Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/4/2011
02:23 PM

75% Of SMB Banking Fraud Occurs Online

Most scams involved online account takeover or theft, according to a study commissioned by security vendor Guardian Analytics and conducted by Ponemon Institute.

Three out of four small and midsize businesses that encountered banking fraud during the past year were victimized online, according to a new study.

Well over half -- 56% -- of those companies experienced some form of banking-related scam during the previous 12 months, according to the report. About 75% of those cases involved online account takeover or other Web-based fraud. Some 61% of SMBs that fell prey to bank fraud were victimized more than once.

The 2011 Business Banking Trust Study, commissioned by security vendor Guardian Analytics and conducted by Ponemon Institute, included 533 businesses with fewer than 200 employees and average annual revenue of $21.6 million. All respondents were owners or senior executives with access to their company's corporate bank accounts. Guardian Analytics CEO Terry Austin noted that the current fraud numbers -- particularly in the online security arena -- showed remarkably little change from the 2010 version, the first year that Guardian sponsored the study. Last year's study found the same rate of Web-based fraud -- 75% of all cases occurred online.

"What we highlighted in 2010 was that the fraud problem was bigger than we expected and having a pretty substantial impact on businesses and the banks that serve them, and it hasn't gotten any better," Austin said. "In some cases it has gotten worse, but it certainly hasn't improved over the [last] 12 months."

Small and midsize businesses that manage their money with smaller banks aren't any more likely to run into fraud -- it occurred just as often at midsize or large financial institutions. The study also found that 78% of bank scams involving SMB accounts weren't discovered until after funds were transferred outside of the institution.

"The banks have not stepped up and adopted the techniques and the technology that is available to them in a broad enough fashion to make any material difference," Austin said. He added that some banks are doing a better job combating online crime than others, but the segment overall is losing the fight with fraudsters. "As an industry, the needle hasn't really moved."

Some 31% of the victimized SMBs included in the study said their bank didn't compensate them for fraud-related losses, while another 29% were only partially paid back. Just 8% of those surveyed said their bank fully covered their fraud-related losses.

Austin said the real onus in online banking security lies with the institutions rather than businesses that may not have the resources or expertise to contend with fallout from the Zeus botnet and other threats. While Austin's company recommends SMBs take certain steps to protect their company accounts online, he acknowledges that some of the practices -- such as designating a dedicated PC to be used only for banking -- may not be realistic for the smallest of businesses. He also notes that the technique most commonly used by SMBs in the study -- 78% perform monthly account reconciliations to check for fraud -- correlates closely with the finding that banks are only uncovering scams after the money is stolen.

"Businesses expect their banks to take responsibility for this," Austin said, adding that the banks themselves usually have deeper resources and better technology access than their small business customers. "Expecting [SMBs] to become security experts and adopt a wide array of techniques is pretty unrealistic."

Adding another potential wrinkle in online banking security for SMBs: More than one-third (38%) of respondents said they access their company's accounts on a tablet or smartphone, up from 23% in the 2010 version of the study.

"[Mobile] is a new and pronounced vulnerability, primarily because it's more frequent access and more variability in the endpoint device being used to access the system," Austin said. Mobile adoption further fuels Austin's view that banks need to focus on account protection from a server and back-end perspective, rather than worrying about every potential endpoint. "They need to be examining all of the information about the individual user as they access online banking -- that is the best and most effective way of protecting against fraudulent activity."
