Alert: Business Identity Theft – What Every CFO and CEO Should Know

Background
Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered.
To get an idea of the magnitude of this problem, take a look at some recent national news headlines from the likes of The New York Times, The Washington Post, Computer World, and Krebs on Security:
  • “N.Y. Firm Faces Bankruptcy from $164,000 e-Banking Loss”
  • “e-Banking Bandits Stole $465,000 From Calif. Escrow Firm”
  • “La. Firm Sues [Bank] After Losing Thousands in Online Bank Fraud”
  • “Cyber Attackers Empty Business Accounts in Minutes”
  • “Firm Blames Bank for $50,000 Cyber Heist”
How it’s Done
To obtain access to financial accounts, cyber criminals target employees – often senior executives or accounting personnel – and trick the targeted individual into installing malicious software (“virus” or “malware”), which in turn steals their personal information and log-in credentials. Once the online bank account is compromised, the criminal can initiate funds transfers by ACH or wire to the bank accounts of associates within the U.S., or directly overseas by wire.
Criminals employ various methods to obtain a business’ legitimate banking credentials, including mimicking an institution’s website and using malware and viruses to compromise the business’ systems. For example, a business’ systems may be compromised by:
  • An infected document attached to an email
  • Employees visiting legitimate websites – especially social networking sites – and clicking on the infected documents, videos, or photos posted there
  • An employee using a flash drive that was infected by another computer
  • A link within an email that connects to an infected website. For example, a message claiming to come from:
    – UPS (e.g., “There has been a problem with your shipment.”)
    – Financial institutions (e.g., “There is a problem with your banking account, please reconfirm your ID and password.”)
    – Better Business Bureaus (e.g., “A complaint has been filed against you.”)
    – Court systems (e.g., “You have been served a subpoena.”)
How to Protect
Business Identity Theft can be perpetrated in a number of ways. It can also be mitigated in a number of ways. For example:
Enhance the security of your computer and networks
  • Install and maintain real-time anti-virus, anti-spyware, desktop firewall, and malware detection and removal software. Use these tools regularly to scan your computer. Enable automatic updates and scheduled scans.
  • Install routers and firewalls to prevent unauthorized access to your computer or network.
  • Perform IT Security evaluations periodically.
Enhance the security of your corporate banking processes and protocols
  • Dedicate one highly secured computer exclusively to online banking and cash management activity.
  • Do not perform online banking and cash management activities in Wi-Fi hotspots, including airports or Internet cafes.
  • Initiate wire and ACH files using dual control – for example, file creation by one employee and file approval and release by another employee on a different computer with a different user id.
  • Review accounts regularly. This enhances the ability to quickly detect unauthorized activity and allows the business and the financial institution to take action to prevent or minimize losses.
  • Discuss the options offered by your financial institution to help detect or prevent unauthorized payments or changes to your accounts.
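As an added illustration of the dual-control and regular-review bullets above (example code written for this alert, not code from the original page, from Kaufman Rossin, or from any bank’s cash management platform): a payment file is released only when a second user id on a second workstation approves it, and a review pass over one day’s outgoing transfers lists the items a reviewer should look at first. The `PaymentFile` layout, the activity record fields, the “known countries” set and the review threshold are all assumptions made for illustration.

```python
# Added example for this alert (not code from the original page or from
# Kaufman Rossin): a minimal dual-control gate for outgoing wire/ACH payment
# files, plus a simple review pass over one day's outgoing activity.
# The PaymentFile fields, the activity record layout, the "known countries"
# set and the review threshold are all assumptions made for illustration.

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PaymentFile:
    """One outgoing ACH or wire file awaiting approval (assumed layout)."""
    file_id: str
    created_by: str              # user id that built the file
    created_on: str              # workstation the file was built on
    total_amount: float
    approved_by: Optional[str] = None
    approved_on: Optional[str] = None
    released: bool = False


def approve_and_release(pf: PaymentFile, approver: str, workstation: str) -> Tuple[bool, str]:
    """Release the file only under dual control: a second user id, on a
    second computer, must approve what the first user created. A single
    compromised workstation or credential therefore cannot both create
    and release a payment."""
    if pf.released:
        return False, "rejected: file already released"
    if approver == pf.created_by:
        return False, "rejected: approver is the same user id that created the file"
    if workstation == pf.created_on:
        return False, "rejected: approval must come from a different workstation"
    pf.approved_by = approver
    pf.approved_on = workstation
    pf.released = True
    return True, "released"


# Constructed sample of one day's outgoing transfers (not real data).
SAMPLE_ACTIVITY: List[Dict] = [
    {"id": "T1", "type": "ACH",  "amount": 4200.00,  "beneficiary": "Regular Supplier Inc",  "country": "US", "first_payment": False},
    {"id": "T2", "type": "WIRE", "amount": 48000.00, "beneficiary": "Unfamiliar Trading Ltd", "country": "LV", "first_payment": True},
    {"id": "T3", "type": "ACH",  "amount": 950.00,   "beneficiary": "J. Doe",                "country": "US", "first_payment": True},
    {"id": "T4", "type": "ACH",  "amount": 12500.00, "beneficiary": "Payroll Processor",     "country": "US", "first_payment": False},
]


def flag_for_review(activity: List[Dict], known_countries=frozenset({"US"}),
                    threshold: float = 10000.0) -> Dict[str, List[str]]:
    """Regular-review helper: return the transfers a reviewer should look at
    first, keyed by id, with the reasons. The rules mirror the pattern the
    alert describes (transfers to new associates in the U.S. or directly
    overseas); the threshold is an assumed review limit, not a bank setting."""
    flagged: Dict[str, List[str]] = {}
    for t in activity:
        reasons = []
        if t["country"] not in known_countries:
            reasons.append("destination outside known countries")
        if t["first_payment"]:
            reasons.append("first payment to this beneficiary")
        if t["amount"] >= threshold:
            reasons.append(f"amount {t['amount']:.2f} at or above review threshold")
        if reasons:
            flagged[t["id"]] = reasons
    return flagged


if __name__ == "__main__":
    pf = PaymentFile("WIRE-0001", created_by="alice", created_on="WS-ACCT-01", total_amount=25000.00)
    print(approve_and_release(pf, "alice", "WS-ACCT-02"))  # same user id -> rejected
    print(approve_and_release(pf, "bob", "WS-ACCT-01"))    # same workstation -> rejected
    print(approve_and_release(pf, "bob", "WS-CFO-01"))     # dual control satisfied -> released
    for tid, why in flag_for_review(SAMPLE_ACTIVITY).items():
        print(tid, "->", "; ".join(why))
```

The gate rejects approval from the creating user id or the creating workstation before any state is changed, so the file stays unreleased until a genuinely separate person and machine sign off; the review pass is deliberately simple, and in practice the “known countries” set and threshold would come from the business’ own payment history and the options discussed with its financial institution.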
If you have questions about the content of this alert, please contact:
  • Jorge Rey (305.646.6076; jrey@kaufmanrossin.com)
  • Or your Kaufman Rossin account professional.
References
FBI, IC3, FS-ISAC, Fraud Advisory for Businesses: Corporate Account Take Over

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.