employees given specific responsibilities and actionable tasks such as resetting login credentials, notifying receiving banks of the funds transfer (if possible), performing computer forensics, and updating hardware and software to fix any vulnerabilities.
For enterprise company account takeovers, it’s also a good idea to have a dedicated spokesperson in the event of a high-profile or high-value attack. Even if just a single supplier is impacted, compromised data shakes confidence at all levels, so it is important to be as open and clear as possible with both customers and corporate partners.
Document incident details
Generate and gather records of every relevant aspect of the attack. Internally, document what the vulnerability was that allowed for a successful attack, record the damage it caused, and document the steps taken to prosecute it to completion. Externally, take documentation about the transfer to corporate partners and try to have as many transactions halted or reversed as necessary and feasible.
Companies should also contact law enforcement agencies and inform them of the attack.
Improve defenses for the future
After dealing with the attack, companies should use the documentation generated while identifying the attack to comprehensively review what went wrong. After that, the most important thing is to limit the amount of exposure to risky activity that is undertaken until a comprehensive understanding can be arrived at and translated into concrete changes that eliminate vulnerabilities.
Once a new plan is agreed to, document the changes in a way that can be used both as institutional memory as well as for benchmarking future results. Once a vulnerability patch is documented, it should become part of a cannon of internal corporate literature that is constantly reviewed when making adjustment as part of regular security system evaluations.
Further reading about corporate account takeover fraud: