New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.

On the way home from the store last week I caught a Public Radio/Marketplace story in which the radio show interviewed a small business owner who was nudged into banking online after discovering a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.

The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace’s David Brancaccio interviewed a woman from Northern New Hampshire:

“The bank with her personal account still sends monthly statements printed on paper, through the mail, for free. Old school. But this year, one of her business accounts started charging money for paper statements.

Johnson: That’s right.

Brancaccio: How much?

Johnson: $9.99 a month.

Brancaccio: Really?

Johnson: Yes.

Brancaccio: When did you actually notice?

Johnson: My bank statement, my paper bank statement! is how I found it!

“It’s a growing trend in banking. For instance, Bank of America has something called the E-banking account where paper statements and routine visits to a human teller cost money. It’s now in more than three dozen states. B of A says techno-savvy customers seem fine with online-only in exchange for no minimum cash balances in the account.”

Johnson didn’t say which bank her commercial account was at.  And for its part, BofA’s eBanking plan only applies to consumer accounts, not businesses. But if this type of trend becomes more mainstream among commercial banking customers, more and more small businesses will be pushed into banking online without knowing how to protect themselves from organized cyber thieves that have stolen at least $70 million from small to mid-sized organizations over the last few years.

Banks using fees to push customers away from traditional offline banking will at least be a boon to companies offering security services to the banks, said Dave Jevans, chairman of the Anti-Phishing Working Group, an industry consortium.

“You’re going to see a lot more unsophisticated users entering the channel,” Jevans said.

Avivah Litan, a fraud analyst with Gartner Inc., said banks should not be pushing more businesses into online banking without adequately informing them of the risks.

“It’s not a good time to be forcing people online unless you’re protecting their rights, or at least making sure they’re fully aware of the risks,” Litan said. “This is happening at the same time the banking industry groups are urging businesses to bank online only from locked down, dedicated systems. But the individual banks don’t want to talk about this with their customers.”

What does it take to harden your network, computers, and employees against this type of attack? Apparently, that’s a difficult question to answer succinctly. Last week, the FBI, the Secret Service, the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center jointly issued a nine-page fraud advisory (PDF) for businesses that warned of high-dollar losses from commercial account takeovers.

“Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts,” the advisory begins. “Often these funds may not be recovered.”

The section on how to protect, detect and respond to these attacks spans five pages of bullet-pointed dos and don’ts. The entire paper should be required reading for every business owner who banks online, but based on interviews with dozens of victims, I’d say that a majority of these attacks could have been stopped had the victims observed the following precautions:

-Use a dedicated computer for online banking — if possible, one that does not run Microsoft Windows (emphasis on non-Windows usage mine).

-Reconcile your accounts daily.

-Talk to your financial institution about Positive Pay and other “out-of-band” services such as SMS texting, call backs, and batch limits to help protect against altered or counterfeit checks and unauthorized transactions.

The financial and law enforcement group that issued the report also issued a separate alert for consumers (PDF), which warns consumers to stay away from work-at-home job schemes and to avoid phishing scams. The consumer version of the alert is much smaller because business owners do not enjoy the same legal protections as consumers when things go wrong with online banking. As a result, a business that suffers an account hijacking is likely to lose any money from fraudulent transfers that their bank cannot reverse.

Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin‘s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.

Click the individual images below for an enlarged version.