Six Steps to Help SMBs Avoid Online Fraud, Financial Loss

November 6, 2012 by Mike Byrnes     No Comments

Another easily preventable cyber heist on small business (SMB) was reported this week by Brian Krebs. Primary Systems Inc. had $180,000 stolen from their coffers after thieves compromised their online banking by adding 26 “new” employees to the payroll and transferring funds ranging from $5,000-$9,000 per individual.Education

In reading the article, I find it simply fascinating that so many processes and controls that should have been in place were simply were overlooked, avoided or not understood at all. It made me immediately thing of the sinking of the Titanic and how it wasn’t just one issue (an iceberg in the ocean), but rather a series of unfortunate and avoidable events.

For Primary Systems and their bank, St. Louis-based Enterprise Bank & Trust, there are some simple, clear lessons that all small business owners AND banks need to understand.

  1. Train employees to be aware of phishing attacks. The attacks started when a Primary Systems employee clicked on a malware-infected email.
  2. Confirm IT staff has up-to-date cybersecurity training. Primary Systems staff relied on firewalls and antivirus systems to protect their corporation — a basic first defense, but hardly a proper layered security effort.
  3. Ensure banks have implemented advanced transaction-monitoring systems and the ability to detect unusual account activity. Enterprise Bank & Trust should have had systems that:
    1. Realized adding 26 new employees to the payroll, and executing a transaction in the middle of a Tuesday night, was not a typical transaction for Primary Systems (they execute payroll on Fridays)
    2. Flagged virtually every one of the new employees who had different out-of-state addresses; all Primary Systems employees were located in-state
  4. Inquire about a bank’s audit status with the FFIEC compliance standards. Enterprise Bank & Trust allows customer to transfer up to $200,000 with only username and password as security control. This seems to fly in the face of both the 2011 AND 2007 FFIEC guidance for online banking.
  5. Take advantage of positive pay or dual security controls offered by your bank. Unfortunately, Primary Systems declined to use the service offered by their bank.
  6. Understand your financial risk and liability as a small-business owner. Primary Systems assumed they were covered by EFTA Regulations “E” where banks are liable for losses due to fraud. Unfortunately, Reg. “E” only covers retail customers.

While I know that small-business owners wear many hats and are pulled in many directions, I hope they can take 15 minutes to do a little “homework” and benefit from the lesson Primary Systems learned the hard way.

Mike Byrnes


Entrust product manager Mike Byrnes has more than 20 years’ experience in product management and technology marketing with a focus on internet security and business communication systems. Mike drives product marketing for the Entrust IdentityGuard authentication platform with a significant focus on mobile solutions. In addition to mobile, his background covers identity and access management, fraud detection, malware protection, and email encryption solutions. Mike serves as vertical market prime for Entrust financial services segment, working with large banks across the globe to roll out solutions to their consumer- and corporate-banking client base.

Add to the Conversation