What looked like a run-of-the-mill error message on an online banking site turned out to be part of a scam to rob businesses of thousands of dollars. Clarke Collision Center of Hudson, Ohio, lost $200,000 from its accounts with Fifth Third Bank recently, simply by logging into its bank account online.
An employee of the collision center logged in to the shop’s online bank account, entering a username, password and a special passcode generated by the site to increase online security. However, after the information was entered, a page appeared saying the bank’s site was temporarily unavailable. When the employee called a customer service number provided on the page, she discovered it was out of service and became suspicious, according to online security blog Krebs on Security.
It turns out that malicious software, or malware, had been installed on Clarke Collision’s computer without the shop’s knowledge, enabling a hacker to access the shop’s bank account information online while displaying a phony error page on the shop’s computer. After finding the bank’s real customer service phone number, the shop employee discovered that $200,000 had been wired out of the shop’s bank accounts to accounts in the U.S. and overseas.
“She reported it to the bank at 9 a.m. that morning,” security consultant Craig Kintz, who assisted the shop with the case, told Krebs on Security. “By 11:30 a.m., the bank had frozen all of the company’s accounts, but by that time those accounts had all been emptied.”
Luckily, Fifth Third Bank was able to stop payment on many of the pending transfers and refunded the shop the rest of the stolen money. However, the bank says many other businesses were also targeted that day.
Blog author and computer security expert Brian Krebs noted in a subsequent post that small businesses take on a huge liability when banking online because banks aren’t legally obligated to reimburse funds lost to fraudulent activity.
“Businesses do not have the same protection against fraud that consumers enjoy,” Krebs wrote. “Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.”
In the third quarter of 2009 alone, more than $25 million was stolen from small to mid-sized businesses in online banking scams similar to what Clarke Collision experienced.
More information:
Krebs on Security archives on online threats to small businesses