US electronic payments association Nacha has warned of a new e-mail scam designed to dupe small businesses into inadvertently downloading malicious password-stealing software in the guise of an ACH transaction report.
The subject line of the e-mail states: 'Rejected ACH Transaction' and includes a link which redirects the recipient to a bogus Nacha Web page where users are instructed to download a 'transaction report' detailing the unauthorised transfer.
The link in fact harbours a copy of the Zeus/Zbot Trojan, a sophisticated piece of malware which has been responsible for a wave of successful online banking assualts on US small businesses over the past several months.
The latest attack comes less than a fortnight after the FBI warned of a "significant increase" in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts.
The upsurge in fraud at the ACH has led to calls for small businesses to use dedicated machines for conducting online banking transfers or to transfer their business banking accounts to personal accounts which offer better online protection and liability guarantess.