* There has been an increase in electronic funds transfer (EFT) fraud being perpetrated on small to medium-size businesses in the past year.
* Victim entities have their bank login credentials stolen by cybercriminals, who then take remote and unauthorized control of the victim organization's computer, and proceed to transfer all available funds from accounts via wire transfers or Automated Clearing House (ACH) transactions.
* It is possible that a victim of this fraud will be unable to recover lost funds.
* There are controls to mitigate the risk associated with this fraud and the related losses, including appropriately designed policies and procedures, awareness/education, information security controls and banking procedures.
* CPAs in public accounting should be aware of this fraud so they can advise potentially affected clients.
* CPAs in business and industry have an even greater interest in understanding this fraud to mitigate potential risk for their employer.
A type of fraud has come into the public eye in the past year in which the criminal surreptitiously obtains financial banking credentials, hijacks a corporate computer, and steals money from the victim's bank accounts.
In this scenario, referred to as a fraudulent electronic funds transfer (EFT) transaction, a cybercriminal uses a software tool to gain control of the victim's computer from a remote computer. The criminal then uses an EFT to move most, if not all, of the money in the victim's bank account to one under his or her control, often costing the victim tens, if not hundreds, of thousands of dollars. The increasing scope of this fraud prompted the FDIC to issue an alert warning about it last year (available at tinyurl.com/2cz9sto).
According to the FDIC alert, both the number of frauds and the size of the resulting losses have increased as cyberthieves steal login credentials and use them to carry out unauthorized EFTs, which include Automated Clearing House (ACH) transactions and wire transfers.
Many small to medium-size businesses (SMBs) face some risk related to this fraud. The Washington Post reported a case in November 2009 in which cyberthieves tried to steal $1.3 million from a large property management firm by initiating debits against it with credentials stolen from a painting company.
What makes this type of fraud a widespread concern for CPAs is that, rather than targeting large banks, criminals are targeting businesses that may be clients of public accounting firms. Additionally, CPAs who work in business and industry are often in a key accounting position or are the finance officer, and thus are in positions of responsibility related to this type of fraud.
This article describes how these crimes are perpetrated, the associated risks and some preventive measures.
A TYPICAL SCENARIO FOR EFT FRAUD
In a legitimate setting, a bank's customer who has established the ability to conduct online EFT transactions connects to a financial institution to execute a wire transfer or ACH transaction. The expectation is that the customer's system, once authenticated by the bank, is authorized to conduct the activity. However, in the case of this particular EFT fraud, a cybercriminal compromises the originating system. There are many types of EFT fraud; this article is limited to the specific scheme described in this section, which primarily involves wire transfer fraud but also ACH transaction fraud.
Time is of the essence in discovering and responding to unauthorized EFT transactions. Unlike consumers, who enjoy strong federal protection in cases of ACH fraud, a business must notify the bank within two days of a fraudulent ACH transaction or the business may be liable for the loss. A fraudulent wire transfer, however, demands detection within hours, well under the two-day window. …