The rise in popularity and the pervasive nature of online banking over the last decade have been meteoric. The power of convenience has largely trumped customer fears about security, but there are signs that the tide may be turning. Perhaps exacerbated by the global recession and shocks to the financial markets, cybercriminals have been targeting business bank accounts at increasing frequencies over the last year, catapulting the conversation about online banking security into corporate realms. With cybercriminals readjusting their focus from individual to much more lucrative business accounts, this disturbing trend is now getting the attention of authorities such as the FBI, FDIC, and Department of Homeland Security, and has been described by many as a leading cybercriminal trend for 2010.
Particularly because employers are increasingly liable for these incidents, with Regulation E of the Federal Electronic Funds Transfer Act not protecting business accounts as it does for individuals, businesses must reexamine their online business banking practices to proactively protect themselves from such attacks and the associated potential monetary losses. Banks, too, must amplify their security practices to combat the tactics cybercriminals are now using to perpetrate this type of fraud.
Business Banking Attacks on the Rise
Consider that in a single month this past August, no less than the FDIC, NACHA (the Electronic Payments Association), the Financial Services Information Sharing and Analysis Center (FS-ISAC) and IT advisory firm Gartner Inc. all published alerts about rising Internet threats to business banking.
The following month, the Senate Committee on Homeland Security and Governmental Affairs held a special hearing to discuss cybercriminals targeting small- and medium- sized businesses. New protective cybersecurity legislation has been introduced, co-sponsored by Committee Chairman Joe Lieberman (ID-Connecticut) and Ranking Member Susan Collins (R-Maine). Reports of victimized businesses continue to inundate the media into 2010, with several companies even suing their banks.
The losses are substantial. The Washington Post reported that recent victims include a school district near Pittsburgh that lost $700,000 and an electronics testing firm in Baton Rouge that lost $100,000. One of Guardian Analytics' customers recently intercepted an attempted ACH transfer of $800,000 for a business banking customer in a scheme involving more than 80 smaller transactions arranged to be sent to unwitting mules. For many small- to medium-sized businesses, these types of losses are catastrophic and can potentially mark the beginning of the end if banks refuse to reimburse them.
Cyberfraud Schemes Becoming Highly Sophisticated
Cybercriminal activity is constantly evolving to capitalize on new profit streams. In the case of business banking, by stealing in amounts under $10,000 from business accounts, online fraudsters have managed to avoid triggering traditional fraud alerts. The malware used to initially gain access to accounts is often so well written that the connection comes from an authorized and authenticated computer—a legitimate computer and session that has been hijacked—circumventing even token-based authentication. The money is then transferred to "money mules," often recruited over Internet job boards, who unwittingly help fraudsters all the while they work for a legitimate company.
The use of electronic funds transfers—such as the increasing volume of automated clearing house (ACH) transactions for corporate payments—is making this channel a particularly attractive target for fraud. Historically low-risk, the ACH network has recently expanded to include more participants and new types of non-recurring payments such as web-initiated ACH files. Over the past year, the FDIC has reported an increase in the number of reports and the amount of losses resulting from unauthorized transfers from business customers whose online business banking software credentials were compromised. A J.P. Morgan study found that 71 percent of financial institutions experienced attempted or actual payments fraud in 2008. This number jumps to 80 percent for firms with revenues more than $1B.
Corporate account takeovers employing ACH fraud are becoming more prevalent. Criminals are targeting corporate cash management accounts and moving money out via seemingly innocent consumer accounts. The crook starts by stealing user IDs and passwords of cash management account owners, and by signing up random consumers via phishing attacks. The offer asks them to accept money into their accounts and then transfer it to the criminal's offshore account while retaining a five percent commission. Clever social-engineering techniques in their phishing e-mails get consumers to sign up. After the groundwork has been laid, the crook simply goes into the corporate cash management account and transfers funds, using ACH fund transfer facilities, out of the corporate account to the phished consumer accounts. The victimized commercial banks generally fail to recover the stolen funds.
Taking Action: Preventing Business Banking Fraud
Given the rise in recent rise in these targeted attacks against businesses, security officers should be anxious but educated, taking steps to prevent the potential significant losses. Here are some practical tips to protect your company from online business banking fraud:
- Choose a bank with proactive fraud prevention technologies. Ask your bank if they have a fraud monitoring system in place to proactively detect suspicious online account activity, how they respond to alerts and how quickly. Despite increased regulation, many financial institutions still have not implemented the latest technologies beyond user authentication that are necessary to fight today's sophisticated threats. Your bank's online account platform is only as secure as the technology behind it.
- Educate your financial managers on the risks and threats. Forward the latest advisories from your bank or regulators, such as the FDIC, to whoever manages your online business accounts, perhaps even to the entire finance department as well as heavy online users such as the CEO. Distribute the latest cyber attack reports to the entire IT group so more stakeholders can become educated about cybercrime and its methods.
- Isolate your Internet banking activities. Dedicate specific machines or facilities to hosting your Internet banking activities, and harden their defenses to external attack. Don't transact financial business on machines hosting non-transactional systems or applications, such as Web browsing, since this continual exposure to the public Internet creates another potential weak link in your layered security effort.
- Understand your bank's fraud loss policy and procedures. If your business becomes the victim of online banking fraud, you have fewer rights than you do as an individual consumer. Ask your bank what their policies are on protecting business accounts, investigating possible fraud incidents, assigning fault in a claim and making your accounts whole. Better to understand your risk exposure and have a plan of attack before entering any dispute with your bank.
- Monitor for irregularities and missing funds. It is imperative for any business to always be on the lookout for abnormalities. Many banks offer transaction alerts so customers can be automatically and instantly notified of important account activity. One is called a "debit block", used to stop any transactions from going through except those that are preauthorized. Ask your bank about such services, and sign up for them.
- Re-examine your anti-malware software and firewalls. Keeping your network's anti-malware and firewalls updated, particularly in the Finance Department, is Job No. 1 for security pros. Falling behind on updates and patches could jeopardize your business's entire financial health. In the event of a breach, your bank will automatically assume that your machines have been compromised. Be ready to prove them wrong.
Banks should be taking the recent attacks seriously. If you work at a financial institution, here are some recommendations for what you should be doing to protect both yourself and your customers:
- Assume that customer machines have been compromised and react accordingly. Forward-looking banks already do this by implementing sophisticated back-end fraud prevention solutions that go beyond multi-factor authentication and look for anomalies in individual customer behavior to reveal account compromises. Fraud attempts will happen, so you have to think proactively.
- Strengthen your online fraud defenses. Would your current fraud system recognize online fraud like the ones detailed above? If not, it's time to strengthen your security defenses. Security should be commensurate to the risks, which is the essence of the FFIEC authentication guidance of 2005.
- Educate management and employees on the threat. Distribute the latest fraud attack reports cross-functionally beyond the fraud team, so more stakeholders can become educated about questionable transactions as well as understand the risks to the institution should a business customer fall victim.
- Be proactive. Don't let your institution get unexpectedly tangled in lawsuits. Meet with legal counsel to discuss procedures following a business banking fraud discovery. Know your rights should a customer ever decide to sue. At best, avoid losing lucrative customers by assuring them that you have the most effective fraud prevention solutions in place.
- Educate customers on the threat. Initiate programs to educate financial managers within small business customer organizations—forwarding the latest fraud advisories and stressing distribution to heavy online users such as the CEO, CFO and accounting. Aim to increase general customer awareness of optional security features of your online banking platform such as dual control of transfers, and advocate use of the latest anti-malware software and security firewalls.
Craig Priess is founder and VP of Products and Business Development at Guardian Analytics.