Cyber bandits are finding new ways into bank vaults

Time was when bankers couldn’t stop wringing hands over counterfeit bills.

Or they’d lose sleep worrying a borrower provided false documentation to get a loan ripe for default. Others dread a bank employee’s embezzling from customer accounts.

The perennial fraud schemes remain, but can pale in comparison to the potential losses arising from a so-called “corporate account takeover.”

Account takeovers usually involve a hacker’s gaining access to a business client’s computer system to siphon money from its bank accounts.

“Now, with one click of a mouse, they can take millions,” said Joe DeHaven, CEO of the Indiana Bankers Association.

Although a corporate account takeover has yet to garner big headlines locally, hundreds of electronic thefts from bank accounts have been documented around the country. So concerned are regulators that, in June, the Indiana Department of Financial Institutions issued a supervisory memo outlining minimum steps state-chartered banks must take to educate their corporate customers on ways to minimize the risks of account takeovers.

“The vast majority of cases are compromises that occur somewhere other than the financial institution,” said Jim Rechel, a former FBI agent and former Fifth Third Bank security director who now operates Cincinnati-based Rechel Group Inc. “The weak link appears to be at the customer level.”

As such, as long as a bank has implemented reasonable security measures, it’s probably not liable for a security breach on

the business customer’s end of the circuit. But banks could incur legal costs to defend themselves, such as Mississippi-based BancorpSouth, which was sued by Missouri customer Choice Escrow and Land Title after hackers lifted $440,000 from its bank account in 2010.

Earlier this year, U.S. District Court for the Western District of Missouri ruled in the bank’s favor, saying the title firm didn’t adhere to the bank’s recommended security measures. But such theft might not be covered by the financial institution’s insurance, Indiana Department of Financial Institutions Director David Mills warned bankers in June.

Potentially more costly: Along with the financial impact, “There is also a very high level of reputational risk for financial institutions,” Mills added.

A bank client of Lafayette-based technology risk firm Infotex Inc. was targeted by an attempt to grab $300,000 from its bank account and wire it to another bank. In that case, a bank employee trained to look out for such schemes prevented the transfer.

Such efforts have banks nervous, especially those with more than $10 billion in assets. In a recent Grant Thornton LLP survey of bankers in the group, 90 percent cited cyber security risk as their top concern—ahead of even margin compression issues bankers have been obsessed with in recent years.

“The whole corporate account takeover is such a frightening scenario,” said Dan Hadaway, founder and CEO of Infotex.

The method

A favorite method of the cyber thief is to convince an employee of a company to click on a malicious attachment or link. That installs key-logging software that harvests the passwords of a bank account accessible via online banking or other electronic link with the bank.

One would think most computer users would no longer fall for this old trick. Indeed, most people these days know better and close such an email, Rechel said.

But cyber criminals have countered by becoming more clever. They often customize their messages after learning more about a company and even about particular employees who handle electronic transactions. Thieves may, for example, learn about professional organizations in which the employee and the company participate so as to tailor an email one is more likely to open.

They may also invite an employee to accept a fake friend request on a social networking site.

“You think, ‘Huh … that must be someone I met at a previous conference or something’” and click on it, Rechel said.

Cyber criminals also send companies emails pretending to be from the local courts, from UPS or from the company’s bank.

Bloomfield State Bank, based in Greene County, has seen all the tricks.

On the bank’s website are numerous emails its customers have received from cyber crooks pretending to be from the bank, from the FDIC and from electronic payment networks typically used by companies.

One, addressed to “business customers” and claiming to be from the FDIC, declares: “We have important information about insurance coverage of your business accounts” and then asks Bloomfield customers to click on a link that no doubt is pregnant with malicious software.

Besides alerting customers to the scheme de jour, Bloomfield has counseled businesses on preventive measures such as the need to change passwords often, said Mark Barkley, chairman of Bloomfield State Bank.

Playing defense

Indianapolis-based First Internet Bank had been perhaps more sensitive to the perils that exist on the Internet, conducting virtually all its business online since its founding in the 1990s.

Its multi-layered approach to foiling cyber thieves includes a requirement firms use a fob loaded with authentication software when conducting wire and Automated Clearing House network transactions.

To mitigate risk of complete loss in an account, First Internet sets transaction limits based on a company’s expected transaction volumes.

“We offer extensive consulting to our commercial customers before we let them loose in the online banking system,” said Connie Shepherd, senior vice president of commercial banking at First Internet.

The bank also does something Rechel strongly recommends to clients: dedicates a computer to online banking only. That computer is not to be used to surf the Web or to check email—the source of many of the data-extracting viruses.

Some banks now require that two employees sign off on electronic transactions, as an added safety measure.

Regulators are trying to stay on top of the schemes, as well.

The DFI has been hosting webinars to get the word out. And Mills said the state’s bank examiners are being kept aware of the latest guise and are drilling home to bankers that they need to reach out to corporate clients to take precautionary measures.

“A bank has a vested interest in making sure its customers are aware of the threat,” said Tom Fite, deputy director of the department. “You have to stop this crime before it happens.”

Beyond commercial accounts

Cyber thieves aren’t targeting only a bank’s corporate customers. They’re also looking at schools and government agencies.

One of the ugliest cases documented occurred four years ago when thieves drained more than $700,000 from the accounts of Western Beaver County School District, near Pittsburgh.

The school district’s bank was able to reverse some of the transfers, but more than half the money was gone. Investigators said the school had some early warnings, had it noticed that dozens of new employees had been added to its payroll outside the country.

Whereas a decade ago a cyber criminal might have been a kid in his basement, the threat now comes from sophisticated hacker farms, in some cases terrorist groups or government-sponsored efforts of hostile nations, said DFI’s Fite.

“We need to do a better job of recognizing the risk.”•