Corporate bank accounts are under attack from cybercriminals who are using targeted phishing e-mails to steal funds. The threat is likely to be one of the biggest trends in 2010, according to the Anti-Phishing Working Group (APWG).
"There is already a shift away from consumer to corporate bank accounts, which we expect to intensify in the coming year," said David Jevans, chairman of the APWG and chief executive of security firm Ironkey.
Phishing attacks are becoming increasingly targeted at people working in financial departments within organisations, such as chief financial officers, he said.
Cybercriminals are using new versions of common Trojans like those in the Zeus family to steal information that enables them to steal millions of dollars from corporate bank accounts.
"Recently in the US we have seen cybercriminals attempt to steal $100m from corporate accounts, with $40m being irrecoverable," said Jevans.
Cybercriminals are increasingly able to use victims' computers to log in to corporate bank accounts, which makes it difficult to defend against these attacks because it gets around safeguards such as one-time passwords and IP recognition, he said.
The only way companies can guard against these attacks is to isolate all computers used for financial transactions, but this is not easy to do, said Jevans.
"Enforcing this can be difficult, but these computers should be locked down and not used for any general e-mail or internet activity," he said.
Businesses can also adopt a more proactive approach by checking and reconciling all fund transfers every day and following up any anomalies.
"This is a tough one and it is going to be a big problem. It is probably already much bigger than we know because many thefts are unreported," said Jevans.
Now that the bigger cybercriminal organisations have pioneered effective ways of raiding corporate bank accounts, this problem is likely to increase rapidly in the coming months as smaller groups follow suit, he said.
Many organisations are still not covering the basics of security, such as keeping software updated, because they are not fully aware of the risk, said Jevans.
"An increase in the number and size of attacks on corporate bank accounts may be the catalyst that is needed to get all businesses to take security seriously," he said.