Features - January/February 2010

Click Here to Destroy Your Business

Cyber criminals prey on unsuspecting targets: Could your small business be next?

It can happen before you know it. One day, you have plenty of funds in your bank account; the next day, the money is gone. And the culprit isn’t a client you’ve lost, a bad economy or even a disgruntled employee; it’s a hacker who has found a way to sneak into your online bank account, view sensitive financial data and steal from your business. A scenario like this might sound far-fetched, but it has become a cruel reality for small business owners who have experienced it, and a risk for anyone who conducts business or keeps financial records online.

Scammed by a Cyber Criminal
Like most business owners, Bob Gray, owner of Vickery, Ohio-based Homestead Interior Doors, had virus protection as well as a minimal firewall, but it wasn’t enough to keep hackers from accessing his computer and network, and swiping $100,000 from his online business bank account late last year. "I noticed a $50,000 transfer was posted on my account that didn’t look right," he says. "I didn’t remember doing anything like that. Then, right before my eyes, another $50,000 transfer popped up."

Gray eventually recovered half of the money, but it took several agonizing months working with his bank and lawyers to sort things out. "There were times that I was convinced I was going to lose my business over this," says Gray, whose cash flow and incoming customer payments were frozen after the attack. "I was lucky because it could have been worse. I could have been wiped out completely."

Though he’s more cautious now, he says "these hackers are learning new stuff every day; they’re staying one step ahead of the protections and will keep trying to figure out how to get into your computer if they think they can get money out of you. You’ve got to be vigilant. Nobody takes it seriously until it happens to them--but they need to because they could wake up one morning and have no money and no business."

Safeguarding Your Business
Even basic safeguards such as passwords, virus checkers and firewalls aren’t enough to keep some hackers out. From posing as customers to lure you into opening a tainted attachment that hijacks your computer to probing the shopping cart software on your site for a security hole, their tactics keep getting trickier. Your business doesn’t have to be Internet-based or have a huge online presence to attract hackers; all it takes is a Web site with an e-mail address.

"People are generally too trusting of data security--they don’t even think about it or aren’t aware of it," says Craig Kunitani, who owns Security Mentor Inc., a Pacific Grove, Calif.-based business that provides Web-based security awareness training to companies. "They underestimate the vulnerability of the security of everything, including their computers and networks."

Small business owners often make themselves more vulnerable to an attack because they don’t have the time or the IT resources to keep their hardware and software up to date, says Pat Davis, senior vice president and commercial banking director for River City Bank, a Sacramento, Calif.-based community bank.

"The No. 1 way small business owners can protect themselves is to stay on top of virus checkers and make sure they have the latest security patches and updates to their platforms," Davis says. "They have to protect themselves--that’s key. We can be there to facilitate, but we don’t have the ability to go into their computer systems."

Keys to Cyber Safety
You can take steps to keep hackers from raiding your coffers. Follow these security tips from our article’s experts to prevent a cyber crime.

Protect your passwords. Never use your birth date, Social Security number or anything else a hacker could easily find. Choose a long password with a combination of upper- and lower-case letters, numerals and special characters. Change your password every three to six months. Keep passwords in an encrypted file on your computer, or memorize them.

Scrutinize messages. Delete e-mails that look suspicious, or are addressed in a peculiar, non-personal way. Ignore any content warning you to do something to avoid a dire consequence (e.g., if you don’t change your bank password your account will be closed) or promising something too good to be true. Avoid clicking on embedded links in a message from an unfamiliar source--or you could find yourself on a site designed to steal your information.

Browse carefully. Bookmark URLs that you visit frequently or type addresses in by hand to make sure you’re going to the right site. Keep social network browsing to a minimum; these are popular places for malware attacks.

Stay updated. Keep anti-virus, anti-ad and anti-spy software licenses renewed. Watch for red flags, like a slower-moving computer, that indicate a virus. Keep software updated, especially core programs on your operating system and any browsers, multimedia players and PDF programs that allow downloading. Hire an IT consultant to check your firewalls and evaluate your system to see what needs to be updated.

Know who’s responsible. Unfortunately, if it’s a data security issue, it’s usually the business owner’s responsibility to recover any lost data or funds. If you catch the ruse in time, your bank might help you try to recover your money or be able to convince the banks receiving the transfers to freeze the accounts, but you will be left with the liability. You can also ask for a clause in your business insurance to cover such a situation.


Anatomy of a Scam
How hackers can access your sensitive business data

Most business owners know not to check their bank account while using a wireless hotspot at a cafe or airport, but what about in the privacy of your home or office? Getting hacked can happen there, too.

Hackers start by gaining control of your computer through a virus that comes to you via e-mail, or gets loaded onto your computer as you browse an infected site. This malware runs undetected, tracking everything you type into your computer--including usernames and passwords that protect sensitive business information.

With your information at their fingertips, a hacker can log into your account, create a direct deposit batch for "employees"--people they have "hired" through job-searching sites for what seems like a legitimate job--and transfer money into those accounts, allowing accomplices to take out a small percentage before wiring the bulk overseas.