During the summer of 2008, a different type of cybercrime was identified: corporate account takeover. It is costly and ranks among the fastest and most stealthy types of attack. Cybercriminals engaging in it surreptitiously obtain an entity's online banking credentials, use malware to control one of its computers remotely and steal funds from the entity's bank account, often costing the entity tens of thousands of dollars in a single session.
According to David Nelson, FDIC Cyber Fraud and Financial Crimes Section specialist, small- and mid-size businesses (SMBs) and their financial institutions suffered about $120 million in losses due to electronic funds transfer fraud in the third quarter of 2009, up from about $85 million two years earlier. According to the FBI, losses in November 2009 alone were about $100 million.
THE CRIME’S COURSE
Although corporate account takeovers can take different forms, the discussion here is limited primarily to electronic funds transfer fraud, such as Automated Clearing House (ACH) or wire transfer fraud. These schemes involve three steps:
- Illicitly acquire login credentials. The credential compromise usually is accomplished with a malicious program distributed as an email attachment, a drive-by download while browsing or a file transfer of a seemingly legitimate file. The user inadvertently allows the malicious program, typically a banking Trojan, to be downloaded and executed, and usually is unaware that anything malicious is occurring.
- Covertly gain unauthorized access to the victim's computer to avoid the bank's security features. Banks profile the device and connection used for each login (the login "fingerprint") and demand extra verification when a login does not match. The cybercriminal therefore uses a remote-control tool to hijack the victim's own computer and conducts the session from it, so the bank sees a trusted source and the fingerprint check passes. This is the important caveat for anyone relying on that control: device recognition does not protect an account when the recognized device itself is compromised. From the hijacked system the criminal can initiate fraudulent ACH or wire transfers out of the victim entity's bank account.
- Transfer the victim's bank funds to accounts controlled by the cybercriminal. The cybercriminal transfers most, if not all, of the funds in the victim's account, usually by wire transfer, often in several amounts sized to stay below the bank's review thresholds. The funds typically go to individuals known as money mules, who forward them to a protected account, such as an overseas bank account in a country that does not cooperate with U.S. banking rules and protocols, from which recovery is unlikely.
THE OPPORTUNITY FOR CYBERCRIMINALS
SMBs are the targets for this crime because they tend to pay less attention to information security, controls and risk assessments. Thus, their systems tend to be more vulnerable than those of larger entities. SMBs also have resource constraints, including finances and expertise, which add further risk.
The specific person targeted often is the person most likely to be conducting online banking transactions for the entity, such as the chief accounting officer (CAO), chief financial officer (CFO), treasurer or controller, all of whom are relatively easy to identify online. The savvy cybercriminal also knows the steps that need to be taken to access accounts as well as online banking’s typical security features.
There are at least two risk areas for clients of CPAs and CPAs in business and industry who perform online banking transactions.
First, the CAO, CFO, treasurer or controller often is unaware of corporate account takeovers and of the repercussions and liability that can follow. According to one source, a survey of small businesses reported that only 18 percent of those surveyed understood that they are liable for cyber losses, which reveals a severe lack of basic cybercrime knowledge. The liability point matters: business accounts do not receive the consumer reimbursement protections that apply to personal accounts, so when the bank's security procedures are found to be commercially reasonable, the loss generally stays with the business.
Second, there is a lack of adequate controls over the online banking process. However, even fairly stringent controls can be overcome by a cybercriminal's persistent attack, and such controls can create a false sense of security when, in reality, substantial risk remains.
A 2009 Verizon study of 600 breaches over a five-year period found that in 87 percent of cases investigators concluded the breach could have been avoided if reasonable security controls had been in place at the time of the incident. Thus, a good place to start BEFORE a breach occurs is the set of reasonable security controls that the information security profession defines as best practices or principles.
Remediation measures and controls that apply to one cybercrime often apply equally well to others, so a single countermeasure frequently addresses multiple cybercrimes. This further supports the position that the measures and controls entities adopt after a cybercrime occurs are the same measures and controls that should have been in place before the breach.
SECURITY AUDITS AND CONTROLS
A Computer Security Institute (CSI) survey ranked internal cybersecurity audits as the strongest weapon for preventing and detecting cybersecurity vulnerabilities. An effective internal security audit identifies cybersecurity risks and assesses the severity of each. Following the audit, preventive controls for the major risks identified need to be instituted. Three strategies that can help management develop those controls are:
- Patching vulnerabilities, including vulnerable software such as browsers and their plug-ins, promptly and proactively. The Trojans used in account takeovers commonly arrive through known, unpatched software flaws.
- Using least-access privileges (a security concept that grants a person only the access to systems, technologies and data needed to perform his/her duties) and other sound logical access controls. Least privilege helps mitigate crimes perpetrated internally, and it also limits malware: a Trojan runs with the rights of the logged-in user, so an everyday account with administrator rights lets it install and hide itself far more easily. For external threats, sound perimeter controls such as firewalls and Intrusion Detection Systems (IDS) are critical to protection.
- Monitoring systems, technologies and access, using the logs those technologies create for such activities, with the associated controls varying by threat level. This is also a detection strategy: because a takeover is conducted from a trusted machine with valid credentials, what stands out is not the login but the behavior that follows it, such as payments to payees never used before, amounts out of line with the account's history, and activity outside the hours the account normally transacts.
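To make the monitoring strategy concrete, the following is an added example, not code from the original article or from any bank: it runs a simple behavioral detector over a constructed log of outbound ACH/wire instructions. The log format, field names, the "device fingerprint recognized" flag, the payee identifiers and the thresholds are all assumptions chosen for illustration. The point it demonstrates is the one made above: every transfer in the sample, including the fraudulent ones, passes the device-fingerprint check because the session came from the hijacked trusted machine, so a detector that looks only at that check catches nothing, while one that compares each transfer with the account's own history flags the three out-of-hours payments to new payees.

```python
"""Added example (not from the original article): behavioral detection of
suspicious outbound transfers in a constructed online-banking activity log.

The bank's device "fingerprint" check passes when the session originates
from the victim's own hijacked computer, so this detector ignores that flag
and scores each transfer against the account's prior behavior instead.
Log format, field names, payee ids and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one outbound ACH/wire instruction per line:
# timestamp  user  fingerprint_recognized  payee_id  amount_usd
SAMPLE_LOG = """\
2009-11-02T10:15:00 controller yes payee-042 4800.00
2009-11-05T09:40:00 controller yes payee-017 5200.00
2009-11-09T11:05:00 controller yes payee-042 4950.00
2009-11-12T10:30:00 controller yes payee-031 3100.00
2009-11-16T09:55:00 controller yes payee-017 5050.00
2009-11-19T10:20:00 controller yes payee-042 4700.00
2009-11-20T03:12:00 controller yes mule-9981 9400.00
2009-11-20T03:14:00 controller yes mule-9982 9650.00
2009-11-20T03:17:00 controller yes mule-9983 9300.00
"""


@dataclass
class Transfer:
    when: datetime
    user: str
    fingerprint_ok: bool
    payee: str
    amount: float


def parse_log(text):
    """Parse the whitespace-separated log format assumed above."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, fp, payee, amount = line.split()
        transfers.append(Transfer(datetime.fromisoformat(ts), user,
                                  fp == "yes", payee, float(amount)))
    return transfers


def flagged_by_fingerprint(transfers):
    """What a device-fingerprint check alone would catch: sessions from an
    unrecognized machine. A hijacked trusted machine never trips it."""
    return [t for t in transfers if not t.fingerprint_ok]


def baseline_from(history):
    """Summarize the account's normal behavior from prior transfers."""
    amounts = [t.amount for t in history]
    return {"payees": {t.payee for t in history},
            "mean": mean(amounts),
            "stdev": pstdev(amounts) or 1.0,  # identical amounts give 0; avoid divide-by-zero
            "hours": {t.when.hour for t in history}}


def score_transfer(t, baseline, z_threshold=3.0):
    """Return (score, reasons). Weighted so that a single new payee during
    business hours stays below the alert threshold used in detect()."""
    reasons = []
    if t.payee not in baseline["payees"]:
        reasons.append((1, "new payee %s" % t.payee))
    z = (t.amount - baseline["mean"]) / baseline["stdev"]
    if z > z_threshold:
        reasons.append((2, "amount %.2f is %.1f std devs above usual %.2f"
                        % (t.amount, z, baseline["mean"])))
    if t.when.hour not in baseline["hours"]:
        reasons.append((1, "hour %02d never used before" % t.when.hour))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def detect(transfers, warmup=3, alert_score=2):
    """Score each transfer against the history of earlier, unflagged ones.
    Flagged transfers are NOT added to the history, so the fraud cannot
    train the baseline to accept the next mule payment."""
    history, alerts = [], []
    for t in sorted(transfers, key=lambda x: x.when):
        if len(history) < warmup:
            history.append(t)
            continue
        score, reasons = score_transfer(t, baseline_from(history))
        if score >= alert_score:
            alerts.append((t, score, reasons))
        else:
            history.append(t)
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("fingerprint check alone flagged:", len(flagged_by_fingerprint(rows)))
    for t, score, reasons in detect(rows):
        print(t.when.isoformat(), t.payee, "%.2f" % t.amount,
              "score", score, "|", "; ".join(reasons))
```

The design choice worth noting is in detect(): a transfer that trips the alert threshold is kept out of the history, otherwise the first mule payment would raise the mean and add the 3 a.m. hour to the baseline, and the second and third payments would look progressively more normal. The legitimate 2009-11-12 payment to a new payee scores only 1 and is absorbed into the baseline, which is the intended trade-off between catching takeovers and paging someone for every new vendor.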
In an age of financially motivated cybercrime, every entity should have sufficient business insurance coverage to recover financial losses. Executive management team members, especially the CFO, must evaluate the entity's insurance coverage to ensure that it could recover estimated losses from any cybercrime, and in particular confirm that the policy actually covers funds transfer fraud rather than assuming a general business policy does.
Coverage should be reviewed on a reasonable periodic basis. Leaders also might consider enlisting service providers that offer cleanup and restore functions after certain crimes have been committed.