Online financial fraud and business accounts:
According to Federal law enforcement agencies (see sources below), cyber criminals are targeting the financial accounts of small and medium-sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transactions. Often, these funds may not be recovered.
In light of these risks, business owners should be aware that while federal law affords certain protections to consumer bank accounts against fraudulent losses, business accounts, including small business "DBA" accounts, are not afforded these same protections.
Corporate Account Take-Over Fraud
In a document titled "Fraud Advisory for Businesses: Corporate Account Take Over" (see sources below), Federal law enforcement agencies describe "Corporate Account Take-Over" as a widespread form of targeted online fraud impacting businesses, non-profits, schools and public sector entities that utilize commercial web banking services. Perpetrators of this crime gain control of business customers’ computers and attempt to transfer money out of bank accounts using wire transfers and ACH transactions.
From the fraud advisory:
"To obtain access to financial accounts, cyber criminals target employees – often senior executives or accounting and HR personnel and business partners and cause the targeted individual to spread malicious software (or "malware") which in turn steals their personal information and log-in credentials. Once the account is compromised, the cyber-criminal is able to electronically steal money from business accounts. Cyber criminals also use various attack methods to exploit check archiving and verification services that enable them to issue counterfeit checks, impersonate the customer over the phone to arrange funds transfers, mimic legitimate communication from the financial institution to verify transactions, create unauthorized wire transfers and ACH payments, or initiate other changes to the account. In addition to targeting account information, cyber criminals also seek to gain customer lists and/or proprietary information - often through the spread of malware - that can also cause indirect losses and reputational damage to a business."
The fraud advisory recommends these risk mitigation techniques, among others:
- Educate Employees:
  - "Don't respond to or open attachments or click on links in unsolicited e-mails."
  - "Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem […]"
- Enhance computer and network security:
  - "Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity."
  - "Install routers and firewalls to prevent unauthorized access to your computer or network."
  - "Keep operating systems, browsers, and all other software and hardware up-to-date."
- Enhance the security of financial business processes:
  - "Initiate ACH and wire transfer payments under dual control using two separate computers. For example: one person authorizes the creation of the payment file and a second person authorizes the release of the file from a different computer system. This helps ensure that one person does not have the access authority to perform both functions, add additional authority, or create a new user ID."
  - "If, when logging into your account, you encounter a message that the system is unavailable, contact your financial institution immediately."
Sources & Resources
- The contents of this page, including the recommendations for mitigating fraud risks, are based on information and recommendations from "Fraud Advisory for Businesses: Corporate Account Take Over," developed jointly by the FBI, US Secret Service and others. (www.ic3.gov)
- Computer and online security for small business. (www.onguardonline.gov)