An executive at a 120-employee company receives a call at 10:50 a.m. from a representative at his bank, who asks him if the firm has made any recent wire transfers. The executive says no. In fact, 47 transfers have been made over the previous three hours, to accounts in far-flung places such as Russia, Scotland, Finland and China. The executive tells the bank rep not to honor any additional transfer requests, but over the next three hours, 38 more fraudulent wires are sent from the company's accounts, resulting in a loss of $560,000 for the company. This is just one instance of the growing trend of online fraud perpetrated against business bank accounts. In the case above, an employee of Experi-Metal Inc. (EMI), a manufacturer of specialty metal products in Sterling Heights, Mich., opened an e-mail that appeared to be from Comerica, its bank for over a decade. The e-mail said Comerica needed to perform maintenance work on its banking software and instructed EMI to log in to a linked Web site.
The employee logged in and provided the requested information. Alas, that information was obtained by fraudsters--most likely captured by so-called malware surreptitiously planted in the computer's operating system. The fraudsters "immediately began sending wire transfers out of EMI's bank accounts with Comerica, sending the funds to various foreign and domestic accounts," according to the complaint EMI filed in November 2009.
Comerica's filing a month later denied those claims. The litigation between Comerica and EMI was ongoing last November, and a trial date had yet to be set.
Although there are no hard numbers, such incidents of online fraud, perpetrated especially against smaller companies' bank accounts, appear to have increased significantly over the last 18 months.
"What's most interesting is the market being hit--smaller businesses, companies with $10 million or less in revenue," says Jacob Jegher, an analyst at Celent, a Boston-based consultancy.
Fraudsters tend to go after the easy prey, Jegher says, and smaller firms haven't had the expertise to ward them off. Much to the chagrin of those business owners, their banks have focused on protecting large corporate accounts, leaving the small fry to fend for themselves.
Over the last few years, defrauded companies have filed a rash of suits against their banks, claiming the banks should have spotted unusual transfers and raised red flags. Most have been settled, and typically neither party will discuss the terms, which would indicate which party was most at fault legally. Nevertheless, banks are starting to respond to the threat.
Atlanta-based SunTrust, for example, plans to roll out a suite of anti-online fraud services to small business customers--most already available to large and midsize companies--by the first quarter. And smaller banks have adopted anti-fraud technology once available to only the largest banks.
To thwart online fraud, companies first should take basic steps to prevent destructive software from infiltrating their computer systems (see last page). The tools banks are providing, however, round out the anti-fraud arsenal.
In some cases, these tools were already available, such as the entitlement engines built into banks' cash management systems. Now banks are starting to educate all customers--not just the big ones--about how to use them.
Banks are also providing customers with software to harden their desktop defenses against malevolent intruders. And many financial institutions have adopted applications to monitor customers' activity, so when something unusual does occur, the bank can require additional authentication to prevent fraudulent electronic money transfers.
Small business customers are wise to inquire about the tools their banks offer to deter online fraud, because they face highly sophisticated adversaries. Once fraudsters' malware has gotten onto a computer, it can lie in wait until an employee begins an online banking transaction, then record security information and hijack the browser to use that information to empty out the company's accounts.
Mickey Boodaei, CEO and founder of Trusteer, a company that sells software to harden browsers and block malware, says the most widespread malware, Zeus, is sold to criminal gangs that can then modify it. "What's unique about Zeus is you can build models on top of it and enhance it with various capabilities," Boodaei says.
Hard data on the number of business bank accounts affected by online fraud are scarce, mainly because banks are loath to reveal such information. What numbers have emerged are not reassuring.
Guardian Analytics, one of many vendors providing solutions to curb online fraud, teamed up earlier this year with the Ponemon Institute, a research center that focuses on information and privacy management practices, to survey small and midsize businesses. It found that 55% of the 500 survey respondents had experienced a fraud attack in the prior 12 months, 58% of which stemmed from online banking activities. In 80% of the cases, the survey found, banks failed to discover the fraud prior to the transaction, and 87% of the time, they were unable to recover the funds.
Banks compensated customers only partially for their losses 57% of the time, and provided no compensation at all in 26% of cases. Banks suffered as well, since in 40% of the cases, companies took their business elsewhere.
"We moved banks and went to Chase," says Gary Evans, president of Hi-Line Supply, a Dallas-based telephone equipment company that employs 18 people.
Cyber thieves stole $50,000 from Hi-Line's accounts at local Community Bank, with which the company recently settled litigation over the stolen funds. Evans said the experience made him "almost paranoid" about banking online. "We're avoiding ACH transfers altogether," he says.
The time may come when such transfers become necessary, Evans adds. But for now, "I do not open that portal up to my account," he says. "The only way to get into the account is when I write a check or initiate a wire transfer with our letterhead, and the bank calls to verify" the transaction.
If more businesses adopt Evans' newly conservative approach to making payments because of concerns about online fraud, many of the efficiency gains that have bolstered banks' profits over the last few decades could erode. Some banks are clearly aware of that danger and have taken more steps to protect small and midsize business customers.
SunTrust, for example, recently began offering small businesses more control over automated clearing house (ACH) payments through its online cash-management portal.
Customers have had access to SunTrust's positive pay service, where the bank checks payment requests against a list of regular payees, then confirms the payment with the customer. The same service is now available for ACH payments, giving clients control over which entities can debit or credit their accounts and for how much.
Keri McKinney, a group vice president at SunTrust, says the bank is also pushing customers to adopt dual approvals for payments, as well as entitlements to control which employees can authorize payments and the types and sizes of those payments.
In May, SunTrust implemented Trusteer Rapport, browser-hardening software that customers can download from the bank's Web site.
Boodaei explains that malware residing on a computer must enter the browser to perform fraudulent transactions. Trusteer's software, which costs banks about $1 per user, aims to block those entryways when the bank's customer is engaged in online banking transactions. "It's much more convenient than having a second computer" dedicated only to banking transactions, Boodaei says.
However, fraudsters are devious and continually seek new ways to penetrate the browser, or even infect a dedicated computer. "In terms of security, there's no silver bullet," Boodaei says, adding that Trusteer's software automatically pushes upgrades out to users in the ongoing effort to counter new malware tactics.
For software such as Trusteer's to work, however, banks' customers must be persuaded to download it. As of mid-November, SunTrust saw an adoption rate of 10% for online treasury users, McKinney says.
SunTrust and other banks, large and small, are also taking a very different approach by implementing software that monitors corporate customers' online banking behavior patterns. When the software spots unusual activity, it alerts the bank, which can then take action.
The First Data unit that caters to financial services companies--mostly community banks--plans to integrate its ACH services with software from Laru by the first half of 2011. The Laru software will monitor a bank's customer transaction files sent by First Data, developing profiles of each bank client.
NICE Actimize offers a similar solution, mostly to large global banks. The software continuously adds data to the profiles so they remain current.
"A small business may be undergoing significant growth, resulting in payments to new parties," says Ben Knieff, the company's director of product marketing. "But it doesn't want fraud alerts just because it's growing."
Community banks, typically with simpler business models and technology infrastructures, are also taking the initiative to implement behavior-monitoring software. For example, Pacific Continental Bank, with just over $1 billion in assets concentrated in the Portland and Seattle metro areas, since mid-November has been using Guardian's FraudMap behavioral analytics software to monitor individual online banking users for unexpected activity.
Mellani Ocampo, the bank's business banking education officer, says other solutions Pacific Continental considered tended to be rules-based, requiring the bank to define problematic activity and essentially predict fraudsters' next moves. Guardian's software instead maintains a dynamic profile of each customer, and so it more accurately spots unusual activity.
In October, the Federal Bureau of Investigation announced that a cyber-crime ring had stolen $70 million from U.S. banks. The announcement came a day after the FBI and overseas authorities made dozens of related arrests in the U.S., Britain and the Ukraine. In addition to stepping up enforcement, which may act as a deterrent, agencies such as the FBI and the Federal Deposit Insurance Corp. have recently issued warnings about the increase in online fraud.
Greater vigilance on the part of law enforcement and regulators, however, doesn't mean banks and their customers can let down their guard. "It takes all these layers to keep this type of fraud under control," SunTrust's McKinney says.
Some Basic Steps to Deter Malware
Timely "patches"--updating software--are critical for businesses to safeguard online access to their bank accounts from malicious malware used cyber thieves to hijack computers and pilfer corporate bank accounts.
"Unpatched systems are probably the main way in which malware gets on to your computer," says Mickey Boodaei, CEO and founder of Trusteer. "In [securing databases], we realized one of the biggest weaknesses is the customer desktop."
To install malware, fraudsters look for vulnerabilities in a computer's operating system or other software working with the browser, such as Java or Adobe Flash, so updating those applications is key.
"Microsoft employs hundreds of people to look for [malware], and it releases at least monthly new versions with updated security," says Asaf Greiner, vice president for products at Comm-touch, which analyzes online transactions in real time to identify threats.
Updated anti-virus software on each desktop computer and the gateway to a company's server is also a necessity, Boodaei says, adding that Microsoft Security Essentials performs as well as any other anti-virus software, and it's free.
Filters to block company employees from problematic URLs help to enforce company Internet policies, Greiner says, adding that those filters typically come in bundled security packages from firms such as WatchGuard and Barracuda Networks.
Avivah Litan, a Gartner Group analyst, suggests doing banking using a non-Windows operating system from an external drive. "Don't use the browser on your PC to do online banking, especially if it's a Microsoft browser," Litan says, adding that "hardening" the PC's browser is another alternative.
Keri McKinney, group vice president at SunTrust, recommends that businesses segregate duties, making one person responsible for initiating transactions and another for approving them?each with their own pass codes.
Sole proprietors can create two user IDs, one to create the payment and one to approve it. "So you have this extra layer of security," says George Ravich, chief marketing officer at FundTech, which provides transaction-processing services.
And tell employees to avoid clicking links in e-mails, since that's one of the main ways computers become infected, says Boodaei. If the e-mail appears to be from the company's bank, "type the address into the browser and go to the Web site directly," he says.