Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. One of the most frequent questions I get from readers and from my journalist peers is, “How many of these stories are you going to tell?”
The answer is simple: As many as I can verify. The reason is just as plain: I’m finding that most small business owners have no clue about the threats they face or the liability they assume when banking online, even as the frequency and sophistication of attacks appear to be increasing.
I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollar losses from a single virus infection (last week I spoke with people from four different companies that had been victimized over the past two months alone). In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.
In most cases I’ve followed, the banks will do what they can to reverse the fraudulent transactions. But beyond that, the bank’s liability generally ends, because — unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.
Earlier this month, I spoke with the CEO of Eskola LLC, a Treadway, Tenn. roofing firm that had $130,000 stolen from its online bank accounts in a series of five unauthorized wire transfers in late January. The bank was able to reverse most of those transfers, but Eskola was unable to recover more than $30,000 of the stolen money.
“It really took our bank by surprise and triggered a whole series of internal reviews, because they told me they’ve been hit several other times since then,” Jon Eskola said. “They said so far this year, it’s been the number one thing that’s come across their plate, and that this type of crime had increased 500 to 600 percent over a year ago.”
Even in rare cases where the victim’s bank eats the loss, the company hit by the fraud often goes a month or two without the operating capital. In the waning days of January and the beginning of February, thieves hit Orange Family Physicians, a medical practice in Orange, Va., stealing $46,000 and sending it in sub-$8,000 chunks to a half-dozen money mules around the United States. The practice later found that the controller’s PC had been infected with the ZeuS Trojan, a prolific and powerful family of malware used to steal banking credentials and control infected PCs from afar.
Donna Diaz, the controller for Orange Family Physicians, said their bank was only able to reverse $6,000 of the total stolen. For several weeks, it appeared that the bank had no intention of reimbursing Orange for the loss. About the same time that a reporter started snooping around on their behalf, however, the bank refunded all of the missing money.
Diaz said she first learned about the fraudulent payments when the bank sent her an overdraft notice. She said the bank should have flagged the fraudulent transactions as unusual, since they were initiated from four different Internet addresses — none of which were previously associated with the practice.
“When I first talked to the bank, my question to them was, ‘We’ve always done the same five payroll transactions a month, this was outside the norm, so why didn’t you flag them?’” Diaz recalled. “They told me because [the thieves] answered the secret questions correctly and because the amount was under $10,000 and their daily limit, they let it go just based on the amount.”
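As an added illustration that is not part of the original post, here are the checks Diaz describes (a source address the customer has never used, amounts kept under a $10,000 limit, and more items than the usual five payroll payments in a month) written as a simple review routine in Python and run over a constructed payment log modelled on the Orange Family Physicians figures. The IP addresses, payee names, the $10,000 review limit and the 70-percent "just under" band are assumptions, not details from the story.

```python
from collections import Counter
from datetime import date

# Constructed baseline for a practice that runs the same five payroll items
# a month from one office address (203.0.113.10 is a TEST-NET placeholder).
KNOWN_IPS = {"203.0.113.10"}
KNOWN_PAYEES = {"payroll-1", "payroll-2", "payroll-3", "payroll-4", "payroll-5"}
REVIEW_LIMIT = 10_000.00       # assumed per-item review limit, as in the story
NORMAL_MONTHLY_COUNT = 5       # the practice's usual payroll volume

# Constructed payment log: (posting date, amount, source IP, payee).
# The first five are routine payroll; the rest mimic sub-$8,000 mule transfers
# from addresses never associated with the practice, totalling $46,000.
PAYMENTS = [
    (date(2010, 1, 29), 3100.00, "203.0.113.10", "payroll-1"),
    (date(2010, 1, 29), 2950.00, "203.0.113.10", "payroll-2"),
    (date(2010, 1, 29), 2800.00, "203.0.113.10", "payroll-3"),
    (date(2010, 1, 29), 3300.00, "203.0.113.10", "payroll-4"),
    (date(2010, 1, 29), 3000.00, "203.0.113.10", "payroll-5"),
    (date(2010, 1, 31), 7900.00, "198.51.100.7", "mule-a"),
    (date(2010, 1, 31), 7850.00, "198.51.100.9", "mule-b"),
    (date(2010, 2, 1), 7950.00, "192.0.2.44", "mule-c"),
    (date(2010, 2, 1), 7700.00, "192.0.2.45", "mule-d"),
    (date(2010, 2, 2), 7600.00, "198.51.100.9", "mule-e"),
    (date(2010, 2, 2), 7000.00, "192.0.2.46", "mule-f"),
]

def payment_reasons(amount, ip, payee, known_ips, known_payees, limit=REVIEW_LIMIT):
    """Return the reasons a single item deserves a manual hold (empty if none)."""
    reasons = []
    if ip not in known_ips:
        reasons.append("source IP never used by this customer")
    if payee not in known_payees:
        reasons.append("first payment to this payee")
    if 0.7 * limit <= amount < limit:          # assumed "just under the limit" band
        reasons.append("amount sits just under the review limit")
    return reasons

def review(payments, known_ips, known_payees, normal_count=NORMAL_MONTHLY_COUNT):
    """Flag items needing review; a burst above the monthly baseline counts too."""
    month_counts = Counter()
    flagged = {}
    for d, amount, ip, payee in payments:
        month_counts[(d.year, d.month)] += 1
        reasons = payment_reasons(amount, ip, payee, known_ips, known_payees)
        if month_counts[(d.year, d.month)] > normal_count:
            reasons.append("exceeds the customer's usual monthly volume")
        if reasons:
            flagged[(d, payee)] = reasons
    return flagged

if __name__ == "__main__":
    for (d, payee), reasons in review(PAYMENTS, KNOWN_IPS, KNOWN_PAYEES).items():
        print(d, payee, "->", "; ".join(reasons))
```

Routine payroll items produce no reasons, while every constructed mule transfer is held on at least three of them, which is the kind of signal an amount-only rule never sees.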
Jon Eskola said his company had “completely revamped” its in-house process for moving money: While two people from Eskola Roofing have always had to sign off on a payment, that informal dual approval was separate from the bank’s online system, which only required that customers provide the correct user name, password, and answers to secret questions.
Now, when Eskola’s company needs to move money electronically, the bank won’t approve the payment unless it receives confirmation from the company via an out-of-band form of communication, such as a phone call, fax or text message, he said, although he declined to specify which mode his company was using going forward.
Eskola said the banks could do a better job educating customers about the risks they face with banking online, but he allowed that business owners also need to take their share of responsibility.
“The banks need to raise this issue front of mind for small businesses, but the guy who runs that small business really needs to step up and be responsible for his end, too,” Eskola said.
Diaz said she’s all about being responsible, and that she’s learned a great deal from the episode. She said she recently purchased a new laptop, which she uses only for checking her bank’s Web site and for managing the company’s books. “Other than that, it gets locked up in my desk, and I don’t use it for browsing the Web or checking e-mail. I pay my bills on it, do my Quickbooks stuff, and that’s it.”
Still, Diaz said, most small business owners likely don’t have a clue about the sophistication of today’s threats online, or what they stand to lose if they are not hyper-vigilant.
“It’s really kind of sad because it doesn’t seem like there’s much awareness out there by the general public or businesses about how big a deal this can be,” Diaz said. “People think everything is safe in banking online, when it’s really not.”
Indeed, too many company owners remain ignorant of this type of crime and their exposure to it until they become a victim, said Marc F. Quince, special agent for the Virginia State Police’s Bureau of Criminal Investigation.
“There are no simple answers,” Quince said. “Law enforcement, financial institutions, and computer users need to do a better job all the way around preparing themselves for this type of attack.”