There's no money back if your account is drained by malware

Commentary - Phishing attacks on small and medium-sized businesses are on the rise with thousands of organizations falling victim. If a cybercriminal gets on to a computer with access to your business' financial accounts they can withdraw funds and your business is out of the money. That's it. Gone. See ya. Have a nice day.

Unlike consumer accounts that are subject to Federal Reserve Regulations E which require banks to provide reimbursement for certain losses, business accounts are not covered by this statute and therefore not assured repayment for certain losses. So don't bank on getting your money back.

And it's not just big business being targeted any longer. According to the FBI, cybercriminals now have their sights set on the financial accounts of small and medium-sized businesses, leading to significant disruption and substantial monetary loss due to fraudulent transfers from these accounts.

Online job postings could cost you more than you planned
Just last month, the FBI reported that cybercriminals had stolen more than $150,000 from a US business via an unauthorized wire transfer resulting from a malware infected email. In the latest phishing scams cyberthieves are embedding malware in email responses to job postings placed on employment websites with the aim of obtaining the credentials of an employee authorized to conduct financial transactions within the company. They then easily can change account settings to send wire transfers -- which is just what they did in the latest attack reported by the FBI. In its "New E-Scams & Warnings" the FBI identified the malware as a Bredolab variant, svrwsc.exe, which is a malware connected to the ZeuS/Zbot Trojan and commonly used by cybercriminals to defraud US businesses.

If the cybercriminal can get a company employee to open an infected attachment or click on a link that contains hidden malware they are in the door. The malware logs the key strokes and allows the thief to "see" and track the employee's activities across the business' internal network and on the Internet - be it visits to a financial institution, and/or online banking credentials. Using this information the thief can and does conduct unauthorized transactions that appear to be legitimate.

What you don't know can cost you
While you read about the latest malware or Trojan what you may not be hearing about are the financial losses that are hitting local businesses - like the NY marketing firm Little & King, LLC that reportedly faced bankruptcy last year, but apparently recovered, after $164,000 was drained from its account.

While privacy laws may require a business to notify its customers of a database breach, a business checking account that gets robbed in cyberspace, does not necessarily require notification. After all it is the cash of the business and not directly associated with customers. So the local business gets robbed, their money wired to who knows where -- lost and never to be recovered -- and no one outside the business is the wiser.

This is an issue for the FBI which is hamstrung to deal with the matter because the money moves offshore without a trace as increments of less than $10,000 are not reported.

And with more small to medium-sized businesses conducting online banking and with employees using the same computer they surf the net to check or store business financial information things look set to only increase.

And if you assume that the credit card protection policies apply to your business checking account, they do not. This problem is ugly for the banks because the money is withdrawn from them but with your credentials captured by the key-logger, so they avoid the liability.

This could change, but so far has not.

So what can you do?

1. Mind the cookie jar, because no one else is. Protect your business' computers that have access to financial accounts or information. After all, in addition to protecting your customers' privacy, without money to fund your business you have no business.

2. Know your bank's policy on fraudulent business wire transfers before you are hit.

3. Don't rely on traditional reactive anti-virus solutions as they clearly are not enough. Once you've been hit there is no turning back.

4. Implement proactive technologies like application whitelisting which stops these attacks.

5. Enforce business policies, if possible, to only allow dedicated computers access to financial accounts (although for the small to medium-sized business entrepreneur on the go this is often impractical).

6. Insist that your endpoint protection vendor deal with the problem. Symantec and McAfee are making billions on your annual subscription payments, but are not providing protection from these threats. As a business you may be required to use these anti-virus vendors for PCI DSS and other regulations and standards. They must be laughing all the way to their bank.

While many businesses have spent the past few years achieving compliance, overall small to medium-sized businesses have lost ground in keeping up with the evolving malware and endpoint security threats. If something isn't done quickly your business may not only lose business you may lose the business. You can take that to the bank.

biography
Paul Paget is CEO of Savant Protection, an application whitelisting provider for SMEs and MSPs. Based in Hudson, NH, Savant Protection's automated application whitelisting is being used by SMEs, including regional banks, credit unions and local governments, as well as MSPs to proactively and easily stop malware and safeguard endpoints. You can contact Paul at Paul.Paget@SavantProtection.com.