IT Value

Don’t Click That Link

Malware lurking in e-mail can enable hackers to loot corporate bank accounts.
David McCann, July 1, 2010

An in-vogue form of electronic bank fraud targeting corporations relies on a sophisticated scheme but starts with a mundane activity: an employee checking e-mail.

In what is often called a corporate account takeover, someone who accesses e-mail from the computer that a company uses to execute online banking transactions unwittingly clicks on a link or attachment that contains malware, such as a keylogging virus. A keylogger records all the keystrokes made from the computer, thus passing banking credentials and passwords to a hacker.

The fraud perpetrator then spoofs (or impersonates) the IP address of the computer so that the bank doesn’t recognize the imposter. Then, typically, the money is wired to accounts at other banks set up by unwitting “money mules,” notes Michael Law, fraud prevention manager at Superior Bank, a regional institution in the Southeast.

The mules’ role is to wire the money overseas, where most of the thieves are located. In one common scenario, Law says, people become money mules by answering vaguely worded classified ads offering the opportunity to work flexible hours from home as, say, a bookkeeper or funds-transfer agent. They are instructed to open a bank account to handle transactions for the supposed employer, into which the stolen money is deposited, and then to wire it to an overseas account from a commercial wire service such as Western Union.

Banks are dealing with a surge of such scams, according to Law. “It’s very hot, because it can be very lucrative,” he says.

Often banks detect the phony transactions and contact the mules’ banks before the money is wired out of the country. “I have seen situations in the past where customers’ accounts have been hacked into with tens of thousands of dollars wired to money mules at different banks across the country,” says Law. “In some of those cases, the money has already been wired out to sophisticated criminals in other countries.”

The thieves generally keep transactions under $10,000 because a withdrawal of that amount or higher requires the bank to file a currency transaction report with the IRS, and banks carefully scrutinize each day’s CTRs, Law says.

To prevent this type of fraud, a company should disable e-mail access from its banking computer, create clear policies for handling unsolicited e-mails, and consider requiring multiple officers using different computers to approve bank wires, says Ron Box, CFO and CIO of Joe Money Machinery, a dealer of heavy-construction equipment.
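Two of the controls discussed above can be checked mechanically from a company's own wire records: the structuring pattern Law describes (several wires to new beneficiaries, each kept just under the $10,000 reporting threshold, in a single day) and Box's dual-approval rule (two officers on two different computers). The following is an added illustration, not code from the article or from any bank or company it names; the wire records, the officer and workstation names, the 9,000-to-9,999 "just under" band and the two-per-day trigger are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

CTR_THRESHOLD = 10_000.00   # reporting threshold the article cites
NEAR_FLOOR = 9_000.00       # assumption: "just under" means 9,000 up to but not including 10,000
MIN_DAILY_HITS = 2          # assumption: two or more such wires in one day is worth an alert

# Constructed sample data (not from the article). Each wire records who approved it
# and from which workstation, as a list of (officer, workstation) pairs.
ESTABLISHED_BENEFICIARIES = {"ACME Supply"}
WIRES = [
    {"id": 1, "date": date(2010, 6, 14), "amount": 4200.00, "beneficiary": "ACME Supply",
     "approvers": [("cfo", "ws-01"), ("controller", "ws-02")]},
    {"id": 2, "date": date(2010, 6, 15), "amount": 9800.00, "beneficiary": "J. Doe",
     "approvers": [("cfo", "ws-01")]},
    {"id": 3, "date": date(2010, 6, 15), "amount": 9500.00, "beneficiary": "R. Roe",
     "approvers": [("cfo", "ws-01")]},
    {"id": 4, "date": date(2010, 6, 15), "amount": 9950.00, "beneficiary": "S. Poe",
     "approvers": [("cfo", "ws-01"), ("cfo", "ws-01")]},   # same officer twice
    {"id": 5, "date": date(2010, 6, 16), "amount": 9700.00, "beneficiary": "ACME Supply",
     "approvers": [("cfo", "ws-01"), ("controller", "ws-01")]},  # same workstation
]

def is_just_under_threshold(amount):
    """True when the amount sits in the band just below the reporting threshold."""
    return NEAR_FLOOR <= amount < CTR_THRESHOLD

def structuring_alerts(wires, established=ESTABLISHED_BENEFICIARIES):
    """Per day, ids of wires to never-before-seen beneficiaries kept just under the
    threshold; a day is reported only when MIN_DAILY_HITS or more such wires occur."""
    hits = defaultdict(list)
    for w in wires:
        if w["beneficiary"] not in established and is_just_under_threshold(w["amount"]):
            hits[w["date"]].append(w["id"])
    return {d: ids for d, ids in hits.items() if len(ids) >= MIN_DAILY_HITS}

def approval_violations(wires):
    """Ids of wires not approved by two different officers on two different workstations."""
    bad = []
    for w in wires:
        officers = {officer for officer, _ in w["approvers"]}
        stations = {station for _, station in w["approvers"]}
        if len(officers) < 2 or len(stations) < 2:
            bad.append(w["id"])
    return bad

if __name__ == "__main__":
    print("structuring alerts:", structuring_alerts(WIRES))
    print("approval violations:", approval_violations(WIRES))
```

On the sample records, the three June 15 wires trip the structuring alert, and wires 2 through 5 fail dual approval (a single approver, the same officer twice, or two officers on one workstation).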

Box notes that in addition to using Joe Money’s treasury workstation, as a practical matter he also performs online transactions from his own computer. Corporate firewalls generally cannot prevent some of the more sophisticated keylogger e-mails from reaching the computer of an officer with access to online accounts, says Box, who frequently conducts educational sessions on data security and electronic fraud prevention for the American Institute of Certified Public Accountants.

Banks have been held liable for losses created by this kind of fraud in a number of recent decisions on lawsuits filed by victimized companies, though there are legal gray areas. “Failure to take advantage of appropriate online security offered by your bank may shift the burden of liability for a preventable technology-based fraud back to your company,” says Box.