
Operations Bulletin from NACHA*


Posted: December 3rd, 2009


Notice from the NACHA website:


NACHA Operations Bulletin


**Corporate Account Takeover**
December 2, 2009


This NACHA Operations Bulletin provides information to Participating Depository Financial Institutions about "corporate account takeover" - a specific type of cyber-crime that is targeting small- and medium-sized business customers of financial institutions. This Operations Bulletin also provides guidance on steps that business customers can take to reduce their vulnerabilities to corporate account takeover.


What is Corporate Account Takeover?


"Corporate account takeover" is when cyber-thieves gain control of a business' bank account by stealing the business' valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business' computer workstations and laptops. A business can become infected with malware via infected documents attached to an e-mail or a link contained within an e-mail that connects to an infected web site. In addition, malware can be downloaded to users' workstations and laptops by visiting legitimate websites - especially social networking sites - and clicking on the documents, videos or photos posted there. This malware can also spread across a business' internal network.

In a recent attack, cyber-thieves sent millions of e-mails purporting to come from NACHA. Mimicking a reputable, national organization is a common tactic used by cyber-thieves to gain credibility and lure unsuspecting individuals into taking some action. The e-mail "reported" a rejected ACH transaction, and included a link for an "Unauthorized ACH Transaction Report." A recipient who clicked on the link would be taken to a fake web site that mimicked the real NACHA web site, which prompted the recipient to click on a fake transaction report. If the recipient clicked the link, the malware was downloaded to the recipient's computer.


This ACH Operations Bulletin is for information purposes and is not intended to provide legal advice. The guidance included in this bulletin is not an exhaustive list of actions, and security threats change constantly.


The malware installs keylogging software on the computer, which allows the perpetrator to capture a user's credentials as they are entered at the financial institution's web site. Sophisticated versions of this malware can even capture token-generated passwords, alter the display of the financial institution's web site to the user, and/or display a fake web page indicating that the financial institution's web site is down. In this last case, the perpetrator can access the business' account online without the possibility that the real user will log in to the web site.

Once installed, the malware provides the information that enables the cyber-thieves to impersonate the business in online banking sessions. To the financial institution, the credentials look just like those of the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns, and ACH and wire transfer origination parameters (such as file size and frequency limits, and Standard Entry Class (SEC) Codes).

The cyber-thieves use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the U.S. These accounts may be newly opened by accomplices or unwitting "money mules" for the express purpose of receiving and laundering these funds. The accomplices or mules withdraw the entire balances shortly after receiving the money, and then send the funds overseas via over-the-counter wire transfer or other common money transfer services.


Why are Smaller Businesses and Organizations Targeted?


The cyber-thieves appear to be targeting small- to medium-sized businesses, as well as smaller government agencies and non-profits, for several reasons:

  1. Many small businesses and organizations have the capability to initiate funds transfers - ACH credits and wire transfers - via online banking (individual consumers generally do not have this capability except for payees set up in online bill payment systems). This funds transfer capability is often related to a small business' origination of payroll payments. In corporate account takeover, the cyber-thieves may add fictitious names to a payroll file (directed to the accounts of money mules), and/or initiate payroll payments off-cycle to avoid daily origination limits;
  2. Small businesses often do not have the same level of resources as larger companies to defend their information technology systems;
  3. Many small businesses do not utilize additional banking services, such as password-generating tokens, and do not monitor and reconcile their accounts on a frequent or daily basis;
  4. Small businesses bank with a wide variety of financial institutions with varying degrees of IT resources and sophistication. Some financial institutions may not offer or require services that would defend against corporate account takeover.


The Top Things a Business can do are:


  1. Initiate ACH and wire transfer payments under dual control. For example, one person authorizes the creation of the payment file and a second person authorizes the release of the file;
  2. Ensure that all anti-virus and security software and mechanisms for all computer workstations and laptops that are used for online banking and payments are robust and up-to-date;
  3. Restrict functions for computer workstations and laptops that are used for online banking and payments. For example, a workstation used for online banking should not be used for general Web browsing and social networking. A better solution is to conduct online banking and payments activity from a dedicated computer that is not used for other online activity, and/or is not connected to an internal network;
  4. Monitor and reconcile accounts daily. Many small business clients do not reconcile their bank accounts on a daily basis, and therefore may not recognize fraudulent activity until it is too late to take action.
  5. Utilize routine and "red-flag" reporting (i.e., alerts about unusual activity) for transaction activity.
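As an added illustration (not part of the NACHA bulletin and not code from any financial institution), the following Python sketch shows how the dual-control, daily-reconciliation and "red-flag" recommendations above could be checked against payroll batches exported from online banking. The record layout, field names, user names and account identifiers are all constructed assumptions.

```python
from datetime import date

def red_flags(batch, known_payees, pay_dates):
    """Return the red flags raised by one payroll batch (empty list = clean)."""
    flags = []
    # Dual control: the file must be released by a second, different person.
    releaser = batch.get("released_by")
    if not releaser or releaser == batch["created_by"]:
        flags.append("DUAL_CONTROL: file not released by a second person")
    # Off-cycle payroll: the bulletin notes thieves originate outside the
    # normal schedule to avoid daily origination limits.
    if batch["effective_date"] not in pay_dates:
        flags.append("OFF_CYCLE: %s is not a scheduled pay date"
                     % batch["effective_date"].isoformat())
    # Fictitious names added to the payroll file: payee accounts never paid before.
    for name, account, cents in batch["entries"]:
        if account not in known_payees:
            flags.append("NEW_PAYEE: %s (%s) for %.2f" % (name, account, cents / 100))
    return flags

# Constructed sample data (hypothetical field names and values).
KNOWN_PAYEES = {"acct-1001", "acct-1002"}
PAY_DATES = {date(2009, 12, 15), date(2009, 12, 31)}
BATCHES = [
    {"id": "B1", "created_by": "alice", "released_by": "bob",
     "effective_date": date(2009, 12, 15),
     "entries": [("A. Smith", "acct-1001", 250000),
                 ("B. Jones", "acct-1002", 240000)]},
    {"id": "B2", "created_by": "alice", "released_by": "alice",
     "effective_date": date(2009, 12, 8),
     "entries": [("A. Smith", "acct-1001", 250000),
                 ("C. Doe", "acct-9001", 950000)]},
]

def daily_report(batches=BATCHES):
    """Map batch id -> red flags, as a daily reconciliation step would review."""
    return {b["id"]: red_flags(b, KNOWN_PAYEES, PAY_DATES) for b in batches}

if __name__ == "__main__":
    for batch_id, flags in daily_report().items():
        print(batch_id, "OK" if not flags else "REVIEW")
        for flag in flags:
            print("   ", flag)
```

Reviewing this output from a workstation other than the one used to originate payments keeps the check independent of a compromised banking session.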


If you have any questions or concerns regarding this bulletin please feel free to contact us.


* NACHA, The Electronic Payments Association®
