Many cybercriminals operate from foreign countries and wire stolen funds overseas
Clearwater, FL (PRWEB) October 10, 2011
A new study by the Ponemon Institute revealed the cost of dealing with cybercrime in the U.S. is significantly higher than last year. In terms of dealing with threats, the study found that the average time to address one is 18 days, resulting in an average price tag of $416,000; that’s up from an average 14-day period and $250,000 per attack last year.
IT security expert Stu Sjouwerman, founder and CEO of the Internet Security Awareness Training (ISAT) firm KnowBe4, warns that small and medium enterprises (SMEs) are likely to find themselves on the hook for phishing-related cyberheist losses when financial institutions deny responsibility for incursions. Sjouwerman cited a recent Bloomberg news article that reported cybercriminals looting as much as $1 billion per year from business bank accounts, while banks blame victims for allowing unauthorized access.(1)
“Many cybercriminals operate from foreign countries and wire stolen funds overseas. This makes it difficult for authorities to track down and prosecute them, leaving little chance of recovering funds,” explained Sjouwerman. “Because the FDIC does not offer the same protection to business accounts, that leaves one of two parties to cover the losses—bank or business owner. It’s little wonder banks are blaming SMEs for allowing cybercriminals to infiltrate their networks in the first place.”
Sjouwerman noted that cybercriminals often use phishing emails and other tactics to trick employees into clicking links, which then downloads malware to the user’s system. “Using keystroke loggers and other tools, cyberthieves can steal account information and passwords while the user remains unaware of the network breach. Hackers then initiate a series of wire transfers using the business owner’s credentials. In many cases, by the time the bank or business notice the unusual activity, the money is long gone and untraceable. As a result, the bank faults the SME for allowing cybercriminals to steal the company’s online banking credentials, while the SME accuses the bank of having insufficient fraud detection and anti-theft measures in place.”
As detailed in court filings, a phishing attack allowed cybercriminals to access the business accounts of Experi-Metal, Inc., at Comerica Bank, culminating in 97 wire transfer orders that totaled more than $1.9 million, plus a $5 million overdraft. Comerica was able to recover all but $561,399 of the stolen funds, which Experi-Metal pursued in a lawsuit against the bank (Experi-Metal, Inc., v. Comerica Bank). In his bench opinion, the judge found Comerica at fault for failing to detect or stop the fraudulent activity earlier, and for allowing a $5 million overdraft on what is usually a zero-balance account.(2)
However, in another case, the court ruled in favor of the bank. According to court documents, Patco Construction was the victim of a $588,851 cyberheist allowing cybercriminals to steal the company’s banking credentials. Patco’s financial institution, Ocean Bank, was able to block some transfers, but over $345,000 was not recovered, leading Patco to sue the bank. After weighing the arguments presented by each side, the judge upheld the magistrate’s recommended decision to grant the bank’s motion for summary judgment and deny Patco’s cross-motion.(3)
“Many business owners complacently believe that their anti-virus software and IT team are sufficient protection against hackers, but the facts are otherwise as cybercriminals bypass all of those measures by luring just one employee to click a link in a phishing email,” said Sjouwerman.
Sjouwerman asserts that the best way to counter this weak link is through Internet security training. “KnowBe4 conducted a case study among clients, and compared the percentage of employees who were Phish-prone™ – susceptible to phishing attempts – before and after implementing our Internet Security Awareness Training. We found between 26% and 45% of employees were Phish-prone prior to training; however, the total was reduced by 75% after one training session. After four weeks of additional training, the Phish-prone percentage was at or near zero in every company. When employees know what to watch out for, they’re less likely to fall prey to phishing tactics. This can help keep cybercriminals out of your network and bank accounts, and help keep you out of court.”
KnowBe4 invites SMEs to take advantage of a free phishing security test, which will reveal how many employees are currently Phish-prone. The company also offers an array of free cybercrime education resources on its website. Those who seek additional advice on combating cyber attacks will find a wealth of information in Sjouwerman’s book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
(1) Farrell, Greg, and Michael A. Riley. “Hackers Take $1 Billion a Year as Banks Blame Their Clients.” Bloomberg.com, August 4, 2011.
(2) Experi-Metal, Inc., v. Comerica Bank; United States District Court, E.D. Michigan, Southern Division, case no. 2:09-cv-14890. Bench Opinion.
(3) Patco Construction Company, Inc., v. People’s United Bank d/b/a Ocean Bank; United States District Court, District of Maine, case no. 2:09-cv-503-DBH. Magistrate’s Recommended Decision.
# # #