Small businesses, like boat dealerships, have become prime targets for cyber criminals who are now successfully ripping off commercial bank accounts to the tune of more than $1 billion a year. And, if you think your bank will cover any such losses, think again. Banks are under no obligation to reimburse commercial accounts raided by cyber crooks, and most don’t.
Today, Bonnie and Clyde don’t have to keep the getaway car running! They can just sit at the nearby hotel pool with their laptop. Well, while it’s not quite that simple, the fact is that the losses of $43 million annually from good old-fashioned “bank stick ‘em ups” look like petty theft next to today’s cyber heists, according to FBI reports.
Why have small business accounts in the U.S. become prime targets of overseas cyber robbers? Simple: commercial accounts at small community and regional banks are usually protected only by rudimentary security measures, claims Dell SecureWorks. Moreover, unlike individual accounts that are covered by banking Regulation E, commercial accounts are not covered by fraud insurance, thus leaving small businesses stuck with the losses.
Cyber crooks have used software like ZeuS, a Trojan horse, to steal a firm’s online banking passwords. They can then initiate funds transfers to money mules, who will launder the funds to Eastern Europe, for example.
Wouldn’t it, then, be a good move by banks to extend protection from cyberfraud to their commercial clients? Apparently not, as Bloomberg News reporters Greg Farrell and Michael Riley found out when they put that question to the American Bankers Association. The response was that businesses might get lax about security if they knew fraud losses would be covered. According to Doug Johnson, senior policy analyst for ABA: “The goal is to . . . have a partnership between a business and a bank and recognize that every one of those partners has a responsibility to secure the environment. If you put in a provision that takes away any responsibility, it gives the commercial customer no motivation to be active partners with the bank.”
Not surprisingly, not everyone agrees. Among the examples Farrell and Riley uncovered: Sen. Chuck Schumer, D-N.Y., introduced a bill last year to make banks extend cyberfraud protection to small business clients (the bill went nowhere). James R. Woodhill, co-founder of cybersecurity firm Authentify, while having a pecuniary interest, wants Congress to require banks to warn commercial clients explicitly of the dangers of cyberfraud. And Karen McCarthy, whose small business account was hacked for $70,000 last February, says the bank stopped returning her calls once it became clear the funds were stolen. So much for those partnerships.
Lots of lawsuits have come up, with banks suing their clients and clients countersuing, or vice versa, but there are few decisions, to date, that address what responsibility a bank has to protect its customers. In one recent case, the court ruled the bank was at fault; in another, the client.
So what can be done? Short of Congressional or regulatory action, or some great awakening in the banks, all dealers need to clearly understand their accounts could be vulnerable and will likely have to eat any loss if their accounts are hacked. But it’s also reasonable and responsible to ask your banker to provide information about the extent of the protections being employed by the bank, about any prior incidents of hacking and, if any, how they were resolved. Moreover, ask your banker for specific protections the bank recommends you, as a small business customer, should undertake at your dealership.