Every financial institution would be wise to consider these recommendations. Another factor looming over the ongoing cybercrime wave is the commercial customer himself. 

The Financial Services Information Sharing and Analysis Center, NACHA and the FTC have published a wealth of material about commercial account takeovers since 2009. These groups have long recognized that many safeguards against these threats fall under the control of the commercial customer. 

Many of the Zeus infections that resulted in corporate account takeovers stem from the improper use of the customer's PC for online banking. To combat these risks, FS-ISAC and NACHA released a joint publication on August 24, 2009 titled "Account Hijacking of Corporate Customers – Recommendations for Customer Education."

This document lists 24 recommendations for business and corporate customers that the authors believed would help reduce the risk of corporate account takeover that are still valid today. Among them are using a dedicated, stand-alone, hardened PC for all online banking. Email and general internet browsing should not be conducted on this PC. The idea here is to prevent a Zeus infection, thereby significantly lowering the risk of fraud.

Another recommendation is to reconcile all banking transactions on a daily basis. Early detection of fraudulent transactions provides a better chance for the firm to recover stolen funds.

The publication also suggests implementing a dual-control process for all financial transactions. Businesses should set up their employees within the system so that one employee has rights to enter a transaction and a different employee must approve the transaction before it occurs.

Make use of the dual-factor authentication options offered by the financial institution, according to the guidance from FS-ISAC and NACHA. If these options include a dynamic password token or something similar, implement that immediately.

Other recommendations are taking advantage of transaction limits to curb financial losses should criminals begin to initiate fraudulent transactions.

Install antivirus on the online banking PC and keep it up to date. Although some Zeus variants have yet to be identified, a number of variants have already been recognized by the leading antivirus vendors.

Limit administrative rights on the online banking PC. The ID that employees use to access the online banking PC should not have administrative rights.  This will make it more difficult for malware to get installed.

There are many more recommendations in the FS-ISAC document to be considered by your commercial customer or member. One way to get those recommendations into their hands might be to convert them into a questionnaire that your commercial bankers can bring to their customers on a site visit.

Community banks and credit unions regularly pride themselves on their personal attention and proactive service. Visiting your commercial customer with a questionnaire, such as the one suggested above, might do more than showcase your personal touch and commitment to their well-being: they might actually help these customers avoid a cyber attack. 

Many security articles today focus on technical and regulatory approaches to combating the latest security challenges. Fewer articles focus on the customer's role in preventing a malware infection from occurring in the first place.  Experience tells us that an ounce of prevention is worth a pound of cure. 

Kevin Hamel is vice president and security officer at COCC Inc. 
Contact 888-678-0444 or [email protected]