Businesses vulnerable to cyber attacks

Most of us think cyber crooks cast their phishing lines mostly to try to hook everyday consumers. But some businesses across the country have seen hundreds of thousands of dollars vanish from their bank accounts after cyber attacks.

"These e-mails look legitimate," said Terry Thornton, senior vice president of fraud services for Dallas-based Comerica Bank. "People are falling for it because they look so good."

Business owners, as well as managers of school districts and government entities, need to be aware that cyber attacks have hit online banking accounts of others. They must be diligent about updating antivirus software, as well as training their staff to avoid giving specific account numbers in response to an e-mail that looks like it actually came from the bank.

What's essential for business owners to understand is that they do not have the same protections offered to a consumer in such cyber attacks.

"In these types of small-business accounts, the customer loses the money," Thornton said.

While bankers will attempt to rescue the funds, business owners could be out a lot more money than a typical consumer who is hit by a cyber attack. This applies to business accounts of all sizes, small and large.

So it's key that businesses look for warning signs.

Cyber attacks typically run in waves, Thornton said. Things can be quiet for a while and then suddenly small businesses report fraudulent e-mails.

Criminals who often live overseas are crafting ways to plant malicious software on a company's computers and enable the crooks to construct wire transfers to send money to dozens of operators who then launder the money and wire it back to the cyber crooks.

For businesses, the fraud becomes more difficult because business owners do not have protections similar to consumers.

Consumers who bank online in the United States are protected by Regulation E, which generally holds that consumers are not liable for unauthorized transactions against their bank accounts, but the consumer cannot go more than 60 days without reporting suspicious or unauthorized charges or debits.

But if hackers pull out money from the small business' or community's bank account, the bank does not have an obligation to cover that stolen money. That doesn't mean a legal battle won't take place.

The Bullitt County Fiscal Court in Kentucky ended up suing First Federal Savings Bank over an online theft.

Bullitt officials discovered $415,989 missing from its account on June 29. They contend hackers used a malicious code called ZeuS, which allowed them to steal the county's user name and passwords from a county computer and log on through a county Internet connection, according to a report in the Courier-Journal in Louisville.

Less than $10,000 was withdrawn at a time, and payments were deposited in banks outside of Kentucky.

The suit, which was filed in Bullitt Circuit Court, claims the Elizabethtown-based bank could have prevented the theft if it had not ignored irregularities in Bullitt's payroll account.

The bank disagrees and says its online system is not at fault.

Both consumers and business owners must carefully review their accounts regularly, even daily, to try to spot fraud early on.

Everyone could use yet another lecture on why we all need to be extremely careful about e-mails, text, or instant messages that appear to come from your bank, a government agency, an online seller or another organization that you might recognize.
___

(c) 2009, Detroit Free Press.
Visit the Freep, the World Wide Web site of the Detroit Free Press, at www.freep.com
Distributed by McClatchy-Tribune Information Services.