Cyber-Gangs Raid Small Businesses

CU360
October 5, 2009 | COMMENTS

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size U.S. businesses, setting off a multimillion-dollar online crime wave.

A task force representing the financial industry sent out an alert in August outlining the problem and urging its members to implement many of the precautions now used to detect consumer bank and credit card fraud.

“In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds-transfer fraud involving the exploitation of valid banking credentials belonging to small and medium-sized businesses,” the confidential alert says.

Because the targets tend to be smaller, the attacks have attracted little of the notoriety that has followed larger-scale breaches at big retailers and government agencies. But the industry group said some companies have suffered hundreds of thousands of dollars or more in losses.

Many have begun to come forward to tell their tales. In July, a school district near Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000.

In many cases, the advisory warned, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company's controller or treasurer, a message that contains either a virus-laden attachment or a link that—when opened—surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks' anti-money-laundering reporting requirements.

These scams typically rely on help from “money mules”—willing or unwitting individuals in the U.S. —often hired by the criminals via popular Internet job boards. Once enlisted, the mules are instructed to set up bank accounts, withdraw the fraudulent deposits and then wire the money to scammers, the majority of which are in Eastern Europe, according to the advisory.

The Financial Crimes Enforcement Network—a Treasury Department division that tracks suspected cases of fraud reported by banks—said wire-transfer fraud rose 58% in 2008. But reliable figures about losses from commercial online banking fraud are hard to come by, and many incidents go unreported.

“The data is not quite where it could be, and we don't have a good benchmark in terms of determining the prevalence of this type of fraud,” said Cliff Stanford, director of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta. “As a result, financial institutions and consumers might not fully understand where they need to best deploy additional security measures.”

Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.

In contrast, companies that bank online are regulated under the Uniform Commercial Code, which gives commercial banking customers roughly two business days to spot and dispute unauthorized activity if they want to try to recover unauthorized transfers from their accounts.

“Few commercial banks have invested in back-end technologies to detect fraudulent or unusual transactions for businesses,” says Avivah Litan, a fraud analyst with Gartner. “Financial institutions spend a lot of money protecting consumers because they owe money if consumers lose money,” Litan said. “But institutions don't spend the same resources on corporate accounts because they don't have to refund corporate losses.”

In April, after cyber-crooks stole $1.2 million from a plumbing equipment supply company in Sugar Land , Texas , a forensic analysis showed the attackers used malware planted on its computers to initiate 43 transfers out of the company's account within 30 minutes. The intruders sent some of the funds directly to Eastern Europe and funneled the remainder through people in the U.S. Because the company spotted the fraud quickly, its bank was able to retrieve all but $190,000 of the stolen money.