The Washington Post reported yesterday that there is an increase in "funds transfer fraud" being perpetrated by organized crime groups from Eastern Europe against small and medium U.S. businesses.
It's hard to know the extent of this type of crime because there is no breach notification requirement since no customer information is disclosed. However, many companies are reporting these crimes to the FBI and of course to their banks.
The risk of funds transfer fraud to businesses is much higher than to consumers for the following reasons:
- Dollar amounts are higher.
- Under the Uniform Commercial Code, businesses only have two days to dispute charges they feel are unauthorized. Consumers have 60 days from the time they receive their statements.
- Because banks are liable for the consumer losses and less so for the business losses, they invest more resources in protecting consumers.
The complete article in the Washington Post is well worth reading.
In a previous post, I highlighted one of the techniques used by cyber criminals where they surreptitiously install the Clampi trojan on a PC in order to get the login credentials needed for online banking.
Recommended actions:
- Install anti-virus/anti-malware agents on all workstations and keep them up-to-date
- Use an end-point configuration management system to discover all workstations, to assure the above mentioned agents are installed and up-to-date, and to assure that unauthorized software is not installed
- Implement firewall policies to (1) assure that only authorized people (i.e. people in authorized roles) using only authorized workstations can connect to financial institutions to perform funds transfer transactions, (2) assure that people not authorized cannot connect to financial institutions, (3) generate alerts when there are attempts to violate these policies
- Implement a process where funds transfer transactions are reviewed on a daily basis by someone other than the person or people who perform the transactions