When Hackers Wipe Out a Business Bank Account
In May 2010, Golden State Bridge, an engineering and construction company based in Martinez, Calif., was robbed of more than $125,000 when cybercriminals hacked into its bank account.
The hackers made two automated clearinghouse batch transactions with the office manager’s user name and password, routing stolen money to eight other banks across the country. Ann Talbot, Golden State’s chief financial officer, learned later that the office manager had violated policy by visiting a social networking site, which the company said it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect.
Computer security specialists say these crimes, called “corporate account takeovers,” have become increasingly common, and small businesses are especially easy prey because many lack firewalls and monitoring systems. Gartner, an information technology research company, says regulators have not compiled statistics on the extent of the fraud, but the company estimates that more than 10 percent of small businesses have had funds stolen from their bank accounts — losses totaling more than $2 billion.
“People think, ‘It’ll never happen to me,’ but these are incredibly sophisticated criminals, and we’re not I.T. experts,” Ms. Talbot said. “When you work for a big company, you have a full I.T. staff and you’re locked down like Fort Knox. When you work for a small to midsize company, you’re not locked down at all.”
Even worse, owners often assume incorrectly that the protection they have on personal bank accounts applies to their business accounts. Many are shocked to learn that most banks do not take responsibility for unauthorized debits from business accounts. Unless the owners have fraud insurance, they must shoulder the losses alone. One reason this is not more widely understood is that owners who have been victimized are often reluctant to speak about it, out of embarrassment or fear that the publicity could further distract their struggling businesses.
Although many financial institutions have taken measures to thwart hackers, they emphasize that other businesses must also defend themselves. Here are tips from security specialists and from owners who have learned these lessons the hard way.
BEST PRACTICES Authorities recommend keeping firewalls up to date and limiting the number of employees with access to accounts. Sari Stern Greene, president of Sage Data Security in South Portland, Me., advises being diligent about applying security patches to operating systems like Windows.
Owners should also educate their employees and enforce strict rules for office computers. Social media should be forbidden, and workers should avoid unusual links and e-mails. In some cases, companies receive e-mail that resembles official communication from agencies like the Internal Revenue Service. When a business owner or chief financial officer clicks on an e-mail saying, for example, that the company is being audited, a virus infects the computer. Some viruses capture keystrokes, enabling criminals to view user names and passwords as they are typed, while others allow criminals to manipulate computers from afar. Some obtain identifying information from shadow Web addresses that mimic a bank’s Web site, persuading users to log on.
BANKING PRECAUTIONS Business owners who have been hacked often feel most betrayed by the banks they thought were protecting their money. But banks have no legal obligation to reimburse businesses for attacks — federal regulations do not cover commercial accounts. Regulatory bodies such as the Federal Deposit Insurance Corporation and the Federal Financial Institutions Examinations Council offer guidance on fraud controls for financial institutions, and owners should make sure their banks are up to speed.
Owners may want to place accounts with larger banks — such as Chase, Bank of America and Wells Fargo — that have more mature pattern-recognition and monitoring capabilities. Banks should have automated systems to detect anomalous activity in accounts, but because these systems are expensive, many banks still rely on laborious manual processes. And if banks use third-party processors to handle transactions, as almost all but the largest do, business owners should confirm that the processors’ practices are equally secure.
“If you go two states over and use your credit card to buy gas, the credit card company calls you to say it’s out of the norm, but most banks have no idea,” said Mark Patterson, whose construction company, Patco, in Sanford, Me., was robbed of $588,000 in 2009 by ZeuS Trojan, a form of malware. “Our bank had no alarms to say, hey, over five consecutive nights, Patco’s wiring money all over the country — to California, Florida, places we don’t normally send money, and definitely not from an I.P. address outside the U.S.”
Owners should require multiple people to approve every transaction and should insist on “multifactor authentification,” or more than one way for a bank to confirm an owner’s identity before making a transfer. This necessitates approval through multiple channels, such as e-mail, text and verbal assurance by phone. Some banks require businesses to use a token, or secure ID card that generates new passwords that are valid for a very short time.
Businesses should also place limits on the amounts of all automated clearinghouse transactions. If a normal payroll transaction is capped at $65,000, a hacker will not be able to increase the amount when trying to take cash.
Still, Brian Krebs, a computer security authority who writes the blog Krebs On Security, insists these are not foolproof against sophisticated hackers, and that precautions are “like safe sex — it only works if you do it all the time.” Mr. Krebs said the most effective way to guard against corporate account takeover was to dedicate one computer solely for online banking. Employees should never send e-mail or browse the Web from this machine.
MONITOR YOUR BALANCES In corporate account takeover, timing is everything. Cybercriminals, many of whom are based in Eastern Europe, move quickly, so business owners need to be vigilant about reconciliations and check accounts daily.
Karen McCarthy, the owner of Little & King, a marketing agency based in Great Neck, N.Y., discovered money missing from her account the day after it had been taken and immediately called her bank. But because it was a holiday, she said, the bank took more than a day to freeze her account. By then, $164,000 had been stolen.
Golden State Bridge was able to recover about $29,000, and Patco halted or clawed back about $200,000 from transfers processed within 24 hours of discovering the fraud. But money stolen the previous four days was gone for good. Mr. Patterson took his bank to court and lost. “This hurt a lot. If we hadn’t always been very conservative financially, it could have put us out of business,” he said. “Our legal fees are not recoverable either. The bank kept filing motions to dismiss and we had to defend those. It’s been a very complicated, expensive process.”
BUY FRAUD INSURANCE Most unsuspecting owners do not own fraud insurance, and if they do, it includes only crimes like employee embezzlement.
Because Golden State Bridge had been hacked previously, in 2006 at a different bank, Ms. Talbot knew to buy insurance with a rider covering cybercrime and fraudulent bank transfers. “It’s very rare that policies have them,” she said. “I’ve talked to brokers who tell me only one in 10 business customers ask for it, and it’s cents on the dollar.”
For owners without fraud insurance, like Ms. McCarthy, the crime can be devastating. It derailed Little & King’s sale to a global marketing agency, which was scheduled to occur the day after hackers invaded in 2010. Ms. McCarthy took out a loan, slashed staff salaries and found cheaper office space, but that was not enough. “I didn’t have the funds to operate anymore, so I had to merge with another agency,” she said. “I lost my agency.”