With new security measures in place that limit bank transfers and automatically send transaction notices to account holders, it's not so easy for hackers to empty victims' accounts. To stay under the radar, cyber thieves transfer smaller amounts of money each time victims log into their accounts. They focus on volume by targeting hundreds of victims to gain millions in stolen funds.
According to Tom Kellerman, vice president of cyber security for Trend Micro, in a recent interview for Time Moneyland magazine, "Ambitious criminals are embracing cybercrime, and thieves and the software they use are getting smarter, harder to combat, and easier to access online. Now anyone can download a cyber Kalashnikov, a cyber getaway car, and a cyber grenade from a myriad of sites."
An automatic transfer system (ATS) uses malware plugins called 'webinjects' that can make it appear that everything is OK with your account. It can even use a 'balance replacer' feature that sends false information to the compromised account, so most users who are hacked won't know their account is compromised until long after their money has disappeared.
Operation High Roller, a cyber attack that targeted both individuals and businesses, stole about $78 million from bank accounts across Europe, Latin America, and the U.S. Once thieves get all that money into their account, there are a couple of ways they get their hands on it:
First, they can hire a money mule—someone who may or may not know the account is being illegally used. The money mule receives a small amount of money for assisting the thieves.
Second, criminals use alternative payment services, which are viewed by some as less legitimate versions of PayPal. According to Tom Kellerman, there are about 200 of these services online and they fall into two categories: services that don't require any personal information, and services that require only a little information, which can be easily falsified. Cybercriminals can transfer funds to these services, and debit cards can often be linked to the accounts, giving them access to millions of dollars in stolen funds.
What can small businesses do to protect themselves?
"Until the financial services industry provides more security, this kind of attack cannot be thwarted," says Kellerman. On the other hand, small businesses can take some actions to stay protected, including changing passwords frequently, staying away from risky web sites, and conducting a mini audit of each month's bank statement.