
Businesses Victimized by Cyber Crime

Written by Admin | Jan 1, 2015 6:00:00 AM

An owner of a small business had a very unexpected and unpleasant surprise upon reviewing the firm’s recent financial transactions. Three days before, $360,000 had been wired out of the business’s bank account and sent to Moldova. She immediately suspected that the transfer was the result of fraud and, as such, assumed the bank would make her firm whole by refunding any incurred losses. Unfortunately for the business, that assumption was incorrect, and ultimately the firm absorbed the loss.

An internal investigation revealed that an administrator in the business had unintentionally installed malware on the business’s computer network when he clicked on a link in an email that appeared to have come from an overnight shipping company. This action initiated the download of a program that surreptitiously recorded the keystrokes on his computer, ultimately capturing the business’s user name and password for one of its bank accounts.

The fraudsters who specialize in malware delivery passed along the bank login credentials to another group in what is called a “cyber-criminal organizational enterprise.” That group specializes in extracting money from victim bank accounts in the form of electronic transfers. In this case, the transfer from the firm’s account was completed, settled through the financial network and picked up by the crooks in Moldova.

Flabbergasted would be one way to describe the collective reaction at the law firm when told by the bank, with which they had a fifteen-year relationship, that the firm was responsible for the entire loss. Most people assume that banks refund money lost as the result of fraudulent bank transactions. That is true in cases where personal accounts have been breached – if the fraud is reported within 60 days. For business accounts, the account holder has 24 hours to report the suspicious transaction – after that, the business may be accountable for losses due to fraud.

The crime described here is anything but unique. In fact, the FBI describes “account takeovers” as a growing crime with active investigations involving hundreds of separate victim companies and hundreds of millions of dollars in losses. Very little of this money will ever be recovered.

Prevention against the threat of account takeovers falls into two general categories: technology and behavior. Most banks offer online technological tools that create “layers” of security to prevent large sums of money from being fraudulently transferred out of bank accounts. Businesses should have ongoing discussions with their bankers about specific ways to mitigate the threat, such as “positive pay,” a payment management system designed to prevent fraud, or “out-of-band authentication,” which adds a layer of security to protect the bank login process from compromise.

The best fraud prevention technology, however, can be rendered useless by the actions of uneducated users. Employees should be made aware of the latest email phishing threats and taught never to click on links or attachments from unknown senders. In a larger sense, ongoing security training should be standard protocol for all business entities to prevent these account takeovers and many other types of fraud. After all, no one likes unexpected and unpleasant surprises when they look at their bank transactions.

This example is based on a true story.