The FBI’s IC3 issued a warning this week about ACH fraud targeting businesses across the US. The targets of these attacks are companies that have recently posted on job search sites. So what’s the connection? If you’ve posted a job opening, then it’s only logical that someone at the targeted business is expecting a resume or curriculum vitae (CV). They are, after all, trying to fill a vacant position. This means an email with an attached resume isn’t really “unsolicited email”, making it more likely to be opened by the recipient.
At the core of this “resume” attack is the Zeus aka “Zbot”… a data-theft Trojan that’s responsible for stealing large sums of money from companies across the nation. The IC3 warning highlights one recent case: a US business lost $150,000 when cyber criminals were able to nab the online banking credentials from the person that handles financial transactions. Money was fraudulently sent in three transactions to accounts in the Ukraine and the US. The FBI advises clients to ensure all email is scanned by an anti-virus solution. This is certainly a good start, but technology alone won’t protect your personal or business bank account.
- Anticipate unauthorized access. Just assume your system(s) or PC will be broken-in to. When this happens your financial and personal data will be targeted, so make it harder for data thieves to take it. Based on my experience as an ethical penetration tester, I know it’s all too easy for a hacker to “leapfrog” from one system to another once they’re on the network. This is especially true if PCs are un-patched, easily guessed or blank passwords are used, and sensitive data like bank account numbers and passwords, etc., are saved to the “desktop” (or elsewhere) without encryption. Take inventory of what sensitive information you’ve saved and whether you really need it. If you do, store it on a secure/encrypted thumb drive.
- Buy USB thumb-drive that supports encryption. I personally use a 2GB S200 from IronKey. My IronKey securely stores my credentials (login & password) for every important website I use. I do not keep login names, accounts, and password on my laptop in clear text. When I need to login to these sites, I plug-in my IronKey and use the “secure” Firefox version that comes with it. This adds an additional layer of web browser security. IronKey makes both a personal and enterprise version, so this is a solution that works well for consumers and businesses alike.
- Use a separate system for banking and only for banking. Even with encryption, a patched OS, anti-virus, firewalls, and a secure browser, I still believe that using the same PC to surf the web and manage your money is dangerous. So buy a netbook – it’ll cost you less than $300. Only turn it on when you have bills to pay, money to transfer, etc. Turn it off when you’re done. Keep it in a safe place, away from your spouse, kids, roommate, or whoever might take it for a spin on the information superhighway. Don’t check your email, Facebook page, eBay account, do Internet research, or IM your friends from this system. Have I made this clear? This is no ordinary, casual, web-surfing laptop — this is your banking system — your “banktop” — keep it safe. Use it for banking only.
- Enable alerts on key banking activities. And finally, it wouldn’t hurt to know when an unexpected banking transaction happens. My business bank lets me enable about 16 different alerts that can be sent over SMS or email. I receive an alert for every successful or failed login, deposits, and transactions over a certain dollar amount. I know within seconds if something has happened. So far, so good.
All this protect your hard-earned cash? You bet. Your other choice is to use the drive-up teller or in-person banking. There’s certainly nothing wrong with that. But if you’re going to use Internet banking, please take it seriously — mighty Zeus is only a few clicks away.