What is Corporate Account Takeover?

Corporate Account Takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited computer safeguards and minimal or no disbursement controls for use with their bank’s online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to its computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions with the majority of these thefts not fully recovered. These thefts have affected both large and small banks.

This type of cyber-crime is a technologically advanced form of electronic theft. Malicious software, which is available over the Internet, automates many elements of the crime including circumventing one time passwords, authentication tokens, and other forms of multi-factor authentication. Awareness of online threats and education about common account takeover methods are helpful measures to protect against these threats. However, due to the dependence of banks on sound computer and disbursement controls of its customers, there is no single measure to stop these thefts entirely. Multiple controls or a “layered security” approach is required.


Incident Response Plans

Since each business is unique, customers should write their own incident response plan. A general template would include:

  1. The direct contact numbers of key bank employees (including after hour numbers);
  2. Steps the account holder should consider to limit further unauthorized transactions, such as:
    • Changing passwords;
    • Disconnecting computers used for Internet banking; and
    • Requesting a temporary hold on all other transactions until out-of-band confirmations can be made;
  3. Information the account holder will provide to assist the bank in recovering their money;
  4. Contacting their insurance carrier; and
  5. Working with computer forensic specialists and law enforcement to review appropriate equipment.

Resources for Business Account Holders

  1. The Better Business Bureau’s website on Data Security Made Simpler:

  2. The Small Business Administration’s (SBA) website on Protecting and Securing Customer Information:

  3. The Federal Trade Commission’s (FTC) interactive business guide for protecting data:

  4. The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

  5. The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3, and FS-ISAC available on the IC3 website
    (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf )
    or the FS-ISAC website

  6. NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: