Client description
A small property management company in the Mid-Atlantic region
Challenge
- The company was notified that a new user had been added to their Internet banking account. Because the senior auditor knew that only two users were authorized for that account, she immediately called the bank. She then discovered that a series of wire transfers, all below the alert threshold of $10,000, had been sent to various accounts across the US. In one night, the amount of fraudulent transfers was over $90,000.
- The company’s bank was able to halt some of the fraudulent transfers, due primarily to time zone differences, but the company had to absorb a loss of over $50,000. Perhaps more costly than the financial toll was some very unpleasant publicity, in both local and national press.
- The CEO was initially inclined to blame a data breach at the bank's website, but it was quickly determined that whoever had logged in to perpetrate the fraud and add the new user had used one of the company's own authorized administrative IDs and passwords. Consequently, the bank had no way to know that it was not a legitimate user.
- Unfortunately, because the company did not initially call in outside experts, the senior auditor and the staff auditor continued to use their computers for several days after the fraud, a period in which evidence of the intrusion can be overwritten. After a few days, the senior auditor's computer stopped working. The company's part-time computer technician removed the hard drive and tried, without success, to run an antivirus scan on it, rather than first taking a forensic image of the drive.
- At that point, company executives decided to work with BerryDunn’s forensic team to figure out what had happened, mitigate further damage, and recommend steps to prevent future problems.
Solution
BerryDunn's forensic team analyzed the CEO's and the senior auditor's hard drives and identified both the problem and the type of attack:
- The compromised computer was infected with three different Trojans, malware that hides in or masquerades as legitimate software and installs itself without alerting the user.
- The Trojans gave the attacker remote access to the infected machine. At least two of the three were built specifically to capture banking information such as user IDs, passwords, and screenshots of banking sessions.
- The malware was also able to disable the anti-virus software and the Windows firewall on the computer, so the infection went unnoticed.
The forensic data team recovered the deleted files and determined that one of the two computers was the source of the breach.
The team recommended that the company:
- Replace part-time support with a full-time IT administrator who is familiar with the core processes the company's software and hardware require
- Upgrade the firewall and anti-virus software
- Use a dedicated machine solely for company banking (one not used for e-mail or general web browsing)
- Immediately institute a daily review of the company's banking activity, so that a new user or a run of small transfers is noticed the next morning rather than weeks later
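The last recommendation is the one the company could act on the same day, and it works because it looks at activity in aggregate rather than one wire at a time: the fraud above stayed under the bank's $10,000 per-transfer alert, but $90,000 moved in one night. The script below is an added illustration of such a daily review, not BerryDunn's or the bank's tooling. The export format (date,user,destination,amount), the user and payee IDs, and the sample rows are all constructed for the example; the three rules (unknown initiating user, payee never paid before, and a day's sub-threshold wires adding up to more than the threshold) are a practitioner's starting point, not a list the page prescribes.

```python
"""Daily banking-activity review (added example; format and data are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

PER_WIRE_ALERT = Decimal("10000")                   # the bank's per-transfer threshold
AUTHORIZED_USERS = {"sr_auditor", "staff_auditor"}  # hypothetical: the two authorized IDs
KNOWN_PAYEES = {"ACCT-VENDOR-1", "ACCT-PAYROLL"}    # hypothetical: accounts paid before

# Constructed sample export. Lines beginning with '#' are comments.
# The over-threshold payroll wire is normal; the four late-night wires are each
# under $10,000 and would not trip a per-transfer alert on their own.
SAMPLE_EXPORT = """
# date,user,destination,amount
2024-01-10T09:02, staff_auditor, ACCT-PAYROLL, 12500.00
2024-01-10T22:05, sr_auditor, ACCT-4410, 9800.00
2024-01-10T22:17, sr_auditor, ACCT-4411, 9500.00
2024-01-10T22:31, sr_auditor, ACCT-4412, 9900.00
2024-01-10T23:02, newuser01, ACCT-4413, 9700.00
"""


@dataclass(frozen=True)
class Wire:
    when: datetime
    initiated_by: str
    dest_account: str
    amount: Decimal


def parse_export(text):
    """Parse the constructed CSV-style export into Wire records."""
    wires = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        when, user, dest, amount = (f.strip() for f in line.split(","))
        wires.append(Wire(datetime.fromisoformat(when), user, dest, Decimal(amount)))
    return wires


def review(wires, authorized=AUTHORIZED_USERS, known_payees=KNOWN_PAYEES,
           per_wire_alert=PER_WIRE_ALERT):
    """Return a list of (rule, ...) alert tuples for one day's export."""
    alerts = []
    daily_total = defaultdict(Decimal)   # (user, date) -> sum of sub-threshold wires
    daily_count = defaultdict(int)       # (user, date) -> number of sub-threshold wires

    for w in wires:
        # Rule 1: only the two authorized IDs should ever initiate a wire.
        if w.initiated_by not in authorized:
            alerts.append(("unauthorized_user", w.initiated_by, w.when.isoformat()))
        # Rule 2: a destination the company has never paid deserves a phone call.
        if w.dest_account not in known_payees:
            alerts.append(("new_payee", w.dest_account, str(w.amount)))
        # Rule 3 (accumulate): wires individually under the bank's alert level.
        if w.amount < per_wire_alert:
            key = (w.initiated_by, w.when.date())
            daily_total[key] += w.amount
            daily_count[key] += 1

    # Rule 3 (decide): several sub-threshold wires whose sum crosses the threshold.
    for (user, day), total in daily_total.items():
        if daily_count[(user, day)] > 1 and total >= per_wire_alert:
            alerts.append(("structured_total", user, day.isoformat(), str(total)))
    return alerts


def run_sample():
    """Run the review over the constructed export."""
    return review(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note what the sample shows: three of the four fraudulent wires were initiated under the compromised `sr_auditor` ID, so the authorized-user rule alone would have missed them; they surface only through the new-payee and structured-total rules. The review is only as good as the person who reads it each morning, which is why the page pairs it with the dedicated banking machine and full-time IT support.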
Outcomes
- Although the company remained liable for the funds that were not recovered from the wire transfer scheme, BerryDunn helped it put internal controls in place to prevent future fraud.
- Working with BerryDunn also helped the company limit the publicity and reputational damage and bring the matter to a swift close.