Business Accounts Are Vulnerable Targets for Cyberattacks

Business accounts are vulnerable targets for cyberattacks. The owner of a small business discovers someone has stolen thousands of dollars from the company checking account. Turns out it was a hacker. Unfortunately, it’s a scenario that happens every day.

According to a survey of owners by the National Small Business Association, cybercriminals took an average of $32,000 from small business accounts. Sadly, unlike consumers, businesses don’t have the same legal protection from bank account fraud.

Passed in 1978, the Electronic Funds Transfer Act is designed to protect individual consumers from bank account theft, but it is silent about businesses. A business’s protection depends on the agreement it signs with its bank, which generally requires strict compliance with the bank’s security requirements.

Small companies are usually more vulnerable because they lack internal safeguards, and they seldom have the resources to recover from such an unprotected theft, not to mention the time and money spent installing new safeguards.

How it happens
As quickly as companies and banks change their practices, cybercriminals find new ways to infiltrate bank accounts. A popular scam is to trick companies into bogus wire transfers: an unwitting employee responds to an email that appears to come from another employee, asking for a payment to be made via wire transfer to an external account. Too often, employees comply without checking the legitimacy of the request.

According to the government, there was a 270% increase in such activity in the first 8 months of 2015, and organized crime groups in Eastern Europe, the Middle East and Africa are most often responsible.

Another method is planting malicious software, or “malware,” on a company computer, often via an email containing a link or attachment that, when opened, embeds a program that can record the company’s bank login and password and send them back to the criminals, who can then withdraw funds. Using a computer or smartphone in a public place that has a Wi-Fi environment can also be risky. Some Wi-Fi spots may have weak security, and savvy hackers know how to steal information that someone keys into their device.

Thankfully, many banks today have procedures designed to protect against stolen logins. If bank computers don’t recognize a device trying to log in, the bank will send a one-time access code to the account holder on a separate device like a phone. Without that code, a fraudster can’t log in.

What you can do
Sophisticated banks have software that flags emails or attempted logins from unfamiliar Internet service providers and use what’s known as two-factor authentication, requiring unfamiliar account users or devices to supply additional information like one-time access codes.
Additional steps owners can take:

* Everyone in the company must be hypervigilant about emails, being wary about clicking on links and attachments and checking the addresses that emails came from. Criminals often create email addresses that look similar to your company’s format but have an extra character like an “I” or “i” which is not readily apparent.

* Initiate or strengthen procedures so several managers must sign off before a transfer can be made.

* Check your bank balance daily and initiate a text alert system whenever there’s a withdrawal.

* Avoid logging into your bank from public spaces like coffee shops, airports and hotel lobbies, or basically anywhere that offers free Wi-Fi. It is a sound practice to log in only when you have access to a secure Internet connection, such as in your home or office.
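
The address check in the first step above can also be automated, for example in a mail filter or a payment-request review script. The following is an added example, not part of the original article: the trusted domain `examplecorp.com` and every sample address are constructed, and it assumes the sender is given as a plain address.

```python
# Added example: flag sender domains that imitate a trusted company domain.
# TRUSTED and all sample addresses are constructed for illustration.
TRUSTED = {"examplecorp.com"}

# Characters that are easily mistaken for one another on screen.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(domain: str) -> str:
    """Fold look-alike characters so 'exampIecorp' and 'examplecorp' compare equal."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserted, deleted or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender address."""
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Distance 0 after folding means a confusable swap (I for l);
        # distance 1-2 means an extra, missing or changed character.
        if edit_distance(skeleton(domain), skeleton(good)) <= 2:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for addr in ("ceo@examplecorp.com", "ceo@exampIecorp.com",
                 "ceo@examplecorpi.com", "billing@vendor-supplies.net"):
        print(f"{addr:32} {classify(addr)}")
```

A threshold of 2 suits domains of about this length; very short domains need a tighter threshold so that unrelated senders are not flagged.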

Update: Scam – Requests for Information Returns

Multiple phishing scams are being reported in which employees, employers, and HR departments are asked to submit copies of information returns (W-2s and 1099s) by email to resolve tax issues. The Department of Revenue (DOR) does not make requests for copies of information returns by email and does not request that information returns be submitted to it via email due to the personally identifiable information they contain.

DOR is currently reconciling millions of information returns (e.g., W-2s, 1099s) it received in January and February with the withholding reported by payers on Form WT-7 and individuals on income tax returns. In doing so, DOR may request copies of information returns it has not received or needs to verify. DOR makes such requests by letter through the U.S. Mail – not by email.


For more information on this and other topics affecting your finances and taxes, please contact a member of our staff at (414)352-3200 or at info@mrsc.com.