Man Working in a Small Office

Businesses that never considered themselves targets are becoming victims of credit card fraud, automatic clearing house (ACH) fraud, and wire fraud.

Reducing risk

Protecting Your Small Business From Online Payment Fraud

  • Mark Eich
  • 2/18/2013

We’ve all heard the famous quote attributed to Willie Sutton, the notorious bank robber who, when asked why he robbed banks, replied “because that’s where the money is.”

In today’s connected world that assumption is no longer valid. Improved defensive measures have made direct bank attacks very difficult and time consuming, but a bank’s customers are typically much easier targets. Businesses of all sizes are being targeted by malicious attackers as never before.

Businesses that never considered themselves targets are becoming victims of credit card fraud, automatic clearing house (ACH) fraud, and wire fraud. These crimes are often perpetrated from outside the country by attacking the online cash management features that banks provide their customers. Health care organizations, trade associations, construction contractors, Main Street retailers, and many other small businesses have fallen victim to such attacks.

There are steps you can take to protect your business, but before taking action, you must first understand and acknowledge this growing threat.

Beware of online banking malware

By far the most common method of attack is a phishing message that delivers malicious software (malware) and attacks online cash management systems. Once the malware has been delivered, it monitors and records system activity, stealing personal information, login credentials, and codes for the internet banking services. Attackers then use this login information to pose as the victim — they simply login and create fraudulent ACH entries or wire transfers. More sophisticated malware, such as advanced versions of the Zeus Trojan horse, can even be used to bypass more robust defensive measures such as multi-factor authentication tokens like RSA tokens. This type of attack is often called corporate account takeover.

Email spear phishing

Malware code is often delivered via email, either by a file attached directly to the message, or more commonly, by use of a website link directing the user to a rogue website. In the later case the malware returns with the web page and attempts to install itself on the victim’s computer. This type of phishing attack has been dubbed “spear phishing” since only one email is often sent to the victim organization.

Spear phishing emails have improved significantly in their sophistication and effectiveness and can be very difficult for users to identify as fraudulent. They often use carefully crafted messages to entice the user to click the link. In some cases, the emails are even “spoofed,” that is, crafted to appear to come from someone inside the victim organization (e.g., the company president). In other cases the emails are spoofed to appear to come from a legitimate business or organization, such as UPS, American Express, PayPal, or the IRS. These spoofing tactics are designed to increase the likelihood that the recipient will act quickly, clicking on the link without much thought.

Protecting your business

Preventing these attacks is no small task. It requires a multi-layered approach. Businesses should consider each of these tactics:

  • Educate users to spot potentially fake emails and to be wary of website links and file attachments.
  • Keep current on technical defensive measures such as firewalls, intrusion detection systems, and spam filters.
  • Keep up-to-date on the anti-virus software on each device, and complete regular scans to keep them clean.
  • Keep all network servers and PC workstations current with the latest security updates and patches.
  • Limit the number of PCs used to conduct online cash management. If possible, isolate them from the rest of the company network.
  • Encrypt sensitive data, such as intellectual property and personal financial information.
  • Become familiar with and utilize all key bank security tools for online cash management. Banks are eager to educate customers on the proper use of these tools, which include:
    • Multi-factor authentication
    • ACH blocks and filters
    • Daily and individual transaction limits
    • Wire call-back features
    • Positive pay systems to reduce check fraud
  • Monitor activity and balance online accounts daily.
  • Read and thoroughly understand your agreements with your bank related to online activity.
  • Identify the primary contact at your bank who will be your first call for help in the event of a breach.
  • Have an incident response plan so users know who to contact immediately if they suspect malicious activity on their computer.
  • Make regular backups of key data and systems and store them in a secure off-site location.
  • Establish a relationship with local law enforcement agencies that are familiar with online crimes.
  • Perform periodic vulnerability or penetration assessments to validate that controls believed to be in place are functioning as intended.

Reliance on technology is a reality for even the smallest business. Pulling the plug is not an option. Conducting business securely in an environment of ever-increasing threat is possible with the right strategy and implementation. Businesses owners must embrace security as part of any technology strategy.