Hacked! Business bank accounts vulnerable to cybercriminals

The Electronic Funds Transfer Act, passed in 1978, states that it's intended to protect individual consumers from bank account theft, but makes no mention of businesses.

Whether a business is protected depends on the agreement it signs with a bank, says Doug Johnson, a senior vice president with the American Bankers Association, an industry group.

The thieves had obtained the account information; Marsico, owner of Sandstorm Design, a Chicago-based marketing company, still doesn't know how.

Thieves are increasingly using realistic-looking emails to trick companies into transferring money from their accounts with what's known as wire transfers, says Avivah Litan, a security analyst with the research company Gartner.

Using a computer or smartphone in a public place that has a Wi-Fi environment can also be risky, says Kevin Watson, CEO of Netsurion, a Houston-based company that provides cybersecurity for small businesses.

"Someone can just look at a check and they're a good part of the way to hacking into your account," says Dave Waring, managing partner of the New York-based company that provides financial and other services to small businesses.

Business accounts are safer at banks that use what's known as two-factor authentication, requiring unfamiliar account users or devices to supply additional information like one-time access codes, says Timothy Ryan, a managing director with the security company Kroll in New York.

Sophisticated banks also have software that flags emails or attempted logins from unfamiliar Internet service providers, he says.

— Don't log into your bank from an airport, hotel lobby, coffee shop or other public space that offers free Wi-Fi.