What is Corporate Account Takeover (CATO)?

Corporate Account Takeover (CATO) is a form of identity theft where thieves typically use some form of malware to obtain a business’ online banking credentials and then initiate fraudulent banking transactions, including wire transfers and Automated Clearinghouse (ACH) payments.

Cyber criminals are increasingly targeting the owners, employees and contractors of small and medium size businesses, municipalities, non-profits and school districts.

How CATO attacks happen

CATO attacks are not aimed at financial institutions; rather they target account holders, specifically the computers and internet connections that are used to access online bank accounts and your employees who are authorized to conduct electronic transactions on your bank account. Your workstations, network connections and account credentials should be secured.

Fraudsters can obtain your online banking credentials through malicious software, phishing, malicious websites, social media, ads from popular websites, or masquerading as a trustworthy person or entity in an electronic communication. These techniques may include clicking a link or opening an attachment in a phishing email, accepting a fake friend request on social networking sites, or visiting a legitimate website that is compromised and installs malware on your computer(s).

Here are some examples:

• In May 2010, Golden State Bridge, an engineering and construction company based in Martinez, Calif., was robbed of more than $125,000 when cyber criminals hacked into its bank account. The hackers made two ACH transactions with the office manager’s user name and password, routing stolen money to eight other banks across the country. Ann Talbot, Golden State’s chief financial officer, learned later that the office manager had violated policy by visiting a social networking site, which the company said it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect. It is likely that the antivirus software had not been updated to the latest release which may have caught the particular malware that infected the computer.
• A California escrow firm has been forced to take out a high-cost loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year. In March, computer criminals broke into the network of Redondo Beach based Village View Escrow, Inc., and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. Owner Michelle Marisco said her financial institution at the time – Professional Business Bank of Pasadena, Calif. – normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. However, the attackers apparently disabled that feature before initiating the fraudulent wires.

Ways Bristol County Savings Bank protects you

The Bank offers a number of security safeguards designed to protect your business from CATO, including:

• Call back procedures. When we receive a wire transfer request, we call back to verify wire authorization. E-mailed wire instructions will not be accepted for processing. The use of secure PINs and/or security questions will be required for all call back confirmations.
• Out-of-Band authentication. You will receive a one-time code via text, e-mail or voice based on your agreement.
• Security tokens. Tokens provide a passcode that randomly changes periodically. The token is used in addition to your user ID and password to authenticate users.
• Positive Pay. Positive Pay may reduce the likelihood that certain types of fraudulent checks will be paid against an account. For information about Positive Pay click here.
• PINs for wire transactions. 

We will NEVER e-mail or call you to ask for your account number, password or for information on tokens. If anyone contacts you requesting this information, do not provide it. Instead, contact Bristol County Savings Bank immediately at (800) 643-BCSB or (508) 828-5420 and press ‘3’ to speak directly to a Customer Service Center representative.

What to do if you believe your account has been compromised

If you believe an unauthorized transaction has occurred or your account has been compromised contact the Bank immediately at (800) 643-BCSB or (508) 828-5420 and press ‘3’ to speak directly to a Customer Service Center representative. Here are other steps you should take:

• Cease all online activity and remove any compromised systems from the network.
• Ensure all proper authorities are contacted, such as senior management at your firm, information technology personnel, banking institutions, and the police.
• Maintain a written log of events that have transpired since abnormal activity was detected.
• Consider what kind of data might have been accessed by the intruding party.
• File a police report and provide any facts known about the circumstances surrounding the loss.
• Have a contingency plan in place to recover systems that are suspected to have been breached.

Best practice recommendations for businesses to prevent CATO fraud

The Bank has many safeguards designed to reduce the risk of CATO fraud. However, there are also a number of best practices that businesses should implement to prevent CATO:

• Train all employees – education is key
• Enhance the security of devices and network
  • Minimize the number of machines used for various business functions. Consider conducting online banking on dedicated machines segregated from other business functions.
  • Always lock computers when unattended, especially those with administrator access.
  • Use strong password policies.
  • Install and maintain anti-virus, anti-malware and anti-spam programs that periodically scan file systems.
  • Utilize firewalls and routers to restrict network access.
  • Ensure that programs are consistently updated through an organized patching process.
  • Regularly backup system files.
  • Encrypt hard drives if possible, and if not, encrypt important documents including those containing sensitive information.
  • Avoid utilizing open internet access points for internet connectivity.
  • Be on alert for suspicious e-mails – do not click links or open attachments from e-mail.
  • Block pop-ups.
• Note any changes in the performance of your computer (e.g., dramatic loss of speed, computer locks up, unexpected rebooting, unusual popups, etc.)
• Be aware of emerging information security threats and what measures can be taken to mitigate the risk of unauthorized intrusion.

Processes and procedures for corporate banking activity may also be enhanced to include:

• When conducting ACH or wire transfer activities, utilize dual controls through two separate computers.
• Verify confirmation channels for approval and notification of activity with your financial institution.
• If, for any reason, your account information or settings have been changed without proper authorization, contact your financial institution immediately.
• Monitor and Reconcile accounts daily.
• Make sure that employees know how to, and whom to, report suspicious activity.

Understand your responsibilities and liability

Ensure that you understand the account agreement you have entered into with your financial institution. Understand how liability is determined for cases of fraud.

• Federal Regulation E does not apply to commercial accounts and financial institutions are not required to reimburse losses under certain circumstances.
• It is critical that you understand and implement the appropriate safeguards. Businesses are expected to employ reasonable security procedures when conducting financial transactions. CATO frauds typically target security lapses at the business, access device (e.g., PC, email, mobile device) or user level. It is the business’ responsibility to secure their workstations, network connections and account credentials.
• Failure to implement appropriate security safeguards may result in losses stemming from a takeover. The business may be held liable for the portion of the loss that can be attributed to their failure to use reasonable care and security procedures as recommend by best practices.

Additional Resources

There are a number of resources available to further educate yourself on CATO fraud:

• Fraud Advisory for Business: CATO, a joint effort of the United States Secret Service, Federal Bureau of Investigation, Internet Crimes Complaint Center and the Financial Services – Information Sharing and Analysis Center.
• Current Fraud Threats Resource Center from the National Automated Clearinghouse Association
• Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC)
• CATO Tools and resources from the Conference of State Bank Supervisors (CSBS)

For additional cyber security and fraud related information visit the security awareness section of our website.

FBInsure provides specialty cyber liability insurance. If you are interested in more information contact Ed McGuire, FBInsure’s Director of Specialty Insurance at 508-824-8666 or emcguire@fbinsure.com.