As small businesses continue to increase their use of technology and mobile access to conduct transactions, the drawback is that the shift may widen the space for cyber thieves to strike and drain commercial accounts in one fell swoop.

While consumers have stronger shields to protect their accounts under Federal Reserve Regulation E, which requires banks to reimburse certain fraud losses, that same protection does not apply to business and commercial accounts.

At best, the Uniform Commercial Code offers some relief by potentially holding a bank liable if it did not institute “commercially reasonable” security procedures to protect against fraud. However, there has been some ambiguity on what is considered commercially reasonable, and banks tend to have the upper hand in putting together procedures that may shorten fraud reporting timelines.

For many business members at credit unions, what it boils down to is they have to be very proactive when it comes to protecting their accounts.

“The strongest method for protecting an online business bank account accessing authentication or any online account for that matter is to use two-factor authentication,” said Mike Angelinovich, CEO of OHVA Inc., a security service provider in San Jose, Calif. “That means having two of the three factors protecting your account—something you know, have, or are.”

By this, Angelinovich said the user enters something a credit union knows on a screen key pad to access what the same credit union has, which then automatically generates from the user's client a dynamic, encrypted response that is sent to the authentication server for validation without human intervention.
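The exchange Angelinovich describes, reduced to its essentials as an added example (this is not OHVA's product or code): the server first checks a knowledge factor against a salted password hash, then issues a one-time challenge that the member's client answers automatically with a secret that never leaves the device. The server class, the 60-second challenge lifetime, the demo password and the device secret are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo values (not from the article): a member's password and the
# per-device secret provisioned into that member's authenticator client.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_DEVICE_SECRET = bytes.fromhex("6f0e2c7b9a5d4e3f1c2b3a4d5e6f7081" * 2)


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    """Hypothetical authentication server holding both factors for one member."""

    def __init__(self, password: str, device_secret: bytes, challenge_lifetime: int = 60):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.device_secret = device_secret
        self.challenge_lifetime = challenge_lifetime
        self.pending = {}  # nonce -> time issued; every nonce is single-use

    def check_knowledge(self, password: str) -> bool:
        candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)

    def issue_challenge(self, now: float) -> str:
        nonce = os.urandom(16).hex()
        self.pending[nonce] = now
        return nonce

    def check_possession(self, nonce: str, response: str, now: float) -> bool:
        # pop() consumes the nonce, so a captured response cannot be replayed
        issued = self.pending.pop(nonce, None)
        if issued is None or now - issued > self.challenge_lifetime:
            return False
        expected = hmac.new(self.device_secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(device_secret: bytes, nonce: str) -> str:
    """Possession factor: the client answers the challenge with no human input."""
    return hmac.new(device_secret, nonce.encode(), hashlib.sha256).hexdigest()


def login(server: AuthServer, password: str, device_secret: bytes, now: float) -> bool:
    """Both factors must pass; a keylogged password alone is not enough."""
    if not server.check_knowledge(password):
        return False
    nonce = server.issue_challenge(now)
    return server.check_possession(nonce, client_response(device_secret, nonce), now)


def run_scenarios() -> dict:
    """Exercise the normal login plus the failure modes a defender cares about."""
    server = AuthServer(DEMO_PASSWORD, DEMO_DEVICE_SECRET)
    t0 = 1_700_000_000.0  # constructed clock value so the demo is deterministic
    results = {}
    results["both_factors"] = login(server, DEMO_PASSWORD, DEMO_DEVICE_SECRET, t0)
    results["wrong_password"] = login(server, "wrong", DEMO_DEVICE_SECRET, t0)
    # Password stolen by malware, but the attacker's machine lacks the device secret.
    results["password_only"] = login(server, DEMO_PASSWORD, b"\x00" * 32, t0)
    # Captured response re-sent for a nonce the server has already consumed.
    nonce = server.issue_challenge(t0)
    resp = client_response(DEMO_DEVICE_SECRET, nonce)
    first = server.check_possession(nonce, resp, t0)
    replay = server.check_possession(nonce, resp, t0 + 1)
    results["replay_rejected"] = first and not replay
    # Valid response that arrives after the challenge lifetime has elapsed.
    nonce = server.issue_challenge(t0)
    late = client_response(DEMO_DEVICE_SECRET, nonce)
    results["stale_rejected"] = not server.check_possession(nonce, late, t0 + 120)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The single-use, time-limited nonce is what makes the second factor resistant to the credential-stealing Trojans mentioned later in the article: everything the user types can be captured, but the response is bound to a challenge the attacker cannot reuse and a secret the attacker does not hold.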

Layers of firewalled protection are getting thicker as hackers continue to come up with ways to breach business accounts. According to the 2013 Association of Financial Professionals Payments Fraud and Control survey of 625 cash managers, analysts and directors, 61% of businesses reported fraud in 2012. Of those organizations, 87% reported check fraud, followed by 29% reporting corporate and commercial purchasing card fraud, 27% reporting ACH debit fraud, 11% with wire transfer fraud and 8% with ACH credit fraud.

According to the AFP survey, the typical financial loss for payments fraud was $20,300 in 2012. Fraudsters tended to target large companies, the survey also reported. Sixty-seven percent of those victimized had annual revenues of more than $1 billion, compared to half of those with annual revenues less than $1 billion.


Some of the most common vulnerabilities seen include compromised or weak passwords, malware or virus infected PCs, data stolen from employees, account credential sharing, no internal audit or procedures to minimize the effect of a rogue administrator, as well as data leakage when data is extracted and leveraged off premise, said Jon Freeman, president/CEO of Mycroft, a New York-based provider of IT security, identity, access management and regulatory compliance services.

When asked if credit unions and other financial institutions can expect business account breaches to increase, Freeman said unfortunately, yes.

“Many institutions are not meticulous enough in their policies as they neglect to balance user experience with security. As a result, they'll lean heavily towards the overall user experience,” Freeman said. “The security is always an afterthought and there is a larger amount of data to be secured than amount of people who can do the securing.”

Some businesses are also slow in enacting a data sensitivity policy, meaning classifying what types of data require what kinds of safeguards, Freeman explained.

“Security is a reaction to a breach, not to prevent a breach of data,” he offered.

The $1.4 billion Anheuser-Busch Employees' Credit Union and its division, American Eagle Credit Union, have used OHVA's services since 2007, according to David Gray, manager of electronic services at the cooperatives based in St. Louis. For security reasons, he did not go into details about how accounts are protected, but he did say members are offered the highest level of safety available.

The credit unions use an OHVA service that validates the authentication server and is monitored at both the client and server ends, Angelinovich said. Once validated, the service must return a software token to the original source before granting access into an online bank account, for instance.

“Without this level of multifactor authentication for business accounts, they are sitting ducks waiting to be hacked by today's malware-carrying Trojan exploits that steal everything a user enters to access an account,” Angelinovich noted.

Freeman agreed, saying a good security practice is built on a framework that covers potential vulnerabilities. Some methods to apply include multifactor and risk-based authentication, stringent password policies, account certification, firewall rules, separation of consumer and business data, audit tracing and strong data encryption for data at rest, he suggested.

“While these are not in any particular order, these factors along with others should be incorporated within the security practice. Each scenario presents different challenges, thus, the methods deployed will vary,” Freeman said.

Having the necessary protections in place to thwart business account attacks is one thing. Detecting fraud on a business account can be another challenge because the denomination of transactions can, on average, be large, and the velocity of transactions is high, said John Walsh, president/CEO of SightSpan Inc., a Mooresville, N.C.-based global management consulting group and a member of the Association of Certified Financial Crime Specialists Task Force on threat finance in Miami.

With more than 25 years of experience in the financial services sector in the United States, the Middle East, Europe and Latin America, Walsh is considered an industry leader in financial crime risk management, financial institution and corporate security, anti-money laundering and combating terrorist financing.

“If a credit union sees an out-of-state transaction for 10 flat-screen televisions on a bakery business account, that may be suspicious,” Walsh said. “Money wired to high-risk locations like Russia or Eastern Europe may also be uncommon for domestic business accounts.”

A sophisticated transaction monitoring solution, or a diligent bank manager at smaller credit unions, has to fully understand each individual business account to be able to pick out a single irregularity and potentially fraudulent activity from mountains of legitimate transactions, Walsh said.

“Small business owners are often very busy running their business, not monitoring their accounts,” Walsh said. “They may only reconcile accounts on a monthly or quarterly basis. Analyzing historical behavior and scoring each transaction in real time is the best way to determine the risk any individual transaction may represent.”
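Walsh's approach of scoring each transaction against the account's own history, written out as an added example (not SightSpan's or any vendor's code): a baseline profile is built per account, and each incoming transaction is scored for amount deviation, unfamiliar geography, high-risk wire destinations and unfamiliar payment types, with an optional fixed per-member alert amount layered on top. The fictional bakery history, the rule weights, the 50-point review threshold and the high-risk country list are constructed assumptions for the demo.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    state: str      # US state of origin, or "INTL" for a foreign wire
    country: str    # destination country ("US" for domestic)
    category: str   # merchant or payment category
    kind: str       # card, ach, check or wire


# Placeholder list for the demo; the article names Russia and Eastern Europe
# as examples of destinations that are uncommon for domestic business accounts.
HIGH_RISK_COUNTRIES = {"RU", "UA", "BY"}

# Constructed history for a fictional Missouri bakery's business account.
HISTORY = [
    Txn("bakery-001", 180.00, "MO", "US", "grocery-wholesale", "card"),
    Txn("bakery-001", 220.00, "MO", "US", "grocery-wholesale", "card"),
    Txn("bakery-001", 95.00, "MO", "US", "fuel", "card"),
    Txn("bakery-001", 1450.00, "MO", "US", "rent", "ach"),
    Txn("bakery-001", 300.00, "MO", "US", "utilities", "ach"),
    Txn("bakery-001", 210.00, "MO", "US", "grocery-wholesale", "card"),
    Txn("bakery-001", 175.00, "MO", "US", "packaging", "check"),
    Txn("bakery-001", 1500.00, "MO", "US", "rent", "ach"),
    Txn("bakery-001", 260.00, "MO", "US", "grocery-wholesale", "card"),
    Txn("bakery-001", 190.00, "MO", "US", "utilities", "ach"),
]

# Constructed incoming transactions: a routine supplier purchase, the
# out-of-state television purchase from the article, and a foreign wire.
NEW_TRANSACTIONS = [
    Txn("bakery-001", 240.00, "MO", "US", "grocery-wholesale", "card"),
    Txn("bakery-001", 7999.00, "CA", "US", "electronics", "card"),
    Txn("bakery-001", 5000.00, "INTL", "RU", "wire-transfer", "wire"),
]


class AccountProfile:
    """What 'normal' looks like for one account, learned from its history."""

    def __init__(self, history):
        amounts = [t.amount for t in history]
        self.mean = statistics.mean(amounts)
        self.stdev = statistics.pstdev(amounts) or 1.0  # avoid divide-by-zero
        self.states = {t.state for t in history}
        self.countries = {t.country for t in history}
        self.categories = {t.category for t in history}
        self.kinds = {t.kind for t in history}


def build_profile(history) -> AccountProfile:
    return AccountProfile(history)


def score_transaction(profile, txn, alert_amount=None):
    """Return (risk score 0-100, reasons). Weights are demo assumptions."""
    score, reasons = 0, []
    z = (txn.amount - profile.mean) / profile.stdev
    if z > 3:
        score += 40
        reasons.append(f"amount is {z:.1f} standard deviations above baseline")
    elif z > 2:
        score += 20
        reasons.append(f"amount is {z:.1f} standard deviations above baseline")
    if txn.state not in profile.states:
        score += 20
        reasons.append(f"no prior activity from {txn.state}")
    if txn.country not in profile.countries:
        score += 25
        reasons.append(f"first transaction involving {txn.country}")
    if txn.country in HIGH_RISK_COUNTRIES:
        score += 30
        reasons.append(f"{txn.country} is on the high-risk list")
    if txn.category not in profile.categories:
        score += 15
        reasons.append(f"new merchant category {txn.category}")
    if txn.kind not in profile.kinds:
        score += 10
        reasons.append(f"account has never used {txn.kind} payments")
    if alert_amount is not None and txn.amount > alert_amount:
        score += 10
        reasons.append(f"exceeds member alert amount {alert_amount:.2f}")
    return min(score, 100), reasons


def review_queue(profile, txns, alert_amount=None, flag_at=50):
    """Transactions scoring at or above flag_at go to a human for review."""
    queue = []
    for t in txns:
        s, r = score_transaction(profile, t, alert_amount)
        if s >= flag_at:
            queue.append((t, s, r))
    return queue


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    for t, s, r in review_queue(prof, NEW_TRANSACTIONS, alert_amount=2500):
        print(f"{t.amount:>8.2f} {t.state}/{t.country} {t.category}: score {s}; " + "; ".join(r))
```

The amount rule alone would not catch a moderately priced out-of-state purchase, and the geography rule alone would not catch an oversized in-state one; it is the per-account baseline combined across several weak signals that lets a single irregular item surface from a large volume of routine activity.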

Point-of-sale skimming devices and massive data breaches like the ones seen at processors recently pose a difficult-to-detect risk.

“The only way for an individual bank or credit union to detect those types of breaches is, again, through the use of transaction monitoring solutions that can analyze a massive amount of data to find similarities between compromised accounts,” Walsh advised.

The most effective way to manage money laundering and threat financing risk is by properly educating and providing ongoing training to staff to make them aware of known techniques for the illicit transfer of funds, having well-documented policies and periodically reviewing procedures to ensure policies are being adhered to, Walsh suggested. The board of directors and CEO need to sign off on the overall approach and need to be engaged, he added.

As simple as it sounds, just ensuring that a business member is not using the same passwords on different sites can go far in protecting their accounts, said Anisha Sekar, vice president of credit and debit products at NerdWallet, a personal finance and credit card comparison website. Credit unions can also offer email alerts if transactions go over a certain set amount, she advised.

In addition to being a member of a credit union, Sekar said she also has accounts at a couple of banks. What she has noticed is that all of the financial institutions are using the same security questions.

“Probably without realizing it, they're enabling their own fraud,” Sekar said about credit unions and banks. “Users should be allowed to come up with their own security questions. Passwords should be changed every quarter or every half year.”

As an account comparison site that includes nearly 500 credit unions in its NerdWallet search engine, Sekar said the company's team has seen a lot of traditional account hacks and employee fraud.

“Fraud is hard to prevent and has always existed. You just have to stay one step ahead.”

© 2024 ALM Global, LLC, All Rights Reserved.