Online bank frauds—in which hackers use employees' bank passwords to transfer funds out of a company's accounts—don't seem to be letting up. In fact, criminals keep coming up with new variations on the frauds.

“We're just in a constant cat and mouse game,” said George Tubin, senior security strategist at security software firm Trusteer, a unit of IBM. “The banking industry has gotten better in general at improving their defenses, and the criminals have also gotten better at improving their attack methods.”

“A lot of the fraud is moving to the call center,” said Avivah Litan, a vice president and distinguished analyst at Gartner Research. “As the online channel gets more controls, bad guys are starting to move into using the [bank's] call center.”

Criminals will phone the call center pretending to be the owner of the bank account and asking to change information on the account, such as adding a signatory or changing an address, Litan said. They may also try to extract information about the account.

“The trend is really social engineering of employees,” she said. “That's where it's moving—more social engineering of nice people trying to help out their customers.

“People are really the weakest link, and that's where you see the attacks going,” she added.

Hackers are also leveraging the relationship between companies and their suppliers. In December, the FBI's Seattle office issued a warning about a “man-in-the-email” fraud that it said had hit at least three companies in Washington state, resulting in total losses of $1.65 million. Hackers would intercept emails between a company and its suppliers. Then they'd send the company an email, supposedly from one of its suppliers, asking it to send payments to a new bank account, one controlled by the criminals.

Greg Litster, president of SafeCheck, cited a related fraud he's been hearing about recently in which hackers access a company's accounts receivable database to identify vendors that are due to receive a big payment. Then the hackers will notify the company that the vendor has changed its bank and provide a new account number.

Password Protection?

Jason Hart, a vice president of cloud solutions at information security company SafeNet and a former ethical hacker, says companies put too much faith in passwords.

“Generally there's a misconception that because they have a password they're secure, and even more of a misconception that if the password is long and complicated, it can't be breached,” Hart said.

Criminals have many ways to uncover or elicit passwords, many of them involving social engineering, Hart said.

“They can physically email an individual saying, 'I'm XYZ Bank. Please click on this link,'” Hart said. “They're doing it via phone calls, ringing [companies] up and posing to be the bank. They're doing it via text message as well.”

The information people post on social media helps hackers figure out passwords, he said.

Hackers may also harvest employees' bank passwords by planting malware on company computers. Businesses can minimize this risk by completing all online banking transactions on a dedicated PC that isn't ever used for email or accessing the Internet, Litan said. But few companies have adopted that practice, she said. “It's too inconvenient.”

Companies should be using dual authentication, Hart said. “You need true two-factor authentication where you're using a device or app that generates a random one-time password.”

Trusteer's Tubin argued that the solution to fraud is “a layered security framework,” rather than any single security safeguard.

“There's no such thing as a silver bullet,” he said. “The more layers an institution has, the better off they're going to be. If the criminal finds a way to bypass the first and second and third [layers of security], you have a fourth and fifth to help you.”

Larger banks, because of their financial resources and know-how, are better equipped to put together such layered security than smaller banks, Tubin said. “I think we are seeing fraud move down market, to the smaller and midsize banks that haven't caught up to where the largest banks are now,” he added.

Suing over Fraud Losses

Online bank fraud, which is most often aimed at small and midsize companies, is particularly devastating because corporate bank accounts don't have the same protection under the law as consumer accounts. The company whose account has been raided may end up eating the loss.

Some organizations that have lost money via such frauds have sued their banks, but the results of those lawsuits have been mixed. In 2011, a court ordered Comerica Bank to repay Experi-Metal $561,000 that fraudsters had wired out of the company's account.

But in 2013, a court ruled that BancorpSouth wasn't liable for the $440,000 wired out of Choice Escrow's account because, despite the bank's recommendation, Choice Escrow refused to use dual authorization on wire transfers, and that played a role in the fraud. Choice Escrow is appealing the verdict, but Tubin said businesses should take note.

“It's a kind of warning to business customers,” he said. “If your bank offers you something and you decline, that could be the straw that breaks the camel's back.”

Companies that aren't willing to follow their bank's security recommendations should consider switching banks, Tubin said. “If it's something you don't want to do, go to a different bank that doesn't require it,” he said. “At that bank, you've given up any right to a claim if fraud does happen.”

Joseph Burton, a partner in the San Francisco office of law firm Duane Morris, cited other issues involved in the Choice Escrow appeal, including the question of how to weigh any negligence on the part of the customer. Very often, online bank frauds occur after the company's computer system has been infected through a phishing attack, he noted.

“There's an open question as to what actions of the customer could, in effect, outweigh the bank's own negligence,” Burton said. “Even if we found the bank's actions weren't commercially reasonable, could we find that because of a certain level of customer negligence, it's outweighed and the bank's not going to be liable?”

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.