Cybercrooks preying on small businesses

Small businesses might think they are little enough to escape cybercrooks' attention, but they're increasingly wrong.

Case in point: thieves in May took a mere few hours to vacuum $1.2 million out of the bank account of a mannequin maker and importer, according to the Wall Street Journal.

The cybercrooks used online transactions to fraudulently transfer the money from the bank account of Lifestyle Forms & Displays Inc., a 100-employee company in Brooklyn, NY.

The mannequin maker's problems started when the head of finance couldn't get a routine online payment to a foreign vendor to go through.

Repeated attempts to log into the company's banking site with a secure ID token password only resulted in error messages.

The bank said it wasn't a problem on its end. The three-person IT team at Lifestyle Forms & Displays suspected a virus, even though the anti-virus software was up to date.

By the next morning, after IT had cleaned up the computers, they discovered that the thieves had wired the $1.2 million through nine transactions of about $150,000 each to three major U.S. banks and one Chinese bank, the WSJ reports.

CEO Lloyd Keilson tried to claw that money back.

He was partly successful: within five days, the company's bank, New York-based Signature Bank, managed to recover nearly $800,000 from two recipients of the stolen funds: Wells Fargo and J.P. Morgan Chase.

Keilson didn't have such luck with Bank of America and Agricultural Bank of China, the latter of which the WSJ couldn't even manage to reach for comment.

So Keilson set out to make a nuisance of himself: a productive strategy, it turns out.

He pulled the strings of his network. That got him in touch with the secretary to the CEO of one of the US banks.

Using such tactics, he regained a total of about $1.04 million of the stolen money within 15 days of the robbery.

Keilson told the WSJ that he's now trying to figure out if his company's bank is legally responsible for making up the balance of the funds, which are now unaccounted for.

Signature Bank has denied that the security vulnerability was on its part, however.

If the bank is truly without blame, Mr Keilson can likely kiss those funds goodbye, barring the FBI and/or New York Police's success in tracking them down.

George Tubin, a senior security strategist for Trusteer Inc., a provider of cybercrime prevention technology, told the WSJ that courts don't often hold banks liable in cybercrime cases that involve security breaches of their customers' computers:

It comes down to what type of security a bank has in place to detect fraud and what the small business did for the hackers to be able to access its accounts. … As long as the bank provides commercially reasonable security, then the bank's not liable.

The WSJ reports that the theft is indicative of a growing trend wherein criminals are increasingly targeting small businesses.

That trend can be seen in figures from Verizon Communications, which found that about 72% of 855 data breaches analyzed in its 2012 Data Breach Investigations Report were at companies with 100 or fewer employees, up from 63% of 761 data breaches analyzed in 2010.

Since the theft, Keilson has instituted a few important safeguards to protect Lifestyle Forms & Displays: 1) no more outbound bank transactions without verbal clearance from an authorized company executive, and 2) a $1 million insurance policy that costs $13,000 a year and will cover losses from cyber fraud.

Good moves. Not many businesses, small or large, have realized what a good deal cybercrime damage insurance currently is.

At the SOURCE:Boston security conference in the spring, Jake Kouns, director of cyber security and technology risks underwriting for Markel Corporation, noted that most companies assume their general liability or professional liability insurance will cover them in the case of cyber attack.

Most likely, it won't.

Sony, for one, found that out following its huge PlayStation Network breach.

Sony's insurer, Zurich American Insurance Co., contested any obligation to cover costs related to lawsuits filed over the breach, arguing that its policy only covered claims for bodily injury, property damage, or personal and advertising injury.

So, is $13,000 a lot for an insurance policy?

Think of the potential costs of a data breach:

  • Lawsuits, including fines and penalties
  • Transmission of malicious code to other networks
  • Loss of the use of your network
  • Cost to notify affected individuals
  • Credit monitoring for customers
  • Identity restoration services
  • Security consultants
  • Legal notices
  • Restoration of system and data
  • Extra expenses to remain functional, including new hardware and/or services
  • Payment of extortion demands
  • Lost time, lost monies, lost business
  • Liability from defamatory content maliciously posted on your site, intensified by the search potential of the internet

That list is just for starters.

Is $13,000/year a lot to cover such costs?

Mr Keilson evidently thinks not. Perhaps other small businesses - and large ones too, for that matter - should follow his lead.

Cyber criminal photo and cartoon courtesy of Shutterstock.

Lloyd Keilson image: Sarah E. Needleman/The Wall Street Journal.

5 Responses to Cybercrooks preying on small businesses

  1. Machin Shin · 787 days ago

    "Is $13,000/year a lot to cover such costs?"

    Well, for a small business in a tough economy $13,000 is a LOT of money to lose from your budget. I guess part of my issue is that I just find almost all forms of insurance to be really shady.

    In an office of 100 or less people how far could $13,000 go towards improving information security? The biggest security hole is generally poorly trained people, so let's take a look.

    $13,000/100 = $130 Per person Per year for training. I think maybe, just maybe, for $13,000 a company could actually secure their systems enough to deter an attack instead of spending it on insurance. Insurance is like betting against yourself, you are giving a company money and betting you will screw up and they will have to pay out more than you paid them. I would much rather bet on myself and use the money to fix problems.

    Also, before you start coming down telling me how it is impossible to make something perfectly secure, stop and think about this. It is a small business with limited money, the crooks know this. You do not have to build a Fort Knox. All you have to do is make it secure enough they will move on to an easier target. I think that for a small business investing $13,000 purely into computer security would more than make that goal.

  2. When money is only a collection of binary digits stored in memory ("persistent" or otherwise), this is just waiting to happen.

  3. Richard Steven Hack · 784 days ago

    Ah...hacking insurance! Let me tell how that will go...

    1) Computer crime is a "conflict", i.e., WAR... Insurance companies do not insure people who are in a war.

    2) What will happen is that more and more companies will buy "hacking insurance" - and thus ignore their real IT security requirements.

    3) So more and more companies will get pwned...

    4) Driving up insurance company losses...

    5) Until insurance companies get smart and:

    a) Raise premiums to the level that would have paid for proper corporate security processes in the first place... OR

    b) Refuse to issue such insurance until such proper corporate security practices are actually in place;

    6) Whereupon companies will be paying not only for proper security policies but ALSO the PREMIUMS!

    7) You are not going to win that game...

  4. Nelia Norris · 672 days ago

    Maybe a little help from AXA professional indemnity insurance would be of help during the rise of these newborn businesses.

  5. AbbyPlew · 620 days ago

    I am a member of a cooperative in our town and it was an idea of our town mayor to conduct training and seminars on how to start a small business, especially for housewives.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.