In recent years, the financial services industry has seen a dramatic increase in account takeover schemes. In 2015, total losses due to account takeover more than doubled while total losses related to business e-mail compromise alone increased nearly threefold. Between October 2013 and August 2015, total related losses exceeded $1.2 billion. Additionally, account takeover fraud results in reputational damage, loss of client confidence, and significant financial liability.

Account takeover occurs when an attacker either obtains an individual’s personal information (e.g. username, password, account number, social security number) or impersonates a customer, gaining access to the customer’s bank accounts or payment systems to make unauthorized transactions.

The most rapidly growing form of account takeover is business e-mail compromise, which involves taking over an e-mail account or spoofing an e-mail address in order to initiate theft via unauthorized ACH or wire transfers. Business e-mail compromise scams usually target a company’s senior executives, senior employees who are authorized to transfer payments, or customers.

Basically, in the cyber world, criminals are communicating with you posing as your customers. Worse, they are communicating with your customers posing as YOU. For example, the hacked e-mail account of a CFO could be used by an attacker to request a wire transfer. Attackers often research their target’s schedule, waiting until the target is traveling or otherwise unavailable for immediate verification. Someone from the finance or operations team recognizes the CFO’s e-mail address and carries out the wire instructions, unaware the e-mail did not legitimately come from the CFO. The funds are then received by an account under the control of the attacker.

For real estate transactions, the above scenario usually plays out as follows: the attacker hacks the real estate agent’s unprotected personal e-mail account, begins monitoring the closing process, waits for wire instructions to be sent by the escrow/title company, registers a domain name slightly different from the escrow/title company’s (e.g. www.octitles.com instead of www.octitle.com) and then resends different wire instructions to the buyer, directing the funds to an account again under the control of the attacker. The buyer wires their funds to this bad account. The escrow/title company follows up with the buyer on when they will be sending in their funds to close. The buyer says they already did, and by the time all parties realize the fraud, the money is long gone, usually wired somewhere overseas.

Other types of successful account takeover schemes include phishing e-mails, “man-in-the-middle” and “man-in-the-browser” attacks.

Phishing e-mails trick the recipient into thinking the message is a legitimate e-mail coming from their bank, the IRS, an e-fax vendor, etc. The recipient clicks on the link and gives up sensitive information, such as their bank account data, or the link installs a virus (malware) on the recipient’s computer which allows the attacker to eavesdrop on the computer’s use and collect personal information. Common examples of the e-mail subject lines include “there was an error processing your wire,” “you’ve received an e-fax,” or “your pay statement is available.”

“Man-in-the-middle” attacks occur when an attacker intercepts information, usually via an unsecured WiFi connection, allowing the attacker to install a virus (malware) and alter information sent over the WiFi connection. This allows the attacker to impersonate one party and then reroute funds by altering account numbers or wire instructions.

“Man-in-the-browser” attacks occur where the attacker exploits vulnerabilities in the web browser to manipulate websites, allowing the attacker to obtain and alter sensitive data fields at the website. The most common targets are account login information, bank account numbers and credit card numbers.

Vigilance and a healthy dose of skepticism are the best weapons in the battle against cyber fraud; practical measures include the following:
Wire and other disbursement instructions received by e-mail should be confirmed by telephone at a known or independently confirmed number, NOT the telephone number at the bottom of the e-mail you are trying to confirm.
Consider providing YOUR wire instructions via hard copy only, with a notation such as: “With cyber-crimes on the increase, it is important to be ever-vigilant. If you receive an e-mail or any other communication that appears to be generated from our office, containing new, revised or altered bank wire instructions, consider it suspect and call our office at a number you trust. Our bank wire instructions seldom change.”
Be especially skeptical of any change in wiring instructions. Who really changes their wire instructions that frequently?
Confirm the account to which you are wiring is in the name of the party entitled to the funds.
Be suspicious of e-mails from free, public e-mail account domains as they are often a source of risk.
Be leery of a new deal coming to your office out of nowhere.
Example: “I have a sales contract and a deposit for property I am purchasing, and I was referred to your office. Will your office act as title and settlement for my transaction?” This conversation is typically followed by a subsequent request to wire out funds originally deposited by check.
Watch out for phishing e-mails with embedded links, even when they appear to come from a trusted source.
Do not open e-mails and links purporting to be from somebody, unless you are expecting something from them and the “From” section of the e-mail contains a valid e-mail address.
Carefully review the sender information and determine whether you recognize the sender and are expecting anything from him/her. If not, don’t open any links.
Carefully review e-mail headers, the domain name in the “From” field of the e-mail, and the “Reply-To” field of the e-mail. For more suspicious e-mails, employers should review e-mail headers using header analyzer software.
Scrutinize links contained within e-mails by hovering over the link with the cursor to expose the associated web address. If a suspicious address is revealed, further authentication must be conducted.
Spot behavioral anomalies in payment requests received via e-mail. These anomalies include requests received at odd hours, payments requested to an unusual person, international wires or unusual payment amounts.
Train employees on the points described above.
Adopt multi-factor authentication and/or out-of-bank authentication to verify customer identity.
Use enhanced fraud monitoring systems.
Develop a cybersecurity program within your companies, including adding a Chief Information Security Officer. Industry associations and Departments of Insurance are issuing mandatory cybersecurity requirements for financial services companies.
Share prevention and recent attack information within the industry.
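The header checks above (lookalike sender domain, as in the www.octitles.com versus www.octitle.com example, a “Reply-To” that differs from “From”, free public mail domains, changed-wire-instruction subjects and odd-hour timing) can be run mechanically before a wire request reaches a human. The following is an added example, not code from the original article: it treats octitle.com as the only trusted escrow domain and uses a constructed sample message modelled on the closing scenario described earlier; the free-mail list, the 0.85 similarity threshold and the 07:00–18:59 business-hours window are illustrative assumptions.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr, parsedate_to_datetime

# octitle.com is the legitimate escrow domain named in the article; octitles.com is
# the attacker's lookalike. Free-mail list and business hours are illustrative choices.
TRUSTED_DOMAINS = {"octitle.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 in the sender's own timezone

# Constructed sample message modelled on the escrow scenario in the article.
SAMPLE_MESSAGE = b"""\
From: Closing Desk <closing@octitles.com>
Reply-To: closing.desk@gmail.com
Subject: REVISED wire instructions for your closing
Date: Sat, 14 Mar 2020 02:13:00 -0700

Please use the updated account below for your closing funds.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that this (untrusted) domain closely resembles, else None."""
    if not domain or domain in trusted:
        return None
    return next((t for t in trusted if SequenceMatcher(None, domain, t).ratio() >= 0.85), None)

def header_warnings(raw):
    """(code, detail) pairs for the header red flags the article tells readers to check."""
    msg = email.message_from_bytes(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if hit := lookalike_of(from_dom):
        flags.append(("lookalike_from", f"{from_dom} resembles trusted {hit}"))
    if reply_dom and reply_dom != from_dom:
        flags.append(("reply_to_mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    if from_dom in FREE_MAIL_DOMAINS or reply_dom in FREE_MAIL_DOMAINS:
        flags.append(("free_mail_domain", "sender or Reply-To is a public mail provider"))
    subject = (msg["Subject"] or "").lower()
    if "wire" in subject and any(w in subject for w in ("revised", "updated", "new", "changed")):
        flags.append(("changed_wire_subject", "announces changed wire instructions"))
    if msg["Date"]:
        hour = parsedate_to_datetime(msg["Date"]).hour
        if hour not in BUSINESS_HOURS:
            flags.append(("odd_hour", f"sent at {hour:02d}:00 sender local time"))
    return flags
```

Any non-empty result is a reason to route the request to the telephone confirmation step described above rather than to act on the e-mail.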