Corporate Account Takeover, presented by Jim Vogt, CFE, CTP

Transcript of Corporate Account Takeover, presented by Jim Vogt, CFE, CTP.

Page 1:

Corporate Account Takeover

Presented by:Jim Vogt, CFE, CTP

Page 2:

The Definition of Fraud: Seven Specific Parts of Fraud

1. A representation…
2. about a material point…
3. which is false…
4. and intentionally or recklessly so…
5. which is believed…
6. and acted upon by the victim…
7. to the victim’s damage.

Page 3:

OR…

Theft by deception

Page 4:

MULTIPLE THREATS

• Fraud threats exist both inside and outside your organization

• It’s not a question of “if” but WHEN your organization will be threatened or impacted by one of these many threats

Page 5:

EXTERNAL THREATS

• Primary external threat is payments fraud
  – Check fraud
  – ACH/wire fraud, etc.

• Seventy-one percent of organizations experienced attempted or actual payments fraud in 2010.

• 93% of these companies were victims of check fraud.
  – ACH debits – 25 percent

• Other external threats
  – Corporate Account Takeover
  – Corporate Identity Theft

Source: 2011 AFP Payments Fraud and Control Survey

Page 6:

In the News…

• N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss
• European Cyber-Gangs Target Small U.S. Firms, Group Says
• e-Banking Bandits Stole $465,000 From Calif. Escrow Firm
• La. firm sues [bank] after losing thousands in online bank fraud
• Cyber attackers empty business accounts in minutes
• Zeus hackers could steal corporate secrets too
• TEXAS FIRM BLAMES BANK FOR $50,000 CYBER HEIST
• Computer Crooks Steal $100,000 from Ill. Town
• FBI Investigating Theft of $500,000 from NY School District
• Zeus Botnet Thriving Despite Arrests in the US, UK

-News headlines from The New York Times, The Washington Post, Computer World, and Krebs on Security

Page 7:

Examples…

…company fell prey to fraud after hackers were able to break into the company's network, steal bank credentials and send 26 consecutive wire transfers out of the country, totaling $465,000. …construction company, had its corporate bank account raided over a six-day period by cyber thieves who were able to move over $588,000 to dozens of money mules throughout the country.

Page 8:

Other Examples of Losses

• $700,000 – school district
• $1.2 million – Texas company
• $100,000 – electronics testing firm

Page 9:

What is Corporate Account Takeover?

• Cyber criminals target the financial accounts of owners and employees of small and medium sized businesses

• Creates significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts

• Often these funds are not recovered

Page 10:

Corporate Account Takeover

• First identified in 2006

• Millions of dollars are lost every year

• Has morphed in terms of the types of companies targeted and the technologies and techniques employed by cyber criminals

• Initially targeted large corporations; they now target municipalities, smaller businesses, and non-profit organizations.

Page 11:

What is Corporate Account Takeover?

Purpose: Gain access to financial accounts

• How: cyber criminals target employees – often senior executives or accounting and HR personnel – and business partners, and cause the targeted individual to spread malicious software (or "malware")

• Malware steals their personal information and log-in credentials.

• Once the account is compromised, the cyber criminal is able to electronically steal money from business accounts.

Page 12:

Page 13:

How is it Done?

1. Target victims by way of phishing, spear phishing or social engineering techniques.
2. Victims unknowingly install malware on their computers, often including key logging and screen shot capabilities.
3. The victims visit their online banking website and log on per the standard process.
4. The malware collects and transmits data back to the criminals through a back door connection.
5. The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account.

Source: Joint Fraud Advisory for Businesses – U.S. Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS‐ISAC).

Page 14:

“Phishing” for Victims

• Mass emails
• Pop-up messages
• Social networking or internet career sites
• Use these various methods to:
  – Ask for personal or account information
  – Entice an employee to click on a malicious link or attachment
• Even “vishing” – soliciting victims over the phone or VoIP

Page 15:

Other Tricks

• Cyber criminals use various methods, both technological and non-technological, to install malware
  – Email attachments
  – Fake friend requests on a social networking site
  – Legitimate, but compromised, websites

Page 16:

More Tricks

To get employees to open email messages and/or attachments or click on links, cyber criminals will:

• Disguise the email to look as though it’s from a legitimate business.
  – Usually a scare tactic is used to entice the employee to open the email and/or provide account information. Examples include:
    • UPS (e.g., “There has been a problem with your shipment.”)
    • Financial institutions (e.g., “There is a problem with your banking account.”)
    • Better Business Bureaus (e.g., “A complaint has been filed against you.”)
    • Court systems (e.g., “You have been served a subpoena.”)

• Make the email appear to provide information regarding current events:
  – Natural disasters
  – Major sporting events
  – Celebrity news

• Use email addresses or other credentials stolen from company websites or victims, such as relatives, co-workers, friends, or executives, to design an email to look like it is from a trusted source

Page 17:

The Mission…

Get the malware installed.

• This allows the fraudster to “see” and track employees' activities across the business’ internal network and on the Internet

• The main target: visits to the financial institution and use of the online banking credentials used to access accounts (account information, log-in, and passwords).

Page 18:

Moving the Money

• To make the transaction appear legitimate, wire transfers or ACH credits are sent to the accounts of one or multiple money mules throughout the U.S.

• Mules then withdraw the money and send it to criminal associates, usually overseas in countries like Ukraine, Russia and Moldova.

Page 19:

Money Mules

Consumers lured into fake work-at-home scams, in which their employment involves receiving money and then forwarding the funds, usually to Eastern Europe. All you have to do is respond to the ad on Monster.com or other legitimate sites and:

• Send a résumé with some personal information
• They, in turn, ask you to set up a checking account that soon starts filling with cash.
• You take the money to Western Union and wire it to your new employer, keeping between 5% and 10% for yourself.
• Easy money, right?
• Except that it's illegal money laundering, called "money muling" by the security industry.

Page 20:

Mule Recruitment – email

Location: USA
Status: Opened
Employee Type: Part-Time Employee
Company: Broad Capital Company, Inc.

• Duties of the Service Representatives include holding and supporting a local business used for payments processing between the company and the clients, managing cash flows, creating reports, providing support to the clients. Every office of the company starts from the local Service Representative cooperation, so the position is very prospective.

Requirements:
• Advanced user ability to operate computer and to use Internet and e-mail.
• An existing bank account opened on personal or business name
• Basic skills in managing payments and money transfers.
• Ability to schedule working hours effectively.
• Availability of spare time (3-4 hours per day).
• Legal age.

Page 21:

Mule Recruitment (cont’d)

Payment: basic salary $2500 monthly plus payments turnover bonus.

Benefits:
• Flexible work schedule.
• Possibility to combine the job with primary employment.
• Free training course.

How to apply:
• To apply, please reply back with your contact details. Phone number, contact name and attach any copy of your document with photo.
• Please reply ONLY to our e-mail: [email protected]

Page 22:

“Poof”

Money is quickly gone and often not recovered

Page 23:

Who is Responsible?

• The bank?
• The client?

Page 24:

Other Variations

• Use various attack methods to exploit check archiving and verification services that enable them to issue counterfeit checks

• Impersonate the customer over the phone to arrange funds transfers

• Mimic legitimate communication from the financial institution to verify transactions, create unauthorized wire transfers and ACH payments, or initiate other changes to the account

• Gain customer lists and/or proprietary information - often through the spread of malware - that can also cause indirect losses and reputational damage to a business

Page 25:

BEST PRACTICES

• Educate your employees

• Exercise extreme caution when confronted with any request to divulge account information or banking access credentials

• Never open file attachments or click on web links if you are unsure of the source

• Be wary of pop-up messages

• Teach and require best practices for IT security

Page 26:

BEST PRACTICES

• Enhance the security of computers and networks
  – Install a dedicated, actively managed firewall
  – Create strong passwords (at least 10 characters) and update them several times per year
  – Install commercial anti-virus and spyware detection programs on all computer systems
  – Run regular scans for viruses, spyware, and malware
  – Ensure virus protection and other security software are updated regularly
  – Pay attention to warnings (viruses, etc.)
  – Note any changes in computer performance

Page 27:

BEST PRACTICES

• Reconcile all bank transactions (including checking online for electronic transfers) on a daily basis

• Enhance corporate banking processes and protocols
  – Multi-factor authentication
  – Dual control/authorization
  – Access controls
  – Watch for suspicious or out-of-pattern activity
  – Immediately report any transactions in your accounts that you question
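Daily reconciliation and out-of-pattern monitoring as a worked example (added here, not part of the presentation): it checks one day's outbound transfers against the controls on this slide, flagging transfers without dual authorization, to payees never paid before, in a burst of new-payee transfers, or to an out-of-country destination. The transactions, payee names and record layout are constructed assumptions, not any bank's export format.

```python
from datetime import datetime, timedelta

# Constructed baseline: payees this business has paid in prior reconciled statements.
KNOWN_PAYEES = {"Acme Supply", "City Utilities", "Payroll Provider"}

# Constructed sample of one day's outbound transfers:
# (timestamp, type, payee, destination country, amount, number of approvers)
TRANSFERS = [
    ("2012-03-05 09:02", "ACH", "Acme Supply", "US", 4200.00, 2),
    ("2012-03-05 09:40", "WIRE", "J. Smith", "US", 9800.00, 1),
    ("2012-03-05 09:52", "WIRE", "R. Jones", "US", 9500.00, 1),
    ("2012-03-05 10:05", "WIRE", "L. Brown", "US", 9900.00, 1),
    ("2012-03-05 10:17", "WIRE", "Broad Capital Co", "UA", 9700.00, 1),
    ("2012-03-05 14:30", "ACH", "City Utilities", "US", 610.00, 2),
]

def flag_transfers(transfers, known_payees, window=timedelta(hours=2), burst=3):
    """Return [(summary, reasons)] for transfers that break the controls:
    dual authorization, previously known payee, no burst of transfers to
    new payees inside `window`, and a domestic destination."""
    parsed = [(datetime.strptime(t[0], "%Y-%m-%d %H:%M"), *t[1:]) for t in transfers]
    # Timestamps of every transfer to a payee not in the baseline
    new_payee_times = [ts for ts, _kind, payee, *_rest in parsed if payee not in known_payees]
    flagged = []
    for ts, kind, payee, country, amount, approvers in parsed:
        reasons = []
        if approvers < 2:
            reasons.append("no dual authorization")
        if payee not in known_payees:
            reasons.append("new payee")
            # Count new-payee transfers in the window ending at this transfer
            recent = sum(1 for t in new_payee_times if ts - window <= t <= ts)
            if recent >= burst:
                reasons.append(f"{recent} new-payee transfers in {window}")
        if country != "US":
            reasons.append("out-of-country destination")
        if reasons:
            flagged.append(((ts.strftime("%Y-%m-%d %H:%M"), kind, payee, amount), reasons))
    return flagged

if __name__ == "__main__":
    for summary, reasons in flag_transfers(TRANSFERS, KNOWN_PAYEES):
        print(summary, "->", "; ".join(reasons))
```

Each flagged line is a candidate for the "immediately report" step on the slide; the two transfers to known payees with two approvers pass silently.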

Page 28:

BEST PRACTICES (cont.)

• Never leave a computer unattended while using any online banking or investing service

• Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc.

Page 29:

Contact

Jim Vogt, CFE, CTP
(858) [email protected]

NO PART OF THIS DOCUMENT MAY BE REPRODUCED IN ANY FORM OR BY ANY MEANS WITHOUT THE EXPRESSED WRITTEN PERMISSION OF JIM VOGT.

ALL RIGHTS RESERVED, © 2012.