Online banking has grown meteorically over the last decade, in both popularity and reach. The pull of convenience has largely trumped customer fears about security, but there are signs that the tide may be turning. Perhaps exacerbated by the global recession and the shocks to the financial markets, cybercriminals have targeted business bank accounts with increasing frequency over the last year, pushing the conversation about online banking security into the corporate realm. With cybercriminals shifting their focus from individual accounts to far more lucrative business accounts, this disturbing trend is now getting the attention of authorities such as the FBI, the FDIC and the Department of Homeland Security, and many have described it as a leading cybercriminal trend for 2010.
Because the business itself, rather than the bank, is usually left liable for these losses (Regulation E, which implements the federal Electronic Fund Transfer Act, protects consumer accounts but not business accounts), businesses must re-examine their online banking practices to protect themselves proactively from such attacks and the monetary losses that follow. Banks, too, must strengthen their security practices to counter the tactics cybercriminals now use to perpetrate this type of fraud.
Business banking attacks on the rise
In a single month this past August, the FDIC, NACHA (the Electronic Payments Association), the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the IT advisory firm Gartner all published alerts about rising Internet threats to business banking.
The following month, the Senate Committee on Homeland Security and Governmental Affairs held a special hearing on cybercriminals targeting small and medium-sized businesses, and new protective cybersecurity legislation has since been introduced. Reports of victimised businesses continue to fill the media into 2010, with several companies even suing their banks.
The losses are substantial. The Washington Post reported that recent victims include a school district that lost $700,000 and an electronics testing firm that lost $100,000. One of Guardian Analytics' customers recently intercepted an attempted $800,000 ACH transfer out of a business customer's account, split into more than 80 smaller transactions destined for unwitting money mules. For many small and medium-sized businesses, losses of this size are catastrophic and can mark the beginning of the end if the bank refuses to reimburse them.
Cyberfraud schemes becoming highly sophisticated
Cybercriminal activity is constantly evolving to capitalise on new profit streams. In the case of business banking, fraudsters keep each theft under $10,000 so that no single transaction trips the traditional per-transaction fraud alert. The malware used to gain access to the account is often well enough written that the fraudulent transfers are submitted from the victim's own authorised, already-authenticated computer, inside a legitimate session that the malware has hijacked, which circumvents even token-based (one-time password) authentication. The money is then routed to "money mules", often recruited through Internet job boards, who believe they are working for a legitimate company and unwittingly forward the funds to the fraudsters.
Electronic funds transfers, and in particular the growing volume of automated clearing house (ACH) transactions used for corporate payments, make this channel an especially attractive target for fraud. Historically low risk, the ACH network has recently expanded to include more participants and new types of non-recurring payments such as web-initiated ACH files. Over the past year the FDIC has reported both more incidents and larger losses from unauthorised transfers out of business accounts whose online banking credentials were compromised. A JP Morgan study found that 71 percent of financial institutions experienced attempted or actual payments fraud in 2008; the figure rises to 80 percent among firms with revenues above $1bn.
Corporate account takeovers employing ACH fraud are becoming more prevalent. Criminals target corporate cash-management accounts and move the money out through seemingly innocent consumer accounts. The criminal first steals the user IDs and passwords of cash-management account holders and, in parallel, recruits ordinary consumers through phishing e-mails offering a "job": accept money into their own accounts and forward it to the criminal's offshore account, keeping a five percent commission. Clever social engineering in those e-mails persuades consumers to sign up. Once the groundwork is laid, the criminal simply logs into the corporate cash-management account and uses its ACH transfer facilities to push funds out to the phished consumer accounts. The victimised commercial banks generally fail to recover the stolen funds.
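The two tactics above, keeping every credit under the $10,000 per-transaction alert and fanning the total out to dozens of freshly recruited consumer accounts, are exactly what a per-transaction rule cannot see and a session-level rule can. The following is an added illustration, written for this page rather than taken from the article or from any bank's or vendor's fraud system. The $10,000 figure is the article's; the other limits, the account names and the three sample sessions (a payroll run, one large vendor payment, and a takeover modelled on the 80-plus-transfer case described earlier) are all constructed for the demonstration.

```python
"""Session-level ACH structuring and mule fan-out check (constructed example).

Not the article's or any product's code. PER_TXN_ALERT_USD comes from the
article; every other limit and all sample data are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

PER_TXN_ALERT_USD = 10_000.0        # legacy single-credit alert (from the article)
SESSION_AGGREGATE_USD = 50_000.0    # assumed: session total that warrants review
NEAR_LIMIT_FRACTION = 0.8           # assumed: "just under the limit" means >= 80% of it
MIN_NEW_PAYEES = 10                 # assumed: fan-out needs at least this many new payees
NEW_PAYEE_SHARE = 0.5               # assumed: and they must be at least half of all payees


@dataclass(frozen=True)
class AchCredit:
    session_id: str      # the online-banking session that originated the credit
    originator: str      # corporate cash-management account
    payee: str           # receiving account (a consumer mule in the takeover scheme)
    amount_usd: float


def legacy_rule(txns):
    """Per-transaction rule: flags only credits at or above the single-credit limit."""
    return [t for t in txns if t.amount_usd >= PER_TXN_ALERT_USD]


def session_findings(txns, known_payees):
    """Evaluate each originating session as a whole.

    known_payees maps originator -> set of accounts it has paid before.
    Returns {session_id: [reason, ...]} for sessions worth holding for review.
    """
    by_session = defaultdict(list)
    for t in txns:
        by_session[t.session_id].append(t)

    findings = {}
    for sid, group in by_session.items():
        amounts = [t.amount_usd for t in group]
        total = sum(amounts)
        payees = {t.payee for t in group}
        history = known_payees.get(group[0].originator, set())
        new_payees = payees - history
        reasons = []

        # Structuring: a large aggregate built from credits that each sit just
        # under the per-transaction limit, so none of them fires legacy_rule().
        if (total >= SESSION_AGGREGATE_USD
                and max(amounts) < PER_TXN_ALERT_USD
                and mean(amounts) >= NEAR_LIMIT_FRACTION * PER_TXN_ALERT_USD):
            reasons.append(f"structured: ${total:,.2f} over {len(group)} sub-limit credits")

        # Mule fan-out: most receiving accounts have never been paid by this
        # originator before (freshly recruited consumer accounts).
        if (len(new_payees) >= MIN_NEW_PAYEES
                and len(new_payees) / len(payees) >= NEW_PAYEE_SHARE):
            reasons.append(f"fan-out: {len(new_payees)} of {len(payees)} payees never paid before")

        if reasons:
            findings[sid] = reasons
    return findings


def build_sample():
    """Constructed data: a 25-employee payroll run, one $12,000 vendor payment,
    and a fraudulent session of 82 credits of $9,750 to never-seen accounts."""
    known = {"CORP-001": {f"P-{i:04d}" for i in range(1, 26)} | {"VENDOR-7"}}
    txns = [AchCredit("sess-payroll", "CORP-001", f"P-{i:04d}", 3_200.0) for i in range(1, 26)]
    txns.append(AchCredit("sess-vendor", "CORP-001", "VENDOR-7", 12_000.0))
    txns += [AchCredit("sess-fraud", "CORP-001", f"M-{i:04d}", 9_750.0) for i in range(1, 83)]
    return txns, known


if __name__ == "__main__":
    sample_txns, sample_known = build_sample()
    print("legacy rule flags:", [t.session_id for t in legacy_rule(sample_txns)])
    for sid, why in session_findings(sample_txns, sample_known).items():
        print(sid, "->", "; ".join(why))
```

Run as written, the legacy rule flags only the legitimate $12,000 vendor payment and says nothing about the $799,500 takeover session, while the session-level check flags the takeover on both counts and leaves the payroll run and the vendor payment alone. The point is not the particular thresholds, which any real deployment would tune against its own customers' history, but that the unit of analysis has to be the session and the payee population rather than the individual credit.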