What every business should know about corporate account takeover
If you’ve never formally heard of account takeover, you’re still likely familiar with the concept. It’s a type of cybercrime where a malicious party accesses and then takes control of a victim’s online account, such as an email address, bank account, or social media profile.
Account takeover is on the rise and can have costly consequences – particularly in the business arena, which typically has more sizeable financial accounts at stake.
In this article, we’ll discuss the impacts corporate account takeover can have on your business and provide actionable strategies to help you avoid becoming a victim.
What is Corporate account takeover (CAT)?
Corporate account takeover is a form of business identity theft and a common tactic in financial fraud. It’s also one of the top fraud trends you should watch out for.
Here’s how it works.
The fraudster either steals account credentials or manipulates an employee into divulging their log-in IDs or passwords. The criminal then uses the credentials to install malware or take direct control of the company’s bank account — essentially allowing them free rein to transfer funds, make unauthorized transactions, create fake invoices and payments to themselves, or manipulate financial data for their own benefit.
Why would an employee share their credentials?
Because fraudsters are skilled in the art of deception. They’ll contact an employee, usually by phone, and convincingly pose as a reputable business associate, such as a KeyBank representative. They’ll create a sense of panic by fabricating an urgent situation — typically about fraudulent activity on the business’s accounts. Then they’ll ask the employee to provide sensitive information, such as log-in credentials, so they can immediately "correct" the issue before there are dire financial consequences.
The second the employee provides this information, your business becomes a victim.
Fraudsters are using increasingly deceptive tactics — such as phone number spoofing, where the phone number they are calling from falsely shows up in caller ID as KeyBank or another reputable entity.
Details like this make their efforts appear more legitimate. And when combined with a sense of urgency and pressure to make split-second decisions — unfortunately, they often work.
How can I protect my business from CAT?
As with most types of business fraud, preventing CAT is a shared effort among all employees. Here are some measures your business can take to help avoid becoming a victim:
- Build awareness and educate employees about CAT and associated tactics such as phone number spoofing.
- Never share sensitive information, including log-in IDs, passwords, or one-time passcodes.
- Be cautious of all unexpected phone calls requesting information — and watch for these red flags:
- Urgent situation and pressure to act quickly
- Requests for sensitive information
- Claims of suspected fraud or that you need to authenticate or unlock your account
- Hang up on a suspicious caller and verify the situation immediately by calling a known phone number or contact at the business or financial institution.
- Report to us immediately any suspicious calls about your KeyBank accounts.
- Invest in continuous education to stay on top of emerging fraud tactics and trends.
REMEMBER: Always pay attention to who reached out first.
When you initiate an interaction with KeyBank, we may ask for information such as the last four digits of your Social Security number, login ID, or a one-time passcode to verify your identity.
However, KeyBank will never contact you unexpectedly by phone, text, or email and ask for your full Social Security number, login ID, or other personal information if you did not initiate the communication.
Verify these requests by contacting a known KeyBank resource such as your local branch, 1-800-KEY2YOU®, or our Fraud Hotline (1-800-433-0124) before providing any sensitive information.
At Key, we seek to help your business avoid fraud altogether.
To help prevent corporate account takeover within your business, stay vigilant and follow the guidelines above. And remember to trust your instincts — it’s always best to err on the side of caution and verify questionable phone calls and requests.
If you suspect your business has been a victim of CAT or other fraud, contact your banker or Payments Advisor, or call our Fraud Hotline at 1-800-433-0124.
We’re committed to arming you with the latest information on cybercrime and payments fraud. Visit key.com/cybersecurity to learn more. For information about KeyBank’s Core Fraud Solutions, connect with your Payments Advisor or Relationship Manager.
All rights reserved. KeyBank Member FDIC. The KeyVAM platform is not FDIC insured or guaranteed. All merchant services, credit, and leasing products are subject to credit approval, terms of service, and any applicable collateral requirement(s).