One day this past January, Joy Graham happened to check her company's bank accounts in the afternoon, instead of during her normal morning routine. The delay was serendipitous for Graham, managing director with LG Martin, a consultancy that develops community initiatives for businesses, individuals and nonprofits. Several purchasing-card charges raised her suspicions -- including orders for home electronics, and tickets to a Boston Celtics basketball game. LG Martin has offices in Atlanta, Houston and New York.
Graham immediately called her bank, the retailer through which the orders had been placed -- and the police. The payoff for her quick work: Almost all the charges could be voided before the transactions were completed. (The thieves were able to keep the game tickets.)
But the problem wasn't solved. A few months later the company's accounts were found to have been compromised again -- this time when the bank noticed several transactions originating from outside the U.S. Again, most of those charges were rescinded because they were caught early. At the recommendation of her bank, Graham changed the company's bank accounts, and re-set all computers. That meant re-installing the software and requiring employees to change their passwords, according to Graham. "You have to remain diligent," she says.
Unfortunately, Graham's experience isn't unusual. And, in fact, since in most such cases there isn't such early detection, the impact usually is more severe. More than half --- 56% --- of small- to medium-sized businesses experienced fraud in the last year, according to the Business Banking Trust Study conducted by Guardian Analytics Inc., a Los Altos, Calif.-based provider of online banking security products, and Traverse City, Mich.-based Ponemon Institute LLC, a firm that conducts research on data protection, among other services. More than 60% were victimized more than once. These figures are nearly unchanged from the 2010 Study.
What's more, in late April the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center issued a fraud alert. "Between March 2010 and April 2011, the FBI identified 20 incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies," the alert read. As of April, victim losses totaled $11 million.
Several factors contribute to the stubbornly high occurrence of fraud involving small business bank accounts. For starters, many small business executives, including those heading finance, juggle multiple roles, with the result that no one person is dedicated to watching for fraudulent activities, says Larry Ponemon, chair and founder of the Ponemon Institute. In addition, "smaller businesses often lack the resources to implement higher level security," such as fraud filters, Ponemon says.
Software to the Rescue
At the same time, the banks don't always do their part, says Terry Austin, CEO of Guardian Analytics. To be sure, most large banks have implemented tools that can thwart would-be fraudsters. However, small businesses often can't get the attention they need from the mega-banks, and prefer working with community banks, whose budgets are more modest, as well. "The small institutions haven't had the ability until recently to get sophisticated technology in place to stop the problem," says Austin.
That's slowly changing, as more fraud-fighting applications now are available as SaaS, or software-as-a-service, which tends to lower the initial investment. Austin provides an example: software that monitors the behavior of people using online banking applications, looking for actions that fall outside the norm. (In the interests of disclosure, Austin's firm provides such applications.)
Even as more banks implement tools to hamper criminals' efforts to compromise others' accounts, CFOs can take a few steps on their own to protect their funds:
* Ask your bank what fraud-fighting tools it has implemented. "Does the bank have procedures in place that under reasonable conditions would alert the company to fraud?" is a good question to keep in mind, said Ponemon. The priority placed on security, he adds, can vary dramatically from one bank to another.
* As Graham does, monitor your account regularly -- at least daily. The more quickly you catch a fraudulent transaction, the better the chances that you can rescind it, or at least prevent others.
* Educate your employees. Some types of cyber-fraud are fairly easy to recognize, and employees should know to steer clear of them, Austin says. Case in point: phishing schemes, or supposedly official emails that ask for sensitive information, such as an individual's computer password or credit card number.
* Take care when transmitting confidential information via mobile devices. "The bad guys are focusing on these technologies," given how popular they're becoming, Ponemon says. In addition, smart phones and the like are easier to misplace than desktop computers, boosting the potential for fraud, he adds.
* Don't forget that appropriate manual procedures, such as separating responsibility for initiating purchase orders and approving payment, can go a long way to reducing the incidence of fraud. "The majority of criminals are low-tech," Ponemon says.
* Finally, understand your firm's responsibilities should a loss occur. Regulation E, which is part of the Electronic Fund Transfer Act, provides protection to individual consumers engaging in electronic fund transfers. "It doesn't extend to commercial accounts," says Austin. Instead, the extent of your firm's liability, as well as your bank's, should be covered in the contract between the two organizations, says Doug Johnson, vice president for risk management policy with the American Bankers Association.
What's more, even if the bank takes on some responsibility to cover a loss, it may hinge on your company instituting reasonable security procedures. "By contract, the business generally agrees to abide by reasonable security procedures," Johnson says. If your company experiences a loss and it becomes apparent that its security policies were sub-par, the bank may not be liable for any losses.