The FBI released a warning for local governments and small businesses to be on the lookout for ACH fraud.
The FBI issued a press release concerning a significant increase over the last few months in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts. The scam is a type of phishing attack, whereby the unsuspecting finance person is lured into installing malicious software. The malicious software hides itself and records everything the person does on their computer. It records the user names and passwords used for everything, including online banking and ACH. The software then forwards the user names and passwords to the bad guys, who promptly use the information to transfer funds out of the organization’s bank account.
What is new is the increase in incidents, not the method of attack. In April of 2007, the City of Carson, California was a victim of the same type of attack. The hackers were able to transfer $498,000 before the bank froze the account.
Local municipalities and small businesses are easy targets for hackers. Hackers know local municipalities and small businesses have little or no IT security budgets or staff with the necessary skills.
How do you protect your organization?
The Federal Government has recommended that state, local and tribal governments adopt National Institute of Standards and Technology (NIST) security guidelines. Recently NIST added guidance for small businesses as well, including video tutorials.
Following these guidelines and standards will not make an organization 100% secure. However, they go a long way in preventing these types of attacks. In fact, an organization that followed these NIST guidelines would most likely not fall victim to these attacks.
For more information:
FBI Press Release
Small Business IT Security Guide
NIST Special Publications
Donald E. Hester
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.