Among the recent incidents: In mid-Sept., fraudsters siphoned $150,000 from a fuel company in Maine, while earlier this month hackers diverted approximately $77,000 from the group running a former air force base in NH.
"It's clear that a wide education campaign is needed on this [threat]," says Doug Johnson, Senior Policy Analyst at the American Bankers Association. "Community banks need to be aware it is attacking them as well as the large banks."
The Latest Victims
Over the past year, the FDIC says, it has detected an increase in the number of reports of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.
In mid-Sept. Downeast Energy and Building Supply of Brunswick, Maine, found its banking account compromised by hackers from Eastern Europe in a sophisticated email scam. The heating fuel company says that 800 of its customers' checking accounts may have been exposed by the hackers, involving roughly $150,000. The hackers gained access to the bank account that the company uses to let customers pay for fuel with electronic transfers from their checking accounts.
The scam began with a spear phishing email to a Downeast employee that looked to be from the company's bank, KeyBank. A link in the email took the employee to a web site that was identical to the bank's. Once the company's user name and password were entered in the bogus site, the information was sent to the hackers, and the $150,000 was stolen from the bank's account.
Then, on Oct. 1, the Pease Development Authority (PDA), responsible for redeveloping the former Pease Air Force Base in Portsmouth, N.H., said hackers removed approximately $77,000 in 10 fraudulent transfers to eight different banking institutions.
"This stuff is happening all across the country," said Art Nickless, chairman of the PDA Board, to the Portsmouth, NH Herald. "But as far as we're concerned, over half the money has been returned, and the question now is how did it happen?"
The Need for Education
The message to banking institutions is: The threat is ongoing and real, and so is the need to further educate small-to-midsize businesses.
Elaine Dodd, head of the Fraud division at the Oklahoma Bankers Association, has crisscrossed her state for months, holding workshops for bankers and businesses on what steps they can take to prevent these attacks. And the efforts have started to pay off: A recent attempt to obtain a company's account ID and password was thwarted after an ACH transaction was stopped.
Dodd says she hears from her banks, "What can we do to limit exposure to ACH batch fraud?" Defense requires a multi-pronged approach, she says. "First, since the initial point of compromise resides with your customer (malware or virus on their computer), the first step should be education of your customers who make ACH batch payments," Dodd says.
Customers need to be aware of the hazards of clicking on hyperlinks in e-mails from unknown sources and of pop-up boxes purporting to be from their financial institution. "For this reason, staff should never open e-mails from anyone they do not know or have a reason to trust," she says.
Antivirus software alone is no protection in many instances. "Many of our banks are now doing training at the retail customer level to acquaint them with frauds of which they need to be aware," Dodd notes. She tells them they should also understand that these crimes are not a rarity and are occurring with regularity even in Oklahoma.
Dodd says one place for businesses to start is to have a dedicated computer for their online banking transactions. "[Then] there is no ability to surf the net or click on bad hyperlinks on that computer," she says. "I ask retailers, 'What's the price of a dedicated computer compared to thousands of dollars lost in a scam?'"
Banks that are the originating deposit financial institution (ODFI) should make every effort to protect their ACH batches. "Implementing a higher level of multi-factor authentication is a positive step. Explore with your software vendors reports that would show activity out of the norm for ACH customers," she says.
Malware such as the Zeus Trojan is being used in many theses attacks. "It is a troubling, nasty piece of malware," says the ABA's Johnson, "and this type of attack is not going away anytime soon."
The Need for Monitoring
The more proactive a bank is in monitoring commercial business accounts and transactions, the better off it will be when it comes to detecting and stopping fraudulent transactions. Banks also need to teach their commercial customers to monitor, says Nancy Atkinson, wholesale banking senior analyst at Aite Group, a Boston, MA-based research firm that focuses on the financial services industry.
"The smaller the business is, they probably don't have the staff to look at their online banking situation every day, except to see if a certain check has cleared," Atkinson says. Banks need "to convince them to look at their account information every day."
Banking institutions also should teach customers about "debit blocks" that can be placed on their accounts. A debit block is used to stop any transactions except those that are preauthorized from going through. Larger corporations have long used debit blocks to prevent unauthorized ACH transactions, says Atkinson. But many small-to-midsize businesses simply aren't aware of the practice, she says.
In most banks, large corporate accounts are covered by the treasury area, while smaller businesses fall under the retail or business bank area, "The retail or business banking areas of banks don't have the familiarity about ACH transactions and debit blocks," Atkinson says. Those two bank areas need to be educated about ACH transactions and the types of fraud that can occur.
The larger banks also have the monitoring systems in place to stop ACH fraud, but "A lot of small community banks have not spent the money to update their monitoring systems," Atkinson says. One solution: Turn to core processors to provide monitoring services.
An 'Arms Race'
These latest crimes are just the newest incidents in an escalating "arms race" between fraudsters and the forces aligned to stop them, says the ABA's Johnson. And there are encouraging signs for banking institutions and their customers. Among them, the recent arrest of 100 people in the United States and Egypt in 'Operation Phish Pry'.
"We've also seen an increased ability to share information from law enforcement and the financial services industry through the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other industry trade groups," Johnson says. But this cooperation needs to grow. "We still need to have the trusted network and a greater level of trust between the organizations," Johnson says. "That benefits all entities from top to bottom."
In cases such electronic crimes against business and banking institutions, "We don't need to know who's doing it," Johnson says, "just what it looks like at an earlier phase, so we can alert our institutions and prepare them on what to look for."