Quincy Credit Union
Corporate Account Takeover Plan
Corporate Account Takeover Guide (CATO)
This guide was created to increase our Members' awareness of the risks and threats associated with Internet and electronic-based services, and to provide solutions and tools to help prevent fraud and scams.
Corporate Account Takeover is a growing form of electronic crime in which thieves typically use some form of malware, or malicious software, to obtain login credentials to corporate online banking accounts and fraudulently transfer funds from those accounts. Another means fraudsters commonly employ is phishing: masquerading as a trustworthy entity in an electronic communication, or using social engineering, to gain access to your sensitive information.
These attacks can result in substantial monetary loss for your company that often cannot be recovered. As a financial institution, we do everything we can to keep your money safe. Unfortunately, our security practices can only go so far to protect your accounts from corporate account takeover. Some vulnerabilities can only be addressed from your side, and therefore require that the business implement sound practices with its staff, systems and offices.
The following sections are contained in this Guide:
- General information on how CATO fraud works
- Sound Business Practices to combat this threat
  - Education & Internet Risk Awareness
  - Security
    - Computer
    - Account
    - User
  - Detection and Response
- Explanation of Potential Liability
- Other resources
1. HOW DOES CATO FRAUD HAPPEN?
CATO attacks do not target the security systems or computers of the financial institutions; instead these attacks seek to find Members that have the ability to initiate funds transfers from their accounts using their computers. The goal is to obtain the Member's access codes (user name and password) without the Member's knowledge, so they will continue to be active and the fraudster can perform financial transactions impersonating the Member. A common way this is done is to get the Member to click on a link in an email, website or pop-up that installs a malware program on the Member's computer. The malware will secretly record the Member's activity and use a "key-logger" to record the user names and passwords as they are entered when logging into a banking site. This information is either retrieved by the fraudster using a remote connection opened by the malware or sent to their computer for them to use remotely. They may also compromise the email accounts of the user to send transfer requests from the Member's email account. Other computer information is also stolen, such as security cookies or other information that allows the fraudster to log on to the Credit Union's system so that everything appears to come from the actual user.
In some cases, the fraudster may use "social engineering" as the way to get this information. To do this, the fraudster may place a call or send an email claiming to be from the Credit Union or another trusted source and request the information as part of a trouble-shooting effort. Many times it is done with an email, appearing to be from a financial institution, that claims the user must update their account information or confirm a password due to a problem or security alert.
Once the fraudster has the Member's banking credentials (login and password), they will log on to the banking site. QCU does not allow Wire Transfers or ACH transfers online. The transactions that may occur during this time move money through Account-to-Account ($2,500), People-to-People ($2,500), Bill Payment services or Remote Deposit Capture. These methods are the primary ones selected because they can move significant amounts of money and the funds are available for withdrawal immediately when received or on the next day. The money may go straight to the fraudster, but more often it will go to a person who has been recruited to receive and immediately forward the funds to the crooks. The "money mule" will typically not know they are part of a fraud, having responded to an employment or other advertisement on the web that promised they could keep a handling fee. This trick keeps the fraudster's identity and location out of the transaction. Once the money has been withdrawn, recovery is nearly impossible under the banking rules.
After the discovery of the fraudulent transactions, the business and the Credit Union will need to work together to try to recover funds. In most cases, there will be an amount that cannot be recovered and represents a loss to either the Member or the financial institution. There are currently no clear rules on who will suffer the loss in these situations. Many losses have been settled on a case-by-case basis, depending on which entity had its security responsibility breached by the compromise. In cases where a business fails to use any of the recommended security procedures offered by the Credit Union, or has lax internal security and controls, it has often been held to absorb all or a portion of the liability for the loss.
2. SOUND BUSINESS PRACTICES THAT CAN HELP PREVENT CATO LOSSES
We have outlined some ideas on areas or tools that can be used to thwart fraudsters that want to attack your business or staff. Even if every suggestion or recommendation is adopted by the business, the potential for a Member's account to be compromised will remain. The Credit Union is constantly working to add other security measures on our side to proactively detect suspicious activity, or to perform other security reviews and out-of-wallet confirmations prior to allowing the completion of a funds transfer. Here are some security measures we urge you to take to safeguard your business from fraud.
2a. EDUCATION AND INTERNET RISK AWARENESS
The battle begins with creating a work environment where the staff is aware of the threats posed by using the Internet and how it is a doorway into the computer network of the company. Sharing this document can help educate your employees about cybercrime and the other means fraudsters may use to steal access to the business' accounts.
It is everyone's job to help keep the computer systems secure from fraudsters. Even a laptop or home computer that has remote access to the network can allow hackers access if the user's PC is compromised and has sufficient network rights. Below are some tips that should be shared with the staff:
• Think! Before responding to any call or email, first ask yourself, "Does this email or phone call make sense?"
• Deny! Never provide your user ID and password to anybody.
• Distrust! Do not trust ANY email, Internet site, link or caller unless you know for sure it is legitimate.
• Conduct Training Sessions and Stay Current: Hold staff training about the risks and keep up with news articles or fraud awareness updates.
• Link Avoidance. Never click on a link in an email or Internet site unless you know for sure it is legitimate.
• Download Avoidance. Never approve anything to be loaded on your computer that was downloaded from an email or website unless you specifically went to a trusted site or made the request. (When in doubt, don't allow it!)
• Auto Log-Off Setting. Have your PC automatically time out and require a password or biometric login to reactivate. Don't leave your computer unattended in an unlocked mode.
• Keep passwords private. Don't share passwords or write them down. Pick passwords that are hard to crack but easy to remember. Change them on a frequent basis.
• Secure your computer and networks. Install and maintain firewalls, spam filters, and real-time anti-virus, spyware and malware protection software. Block access to sites that are unnecessary or represent a high fraud risk for malware (online gambling, social media, adult entertainment, hacker sites, etc.).
• Limit administrative rights. Don't let employees install software without prior approval.
• Block pop-ups. Surf the Internet carefully.
• Be on the alert for suspicious emails. Do not open email attachments or click on links.
• Note any changes in the performance of your computer: dramatic loss of speed, unexpected rebooting, computer lock-ups, unusual pop-ups, etc.
• Tokens: Consider using security tokens (soft or fob) to add another, out-of-band layer of authentication, which can be required for any funds transfer transaction.
• Never access Credit Union accounts from public Wi-Fi hotspots (airports, coffee shops, etc.).
• Monitor and reconcile accounts daily. Make sure employees know how and to whom to report suspicious activity at your company and at the Credit Union.
• Take advantage of security options offered by the Credit Union. Consult with your Credit Union to determine what security settings and options may help minimize your risk, and have them activated.
• Don't wait. Notify your manager or IT department immediately if you suspect anything is unusual or not right. If it is something that affects Quincy Credit Union, call 617-479-5558 so we may assist you with investigating the issue.
2b. COMPUTER SECURITY
Protecting computers and internal networks from unauthorized access is a challenge, and the security plan will differ at each business or Member due to their specific computing needs and structure. Layers of security systems and access rights generally will offer greater protection, but every business should develop and implement a security plan that is designed to prevent and mitigate the risk of CATO. Some of the common elements of a security plan would include many of the items listed below.
• Network Protection Tools. These items are used to block unauthorized traffic from entering the internal network, check for viruses/malware and report suspicious activity.
  o Firewall (blocks unauthorized traffic)
  o Anti-Virus Program (identifies potentially malicious programs and quarantines or automatically removes them from the system; set the scans to update and run daily)
  o Encryption (makes data on the network unreadable if stolen)
  o Anti-Spyware/Malware (related to the Anti-Virus detection suite)
  o Intrusion Detection System (looks for incoming attacks and immediately blocks or reports them)
• Isolated computer you do your banking on. Sometimes it may be possible to limit a PC to only conducting banking activity, not allowing it connections for general web browsing, email and social networking, to reduce the threat of being infected.
• Screensavers: These will lock unattended computers and require a password to unlock them.
• Network Rights: Services, directories, programs and access are controlled to limit a user to only being able to perform tasks or access data that they have a business need to use.
• CD Drive and Thumb-drive Deactivation: Disable drives to prevent any programs or files from being uploaded or downloaded between the network or PC and these removable data media.
• Website, Application & Pop-Up Blocking. The firewall or activity monitoring system can be set to block sites or applications that may represent a greater risk for malware or fraud.
• Secure Email. If confidential information is sent using email, there are systems that can encrypt the message so it can only be read by the intended recipient.
• Penetration Tests and Vulnerability Scans. In some cases, a business may have an external consultant test the security of their systems for possible vulnerabilities from the outside or from internal workstations.
• Laptop and Remote Access Security. Ensure that any PC or device that can access the internal network uses a secure connection. Companies may consider encrypting laptop data drives if confidential information is present.
• Patch Updates. Enable automatic updates for operating system patches and browsers.
2c. ACCOUNT SECURITY
A key element of the security procedures is the review of activity on your accounts to help detect any unusual, unauthorized or suspicious activity as soon as possible. Statistics show that Members discover fraud before the Credit Union in over 60% of cases. Here are some tips on how to help secure your accounts.
• Review Daily Activity. Check the account transactions that post on a daily basis to look for anything that is not authorized. If you use Quicken or QuickBooks, consider downloading transactions daily to keep your accounting records up-to-date and quickly identify anything unusual.
• Reconcile: Balance the accounts at least monthly and report any errors or unauthorized entries promptly.
• Limit Access: Only allow staff with a need to access the account or initiate transactions to have rights to it. (Review the staff list and access rights occasionally to make sure they are set properly.)
• Alerts. Enroll in alerts (text and/or email) to be sent to the appropriate staff for any activity that may represent a greater risk, such as debit cards, ACH originations, wire transfers, external transfers, maintenance changes or significant balance changes.
• Record Security. Shred old statements, checks or other confidential records with account numbers and access information. Consider e-Statements to minimize paper records and "dumpster diving".
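A concrete form of the daily review and reconciliation above, as an added example (Python; this is not Quincy Credit Union code and not part of any banking platform): it compares the day's posted transactions with the business's own record of what its staff initiated, flags anything unmatched, and also flags the money-mule pattern this guide describes (a first-time payee, a transfer at the A2A/P2P figure, activity outside business hours). The record layouts, the 8 a.m. to 6 p.m. business window and the sample transactions are constructed assumptions; the $2,500 figure is the one stated in this guide.

```python
"""Daily activity review against the business's own authorization log.

Added example, not Credit Union code. Assumes the business records every
transfer its staff initiates (channel, amount, payee). Anything the Credit
Union posts that has no matching internal record, or that fits a mule payout
pattern, is listed for same-day follow-up. Layouts and hours are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Channels this guide names as the ones used to move money out of the account.
EXTERNAL_CHANNELS = {"A2A", "P2P", "BILLPAY"}
# $2,500 for A2A and P2P is the figure stated in the guide; other channels unbounded here.
CHANNEL_LIMIT = {"A2A": 2500.00, "P2P": 2500.00}


@dataclass(frozen=True)
class Posted:
    ref: str          # Credit Union posting reference
    when: datetime    # posting timestamp
    channel: str      # A2A, P2P, BILLPAY, RDC, ...
    amount: float
    payee: str


@dataclass(frozen=True)
class Authorized:
    channel: str      # what the business's own initiation log records
    amount: float
    payee: str


def _key(channel, amount, payee):
    # Compare on what both sides know: channel, amount in cents, normalised payee.
    return (channel, round(amount * 100), payee.strip().lower())


def review_day(posted, authorized, known_payees, business_hours=(8, 18)):
    """Return [(ref, [reasons])] for every posted item that needs follow-up."""
    unmatched = Counter(_key(a.channel, a.amount, a.payee) for a in authorized)
    known = {p.strip().lower() for p in known_payees}
    start, end = business_hours
    findings = []
    for t in sorted(posted, key=lambda p: p.when):
        reasons = []
        k = _key(t.channel, t.amount, t.payee)
        if unmatched[k] > 0:
            unmatched[k] -= 1   # each internal record explains exactly one posting
        else:
            reasons.append("no matching internal authorization")
        if t.channel in EXTERNAL_CHANNELS and t.payee.strip().lower() not in known:
            reasons.append("first payment to this payee")
        limit = CHANNEL_LIMIT.get(t.channel)
        if limit is not None and t.amount >= limit:
            reasons.append(f"at {t.channel} limit (${limit:,.2f})")
        if t.when.weekday() >= 5 or not (start <= t.when.hour < end):
            reasons.append("outside business hours")
        if reasons:
            findings.append((t.ref, reasons))
    return findings


# Constructed sample day: one legitimate vendor payment, then three transfers
# to unknown individuals at the limit in the small hours (a classic mule payout).
SAMPLE_POSTED = [
    Posted("P-1001", datetime(2016, 12, 20, 10, 5), "BILLPAY", 1280.00, "Acme Office Supply"),
    Posted("P-1002", datetime(2016, 12, 20, 2, 14), "P2P", 2500.00, "J. Doe"),
    Posted("P-1003", datetime(2016, 12, 20, 2, 16), "P2P", 2500.00, "R. Roe"),
    Posted("P-1004", datetime(2016, 12, 20, 2, 19), "A2A", 2500.00, "M. Moe"),
]
SAMPLE_AUTHORIZED = [Authorized("BILLPAY", 1280.00, "Acme Office Supply")]
SAMPLE_KNOWN_PAYEES = {"Acme Office Supply", "City Utilities"}


if __name__ == "__main__":
    for ref, why in review_day(SAMPLE_POSTED, SAMPLE_AUTHORIZED, SAMPLE_KNOWN_PAYEES):
        print(ref, "->", "; ".join(why))
```

The match is done by (channel, amount, payee) rather than by the Credit Union's reference, because the business's own log is written before the posting reference exists; the Counter makes a second posting of an authorized-once payment show up as unmatched rather than silently pass.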
2d. USER SECURITY
User-level controls limit what a single compromised login can do and ensure that every action on the account can be traced to a named individual. Here are some tips on how to help secure your users.
• Limit Administrative Rights. Do not use the administrator user credentials for performing day-to-day processing.
• Never Share User IDs/Passwords. Issue separate IDs for every staff member and make sure the staff does not share or post the password where others can view or use it.
• Multi-factor Authentication Logins. Use a Credit Union that employs systems that use multiple ways to confirm the user's identity or authorization, such as Quincy Credit Union.
• Use Dual Control. For monetary transactions, require two different users to complete the transaction. One would create the transaction and a different user would be required to approve it before it can be processed.
• Enroll in Alerts. Sign up for transaction, debit card, maintenance and balance alerts to be sent whenever there is activity on the account or user.
• Keep Contact Information Current. This is important if the Credit Union needs to contact the user to confirm any suspicious transaction. The cell phone number is especially important.
• Require good passwords and changes. This is a basic security recommendation for any user.
• Limit Account Access and Review Rights. Only give rights that the user needs to perform their duties.
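The dual-control, separate-ID and no-administrator-login rules above, carried through as an added example (Python; this is not the Credit Union's code or its online-banking logic). It assumes the business runs its own approval queue in front of the banking site: a payment is created by one named user, must be approved by a different named user holding the approver role, is refused outright if the administrator credential is used for either step, and is released only once approved. The role names, user IDs and the per-approver amount limit are illustrative assumptions.

```python
"""Dual control for outgoing payments.

Added example, not Credit Union code. Assumes an internal approval queue in
front of the banking site. Role names, user IDs and the approver limit are
illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ADMIN_IDS = {"admin"}   # administrator credential is never used for day-to-day processing


class DualControlError(Exception):
    """Raised when an action would violate the dual-control rules."""


@dataclass
class Payment:
    pid: str
    amount: float
    payee: str
    created_by: str
    approved_by: Optional[str] = None
    state: str = "pending"          # pending -> approved -> released


class PaymentQueue:
    def __init__(self, roles: Dict[str, Set[str]], approver_limit: float):
        self.roles = roles                      # user id -> roles, e.g. {"alice": {"initiator"}}
        self.approver_limit = approver_limit    # largest amount a single approver may release
        self.payments: Dict[str, Payment] = {}

    def _require(self, user: str, role: str) -> None:
        # Every action is tied to an individual login; the admin credential is refused.
        if user in ADMIN_IDS:
            raise DualControlError(f"{user}: administrator credential may not be used for payments")
        if role not in self.roles.get(user, set()):
            raise DualControlError(f"{user}: missing '{role}' role")

    def create(self, pid: str, amount: float, payee: str, user: str) -> Payment:
        self._require(user, "initiator")
        if amount <= 0:
            raise DualControlError(f"{pid}: amount must be positive")
        if pid in self.payments:
            raise DualControlError(f"{pid}: duplicate payment id")
        self.payments[pid] = Payment(pid, amount, payee, created_by=user)
        return self.payments[pid]

    def approve(self, pid: str, user: str) -> Payment:
        self._require(user, "approver")
        p = self.payments.get(pid)
        if p is None:
            raise DualControlError(f"{pid}: unknown payment")
        if p.state != "pending":
            raise DualControlError(f"{pid}: already {p.state}")
        if user == p.created_by:
            # The separation that makes dual control work: one stolen login
            # (or one coerced employee) cannot both create and approve.
            raise DualControlError(f"{pid}: creator '{user}' may not approve own payment")
        if p.amount > self.approver_limit:
            raise DualControlError(f"{pid}: ${p.amount:,.2f} exceeds approver limit")
        p.approved_by, p.state = user, "approved"
        return p

    def release(self) -> List[str]:
        """Hand approved payments to the banking site; returns the released ids."""
        released = []
        for p in self.payments.values():
            if p.state == "approved":
                p.state = "released"
                released.append(p.pid)
        return released


if __name__ == "__main__":
    q = PaymentQueue({"alice": {"initiator"}, "bob": {"approver"}}, approver_limit=2500.00)
    q.create("PAY-1", 1200.00, "Acme Office Supply", "alice")
    q.approve("PAY-1", "bob")
    print("released:", q.release())
```

A user holding both the initiator and approver roles can still not approve a payment they created themselves; that check is on the individual, not the role, which is what keeps a single captured login from completing a transfer on its own.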
2e. DETECTION AND RESPONSE
Time is money! Nowhere is this truer than with a CATO attack, because the sooner the fraud is detected and reported, the greater the chance to stop further losses and potentially recover funds that may have been taken. The steps listed in the prior sections will enhance the security procedures that should help stop or detect suspicious or unauthorized activity quickly.
If you suspect or identify that an unauthorized transaction has been attempted or completed, NOTIFY US IMMEDIATELY! We prefer a telephone call to (617) 479-5558; a Call Center Representative will gather information, block user access and get the investigation started. If you feel your PC has been compromised, disconnect it from the Internet (unplug the network cable or turn off Wi-Fi) or turn it off immediately to block further access by the fraudster; disconnecting is preferable when possible, since it preserves evidence on the machine for the investigation. We will work with your staff to monitor your accounts and determine the source of the security breach.
If necessary, QCU may recommend that you contact your local police department.
3. EXPLANATION OF POTENTIAL LIABILITY
Businesses are expected to employ reasonable security procedures when conducting financial transactions. CATO frauds typically target security lapses at the business, access device (PC, email, mobile phone) or user level. In most cases, the Credit Union is not in a position to control or dictate what security policies or procedures are actually used by the business or Member when conducting their banking electronically. As mentioned before, if a loss occurs, the business/Member may be held liable for the portion of the loss that can be attributed to their failure to use reasonable care and the security procedures recommended by the Credit Union. The amount of loss can be sizable and therefore requires that the business take appropriate measures to incorporate the security procedures that are recommended and available, as long as they do not result in unreasonable demands on the business or user.
If a CATO loss does occur, the Credit Union will work with our Members to seek the most appropriate resolution to the situation. If the Credit Union fails to perform its fiduciary duties in accordance with industry standards, we generally will assume all or some of the liability. We will follow all applicable laws and regulations when dealing with a CATO incident.
4. OTHER RESOURCES
Below are some resources that may provide other helpful information for your business or staff related to fraud and security.
Quincy Credit Union's Security Page. Access on our website at:
Phishing: Don't take the bait!
Identity Theft: Protect Yourself!
Internet Fraud: If it sounds too good to be true, it probably is
Social Media: Be Careful Who You Trust
Play it Safe with Portable Devices
Quincy Credit Union’s Security Page within Homebanking Platform:
Kevin Mitnick “Home Internet Security Course”
Federal Trade Commission: Federal Government ID Theft Response Guide.
Federal Trade Commission (FTC) Business Guide for Protecting Data. (use link below)
Secret Service Electronic Crimes Task Force:
Tools and resources:
Quincy Credit Union rates the level of risk as moderate for those business members who utilize Bill Payment, Home Banking, Pop Money, A2A, Wires and/or Deposzip.
Reviewed Dec 16, 2015; Reviewed Dec 21, 2016