Don’t Click That Link

Malware lurking in e-mail can enable hackers to loot corporate bank accounts.

David McCann
July 1, 2010 | CFO.com | US

An in-vogue form of electronic bank fraud targeting corporations relies on a sophisticated scheme but starts with a mundane activity: an employee checking e-mail.

In what is often called a corporate account takeover, someone who accesses e-mail from the computer that a company uses to execute online banking transactions unwittingly clicks on a link or attachment that contains malware, such as a keylogging virus. A keylogger records all the keystrokes made from the computer, thus passing banking credentials and passwords to a hacker.

The fraud perpetrator then spoofs (or impersonates) the IP address of the computer so that the bank doesn’t recognize the imposter. Then, typically, the money is wired to accounts at other banks set up by unwitting “money mules,” notes Michael Law, fraud prevention manager at Superior Bank, a regional institution in the Southeast.

The mules’ role is to wire the money overseas, where most of the thieves are located. In one common scenario, Law says, people become money mules by answering vaguely worded classified ads offering the opportunity to work flexible hours from home as, say, a bookkeeper or funds-transfer agent. They are instructed to open a bank account to handle transactions for the supposed employer, into which the stolen money is deposited, and then to wire it to an overseas account from a commercial wire service such as Western Union.

Banks are dealing with a surge of such scams, according to Law. “It’s very hot, because it can be very lucrative,” he says.

Often banks detect the phony transactions and contact the mules’ banks before the money is wired out of the country. “I have seen situations in the past where customers’ accounts have been hacked into with tens of thousands of dollars wired to money mules at different banks across the country,” says Law. “In some of those cases, the money has already been wired out to sophisticated criminals in other countries.”

The thieves generally keep transactions under $10,000 because a withdrawal of that amount or higher requires the bank to file a currency transaction report with the IRS, and banks carefully scrutinize each day’s CTRs, Law says.

To prevent this type of fraud, a company should disable e-mail access from its banking computer, create clear policies for handling unsolicited e-mails, and consider requiring multiple officers using different computers to approve bank wires, says Ron Box, CFO and CIO of Joe Money Machinery, a dealer of heavy-construction equipment.

Box notes that in addition to using Joe Money’s treasury workstation, as a practical matter he also performs online transactions from his own computer. Corporate firewalls generally cannot prevent some of the more sophisticated keylogger e-mails from reaching the computer of an officer with access to online accounts, says Box, who frequently conducts educational sessions on data security and electronic fraud prevention for the American Institute of Certified Public Accountants.

Banks have been held liable for losses created by this kind of fraud in a number of recent decisions on lawsuits filed by victimized companies, though there are legal gray areas. “Failure to take advantage of appropriate online security offered by your bank may shift the burden of liability for a preventable technology-based fraud back to your company,” says Box.
