In the past 10 years, online banking has exploded, with millions of customers checking their balances and moving money around through Web browsers.
Such activity has created a goldmine for cybercriminals, who hack into online bank accounts and transfer large sums to accounts they control.
Under federal law, private, or "retail," customers in the United States are largely insured against such fraud. But no such protections apply to commercial clients, whose huge losses can lead to bankruptcy.
Yet many owners of small and medium-size businesses are unaware of the risks of online banking. Stories of businesses being cleaned out by cybercriminals, and then not recompensed by their banks, rarely make it beyond local newspapers.
Here's how to avoid being the next victim.
Understand the risks
Cybercriminals target small and medium-size businesses for two important reasons.
First, many business owners often have a limited understanding of Web-based threats and hence fail to implement the necessary protections.
Second, small and medium-size businesses generally have far more money in their bank accounts than consumers do.
Limited protection, combined with high account balances, makes such businesses an attractive target for cybercriminals.
Small and medium-size businesses are generally unaware of three key points regarding online banking, said George Tubin, senior security strategist for Israeli banking-security company Trusteer and former industry analyst for the banking community.
Highly sophisticated malware, often in the form of banking Trojans, is being used to compromise hundreds, if not thousands, of business bank accounts; the measures many banks have in place don't effectively protect businesses against these types of attacks; and in many cases, banks will hold business customers liable for online fraud losses.
How to guard against risks
There are several major risks for businesses that use online banking services:
— Phishing scams, particularly those related to the email account tied to the online business bank account;
— "Man-in-the-middle" attacks that can intercept, redirect or reformat communications between the customer and the bank, without either party's knowledge;
— Fraudulent or corrupted websites, which can silently infect Web browsers; and
— Public or unsecured Wi-Fi networks, which can result in banking-session hijacks.
To best protect business owners from potential online-banking dangers, Dan Ingevaldson, chief technology officer of Sunrise, Fla.-based transaction-security firm EasySolutions, provided the following tips.
Manage your risks: Small and medium-size businesses need to move beyond the mindset that they are too insignificant to be targeted by criminals.
Business accounts are perfect targets for criminals because the cash balances are higher than those of retail banking accounts.
Nearly half of small-business owners have no protocols in place for securing data, and have no one directly responsible for managing data security.
To better protect themselves against financial theft, businesses should understand how cybercriminals work, the techniques they use and the tools at their disposal.
Use a browser that's not on the hard drive: Extending fraud prevention to the computer in the form of a secure browsing platform can dramatically reduce fraud-related losses and is relatively inexpensive and easy to set up.
Such a hardened browser, typically stored on and run from a USB drive, creates a protected connection to the financial institution's website.
Since transactions can only take place via the hardened browser and a secure proxy server, any malware that exists on the user's computer is "blind" to the exchange of customer information.
Essentially, the device turns the user's computer into a dedicated machine for online banking that isolates critical data from the cybercriminal's prying electronic eyes.
Such an approach is effective, yet does not place an excessive or unrealistic compliance burden on the customer.
For serious security, boot the computer from a "live" Linux distribution burned to a CD and use the included browser to access the online account. Malware can't write to or otherwise alter a burned CD.
Choose your bank wisely: Financial institutions are among the most sophisticated organizations in the world when it comes to deploying advanced security technology, but not all are equal.
Select your bank based upon the security features it offers to commercial customers. Many banks provide additional account-security features above and beyond what is offered to retail banking users.
Keep your software updated: Many forms of malware can sneak into a computer through old or unpatched Web browsers, which present a serious risk to users.
Even when a software vendor has issued a fix for a vulnerability, the end user will often need to be reminded to install it. Take the guesswork out of the equation: Set up your PC and its applications to automatically download and install software updates.
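The tip above is easier to follow than to verify. As an added example (not part of the article, and not code from any of the firms quoted in it), the following POSIX shell script audits whether a Debian or Ubuntu PC actually has automatic updates turned on. It assumes the standard unattended-upgrades configuration keys in /etc/apt/apt.conf.d/20auto-upgrades; the two sample configuration files it builds are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): audit whether a Debian/Ubuntu PC is set
# to refresh package lists and install updates automatically.
# Assumption: the standard APT::Periodic keys used by unattended-upgrades,
# normally found in /etc/apt/apt.conf.d/20auto-upgrades.

# apt_setting FILE KEY -> prints the value ("0" or "1") of an APT::Periodic
# key, or "missing" when the file or the key is absent
apt_setting() {
    file="$1"; key="$2"
    [ -r "$file" ] || { echo missing; return; }
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*\"\([0-9]*\)\";.*/\1/p" "$file" | tail -n 1)
    [ -n "$val" ] && echo "$val" || echo missing
}

# auto_updates_status FILE -> "enabled" only when both the package-list refresh
# and the unattended upgrade are switched on; anything else is "disabled"
auto_updates_status() {
    file="$1"
    lists=$(apt_setting "$file" "APT::Periodic::Update-Package-Lists")
    upgr=$(apt_setting "$file" "APT::Periodic::Unattended-Upgrade")
    if [ "$lists" = "1" ] && [ "$upgr" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample configurations (not real system files) for an offline run.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$bad" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

echo "sample good config: $(auto_updates_status "$good")"
echo "sample bad config:  $(auto_updates_status "$bad")"
echo "this machine:       $(auto_updates_status /etc/apt/apt.conf.d/20auto-upgrades)"
```

Run it on the banking PC; a "disabled" verdict for "this machine" means the Take-the-guesswork-out advice has not actually been applied, even if someone believes it has. On other distributions the file and keys differ, so the same two-question check (are lists refreshed, are upgrades installed) must be pointed at that platform's equivalent setting.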
Dedicate a computer to online banking: To prevent online fraud, the FBI and the American Bankers Association recommend designating a single computer that handles only online banking activities.
Because emailing and Web surfing account for nearly all infections, those activities should not be allowed on that machine.
A dedicated PC is not a practical recommendation for retail banking, but in the commercial sector, it's a powerful technique used to prevent or mitigate the risks associated with online banking.
If your business can't spare the space or the hardware, consider booting a PC from a live CD, using a USB-based browser or setting aside a seldom-used browser, such as Opera or Maxthon, to be used only to access online bank accounts.
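Telling staff that the dedicated machine is for banking only is a policy; making the machine unable to do anything else is a control. As an added example that goes beyond the article's wording (it is not code from the FBI, the ABA or the firms quoted), the POSIX shell script below turns an allowlist of the bank's address ranges into an nftables ruleset that drops every other outbound connection, so e-mail and general Web surfing cannot happen on that PC even by accident. The addresses used are documentation placeholders, not any bank's real ranges; the real ranges would have to be obtained from the bank.

```shell
#!/bin/sh
# Added example (not from the article): generate an nftables egress allowlist
# for a dedicated online-banking machine. Assumptions: a Linux host with
# nftables; the bank's IPv4 ranges are known and are placeholders here
# (192.0.2.0/24 and 198.51.100.7 are documentation addresses, not a real bank).

# valid_cidr ENTRY -> exit status 0 when ENTRY is an IPv4 address or IPv4 CIDR
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_ruleset ALLOWLIST_FILE -> prints an nft ruleset on stdout. Blank lines
# and comments are ignored; any other line that is not an address/CIDR makes
# the function fail (status 1) instead of silently producing a weaker policy.
build_ruleset() {
    file="$1"
    elems=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_cidr "$line" || { echo "bad entry: $line" >&2; return 1; }
        elems="${elems:+$elems, }$line"
    done < "$file"
    [ -n "$elems" ] || { echo "empty allowlist" >&2; return 1; }
    cat <<EOF
table inet banking {
    set bank_hosts { type ipv4_addr; flags interval; elements = { $elems } }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        udp dport 53 accept
        tcp dport 53 accept
        ip daddr @bank_hosts tcp dport 443 accept
        counter
    }
}
EOF
}

# Constructed allowlist (placeholder ranges) so the script runs stand-alone.
allow=$(mktemp)
cat > "$allow" <<'EOF'
# constructed placeholder ranges for the bank (documentation addresses)
192.0.2.0/24
198.51.100.7
EOF
build_ruleset "$allow"
```

Apply the output with `nft -f` once the placeholders are replaced with the ranges the bank publishes, and keep the allowlist file under change control so a new range is a reviewed edit rather than a quiet loosening. The ruleset still allows DNS to any resolver so that the bank's hostname resolves; in a real deployment the two port-53 lines should be narrowed to the resolver the machine is configured to use.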