Businesses Reluctant to Report Online Banking Fraud

By Brian Krebs
Washington Post Staff Writer
Wednesday, August 26, 2009; 2:04 PM

A confidential alert sent on Friday by a banking industry association to its members warns that Eastern European cyber gangs are stealing millions of dollars from small to mid-sized businesses through online banking fraud. Unfortunately, many victimized companies are reluctant to come forward out of fear of retribution by their bank.

According to the alert, sent by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the victims of this type of fraud tell different stories, but the basic elements are the same: Malicious software planted on a company's Microsoft Windows PC allows the crooks to gain access to the victim's corporate bank account online. The attackers wire chunks of money to unwitting and, in some cases, knowing accomplices in the United States, who then wire the money to the fraudsters overseas.

As grave as that sounds, the actual losses from this increasingly common type of online crime almost certainly are far higher. Those estimates were based on figures reported by the banks to federal regulators and law enforcement. But part of the problem, as Security Fix has found firsthand, is that many businesses are extremely wary about acknowledging that they've been victimized at all, even to federal investigators.

In July, Security Fix highlighted the plight of Gainesville, Ga.-based Slack Auto Parts, which lost nearly $75,000 when fraudsters used malware to steal the company's online banking credentials and distribute the funds to six money mules around the country. When the company's story was retold in a USA Today feature, Slack Auto co-owner Tennent Lee Slack told me she began hearing from other businesses that had lost tens of thousands of dollars in eerily similar attacks, including another small company based in Gainesville that lost $63,000.

Slack said few victims that contacted her are willing to come forward to tell their stories.

"All of the people who have called us are very angry with their respective banks," Slack said. "Most have retained attorneys and I think they are afraid of publicity."

I spoke with one victim in California whose company had lost more than $50,000 after finding malware on the firm's systems, but the man ultimately decided he didn't want his company or bank to be named. Another gentleman, the owner of an appliance sales and servicing company in Maine, also declined to tell his story for the record or contact law enforcement.

JM Test Systems, an electronics calibration company in Baton Rouge, La., lost almost $100,000 after thieves used malicious software to send a series of sub-$10,000 payments to at least five co-conspirators around the country, who then wired the money on to fraudsters in Russia. Happy McKnight, the company's controller, agreed to talk to Security Fix on the condition that we not publish the name of her employer's bank. JM Test is still considering whether to try to settle the matter in court.

Avivah Litan, a fraud analyst with Gartner, said many victims don't want to talk because they fear it will endanger their ability to recoup the losses from their bank.

"Nobody wants to talk about it. The banks certainly aren't going to talk about it," Litan said. "It's like a rape victim. The victims are scared of retribution by their bank, scared that they're not going to get their money back. But in most cases they're not going to get it back anyway."

© 2009 The Washington Post Company