Online banking allows you to streamline financial transactions, but it also puts you in the crosshairs of cybercriminals intent on plundering the accounts of small to mid-sized businesses.

Hackers are zeroing in on smaller enterprises as attractive targets for banking fraud, attempting to drain more than $100 million from the accounts of small and mid-sized businesses and other modest-sized organizations such as school boards and non-profits in the last two years. The trend has prompted warnings from the FBI and the American Banking Association (ABA).

Small and mid-sized businesses "have become much more targeted in the wild," says Tom Kellerman, a Commissioner on The Commission on Cybersecurity for the 44th Presidency and vice president of security awareness for ethical hacking firm Core Security. "Everyone's doing web 2.0 with the assumption that the Internet is a pacific environment, when, in fact, it's hostile."

How the attacks work

Criminals use malicious programs known as banking Trojans to gain access to your online accounts. Click on an unfamiliar link or a malicious attachment, and the crook installs keylogging software onto your computer, gaining access to your online banking credentials.

With the stolen credentials, the hackers authorize Automated Clearing House (ACH) and wire transfers out of the account. Money mules are used to move the funds, which eventually wind up in the hands of European or Russian crooks. Criminals have successfully made off with $40 million out of $100 million in attempted transfers, according to the FBI.

Why your business may be a target

A number of factors make American small businesses attractive targets, say security experts. Quite often, small businesses don't have the security controls or expertise of a large organization, yet their accounts yield more lucrative paydays for hackers than personal banking accounts would. Small and mid-sized businesses may also tend to frequent smaller, regional banks and credit unions, which might not be as prepared to recognize and to fight online attacks.

"Any story on small business and online threats has to be a very sad story," says Anton Chuvakin, who writes the "Security Warrior" blog. Small businesses "have no dedicated and skilled security professionals on staff, but they connect to the same Internet and thus still face the same threats as large enterprises."

While certainly some small businesses take online security into account, a pair of surveys by Panda Security underscores Chuvakin's point. Last year, a Panda Security survey of 1,400 small and mid-sized businesses found 52 percent employed no Web filtering, while 29 percent lacked anti-spam protection. A survey of more than 300 small business executives earlier this year revealed that 52 percent had little or no familiarity with banking Trojans.

A Panda Security white paper on the small business online banking survey noted that small businesses "are sitting ducks." Small businesses might not be taking the proper precautions when it comes to this threat because they have a false sense of security, the paper noted. More than 60 percent of the executives believed that banks would cover any fraudulent losses. In reality, you are not afforded the same protections as an individual consumer when it comes to banking. Some organizations are attempting to recover losses by suing their banks, citing inadequate protections and actions against fraud.

How to fight online banking fraud

The FBI and ABA strongly recommend that small businesses dedicate a computer for financial transactions as the best defense against online banking fraud. However, security experts doubt most small businesses will be able to do so. "I'm not sure this is practical," says Amit Klein, chief technology officer of Trusteer, which makes Rapport, a browser security product that defends against financial malware. "It requires maintenance and ongoing monitoring to make sure it's not being contaminated by other software."

Instead, security experts recommend taking these precautions:

  • Consider cyber insurance. Your bank is unlikely to make you whole in the event of a loss, says Kellerman, so protection makes sense.
  • Review your bank's security policy and practices. Take time to read your bank's policy and to understand its obligations to you in the event of fraudulent activity. Shop for a bank that follows good security practices. Some banks offer free or heavily discounted security products such as Trusteer's Rapport.
  • Manage regular security updates. Designate an employee to manage regular patches and security updates on a weekly basis, advises Kellerman. It's a good idea to do so every Tuesday night, he says, since Microsoft releases its updates every Tuesday. Don't forget to update laptops in the field.
  • Use a USB or live CD. Download a free Linux operating system onto a USB drive or CD, then boot it on your regular PC when you conduct banking activities. "In this way, all your viruses stay on the regular PC, and your environment is effectively isolated," Chuvakin says.
  • Follow good online practices. Educate your employees about clicking on links and attachments in e-mails, particularly when the e-mails appear to be from your financial institution. Know that crooks are using social engineering to craft increasingly sophisticated attacks. An e-mail might refer to your treasurer by name, for instance, and appear to have originated with your IT department.
  • Monitor account activity. Scrupulously review activity on your financial accounts on a daily basis. Be aware that cybercriminals have added fictitious names to payroll accounts, so review those lists as well. Promptly report suspicious activity to your financial institution and authorities.
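The daily review the last item calls for can be partly automated. The script below is an added example, not something from the article or from any of the vendors it names: it reads an ACH/wire activity export of the kind most online banking portals can download and flags the three things the article says to look for, a payee who is not on the approved payroll or vendor roster, money going to a destination account the business has never paid before (how a diverted paycheck shows up even when the employee's name is legitimate), and a single transfer above a review threshold. The roster, the known destination accounts, the $5,000 threshold and the CSV rows are all constructed sample data; a real business would load its own.

```python
"""Audit an exported ACH/wire activity list against an approved roster.

Added example (not from the article). Flags payees not on the roster,
transfers to destination accounts never used before, and single transfers
above a review threshold. All data below is constructed for illustration.
"""
import csv
import io
from collections import namedtuple

# Constructed sample: the approved payroll and vendor roster, keyed by payee name.
APPROVED_PAYEES = {"Alice Ng", "Bob Reyes", "Carla Smith", "Office Supply Co"}

# Constructed sample: (routing, masked account) pairs this business has paid before.
KNOWN_DESTINATIONS = {
    ("100000001", "****1234"),
    ("100000001", "****5678"),
    ("100000002", "****9012"),
    ("100000003", "****3456"),
}

# Review threshold in dollars; an assumed value, tune it to the business.
REVIEW_THRESHOLD = 5000.00

# Constructed sample export, shaped like a typical bank activity CSV.
SAMPLE_EXPORT = """\
date,type,payee,routing,account,amount
2010-10-01,ACH,Alice Ng,100000001,****1234,2100.00
2010-10-01,ACH,Bob Reyes,100000001,****5678,1950.00
2010-10-01,ACH,Dan Unknown,200000009,****7777,2200.00
2010-10-01,WIRE,Office Supply Co,100000002,****9012,8400.00
2010-10-02,ACH,Carla Smith,100000003,****3456,2050.00
2010-10-02,ACH,Carla Smith,200000010,****8888,2050.00
"""

Finding = namedtuple("Finding", "date payee amount reasons")


def audit_transactions(export_text, approved=APPROVED_PAYEES,
                       known=KNOWN_DESTINATIONS, threshold=REVIEW_THRESHOLD):
    """Return one Finding per transaction that needs a human to look at it."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        dest = (row["routing"], row["account"])
        amount = float(row["amount"])
        # A name nobody on staff recognizes: the "fictitious payroll entry" case.
        if row["payee"] not in approved:
            reasons.append("payee not on roster")
        # A legitimate name paid to a brand-new account: the diverted-deposit case.
        if dest not in known:
            reasons.append("destination account never seen before")
        # Large one-off transfers get eyes regardless of payee.
        if amount > threshold:
            reasons.append("amount above review threshold")
        if reasons:
            findings.append(Finding(row["date"], row["payee"], amount, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_transactions(SAMPLE_EXPORT):
        print(f"{f.date} {f.payee:<18} {f.amount:>9.2f}  " + "; ".join(f.reasons))
```

Run against the sample export it reports three rows: the unknown payee going to an unknown account, the wire above the threshold, and Carla Smith's second deposit to an account she has never been paid at before. The first two are the obvious cases; the third is the one a name-only review of the payroll list would miss, which is why the check keys on the destination account and not just the name.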

Understanding you are indeed at risk is critical, says Chuvakin. "Being aware is very important here."