So you think you know the ins and outs of money transfers over the Internet. You make up strong passwords and you even remember to change them once in a while. You have “normal” security in place (last Monday you hid the sticky note with your bank’s password and login on it—it’s no longer on your monitor).
However, a little while ago there was nothing typical about Monday morning for Bradenton attorney Kimberly Graus. It might have started out bright and sunny, but that Monday turned out to be a dark day for one of the trust accounts she administers—$35,000 was missing and she could not account for it. Her computer had been hacked and the money was winding its way to Eastern European criminals.
According to her bank, her own IP address was the source of the wire transfer orders and after further study by computer forensic experts, the culprits were found. The criminals had made four wire transfers from Graus’ trust account. Fortunately, Kimberly spotted it fast enough that she could notify Superior Bank and they were able to pull back three of the orders, but the fourth, for $9,500, had already been transferred to Ukraine and cashed.
And Graus was lucky that the previous Friday morning, she had wired $400,000 to pay off client mortgages. The hackers struck in the late afternoon; otherwise they might have gotten a much bigger haul and potentially bankrupted her practice.
Not only did Graus lose $9,500, but there were other expenses arising from this incident, including a new laptop to be used for banking purposes only and the cost of the forensic investigation, not to mention the time spent closing and setting up new bank accounts. There is also the potential loss of trust from her clients and other business associates, including her bank. Superior Bank is adamant that it bears no responsibility for the theft, but recent case law has changed some of that. You should Google the case of Patco Construction in Maine.
Computer consultants told Graus that the malware on her system most likely came in the form of an email phishing attempt that she clicked on. The malware was able to capture passwords and logins and took over her accounts, despite the presence of standard antivirus software.
Digital crime now outpaces real-world bank robberies in terms of losses. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029—a total of about $35.5 million, according to the FBI’s Uniform Crime Reporting program. However, 60 percent of bank robbers were caught, often very quickly.
Compare that with fraud statistics of Automatic Clearing House (a company in charge of electronic fund transfers and credit card payment processing). The recent arrests connected with the notorious Zeus malware accounted for some 390 reported cases, in which $70 million was stolen from accounts. The criminals had attempted to steal some $220 million. The investigation mainly netted the lowest ranks of the criminal network—the so-called money mules who remove stolen funds from their accounts and transfer the money to international accounts abroad. In general, the money mules are people who are duped into believing they are working for a legitimate company processing payments.
If you are a business doing online banking and are only relying on the bank’s security and safeguards, you may be bound for major trouble. Commercial accounts do not have the same FDIC insurance as personal accounts. Before you use online banking, read the rules carefully. Check all online accounts daily, and make sure your corporate defense-in-depth is in good shape.
I strongly recommend that you instruct your company’s bank not to allow outside transfers without a hard copy of written authorization signed by an account signatory for any transfer request. In addition, I recommend a formal Internet security awareness training program for all employees.
The bad guys are bypassing antiviruses on your workstations by making users click on something that will infect the