FRAMINGHAM, MA, USA, JUNE 6, 2011—One day this past January, Joy Graham happened to check her company's bank accounts in the afternoon, instead of during her normal morning routine. The delay was serendipitous for Graham, managing director with LG Martin, a consultancy that develops community initiatives for businesses, individuals and nonprofits. Several purchasing-card charges raised her suspicions -- including orders for home electronics, and tickets to a Boston Celtics basketball game. LG Martin has offices in Atlanta, Houston and New York.
Graham immediately called her bank, the retailer through which the orders had been placed -- and the police. The payoff for her quick work: Almost all the charges could be voided before the transactions were completed. (The thieves were able to keep the game tickets.)
But the problem wasn't solved. A few months later the company's accounts were found to have been compromised again -- this time when the bank noticed several transactions originating from outside the U.S. Again, most of those charges were rescinded because they were caught early. At the recommendation of her bank, Graham changed the company's bank accounts, and re-set all computers. That meant re-installing the software and requiring employees to change their passwords, according to Graham. "You have to remain diligent," she says.
Unfortunately, Graham's experience isn't unusual. And, in fact, since in most such cases there isn't such early detection, the impact usually is more severe. More than half --- 56% --- of small- to medium-sized businesses experienced fraud in the last year, according to the Business Banking Trust Study conducted by Guardian Analytics Inc., a Los Altos, Calif.-based provider of online banking security products, and Traverse City, Mich.-based Ponemon Institute LLC, a firm that conducts research on data protection, among other services. More than 60% were victimized more than once. These figures are nearly unchanged from the 2010 Study.
What's more, in late April the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center issued a fraud alert. "Between March 2010 and April 2011, the FBI identified 20 incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies," the alert read. As of April, victim losses totaled $11 million.
Several factors contribute to the stubbornly high occurrence of fraud involving small business bank accounts. For starters, many small business executives, including those heading finance, juggle multiple roles, with the result that no one person is dedicated to watching for fraudulent activities, says Larry Ponemon, chair and founder of the Ponemon Institute. In addition, "smaller businesses often lack the resources to implement higher level security," such as fraud filters, Ponemon says.
Software to the Rescue
At the same time, the banks don't always do their part, says Terry Austin, CEO of Guardian Analytics. To be sure, most large banks have implemented tools that can thwart would-be fraudsters. However, small businesses often can't get the attention they need from the mega-banks, and prefer working with community banks, whose budgets are more modest, as well. "The small institutions haven't had the ability until recently to get sophisticated technology in place to stop the problem," says Austin.
That's slowly changing, as more fraud-fighting applications now are available as SaaS, or software-as-a-service, which tends to lower the initial investment. Austin provides an example: software that monitors the behavior of people using online banking applications, looking for actions that fall outside the norm. (In the interests of disclosure, Austin's firm provides such applications.)
Even as more banks implement tools to hamper criminals' efforts to compromise others' accounts, CFOs can take a few steps on their own to protect their funds:
* Ask your bank what fraud-fighting tools it has implemented. "Does the bank have procedures in place that under reasonable conditions would alert the company to fraud?" is a good question to keep in mind, sayd Ponemon. The priority placed on security, he adds, can vary dramatically from one bank to another.
Sign up for MIS Asia eNewsletters.