A Publication of WTVP

With the right strategy and implementation, you can conduct business securely in a threatening environment.

While high-profile breaches at Target, Home Depot and Sony dominate the headlines, breaches at small businesses fly under the radar. Yet these disruptions are often more devastating, even to the point of business failure.

Churches and other organizations in central Illinois that never considered themselves targets are becoming victims of credit card fraud, automated clearing house (ACH) fraud and wire fraud. These crimes are often perpetrated from outside the country by attacking the online cash management features that banks provide their customers.

You can take steps to protect your entity, but before taking action, you must first understand and acknowledge this growing threat. The attacks fall into three main categories:

Theft of Personal Financial Information
Organized crime groups (primarily in Russia, Eastern Europe and China) have created a high demand for personal financial information, including name, address, Social Security number, driver’s license number, bank account number and credit card details. Hackers steal this information, then sell it to criminals who use it to commit various forms of identity theft. Payroll databases, customer sales records and supplier/accounts payable records are common targets for this type of attack.

This was the driving force behind the breaches at Target, Neiman Marcus, the University of Maryland and many others. Indeed, as the price being paid to hackers escalates, smaller businesses are being targeted.

Online Banking Malware
Zeus, Citadel, SpyEye and Gozi are just a few examples of the new breed of sophisticated online banking malware. Once a network is infected with this type of malware, the online banking credentials (user ID, password, challenge questions) are harvested by the attacker, who then logs into the online banking server and executes fraudulent wires or ACH transactions. More sophisticated malware can bypass multifactor authentication tokens.

Malware code is often delivered via email, either by a file attached directly to the message, or more commonly, by use of a link to a rogue webpage. In the latter case, the malware returns with the webpage and installs itself on the victim’s computer.

These emails have improved significantly in their sophistication and effectiveness, and can be very difficult for users to identify as fraudulent. They often use carefully crafted scripts to entice the user to click the link. In some cases, the emails are even “spoofed”; that is, they are crafted to appear to come from someone inside the victim organization (e.g., the company president). In other cases, the emails are designed so they appear to come from a legitimate business or organization, such as UPS, American Express, PayPal or the IRS. These spoofing tactics are designed to increase the likelihood that the recipient will act quickly, clicking on the link without much thought.
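The header checks a mail gateway or an administrator can apply to the two spoofing styles described above, as an added example that is not part of the original article. The domain `example-church.org`, the executive name and the sample messages are constructed, and the code assumes the receiving gateway stamps its own `Authentication-Results` header and strips any that arrive from outside.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organization's domain,
# an executive's display name, and a gateway that stamps Authentication-Results.
INTERNAL_DOMAIN = "example-church.org"
EXECUTIVE_NAMES = {"pat rivera"}
BRAND_DOMAINS = {"ups": "ups.com", "american express": "americanexpress.com",
                 "paypal": "paypal.com", "irs": "irs.gov"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """Return the spoofing indicators found in one message's headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, from_dom = name.lower(), _domain(addr)
    findings = []
    # Mail claiming to be from our own domain must have passed DMARC at the gateway.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if from_dom == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal-domain-unauthenticated")
    # An executive's name on an outside address is the "company president" lure.
    if name in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append("executive-name-external-address")
    # A well-known brand in the display name should come from that brand's domain.
    for brand, dom in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name) and \
                not (from_dom == dom or from_dom.endswith("." + dom)):
            findings.append("brand-name-domain-mismatch")
    # Replies routed to a different domain than the visible sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-differs")
    return findings

# Constructed sample messages; only the headers matter to the checks.
INTERNAL_SPOOF = ("From: Pat Rivera <pat.rivera@example-church.org>\n"
                  "Reply-To: pat.rivera@mail-example.net\n"
                  "Authentication-Results: mx.example-church.org; spf=fail; dmarc=fail\n\nHi\n")
BRAND_SPOOF = ('From: "UPS Delivery" <notice@parcel-tracking.example>\n'
               "Authentication-Results: mx.example-church.org; spf=pass; dmarc=none\n\nHi\n")
LEGITIMATE = ("From: Pat Rivera <pat.rivera@example-church.org>\n"
              "Authentication-Results: mx.example-church.org; dkim=pass; dmarc=pass\n\nHi\n")

for label, raw in (("internal", INTERNAL_SPOOF), ("brand", BRAND_SPOOF), ("legit", LEGITIMATE)):
    print(label, spoof_indicators(raw))
```

Messages that trip any of these checks are candidates for quarantine or a warning banner rather than silent delivery.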

Ransomware
Ransomware is a type of malware that encrypts virtually all data and files that it can find, both on the local machine and on every network device that it can connect to. This renders the data unusable by the victim organization. Typically, the hacker requests payment (the ransom) in exchange for decrypting the affected data. This is how the hacker hopes to make his money.

Having working backups that are regularly tested allows victims to wipe the affected machines clean and reinstall both systems and data. However, for companies with high reliance on technology, even the downtime required to wipe and reinstall can result in costly losses and reputational damage.

Protecting Your Business
Preventing these attacks is no small task. It requires a multilayered approach. Organizations should consider each of these tactics. To properly defend:

For relationships, communication and training:

Reliance on technology is a reality for even the smallest organization. But you can conduct business securely in this threatening environment with the right strategy and implementation to help protect your entity against online attacks.

Mark Eich and Matt Smutz are principals with CliftonLarsonAllen.