Owners may want to place accounts with larger banks — such as Chase, Bank of America and Wells Fargo — that have more mature pattern-recognition and monitoring capabilities. Banks should have automated systems to detect anomalous activity in accounts, but because these systems are expensive, many banks still rely on laborious manual processes. And if banks use third-party processors to handle transactions, as almost all but the largest do, business owners should confirm that the processors’ practices are equally secure.
“If you go two states over and use your credit card to buy gas, the credit card company calls you to say it’s out of the norm, but most banks have no idea,” said Mark Patterson, whose construction company, Patco, in Sanford, Me., was robbed of $588,000 in 2009 by ZeuS Trojan, a form of malware. “Our bank had no alarms to say, hey, over five consecutive nights, Patco’s wiring money all over the country — to California, Florida, places we don’t normally send money, and definitely not from an I.P. address outside the U.S.”
Owners should require multiple people to approve every transaction and should insist on “multifactor authentification,” or more than one way for a bank to confirm an owner’s identity before making a transfer. This necessitates approval through multiple channels, such as e-mail, text and verbal assurance by phone. Some banks require businesses to use a token, or secure ID card that generates new passwords that are valid for a very short time.
Businesses should also place limits on the amounts of all automated clearinghouse transactions. If a normal payroll transaction is capped at $65,000, a hacker will not be able to increase the amount when trying to take cash.
Still, Brian Krebs, a computer security authority who writes the blog Krebs On Security, insists these are not foolproof against sophisticated hackers, and that precautions are “like safe sex — it only works if you do it all the time.” Mr. Krebs said the most effective way to guard against corporate account takeover was to dedicate one computer solely for online banking. Employees should never send e-mail or browse the Web from this machine.
MONITOR YOUR BALANCES In corporate account takeover, timing is everything. Cybercriminals, many of whom are based in Eastern Europe, move quickly, so business owners need to be vigilant about reconciliations and check accounts daily.
Karen McCarthy, the owner of Little & King, a marketing agency based in Great Neck, N.Y., discovered money missing from her account the day after it had been taken and immediately called her bank. But because it was a holiday, she said, the bank took more than a day to freeze her account. By then, $164,000 had been stolen.
Golden State Bridge was able to recover about $29,000, and Patco halted or clawed back about $200,000 from transfers processed within 24 hours of discovering the fraud. But money stolen the previous four days was gone for good. Mr. Patterson took his bank to court and lost. “This hurt a lot. If we hadn’t always been very conservative financially, it could have put us out of business,” he said. “Our legal fees are not recoverable either. The bank kept filing motions to dismiss and we had to defend those. It’s been a very complicated, expensive process.”
BUY FRAUD INSURANCE Most unsuspecting owners do not own fraud insurance, and if they do, it includes only crimes like employee embezzlement.
Because Golden State Bridge had been hacked previously, in 2006 at a different bank, Ms. Talbot knew to buy insurance with a rider covering cybercrime and fraudulent bank transfers. “It’s very rare that policies have them,” she said. “I’ve talked to brokers who tell me only one in 10 business customers ask for it, and it’s cents on the dollar.”
For owners without fraud insurance, like Ms. McCarthy, the crime can be devastating. It derailed Little & King’s sale to a global marketing agency, which was scheduled to occur the day after hackers invaded in 2010. Ms. McCarthy took out a loan, slashed staff salaries and found cheaper office space, but that was not enough. “I didn’t have the funds to operate anymore, so I had to merge with another agency,” she said. “I lost my agency.”