Online financial fraud and business accounts:
According to Federal law enforcement agencies, (see sources below), cyber criminals are targeting the financial accounts of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transactions. Often, these funds may not be recovered.
In light of these risks, business owners should be aware that while federal law affords certain protections to consumer bank accounts against fraudulent losses, business accounts, including small business "DBA" accounts, are not afforded these same protections.
Corporate Account Take-Over Fraud
In a document titled "Fraud Advisory for Businesses: Corporate Account Take Over," (see sources below) Federal law enforcement agencies describe "Corporate Account Take-Over" as a widespread form of targeted online fraud impacting businesses, non-profits, schools and public sector entities, which utilize commercial web banking services. Perpetrators of this crime gain control of business customers' computers and attempt to transfer money out of bank accounts using wire transfers and ACH transactions.
From the fraud advisory:
"To obtain access to financial accounts, cyber criminals target employees– often senior executives or accounting and HR personnel and business partners and cause the targeted individual to spread malicious software (or "malware") which in turn steals their personal information and log-in credentials. Once the account is compromised, the cyber-criminal is able to electronically steal money from business accounts. Cyber criminals also use various attack methods to exploit check archiving and verification services that enable them to issue counterfeit checks, impersonate the customer over the phone to arrange funds transfers, mimic legitimate communication from the financial institution to verify transactions, create unauthorized wire transfers and ACH payments, or initiate other changes to the account. In addition to targeting account information, cyber criminals also seek to gain customer lists and/or proprietary information - often through the spread of malware - that can also cause indirect losses and reputational damage to a business."
The fraud advisory recommends these risk mitigation techniques, among others:
- Educate Employees:
- "Don't respond to or open attachments or click on links in unsolicited e-mails."
- "Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem […]"
- Enhance computer and network security:
- "Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity."
- "Install routers and firewalls to prevent unauthorized access to your computer or network."
- "Keep operating systems, browsers, and all other software and hardware up-to-date."
- Enhance the security financial business processes:
- "Initiate ACH and wire transfer payments under dual control using two separate computers. For example: one person authorizes the creation of the payment file and a second person authorizes the release of the file from a different computer system. This helps ensure that one person does not have the access authority to perform both functions, add additional authority, or create a new user ID."
- "If, when logging into your account, you encounter a message that the system is unavailable, contact your financial institution immediately."
Business Email Compromise
In a Public Service Announcement (PSA) document titled "Business E-Mail Compromise – E-Mail Account Compromise – The 5 Billion Dollar Scam," (see sources below) Federal law enforcement defines "Business E-mail Compromise" (BEC) as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The "E-mail Account Compromise" (EAC) component of BEC targets individuals that perform wire transfer payments.
The scams are carried out when criminals compromise legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
"The victims of the BEC/EAC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another.
It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive "phishing" e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.)."
The Public Service Announcement recommends these risk mitigation techniques, among others:
- Educate Employees: "Businesses with an increased awareness and understanding of the BEC/EAC scam are more likely to recognize when they have been targeted by BEC/EAC fraudsters, and are therefore more likely to avoid falling victim and sending fraudulent payments."
- "Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts."
- "Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code)."
- "Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.""Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner."
- "Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel."
- "Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request."
Sources & Resources
- The contents of this page, including the recommendations for mitigating fraud risks, are based Information and recommendations from:
- "Fraud Advisory for Businesses: Corporate Account Take Over," developed jointly by the FBI, US Secret Service and others. (www.ic3.gov)
- Public Service Announcement: Business E-Mail Compromise – E-Mail Account Compromise – The 12 Billion Dollar Scam," developed jointly by the Federal Bureau of Investigation and the Internet Crimes Complaint Center. (www.ic3.gov)
- Computer and online security for small business. (www.onguardonline.gov)