Close X
Saturday, November 23, 2024
ADVT 
Tech

Hacked! Business Bank Accounts Vulnerable To Cybercriminals

Darpan News Desk The Canadian Press, 03 Mar, 2016 10:52 AM
    It's a chilling moment when a small business owner discovers hackers have stolen thousands of dollars from the company checking account.
     
    Cybercriminals took an average $32,000 from small business accounts, according to a December survey of owners by the advocacy group National Small Business Association. And businesses don't have the same legal protection from bank account fraud consumers have.
     
    The Electronic Funds Transfer Act, passed in 1978, states that it's intended to protect individual consumers from bank account theft, but makes no mention of businesses. Whether a business is protected depends on the agreement it signs with a bank, says Doug Johnson, a senior vice-president with the American Bankers Association, an industry group. If the business hasn't complied with any security measures required by the agreement, it could be liable for the stolen money, he says.
     
    Any business is vulnerable, but small companies are less likely to have security departments and procedures to guard against online theft than big corporations do. They also don't have big revenue streams that are better able to absorb losses from a theft. And even if they get the money back, they still have to spend time and money dealing with the hassles of closing accounts and opening new ones.
     
    Sandy Marsico's company accounts were attacked — twice. Her bank contacted her in December 2014, saying a transfer of over $50,000 to Mexico had been requested from her checking account. The thieves had obtained the account information; Marsico, owner of Sandstorm Design, a Chicago-based marketing company, still doesn't know how. The bank did an investigation but didn't share its findings with her.
     
    Marsico didn't approve the transfer, the account was closed and a new one opened. But the following November, someone began withdrawing money from the new account in increments ranging from $1,000 to $4,000, a total of $20,000 in the course of a month. Marsico didn't discover it until she got her monthly statement.
     
    "My stomach dropped when I wasn't able to identify these as our charges," Marsico says.
     
    The bank, which again did an investigation but didn't tell Marsico the results, again reimbursed Sandstorm. Marsico has since moved some of her accounts to another bank.
     
    HOW IT HAPPENS
     
    Cybercriminals are creative, changing methods as companies and banks find ways to prevent attacks.
     
    Thieves are increasingly using realistic-looking emails to trick companies into transferring money from their accounts with what's known as wire transfers, says Avivah Litan, a security analyst with the research company Gartner. Often, an employee receives an email purportedly from a company executive asking them to transfer the money from the company's account into a specific external account. If employees don't check to be sure the request is legitimate, they might go ahead and authorize a withdrawal.
     
     
    The first attack on Marsico's account was a wire transfer attempt but didn't use an email to her company.
     
    The FBI reported last August that more than 7,000 U.S. companies of all sizes had been victimized in emailed attacks since late 2013, with losses of more than $740 million. The government said the number of identified victims had surged 270 per cent between January and August of last year. Most of the thieves are believed to be in organized crime groups in Eastern Europe, the Middle East and Africa, the FBI said.
     
    Criminals can also operate by planting malicious software known as malware on a company computer, often via an email that has a link or attachment. If the computer is used to log into a bank account, the malware can record the login and password and send it back to the criminals, who then withdraw funds. But many banks have procedures designed to protect against stolen logins. If bank computers don't recognize a device trying to log in, the bank will send a one-time access code to the account holder on a separate device like a phone. Without that code, a fraudster can't log in.
     
    Using a computer or smartphone in a public place that has a Wi-Fi environment can also be risky, says Kevin Watson, CEO of Netsurion, a Houston-based company that provides cybersecurity for small businesses. Some Wi-Fi spots may have weak security, and savvy hackers know how to steal information that someone keys into their device.
     
    And some thieves do it the old-fashioned way, simply by copying account numbers and routing information from checks and then printing phoney checks and depositing them. One thief made two withdrawals from the checking account at Mark Waring Ventures two months ago, one for $800 and another for $1,000.
     
    "Someone can just look at a check and they're a good part of the way to hacking into your account," says Dave Waring, managing partner of the New York-based company that provides financial and other services to small businesses.
     
    The bank reimbursed Waring, the account was closed and he now makes payments electronically.
     
    At Neil Palache's company, the culprit used a counterfeit debit card. Two thefts totalling $1,400 happened while Palache was online, looking at his account, and the card was immediately cancelled. The bank refunded his money and Palache got a new card.
     
    "I was thinking, 'they're going to wipe me out of this keeps going,'" says Palache, owner of The Wealth Creator Co. for Women, a Westlake Village, California, company that teaches women how to manage their money.
     
     
    WHAT CAN YOU DO?
     
    Business accounts are safer at banks that use what's known as two-factor authentication, requiring unfamiliar account users or devices to supply additional information like one-time access codes, says Timothy Ryan, a managing director with the security company Kroll in New York. Sophisticated banks also have software that flags emails or attempted logins from unfamiliar Internet service providers, he says.
     
    Additional steps owners can take:
     
    —Everyone in the company must be hypervigilant about emails, being wary about clicking on links and attachments and checking the addresses that emails came from. Criminals may create email addresses that look familiar but that might have an extra letter like an "I'' or "i'' not apparent at first glance.
     
    —In the case of wire transfers, put procedures in place so several managers must sign off before a transfer can made.
     
    —Keep a close eye on accounts. If you can't check your balance daily, get text alerts whenever there's a withdrawal.
     
    — Don't log into your bank from an airport, hotel lobby, coffee shop or other public space that offers free Wi-Fi. Resist the temptation to log in until you're home or in your office.
     
    "It's a simple protection for a complex problem, but it takes discipline and that's where people fall down," says Watson, the Netsurion CEO.

    MORE Tech ARTICLES

    Alibaba Buys Nearly 33 Million Shares Of Groupon

    Alibaba Buys Nearly 33 Million Shares Of Groupon
    Groupon Inc.'s stock jumped more than 40 per cent in afternoon trading Tuesday.

    Alibaba Buys Nearly 33 Million Shares Of Groupon

    Indian-Origin Engineer Discovers Ground Breaking 2D Semi-Conducting Material

    Indian-Origin Engineer Discovers Ground Breaking 2D Semi-Conducting Material
    A team led by an Indian-origin engineer from the University of Utah has discovered a new kind of 2D semi-conducting material for electronics that opens the door for much speedier computers and smartphones that consume a lot less power.

    Indian-Origin Engineer Discovers Ground Breaking 2D Semi-Conducting Material

    Young Adults Swipe Right On Tinder, But Is It Just A Game?

    Young Adults Swipe Right On Tinder, But Is It Just A Game?
    NEW YORK — Online dating services are now hip with young adults, but not always for dating.

    Young Adults Swipe Right On Tinder, But Is It Just A Game?

    Watch: Google Boss Asked 'What Do You Get Paid?' By UK Lawmakers

    Watch: Google Boss Asked 'What Do You Get Paid?' By UK Lawmakers
    A British parliamentary committee has grilled Google's president of European operations, questioning in blunt terms whether the Internet giant had paid its fair share of taxes.

    Watch: Google Boss Asked 'What Do You Get Paid?' By UK Lawmakers

    Magazine Publisher Time Inc. Buys What's Left Of MySpace

    Magazine Publisher Time Inc. Buys What's Left Of MySpace
    It does, and the company that owns the once-ubiquitous social network is being bought by Time Inc. to help the magazine publisher target ads.

    Magazine Publisher Time Inc. Buys What's Left Of MySpace

    Disappearing Act: Twitter Reports Flatlining User Growth

    Disappearing Act: Twitter Reports Flatlining User Growth
    Twitter set out to build a virtual town square bustling with billions of people. But it's starting to look more like a novelty stand as the masses flock to other services that strike a more personal chord.

    Disappearing Act: Twitter Reports Flatlining User Growth