Clearwater, Florida (PRWEB) September 01, 2011
After finding itself the victim of a $588,000 cyberheist, Patco Construction suffered another loss when a Maine district court judge ruled in favor of the bank and denied Patco’s suit to recover its losses (Patco Construction Company, Inc., v. People’s United Bank d/b/a Ocean Bank).(1) The outcome of this case underscores the warnings made by IT security expert Stu Sjouwerman (pronounced “shower-man”), founder and CEO of Internet Security Awareness Training (ISAT) firm KnowBe4, who has cautioned small and medium enterprises (SMEs) that financial institutions often do little to protect businesses when cybercriminals raid their accounts.
As outlined in the court filings, Patco’s ordeal began in May 2009, when a series of unauthorized transfers were made from its account at Ocean Bank. An outside IT consultant ran anti-virus scans that quarantined and deleted a Zeus/Zbot trojan, which Patco maintains was used to steal the company’s online banking credentials. While there are no published details as to how the malware came to be on Patco’s system, Sjouwerman notes that cybercriminals often rely on phishing emails and other social engineering tactics to trick employees into clicking a link, which enables the perpetrators to bypass antivirus software and load malware directly onto corporate systems. The facts of the case revealed that unknown third parties began issuing a series of transfers from Patco’s commercial account at Ocean Bank, sending the money to dozens of different co-conspirators over a seven-day period.
The court records note that by the time Patco became aware of the theft and notified the bank, $588,000 had been transferred. Ocean Bank was able to block or recover a portion of the fraudulent transfers, but Patco was still out some $345,000. Furthermore, because Patco didn’t have the available funds to cover the transfers, Ocean Bank drew from the company’s line of credit – which meant Patco had to pay interest to avoid defaulting on the loan. Patco’s subsequent lawsuit against Ocean Bank claimed that the bank didn’t do enough to protect its commercial accounts. In May 2011, a magistrate recommended that the court deny Patco’s summary judgment and grant the bank’s motion. On August 4, the district court judge approved the magistrate’s decision.(2)
“As the Patco case demonstrates, companies often have no recourse when cybercriminals drain their accounts. Since banks won’t offer protection, business owners need to protect themselves by providing Internet security training to their employees so that cyber thieves can’t access their systems in the first place,” asserted Sjouwerman. “Anyone can potentially be taken in by cybercriminals’ sophisticated ploys if they haven’t been trained to recognize and avoid them. All it takes is one click of a phishing email by an unwitting employee, and an entire network can be compromised. Patco learned the hard way that one wrong click can have very costly repercussions.”
According to Sjouwerman, while federal regulations require banks to make good on losses from personal accounts, commercial accounts do not have the same protection, which is why Patco had to take Ocean Bank to court to try to recover its losses. He noted that the judge’s decision in the Patco case may set a precedent that will make it even more difficult for businesses to recover stolen funds. “Ultimately, business owners are responsible for protecting their bank accounts – and their networks. Internet security training can pay for itself many times over if it helps SMEs avoid a cyberheist.”
KnowBe4’s own client research revealed that 26% to 45% of employees were Phish-prone™ – or susceptible to phishing attacks – before receiving training. Upon implementation of ISAT, the Phish-prone percentage was immediately reduced by 75%. In just four weeks, additional testing and retraining shrank that figure close to zero.
To help SMEs determine what percentage of their staff is Phish-prone, KnowBe4 offers a free phishing security test. “The test can prove invaluable to managers and IT specialists who are interested in ISAT, as the results may be the ammo they need to shake loose the funds for training,” said Sjouwerman. “Our ISAT system is very affordable, and I think most companies would find it to be the best possible use of their security budget. That’s why I urge businesses to take advantage of our free phishing security test – it can be a very effective first step toward protecting their network, as well as company assets.”
Other steps companies can take include reviewing KnowBe4’s free cybercrime education resources and case studies to learn about cybercriminals’ tools and tactics. Sjouwerman also published a trove of cybercrime knowledge in Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. Cyberheist examines the business of cybercrime, explores a number of case studies and offers proven tips for cybercrime prevention.
For more information on KnowBe4 – including the free phishing security test and other valuable cybercrime prevention tools – visit http://www.knowbe4.com. To read more about Cyberheist, or to order the paperback or e-book edition, visit http://www.cyberheist.com.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
(1) Patco Construction Company, Inc., v. People’s United Bank d/b/a Ocean Bank; case no. 2:09-cv-503-DBH. http://docs.ismgcorp.com/files/external/Order-MSJ-052811.pdf
(2) Kitten, Tracy. “ACH Fraud: Judge Denies Patco Motion.” Bank Information Security; August 9, 2011. http://ffiec.bankinfosecurity.com/articles.php?art_id=3939