Since it was first identified in 2006, the financial services sector has been battling a form of cybercrime known as “corporate account takeover,” in which criminals target employees of businesses and induce them to run malicious software (“malware”) that steals their online banking credentials. Armed with those credentials, the criminal can access the business’s financial accounts and electronically steal money from them, most often through unauthorized wire transfers and ACH payments.
Building on the “Protect, Detect, and Respond” risk management framework developed by the United States Secret Service (USSS), the Federal Bureau of Investigation, the Internet Crime Complaint Center, and the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Texas Bankers Electronic Crimes Task Force, in cooperation with the USSS, has developed a list of nineteen recommended processes and controls to mitigate the risk of corporate account takeovers. The recommendations include: expand the risk assessment to cover risks related to online payment services; risk rate each customer that performs online transactions; brief the Board of Directors on these evolving and significant threats; communicate basic online security practices to customers; enhance security awareness education; establish layered security controls; review customer agreements; contact vendors regularly for updated information on risk-reducing controls; establish manual or automated monitoring systems; educate bank employees and customers on the warning signs that an attack may be in progress; update incident response plans to cover new threats and attacks; immediately verify whether a suspicious transaction is fraudulent; immediately attempt to reverse all fraudulent transactions and notify the receiving institution; send a “Fraudulent File Alert” through FedLine; suspend any compromised systems; contact law enforcement and regulatory agencies; document recovery efforts; and follow established procedures for customer relations.
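The recommendations to risk rate each customer and to establish manual or automated monitoring systems are easiest to see as a small rule engine. The example below is added here as an illustration and is not code from the task force, the USSS, or this page; the warning signs it checks (first-time payee, amount above the customer's baseline, origination outside business hours, an unfamiliar source address, and a burst of new payees within 24 hours), the per-tier thresholds, and the sample customer and payments are all constructed assumptions. Payments that trip enough indicators are held for out-of-band verification with the customer, which is the manual step the page's "immediately verify" recommendation calls for.

```python
"""Illustrative payment monitor for corporate online banking (ACH/wire).

Added example with constructed data; the rules and thresholds are assumptions,
not the task force's published list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class CustomerProfile:
    customer_id: str
    risk_tier: str                 # outcome of the per-customer risk rating: "low", "medium" or "high"
    known_payees: Set[str]         # payees this customer has paid before
    typical_max_amount: float      # largest routine payment observed in the baseline period
    usual_ips: Set[str]            # source addresses observed in the baseline period
    business_hours: Tuple[int, int] = (8, 18)   # local hours in which payments are normally originated


@dataclass
class Payment:
    customer_id: str
    payee_id: str
    amount: float
    channel: str                   # "ACH" or "WIRE"
    originated_at: datetime
    source_ip: str


# Allowed multiple of the customer's baseline amount, tightened for riskier tiers (assumed values).
AMOUNT_TOLERANCE = {"low": 3.0, "medium": 2.0, "high": 1.25}


def indicators(p: Payment, c: CustomerProfile, history: List[Payment]) -> List[str]:
    """Return the warning signs present on one payment, given the customer's earlier payments."""
    signs: List[str] = []
    if p.payee_id not in c.known_payees:
        signs.append("new payee")
    if p.amount > c.typical_max_amount * AMOUNT_TOLERANCE[c.risk_tier]:
        signs.append("amount above baseline")
    start, end = c.business_hours
    if p.originated_at.weekday() >= 5 or not (start <= p.originated_at.hour < end):
        signs.append("outside business hours")
    if p.source_ip not in c.usual_ips:
        signs.append("unrecognised source address")
    # Several first-time payees in a short window is the pattern of an account being
    # drained through multiple mule accounts, so count distinct new payees in the last 24h.
    window_start = p.originated_at - timedelta(hours=24)
    recent_new = {h.payee_id for h in history
                  if h.customer_id == p.customer_id
                  and window_start <= h.originated_at <= p.originated_at
                  and h.payee_id not in c.known_payees}
    if p.payee_id not in c.known_payees:
        recent_new.add(p.payee_id)
    if len(recent_new) >= 3:
        signs.append("burst of new payees")
    return signs


def decide(p: Payment, c: CustomerProfile, history: List[Payment]) -> Tuple[str, List[str]]:
    """HOLD the payment for out-of-band verification when enough indicators fire.

    High-risk customers are held on a single indicator; others need two.
    """
    signs = indicators(p, c, history)
    hold_threshold = 1 if c.risk_tier == "high" else 2
    return ("HOLD" if len(signs) >= hold_threshold else "RELEASE"), signs


def run_monitor(payments: List[Payment], profiles: Dict[str, CustomerProfile]):
    """Process payments in time order, feeding each decision the customer's earlier payments."""
    decisions = []
    history: List[Payment] = []
    for p in sorted(payments, key=lambda x: x.originated_at):
        verdict, signs = decide(p, profiles[p.customer_id], history)
        decisions.append((p.payee_id, verdict, signs))
        history.append(p)
    return decisions


# Constructed sample data: one medium-risk customer, one routine payment, then three
# late-night wires to first-time payees from an address never seen before.
PROFILES = {
    "ACME": CustomerProfile("ACME", "medium", {"PAYROLL-01", "VENDOR-17"}, 25000.0, {"203.0.113.10"}),
}
SAMPLE_PAYMENTS = [
    Payment("ACME", "VENDOR-17", 12000.0, "ACH", datetime(2012, 3, 6, 10, 15), "203.0.113.10"),
    Payment("ACME", "NEW-A", 9800.0, "WIRE", datetime(2012, 3, 6, 22, 40), "198.51.100.7"),
    Payment("ACME", "NEW-B", 9700.0, "WIRE", datetime(2012, 3, 6, 22, 45), "198.51.100.7"),
    Payment("ACME", "NEW-C", 9900.0, "WIRE", datetime(2012, 3, 6, 22, 50), "198.51.100.7"),
]


def sample_decisions():
    return run_monitor(SAMPLE_PAYMENTS, PROFILES)


if __name__ == "__main__":
    for payee, verdict, signs in sample_decisions():
        print(f"{payee:10} {verdict:8} {', '.join(signs) or '-'}")
```

Note that each of the three suspicious wires is individually below the customer's amount baseline; the monitor holds them on the combination of first-time payee, off-hours origination and an unfamiliar source address, and the third one additionally trips the burst rule. In production the baseline fields would come from the customer's own history rather than being typed in, and a HOLD would route to a person who calls the customer back on a known number rather than replying to the session that originated the payment.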
These practices build upon the minimum expectations conveyed by the Federal Financial Institutions Examination Council (FFIEC) in its Supplement to Authentication in an Internet Banking Environment issued on June 28, 2011.