Defend Your Company From Account Takeover

March 20, 2024

A corporate account takeover isn't limited to large companies. Businesses of all sizes are equally susceptible to this type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable.¹

According to the National Automated Clearing House Association (NACHA), criminals may access these credentials by mimicking a financial institution’s website, using malware and viruses to compromise a system to gain account access, or using social engineering to incent customers into revealing security credentials or other sensitive data. Fraudsters may initiate contact by email, phone, fax or mailed letter to receive sensitive information.²

Utilize these best practices from NACHA and the American Banker's Association to keep your company safe:

Educate your employees. You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.

Use firewalls, security suites, anti-malware and anti-spyware on all computers.

Avoid conducting financial transactions over public WiFi. If public WiFi must be used, connect to a secure website and use a VPN. Secure websites are those that begin with “https” rather than “http”. A VPN provides an encrypted path for your data through the internet connection.

Use caution when clicking on links and manually type the URL when in doubt.

Never provide password, username, authentication tools or account information when contacted. Financial institutions or corporations will not ask for this information. If in doubt, use a known contact list or publicly available contact information to confirm the validity of the contact.

Dedicate one computer exclusively to online banking and cash management activity and related security efforts and do not allow workstations to be used for general web browsing.

Initiate files using dual control – for example, file creation by one employee and file approval and release by another employee on a different computer.

Authenticate requests to make a payment of change payment instructions by vendors, and independently verify change in payment instructions.

Make ACH payment/information forms available only via secure means.

Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that safeguard you from unauthorized transactions. Positive Pay and other services offer call backs, device authentication, multi-person approval processes and batch limits help protect you from fraud. Take seriously calls received from your bank questioning the legitimacy of a payment.

Pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. Keep records of what happened.

Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.

Member FDIC