Skip to main content




Many financial institutions and business customers have experienced the type of electronic banking theft known as Corporate Account Takeover (CATO). With this type of compromise, thieves attack the customer’s computer system and use this access to fraudulently change the automated Clearinghouse (ACH) origination file.
A common way for the hacker to gain access to the business customer’s computer or network is through malware delivered in an email, malicious download, or illegitimate website. Once the cyber thief gains access to the computer, they monitor activity for the input of sensitive data such as internet banking credentials. They then change routing/account numbers on the ACH origination file to account numbers they control. During this type of theft the hacker will often only modify some of the routing/account numbers to help increase the chance of the fraudulent credits slipping past the customer and the financial institution. The hacker typically does not change batch total amounts or the names of the people being credited. They understand that these entries are reviewed by both the origination customer and the financial institution so changes would likely be detected. CATO attacks have been common at institutions of all sizes and in every state for amounts ranging from $15,000 to $750,000 and up.

According to the appendix in FIL 50-2011, FFIEC Supplement to Authentication in an Internet Banking Environment, whitelisting is one of the controls mentioned that can greatly reduce CATO and ACH fraud. The main purpose of whitelisting is to provide a layer of detective security to help customers and financial institutions identify and prevent CATO. This is an especially effective tool if customers and institutions are originating payroll files.

There are many automated tools in the marketplace that automate the ACH whitelisting process. The problem with most of these tools is the large check that must be written by the institution each year to use them. SBS would like to introduce the Verify software tool to help alleviate this problem. Verify is an affordable solution that uses whitelisting to authenticate known payee information against information submitted in the ACH batch file. Verify compares every routing number, account number, and amount paid in each batch against the historical pay records of that respective company. Any discrepancies in the payment amount or account information are reported to the user.

Here is how whitelisting with Verify works:

  1. The institution receives outgoing ACH files from customers who have origination accounts. These may be received through secure email, personal delivery, internet banking, or other methods.
  2. The file is uploaded into the Verify software.
  3. Verify then sorts each file by customer and compares the ACH credits with historical credits from those customers. Verify compares every outgoing credit transaction (ACH Transaction Code 22, 23, 32 & 33) against a list of approved endpoints (new routing/account numbers) for each individual customer.
  4. If the routing/account number exists in the database, the amount is compared to the historical norms for that customer.
  5. If the amount differs by a set amount or percentage (the bank can configure this according to risk appetite), a report is created in Verify for the institution’s review.
  6. If the routing/account number is not in the database there is a possibility that the file could be fraudulent. Any new endpoints are reported to the operator for review and research. This allows the bank to conduct a call back to the customer.

Whitelisting can be an important layer of security in an institution’s program to help prevent, detect, and respond to CATO. Each institution should follow a risk-based approach that addresses the 19 Best Practices to Prevent CATO as outlined by the Texas Bankers Electronic Crime Task Force and implement the methods that help mitigate individual risks for businesses, customers, and financial institutions.

Learn more about Verify™.

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, June 17, 2015
Categories: Blog