Bangalore: Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules.

In the last few months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts. The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.

FBI puts losses from online fraud involving malware and money mules at around $40 million. Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called 'spear phishing' e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.

The e-mails contain either an infected file or a link to a web site hosting malware. Once the file or link is opened, the malware containing a key logger is installed on the recipients' computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a fund transfer masquerading as the authorized user.

The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment web sites.

"In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks," said the FBI.

Last week, the Federal Deposit Insurance (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers. According to the statement released by FDIC, money mule activity is essentially electronic money laundering.

Amit Klein, Chief Technical Officer of Trusteer said, "Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder. Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers. Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."