CATO or Corporate Account Takeover is a huge financial exposure to unsuspecting businesses. CATO basically is a form of identity theft whereby cyber thieves are able to steal a business’ valid online banking credentials or they take over browser sessions to access a customer’s account. Other terms used to describe this type of cyber theft are “Electronic Crime and Social Fraud Engineering”.
Cyber thieves use a phishing exploit or other social engineering-type attack to target employees and businesses of all types and sizes with the distinct purpose of luring them into downloading and spreading malware. This enables the cyber thieves to have unauthorized access to financial accounts and other confidential information. Once these cyber thieves are behind the firewalls they can be very patient as they now have access to all company financial accounts with authorized usernames, passwords and pins, company email, employee Facebook and Linked-In accounts, vendor/supplier information and confidential customer and employee information.
The cyber thieves can then “spoof” a business and/or the individuals who are authorized to wire funds for the business by getting between the business and its bank. The thieves using the valid credentials of the business or employee send an instruction to the bank to wire funds to an account at another bank. Since the credentials used are valid the funds are transferred as requested resulting in a huge financial loss to the business.
The cyber thieves can also “spoof” a senior officer such as the president of the company by sending an email supposedly from the president to an employee in the accounting department to wire funds to a specific account at another bank to finalize a specific business transaction on behalf of the unsuspecting business. If the employee receiving the email just does as requested without verifying the authenticity of the request the funds again are lost.
The business customer is out the money that was transferred unless the business has established in writing beforehand specific procedures requiring their bank to call them to verify the wire transfer instructions prior to executing them, or their financial institution has internal procedures in place to call any corporate customer back upon receipt of wire transfer instructions. Lack of safeguards such as these can result in a huge financial hit to the bottom line of one’s business.
Unfortunately, unless a business has both a properly structured and endorsed commercial crime policy and a cyberliability policy in effect at the time of the loss their chance of recoveringthe lost funds is minimal at best. We can assist all of our corporate customers in establishing the proper coverages they need to protect them for this exposure as well as arrange CATO training and cash management services through our corporate owner. If you would like to learn how we do this please give us a call.