What is Corporate Account Takeover?
Corporate Account Takeover is a form of business identity theft in which cyber thieves gain control of a business's bank account by stealing employee passwords and other valid credentials. The thieves can then initiate fraudulent wire and ACH transactions to accounts they control.
Basic Security Practices for Business Online Banking Customers
The following security practices can be implemented by businesses to reduce the risk of theft:
- Provide continuous communication and education to employees using online banking systems. Providing enhanced security awareness training will help ensure that your employees understand the security risks related to their job functions.
- Update anti-virus and anti-malware programs frequently.
- Update, on a regular basis, all computer software to protect against new security vulnerabilities.
- Communicate to your employees that passwords should be strong and should not be stored on the computer used to access online banking.
- Institute dual control procedures.
- Use separate computers to originate and transmit wire/ACH instructions.
- Transmit wire transfer and ACH instructions via a dedicated and isolated computer.
- Practice ongoing account monitoring and reconciliation, especially near the end of the day.
- Adopt advanced security measures by working with consultants or dedicated IT staff.
- Utilize resources provided by trade organizations and agencies that specialize in helping small businesses (see below).
Additional Resources for Business Customers
You can visit the following websites to learn more about how to protect your small business:
- Better Business Bureau: Data Security Made Simpler
- U.S. Chamber of Commerce: Internet Security Essentials for Business
- Federal Communications Commission: Small Biz Cyber Planner
- Federal Communications Commission: 10 Cybersecurity Strategies for Small Business
Examples of Deceptive Ways Criminals Contact Account Holders
Below are a few examples of methods cybercriminals could utilize in an attempt to gain unauthorized access to your account information.
- The FDIC does not directly contact bank customers (especially regarding ACH and wire transactions, account suspension, or security alerts), nor does the FDIC ask bank customers to install software upgrades. Such messages should be treated as fraudulent. Don't click on any links within the message. In addition, the message should be permanently deleted.
- Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking the customer to install software or to provide account information or access credentials are probably fraudulent and should be verified before any files are opened, software is installed or information is provided.
- Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, customers should contact the organization at a phone number obtained from a different source (such as the number you have on file, the number on your most recent statement, or the number on the organization's website). Customers should not call phone numbers (even with local prefixes) that are listed in the suspicious email or text message.
- We will never call or send you emails asking you to provide, update, or verify personal or account information, such as passwords, social security numbers, PINs, debit or credit card numbers or other confidential information. If you receive any communication from someone posing as American Bank requesting such information, please contact us at 888.366.6622 to confirm authenticity.