FILE - In this Feb. 27, 2013, file photo illustration, hands type on a computer keyboard in Los Angeles. Tech experts agree that traditional passwords are annoying, outmoded and too easily hacked. Yahoo and Microsoft are offering new log-in solutions via text, facial recognition and fingerprint-identification technology. (AP Photo/Damian Dovarganes, File)

Business bank accounts open to attacks

ASSOCIATED PRESS

It’s a chilling moment when a small business owner discovers hackers have stolen thousands of dollars from the company checking account.

Cybercriminals took an average $32,000 from small business accounts, according to a December survey of owners by the advocacy group National Small Business Association. And businesses don’t have the same legal protection from bank-account fraud consumers have.

The Electronic Funds Transfer Act, passed in 1978, protects individual consumers from bank-account theft but does not mention businesses. Whether a business is protected depends on the agreement it signs with a bank, said Doug Johnson, a senior vice president with the American Bankers Association, an industry group. If the business hasn’t complied with any security measures required by the pact, it could be liable for the stolen money, he said.

Any business is vulnerable, but small companies are less likely than big corporations to have security departments and procedures to guard against online theft. They also don’t have big revenue streams that are better able to absorb losses from a theft. And even if they get the money back, they still have to spend time and money dealing with the hassles of closing accounts and opening new ones.

Sandy Marsico’s company accounts were attacked — twice. Her bank contacted her in December, 2014, saying a transfer of more than $50,000 to Mexico had been requested from her checking account. The thieves had obtained the account information; Ms. Marsico, owner of Sandstorm Design, a Chicago-based marketing company, still doesn’t know how. The bank did an inquiry but didn’t share its findings with her.

Ms. Marsico didn’t approve the transfer, the account was closed, and another opened. But the next November, someone began withdrawing money from the new account in increments ranging from $1,000 to $4,000, $20,000 during one month. Ms. Marsico didn’t discover it until she got her monthly statement.

“My stomach dropped when I wasn’t able to identify these as our charges,” she said.

The bank, which investigated again but didn’t tell Ms. Marsico the results, again reimbursed Sandstorm. She moved some of her accounts to another bank.

Cybercriminals are creative, changing methods as companies and banks find ways to thwart attacks.

Thieves are using realistic-looking emails to trick companies into transferring money from their accounts with what’s known as wire transfers, said Avivah Litan, a security analyst with Gartner, a research company. Often, an employee receives an email purportedly from a company executive asking them to transfer the money from the company’s account into a specific external one. If employees don’t check to be sure the request is legitimate, they might authorize a withdrawal.

The first attack on Ms. Marsico’s account was a wire transfer but not through an email to her company.

The FBI reported last August that more than 7,000 U.S. companies of all sizes had been victimized in emailed attacks since late 2013, with losses of more than $740 million. The government said the number of identified victims had surged 270 percent between January and August of last year. Most of the thieves are believed to be in organized crime groups in Eastern Europe, the Middle East, and Africa, the FBI said.

Criminals can implant malicious software known as malware on a company computer, often via an email that has a link or attachment. If the computer is used to log into a bank account, the malware can record the login and password and send it back to the criminals, who withdraw funds. But many banks have procedures designed to protect against stolen logins. If bank computers don’t recognize a device trying to log in, the bank will send a one-time access code to the account holder on a separate device, such as a phone. A fraudster can’t log in without the code.

Using a computer or smart phone in a public place that has a Wi-Fi environment can be risky too, said Kevin Watson, CEO of Netsurion, a Houston-based firm that provides cybersecurity for small businesses. Some Wi-Fi spots may have weak security, and savvy hackers know how to steal information that someone keys into their device.

And some thieves do it the old-fashioned way, by copying account numbers and routing information from checks and then printing phony drafts and depositing them. One thief made two withdrawals from the checking account at Mark Waring Ventures two months ago, one for $800 and another for $1,000.

“Someone can just look at a check, and they’re a good part of the way to hacking into your account,” said Dave Waring, managing partner of the New York-based company that provides financial and other services to small businesses.

The bank reimbursed Mr. Waring, the account was closed, and he now makes payments electronically.

At Neil Palache’s company, the culprit used a counterfeit debit card. Two thefts totaling $1,400 took place while Mr. Palache was online, looking at his account. The card was immediately canceled. The bank refunded his money, and he received a new card.

“I was thinking, ‘they’re going to wipe me out if this keeps going,’ ” said Mr. Palache, owner of the Wealth Creator Co. for Women, a Westlake Village, Calif., firm that teaches women how to manage their money.

Business accounts are safer at banks that use what’s known as two-factor authentication, requiring unfamiliar account users or devices to supply additional information such as one-time access codes, said Timothy Ryan, a managing director with the security company Kroll in New York. Sophisticated banks also have software that flags emails or attempted logins from unfamiliar Internet service providers, he said.

Additional steps to take:

● Everyone in the company must be hypervigilant about emails, being wary about clicking on links and attachments, and checking the addresses of emails. Criminals may create email addresses that look familiar but that might have an extra letter like an “I” or “i” not apparent at first glance.

● In the case of wire transfers, put procedures in place so several managers must sign off before a transfer can be made.

● Keep a close eye on accounts. If you can’t check your balance daily, get text alerts whenever there’s a withdrawal.

● Don’t log into your bank from an airport, hotel lobby, coffee shop, or other public space with free Wi-Fi. Wait until you’re home or in your office.

“It’s a simple protection for a complex problem, but it takes discipline, and that’s where people fall down,” said Mr. Watson, the Netsurion CEO.

First Published March 20, 2016, 4:00 a.m.
