There's no money back if your account is drained by malware

Paul Paget, Savant Protection, Special to ZDNet | February 17, 2011 1:48 PM PST

Summary

Many small to medium-sized businesses have lost ground in keeping up with the evolving malware and endpoint security threats. Look out, says Savant Protection's Paul Paget.

Commentary - Phishing attacks on small and medium-sized businesses are on the rise, with thousands of organizations falling victim. If a cybercriminal gets onto a computer with access to your business' financial accounts they can withdraw funds and your business is out of the money. That's it. Gone. See ya. Have a nice day.

Unlike consumer accounts, which are subject to Federal Reserve Regulation E, which requires banks to provide reimbursement for certain losses, business accounts are not covered by this statute and are therefore not assured repayment for certain losses. So don't bank on getting your money back.

And it's not just big business being targeted any longer. According to the FBI, cybercriminals now have their sights set on the financial accounts of small and medium-sized businesses, leading to significant disruption and substantial monetary loss due to fraudulent transfers from these accounts.

Online job postings could cost you more than you planned
Just last month, the FBI reported that cybercriminals had stolen more than $150,000 from a US business via an unauthorized wire transfer resulting from a malware-infected email. In the latest phishing scams cyberthieves are embedding malware in email responses to job postings placed on employment websites with the aim of obtaining the credentials of an employee authorized to conduct financial transactions within the company. They then easily can change account settings to send wire transfers -- which is just what they did in the latest attack reported by the FBI. In its "New E-Scams & Warnings" the FBI identified the malware as a Bredolab variant, svrwsc.exe, which is a malware connected to the ZeuS/Zbot Trojan and commonly used by cybercriminals to defraud US businesses.

If the cybercriminal can get a company employee to open an infected attachment or click on a link that contains hidden malware they are in the door. The malware logs the keystrokes and allows the thief to "see" and track the employee's activities across the business' internal network and on the Internet - be it visits to a financial institution, and/or online banking credentials. Using this information the thief can and does conduct unauthorized transactions that appear to be legitimate.

What you don't know can cost you
While you read about the latest malware or Trojan, what you may not be hearing about are the financial losses that are hitting local businesses - like the NY marketing firm Little & King, LLC that reportedly faced bankruptcy last year, but apparently recovered, after $164,000 was drained from its account.

While privacy laws may require a business to notify its customers of a database breach, a business checking account that gets robbed in cyberspace does not necessarily require notification. After all it is the cash of the business and not directly associated with customers. So the local business gets robbed, their money wired to who knows where -- lost and never to be recovered -- and no one outside the business is the wiser.

This is an issue for the FBI, which is hamstrung in dealing with the matter because the money moves offshore without a trace, as increments of less than $10,000 are not reported.

And with more small to medium-sized businesses conducting online banking, and with employees using the same computer on which they surf the net to check or store business financial information, things look set to only increase.

And if you assume that the credit card protection policies apply to your business checking account, they do not. This problem is ugly for the banks because the money is withdrawn from them but with your credentials captured by the key-logger, so they avoid the liability.

This could change, but so far has not.

So what can you do?

1. Mind the cookie jar, because no one else is. Protect your business' computers that have access to financial accounts or information. After all, in addition to protecting your customers' privacy, without money to fund your business you have no business.

2. Know your bank's policy on fraudulent business wire transfers before you are hit.

3. Don't rely on traditional reactive anti-virus solutions as they clearly are not enough. Once you've been hit there is no turning back.

4. Implement proactive technologies like application whitelisting, which stops these attacks.

5. Enforce business policies, if possible, to only allow dedicated computers access to financial accounts (although for the small to medium-sized business entrepreneur on the go this is often impractical).

6. Insist that your endpoint protection vendor deal with the problem. Symantec and McAfee are making billions on your annual subscription payments, but are not providing protection from these threats. As a business you may be required to use these anti-virus vendors for PCI DSS and other regulations and standards. They must be laughing all the way to their bank.

While many businesses have spent the past few years achieving compliance, overall small to medium-sized businesses have lost ground in keeping up with the evolving malware and endpoint security threats. If something isn't done quickly your business may not only lose business, you may lose the business. You can take that to the bank.

biography
Paul Paget is CEO of Savant Protection, an application whitelisting provider for SMEs and MSPs. Based in Hudson, NH, Savant Protection's automated application whitelisting is being used by SMEs, including regional banks, credit unions and local governments, as well as MSPs to proactively and easily stop malware and safeguard endpoints. You can contact Paul at Paul.Paget@SavantProtection.com.
