Basically, a small, 15-employee fuel distribution company in North Carolina suffered an $800,000 loss due to changes that their bank made to the security of the online banking system. The old system required a user to log in from a known and approved IP address, enter a password and a secret PIN, and then the bank would call back using an automated dialer. The online transaction would be connected only if every step completed successfully. In this way, online financial transactions could only originate from computers inside the company’s building. This, actually, is quite secure and almost impossible to spoof.
The bank had recently changed their system to allow users to log on from any IP address, which is certainly more convenient, but less secure.
The thieves attacked their payroll account, removing amounts below $5000 and $10,000 and sending the money via ACH to money mules who laundered the funds and sent them on to the ringleaders. The theft continued for 5 days before it was detected.
Bi-weekly payroll for the company is typically about $30,000, so the lost funds amount to about a year's wages and salaries for the company. The company’s insurance policy covered some of the loss, but not much, due to low limits in the policy. The bank, of course, is not taking any responsibility for the losses. According to the CEO, this is a significant and painful loss for the company.
So the lessons here? Longer, harder-to-crack passwords for starters, but you ought to have your online banking system reviewed by a computer and network security specialist, who can advise you about how well your bank is protecting your accounts from online attacks. Just remember, if it is easy and convenient for you to use their system, it’s easy for the bad guys, too. Also, take a look at your business general liability policy. It is unlikely that there are any significant protections for cyber-crime and financial fraud of this sort. You may have to invest in a separate policy or a special rider in order to be covered against this sort of theft.