I was very happy to see that NPR has picked up a story I have been trying to get out for a while. John Ydstie has a new example that shows the incredible hassle and disappointment that come with a sophisticated cyberheist: it cost Dr. David Krier's Volunteer Voyages a whopping $14,000 in fraudulent withdrawals from his business account, which his bank refuses to cover.
In the past I have talked a lot about PATCO Construction, as they are the poster child of a cyberheist gone really bad, with the banks taking no responsibility and legal costs skyrocketing. Mark Patterson, owner of PATCO, makes an appearance in Ydstie's story.
Here are some excerpts; you can also listen to the story at NPR, which I highly recommend if you need ammo for your IT security budget. This is a great one to forward to C-level execs.
"Cyberthieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole. Individuals are pretty well-protected when it comes to fraudulent transfers from their bank accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. That's not the case for small businesses, even if they're owned by a single person, like Volunteer Voyages.
"For Stuart Rolfe, a Seattle businessman, the stakes were much higher and the scam much more sophisticated. Cyberthieves hacked his email account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China.
He was stunned. "Any time you have a theft, certainly one of this dollar amount, it is shocking and very disturbing," he says. Rolfe's firm, Wright Hotels, invests in and develops hotel properties. (In the interest of full disclosure, Rolfe and his wife have made substantial contributions to NPR.)
Rolfe says one of the most unsettling things was realizing that once the cyberthieves had accessed his email, they had vast and intimate knowledge of his life and business practices.
"They knew exactly how I had communicated with our bookkeeper," he says. "They knew exactly what kinds of things that I said" in emails to her authorizing transfers. He made another disturbing discovery: When he looked back at the transfers, he found that when they were authorized he always seemed to be in business meetings.
That's because the thieves also had access to his Outlook calendar. It meant the cyber crooks could safely impersonate Rolfe and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from Rolfe's bookkeeper and then delete all those communications from the account before Rolfe returned from his meetings and checked his email again.
And then there is Mark Patterson. A few years ago, his company, PATCO Construction, based in Sanford, Maine, was the victim of cyber fraud. He described it in detail as he inspected work on some townhouses his company is building in Kennebunk, Maine.
He said that over consecutive nights, about $100,000 a night was taken out of PATCO's checking account. By the time his chief financial officer discovered it, Patterson says, "we were down about $545,000."
Patterson thought his bank, Ocean Bank, would reimburse him. It refused, and he sued. Patterson says the bank threw a huge amount of resources at the case. He says he discovered in mediation that the bank had spent "in excess of $1.2 million fighting this, when we offered to settle this for $200,000."
PATCO lost the first round but won on appeal when a panel of judges concluded Ocean Bank's security had not been commercially reasonable. Patterson thinks the law should be changed to make banks shoulder more responsibility for cybercrime losses at small businesses."
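The Rolfe case above describes a pattern a defender can look for: payment-instruction emails sent from an executive's mailbox, timed to calendar meetings, and then deleted from Sent Items before the owner sees them. The following is an added example (not from the NPR story or from KnowBe4) of that detection logic run over constructed, simplified mailbox audit events and calendar busy blocks; the event field names (ts, op, id, subject, folder) and the payment keyword list are assumptions for illustration, not a particular mail server's schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema, not a real server's log).
# m1 and m2 model the pattern in the story: a wire request sent during a
# meeting and deleted from Sent Items minutes later. m3 is chatter; m4 is a
# legitimate transfer approval that was neither timed to a meeting nor deleted.
AUDIT_EVENTS = [
    {"ts": "2015-09-14T10:05:00", "op": "Send", "id": "m1",
     "subject": "Please wire $48,000 to new vendor"},
    {"ts": "2015-09-14T10:07:30", "op": "HardDelete", "id": "m1",
     "subject": "Please wire $48,000 to new vendor", "folder": "Sent Items"},
    {"ts": "2015-09-14T10:09:00", "op": "Send", "id": "m2",
     "subject": "Re: wire request"},
    {"ts": "2015-09-14T10:11:00", "op": "HardDelete", "id": "m2",
     "subject": "Re: wire request", "folder": "Sent Items"},
    {"ts": "2015-09-14T14:00:00", "op": "Send", "id": "m3",
     "subject": "Lunch next week?"},
    {"ts": "2015-09-15T09:00:00", "op": "Send", "id": "m4",
     "subject": "Approve transfer to supplier"},
]

# Constructed calendar busy blocks for the mailbox owner (start, end).
BUSY = [("2015-09-14T09:30:00", "2015-09-14T11:30:00")]

# Assumed wording that marks a message as a payment instruction.
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def during_busy_block(ts, busy_blocks):
    """True if the timestamp falls inside any calendar busy block."""
    t = parse_ts(ts)
    return any(parse_ts(a) <= t <= parse_ts(b) for a, b in busy_blocks)


def mentions_payment(subject):
    s = subject.lower()
    return any(term in s for term in PAYMENT_TERMS)


def find_suspicious(events, busy_blocks, window_minutes=30):
    """Return {message_id: [reasons]} for sent payment-related messages that
    were deleted from Sent Items within window_minutes of being sent.
    A send during a calendar busy block is recorded as an extra reason."""
    sent = {e["id"]: e for e in events if e["op"] == "Send"}
    deleted = {e["id"]: e for e in events
               if e["op"] in ("HardDelete", "SoftDelete")
               and e.get("folder") == "Sent Items"}
    findings = {}
    for mid, s in sent.items():
        if not mentions_payment(s["subject"]):
            continue
        d = deleted.get(mid)
        if d is None:
            continue
        gap = parse_ts(d["ts"]) - parse_ts(s["ts"])
        if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
            minutes = int(gap.total_seconds() // 60)
            reasons = ["payment wording",
                       f"deleted from Sent Items {minutes} min after sending"]
            if during_busy_block(s["ts"], busy_blocks):
                reasons.append("sent during a calendar busy block")
            findings[mid] = reasons
    return findings


if __name__ == "__main__":
    for mid, reasons in find_suspicious(AUDIT_EVENTS, BUSY).items():
        print(mid, "->", "; ".join(reasons))
```

The rule is deliberately narrow: a quick self-deletion of a payment instruction is the signal, and the calendar overlap only strengthens it, because legitimate transfer approvals (m4) are sent all the time. In practice the finding should trigger an out-of-band callback to the executive before any transfer is executed, which is the control that would have stopped the Rolfe transfers regardless of whether the alert fired.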
In the majority of these cases, email accounts and personal computers were hacked using phishing or spear-phishing attacks that could have been prevented with security awareness training. Today, all employees need to be stepped through effective user education and sent frequent simulated phishing attacks. Find out how affordable this is for your organization; you will be pleasantly surprised.