In May, a small business received an email from UPS. It advised them that an expected shipment was being held in transit pending verification of confidential information from the company. Trusting in the veracity of the communication, an employee downloaded the attached form, filled it out and sent it in.
The next day, the shipment arrived as anticipated, but a surprise awaited the unsuspecting business owner. By clicking the attachment on what turned out to be a phishing email, the employee had unknowingly released malware to the company server. Hackers were able to access company bank accounts and initiate a series of ACH transactions into foreign accounts.
While the story above is a fictitious event, it could easily be true. According to Verizon’s Data Breach Investigations Report, more than 92 percent of malware was delivered via email in 2018, and the use of stolen credentials remains the leading method for gaining access to business accounts.
The biggest danger with cyber criminals is that they can strike anywhere at any time, even when you’re asleep. To keep your business protected from online thieves, it’s essential that you take advantage of every available precaution to safeguard your financial accounts.
Adding up the Cost of Cyber Crime
According to Verizon, 71 percent of cyber attacks are financially motivated, meaning the attacker is looking for monetary gain.
Unfortunately, businesses lose big when cyber criminals come calling. Juniper Research predicts that the cost of cyber attacks could be as high as $5 trillion by 2024. However, when summing up cybercrime, there is more to be considered than stolen funds. Over $1 million was spent by companies to detect and escalate cyber attacks in 2019, and Accenture reveals that business interruption costs resulting from cyber attacks add up to $4 million a year.
Because of the high dollar values associated with cyber attacks, many small and medium businesses (SMBs) mistakenly believe they aren’t a target for money-seeking cyber criminals. Statistics, unfortunately, prove this theory wrong. According to Ponemon Institute, nearly 70 percent of SMBs were impacted by cyber attacks in 2018.[i]
Cyber criminals typically gain access to private data in a variety of ways, but phishing for confidential information, such as login details, is a prominent approach. In fact, Verizon reports that nearly 80 percent of hacking attacks involved the use of stolen credentials.
Unfortunately, it’s all too easy for criminals to gain access to a business’ confidential information due to employee negligence. Ponemon Institute revealed that 60 percent of cybercrimes can be traced back to a negligent employee or contractor.[ii]
However, even if you’re diligent with email security, attackers could still find you. Cisco’s 2018 Annual Cyber Security Report indicates that cyber criminals are finding new ways to gain access to private information and accounts. For example, some have been known to gain access by exploiting vulnerabilities in new technology advancements, such as IoT devices.
While, there is no doubt that the threat of cybercrime is ever-evolving, businesses can take simple but effective steps to protect their bank accounts from criminals who do their work online.
Protecting Against Cyber Criminals
Cybercrime remains one of the top concerns with businesses. However, we find that too few business owners take advantage of the simple tools available to safeguard their financial accounts.
Dual control is one easy and effective way to thwart cybercrime and protect your hard-earned cash. With dual control protocols in place, financial transactions need the approval of two business stakeholders before they are released by the bank.
Businesses determine the level of security they need and when dual control should be necessary, making it a highly adaptable and effective method for deterring cybercrime. You probably already have this enabled for ACH batch transactions or when submitting wire transfers, but dual control has many uses when it comes to fraud prevention. Consider enabling dual control to ensure proper authorization for all transactions and to verify changes to payment instructions as well.
Additional bank-related services, such as Check Positive Pay and ACH Positive Pay, make it easier than ever to monitor transactions and stop fraud before money leaves your account.
With Check Positive Pay, businesses submit a daily list of checks that have been written. Then, when a check is presented for payment, the financial institution attempts to match it against the information provided on the list.
The system is robust and requires checks to agree with the provided information in terms of check number, account number, issue date, and dollar amount. Checks that don’t match all checkpoints are declined.
ACH Positive Pay works in a similar manner to guard your accounts against unauthorized ACH debits and credits. You provide a list of authorized trading partners and associated transactions. Any ACH requests are then electronically matched before the transaction is authorized. If a match is not found, the request is declined, and you are notified of the exception.
Protecting Your Business Accounts Is Ultimately up to You
With 6.4 billion fake emails sent each day and the average cost of a data breach adding up to over $3 million last year, it’s vital for you to protect your business against cyber threats.
I recently witnessed a case where a business was bilked out of hundreds of thousands of dollars. A hacker, believed to be a foreign national, gained access to the company’s servers and watched email traffic for four to six months.
Once the CEO was out of the country, hackers briefly took control of his company email account to send a request to the CFO, indicating that a large dollar wire should be sent abroad as the first payment in a newly launched project. Since it was not unusual for the CEO and CFO to work privately together, the CFO didn’t check the validity of the wire request.
By the time the company realized the error, and the FBI traced the funds to an account at a Chinese bank, the hacker’s account was closed, and the company had lost a significant sum.
This story illustrates the importance of even simple safeguards. Had the company instituted dual control or ACH Positive Pay, it is far less likely that the crime would have taken place. Others in the chain of authorization may have requested more information, alerting the CEO to the fake request and subverting the hackers’ attempt.
When it comes to stopping cyber criminals and protecting company accounts, businesses need to take every precaution. Your bank’s treasury services advisor is a valuable resource when it comes to gaining information on cybercrime and helping you to protect both your accounts and your business profitability.
About the Author
Jason Hagan leads Wholesale payments strategy and product development for First National Bank of Omaha. He joined the bank in 2013 to develop and implement the bank’s payments and partnership strategy. Jason also leads the Wholesale Bank Investment process.