Smaller companies are unlikely to have dedicated IT employees, making it less likely they would notice a breach, or that employees with follow security policies (if they are put in place at all). On the other hand, a company's bank account is likely to hold more money than a random private person's.
Many small businesses have fallen victim to cyber theft, and some of them have tried to recoup their losses by suing the bank that didn't detect and stop the fraudulent wire transfer requests initiated by the crooks. Sometimes these lawsuits are successful, other times not.
One of the latter cases has just been concluded in Missouri, when the Court of Appeals for the Eighth Circuit decided to uphold the decision of a Missouri district court that ruled that BancorpSouth is not responsible for the losses sustained by Choice Escrow Land Title LLC, as it had implemented and recommended "commercially reasonable security measures" to the company, but the company failed to avail itself of them.
The theft in question happened in 2010, when attackers succeeded in compromising the username and password for the company's online bank account and used them to transfer $440,000 to an account in Cyprus.
But the judges sided once again with the bank, as the company had previously refused to implement the bank's recommended security precautions for wire transfers - dual control process, daily wire transfer amount limits, detection of wire transfers initiated from unrecognized devices - because it was likely inconvenient for them.
"The court found no problem with the bank's acceptance of the payment order because it was 'not so unusual that it should have raised eyebrows,'" attorney Dan Mitchell commented for Bank Info Security. "It was not the largest payment order that Choice ever had submitted and its wire transfers did not follow a general pattern and varied in size from a few thousand dollars to a few hundred thousand dollars."
The court also decided that Choice Escrow has to pay BancorpSouth's attorneys' fees.