Payment Fraud

The Target Is You!
by Scott Stevens
CliftonLarsonAllen LLP

In today’s world, a robber’s target is no longer the bank—it’s your online account.

We’ve all heard the famous quote attributed to Willie Sutton, the notorious bank robber who, when asked why he robbed banks, replied, “Because that’s where the money is.”

In today’s connected world, that assumption is no longer valid. The money that once sat in a bank is now accessible online and is being targeted as never before. Malicious attackers have discovered that improved defensive measures have made hacking banks very difficult and time-consuming, but the banks’ customers lack these protections and are much easier targets.

As a result, businesses that never before considered themselves targets are falling victim to credit card, automated clearing house (ACH) and wire fraud. The hackers, many from outside the country, attack the online cash management features that banks provide to their customers. Healthcare organizations, trade associations, construction contractors, Main Street retail shops and every other type of small business have found themselves the victims of these types of criminal activity.

Online Banking Malware
By far, the most common method of attack is the use of an email phishing message to deliver malicious software, or malware, that attacks online cash management on the recipient’s computer. Once the malware has been delivered, it can monitor and record system activity, stealing personal information and login credentials for the internet banking services. Attackers then use this login information to impersonate the account holder—they simply log in and create fraudulent ACH entries or wire transfers. More sophisticated malware can even be used to bypass multi-factor authentication tokens. This type of attack is often called a corporate account takeover.

Email Spear Phishing
Spear phishing is another common type of email attack that focuses on a single user or department within an organization, and appears to be sent from a business or person the recipient knows. The malware code is delivered either as a file attachment to the message or through a link inside the body of the email. If the recipient clicks on the link, their browser is directed to a rogue website and the malware attempts to install itself on the victim’s computer. Once a computer is infected, the malware may try to replicate to other computers attached to the local network. At the same time, it may be gathering banking or credit card login credentials, which are then sent to the hacker.

Spear phishing emails have become significantly more sophisticated and effective, and can be very difficult for users to identify as fraudulent. They often hide carefully crafted scripts to entice the user to click the link, and may include information posted on the Internet. In some cases, the phishing emails are even “spoofed,” that is, crafted to appear to come from someone inside the victim organization (e.g., the company president). In other cases, the emails appear to come from a legitimate business or organization, such as the United Parcel Service, American Express, PayPal or the IRS. Other email messages have attachments and appear to have been sent by a scanner or digital sender within the business. These spoofing tactics are designed to increase the likelihood that the recipient will act quickly, clicking on the link or opening the attachment with little thought.

Protecting Your Business
The prevention of payment fraud attacks is no small task and requires a multi-layered approach. The first line of defense is to educate all of the users in an organization, as people are the weakest link in any security system. As some varieties of malware will attempt to install onto all of the computers on a local network, one compromised computer can infect many other systems within an organization.

Before opening a suspect message, the recipient should contact the sender to validate that the message is legitimate, or seek input from a coworker or outside source. Pay close attention to discrepancies between the sender name and email address, and to whether the message was sent to multiple recipients. Also, hovering the mouse over a website link in an email (without clicking on the link) may show whether the link actually leads to the expected site or to some other rogue location.
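The same three checks (sender name against address, number of recipients, link text against link destination) can be run by a script over a saved message. The following Python sketch is an added example, not part of the original article; the EXPECTED allow-list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-list (assumption): sender names and the domain each should use.
EXPECTED = {"paypal": "paypal.com", "ups": "ups.com", "irs": "irs.gov"}

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased hostname of a URL or bare web address
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def review(raw):  # returns the warning signs found in one raw message
    msg, flags = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, good in EXPECTED.items():
        # Flag a known sender name whose address is outside that sender's domain.
        if f" {brand} " in f" {name.lower()} " and not ("." + domain).endswith("." + good):
            flags.append(f"sender name '{name}' but address domain is {domain}")
    if len(getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))) > 1:
        flags.append("sent to multiple recipients")
    parser = Links()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        # Compare only when the visible text itself looks like a web address.
        if "." in text and " " not in text and host(text) != host(href):
            flags.append(f"link shows {host(text)} but opens {host(href)}")
    return flags

# Constructed sample message, not a real email.
SAMPLE = """From: "PayPal Support" <billing@pay-pa1.example>
To: ap@contoso.example, controller@contoso.example

<p>Review now: <a href="http://login.pay-pa1.example/verify">www.paypal.com</a></p>
"""
```

Calling `review(SAMPLE)` returns one warning per check; a message that passes all three returns an empty list.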

Another component of a multi-layered defense involves installing and maintaining antivirus software on all systems and updating it frequently. Regular scans should be completed, and the results should be periodically reviewed. Email spam and antivirus filtering systems are also available. Many of the filtering solutions are cloud-based, do not require any capital investment, and are very cost-effective.

Businesses should also consider installing and configuring a unified threat management (UTM) device as their firewall. UTM devices, such as those from Fortinet, SonicWall and Cisco, can provide a range of traffic filtering protections that go far beyond the capabilities of a traditional firewall. These products inspect the content of all internet traffic and offer an additional layer of protection through their antivirus, intrusion prevention and content filtering capabilities.

Additionally, businesses should work proactively with their bank or financial institution to use the security tools that are available for online cash management. These tools may include daily and individual transaction limits, wire transfer callbacks, multifactor authentication, positive pay and others. It is important to monitor online accounts daily and to understand your agreements with your bank regarding online activity and liability. Businesses should also discuss payment fraud coverage with their insurance agent and understand the policy types and limits that are available or already in place.

The Target Is You!
Businesses that believe they would never be a target for hackers need to be aware of and take precautions against fraudulent online activities. Advances in malware and spear phishing techniques provide criminals with the ability to efficiently target even the smallest business and get to its money. Implement a multi-layered defense so that you do not become another victim.

Scott Stevens is a partner with CliftonLarsonAllen LLP, one of the nation’s top 10 certified public accounting and consulting firms. He can be reached at scott.stevens@CLAconnect.com or (309) 495-8783.