Banks should help educate their business customers about PC security in light of the increase in fraudulent wire and ACH transfers, said the Federal Deposit Insurance Corporation's cyber fraud chief.
Just as consumers are advised to have antivirus and firewall protection on their computers, banks' business customers need to be educated about the importance of security software and safe computing practices, according to Michael Benardo, chief of the cyber fraud and financial crimes section at the FDIC. The educational effort is one step financial institutions can take to help thwart the increase of fraudulent electronic funds transfers (EFTs), Benardo said.
Last week, the FDIC issued an alert to financial institutions that provide Web-based payment origination services to business customers, citing increased reports of fraudulent EFTs such as automated clearing house (ACH) and wire transfers. According to the FDIC, most of the fraudulent transfers involved business customers whose online banking software credentials were compromised; the trend has been occurring over the past year.
The alert, Benardo said, was intended as a general notice to ensure the financial institutions that the FDIC supervises were aware of the problem. Similar alerts were reportedly issued by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA, the electronic payments association that oversees the ACH network.
Criminals are targeting Web-based commercial EFT origination applications with malware that can infect a business customer's computer via a website or an email attachment, the FDIC said. The malware can be very difficult to detect and can stay dormant until a customer initiates a specific online banking session.
Commercial bank accounts aren't covered by the same protections as consumer accounts, Benardo added. "That could be one reason crooks are going after them. Also, they might have a larger balance than a consumer account, which could be a more attractive target."
In addition to recommending security awareness training for business customers, Benardo referred financial institutions to the FFIEC's guidance on authentication for online banking and its booklets on information security and retail payment systems.
"Crime always tends to follow the path of least resistance and look for the easiest or more profitable targets," Benardo said.
Industry experts reported earlier this summer that ACH fraud was on the rise.
Craig Priess, co-founder and vice president of marketing at Guardian Analytics Inc., an online banking security technology provider based in Los Altos, Calif., said fraudsters typically are targeting small businesses and use social engineering or malware to steal the credentials of the controller or other employee with access to the online banking application.
"This pattern is being repeated a lot. A business banking customer's account is compromised, the fraudster has lined up a bunch of mules; most of them are unwitting in this whole thing," he said. "Once everything is in place, the fraudster will log into this account and set up a big batch of ACH transfers to these mules, which will all be under $10,000. All the mules are standing by to receive the money and immediately withdraw the money from their account and wire it using Western Union to the criminals."
Priess said fraudsters go through a lot of trouble to learn how to compromise a specific banking platform; some banks build their own, but many license online banking software. "Once they've cracked the nut with one platform or one bank, they'll try to get it for all its worth. They'll try to figure out all the banks that use the platform," he said.
Jacob Jegher, senior analyst in the banking group at Celent LLC, a Boston-based financial research and consulting firm, wrote in a blog post Monday that the FDIC's alert was of particular concern since more banks are trying to increase use of the online channel for payments. Banks are offering small businesses and even some consumers the ability to send wires online, he said.
He recommended banks take several steps, including: implementing a transaction-monitoring system; adopting out-of-band authentication solutions; considering the offering of mobile soft tokens; and emphasizing new customer education tools.