FDIC Does Not Protect Business Accounts From Cyber Fraud
Your Company Bank Account Is A Sitting Duck
Business owners across the United States are going about their everyday lives thinking the Federal Deposit Insurance Corporation (FDIC) has their company’s bank account federally insured should cyber criminals attack. Others simply believe that if their bank account is hacked and a string of large withdrawals were to occur, there has to be some form of federal law in place to force their bank to reimburse them for any funds withdrawn. THE SHOCKING TRUTH IS NEITHER OF THE ABOVE IS TRUE!
The Reality of FDIC Protection for Commercial Bank Accounts
The FDIC was created to protect consumer and business deposits up to $250,000 should their bank become insolvent. The words cyber and fraud appear nowhere in that sentence. And, while many business owners blindly believe their bank or the government will come to their rescue if their commercial account is emptied by fraudulent withdrawals, they’ll be very disappointed when they realize their bank has no obligation to assist them and no federal laws are in place to bail them out.
Another common area of confusion involves the Electronic Funds Transfer Act (Regulation E, or REG E). Many business owners believe REG E covers their electronic fund transfers, but the law provides fraud protection strictly for consumers. Regulation E is the federal law that establishes the basic liabilities and responsibilities for consumers who use electronic transfer services and for financial institutions that offer these services. The term “electronic fund transfer” means any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. Such term includes, but is not limited to, point-of-sale transfers, automated teller machine transactions, direct deposits or withdrawals of funds, and transfers initiated by telephone.
In contrast, for businesses the Uniform Commercial Code (UCC) was created to standardize the laws for commercial transactions across all 50 states. Beyond FDIC deposit protection, withdrawal transactions for business accounts are governed by the UCC. Generally, this means you must notify your bank within 24 hours of noticing a fraudulent withdrawal (via wire transfer, debit card, or online banking) to recover transferred funds. To make matters worse, each state, and even counties within a state, may adopt different terms for UCC protection (see Oklahoma UCC Banking). Plus, your bank may have its own terms listed specifically in your commercial banking agreement.
Matrixforce recommends contacting your bank to enable withdrawal alerts on your commercial accounts and debit cards, as well as two-signature authorization for wire transfers.
The 5 Billion Dollar Cybercrime Scam
Cyber crime against business has become so prolific that the FBI issued a Public Service Announcement (actually an update to several previous PSAs) in May of this year addressing business bank account fraud. They call this type of fraud Business Email Compromise (BEC) and Email Account Compromise (EAC); the two are so similar that they are now classified as the same crime. BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. EAC attacks target the individuals who perform wire transfer payments.
This scam continues to grow and evolve, with small, medium, and large businesses increasingly reporting attacks. Between January 2015 and December 2016 there was a reported 2,370% increase in identified exposed losses. In fact, the FBI stated in its PSA that international complaint filings between October 2013 and December 2016 numbered 40,203, which equated to $5,302,890,448!
It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive phishing emails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).
Some individuals reported being a victim of various ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a spear phishing scam in which a victim receives an email from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the criminal unfettered access to the victim’s data, including passwords or financial account information.
Cyberfraud Self-Protection Strategies For Your Business
Businesses with an increased awareness and understanding of the BEC/EAC scam are more likely to recognize when they have been targeted by BEC/EAC cyber criminals, and are therefore more likely to avoid falling victim and sending fraudulent payments.
The following list includes self-protection strategies as recommended by the FBI:
- Avoid free web-based email accounts: Establish a company domain name and use it to establish company email accounts in lieu of free, web-based accounts.
- Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example: 1) Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker. 2) Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based email accounts. Additionally, some countries ban or limit the use of encryption.
- Immediately report and delete unsolicited email (spam) from unknown parties. DO NOT open spam email, click on links in the email, or open attachments. These often contain malware that will give subjects access to your computer system.
- Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
- Consider implementing two-factor authentication for corporate email accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s email account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
- Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, a detection system for legitimate email of abc_company.com would flag fraudulent email from abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the email request.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all email requests for transfers of funds to determine if the requests are out of the ordinary.
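The detection rule described above for abc_company.com versus abc-company.com, worked out as an added Python example that is not part of the original post or the FBI publication: it generalizes the idea to dropped separators, digit-for-letter swaps, a truncated top-level domain, and the legitimate domain appearing as a subdomain of someone else's. The sender addresses are constructed, and the `.invalid`/`.example` domains and the 0.85 similarity threshold are assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# The page's example legitimate domain; this block is an added illustration, not the post's own tooling.
LEGIT_DOMAIN = "abc_company.com"
SEPARATORS = re.compile(r"[-_.]")
# Digits commonly swapped in for look-alike letters in lookalike registrations
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def normalize(domain: str) -> str:
    """Collapse separators and homoglyph digits: abc-company.com, abccompany.com
    and abc_c0mpany.com all normalize to the same string as abc_company.com."""
    return SEPARATORS.sub("", domain).translate(HOMOGLYPHS)

def classify(address: str, legit: str = LEGIT_DOMAIN, threshold: float = 0.85):
    """Return (verdict, reason) with verdict 'legitimate', 'lookalike' or 'unrelated'."""
    dom = sender_domain(address)
    if dom == legit:
        return "legitimate", "exact match"
    if legit in dom:  # e.g. abc_company.com.evil-example.invalid
        return "lookalike", "legitimate domain embedded in a longer sender domain"
    if normalize(dom) == normalize(legit):
        return "lookalike", "differs only by separators or digit homoglyphs"
    ratio = SequenceMatcher(None, normalize(dom), normalize(legit)).ratio()
    if ratio >= threshold:
        return "lookalike", f"edit similarity {ratio:.2f} >= {threshold}"
    return "unrelated", f"edit similarity {ratio:.2f}"

def flagged_senders(addresses):
    """Filter a batch of From: addresses down to the ones the rule should flag."""
    return [a for a in addresses if classify(a)[0] == "lookalike"]

# Constructed sample From: addresses for a dry run (not real mail traffic).
SAMPLE_SENDERS = [
    "cfo@abc_company.com",
    "cfo@abc-company.com",
    "ap@abccompany.com",
    "billing@abc_c0mpany.com",
    "ceo@abc_company.com.evil-example.invalid",
    "ceo@abc_company.co",
    "vendor@unrelated-supplier.example",
]
if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        verdict, reason = classify(addr)
        print(f"{verdict:10} {addr:42} {reason}")
```

The same checks belong on the Reply-To and Return-Path headers as well as From:, since a forged display name on an unrelated domain is the other common BEC pattern and is not caught by domain similarity alone.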
A complete list of self-protection strategies is available on the United States Department of Justice website http://www.justice.gov in the publication titled “Best Practices for Victim Response and Reporting of Cyber Incidents.”
What To Do If Your Business Becomes A Victim
If you notice any business funds being transferred to a fraudulent account, it is important to act quickly:
- Contact your financial institution immediately upon discovering the fraudulent transfer.
- Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, with the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.
Again, your bank has no obligation to pay you back the lost money, and suing them won’t be much help because they’ll fight it. In one case, it was discovered in mediation that a bank had spent in excess of $1.2 million fighting a business owner, even though the owner had offered to settle the case for $200,000. There have been instances where companies have appealed these decisions to higher courts, and after further investigation banks have been ordered to settle because they were grossly negligent and simply didn’t have anything in place that could have triggered an alert, but these are very rare occurrences.
When contacting IC3 it’s recommended that you identify your incident as “BEC/EAC” and provide the following information:
- Originating business name
- Originating financial institution name and address
- Originating account number
- Beneficiary name
- Beneficiary financial institution name and address
- Beneficiary account number
- Correspondent bank, if known or applicable
- Dates and amounts transferred
- IP and/or email address of the fraudulent email
And that’s not all. To be as helpful as possible, it’s a good idea to also include:
- Date and time of incidents
- Incorrectly formatted invoices or letterheads
- Requests for secrecy or immediate action
- Unusual timing, requests, or wording of the fraudulent phone calls or emails
- Primary phone numbers of fraudulent phone calls
- Description of any phone contact
- Foreign accents of callers
- Poorly worded or grammatically incorrect emails
- Reports of any previous email phishing activity
Contact us today for an annual risk assessment, employee data breach training, top 10 cybersecurity policies and procedures, device management, and ransomware prevention – all for just $29 per user per month!