In the past few years, we have become increasingly aware of the threat in cyberspace that our personal banking information could be obtained by so-called “cybercriminals.” Most likely, if it has happened to you or someone you know, the bank reimbursed the fraudulent transaction because the victim was a consumer. Businesses, however, are treated differently: under the Uniform Commercial Code (UCC), a business can find it difficult to recover funds stolen from its bank accounts, leaving the victim (the business) to suffer the loss. One of the largest areas of concern for businesses is the threat of a fraudulent electronic funds transfer (EFT). These thieves mainly target small to medium-sized businesses because of the ease of access afforded by weak or non-existent controls. On August 26, 2009, the Federal Deposit Insurance Corporation (FDIC) issued an alert (FDIC SA-147-2009) warning that there has been an increase in reports of fraudulent EFT transactions resulting from compromised login credentials. The statement issued by the FDIC specified how the cyber thieves may be able to access accounts.
“Web-based commercial EFT origination applications are being targeted by malicious software, including Trojan horse programs, key loggers and other spoofing techniques, designed to circumvent online authentication methods. Illicitly obtained credentials can be used to initiate fraudulent ACH transactions and wire transfers, and take over commercial accounts. These types of malicious code, or "crimeware," can infect business customers' computers when the customer is visiting a Web site or opening an e-mail attachment. Some types of crimeware are difficult to detect because of how they are installed and because they can lie dormant until the targeted online banking session login is initiated. These attacks could result in monetary losses to financial institutions and their business customers if not detected quickly.” FDIC SA-147-2009
Generally, a business must notify the bank within two days of a fraudulent ACH transaction or the business may be liable for the loss. Identifying risks is key to understanding how vulnerable your business is to EFT fraud. Once the risks are assessed, the business can determine the appropriate steps (implementation of controls) to limit the risk.
Assessing your Business’ Risk for EFT Fraud
Here are a few key items to consider when evaluating general fraud prevention:
1. Is your business in compliance with the bank’s recommended security procedures to facilitate a recovery of funds in the event of a fraudulent transaction?
2. What is the maximum dollar amount the entity could lose in a wire transfer, and does the business have insurance to cover that amount for fraud?
3. Has the business given proper education and/or training to key employees with online access so they understand the risks, how the fraud is perpetrated and the precautions they should take?
4. Does the business have security settings on computers to prevent malicious code (malware) from being installed on its systems?
Establishing Controls to Mitigate EFT Fraud
Once you have determined the Company’s risks, a system of controls needs to be developed in order to limit that risk. The following is a list of potential controls that might limit the risk:
1. Dedicate a computer or system for online banking, especially for EFT. If the risk is significant, use a computer that is not used for e-mail, web browsing, or other high-risk online activities associated with contracting malware infections.
2. Use an authentication method with an independent (out-of-band) mechanism. For example, require login credentials plus a temporary PIN sent to a pre-determined cell phone or generated by a security code device (provided by the bank). This method makes an attack more difficult because the second authentication factor is not communicated through the compromised computer.
3. Segregate EFT duties so that one person performs online EFT functions, and a second person approves the transfer or verifies/reconciles that transaction.
4. Review bank accounts on a daily basis in order to detect unauthorized transactions in a timely manner.
5. Dedicate clearing accounts using “just-in-time” deposits. For instance, make deposits into a separate designated “EFT transfer” account, from a different computer, just before a wire transfer.
6. Use a “run as needed” bootable CD (for example, one running the Ubuntu operating system) that cannot be contaminated by a virus or malware for the computer accessing online EFT. This is an FDIC recommendation.
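Controls 3 and 4 above (a second approver for every transfer, and a daily review of bank activity against the two-day notification window) can be exercised with a simple reconciliation check. The following is an added illustration written for this article, not a tool from dbbmckennon or the FDIC; the transfer log, the bank activity report, the reference numbers and the names are all constructed sample data.

```python
from datetime import date, timedelta
from decimal import Decimal

# Days the business has to report a fraudulent ACH debit to its bank,
# per the two-day figure cited in the article.
NOTIFY_WINDOW_DAYS = 2

# Constructed sample: the business's own log of EFTs that were entered by one
# person and signed off by a second (the segregation-of-duties control).
APPROVED_TRANSFERS = [
    {"ref": "W-1001", "amount": Decimal("12500.00"), "initiator": "alice", "approver": "bob"},
    {"ref": "W-1002", "amount": Decimal("3200.00"), "initiator": "alice", "approver": "alice"},
]

# Constructed sample: debits as they appear on the bank's daily activity report.
BANK_ACTIVITY = [
    {"ref": "W-1001", "amount": Decimal("12500.00"), "posted": date(2009, 9, 1)},
    {"ref": "W-1002", "amount": Decimal("3200.00"), "posted": date(2009, 9, 1)},
    {"ref": "W-1003", "amount": Decimal("9800.00"), "posted": date(2009, 9, 1)},
]


def reconcile(approved, bank_activity, review_date):
    """Return one exception dict per bank debit that is unmatched, mis-amounted,
    or lacks an independent approver, with the bank-notification deadline."""
    ledger = {t["ref"]: t for t in approved}
    findings = []
    for entry in bank_activity:
        deadline = entry["posted"] + timedelta(days=NOTIFY_WINDOW_DAYS)
        approved_entry = ledger.get(entry["ref"])
        if approved_entry is None:
            reason = "debit not in approved-transfer log"
        elif approved_entry["amount"] != entry["amount"]:
            reason = "amount differs from approved amount"
        elif approved_entry["initiator"] == approved_entry["approver"]:
            reason = "initiator and approver are the same person"
        else:
            continue  # matched and dual-approved: nothing to report
        findings.append({
            "ref": entry["ref"],
            "reason": reason,
            "notify_by": deadline,
            "days_left": (deadline - review_date).days,
        })
    return findings


if __name__ == "__main__":
    for f in reconcile(APPROVED_TRANSFERS, BANK_ACTIVITY, date(2009, 9, 2)):
        print(f"{f['ref']}: {f['reason']} (notify bank by {f['notify_by']}, {f['days_left']} day(s) left)")
```

Run daily against the bank's activity export; any finding with zero or negative days left is past the window the article describes and needs immediate attention.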
There are many prevention and detection controls that a business can implement in its day-to-day operations to protect itself from EFT fraud. However, selecting such controls is a tricky process: too many controls can cause inefficiencies and have a negative impact on the business. Don’t hesitate to give dbbmckennon a call or email today to discuss your particular business’ risks and the internal controls you may implement to mitigate such risks.