Cybercrime is on the rise with a particularly strong interest in stealing from small business and non-profits, like your local church. Often these organizations are run by inexperienced financial and computer users or volunteers. With ever-stretched budgets, small business is often strapped to invest in security measures or training for their staff, so mistakes are made. And cybercriminals who are always looking for new targets are training their sights on the online financial transactions of such small groups. Salaries, customer payments, investments, wire transfers - it's all under attack.
The methods used by the cybercriminals are the same used for the general populations but with twists. Some use a version of "phishing" called "spear phishing" where information about the members of the organization or staff of the company enables the crooks to craft a more sophisticated email that includes more convincing data. For example, the email with the dangerous links might be addressed to the company's administrator and include the name of the company. Getting that information is as easy as using a search engine like Google or Bing or reviewing the company's own website. I've received some crafty phishing emails disguised to be from Symantec's own IT department.
What really struck me in reading USA Today's story on the topic was the surprising recommendation from the banking industry on how to manage this. It's not in the original story but in a follow up report. The alert was issued by the Financial Services Information and Analysis Center and sent only to banks. The recommendation is for small businesses to set up a dedicated and restricted computer that is only to be used for financial transactions. So while the consumer population is told over and over again that online banking and trading is safe, there's a different message being sent to the banks themselves. There's also an implication of liability being passed from the banking industry to the users themselves.
Few people I know have the ability to set up a "clean machine" for their online banking so we're never go to hear this kind of recommendation for the end user. The small businesses and non-profits I'm familiar with won't be able to follow this advice either.
I know many people who have avoided online banking for fear of fraud, but I can also show you many fraud victims who were done in by lower tech schemes such as skimmers used on ATM machines at the local bank. I've had my own good and bad experiences with online financial transactions and despite the occasional problems, I still feel online banking is a big positive experience. One of the reasons I can overlook the problems is that I've always felt confident the banks would help me rectify any fraud or theft and in fact, they always have. It's a hassle to be sure but I've never lost money to ID theft, only time and effort. If the banks begin assigning blame to the end user in addition to telling us what steps we need to take to ensure their systems aren't abused, I fear it's only a matter of time before the protections they offer to counter fraud won't come free as they do today.
So until then, here are the basic security tips for safe online financial transactions:
Use complete and up to date security software on the computer
Ensure your operating system and browser software are up to date; many patches include security improvements
Never click a link in an email to access a transaction or finance site. Type the url in yourself.
Monitor your online accounts regularly, set up fraud alerts and other safety measures from the bank or investment company. I receive a daily balance from my bank sent as email.
Never use a shared or public computer for financial transactions or even to check a balance.
When you complete your transaction, log out fully from the site.
Using a password manager such as Norton Identity Safe can defeat a keystroke logger by automatically filling in webpage passwords with encrypted data, bypassing the keyboard entirely.
Other tips include advanced measures such as having a dedicated PC for online transactions, using special browsers that launch from a memory or USB stick, and using additional security measures from your bank to authenticate you at each session. It's a best practice to ask your bank for their recommendations and select your bank and trading partners by the security features and technology they offer.