Financially minded cyber criminals are attempting to hijack corporate bank accounts at increasing rates, but they are having less luck actually getting money out of them, according to a Financial Services Information Sharing and Analysis Center (FS-ISAC) study released Thursday.
The study, conducted by the American Bankers Association (ABA), surveyed 100 financial services firms and covered 2009, 2010 and the first half of 2011. It found that while attempted account takeovers rose from 87 in 2009 to 239 in 2010 to an annualized estimate of 314 in 2011, banks and customers are feeling less financial pain.
That decline is especially apparent when comparing 2010, which saw actual dollar losses facing the respondents reach nearly $3.2 million, to 2011, when the number plummeted to just over $777,000. Customer losses also fell to around $490,000 in 2011, from a high of $1.1 million in 2010.
Hackers are finding it more difficult to get the money out. According to the survey, the percentage of unauthorized transfer attempts that went through dropped to 32 percent in 2011, down from 70 percent in 2009.
While the study didn't differentiate between bank accounts belonging to home users and those operated by organizations, the business world, especially small and midsize players, has seen a tidal wave of account hacking attempts in recent years, costing it hundreds of millions of dollars and prompting numerous FBI investigations. Oftentimes, the corporate customers -- and not the banks -- are on the hook for the losses because federal law does not cover fraud losses for businesses as it does for consumers.
Hackers typically gain control of the accounts by tricking an employee responsible for online banking into installing a data-stealing trojan, such as Zeus. This allows the swindlers to steal credentials used to access the accounts and initiate transfers to other accounts set up by "money mules."
But, judging from the numbers -- and fresh FFIEC guidance -- it's clear that both customers and financial institutions are waking up to the threat.
A second survey conducted by the ABA asked respondents to identify the solutions that have been most effective in reducing account takeover. Customer education, multifactor authentication, and monitoring and reacting to suspicious account activity topped the list.