First State Bank of De Queen

Commercial Customer Education

Subjects
  • Corporate Account Takeover
  • Business Email Compromise

Corporate Account Takeover (CATO)

What is it?
Corporate Account Takeover (CATO) is a type of identity theft where thieves gain access to a commercial customer's online banking credentials (username and password). Once the thieves have the credentials, they can log into the customer's online banking account and initiate fraudulent wire and ACH transactions. These transactions redirect the customer's funds to accounts controlled by the thieves.
 
Businesses of all sizes are susceptible to this type of crime, ranging from commercial farm accounts to governmental entities. The size of the theft can range from a few hundred dollars to several million. Small to medium-sized businesses are viewed as easier targets as many do not have the infrastructure or monitoring in place to help detect this type of theft. While the pay-off per theft may not be as great, thieves will often target the easiest path to complete their crime.

How does it happen?
The most common method of gaining access to online banking credentials is the "phishing" email. A "phishing" email is a specially crafted email that appears to be from a legitimate source. It often contains either a link to a malicious website or an attachment for its recipient to click or open. Once the recipient has taken the bait, malware in the form of a "key-logger" can be installed on the unsuspecting victim's computer and used to steal the credentials. In some cases, the malicious site mimics the actual online banking website, tricking the victim into entering their credentials there.

Once the criminals have access to the victim's online banking account, they can initiate wire transfers or ACH transactions that will move the victim's funds to an account that the criminal controls. Once the criminal has received the funds, they will typically wire the funds to an international account making recovery difficult, if not impossible.

Other possible sources of theft include:
  • Clicking on infected documents, videos, or links on legitimate sites, especially social networking sites, from a computer used to log into online banking
  • Inserting an infected USB device in a computer used to access online banking
  • Phone calls impersonating bank employees requesting online banking credentials due to a system upgrade or potential fraud being monitored on the account

What protections does First State Bank of De Queen have in place?
First State Bank of De Queen provides the following protections to Cash Management ACH Originators [1]:
  • Complex Passwords: We require the use of strong, complex passwords for Cash Management users. We know that changing passwords can be a burden, but we highly recommend that users periodically change their passwords.
  • Multifactor Authentication (MFA): Users of Cash Management are required to use MFA. This is accomplished through a "hard" token or a "soft" token, which is an application installed on the user's phone or desktop. The token generates a random 6-digit code every 30 seconds that must be entered during login.
  • Dual Controls: Cash Management requires the use of dual controls. This control prevents a single user from both creating an ACH batch and then approving that batch.
  • Challenge/Security Questions: Every Cash Management user is required to establish security questions and answers when setting up their account. The user is prompted with these questions when abnormal transactions are created. Examples are batches submitted during closed hours, sharp increases in amounts, or a login attempt from a different state or county than is normally used to access Cash Management.
  • Exposure Limits: Exposure limits establish the maximum allowed daily dollar amount for ACH Origination files. Separate limits, up to that maximum, may be applied individually to each of a company's Cash Management users.
  • Time Restrictions: Time restrictions can be set per user to allow access to Cash Management only during specified times each day.
  • Bank Release of New Users: When a new user is created, the bank must enable the account before it can be used. This prevents a criminal who has taken over an administrator account from creating new users for immediate use.
  • Internal Monitoring of ACH Origination Activity: The bank has internal processes that detect abnormal ACH Origination activity. These processes allow us to respond to abnormal behavior quickly.
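As an added illustration (not the bank's own code), the following Python check applies the dual-control, exposure-limit, time-restriction and bank-release controls above to constructed ACH batches, and flags the abnormal batches (closed-hours submission, sharp amount increase) that would trigger challenge questions. All users, limits and amounts are hypothetical.

```python
from datetime import datetime, time

# Constructed sample configuration: hypothetical users and limits, not the bank's real settings.
USERS = {
    "alice":   {"released": True,  "limit": 50_000, "hours": (time(8, 0), time(17, 0))},
    "bob":     {"released": True,  "limit": 20_000, "hours": (time(8, 0), time(17, 0))},
    "mallory": {"released": False, "limit": 50_000, "hours": (time(0, 0), time(23, 59))},
}
COMPANY_DAILY_LIMIT = 60_000  # maximum ACH Origination dollars per day for the whole company

def make_batch(creator, amount, hour, minute=0):
    """Build a constructed ACH batch record submitted on a fixed sample date."""
    return {"creator": creator, "amount": amount, "submitted": datetime(2024, 3, 4, hour, minute)}

def check_batch(batch, approver, user_total_today, company_total_today):
    """Evaluate one ACH batch against the control set; return the list of failed controls.

    user_total_today / company_total_today: dollars already released today by the
    creator and by the company. An empty list means every control passed.
    """
    failures = []
    creator = USERS.get(batch["creator"])
    # Bank Release of New Users: an admin-created user is unusable until the bank enables it.
    if creator is None or not creator["released"]:
        return ["creator not released by bank"]
    # Time Restrictions: each user may only submit inside their configured daily window.
    start, end = creator["hours"]
    if not start <= batch["submitted"].time() <= end:
        failures.append("submitted outside creator's time window")
    # Dual Controls: the user who built the batch may not also approve it.
    if approver == batch["creator"]:
        failures.append("creator approved own batch")
    elif approver not in USERS or not USERS[approver]["released"]:
        failures.append("approver not released by bank")
    # Exposure Limits: the creator's own daily limit and the company-wide daily maximum.
    if user_total_today + batch["amount"] > creator["limit"]:
        failures.append("exceeds creator's daily limit")
    if company_total_today + batch["amount"] > COMPANY_DAILY_LIMIT:
        failures.append("exceeds company daily limit")
    return failures

def needs_challenge(batch, recent_amounts, jump_factor=3):
    """Challenge/Security Questions trigger: a batch sharply larger than the user's recent
    batches, or one submitted outside business hours, is abnormal and prompts the questions."""
    after_hours = not time(8, 0) <= batch["submitted"].time() <= time(17, 0)
    if not recent_amounts:
        return after_hours
    average = sum(recent_amounts) / len(recent_amounts)
    return after_hours or batch["amount"] > jump_factor * average
```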

It is important to note that while the protections we have in place provide a good deal of protection, they are not fool-proof, and the risk from this type of crime remains high.

How can you help protect yourself against CATO Fraud?
While First State Bank of De Queen employs the protections above, it is vitally important that customers also implement controls and practices to prevent falling victim to CATO. 

Controls
  • Use a dedicated workstation for Cash Management/Online Banking that is not used for email or other activity. Lock down use of USB/Thumb drives.
  • Use anti-virus on all workstations with real-time scanning and regularly scheduled scans. Keep definitions updated.
  • Keep your workstations up-to-date with operating system patches. Microsoft Windows provides settings to automatically download and install Windows patches as they are released.
  • Prevent workstation access after work hours.
  • Limit administrative access to the workstations.
  • Ensure firewalls are enabled on all workstations. Utilize a firewall on your internet connection that allows only certain traffic into/out of your network.
  • Download software only from trusted, secured sources.
  • Treat all email as malicious. Do not click on links or open attachments that you were not expecting, even if the sender is a trusted sender.
  • Lock computers when not in use.
  • Only visit trusted web sites.

Security Practices
  • Avoid password re-use. Create unique usernames and passwords for all of the sites you visit. You can use a password vault to keep track of your passwords; most will automatically generate long, complex passwords that you don't have to remember, since you can simply copy and paste them.
  • Avoid saving your username and password in your browser. Many browsers will offer to "store" your username and password; this should be avoided.
  • Never share your username and/or password.
  • Review daily ACH Origination activity.
  • Limit access to Cash Management to only those users that need it.
  • Develop an Incident Response Plan that defines what your response will be to a CATO event. Include how you will monitor for activity, who is responsible for implementing the activities of the plan, who you will contact, etc.
  • Sign up for text/email alerts for ACH Origination activity on your account.
  • Notify the bank immediately if you suspect fraud.
  • Perform periodic user reviews, to include whether or not access is still needed, daily limits, time restrictions, and account restrictions.
  • First State Bank of De Queen will never email or call requesting your account credentials. If you believe your credentials have been compromised, contact the bank immediately.
  • Educate your employees on the threat of a CATO attack.

Business Email Compromise (BEC)

What is it?
Business Email Compromise (BEC) is a type of fraud where a criminal will gain control over an email account, or "spoof" an email account, and send an email requesting the transfer of funds to a designated account controlled by the criminal. Most often, the means of transferring funds is via a wire transfer.

How does it work?
A criminal impersonates the email address of someone with authorization to request wire transfers, either by taking over the account or by making the email appear to be sent from it. This can be an internal person (CEO, CFO, business line manager, owner, etc.) or an external person (vendor, contractor, etc.). The email will arrive at a busy time of the day, say opening on a Monday or closing on a Friday, and will typically convey a sense of urgency. It will instruct the wiring of funds to a designated account. Because of the urgency and the believable email, the victim initiates the wire transfer to the requested account. Once the criminal has received the funds, they will wire the money to an international account, most likely preventing recovery of the funds.

How can I prevent it?
First State Bank of De Queen does not accept wire transfers through its Cash Management product. As ACH Origination can also provide a means of transferring funds, here are some steps that can be taken to mitigate the risk of BEC:
  • Simply don't accept Wire/ACH requests via email.
  • Develop internal processes and procedures to verify requests to transfer funds that do NOT involve the use of email.
  • Be cautious of requests where the Wiring/ACH instructions are foreign, or where the recipient is not among the businesses you normally wire money to.
  • Require written supervisory approval of Wires prior to initiating the Wire/ACH Origination request.
  • Impose a cut-off time for submitting Wire/ACH transfers.

[1] First State Bank of De Queen Cash Management does not provide the capability to generate wire transfers.