Small Business Cyber Attacks that Stole Thousands

A cyber attack at a small business rarely makes headlines. This can lull your clients into a false sense of security. They might think only big firms are targeted.

The truth is that small business cyber attacks are a major problem. Why? Because small businesses have two things:

  1. Bank accounts with thousands of dollars
  2. A false sense of security

Even if your clients realize a data breach is possible, they might not realize that their bank will not reimburse them for stolen funds (more about that below).

3 small business cyber attacks

Three small business data breaches were described in a recent article by John Ydstie at NPR. In each case, the small company lost thousands. The banks willingly repaid $0.

Share these examples with your clients if they still do not believe that the threat of a data breach is real.

Wright Hotels attacked via email

This real estate investment and development firm lost over $1 million after cyber thieves drained its bank funds. It all began with a hacked email account.

Once attackers had access to the owner’s email, they could see a long history of correspondence with his bookkeeper.

They had everything they needed to commit wire fraud. They impersonated the owner and convinced the bookkeeper to wire money from the firm’s accounts to their own in China.

The attackers also accessed the owner’s Outlook calendar. This helped them schedule transactions while he was busy in meetings, so they had plenty of time to grab the money, delete all communications, and run.

PATCO Construction attacked via trojan

This Maine-based construction firm lost about $588,000 to a cyber attack. Thieves added a Trojan to one of the company’s systems. This allowed them to capture online banking credentials and make a series of ACH transfers from the company’s accounts.

The money was gone in just seven days. PATCO’s bank was able to reclaim some of it, cutting the firm’s net loss to $345,445.

However, PATCO also had to pay interest on hundreds of thousands of dollars in overdraft loans from the bank, according to reporting from Brian Krebs.

PATCO eventually sued the bank for failing to provide a “commercially reasonable” security process for the ACH transfers. The firm lost, but later won on appeal. Some have called the case a victory for victims of small business cyber attacks.

Volunteer Voyages attacked via stolen debit card

This single-owner small business lost over $14,000 due to a stolen debit card. The company leads humanitarian volunteer trips abroad, and after returning from a trip to Peru, the owner was surprised to find his account overdrawn.

Someone had stolen the company’s card number and emptied the account. Although the owner had notified his bank of the trip abroad, the bank refused to reimburse him.

This case underlines the point: small businesses will not be reimbursed if their accounts are compromised in a cyber attack. Even though Volunteer Voyages is owned by a single person, the bank claimed it was not responsible to repay the owner.

Banks don’t repay small businesses after cyber attacks

If a thief breaks into your personal bank account and drains your funds, then the bank is likely to reimburse you for the loss – but not if you’re a small business.

Consumer accounts and business accounts are treated differently by banks. Banks do not have to repay funds stolen from a business account if “commercially reasonable safeguards” are in place.

What is “commercially reasonable”? That’s an open question. If a small business cyber attack results in a lawsuit, the question will be answered in court.

According to the law firm Manning Fulton & Skinner, whether a bank’s security is “commercially reasonable” will depend on several factors:

  • The customer’s wishes with regard to security
  • The customer’s transaction activity
  • Security procedures generally used in similar situations

Banks can also cover themselves if a business customer refuses a commercially reasonable security procedure and agrees in writing to accept an alternative.

Small businesses have big risks

Small and large businesses are targeted for cyber attacks, but smaller firms are less capable of surviving one.

Small businesses are more likely to have a small number of bank accounts (all their eggs in one basket). An attack that drains thousands of dollars will eliminate a greater percentage of a small business’ net worth. And small businesses have far fewer resources to block cyber attacks and recover.

Since banks do not return funds that are stolen from business accounts, the risk to small businesses is huge.


Written by Calyptix - September 22, 2015
