Protecting Corporate Accounts from Cyber Thieves

The Internet presents a world of opportunity — and computers are the doorway to that world, providing entryway for the bad, as well as the good, among us. Today, a network of cunning, organized criminals are engaging in cyber crime, netting millions from unsuspecting consumers and corporations alike. The threats are global in nature, very sophisticated and often difficult to prosecute. Often, these cyber criminals are in countries where the levels of security are not as stringent as they are in the United States or Europe , but their operations are as organized as any modern global business. In essence, a criminal "supply chain" has developed with participants providing stolen information, development of crimeware, marketplaces for software and stolen data, and direct attackers.

How They Work

With increasing frequency, perpetrators of cyber crimes are targeting corporate accounts, making the customers of Originating Depository Financial Institutions (ODFIs) vulnerable to attack. Cyber criminals dupe targets into providing sensitive information and security credentials in a variety of ways.

For instance, e-mails can be made to look as if they are from known entities, such as banks and e-commerce sites, and recipients of these e-mails unwittingly download malware on to their systems. Malware can also be downloaded when users visit legitimate websites, especially social networking sites, and click on documents, videos or photos posted there. Another problem: computer malware can go undetected for an extended period of time, passively monitoring financial websites for months before initiating any unauthorized transactions.

Malware that is unknowingly downloaded onto corporate systems allows cyber thieves to act like legitimate users, originating wire transfers and ACH batches. Perpetrators can create ACH files with CCD debits to a corporate victim's compromised account and send Pre-Arranged Payment or Deposit ( PPD ) credits to new accounts opened at one or more Receiving Depository Financial Institution (RDFI). According to NACHA, entire balances are typically withdrawn shortly after receiving the money, and 90 percent or more of these funds go overseas via wire transfer or other popular money transfer services.¹ The problem is serious enough that law enforcement agencies, such as the U.S. Federal Bureau of Investigation, and such agencies as the Federal Deposit Insurance Corporation have recently issued several alerts to businesses and the general public.

How Can Corporations Protect Themselves?

Corporations can learn from financial institutions, which do a great deal to keep their platforms secure through the use of technology solutions. There are two levels of precautions. The most basic include²:

• Using multiple factors to prove identity. The use of PINs or passwords, combined with physical tokens or password-generated tokens, can be very effective in help to mitigate the risk of an attack.
• Limiting administrative rights on users' workstations. This can help prevent the inadvertent downloading of malware or other viruses.
• Staying up to date with software patches. Using the most current firewalls, virus protection and spyware removal software will help control network intrusions.
• Knowing your firm's policies, practices and incident processes regarding potential fraudulent activity. Update these policies regularly and make sure all necessary staff are aware.
• Knowing how to use your company's resources for forensic and incident response, investigation and disaster and document recovery so that you can respond quickly and effectively to any threat of fraud.
• To help safeguard online activity, installing spam blocking filters, using privacy locks to restrict access to sensitive data, and frequently updating browser and security software information.

The second, more stringent level of precautions includes:

• Always being aware of the potential of internal threats. Conduct thorough background checks on new employees and periodically review existing employees.
• Using dual controls — where one individual initiates a payment file creation while another approves it for release — to help control fraud.
• Segregating accounts for better control. For example, collection vs. disbursement activity should be separated, as should ACH debits vs. credits.
• Using encrypted mail for confidential, nonpublic information.
• Reconciling bank accounts daily. Many corporations do not follow this practice, allowing the two-day return time to pass before an unauthorized debit is noticed.³

What Should You Expect From Your Bank?

Financial institutions should work with their clients to protect their corporate accounts. If your bank can not provide the latest in online fraud protection, your organization will be at high risk. Among the critical components you should look for in a banking partner are:

• Encryption techniques.
• Multi-factor-based individual and machine authentication models.
• Enforcement of the dual-authority model and/or "step up authentications" for transactions.
• Comprehensive fraud monitoring and detection systems.
• Customer education and support programs.

Protecting J.P. Morgan Clients

J.P. Morgan Treasury Services uses a variety of advanced methods and technologies to keep client confidential information secure and out of the hands of criminals.

Our J.P. Morgan ACCESS^SM portal, for example, is a highly advanced gateway with patented technology that uses physical tokens for the highest level of security on transactions. Through this proprietary technology, which uses a mix of system and human level authentication processes, clients verify that they are the user of the system, and verify the transaction they are working on, in one secure step. In addition to offering powerful security and ease of use, the technology is extremely portable.

Required: Constant Vigilance

Fraudsters are a moving target. They are resourceful, creative and constantly inventing new ways to exploit, deceive and steal — and should never be underestimated. Effective protection against cyber crime requires a combination of internal controls, consistent policies across an organization and a financial partner that has made reducing payments fraud a top priority. With constant vigilance and a banking partner that continuously invests in technology and processes, you will be able to keep your company ahead of the curve.

To learn more about J.P. Morgan ACCESS, contact your treasury management representative or visit jpmorgan.com/ts.

¹ NACHA Risk Management Alert, "ACH Network Risk Management," 2009.

² NACHA Risk Management Alert, "ACH Network Risk Management," 2009.

³ "Payments Fraud. How it happens. And what you can do to protect your organization." J.P. Morgan Treasury Services, 2009.