In May 2010, Golden State Bridge, an engineering and construction company based in Martinez, Calif., was robbed of more than $125,000 when cybercriminals hacked into its bank account.
The hackers made two automated clearinghouse batch transactions with the office manager’s username and password, routing stolen money to eight other banks across the country.
Ann Talbot, Golden State’s chief financial officer, learned later that the office manager had violated policy by visiting a social networking site, which the company said it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect.
Computer security specialists say these crimes, called “corporate account takeovers,” have become increasingly common and small businesses are especially easy prey because many lack firewalls and monitoring systems. Gartner, an information technology research company, says regulators have not compiled statistics on the extent of the fraud, but the company estimates that more than 10 percent of small businesses have had funds stolen from their bank accounts – losses totaling more than $2 billion.
“People think, ‘It’ll never happen to me,’ but these are incredibly sophisticated criminals, and we’re not IT experts,” Talbot said. “When you work for a big company, you have a full IT staff and you’re locked down like Fort Knox. When you work for a small to midsize company, you’re not locked down at all.”
Even worse, owners often assume incorrectly that the protection they have on personal bank accounts applies to their business accounts. Many are shocked to learn that most banks do not take responsibility for unauthorized debits from business accounts. Unless the owners have fraud insurance, they must shoulder the losses alone. One reason this is not more widely understood is that owners who have been victimized are often reluctant to speak about it, out of embarrassment or fear that the publicity could further distract their struggling businesses.
Although many financial institutions have taken measures to thwart hackers, they emphasize that other businesses must also defend themselves. Here are tips from security specialists and from owners who have learned these lessons the hard way.
Best Practices: Authorities recommend keeping firewalls up to date and limiting the number of employees with access to accounts. Sari Stern Greene, president of Sage Data Security in South Portland, Maine, advises being diligent about applying security patches to operating systems like Windows.
Owners should also educate their employees and enforce strict rules for office computers. Social media should be forbidden, and workers should avoid unusual links and emails. In some cases, companies receive email that resembles official communication from agencies like the Internal Revenue Service. When a business owner or chief financial officer clicks on an email saying, for example, that the company is being audited, a virus infects the computer. Some viruses capture keystrokes, enabling criminals to view usernames and passwords as they are typed, while others allow criminals to manipulate computers from afar. Some obtain identifying information from shadow Web addresses that mimic a bank’s website, persuading users to log on.
Banking Precautions: Business owners who have been hacked often feel most betrayed by the banks they thought were protecting their money. But banks have no legal obligation to reimburse businesses for attacks – federal regulations do not cover commercial accounts. Regulatory bodies such as the Federal Deposit Insurance Corp. and the Federal Financial Institutions Examination Council offer guidance on fraud controls for financial institutions, and owners should make sure their banks are up to speed.
Owners may want to place accounts with larger banks – such as Chase, Bank of America and Wells Fargo – that have more mature pattern-recognition and monitoring capabilities. Banks should have automated systems to detect anomalous activity in accounts, but because these systems are expensive, many banks still rely on laborious manual processes. And if banks use third-party processors to handle transactions, as almost all but the largest do, business owners should confirm that the processors’ practices are equally secure.
Owners should require multiple people to approve every transaction and should insist their bank use multiple forms of verification to confirm an owner’s identity before making a transfer. This necessitates approval through multiple channels, such as email, text and verbal assurance by phone. Some banks require businesses to use a token, or secure ID card, that generates new passwords valid only for a very short time.
Businesses should also place limits on the amounts of all automated clearinghouse transactions. If a normal payroll transaction is capped at $65,000, a hacker will not be able to increase the amount when trying to take cash.
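As an added illustration of the two controls just described (dual approval and a per-transaction cap), plus a simple check for the kind of fan-out seen in the Golden State Bridge case, here is a small Python policy check over a constructed ACH batch. It is not code from the article, from any bank or from any vendor; the routing numbers, approver names and dollar figures are made up for the example.

```python
from dataclasses import dataclass


@dataclass
class AchEntry:
    amount: float        # dollars
    dest_routing: str    # constructed 9-digit routing number, not a real bank
    memo: str


@dataclass
class AchBatch:
    entries: list
    approvers: set                  # usernames that signed off on the batch
    per_tx_cap: float = 65_000.0    # the payroll cap the article uses as its example
    min_approvers: int = 2          # dual approval, as the article recommends
    max_new_banks: int = 2          # tolerated count of never-before-used destinations


# Constructed: banks this company normally pays (payroll processor, one vendor).
KNOWN_BANKS = {"011000001", "021000002"}


def check_batch(batch, known_banks=KNOWN_BANKS):
    """Return a list of policy findings; an empty list means the batch may be released."""
    findings = []
    if len(batch.approvers) < batch.min_approvers:
        findings.append(f"only {len(batch.approvers)} approver(s); {batch.min_approvers} required")
    for i, e in enumerate(batch.entries):
        if e.amount > batch.per_tx_cap:
            findings.append(f"entry {i}: ${e.amount:,.2f} exceeds cap ${batch.per_tx_cap:,.2f}")
    # A takeover batch often sprays funds across many banks the company has never paid.
    new_banks = {e.dest_routing for e in batch.entries} - known_banks
    if len(new_banks) > batch.max_new_banks:
        findings.append(f"{len(new_banks)} never-before-used destination banks")
    return findings


# Constructed sample batches: a routine payroll run and a takeover-style batch that
# keeps every entry under the cap but has one approver and eight unfamiliar banks.
PAYROLL = AchBatch(
    entries=[AchEntry(40_000.0, "011000001", "payroll"), AchEntry(22_500.0, "021000002", "payroll")],
    approvers={"office_mgr", "cfo"},
)
TAKEOVER = AchBatch(
    entries=[AchEntry(15_625.0, f"09100000{i}", "vendor") for i in range(8)],
    approvers={"office_mgr"},
)

if __name__ == "__main__":
    print("payroll:", check_batch(PAYROLL))      # → []
    print("takeover:", check_batch(TAKEOVER))    # → two findings: approvers, fan-out
```

The takeover batch slips under the dollar cap, which is why the article pairs the cap with dual approval and daily review rather than relying on any one control.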
Still, Brian Krebs, a computer security authority who writes the blog Krebs On Security, says these are not foolproof against sophisticated hackers and that precautions are “like safe sex – it only works if you do it all the time.” Krebs said the most effective way to guard against corporate account takeover was to dedicate one computer solely for online banking. Employees should never send email or browse the Web from this machine.
Monitor Your Balances: In corporate account takeover, timing is everything. Cybercriminals, many of whom are based in Eastern Europe, move quickly, so business owners need to be vigilant about reconciliations and check accounts daily.
Buy Fraud Insurance: Most unsuspecting owners do not carry fraud insurance, and if they do, it covers only crimes like employee embezzlement.
Because Golden State Bridge had been hacked previously, in 2006 at a different bank, Talbot knew to buy insurance with a rider covering cybercrime and fraudulent bank transfers.
“It’s very rare that policies have them,” she said. “I’ve talked to brokers who tell me only one in 10 business customers ask for it, and it’s cents on the dollar.”