Cyber attackers empty business accounts in minutes

Money moves fast and can be gone for good in ACH fraud

The criminals knew what they were doing when they hit the Western Beaver County School District.

They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned $US704,610.35 out of two of the school district's bank accounts.

Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $US441,000.

On July 9, Western Beaver sued ESB to try and recover the money, but security experts say that it's just one of many organizations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the bag.

Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks.

This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

In April, ACH fraudsters moved $US1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle.

They did this by hacking into the company's computers and then authorizing 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $US150,000 from the attack -- not bad for 30 minutes of work.

"ACH fraud continues to grow, especially in this current economic downturn where unemployment is at very high levels," said Jeffery Dertz, a partner in the insurance practice group with Blackman Kallick, a Chicago-based accounting and consulting firm.

Criminals can make millions of dollars per day with ACH fraud, investigators say. And while consumers are protected from this type of fraud, the rules for corporations and organizations are not as clear-cut, so sometimes victims like Western Beaver find themselves having to pay.

The fraud typically starts with a targeted phishing e-mail, aimed at whoever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.

"If I can get a hold of their credentials then I can have some fun," said Robert West, the former chief information security officer at Fifth Third Bank, who is now CEO of security intelligence consultancy Echelon One. He agrees that ACH fraud is a growing problem.

Western Beaver's attorney, Alfred Steff, declined to comment for this story, but in court filings the county said that fraudsters used a computer virus to hack into the school board's computer system.

Often the malicious software lies right inside the browser, waiting for the victim to log into a bank site before springing into action.

Then, once the victim has logged in, the software sets up new payees and transfers money to them -- once the victim's accounts have been hacked, all the attacker needs is a routing number and an account number to send the cash to a money mule. If two people must sign off on the transfer, the hackers hit both of them.

The mules are victims too. They typically think they are doing legitimate payroll work for international companies. After being recruited on sites such as, they're told they get to keep a 5 percent commission if they move money out of the country. Often when the bank reverses the transaction, they have to pay.

Some security experts believe that the fact that mules are difficult to recruit is the only thing keeping this type of fraud from skyrocketing right now. Security vendor Trusteer estimates that 3 percent of consumers are already infected with financial fraud software.

"The bottleneck is getting the money out of the accounts," said Amit Klein, Trusteer's chief technology officer.

The fraud works, in part, because fraudulent ACH activity doesn't always trigger red flags with the banks, especially when smaller regional banks are involved, according to one investigator, who asked not to be identified because he is working on active cases.

"There's a very serious problem going on," he said of the ACH fraud. "It's a very old system and there are potentially not a lot of controls in the underlying transfer system."

In Western Beaver's case, red flags should have been raised when the school board suddenly added 42 individuals to its payroll in places as far away as California and Puerto Rico during its Christmas break, and then started to pay them far more than most other people on the payroll, he said.

According to court filings, ESB received 74 transfer requests during the four-day period, another red flag.
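
The red flags the investigator lists (a burst of new payees, payees far from home, new payees paid above the norm, an unusual number of requests, activity while the customer is closed) can be written as simple checks over an account's transfer records. The sketch below is an added example, not any bank's system or code from the article; the record layout, thresholds, payee IDs, amounts and the calendar year are all constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

def ach_red_flags(history, window, closed_days, max_new_payees=3, volume_factor=3):
    """history/window: lists of (day, payee_id, state, amount) transfer records.
    Thresholds are illustrative assumptions, not any bank's policy."""
    known = {t[1] for t in history}
    home_states = {t[2] for t in history}
    typical_amount = median(t[3] for t in history)
    # Typical number of transfers in one historical batch (per active day).
    typical_batch = median(Counter(t[0] for t in history).values())
    new = [t for t in window if t[1] not in known]
    flags = []
    if len({t[1] for t in new}) > max_new_payees:
        flags.append("burst_of_new_payees")
    if any(t[2] not in home_states for t in new):
        flags.append("new_payee_out_of_area")
    if new and median(t[3] for t in new) > 2 * typical_amount:
        flags.append("new_payees_paid_above_norm")
    if len(window) > volume_factor * typical_batch:
        flags.append("unusual_request_volume")
    if any(t[0] in closed_days for t in window):
        flags.append("activity_during_closure")
    return flags

# Constructed sample data; the year is a placeholder (the article gives none).
HISTORY = [(d, f"emp-{i}", "PA", 1500.0)
           for d in (date(2008, 12, 1), date(2008, 12, 15)) for i in range(20)]
CLOSED = {date(2008, 12, 24) + timedelta(days=n) for n in range(10)}  # Dec 24 - Jan 2
# 74 requests to 42 previously unseen payees in CA and PR over four days.
SUSPECT = [(date(2008, 12, 29) + timedelta(days=i % 4), f"new-{i % 42}",
            "CA" if i % 2 else "PR", 9500.0) for i in range(74)]
# An ordinary payday: the same 20 known payees, usual amounts.
NORMAL = [(date(2009, 1, 15), f"emp-{i}", "PA", 1500.0) for i in range(20)]

if __name__ == "__main__":
    print(ach_red_flags(HISTORY, SUSPECT, CLOSED))
    print(ach_red_flags(HISTORY, NORMAL, CLOSED))
```

Any one of these checks is noisy alone; the pattern described above trips all five at once, while an ordinary payroll run trips none.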

In its lawsuit, Western Beaver faults its bank for failing to "red flag" unauthorized requests. An ESB bank spokesman could not be reached for comment.

One reason that banks have a hard time spotting fraudulent ACH transactions is that the volume of money moving through the network is simply overwhelming. The ACH network processed nearly 9 billion payments in 2002, valued at more than $US24.4 trillion.

"The last couple of banks I worked at, we would go through the equivalent of our net assets in a couple of days," West said.

As lucrative as it may be, this type of ACH fraud is not widespread, according to Mary Gilmeister, president of WACHA, a nonprofit organization that provides information relating to ACH to financial organizations.

"It's important, but it's not affecting a large number of financial institutions," she said. "Financial institutions are paying more attention to it," communicating with each other and sending up warning flags when the fraud occurs, she said.

For consumers who have their bank accounts emptied by an ACH scam, federal banking regulations cap liability at $US50, so long as the fraud is reported in a timely manner.

But for corporations and other entities, things are a lot more complicated, and whether the victim has to pay can vary from bank to bank.

That could seriously erode the public's trust in Internet banking, the investigator said: "We're talking about small businesses, the lifeblood of the U.S., that are getting hit for five or six figures because they've embraced online banking."


Robert McMillan

IDG News Service