CLEARWATER, Fla. (Press Release – October 10, 2011) – IT security expert Stu Sjouwerman, founder and CEO of the Internet Security Awareness Training (ISAT) firm KnowBe4, warns that small and medium enterprises (SMEs) are likely to find themselves on the hook for phishing-related cyberheist losses when financial institutions deny responsibility for the incursions. Sjouwerman (pronounced “shower-man”) cited a recent Bloomberg news article that reported cybercriminals are looting as much as $1 billion per year from small and mid-sized bank accounts, while banks are blaming the victims for allowing unauthorized access.
“Many cybercriminals operate from foreign countries and wire stolen funds overseas. This makes it difficult for authorities to track down and prosecute the thieves, so there is little chance of recovering the money,” explained Sjouwerman. “And because the FDIC does not offer the same protection to business accounts as it does for personal accounts, that leaves one of two parties to cover the losses: the bank or the business owner. So it’s little wonder that banks are blaming SMEs for allowing cybercriminals to infiltrate their networks in the first place.”
Sjouwerman noted that cybercriminals often use phishing emails and other similar tactics to trick employees into clicking a link, which then automatically downloads malware to the user’s system. “Using keystroke loggers and other tools, cyberthieves are able to steal account information and passwords while the user remains completely unaware of the network breach. The hackers then initiate a series of wire transfers using the business owner’s credentials. In many cases, by the time the bank or business notice the unusual activity, the money is long gone and untraceable. As a result, the bank faults the SME for allowing cybercriminals to steal the company’s online banking credentials, while the SME accuses the bank of having insufficient fraud detection and anti-theft measures in place.”
Recent court cases have shown that the verdict can go either way. As detailed in court filings, a phishing attack allowed cybercriminals to access the business accounts of Experi-Metal, Inc., at Comerica Bank, culminating in 97 wire transfer orders that totaled more than $1.9 million, plus a $5 million overdraft. Comerica was able to recover all but $561,399 of the stolen funds, which Experi-Metal pursued in a lawsuit against the bank (Experi-Metal, Inc., v. Comerica Bank). In his bench opinion, the judge found Comerica at fault for failing to detect or stop the fraudulent activity earlier, and for allowing a $5 million overdraft on what is usually a zero-balance account.
However, in another similar case, the court ruled in favor of the bank. According to court documents, Patco Construction was the victim of a $588,851 cyberheist, which appeared to result from a Zeus/Zbot trojan that allowed cybercriminals to steal the company’s online banking credentials. Patco’s financial institution, Ocean Bank, was able to block some of the transfers, but more than $345,000 was not recovered, leading Patco to sue the bank for the loss (Patco Construction Company, Inc., v. People’s United Bank d/b/a/ Ocean Bank). After weighing the arguments presented by each side, the judge upheld the magistrate’s recommended decision, which was to grant the bank’s motion for summary judgment and deny Patco’s cross-motion.
“Since businesses cannot rely on FDIC protection or case precedents to ensure reimbursement of stolen funds, the onus is on SMEs to prevent cybercriminals from accessing their systems and stealing their banking credentials,” said Sjouwerman. “Many business owners complacently believe that their anti-virus software and IT team are sufficient protection against hackers, but the fact is that cybercriminals can bypass all of those measures by luring a single employee to click a link in a phishing email.”
Sjouwerman asserts that the best way to counter this weak link is through Internet security training. “KnowBe4 conducted a case study among several of our clients, and compared the percentage of employees who were Phish-prone™ – or susceptible to phishing attempts – both before and after implementing our Internet Security Awareness Training. We found that between 26% and 45% of employees were Phish-prone prior to training; however, the overall total was immediately reduced by 75% after the first training session. After four weeks of additional testing and retraining, the Phish-prone percentage was at or near zero in every company. When your employees know what to watch out for, they’re less likely to fall prey to phishing tactics. This can help keep cybercriminals out of your network and bank accounts, and help keep you out of court.”
KnowBe4 invites SMEs to take advantage of a free phishing security test, which will reveal how many employees are currently Phish-prone. The company also offers an array of free cybercrime education resources on its website. Those who seek additional advice on combating cyber attacks will find a wealth of information in Sjouwerman’s book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
For additional details on KnowBe4’s Internet security training services, visit http://www.knowbe4.com. For an overview of Cyberheist, or to order the paperback or e-book edition, visit http://www.cyberheist.com.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.