Thieves steal $1.3 million from a property-management firm by initiating debits against its accounts using banking information pilfered from a painting company. Banking credentials stolen at a small veterinary office in Ohio lead to theft from a large New Jersey corporation. A series of bogus wire transfers helps topple a Pittsburgh savings and loan.
As these incidents from 2009 illustrate, payments fraud against corporations is on the rise, particularly in the area of electronic transactions that take place through the Automated Clearing House (ACH) network. In December the Electronic Payments Assn. (NACHA) issued a warning to banks about a cybercrime called corporate account takeover — when thieves gain control of a bank account by stealing a finance department’s online banking passwords and possibly other credentials. Just prior to that, the FBI’s Internet Crime Complaint Center reported there was an escalation of thievery related to ACH and wire transfers.
Such electronic theft has cost some small and midsize businesses tens of thousands of dollars, although it represents only a fraction of the millions of transactions that go through the ACH system every day. Concern over the trend is evident in discussions with customers, say bankers. “The biggest difference from 18 months ago is our clients’ awareness of risk in payment systems and their desire to have payments processes that enable them to manage risk,” says Cathy Bessant, head of global technology and operations at Bank of America.
In a corporate account takeover, the perpetrators can review the account details of the business, including account activity and patterns, as well as ACH and wire-transfer origination parameters (such as file size and frequency limits). The thieves use the session to initiate funds transfers, by ACH or wire transfer, to bank accounts opened by accomplices or unwitting persons (“money mules”) within the United States, says the NACHA warning letter. The accomplices or money mules then withdraw the funds and remit them out of the country to their “employers,” the letter says.
In another scam, fraudsters obtain paper checks disbursed by a company and use the account and routing numbers (which appear at the bottom of the checks) to buy goods online from Web merchants that offer electronic debit or e-check payment options. The victimized business has its account debited.
“The bottom of a paper check contains the keys to the kingdom,” says Alex Romeo, a product manager at the Electronic Payments Network (EPN), the private-sector ACH operator. If a company shares the account information with a trading partner, the information “could easily be left on a desk or a sticky note and fall into the wrong hands.”
What exacerbates the problem of fraud for business users of the ACH is that they are not protected by Regulation E, which governs electronic funds transfers for consumer bank accounts. Under that law, consumers have 60 days to inform their banks that an electronic debit is unauthorized. But corporations only have until midnight of the next day to do so, says Romeo. “The idea is that corporates are reconciling their accounts at least every day,” he explains.