The likes of the WikiLeaks, Anonymous and online nation-state attacks have populated the news in recent years, and in all likelihood similar stories will continue to do so for some time to come. While online threats like these could impact certain mid-sized businesses—perhaps those dealing in political affairs or harboring intellectually sensitive capital—the greatest, most pressing threat remains overseas fraud schemes for financial gain.
Here are some important things you need to know about online fraud schemes—and how to protect your business from falling prey to them.
The simple truth about phishing schemes
When companies fall victim to online fraud schemes, they want to believe it was only possible through the work of an expert, says Matthew Harper, head of client security management and group vice president at SunTrust. Yet, this often isn’t the case.
“People ask us how they broke the firewall—but they didn’t break the firewall or anything like that. Unfortunately, a fraudster sent a phish, and an employee clicked on a link and malware was installed on the machine,” Harper says. “It’s not exciting, but that’s what happens.”
The dangers of malware
Malware, short for malicious software, is a term used to describe a variety of attacks and is by far the biggest threat in regard to online fraud, Harper says.
When installed, malware can be used to steal sensitive information. Once those credentials are stolen, perpetrators can start diverting funds from your business’s bank accounts.
One such execution of malware fraud, called a man-in-the-middle attack, can happen once you log in to your bank account. The hacker, or the person in the middle of you and the bank, will send you to a legitimate-looking Web page. That page will say something to the effect of: The bank can’t process your transaction at this time, so please try again in 10 minutes. Meanwhile, the hacker has taken over the session you authenticated and is setting up wire transfers and Automated Clearing House (ACH) withdrawals to steal money.
Ways to help limit risk
The good news is that with internal controls, a lot of these attacks are preventable. To guard against malware, the most important step is to maintain good “computer hygiene.” Harper recommends drafting a checklist that may include the following:
- Maintain cautious online behavior: Don’t open email or links from unknown people, only visit trusted sites, and don’t give away sensitive information to unsecure sources
- Keep up to date with security patches from software providers
- Use your bank’s malware protection tools
- Limit how much access employees have to payment systems, including setting up dual control/approval and segregating responsibilities for transaction initiation and approval
- Ask your bank to set wire limits; if you need to send a larger wire, call it in
- Manage your banking from a single computer and/or mobile device that is solely used for that purpose
- Strengthen online passwords by making them complex and long, in addition to changing them frequently and not using them for other logins
“A lot of times we get calls from clients asking about what we can do to stop a specific type of threat,” Harper says. “And our answer is this: By the sheer fact that you’re paying attention to this and reading about it, you’re better off than 98 percent of the companies. The fact that you ask your bank about security threats, you’re probably doing the right thing.”