Business Security

Account Take-Over Attacks

Account take-overs are electronic attacks in which a fraudster compromises the victim’s computing device in order to log into and take control of the victim’s online banking account. The fraudster typically delivers malware (e.g., an online banking Trojan) to the victim via a phishing e-mail message or a “drive-by download”. Phishing occurs when the fraudster sends the victim an e-mail message spoofing a legitimate sender; the message delivers malware via an embedded hyperlink or attachment. A “drive-by download” occurs when a person’s device is infected with malware via an online ad or a link in a search engine result. Once the victim’s computer is infected with an online banking Trojan, the malware waits for the victim to log into his or her online banking site. At that point, it either steals the victim’s login credentials for use by the fraudster or hijacks the victim’s online banking session. The fraudster then uses this access to the victim’s online banking account to transfer the victim’s money via ACH or wire transfer to another account that he or she controls.

Targets of Account Take-Over Attacks

Small and medium-sized businesses are often targeted by fraudsters for account take-over attacks because they typically carry larger account balances, have an above-average amount of account activity, and have less robust security protections in place. For this reason, in 2011, seventy-two (72) percent of data breach cases affected businesses with 100 employees or fewer. Several small and medium-sized enterprises have lost millions of dollars in account take-over attacks.

Liability for Account Take-Over Attacks

Most people are familiar with Regulation E, which strictly limits consumer liability for electronic banking fraud losses. However, the relationship between a financial institution and a commercial customer is governed not by Regulation E but by the applicable state’s implementation of the Uniform Commercial Code (UCC). Section 4A-202 of the UCC states that a financial institution is not liable for losses that occur as a result of its execution of a payment order when the identity of the submitter is validated via a commercially reasonable security procedure. Thus, commercial customers can be held responsible for the losses they incur as a result of an account take-over attack.

How We Are Protecting Our Customers

Midland States Bank has implemented processes and technology to reduce the risk of account take-overs. It utilizes a hardware-token-based multifactor authentication system. Monetary transactions are secondarily authenticated. A sophisticated behavioral-analytics-based fraud detection system baselines normal customer activity and alerts the bank when suspicious events occur. An ACH fraud detection system checks ACH files for signs of tampering prior to their processing. The bank’s commercial online banking system allows customers to set up dual control (two-person authorization) for monetary transactions and to set authorization limits. All of these controls reduce the chances that Midland States Bank customers will become victims of account take-over attacks.
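To illustrate how dual control and authorization limits gate the release of a payment order, here is an added Python sketch; it is not Midland States Bank's own code (the page shows none), and the thresholds, user names and the notion of a "step-up verified" user set are all hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class PaymentOrder:
    """One ACH or wire payment order awaiting release (constructed for the example)."""
    order_id: str
    initiator: str
    amount: Decimal
    approvals: set = field(default_factory=set)  # user IDs that have approved the order


@dataclass
class ReleasePolicy:
    """Hypothetical customer-configured limits and secondary-authentication state."""
    dual_control_threshold: Decimal  # orders at or above this need a second, distinct approver
    per_order_limit: Decimal         # hard cap on any single order
    daily_limit: Decimal             # cap on the total released in one day
    step_up_verified: set            # users who completed hardware-token secondary authentication


def evaluate_release(order: PaymentOrder, policy: ReleasePolicy, released_today: Decimal):
    """Decide whether an order may be released. Returns (allowed, reason)."""
    if order.amount <= 0:
        return False, "invalid amount"
    if order.amount > policy.per_order_limit:
        return False, "exceeds per-order authorization limit"
    if released_today + order.amount > policy.daily_limit:
        return False, "exceeds daily authorization limit"
    # The monetary transaction itself must be secondarily authenticated by the initiator;
    # a stolen session alone is not enough to release funds.
    if order.initiator not in policy.step_up_verified:
        return False, "initiator has not completed secondary authentication"
    if order.amount >= policy.dual_control_threshold:
        # Dual control: the initiator cannot count as his or her own second approver.
        second_approvers = order.approvals - {order.initiator}
        if not second_approvers:
            return False, "dual control required: second approver missing"
        if not second_approvers & policy.step_up_verified:
            return False, "second approver has not completed secondary authentication"
    return True, "release approved"


if __name__ == "__main__":
    policy = ReleasePolicy(Decimal("5000"), Decimal("25000"), Decimal("50000"), {"alice", "bob"})
    wire = PaymentOrder("W-1", "alice", Decimal("10000"), {"alice"})
    print(evaluate_release(wire, policy, Decimal("0")))  # dual control blocks self-approval
    wire.approvals.add("bob")
    print(evaluate_release(wire, policy, Decimal("0")))  # second verified approver releases it
```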

What You Can Do to Reduce Your Susceptibility

Despite all of the mechanisms that Midland States Bank has put in place to stop cyber fraudsters, there are limits to what it can do alone. The bank needs its customers to cooperate in their own defense. Some of the things that customers can do to reduce their susceptibility to online fraud include the following:

  • Consider doing online banking on a system that is dedicated to the task (or at least is not also being used for e-mail and web surfing).
  • Educate employees about using caution when opening e-mail attachments or clicking on links embedded within e-mails that are unexpected or out of character for the sender.
  • Deploy endpoint security software (e.g., anti-virus engines and personal firewalls) and keep that software up to date.
  • Keep systems patched, since most online banking Trojans exploit known vulnerabilities in commonly used software.
  • Check account activity regularly for unauthorized transactions and alert the bank as soon as something unusual is detected.
  • Use the security features that the bank makes available to commercial customers (e.g., dual control and positive pay).

Contacting Midland States Bank

If you have questions about online fraud or wish to report suspicious activities, contact the Midland States Bank Customer Care Center at 855-696-4352 or e-mail us at (note: do not send confidential information via e-mail).