Corporate Account Take Over (CATO)
What is Corporate Account Takeover (CATO)?
Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials. Small to mid-sized businesses remain the primary target of criminals, but any business can fall victim to these crimes. Attacks today are typically perpetrated quietly by the introduction of malware through a simple email or infected website. For a business that has low resistance to such methods of attack, the malware introduced onto its system may remain undetected for weeks or even months.
What is malware?
Short for “malicious software”, malware is software designed to infiltrate a computer system without the owner’s informed consent. Examples include viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, etc.
Where does it come from?
Malware arrives through malicious websites (including social media sites), email, and advertisements served on otherwise legitimate popular websites. Some experts consider email the biggest security threat of all: it has been the fastest and most effective method of spreading malicious software to the largest number of users. A good rule of thumb is to include in an email only information that you would feel comfortable sharing with a stranger.
What to do?
Introducing layered security processes and procedures can help protect businesses from criminals seeking to drain accounts and steal confidential information. These increased security procedures may help reduce the number of incidents and mitigate the financial losses and reputational damage that can result from such attacks.
No single security measure alone is likely to be effective in preventing or mitigating all risks associated with Corporate Account Takeover. Similarly, some of these sound business practices may not be appropriate for or applicable to all businesses. Accordingly, each business must identify its own risks and design and implement appropriate security measures to prevent and mitigate risks associated with Corporate Account Takeover.
Sound business practices suggested by Chelsea Savings Bank are outlined below.
Computer Security
Layered System Security - Use appropriate tools to prevent and deter unauthorized access, and review those tools periodically to ensure they are up to date. These tools include:
- Firewall
- Security suite
- Anti-botnet, anti-malware, and anti-spyware programs
- Encryption of laptops, hard drives, VPNs and/or other communication channels
- Education of all computer users regarding appropriate internet usage
Install robust anti-virus and security software for all computer workstations and laptops and ensure that such software is automatically patched regularly and remains current.
Implement multi-layered system security technology. Anti-virus software alone will not protect a business from most threats. Layering security software constructs a multi-level barrier between businesses’ networks and criminals attempting to access such networks.
Implement security suites so all security options (i.e., firewall, anti-virus, anti-spyware, anti-malware, etc.) work harmoniously to provide superior protection.
Online Banking Safety
Create a secure financial environment by dedicating one computer exclusively to online banking and cash management activity. This computer should not be connected to the business network, should have no email capability, and should not connect to the Internet for any purpose other than online banking. Disallow any use for general Web browsing and social networking.
- Verify use of a secure session (“https”) in the browser for all online banking activity.
- Disallow online banking activities from free Wi-Fi hot spots (airports, Internet cafes and similar public networks).
- Cease all online banking activity if the online banking application appears different or questionable and immediately contact the appropriate financial institution.
Education
Educate all employees about cybercrimes so they understand that even one infected computer can lead to an account takeover. All employees, even those with no financial responsibilities, should be educated about these threats.
Educate all employees to think critically about each email and phone call received. An employee should always ask “Does this email or phone call make sense?”
A business should advise its employees to:
- Not open suspicious emails or emails from unknown persons. Even opening an email may expose a computer and the network to malware.
- Ask, “Does this make sense?” before taking action in response to an email. If an email is suspicious, do not click on a link or open an attachment. The link could navigate the employee to an infected website or download a malware program. Employees should be instructed to delete the suspicious email and not click a link or open an attachment.
- Be particularly suspicious of emails or calls purporting to be from a financial institution, government agency or other organization that request account information, account verification or banking access credentials such as usernames, passwords, Personal Identification Numbers (PINs) and similar information. If such an email or call is received, call the financial institution or agency at a number you already know (for example, from your statement or the institution's published contact information) to verify its legitimacy. Do not call the phone number included in the email, click on a link, or reply to the sender. Note that financial institutions and government agencies will not ask customers for login credentials.
Websites
Block access to unnecessary or high-risk websites. Categories commonly considered high risk include adult entertainment, online gaming, social networking and personal email.
Promptly deactivate or remove access rights of employees who no longer require access (e.g., inactive, transferred or terminated employees).
Require all employees to use strong passwords and change their passwords frequently on both the computer and online banking application.
In some cases a business may determine it is appropriate to utilize a “white-listing” tool to limit employees’ access to only websites that the business has reviewed and deemed safe.
User Accounts
Establish a separate user account for every computer user and limit administrative rights. Much malware needs administrative privileges to install itself or to persist on the computer, so having employees work from standard (non-administrator) accounts for day-to-day tasks reduces the chance that a credential-stealing program is installed unintentionally. Reserve administrator accounts for installing software and changing system settings. Note that some credential stealers run entirely within the user's own session, so a standard account limits the damage but does not by itself prevent every infection.
Staying Informed
Stay informed about defenses to Corporate Account Takeover. Since cyber threats change rapidly, it is imperative that all businesses stay informed about evolving threats and adjust security measures in a timely manner. Among other things, this can be achieved by subscribing to alert groups and to business and industry resources that report on threats and frauds.
Account Security
Dual Control
Initiate payments under dual control, with assigned responsibility for transaction origination and authorization. Dual control involves file creation by one employee with file approval and release by another employee on a different computer.
Reconcilement
Reconcile accounts online daily; at a minimum, review pending electronic activity each business day so that an unauthorized transfer is noticed while it can still be stopped.
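The two practices above, dual control and daily reconciliation, fit together: dual control decides which payments may leave, and reconciliation checks that what the bank shows leaving is exactly that set. The following is an added illustration written for this page, not Chelsea Savings Bank's software; the employees, host names, payment references and statement lines are constructed, and the two-person, two-computer rule is taken directly from the description of dual control above.

```python
"""Dual control for payment release, then reconciliation against the bank.

Added example (not the bank's code). All names, hosts, references and
amounts below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class Payment:
    ref: str
    beneficiary: str
    amount: Decimal
    originator: str             # employee who created the payment file
    origin_host: str            # computer the file was created on
    approver: Optional[str] = None
    approval_host: Optional[str] = None


class DualControlError(Exception):
    """The requested approval would violate the two-person, two-computer rule."""


def approve(payment, approver, approval_host):
    """Record an approval only if a different employee gives it from a different computer."""
    if approver == payment.originator:
        raise DualControlError(f"{payment.ref}: {approver} originated this payment and cannot approve it")
    if approval_host == payment.origin_host:
        raise DualControlError(f"{payment.ref}: approval from the origination computer {approval_host} is not allowed")
    payment.approver = approver
    payment.approval_host = approval_host
    return payment


def reconcile(payments, statement):
    """Compare the bank's posted and pending debits (ref, beneficiary, amount)
    against the payments that passed dual control. Returns a list of
    (kind, ref, beneficiary, amount) exceptions for the reviewer."""
    expected = {p.ref: p for p in payments if p.approver is not None}
    findings, seen = [], set()
    for ref, beneficiary, amount in statement:
        seen.add(ref)
        p = expected.get(ref)
        if p is None:                       # the bank shows a debit we never released
            findings.append(("UNAUTHORIZED", ref, beneficiary, amount))
        elif (p.beneficiary, p.amount) != (beneficiary, amount):
            findings.append(("ALTERED", ref, beneficiary, amount))   # changed after approval
    for ref, p in expected.items():
        if ref not in seen:                 # released but not yet visible at the bank
            findings.append(("NOT_POSTED", ref, p.beneficiary, p.amount))
    return findings


def demo():
    """Run the constructed scenario; returns (reconciliation findings, rejected approvals)."""
    payments = [
        Payment("PAY-1001", "Acme Supplies", Decimal("4250.00"), "alice", "WS-AP-01"),
        Payment("PAY-1002", "Northwind Ltd", Decimal("1200.00"), "alice", "WS-AP-01"),
        Payment("PAY-1003", "Contoso", Decimal("800.00"), "alice", "WS-AP-01"),
        Payment("PAY-1004", "Fabrikam", Decimal("300.00"), "carol", "WS-AP-03"),
    ]
    attempts = [
        (payments[0], "bob", "WS-FIN-02"),      # valid: different person, different computer
        (payments[1], "bob", "WS-FIN-02"),      # valid
        (payments[2], "alice", "WS-FIN-02"),    # rejected: originator approving her own file
        (payments[3], "bob", "WS-AP-03"),       # rejected: approval from the origination computer
    ]
    rejected = []
    for payment, who, host in attempts:
        try:
            approve(payment, who, host)
        except DualControlError as err:
            rejected.append(str(err))
    # Constructed statement: one debit was altered in transit, one was never originated here.
    statement = [
        ("PAY-1001", "Acme Supplies", Decimal("4250.00")),
        ("PAY-1002", "Northwind Ltd", Decimal("12000.00")),
        ("WIRE-7731", "J. Doe", Decimal("9800.00")),
    ]
    return reconcile(payments, statement), rejected


if __name__ == "__main__":
    findings, rejected = demo()
    for f in findings:
        print("EXCEPTION", *f)
    for r in rejected:
        print("REJECTED", r)
```

Both rejected approvals never reach the bank, and the daily reconciliation surfaces the altered amount on PAY-1002 and the unknown wire; either of those findings is exactly what the "Reporting Suspicious Activity" section below says to report to the bank immediately.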
Account Services
Take advantage of appropriate account services offered by your financial institution. Financial institutions offer a variety of services, including debit blocks, Falcon Monitoring, call-backs, etc. Please contact Chelsea Savings Bank for the monitoring services it provides.
Reporting Suspicious Activity
Monitor for and report suspicious activity. Ongoing monitoring and timely reporting of suspicious activity are crucial in deterring or recovering from these frauds. A business should report anything unusual to the financial institution, such as log-ins at unusual times of day, new user accounts, unauthorized transfers, etc., so the financial institution can immediately block the account and monitor activity.
Warning Signs of a Potential Compromise (including, but not limited to):
- Inability to log into online banking (thieves could be blocking customer access so the customer will not see the theft until the criminals have control of the money)
- Dramatic loss of computer speed
- Changes in the way things appear on the screen
- Computer locks up so the user is unable to perform any functions
- Unexpected rebooting or restarting of the computer
- Unexpected request for a one time password (or token) in the middle of an online session
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working
- New or unexpected toolbars and/or icons
- Inability to shut down or restart a computer
If You Notice Anything Suspicious
- Review all accounts regularly to detect unauthorized activity.
- Notify Chelsea Savings Bank (319-444-3144) immediately if you suspect that your Login ID or Password has become known to any unauthorized person.
- Immediately change all passwords associated with the online account, using a computer that is not suspected of being compromised.
- Disconnect all computers used for online banking from the Internet, but do not wipe or reinstall them until they have been examined; doing so destroys the evidence a forensic review needs.
- Request a temporary hold on all other transactions until verbal confirmation is obtained.
- Work with appropriate computer forensic specialist and law enforcement to review impacted equipment.
Safe Online Banking Tips
As use of the Internet continues to expand, more banks and thrifts are using the Web to offer products and services to enhance communications with consumers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or scams.
Tips to help you if you are considering or already using online banking:
- Confirm that an online bank is legitimate and that your deposits are insured
- Keep your personal information private and secure
- Understand your rights as a consumer
- Learn where to go for more assistance from banking regulators
Confirm that an Online Bank is Legitimate and that Your Deposits are Insured
Whether you are selecting a traditional bank or an online bank that has no physical offices, it is wise to make sure that it is legitimate and that your deposits are federally insured.
Key Information about the Bank Posted on Its Web Site
Most bank Web sites have an "About Us" section that describes the institution. You may find a brief history of the bank, the official name and address of the bank, and information about its insurance coverage from the FDIC.
Verify the Bank's Insurance Status
To verify a bank's insurance status, look for the familiar FDIC logo or the words "Member FDIC" or "FDIC Insured" on the web site. You can search for an institution by going to the FDIC's home page and selecting "Is My Bank Insured?". Enter the official name, city, and state of the bank, and click the "Find My Institution" button. A positive match will display the official name of the bank, the date it became insured, its insurance certificate number, the main office location, and its primary government regulator. If your bank does not appear on this list, contact the FDIC at 800-934-3342 or send an email via the FDIC's online Customer Assistance page.
Protect Yourself from Fraudulent Web Sites
Watch out for copycat Web sites that deliberately use a name or Web address very similar to, but not the same as, that of a real financial institution. The intent is to lure you into clicking onto their Web site and giving your personal information, such as your account number and password. Always check to see that you have typed the correct Web site address for your bank before conducting a transaction. Once you have verified the address, bookmark it and use the bookmark rather than links in email.
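"Very similar to, but not the same as" covers several distinct tricks: a swapped letter, characters that look alike (a digit 1 for an l, "rn" for "m"), the real name buried as a subdomain of some other domain, or an internationalized name whose letters come from another alphabet. The check below is an added example written for this page, not Chelsea Savings Bank's code; EXPECTED_HOST is an assumed stand-in for your bank's real domain, and the confusable-character table is a small illustrative subset rather than a complete one.

```python
"""Classify a URL the user is about to use against the bank's real address.

Added example (not the bank's code). EXPECTED_HOST and the confusable
table are assumptions for illustration.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "example-bank.com"   # assumption: replace with the bank's real domain

# Character sequences that are easily mistaken for one another (illustrative subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def fold(name):
    """Rewrite confusable sequences so look-alikes compare equal."""
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name


def edit_distance(a, b):
    """Levenshtein distance; small values mean a one- or two-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels, e.g. 'login.example-bank.com' -> 'example-bank.com'.
    Good enough here; production code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_url(url, expected_host=EXPECTED_HOST):
    """Return ('OK' | 'SUSPICIOUS' | 'UNKNOWN', reason) for the given URL."""
    parts = urlsplit(url)
    if not parts.scheme:
        return ("SUSPICIOUS", "address has no scheme; type https:// explicitly")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("SUSPICIOUS", "no host name in address")
    if parts.scheme != "https":
        return ("SUSPICIOUS", "connection is not https")
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        return ("SUSPICIOUS", f"internationalized host name may mimic {expected_host}")
    if host == expected_host or host.endswith("." + expected_host):
        return ("OK", host)
    if expected_host in host:
        return ("SUSPICIOUS", f"{expected_host} appears inside another domain: {host}")
    candidate = registrable(host)
    if fold(candidate) == fold(expected_host):
        return ("SUSPICIOUS", f"confusable characters: {candidate} resembles {expected_host}")
    if edit_distance(candidate, expected_host) <= 2:
        return ("SUSPICIOUS", f"one or two characters off: {candidate} resembles {expected_host}")
    return ("UNKNOWN", f"{host} is not the bank's domain")


if __name__ == "__main__":
    for u in ["https://online.example-bank.com/login", "http://example-bank.com",
              "https://examp1e-bank.com", "https://exarnple-bank.com",
              "https://example-bank.com.secure-verify.net/", "https://exampel-bank.com",
              "https://xn--exmple-bank-3nb.com", "https://www.fdic.gov"]:
        print(u, "->", classify_url(u))
```

The order of the checks matters: the embedded-name test runs before the look-alike tests because "example-bank.com.secure-verify.net" contains the real name exactly and would otherwise be scored as a distant, harmless domain.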
Keep Your Transactions Secure
The Internet is a public network. Therefore, it is important to learn how to safeguard your banking information, credit card numbers, Social Security Number and other personal data. Contact your bank for information regarding their Web site security practices.
Security Features
Encryption scrambles your information in transit so that others on the network cannot read it. Browsers show a padlock icon in the address bar, and the address begins with "https", when the connection to a site is encrypted. Note that the padlock only means the connection is encrypted; it does not prove that the site belongs to your bank, so check the address as described above as well. Avoid sending sensitive information, such as account numbers, through unsecured email.
Passwords or personal identification numbers (PINs) should be used when accessing an account online. Your password should be unique to you and you should change it regularly. Do not use birthdates or other numbers or words that may be easy for others to guess. Never share your password; the bank will not ask you for it. If you use a financial company that requires your passwords in order to gather your financial data, make sure you learn about the company's privacy and security practices first.
General security for your personal computer, such as virus protection and physical access controls, should be in place and updated regularly. Contact your hardware and software suppliers or Internet service provider to ensure you have the latest security updates.
Before you order a product or service online, make sure you are comfortable with the reputation of the company making the offer. Only then should you give out your credit card or debit card number. Never give these numbers unless you initiated the transaction.
Important Customer Alerts
Microsoft has ended support for operating system and browser versions that cannot negotiate TLS 1.2, and the online banking service requires TLS 1.2 to connect. If your system cannot connect using TLS 1.2 you may receive a connection error; upgrade to a supported operating system and browser version to avoid an unnecessary service interruption. Contact the bank if you need assistance.
NOTICE OF EXPIRATION OF THE TEMPORARY FULL FDIC INSURANCE COVERAGE FOR NONINTEREST-BEARING TRANSACTION ACCOUNTS
By operation of federal law, beginning January 1, 2013, funds deposited in a noninterest-bearing transaction account (including an Interest on Lawyer Trust Account) no longer will receive unlimited deposit insurance coverage by the Federal Deposit Insurance Corporation (FDIC). Beginning January 1, 2013, all of a depositor’s accounts at an insured depository institution, including all noninterest-bearing transaction accounts, will be insured by the FDIC up to the standard maximum deposit insurance amount ($250,000), for each deposit insurance ownership category.