Cyber attackers empty business accounts in minutes

Money moves fast and can be gone for good in ACH fraud

The criminals knew what they were doing when they hit the Western Beaver County School District.

They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned $US704,610.35 out of two of the school district's bank accounts.

Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $US441,000.

On July 9, Western Beaver sued ESB to try to recover the money, but security experts say that it's just one of many organizations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the bag.

Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks.

This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

In April, ACH fraudsters moved $US1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle.

They did this by hacking into the company's computers and then authorizing 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $US150,000 from the attack -- not bad for 30 minutes of work.

"ACH fraud continues to grow, especially in this current economic downturn where unemployment is at very high levels," said Jeffery Dertz, a partner in the insurance practice group with Blackman Kallick, a Chicago-based accounting and consulting firm.

Criminals can make millions of dollars per day with ACH fraud, investigators say. And while consumers are protected from this type of fraud, the rules for corporations and organizations are not as clear-cut, so sometimes victims like Western Beaver find themselves having to pay.

The fraud typically starts with a targeted phishing e-mail, aimed at whoever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.

"If I can get a hold of their credentials then I can have some fun," said Robert West, the former chief information security officer at Fifth Third Bank, who is now CEO of security intelligence consultancy Echelon One. He agrees that ACH fraud is a growing problem.

Western Beaver's attorney, Alfred Steff, declined to comment for this story, but in court filings the county said that fraudsters used a computer virus to hack into the school board's computer system.

Often the malicious software lies right inside the browser, waiting for the victim to log into a bank site before springing into action.

Then, once the victim has logged in, the software sets up new payees and transfers money to them -- once the victim's accounts have been hacked, all the attacker needs is a routing number and an account number to send the cash to a money mule. If two people must sign off on the transfer, the hackers hit both of them.

The mules are victims too. They typically think they are doing legitimate payroll work for international companies. After being recruited on sites such as, they're told they get to keep a 5 percent commission if they move money out of the country. Often when the bank reverses the transaction, they have to pay.

Some security experts believe that the fact that mules are difficult to recruit is the only thing keeping this type of fraud from skyrocketing right now. Security vendor Trusteer estimates that 3 percent of consumers are already infected with financial fraud software.

"The bottleneck is getting the money out of the accounts," said Amit Klein, Trusteer's chief technology officer.

The fraud works, in part, because fraudulent ACH activity doesn't always trigger red flags with the banks, especially when smaller regional banks are involved, according to one investigator, who asked not to be identified because he is working on active cases.

"There's a very serious problem going on," he said of the ACH fraud. "It's a very old system and there are potentially not a lot of controls in the underlying transfer system."

In Western Beaver's case, red flags should have been raised when the school board suddenly added 42 individuals to its payroll in places as far away as California and Puerto Rico during its Christmas break, and then started to pay them far more than most other people on the payroll, he said.

According to court filings, ESB received 74 transfer requests during the four-day period, another red flag.

In its lawsuit, Western Beaver faults its bank for failing to "red flag" unauthorized requests. An ESB bank spokesman could not be reached for comment.
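The red flags described above (a burst of new payees, distant payee locations, payments far above the usual payroll amount, activity while the organization is closed, and an unusual number of requests) can be checked mechanically. The following is an added example, not code from the article, the bank or the court filings; the sample records, thresholds and the "hold for callback" response are constructed assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data (not taken from the court filings).
BASELINE = [  # (payee_id, state, amount) from earlier payroll runs
    ("emp-001", "PA", 1850.00), ("emp-002", "PA", 2100.00),
    ("emp-003", "PA", 1975.50), ("emp-004", "OH", 2250.00),
]
BREAK_START = date(2024, 12, 30)
CLOSED_DAYS = {BREAK_START + timedelta(days=i) for i in range(3)}
# One known employee plus eight never-seen payees during the break.
SUSPECT_WINDOW = [(BREAK_START, "emp-001", "PA", 1850.00)] + [
    (BREAK_START + timedelta(days=i % 3), f"new-{i:03d}",
     ("CA", "PR", "PA")[i % 3], 4200.00 + 900 * i)
    for i in range(8)
]
NORMAL_WINDOW = [(date(2024, 12, 13), p, s, a) for p, s, a in BASELINE]


def score_window(baseline, window, closed_days, usual_requests=4,
                 amount_factor=3.0, velocity_factor=2.0):
    """Return the red flags raised by one window of ACH credit requests."""
    known = {p for p, _, _ in baseline}
    usual_states = {s for _, s, _ in baseline}
    typical = median(a for _, _, a in baseline)
    new = [(d, p, s, a) for d, p, s, a in window if p not in known]
    counts = {
        # Payees that never appeared in earlier payroll runs.
        "new_payees": len({p for _, p, _, _ in new}),
        # New payees located where the originator has never paid anyone.
        "new_payee_unusual_state": len({p for _, p, s, _ in new
                                        if s not in usual_states}),
        # Transfers to new payees far above the typical payroll amount.
        "new_payee_large_amount": sum(a > amount_factor * typical
                                      for _, _, _, a in new),
        # Requests submitted on days the organization is closed.
        "closed_day_requests": sum(d in closed_days for d, _, _, _ in window),
        # Request volume well above a normal window of the same length.
        "excess_volume": len(window)
        if len(window) > velocity_factor * usual_requests else 0,
    }
    flags = {name: n for name, n in counts.items() if n}
    # Two or more independent flags: hold the batch for out-of-band callback.
    return {"flags": flags, "hold_for_callback": len(flags) >= 2}


if __name__ == "__main__":
    for name, win in (("normal", NORMAL_WINDOW), ("suspect", SUSPECT_WINDOW)):
        print(name, score_window(BASELINE, win, CLOSED_DAYS))
```

The ordinary payroll run raises no flags, while the constructed holiday window raises all five and is held.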

One reason that banks have a hard time spotting fraudulent ACH transactions is that the volume of money moving through the network is simply overwhelming. The ACH network processed nearly 9 billion payments in 2002, valued at more than $US24.4 trillion.

"The last couple of banks I worked at, we would go through the equivalent of our net assets in a couple of days," West said.

As lucrative as it may be, this type of ACH fraud is not widespread, according to Mary Gilmeister, president of WACHA, a nonprofit organization that provides information relating to ACH to financial organizations.

"It's important, but it's not affecting a large number of financial institutions," she said. "Financial institutions are paying more attention to it," communicating with each other and sending up warning flags when the fraud occurs, she said.

For consumers who have their bank accounts emptied by an ACH scam, federal banking regulations cap liability at $US50, so long as the fraud is reported in a timely manner.

But for corporations and other entities, things are a lot more complicated, and whether the victim has to pay can vary from bank to bank.

That could seriously erode the public's trust in Internet banking, the investigator said: "We're talking about small businesses, the lifeblood of the U.S., that are getting hit for five or six figures because they've embraced online banking."

Robert McMillan

IDG News Service