Cyber Criminals Targeting SMBs

August 26, 2009

A recent trend of cyber attacks on small and mid-size US firms is netting criminals big profits in a multi-million dollar scam.  According to a report in Tuesday’s Washington Post, SMB customers of financial institutions are being infected with a virus through phishing or other malicious activity.  The virus captures logon credentials for online banking systems and transmits them to the cyber-thieves.

The credentials are then used to initiate wire transfers or other online banking transactions, usually in increments of less than $10,000 to avoid anti-money laundering reporting requirements.  The criminals often enlist people to set up bank accounts in the US to receive the funds transfers.  The funds are then withdrawn and wired to accounts located in Eastern European countries.  In many cases, multiple wire transfers are initiated within minutes of each other.  According to the article in the Washington Post, one victim reported 43 transfers initiated within 30 minutes for a total of $1.2 million.

The fraud is particularly effective because many financial institutions have stronger controls over consumer funds, due to the institution’s liability in that regard.  Consumers typically have sixty days from the receipt of a bank statement to report fraudulent activity and, if it is proven, the FI is liable.  Commercial banking customers, however, fall under different regulations and have only two days to dispute fraudulent activity if they want any chance of recovering the unauthorized transfers.

TrustCC is aware of at least two clients who have experienced this fraud first-hand.  Financial institutions should advise their commercial customers to take appropriate precautions to prevent wire transfer fraud.  Some precautions include:

  • Monitor electronic banking activity carefully and frequently.
  • Ensure proper anti-virus controls are in place and that all systems have current signature files.
  • Do not open suspicious emails.
  • Do not click on suspicious web sites.
  • Ensure that all systems are up to date with security patches and current operating systems.
  • Control access to online banking functions to only authorized and necessary personnel.
  • If malicious activity is suspected, notify your financial institution immediately and suspend all online banking transactions.
  • Notify appropriate authorities.

While we recognize that financial institutions cannot be expected to advise all of their commercial customers on proper security measures, we do recommend at a minimum that FIs advise their customers of this threat and, if at all possible, monitor commercial wire transfers for unusual activity such as multiple transfers in a short period of time and transfers to offshore accounts.
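The monitoring recommended above can be sketched as a small rule set. This is an added example, not code from TrustCC or the Washington Post report; the record fields, the 30-minute window and the burst threshold are assumptions chosen for illustration, and the sample wires are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window
MAX_IN_WINDOW = 3               # assumed: more wires than this in WINDOW is a burst
REPORT_LIMIT = 10_000           # per-transfer amount the article says thieves stay under
HOME_COUNTRY = "US"

def review_wires(wires):
    """Map wire id -> list of reasons the wire deserves a hold and a callback."""
    recent = {}   # account -> deque of (time, amount) still inside WINDOW
    alerts = {}
    for w in sorted(wires, key=lambda w: w["time"]):
        q = recent.setdefault(w["account"], deque())
        while q and w["time"] - q[0][0] > WINDOW:
            q.popleft()                      # drop wires older than the window
        q.append((w["time"], w["amount"]))
        reasons = []
        if len(q) > MAX_IN_WINDOW:
            reasons.append("burst")
        # Each wire is under the limit, but the window total is not.
        if w["amount"] < REPORT_LIMIT <= sum(a for _, a in q):
            reasons.append("split_under_limit")
        if w["country"] != HOME_COUNTRY:
            reasons.append("offshore")
        if reasons:
            alerts[w["id"]] = reasons
    return alerts

def _wire(wid, account, hhmm, amount, country):
    t = datetime.strptime("2009-08-24 " + hhmm, "%Y-%m-%d %H:%M")
    return {"id": wid, "account": account, "time": t,
            "amount": amount, "country": country}

# Constructed sample data; "XX" stands in for any non-US destination.
SAMPLE = [
    _wire("w1", "acct-A", "09:00", 9500, "US"),
    _wire("w2", "acct-A", "09:04", 9200, "US"),
    _wire("w3", "acct-A", "09:07", 9800, "US"),
    _wire("w4", "acct-A", "09:09", 9700, "XX"),
    _wire("w5", "acct-B", "10:00", 2500, "US"),
    _wire("w6", "acct-A", "11:00", 1200, "US"),
]

if __name__ == "__main__":
    for wid, reasons in review_wires(SAMPLE).items():
        print(wid, ", ".join(reasons))
```

A flagged wire is a candidate for a hold and a call to the customer, not proof of fraud; thresholds need tuning against each customer's normal activity.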

A few best practice ideas for SMBs from Rob Lee of Mandiant:

  1. Determine who in your organization is able to accomplish funds transfers (CFO, CEO, etc).
  2. Set up two machines for these individuals.  One in which money is handled and another for day to day.  Do not put email on the same machine as the funds transfers.  At least make thieves have to break into another machine.  Not difficult for the attacker to still achieve, but increases the annoyance factor.
  3. Awareness.  Train them to be extremely paranoid of emails that come to them.  This is an unwinnable battle as even the most paranoid person will be duped, but you still want to increase their awareness that this is going on.
  4. Set up with your bank that all transfers must be approved verbally.  Period.  Two factor authentication.  Use strong passwords too, if you can.
  5. Work with your bank to see if you can set up a temporary hold on transfers for 24-48 hours until it is actually committed.  Gives you a chance to stop it if it is detected.
  6. Email/Pager/Mail/Phone call notification of every transfer and who authorized it sent immediately.  Then the 24-48 hour clock begins.
  7. Insurance.  Insurance.  Insurance.  Find a policy, if possible, that if this does happen you can recover some of your money.  This is a hard one as usually finding a policy that is acceptable and within reality is going to be near impossible.  But you might inquire about it.  In addition, check with your bank on what protections you have if money is transferred.
