Online banking security risks have received more attention from me than any other information security topic, and rightfully so. Few other business risks can put a company out of business so quickly, but the fraudulent theft of an entire bank account could force closure if invoices and payroll cannot be paid. After analyzing a number of recent frauds, the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing typical fraud methods and ways to protect your business from becoming a victim.
The advisory begins by noting that cyber criminals are targeting the financial accounts of owners and employees of small and medium-sized businesses, and that the result has been significant disruption and often unrecoverable lost funds (as we have noted here before, because regulations do not adequately protect businesses right now). Several examples are provided that closely resemble cases we have highlighted previously. The method of compromise described is a targeted phishing email that either carries an infected attachment or contains a link which, when clicked, sends the victim to a malicious site that compromises their machine. Once the machine is compromised, keylogging software is installed to record keystrokes, and the online banking credentials are captured when the victim logs into the account from that machine. The thieves then strike at an opportune time to drain the accounts, often in increments of $10,000 or less to avoid suspicion.
What does the FBI Advisory recommend to avoid becoming a victim?
1. Educate your users not to respond to unsolicited emails and never to open attachments or click links in them. If a message appears to come from a financial institution or government agency and you believe it is legitimate, contact that institution directly and leave the suspicious files or links alone.
2. Enhance the security of your business banking processes. The FBI recommends dual control, where one person creates a payment and a second person authorizes its release from a separate system. This segregates duties and also helps mitigate conventional, non-cyber fraud, but be warned that the attackers often compromise several users at the same company, so dual control alone is not foolproof (though it is a useful additional security step). The FBI also recommends SMS text or direct phone notifications of payments, which can help detect a fraud early in the process and limit the damage.
3. Monitor accounts daily. The sooner you detect a problem, the sooner you can work on correcting it and recovering your losses.
4. Pay attention to any warning signs that a machine may be compromised, including antivirus warnings, pop-up alerts, sluggish response, or failure to shut down or restart properly.
5. Understand your responsibilities and liabilities. This recommendation is useful because many businesses have a false sense of security and believe that the protections of consumer banking law also apply to their business accounts. They often do not, so find out now so you can make an informed decision about whether the benefits of online banking are worth the risks it entails.
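The daily monitoring recommendation is only useful if someone knows what to look for. The pattern the advisory describes is distinctive: several outbound payments to payees the business has never paid before, each sitting just under $10,000, adding up to a total far above the company's normal daily outflow. The following is an added example written for this post, not code from the FBI advisory or from any bank; it checks one day of exported transfers against those three signals. The transaction records, the list of known payees and the baseline daily outflow are constructed sample data, and the 25% "near the threshold" band and the 3x outflow multiplier are assumed tuning values, not figures from the advisory.

```python
"""Daily review of outbound transfers for the fraud pattern described in the
FBI advisory: several just-under-$10,000 payments to never-before-seen payees.
Added example; thresholds and sample data are assumptions, not advisory figures."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Transfer:
    when: datetime
    payee: str
    amount: float      # outbound amount in USD
    channel: str       # "ACH" or "WIRE"


REPORTING_THRESHOLD = 10_000.00   # the amount the thieves are described as staying under


def review_day(transfers, known_payees, day, baseline_daily_outflow,
               band=0.25, min_count=2, outflow_multiplier=3.0):
    """Return a list of (rule, detail) alerts for one calendar day.

    known_payees: payee names the business has paid before (assumed to come from
    an approved-vendor list; hypothetical input).
    baseline_daily_outflow: typical total outbound per day, e.g. a 30-day average.
    """
    todays = [t for t in transfers if t.when.date() == day]
    alerts = []

    # Rule 1: any outbound payment to a payee never seen before.
    new_payee_transfers = [t for t in todays if t.payee not in known_payees]
    for t in new_payee_transfers:
        alerts.append(("NEW_PAYEE", f"{t.channel} {t.amount:.2f} to {t.payee}"))

    # Rule 2: structuring. Several payments to new payees that sit just under
    # the reporting threshold (within `band` of it) on the same day.
    low = REPORTING_THRESHOLD * (1 - band)
    near = [t for t in new_payee_transfers if low <= t.amount < REPORTING_THRESHOLD]
    if len(near) >= min_count:
        total = sum(t.amount for t in near)
        alerts.append(("STRUCTURING",
                       f"{len(near)} transfers under {REPORTING_THRESHOLD:.0f}, total {total:.2f}"))

    # Rule 3: total outflow far above the business's normal daily volume.
    total_out = sum(t.amount for t in todays)
    if total_out > outflow_multiplier * baseline_daily_outflow:
        alerts.append(("DAILY_OUTFLOW",
                       f"{total_out:.2f} vs baseline {baseline_daily_outflow:.2f}"))
    return alerts


# Constructed sample data: a normal day of vendor payments, then a day that
# matches the advisory's pattern (three new payees, each just under $10,000).
KNOWN_PAYEES = {"Acme Office Supply", "City Power & Light", "Payroll Provider Inc"}
BASELINE_DAILY_OUTFLOW = 5_000.00
NORMAL_DAY = date(2024, 3, 11)
FRAUD_DAY = date(2024, 3, 12)
SAMPLE_TRANSFERS = [
    Transfer(datetime(2024, 3, 11, 9, 5), "Acme Office Supply", 1_250.00, "ACH"),
    Transfer(datetime(2024, 3, 11, 14, 20), "City Power & Light", 3_400.00, "ACH"),
    Transfer(datetime(2024, 3, 12, 6, 2), "J. Doe", 9_800.00, "ACH"),
    Transfer(datetime(2024, 3, 12, 6, 4), "M. Smith", 9_500.00, "ACH"),
    Transfer(datetime(2024, 3, 12, 6, 7), "R. Jones", 9_950.00, "WIRE"),
    Transfer(datetime(2024, 3, 12, 10, 30), "City Power & Light", 2_100.00, "ACH"),
]


def alert_rules(day):
    """Convenience wrapper: just the rule names fired for a sample day."""
    return [rule for rule, _ in
            review_day(SAMPLE_TRANSFERS, KNOWN_PAYEES, day, BASELINE_DAILY_OUTFLOW)]


if __name__ == "__main__":
    for day in (NORMAL_DAY, FRAUD_DAY):
        print(day, review_day(SAMPLE_TRANSFERS, KNOWN_PAYEES, day, BASELINE_DAILY_OUTFLOW)
              or "no alerts")
```

In practice the transfer list would come from the bank's daily export and the known-payee set from the accounts-payable system, and a NEW_PAYEE alert would feed the same out-of-band phone or SMS confirmation the advisory recommends. The three early-morning transfers on the fraud day are the detail to notice: the thieves are described as timing their withdrawals, so a check that runs before business hours catches them while the bank may still be able to recall the payments.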