Pub. 2 2013 Issue 4

leading advocate for the banking industry in Kansas

SECURITY OFFICER’S BY-WORD
INTERNET ACH FRAUD
By Charles M. Towle, Senior Vice President, Kansas Bankers Surety Company

A crook purchased a spyware program available on the internet. He then sent official-looking e-mails to a large company claiming the e-mail was from the Better Business Bureau regarding a reported claim against the company. To read the claim and respond to it, the e-mail asked the company to click on the response button. This took the company to an official-looking Better Business Bureau website. The company was then required to load a program to see the details about the claim against them. Once loaded, the company was told the claim had been withdrawn. However, the website downloaded the spyware program to the business computer. Later, when the company logged on to their bank’s internet banking site, the crook learned the ID and password of the company.

About 3:30 pm that afternoon, the crook, using the spyware program, actually took control of the business computer, logged on to the internet banking system, and sent an ACH payroll file to the bank’s computer to be processed. This company’s bank had a policy of verifying all ACH files directly with the company before processing the ACH file. The bank was told that the ACH file was fraudulent. It took several weeks of investigation before the company understood how they had been hacked.

In the meantime, the crook sent other e-mails to other large business customers of other banks. One of those banks did not have a verification process in place, and upon receiving the ACH file through the internet banking system, the bank automatically processed the file, sending their customer’s funds to various accounts across the country. A total of $278,000 in funds was ACH’d from the account. The customer received an e-mail from the bank confirming the ACH transactions had been processed. The customer notified the bank early the next morning that the transactions were fraudulent.

It is difficult if not impossible to reverse an ACH credit transaction. The bank was able to reverse about 10% of the ACH transactions. The bank reviewed its internet banking contract and found that it did not address the issue of someone hacking into a customer’s computer and using the internet banking system. The liability of the bank was unclear. Other banks have internet banking contracts that hold the customer liable when someone uses the business customer’s computer or information obtained from the business customer to fraudulently enter internet banking transactions.

Every bank should consider whether they want to take the risk of completely automating large ACH or wire transactions. A bank should consider implementing a process where ACH or wire transactions or any transaction over certain dollar limits can only be finalized after bank personnel verify the transactions with the customer. The possibility that some customers’ computers may be hacked and someone may use information to do fraudulent internet banking transactions is real. The bank must consider how convenience for customers and bank employees can be balanced with the risk of large fraudulent transactions.

Also, banks should consider how much liability the bank wants to accept and how much liability a business customer should have when fraudulent internet banking transactions result from the business customer’s computer lacking the appropriate security. A bank’s internet banking contract with its business customers should address this matter. Internet banking risk is something a bank will want to evaluate regularly to avoid large losses as crooks come up with more schemes to steal money from bank customers.

For more information, please give us a call at (785) 228-0000.
