Efficient Escrow of California was forced to close its doors and lay off its entire staff when cybercriminals nabbed $1.5 million from its bank account. The thieves gained access to the escrow company’s bank data using a form of “Trojan horse” malware.
Once the hackers broke in, they wired $432,215 from the firm’s bank to an account in Moscow. That was followed by two more transfers totaling $1.1 million, this time to banks in Heilongjiang Province in China, near the Russian border.
The company recovered the first transfer, but not the next two. They were shocked to discover that, unlike with consumer accounts, banks are under no obligation to recoup losses in a cyber-theft against a commercial account. That meant a loss of $1.1 million, in a year when they expected to clear less than half that. Unable to replace the funds, they were shut down by state regulators just three days after reporting the loss.
Net result? The two brothers who owned the firm lost their nine-person staff and faced mounting attorneys’ fees nearing the total amount of the funds recovered, with no immediate way to return their customers’ money.
Avoid Getting Blindsided
While hacks against the big boys like Target, Home Depot and Sony get more than their share of public attention, cyberattacks on small and medium-sized companies often go unreported, and rarely make national headlines.
Don’t let this lull you into a false sense of security. The number of crippling attacks against everyday businesses is growing. Cybersecurity company Symantec reports, for example, that 52.4 percent of phishing attacks last December were against SMEs – with a massive spike in November. Here are just a few examples out of thousands that you’ll probably never hear about:
• Green Ford Sales, a car dealership in Kansas, lost $23,000 when hackers broke into its network and swiped bank account info. The thieves added nine fake employees to the company payroll in less than 24 hours and paid them a total of $63,000 before the company caught on. Only some of the transfers could be canceled in time.
• Wright Hotels, a real estate development firm, had $1 million drained from their bank account after thieves gained access to a company email account. Information gleaned from emails allowed the thieves to impersonate the owner and convince the bookkeeper to wire money to an account in China.
• Maine-based PATCO Construction lost $588,000 in a Trojan horse cyberheist. They managed to reclaim some of it, but that was offset by interest on thousands of dollars in overdraft loans from their bank.
Why You’re a Target – And How to Fight Back
Increasingly, cyber thieves view SMEs like yours and mine as easy “soft targets.” That’s because all too often we have:
1. Bank accounts with thousands of dollars
2. A false sense of security about not being targeted
3. Our customers’ credit card information, social security numbers and other vital data that hackers can easily sell on the black market
If you don’t want your company to become yet another statistic in today’s cyberwar against smaller companies, and your business doesn’t currently have a bullet-proof security shield, you must take action without delay – or put everything you’ve worked for at risk. The choice is yours.
Here are three things you can do right away:
1. Remove software that you don’t need from any systems linked to your bank account.
2. Make sure no one with a device on your network opens an attachment in an unexpected email.
3. Require two people to sign off on every transaction.
Clients of MIS can rest easy knowing that we are proactively looking out for the security of your technology environment. But if you are concerned about the security of your network or would like to learn more about advanced security measures to keep your data safe, contact your client account manager.