All Bethany Moore did was open an e-mail that appeared to be from UPS and click on an attachment about a supposed lost package. Now she’s fighting to save her small escrow company in Southern California from financial ruin.
The cause of her company’s sudden misfortune? A cyber scam in which fraudsters used a phony e-mail message to insert a virus into her computer system. They nabbed her online banking password and helped themselves to more than $400,000 of her company’s money through a series of wire transfers.
The story is a lesson to other small businesses—including real estate companies—which are increasingly targets for this type of cyber crime, often called a “corporate account takeover.” The Federal Deposit Insurance Corp. says such fraud has resulted in millions of dollars in losses, frayed business relationships, and countless legal battles between banks and businesses.
Smaller companies make particularly attractive targets because they don’t typically have sophisticated technology staff to keep watch on things. And banks have had little incentive to upgrade online banking security because they’re not liable for losses in the case of a breach, as they are with consumer accounts.
Under the 1978 Electronic Funds Transfer Act, banks are responsible for keeping consumer accounts safe from online fraud, says James Woodhill, chairman and founder of Washington, D.C.-based Authentify Inc., which helps weed out fraudulent transactions. But no similar laws are on the books for business accounts. “The thinking is, those who are sophisticated enough to manage a business account are sophisticated enough to manage their own security,” says Thomas Tauzin, vice president of Capitol Hill Consulting Group.
Fortunately, that thinking is starting to change. In California, a proposed bill would require banks with online banking services to boost security, in part by requiring them to use “out-of-band” verification that uses a channel other than the Web—most typically, the phone—to approve wire transfers.
The federal government is waking up to the problem as well. A proposed bill would extend banks’ liability under the Electronic Funds Transfer Act to include public entities such as schools and municipalities. That would be an important first step for small businesses because it acknowledges that banks share responsibility for fraudulent wire transfers.
Some banks do offer online fraud protection as part of their service package to small businesses. If your bank doesn’t offer that, major insurance carriers offer protection. Travelers, for instance, combines coverage for electronic funds transfer fraud with coverage for computer fraud. Check with your existing provider or contact an insurance broker.
Moore (which is not her real name; she asked to remain anonymous) is currently in litigation with her bank to seek some repayment.
“I was floored that the bank wasn’t accountable at all,” she says. “Once I alerted them, they cut down all communication with me. I couldn’t access the account. They just said, ‘I hope you have insurance.’”
Reduce Your Risks: Expert Tips for Avoiding Online Fraud
Talk to your bank. Especially before opening a new account, ask the bank how it prevents cyber theft and whether it will cover losses for business clients. If yes, ask your banker to sign an agreement to that effect, Tauzin says. “That kind of proactive stance is what will help motivate banks to get serious about cyber theft of their business customers.”
Keep tabs on your account. Check your online bank account daily, regardless of whether you performed banking activity. And change your banking passwords on a regular basis.
Think before you click. Attachments loaded with malicious software can steal online banking credentials from your computer. Be cautious about opening any attachment, clicking on links, or downloading files from an e-mail.
Confirm that your security software is active and current. At a minimum, your computer should have antivirus and antispyware software and an active firewall. If you suspect your computer is infected, stop shopping, banking, and other online activities that involve user names, passwords, and other sensitive information.
Visit www.onguardonline.gov, a site maintained by the Federal Trade Commission that provides advice on avoiding Internet fraud and securing your computer.