Large enterprises and consumers have been dealing with sophisticated phishing scams, online extortion plots and other assorted theft schemes for years, but now attackers are turning their attention to the huge population of small businesses and non-profits in the U.S. And they are finding a gold mine.
The SMB market represents a huge untapped opportunity for online criminals who have been going hard after the consumer market for more than a decade now. Their online banking, PayPal, eBay and 419 scams have been tremendously successful and profitable, but the public has caught on to many of the scams at this point. There are still new victims for those scams, but the attackers are coming to the realization that it’s much more efficient for them to score $10,000 or $20,000 from one or two small businesses than it is to steal $100 from 100 or 200 individuals.
The latest targets for these scams appear to be health care providers. As Brian Krebs writes in the Washington Post, several health care organizations have fallen prey to scammers for fairly large sums recently.
On Sept. 9, crooks stole $30,000 from the Evergreen Children’s Association (currently doing business as Kids Co.), a non-profit organization in Seattle that provides on-site childcare for public schools.
Kids Co. chief executive and founder Susan Brown said the attackers tried to send an additional $30,000 batch payment out of the company’s account, but that her bank blocked the transfer at her request.
“Now we’re in this battle with our bank, because my staff accountant checks the account every day, and we notified the bank before this money was stolen and the transfer still went out,” Brown said.
Non-profits and SMBs are attractive targets for attackers for several reasons, most notably the fact that their security defenses may not be as sophisticated as those in a large enterprise. Many small businesses do not have dedicated security staffs and instead depend on general IT workers or, increasingly, outsourcing providers for security support.
SMBs and non-profits also may not have the financial resources to go after the thieves. Many of these scams are the work of organized groups of criminals that have specialized malware such as the Clampi Trojan at their disposal and face almost no risk of being caught, thanks to the difficulty of tracking online attacks. And even if they are found, prosecutions and convictions can be difficult, depending on the countries involved.
That leaves these businesses in a tough spot.