Online Banking Fraud: A Devastating New Threat to Your Business
The biggest risk to your manufacturing company’s financial security does not come from domestic regulations and taxes, or even from a highly competitive China. It comes from an altogether new territory: Russia and Eastern Europe, where organized crime syndicates are raiding U.S. businesses’ bank accounts, often with devastating consequences. The threat of these sophisticated and targeted online-banking hacks is real and growing.
If your company uses online banking (payroll account transfers, wire transfers, ACH transactions, etc.), consider yourself a target.
New computer attacks specifically target your business
The old-school “Nigerian prince” email scams are mostly a thing of the past, and you can no longer rely on your common sense and savvy to recognize a fraudster. Gone are the days when cybercriminals attempted to trick individuals and businesses into forfeiting access to financial and credit card information by sending mass emails and waiting for someone to take the bait. The new attacks specifically and precisely target your business. Here's how it works:
- Criminals research your company online to learn details like names and emails of key managers, often from your company's own website. They might even call and get additional information from your receptionist.
- From this information, they compose an email to a specific employee that contains just enough detailed information to lure him or her into opening a link to a website. The link will open a web page that looks legitimate, and the employee may keep it open. During that time, malicious software (malware) is loaded onto the employee’s computer without his or her knowledge.
- Once loaded, the malware spreads from computer to computer on your network until it recognizes a user who is making online banking transactions. The malware records keystrokes and sends it back to the hacker. Now the criminal knows the specific keystrokes to make an online banking transaction. Equipped with the correct identification numbers and passwords, the hacker simply logs into your online banking site and directs an ACH transaction to an offshore account, effectively cleaning out your bank account.
A full 32 percent of our survey respondents reported an information security incident in the last year. That’s just one of the many fascinating pieces of information coming out soon in our next annual Manufacturing and Distribution Outlook report.
These attacks aren’t random; they are studied and premeditated, making penetration into your system nearly undetectable — until it’s too late and your business’s funds are desolated.
Banks and insurance companies may not cover the loss
Financial responsibility for these attacks is currently a gray area. Banks typically have assigned fault to the victim, arguing it was the business’s computer system that was compromised, not the bank's. There are lawsuits on both sides of the issue, but there is no settled law at this point. Meanwhile, it appears that attempts to get the bank to pay will be a long and possibly fruitless legal battle. This doesn’t change the fact that your account is depleted.
Insurance coverage completely depends on the provisions of each individual policy. This type of risk is relatively new, so specific coverage in your policies is unlikely. Some policies have coverage written broadly enough to protect against the risk, but based on the known cases so far, adequate insurance coverage often is not in place. Many of the victim businesses are simply out the money with no recourse.
You are probably more vulnerable than you believe
Most businesses’ information technology (IT) teams do a stellar job with the resources they have. They are usually quite confident that their systems are secure and invulnerable to attack. But the reality is that most IT teams are spread a little thin and juggle a wide variety of tasks. They are genuinely surprised when they learn the systems they guard and maintain are indeed vulnerable to attack. The time and resources required to keep up on new security threats and to adequately reduce risk from these targeted attacks often outpaces the daily grind of your IT team. It’s wise to invite in an outsourced penetration tester to root out vulnerabilities and shore up security.
How to protect your company
One of the simplest ways to reduce the risk of accidently allowing malware to be opened is to teach your employees to recognize and report suspicious emails and websites. This dramatically reduces the chances of the malware being planted. But this is problematic because the emails can look so authentic.
For example, our team of specialists recently tested a client's vulnerability by sending a fake email (one that mimicked the type used by criminals) to 18 different employees. Seventeen opened the link and kept it open long enough for malware to be deployed. This result is not unusual, reinforcing the critical need for ongoing education on new threats and methods.
Test and strengthen firewalls
Just because the malware was deployed does not mean it will automatically spread. A strong firewall and other protective measures can help prevent the spread of the malware across your network. With this specific threat, the malware must be able to find which computers in your organization are used for online banking transactions. Protective software and other stronger online banking security measures can reduce the effectiveness of the malware.
Talk with your bank and insurance company
Communicate with your bank to make sure enhanced security measures are in place to make it more difficult for malware to operate effectively. Security measures such as multi-factor authentication and ACH white listing (if available from your bank) can be effective. The available controls are often either bypassed by the user for convenience reasons or are not put in place due to cost. In addition, you should communicate with your insurance company to make sure that these and other similar thefts are covered.
How we can help
If your company uses online banking services, take steps to prevent a potential attack on your business. If you can minimize the risk using your in-house team, get started today. If you need outside help, call on payment fraud-protection professionals. These services will be far more valuable as front-end protectors, rather than being called in after the fact to assess damage and reconstruct an attack for potential use in litigation. CLA’s manufacturing industry and information security professionals can guide you through this entire process.