Corporate Account Takeover Defense

by | Dec 20, 2023 | Business, Identity Theft, Technology

Corporate account takeover is a form of identity theft where an unauthorized individual gains access to your business bank account. Once the fraudster breaches the account, they have free rein over your hard-earned money and the ability to steal sensitive customer information. One of the biggest misconceptions about these attacks is that they are highly technical. In fact, these attackers rely on simple deception to trick users into providing login details. These attacks are only becoming more common.

Common Attacks: A List by Michael Halstead at Launch Consulting
  • Phishing: This remains a popular method of attack as it has become much more sophisticated, with attackers testing their messages to avoid common defensive tools. Artificial intelligence (AI) has also created new challenges with near-perfect phishing emails. SMS text messages have also become a popular technique. Unlike email, mobile phones don’t have strong filters to block text messages containing spam or smishing attempts.
  • Pretexting: The human equivalent of phishing where an attacker creates a false pretext, e.g., impersonating a person in authority, to deceive employees into revealing sensitive information or performing certain actions.
  • Business email compromise (BEC): This specifically targets corporate email accounts. Attackers compromise or spoof employee email accounts to trick others within the organization (or external parties) into performing fraudulent actions. This can include wire transfers, changing payment details, or disclosing sensitive information. In 2022, the FBI IC3 (Internet Crimes Complaint Unit) received 21,832 BEC complaints with adjusted losses of over $2.7 billion.
  • Social engineering: Uses human psychology and trust to manipulate individuals, often employees, into sharing sensitive information or granting unauthorized access. Like phishing, social engineering attacks have become much more sophisticated, using AI to impersonate legitimate entities via phone calls or video.
  • Phone calls impersonating legitimate entities: Attackers target company leaders, business partners, or financial institutions, to trick employees into revealing login credentials, account details, or sensitive information. Attackers then use them to gain unauthorized access to corporate accounts.
  • Deepfakes: The use of AI to create a video or audio recording of a high-ranking executive to trick an employee into transferring funds, sharing sensitive data, or giving an attacker control over a corporate account. Deepfakes will likely become more prevalent as advances in AI are made and news of successful attacks increases.
  • Leveraging insiders: Bad actors use employees to assist with corporate account takeovers. The motivation can be financial, affinity to a particular cause, and/or threats of blackmail. Employees or individuals with privileged access can be convinced to misuse their privileges for personal gain or malicious purposes.

Your Best Defense Against Corporate Account Takeovers

Unfortunately, no single security practice or control can prevent corporate account takeover attacks. It takes a combination of practices to reduce the risk. Below is a list of the six best practices to prevent corporate account takeover attacks.

  1. Defense in Depth – Companies must implement a defense-in-depth approach. Maintaining a strong security posture remains key in preventing corporate account takeovers, among other cyberattacks. It’s best to implement layers of defense, including vulnerability management, email and web filtering, network segmentation, third-party risk management, intrusion detection and monitoring, and incident response.
  2. Multifactor authentication (MFA) – It’s important to have strong multifactor authentication around all corporate accounts.
  3. Strong access management strategies – Implementing strong access management measures is essential.
  4. Contextual access management measures – Businesses should also implement contextual access management that considers a user’s current location, time of access, behavior patterns, network environment, the device being used, and other contextual information.
  5. Robust security monitoring – Have a team or third party that can continually monitor all incoming security alerts 24/7.
  6. Employee education and training, a human firewall – Employee education and awareness are key and one of the first lines of defense. This “human firewall” remains a very important defense in preventing corporate account takeovers. Ensure you regularly educate and train employees about the risks associated with corporate account takeovers, particularly those who have access or work in areas such as payments and finance. This includes making employees aware of the key things to look for in an email that indicate it is malicious or has malicious intent in some way.
