Online Fraud: Who's Looking Out for Businesses?
But who knows about Unique Industrial Product Co., a Sugar Land, Tex.-based company that lost $1.2 million to fraudsters this last April?
Who's heard of the West Beaver, PA. school district, which had more than $700,000 siphoned electronically from its bank account?
All that is necessary for fraudsters to triumph is for good banks to do nothing.
These two cases came to light this week through the efforts of Brian Krebs, a sharp writer with The Washington Post, who wrote a piece about the threat of Eastern European cyber gangs that are increasingly targeting small and mid-size companies in the U.S. Through malware, these gangs are pirating the businesses' online banking credentials, then systematically pilfering their bank accounts. The individual hits don't achieve the notoriety of a TJX or a Heartland, but in sum they can prove devastating to organizations such as Unique and West Beaver.
Krebs wrote his piece following an alert by the Financial Services Information Sharing and Analysis Center (FS-ISAC), which on Aug. 21 sent a members-only notice detailing the fraud and urging financial institutions to help businesses take precautions.
Just yesterday, the Federal Deposit Insurance Corporation (FDIC) issued its own public alert, warning financial institutions about a noted increase in electronic funds transfers (EFT) fraud. "Over the past year, the FDIC has detected an increase in the number of reports and the amount of losses resulting from unauthorized EFTs, such as automated clearing house (ACH) and wire transfers," the agency warns. "In most of these cases, the fraudulent transfers were made from business customers whose online business banking software credentials were compromised."
So, good. FS-ISAC and the FDIC are looking out for the financial institutions. My question is: Who's looking out for the financial safety of these institutions' business customers? Are banking institutions passing along these alerts to their customers? If so, are they conveying the same weight carried in the alerts by FS-ISAC and the FDIC? Are they increasing awareness efforts or even discussing security measures?
I think we all know what the answer is - and I'd be delighted to be proven wrong. The truth is: No one - especially financial institutions - wants to discuss the inherent vulnerabilities of the Internet. No one wants to confront a valued business customer about their own insecure systems or practices. And certainly no one wants to explain to a business that it isn't afforded the same legal protection as a consumer. The average joe has roughly two months to dispute unauthorized charges against an account. The average business has about two days. Which is why organizations such as Unique and West Beaver take it on the chin when fraudsters strike.
It all comes back to confidence. Banking, more than any other industry, survives purely on the confidence of its customers, who need to know that their financial and informational assets are safe. This confidence has been tested over the past year by the recession and the resulting procession of bank failures. But banks and regulators have been always been quick to point out re: bank failures, "No consumer has ever lost a dime in an FDIC-insured institution."
Well, you can't say the same for businesses and fraudulent transactions, can you?
It's a tough situation, I know. No banking institution wants to walk down Main Street with a message about how bad things can happen to good businesses. But what's the alternative?
The FDIC especially has done a good job of publicly conveying the seriousness of this threat to the institutions it regulates. But the regulators don't have a direct communications line to the business customers. That's the banking institution's role, and my fear is that it's being seriously underplayed.
I've always fancied a famous quote attributed to philosopher Edmund Burke: "All that is necessary for the triumph of evil is for good men to do nothing."
One might paraphrase that to say: All that is necessary for fraudsters to triumph is for good banks to do nothing.
What is your institution doing to fight evil?