FBI probes over 400 cases of corporate bank account cyberjacking

16 September 2011

The FBI is currently investigating over 400 reported cases of corporate banking account takeovers in which cybercriminals have initiated unauthorized automated clearing house (ACH) and wire transfers from US-based organizations, an FBI official told a House panel this week.

Through this method, cybercriminals have attempted to steal over $255 million and have actually stolen around $85 million, Gordon Snow, assistant director of the FBI’s cyber division, told a House subcommittee on financial institutions and consumer credit.

Snow explained that these cyberattacks are usually carried out through targeted phishing emails that contain either malware or a link to a malware-laden website. The phish targets a person within the company who can initiate fund transfers on behalf of the business or institution.

“Once the recipient opens the attachment or navigates to the website, malware is installed on the user’s computer, which often includes a keylogging program that harvests the user’s online banking credentials. The criminal then either creates another account or directly initiates a funds transfer masquerading as the legitimate user. The stolen funds are often then transferred overseas”, Snow explained.

The targets of these phishing attacks are small and medium-sized businesses, local governments, school districts, and healthcare providers, he noted.

Snow cited the example of a New York school district that had $3 million transferred out of its bank account as the result of a 2009 phishing attack. The bank was able to recover some of the stolen funds, but $500,000 had already been withdrawn and was unrecoverable.

In March 2010, an Illinois town was the victim of a cyberattack resulting in unauthorized ACH transfers totaling $100,000, Snow related. When an authorized individual logged into the town’s bank account, she was redirected to a site alerting her that the bank’s website was experiencing technical difficulties. During this redirection, the cybercriminal used the victim’s authorized credentials to initiate transactions. The town was able to recover only $30,000, he noted.
