It’s a chilling moment when a small business owner discovers hackers have stolen thousands of dollars from the company checking account.
Cybercriminals took an average $32,000 from small business accounts, says a December survey of owners by the advocacy group National Small Business Association. And businesses don’t have the legal protection consumers do from bank account fraud.
The Electronic Funds Transfer Act, passed in 1978, states that it’s intended to protect individual consumers from bank account theft, but doesn’t mention businesses. Whether a business is protected depends on the agreement it signs with a bank, says Doug Johnson, a senior vice president with the American Bankers Association, an industry group. If the business hasn’t complied with security measures required by the agreement, it could be liable for the stolen money, he says.
Any business is vulnerable, but small companies are less likely to have security departments and procedures to guard against online theft. They also don’t have big revenue streams that are better able to absorb losses. And even if they get the money back, they still have to spend time and money dealing with the hassles of closing and opening accounts.
Thieves are increasingly using realistic-looking emails to trick companies into transferring money from their accounts with what’s known as wire transfers, says Avivah Litan, a security analyst with the research company Gartner. Often, an employee receives an email purportedly from a company executive asking them to transfer the money from the company’s account into a specific external account. If employees don’t check to be sure the request is legitimate, they might go ahead and authorize a withdrawal.
Business accounts are safer at banks that use what’s known as two-factor authentication, requiring unfamiliar account users or devices to supply additional information like one-time access codes, says Timothy Ryan, a managing director with the security company Kroll in New York. Sophisticated banks also have software that flags emails or attempted log-ins from unfamiliar Internet service providers, he says.
Some additional steps:
■ Everyone in the company must be hypervigilant about emails, being wary about clicking on links and attachments and checking the addresses that emails came from. Criminals may create email addresses that look familiar but that might have an extra letter like an “I” or “i” not apparent at first glance.
■ In the case of wire transfers, put procedures in place so several managers must sign off before a transfer can be made.
■ Keep a close eye on accounts. If you can’t check your balance daily, get text alerts whenever there’s a withdrawal.
■ Don’t log into your bank from public spaces offering free Wi-Fi. Wait until you’re home or in your office.
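The address check in the first step can be automated for incoming mail. The Python sketch below is an added example, not part of the original article: it flags sender domains that sit one stray letter or a look-alike character away from a domain the company trusts. The trusted-domain list, the look-alike character table and the sample addresses are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list; replace with the domains your company really deals with.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Characters easily mistaken for one another (assumed table, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(domain):
    """Fold look-alike characters so 'exampIe.com' and 'example.com' compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_domain); verdict is trusted, lookalike, unknown or invalid."""
    _, address = parseaddr(header_from)
    local, sep, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not (sep and local and domain):
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # One stray letter (distance 1) or a swap of look-alike characters.
        if edit_distance(domain, good) <= 1 or skeleton(domain) == skeleton(good):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("Pat <pat@example.com>", "Pat <pat@exampIe.com>",
                   "pat@exaimple.com", "ap@examp1ebank.c0m", "info@vendor.test"):
        print(sender, "->", classify_sender(sender))
```

A "trusted" verdict only means the domain is spelled correctly; it does not prove who sent the message, so the sign-off procedure for wire transfers still applies.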
Copyright 2016 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.