The outgoing transfer request, $760k from Duanesburg Central School District's account, looked suspicious. Officials at New York-based NBT Bank put in a call to district executives who quickly identified the transaction as rogue. Further investigation found that more than $3 million had been siphoned out of the school's account in the preceding days. The bank was able to recover $2.5 million, leaving the district on the hook for about half a million in lost funds.
The district's reaction? Call the FBI, close those accounts, restrict online access, and "request that all payments be sent and received via paper check until further notice," Superintendent Christine Crowley wrote in a letter to constituents.
Back to paper checks? That's not good. And while no lawsuit has been mentioned, it wouldn't be without precedent. Western Beaver County School District (PA) is persevering in its case against ESB Bank for $442k that couldn't be recovered after unauthorized transfers.
The FBI and bank regulators have been sounding the alarm about the vulnerability of business banking accounts to spear phishing and malware, and more than a half dozen school districts have been targeted in the last six months. The breaches may technically be the districts' fault, but it's clear that banks have to do more on the front and back end to protect these customers and the relationships.
Somerset Hills Bank of New Jersey took that step after a news article alerted the bank's chairman to the risk of Trojans, says Mark Schirm, SVP and CTO at the $300-million-asset bank. Somerset recently joined ING Direct, Royal Bank of Scotland, BBVA Compass and others in offering customers Trusteer's desktop browser security plug-in to lock down the browser. "Most of these Trojans are so sophisticated, I think smaller banks have been lucky if they haven't been targeted so far," Schirm says.
That luck may not last much longer. Trusteer says the number of attacks against U.S. banks, and the sophistication of variants, increased dramatically in late 2009. As a result, it expects to sign deals with a major online banking service provider and several large U.S. institutions soon. "In the second half of 2009 we had a lot of projects where the technology is being piloted or evaluated by some of the very big banks in the U.S.," says Mickey Boodaei, CEO of Trusteer.
And though the Trusteer plug-in promises protection against phishing and malware attacks, Somerset Bank isn't taking chances, adding RSA OTP tokens to its business-banking security mix. "We are happy we are ahead of the curve on this one," Schirm says, begging the obvious question: Where is your bank on this curve?