DETROIT – If you are a small business and do any of your banking online these days (and who doesn’t), you need to be aware of a very pervasive new scam that targets small businesses in particular. The FBI recently released a warning to small businesses stating that if they use ACH money transfers, especially with smaller banks, they are at significant risk of having their bank accounts robbed.

How can this happen? According to most security studies that look at the forensics of cyber crime, most malicious attacks today are financially motivated, and most are specifically targeted at weaknesses that are discovered in systems in widespread use.

Once a weakness is discovered, a process is developed that helps the attacker maximize the return on exploiting it. In the case of ACH transfers, the weakness that has been discovered lies mostly on the side of the financial institution, and consists of weak controls around adding new payees to an ACH account. This weakness, the FBI has found, is more prevalent with smaller financial institutions than with large ones, which usually have strict controls in place before a new payee can be added for ACH transfers.

If you do business with any financial institution with insufficient controls in place, you are at risk. The first thing to do is to determine what controls your bank has in place before a new payee can be added to your ACH account. If new payees must be authenticated by a separate person by phone, email or another two-factor process, you are probably not going to be a target. If you are able to add someone to your ACH payee list without a second authorization being required, you need to look into things further.

On your side of the equation, the perpetrators have to get login information from you to gain access to your ACH account. They are going to try some ploy to get your account info, such as a keyboard logger, diverting you to a look-alike site, or a phishing scam that gets you to give away what they need. They can then use that info to add a new payee and start moving your hard-earned cash to the Caymans. The methods they use to get your account information are what you need to guard against. The less vulnerable you make yourself to someone loading malicious software on a computer used for ACH, the better off you are.

Here are some specific steps you can take to minimize your risk:

1. Check out your bank's controls to see how new payees are added to your account. Look for two-factor authentication being used and ask for it if it is not already in place.

2. Dedicate one computer or one specific user ID for ACH and finance transaction activity. Make sure that user ID doesn’t have admin rights.

3. Don’t use the web, chat clients, email or any internet service on a finance terminal.

4. Have someone regularly log in with an admin ID and do Windows, anti-virus and other updates.

5. Apply these safeguards to online transaction accounts like Paypal / Verisign.
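Steps 2 and 4 above can be verified on the finance workstation itself. The following PowerShell script is an added example for this article, not something the FBI or the original author supplied: it checks that the dedicated ACH user ID is not a local administrator, that Windows updates have been installed recently, and that Windows Defender real-time protection and signatures are current. The account name `achuser` and the 30-day thresholds are placeholders you would adjust for your own setup.

```powershell
# Added example (not part of the original article): audit a dedicated ACH/finance
# user account on a Windows workstation against steps 2 and 4 of the list above.
# $FinanceUser is a placeholder account name; set it to the ID you actually use.
param(
    [string]$FinanceUser = "achuser",   # placeholder, not a real account
    [int]$MaxUpdateAgeDays = 30,        # how stale installed updates may be
    [int]$MaxSignatureAgeDays = 7       # how stale AV signatures may be
)

$findings = @()

# Step 2: the finance user ID must exist and must not have admin rights.
$user = Get-LocalUser -Name $FinanceUser -ErrorAction SilentlyContinue
if (-not $user) {
    $findings += "FAIL: local account '$FinanceUser' does not exist on this machine."
} else {
    if (-not $user.Enabled) { $findings += "WARN: '$FinanceUser' is disabled." }

    # Members are reported as COMPUTER\name or DOMAIN\name, so match on the trailing name.
    $admins  = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
    $isAdmin = $admins | Where-Object { ($_.Name -split '\\')[-1] -ieq $FinanceUser }
    if ($isAdmin) {
        $findings += "FAIL: '$FinanceUser' is a member of the local Administrators group."
    } else {
        $findings += "OK: '$FinanceUser' is not a local administrator."
    }
}

# Step 4: Windows updates should be applied regularly. Get-HotFix lists installed
# updates; InstalledOn can be empty for some entries, so those are ignored.
$lastUpdate = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastUpdate) {
    $findings += "FAIL: no installed Windows updates with a date were found."
} elseif ($lastUpdate.InstalledOn -lt (Get-Date).AddDays(-$MaxUpdateAgeDays)) {
    $findings += "FAIL: last update ($($lastUpdate.HotFixID)) was installed on $($lastUpdate.InstalledOn.ToShortDateString()), older than $MaxUpdateAgeDays days."
} else {
    $findings += "OK: last update $($lastUpdate.HotFixID) installed $($lastUpdate.InstalledOn.ToShortDateString())."
}

# Step 4: anti-virus. This checks Windows Defender; a third-party product would
# need its own check. Get-MpComputerStatus is absent when Defender is not present.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings += "WARN: Windows Defender status unavailable; verify your anti-virus manually."
} else {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "FAIL: Defender real-time protection is turned off."
    } else {
        $findings += "OK: Defender real-time protection is on."
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "FAIL: Defender signatures are $($mp.AntivirusSignatureAge) days old."
    } else {
        $findings += "OK: Defender signatures are $($mp.AntivirusSignatureAge) days old."
    }
}

$findings | ForEach-Object { Write-Output $_ }

# Non-zero exit code if anything failed, so the script can be scheduled and alerted on.
if ($findings -match '^FAIL') { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell prompt (the admin ID from step 4), since reading local group membership and Defender status can require it. The `Get-LocalUser` and `Get-LocalGroupMember` cmdlets ship with Windows 10 and Windows Server 2016 or later; on older systems the same checks can be done with `net localgroup Administrators`.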

For additional information on the FBI notification, click on ComputerWorld.Com
