When cyber crooks stole nearly $35,000 this year from Brookeland Fresh Water Supply District in East Texas, the theft nearly drained the utility’s financial reserves. Fortunately for the 1,300 homes and businesses it serves, Brookeland had purchased cyber security insurance, and now appears on track to recoup all of the unrecovered funds in exchange for a $500 deductible.
As this attack and a related case study I wrote about last month show, cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.
The attack on Brookeland’s Internet banking account began on Friday, April 9, about the time that General Manager Trey Daywood had authorized the utility’s payroll transfer — just a half hour before the 2 p.m. the bank’s cutoff time. A few minutes later, unidentified hackers went in and deleted Daywood’s payroll batch and set up their own payroll, sending sub-$10,000 payments to seven individuals across the United States who were recruited to help launder the money through work-at-home job scams.
Daywood soon heard from his financial institution, Texas based First National Bank, which thought the $34,038 amount was quite a bit higher than the organization’s regular payroll total. But the bank only called after it had finished processing the fraudulent transfers, and most of the unauthorized payments still were sent out the following Monday.
“It was only after I signed affidavits of forgery and had them notarized that our financial institution began the process of trying to retrieve the money,” Daywood said. “It was very clear from the beginning that their attitude was, ‘Hey, it’s not our problem.’ Which was professionally disappointing to me.”
I contacted First National multiple times for a comment on this story, but have yet to hear back from them. I will update this story if that changes.
Financial institutions are required to use “commercially reasonable” security measures to deter fraudulent attacks, but experts say just how far banks need to go for their security to be considered reasonable is a standard that is ill-defined, and is likely to be decided by several ongoing lawsuits filed in state courts. Banking regulators also encourage institutions to use so-called “multi-factor authentication,” or a user name and password in addition to some other type of authentication mechanism. However, according to Daywood, First National Bank allowed commercial customers to access their accounts online with nothing more than a user name and password.
When consumers lose money due to cyber fraud, retail banks are required by law to refund the money — provided the victim doesn’t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible.
According to Brookeland, First National Bank managed to reverse a little less than half of the bogus transfers — $15,338 to be precise.
Daywood said the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction. Prior to the attack, another Brookeland employee was responsible for initiating payments — including payroll batches — but that employee had no authority to approve the transactions.
“They went in and changed the authority of that employee to make it possible for her to create and initiate the fraudulent batch under her login name,” Daywood said. “It’s a mystery as to how they could do that, because I am supposed to be the only one who has authority to do that through my admin account.”
Daywood said he expects Brookeland will recover the remaining lost funds through its insurance program. But he said the incident has consumed most of his time for the past several months.
“I’ve lived, breathed, ate and slept this since it happened,” Daywood said. “You’re looking at hundreds of hours of research, on and on.”
Further reading:
The Case for Cybersecurity Insurance, Part I
Avoid Windows Malware: Bank on a Live CD
E-banking on a Locked Down (non-Microsoft) PC
Target: Small Businesses