Protect Your Organization from Online Fraud

by Mark Eich and Matt Smutz

With the right strategy and implementation, you can conduct business securely in a threatening environment.

While high-profile breaches at Target, Home Depot and Sony dominate the headlines, breaches at small businesses fly under the radar. Yet these disruptions are often more devastating, even to the point of business failure.

Churches and other organizations in central Illinois that never considered themselves targets are becoming victims of credit card fraud, automatic clearing house (ACH) fraud and wire fraud. These crimes are often perpetrated from outside the country by attacking the online cash management features that banks provide their customers.

You can take steps to protect your entity, but before taking action, you must first understand and acknowledge this growing threat. The attacks fall into three main categories:

  • Theft of personal financial information;
  • Online banking malware (the so-called corporate account takeover); and
  • Ransomware attacks, the most common being CryptoLocker.

Theft of Personal Financial Information
Organized crime groups (primarily in Russia, Eastern Europe and China) have created a high demand for personal financial information, including name, address, Social Security number, driver’s license number, bank account number and credit card details. Hackers steal this information, then sell it to criminals who use it to commit various forms of identity theft. Payroll databases, customer sales records and supplier/accounts payable records are common targets for this type of attack.

This was the driving force behind the breaches at Target, Neiman Marcus, the University of Maryland and many others. Indeed, as the price being paid to hackers escalates, smaller businesses are being targeted.

Online Banking Malware
Zeus, Citadel, Spyeye and Gozi are just a few examples of the new breed of sophisticated online banking malware. Once a network is infected with this type of malware, the online banking credentials (user ID, password, challenge questions) are harvested by the attacker, who then logs into the online banking server and executes fraudulent wires or ACH transactions. More sophisticated malware can bypass multifactor authentication tokens.

Malware code is often delivered via email, either by a file attached directly to the message, or more commonly, by use of a link to a rogue webpage. In the latter case, the malware returns with the webpage and installs itself on the victim’s computer.

These emails have improved significantly in their sophistication and effectiveness, and can be very difficult for users to identify as fraudulent. They often use carefully-crafted scripts to entice the user to click the link. In some cases, the emails are even “spoofed”; that is, they are crafted to appear to come from someone inside the victim organization (e.g., the company president). In other cases, the emails are designed so they appear to come from a legitimate business or organization, such as UPS, American Express, PayPal or the IRS. These spoofing tactics are designed to increase the likelihood that the recipient will act quickly, clicking on the link without much thought.

Ransomware is a type of malware that encrypts virtually all data and files that it can find, both on the local machine and on every network device that it can connect to. This renders the data unusable by the victim organization. Typically, the hacker requests payment (the ransom) in exchange for decrypting the affected data. This is how the hacker hopes to make his money.

Having working backups that are regularly tested allows victims to wipe the affected machines clean and reinstall both systems and data. However, for companies with high reliance on technology, even the downtime required to wipe and reinstall can result in costly losses and reputational damage.

Protecting Your Business
Preventing these attacks is no small task. It requires a multilayered approach. Organizations should consider each of these tactics. To properly defend:

  • Keep current on technical defensive measures such as firewalls, intrusion detection systems and spam filters.
  • Keep up-to-date on the antivirus software on each device, and complete regular scans to keep them clean.
  • Keep all network servers and PC workstations current with the latest security updates and patches.
  • Limit the number of PCs used to conduct online cash management. If possible, isolate them from the rest of the network.
  • Encrypt sensitive data, such as intellectual property and personal financial information.
  • Utilize bank security tools for online cash management, including multifactor authentication, ACH blocks and filters, daily and individual transaction limits, wire callback features and positive pay systems to reduce check fraud.
  • Make regular backups of key data and systems and store them in a secure, off-site location.
  • Monitor activity and balance online accounts daily.
  • Perform periodic vulnerability or penetration assessments to validate that controls believed to be in place are functioning as intended.

For relationships, communication and training:

  • Educate users to spot fake emails and to be wary of website links and file attachments.
  • Read and thoroughly understand your agreements with your bank related to online activity.
  • Identify the primary contact at your bank who will be your first call for help in the event of a breach.
  • Develop an incident response plan so users know who to contact immediately if they suspect malicious activity on their computer.
  • Establish a relationship with local law enforcement agencies that are familiar with online crimes.

Reliance on technology is a reality for even the smallest organization. But you can conduct business securely in this threatening environment with the right strategy and implementation to help protect your entity against online attacks. iBi

Mark Eich and Matt Smutz are principals with CliftonLarsonAllen. They can be reached at and