Javascript is currently disabled. This site requires Javascript to function correctly. Please enable Javascript in your browser!


Cyber Crime | Business Identity Theft

Cyber Crime & Bank Fraud

Businesses have little protection against cybercrime and business bank account fraud


Business%20bank%20accounts%20are%20targets%20for%20cyber%20crime%20and%20victimized%20businesses%20suffer%20huge%20losses. Bookmark and Share


Beware - Your business has increased risks and liability for bank fraud losses

Cyber crime

While consumer banking accounts are covered under Federal Reserve Regulation E (12 C.F.R. Part 205), which requires banks to provide reimbursement for certain fraud losses, Regulation E does not apply to business accounts. Instead, business and commercial bank accounts are covered by the Uniform Commercial Code (UCC).

Under the UCC, business account holders have shorter reporting timelines, less protections, and significantly higher liability for fraud than consumer banking customers. Additionally, individual banks can elect to shorten the fraud reporting timelines even further, or even disclaim certain obligations altogether, through amendments to their commercial banking agreements.1

In short, this means much of the responsibility for protection of your business bank account from cyber crime and other fraud rests squarely on you and your business. This responsibility, and liability, particularly extends to safeguarding against ACH and wire transfer fraud, check fraud, account takeover, and protecting your business' banking credentials. Also see Prevention and Victim Assistance for additional information.

Doesn't my bank protect my business bank account?

Not necessarily.  While many banks offer "zero-fraud liability" protection to their consumer banking customers (in addition to the protections under Regulation E), businesses do not commonly enjoy this same benefit. Also, unlike major credit card companies, many banks do not have sophisticated fraud detection systems that can detect and alert business owners to suspicious or unusual activity in their business bank accounts. For example:

“If you go two states over and use your credit card to buy gas, the credit card company calls you to say it’s out of the norm, but most banks have no idea,” said Mark Patterson, whose construction company, Patco, in Sanford, Maine, was robbed of $588,000 in 2009 by ZeuS Trojan, a form of malware. “Our bank had no alarms to say, hey, over five consecutive nights, Patco’s wiring money all over the country — to California, Florida, places we don’t normally send money, and definitely not from an I.P. address outside the U.S.”2

Businesses are frequent victims of bank fraud and cyber crime. In its "2012 Business Banking Trust Study", the Ponemon Institute surveyed business owners and executives of 998 small and medium sized businesses nationwide regarding such commercial banking fraud losses. The results were revealing:

  • 74% of the respondents stated their business had experienced online banking fraud.
  • 52% reported their business bank accounts had been targets of both successful and unsuccessful fraud incidents in the preceding 12 months.

According to the study, of those businesses that experienced fraud:

  • 85% suffered credit or debit card fraud
  • 85% suffered unauthorized account access
  • 19% suffered unauthorized wire transfers
  • 36% also reported that information stolen from their online banking account was used to commit check fraud

When the study specifically addressed the issue of fraud losses and reimbursement, of those who reported suffering fraud incidents, only 16% of the businesses reported that their banks detected and completely stopped the fraud before money was stolen.

Of those cases in which money was stolen:

  • 12% reported that their banks were able to recover all of the stolen money
  • 20% of the businesses reported that their bank provided full reimbursement of unrecovered funds
  • 21% of the businesses reported that their bank provided "some" reimbursement of unrecovered funds
  • 59% of the defrauded businesses suffered losses without reimbursement

Cyber thieves can strike fast and hard

In just 20 separate cyber crime incidents reviewed by the FBI, the actual losses to victimized companies totaled $11 million. 3

Some examples:

  • The Western Beaver public school district in Pennsylvania filed a lawsuit against its bank after cyber-thieves used malicious software to siphon more than $700,000 from the school's account at ESB. According to the lawsuit, the funds were transferred in 74 separate transactions over a two-day period.

  • Cyber-crooks stole $1.2 million from Unique Industrial Product Co., a Sugar Land, Texas-based plumbing equipment supply company. The company's operations manager said a forensic analysis showed the attackers used malware planted on its computers to initiate 43 transfers out of the company's account within 30 minutes.

  • Fraudsters struck JM Test Systems, an electronics calibration company in Baton Rouge. According to the company's controller, an unauthorized wire transfer of $45,640 was sent from JM's account to a bank in Russia. The company's bank subsequently provided the company with new credentials. But less than a week later, another $51,550 of JM Test's money was transferred to five money mules across the country. The company was able to recover only $7,200 of the stolen money, which was returned only because one mule who was to receive that transfer apparently closed their account before the transfer could be completed. 4

In his September 2011 Congressional testimony before the House Financial Services subcommittee, Assistant Director Gordon M. Snow of the FBI's Cyber Security Division stated: "The FBI is currently investigating over 400 reported cases of corporate account takeovers in which cyber criminals have initiated unauthorized ACH and wire transfers from the bank accounts of U.S. businesses. These cases involve the attempted theft of over $255 million and have resulted in the actual loss of approximately $85 million."

"The potential economic consequences are severe. The sting of a cyber crime is not felt equally across the board. A small company may not be able to survive even one significant cyber attack. On the other hand, companies may not even realize that they have been victimized by cyber criminals until weeks, maybe even months later. Victim companies range in size and industry. Often, businesses are unable to recoup their losses, and it may be impossible to estimate their damage. Many companies prefer not to disclose that their systems have been compromised, so they absorb the loss, making it impossible to accurately calculate damages."

   Business Warning:

Heartbleed bug ravages Internet security worldwide, affecting millions
of websites, networks, and devices.

Learn about the Heartbleed Bug


Popular in Business ID Theft Schemes:
Other Popular Content:


Business Owner RisksPersonal Risks for Business Owners
Business identity theft poses increased personal risks that can turn your business dream into a nightmare.


Stolen business EIN used for tax fraudStolen Business EINs used for Tax Fraud
How criminals can use your business EIN in tax fraud and tax identity theft schemes.


Personal credit protectionPersonal Credit Protection
7 essential tools to protect your personal credit


Business Identity Theft PreventionBusiness Identity Theft Prevention Guide
What you need to do to protect your business and yourself from identity thieves


News and AlertsNews and Alerts
The latest business identity theft articles, recent news, and alerts

Victim Checklist Business ID Theft Victim Checklist
Know what to do if you are a victim


State Resources
State Business Identity Theft Resources Find business ID theft resources, victim assistance information, and instructions for your state or U.S. territory


Federal Resources
Federal government resources U.S. Federal Government agencies and resources for identity theft and business identity theft victims


Forms and GuidesForms and Reports
Find forms, guides, videos, and other helpful resources


Professional Resources
Professional ResourcesFind professional assistance, employee training, personal and business services, and other solutions

N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss

A New York marketing firm that was preparing to be acquired is facing bankruptcy after a computer infection by the Zeus Trojan cost the company more than $164,000. When the company discovered that the firm’s business bank account had been emptied the previous Friday, the owner immediately called her bank and learned that between Feb. 10 and Feb. 12, unknown thieves had made 5 wire transfers out of the account to 2 individuals and 2 companies with whom the firm had never conducted business.

"We don’t see the error on our side”

“They [the bank] feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance,” McCarthy said. “I had a company that was interested in purchasing us, but they’re not going to do that now. I’m basically looking at bankruptcy, because I have very little money to operate on now.”

Source: Krebs, Brian. "N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss," Krebs on Security, February 24, 2010.

Training new money mules

Cyber-fraud is serious business. How serious? The training video below was professionally created by cyber-criminals to train and prepare new money mules and "re-shippers". Click the video to watch it.


"Almost 40 percent of the over 1 billion cyberattacks Symantec prevented in the first three months of 2012 targeted companies with less than 500 employees. And for the small, poorly protected companies that suffer an attack, it's often fatal to their business."

Brian Burch
Vice President of Americas Marketing for SMB

Inside a cyber-theft ring

The following graphics, produced by the FBI, provide insight into the hierarchy and operations of common cyber-theft rings.

Click the graphics below to enlarge.

Account takeover through phishing and pharming


Phishing is the common name given to a prolific scam wherein a fraudster or scam artist sends an e-mail purporting to be from a financial institution or other organization. The message includes a claim that due to “security concerns”, “too many attempted log-ins”, an urgent need to “comply with anti-terrorist financing provisions under the USA Patriot Act”, or other such reasons, the recipient must confirm their personal and account information immediately to avoid some negative consequence - such as imminent account closure. The e-mails look and sound official, and often contain graphics stolen from the company or organization from which the message claims to originate.

Cyber criminals typically send out thousands of these phishing emails at once, hoping that some percentage of unsuspecting recipients will “take the bait”.

The e-mail generally contains a link to a spoofed website that contains stolen graphics, logos, and information taken from the legitimate organization’s website in order to give the appearance of being the actual site. If you attempt to log in, you have just provided the criminals your log-in credentials to the real website. A variation of this tactic takes the user to a page that, in addition to log-in credentials, also requests a significant amount of detailed personal and financial information.

The website addresses used in these scams are frequently very close to the real organization’s website address, though they often contain an additional series of letters or numbers such as or

In other cases, it may be deceptively established as a sub-domain of another website address, such as In this example, “vwxyz” is the actual domain, and “yourbankname” is a subdomain that may either be the specific portion of the website with the bogus web pages used to perpetrate the scam, or the machine name of a special server that was set up to host the bogus pages. By utilizing sub-domains in this manner, thieves take advantage of the fact that many unsuspecting victims merely glance at the address bar, see their financial institution’s name first, and simply assume they are visiting the correct website.

Think before you click. Web addresses and links can also be easily masked in phishing emails, wherein the address link that is visibly displayed to the reader appears to be legitimate, but in actuality, it is merely hiding or masking the real link to the bogus site. This is one reason why you should not blindly click on links in emails sent to you by unknown persons. Drive-by downloads are another.

Identity thief phishing

That's a lot of phish

The Anti-Phishing Workgroup's "APWG Phishing Activity Trends Report" reported that in the 4th Quarter of 2012, it received 76,123 reports of new and unique phishing scams - an average of 25,374 new phishing scams per month. The group also detected 142,862 new and unique phishing websites during the same three month period.

Employee Information Security Training Made Easy
Employee online training 

Learn about employee training

Online employee information security, privacy, & compliance training that's easy and affordable for every organization




(Also Domain Spoofing and DNS Poisoning)

Pharming, a term derived from “phishing”, is the common name given to a scam wherein a cyber criminal exploits a vulnerability in a user’s computer HOSTS file or “poisons” an Internet Service Provider’s Domain Name Server (DNS) software to trick a user’s computer into visiting a seemingly legitimate, yet entirely bogus website. The intent is to cause the user to believe that he or she is visiting the legitimate web site and then attempt to log in or unknowingly provide personal and confidential information that can then be used by the criminal to commit fraud or identity theft.

The term “pharming” is occasionally also used to refer to the actual spoofed website (i.e. a “pharming site” ) that is ultimately used to capture personal and account information from those mis-directed there by a HOST or DNS exploit. The spoofed website typically contains stolen graphics, logos, and information taken from the legitimate organization’s website in order to give the appearance, at least on the surface, of being the actual site. Pharming sites are usually not very deep, often consisting only of two to three pages. If visitors attempt to navigate through the site they will find numerous broken links, site errors, and many non-existent pages. The site only needs to appear legitimate just long enough to convince the visitor to attempt to log in or provide information.

Those who perpetrate these scams can be difficult to catch because the average length of time that a given phishing / pharming site is live is often no more than 1 to 2 days, after which the site is taken down and moved to a new domain.


FBI Warning:
Nov 2011 - DNSChanger malware has infected millions of computers

Learn more and how to find out if your computers are infected

Learn more

Learn how to protect your business from business identity theft

Need help? Find resources and assistance

1 Uniform Commercial Code Article 3 (Negotiable Instruments) , Article 4 (Bank Deposit), and Article 4A (Funds Transfer)
2 Ryckman, Pamela. "Owners May Not Be Covered When Hackers Wipe Out A Business Bank Account," The New York Times, June 13, 2012.
3 FBI Fraud Alert. "Fraud Alert Involving Unauthorized Wire Transfers to China," April 26, 2011.
4 Krebs, Brian. "European Cyber-Gangs Target Small U.S. Firms, Group Says," Washington Post, August 25, 2009.
Hierarchy of a cyber-theft ring
How cyber-fraud works
Drive-By Downloads
Drive-By Downloads

Drive-By Downloads

Some web pages and pop-up ads exploit weak computer security to automatically download an unwanted or malicious program without the user’s permission or knowledge. Drive-by downloads, as they are called, can download and install themselves simply by virtue of your having visited a website, clicking a link, or attempting to close an annoying pop-up window.

"Scareware" is a recent trend and a perfect example of this tactic. While you are surfing the Internet, you may receive a pop-up that says your computer has been infected with spyware. The pop-up is coming from the website, but appears to be system-generated, and prompts you to click to remove the program that was "detected". Any user action is an affirmative response and will initiate an attempt to install a malicious program on your computer, whether you actually click the removal link or merely attempt to close the pop-up. (If you encounter this, do not click on the pop-up. Instead, close down your Internet browser program entirely. On Windows-based computers, use Ctrl + Alt + Del to launch Windows Task Manager and end the Internet browser process. When restarting the browser program, be certain to not "restore" the previous browser session if you are prompted to do so. )

Gaming, music, gambling, and pornographic sites frequently contain spyware and adware that is installed as a drive-by download. Similarly, files obtained through public file-sharing and peer-to-peer network programs may also include additional unwanted or malicious programs. If you allow your employees to surf the Internet or use your business computers for non-business Internet activities, there is a significant risk that your computers may become infected.

HOST Files and DNS
HOST Files and DNS

HOST Files and Domain Name System / Server (DNS)

Perhaps you have never wondered how your computer finds an Internet address and connects to another computer or website, but you should know that the manner in which it does is a far more important computer security risk than many computer users realize.

Similar to telephone networks, computers connected to a network or to the Internet are assigned a unique identifying number, or Internet Protocol (IP) address, that uniquely identifies that computer or website from all other computers. This identifier is written as four numbers, separated by dots, with each number consisting of a value between zero and 255. For example, an IP address might appear as: Obviously, this is not easy for someone to remember, so common names are associated with the numeric address.

In the simplest of terms, when you manually type a website name into your Internet browser, such as “”, your computer must first find the numeric IP address assigned to that website from among the millions of other computers on the Internet, similar to using a phone book to find someone’s telephone number. If you have visited the website before, the address is already saved in your computer’s HOSTS file. Your computer finds the record, obtains the address, and connects you to the site. If not, your computer must then call on your Internet Service Provider’s Domain Name Server (DNS) server to find the website’s numeric address, similar to calling directory assistance when you are attempting to find a telephone number. All of this happens behind the scenes, usually within micro-seconds, without you realizing it.

Cyber criminals can create malicious programs that, once installed, will add or modify entries to a computer’s HOSTS file in order to misdirect the user to spoofed websites, redirect them to other sites or DNS servers under their control, or prevent access to certain designated websites.

Other attackers will hack directly into an Internet service provider's DNS server to enter false address information, known as DNS poisoning. If an address is changed, victims' computers do not know the difference because they simply rely on the information received from the DNS server. The result is that, no matter how many times you may type the address into your browser's address bar, you will always be taken to the wrong website if the DNS record has been changed.

Because IP addresses, HOSTS files, and DNS servers are the backbone of Internet navigation, this type of attack is particularly dangerous. If your computer HOSTS file or your ISP’s DNS server has been exploited, you may be unknowingly connected to a fraudulent website even after manually entering the correct website address.

Asset 1