Cyber attackers empty business accounts in minutes

Money moves fast and can be gone for good in ACH fraud

The criminals knew what they were doing when they hit the Western Beaver County School District.

They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned $US704,610.35 out of two of the school district's bank accounts.

Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $US441,000.

On July 9, Western Beaver sued ESB to try and recover the money, but security experts say that it's just one of many organizations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the bag.

Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks.

This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

In April, ACH fraudsters moved $US1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle.

They did this by hacking into the company's computers and then authorizing 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $US150,000 from the attack -- not bad for 30 minutes of work.

"ACH fraud continues to grow, especially in this current economic downturn where unemployment is at very high levels," said Jeffery Dertz, a partner in the insurance practice group with Blackman Kallick, a Chicago-based accounting and consulting firm.

Criminals can make millions of dollars per day with ACH fraud, investigators say. And while consumers are protected from this type of fraud, the rules for corporations and organizations are not as clear-cut, so sometimes victims like Western Beaver find themselves having to pay.

The fraud typically starts with a targeted phishing e-mail, aimed at whoever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.

"If I can get a hold of their credentials then I can have some fun," said Robert West, the former chief information security officer at Fifth Third Bank, who is now CEO of security intelligence consultancy Echelon One. He agrees that ACH fraud is a growing problem.

Western Beaver's attorney, Alfred Steff, declined to comment for this story, but in court filings the county said that fraudsters used a computer virus to hack into the school board's computer system.

Often the malicious software lies right inside the browser, waiting for the victim to log into a bank site before springing into action.

Then, once the victim has logged in, the software sets up new payees and transfers money to them -- once the victim's accounts have been hacked, all the attacker needs is a routing number and an account number to send the cash to a money mule. If two people must sign off on the transfer, the hackers hit both of them.

The mules are victims too. They typically think they are doing legitimate payroll work for international companies. After being recruited on sites such as Monster.com, they're told they get to keep a 5 percent commission if they move money out of the country. Often when the bank reverses the transaction, they have to pay.

Some security experts believe that the fact that mules are difficult to recruit is the only thing keeping this type of fraud from skyrocketing right now. Security vendor Trusteer estimates that 3 percent of consumers are already infected with financial fraud software.

"The bottleneck is getting the money out of the accounts," said Amit Klein, Trusteer's chief technology officer.

The fraud works, in part, because fraudulent ACH activity doesn't always trigger red flags with the banks, especially when smaller regional banks are involved, according to one investigator, who asked not to be identified because he is working on active cases.

"There's a very serious problem going on," he said of the ACH fraud. "It's a very old system and there are potentially not a lot of controls in the underlying transfer system."

In Western Beaver's case, red flags should have been raised when the school board suddenly added 42 individuals to its payroll in places as far away as California and Puerto Rico during its Christmas break, and then started to pay them far more than most other people on the payroll, he said.

According to court filings, ESB received 74 transfer requests during the four-day period, another red flag.
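
The red flags listed above for the Western Beaver case can be written as simple rules over a batch of transfer requests. The Python below is an added illustration, not code from the article, the bank or any vendor; the function name, record fields, thresholds and sample data (including the year, amounts and states) are assumptions constructed for the example.

```python
from datetime import date, timedelta
from statistics import median

def ach_red_flags(history, window, closed_days, home_state,
                  max_new_payees=5, max_requests=50, amount_factor=3.0):
    """Name the red flags raised by `window` (a list of transfer dicts).

    Thresholds are illustrative assumptions, not values from the article.
    """
    known = {t["payee"] for t in history}
    typical = median(t["amount"] for t in history) if history else 0.0
    new = [t for t in window if t["payee"] not in known]
    flags = []
    # Many payees never paid before, added in one short window.
    if len({t["payee"] for t in new}) > max_new_payees:
        flags.append("burst_of_new_payees")
    # New payees located outside the organization's home state.
    if any(t["state"] != home_state for t in new):
        flags.append("new_payees_far_from_home")
    # New payees paid far more than the typical established payee.
    if new and typical and median(t["amount"] for t in new) > amount_factor * typical:
        flags.append("new_payees_paid_above_typical")
    # Unusual number of transfer requests in the window.
    if len(window) > max_requests:
        flags.append("request_volume_spike")
    # Activity on days the organization is known to be closed.
    if any(t["date"] in closed_days for t in window):
        flags.append("activity_while_closed")
    return flags

# Constructed sample data (not taken from the court filings).
START = date(2008, 12, 29)  # the year is a constructed placeholder
HISTORY = [{"payee": f"staff-{i}", "amount": 2000.0, "state": "PA",
            "date": START - timedelta(days=14)} for i in range(30)]
CLOSED = {START + timedelta(days=d) for d in range(5)}  # holiday break
# 74 requests to 42 previously unseen payees, the counts the article reports.
WINDOW = [{"payee": f"new-{i % 42}", "amount": 9500.0,
           "state": ("CA", "PR")[i % 2],
           "date": START + timedelta(days=i % 4)} for i in range(74)]

if __name__ == "__main__":
    for flag in ach_red_flags(HISTORY, WINDOW, CLOSED, "PA"):
        print(flag)
```
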

In its lawsuit, Western Beaver faults its bank for failing to "red flag" unauthorized requests. An ESB bank spokesman could not be reached for comment.

One reason that banks have a hard time spotting fraudulent ACH transactions is that the volume of money moving through the network is simply overwhelming. The ACH network processed nearly 9 billion payments in 2002, valued at more than $US24.4 trillion.

"The last couple of banks I worked at, we would go through the equivalent of our net assets in a couple of days," West said.

As lucrative as it may be, this type of ACH fraud is not widespread, according to Mary Gilmeister, president of WACHA, a nonprofit organization that provides information relating to ACH to financial organizations.

"It's important, but it's not affecting a large number of financial institutions," she said. "Financial institutions are paying more attention to it," communicating with each other and sending up warning flags when the fraud occurs, she said.

For consumers who have their bank accounts emptied by an ACH scam, federal banking regulations cap liability at $US50, so long as the fraud is reported in a timely manner.

But for corporations and other entities, things are a lot more complicated, and whether the victim has to pay can vary from bank to bank.

That could seriously erode the public's trust in Internet banking, the investigator said: "We're talking about small businesses, the lifeblood of the U.S., that are getting hit for five or six figures because they've embraced online banking."


Robert McMillan

IDG News Service