Pub 2 2013 Issue 7

l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s 14 C omputers can automate transactions and make things very convenient for banks and cus- tomers. Electronic scammers from everywhere around the world are also taking advantage of the convenience a bank provides to its customers. These electronic thieves obtain login credentials by using viruses and spyware to infiltrate your customers’ unprotected computers and then impersonate your customers to steal from the customer’s account. Below is one of many incidents that are happening almost daily. A bank customer reported that three large debits to his account in the previous two days totaling over $400,000,00 were not authorized. The bank looked at the transactions and explained that the three debits were for ACH payroll transactions which the customer had initiated through his internet banking account. The customer explained that his computer had malfunctioned and had not even been turned on for the past week. He also explained that he had taken the computer to get it cleaned from viruses the previous month. Upon investigation, the bank found that someone using the customer’s login credentials had logged in to the internet banking site the prior month from a computer that appeared to use an internet provider in Brooklyn, NY and had authorized that IPAddress as a new additional authorized IP address for the customer. Then over a two day period about a month later, someone had, again using the customer’s login credentials, logged in from that same IP address and initiated the three fraudulent ACH payroll transactions. The ACH transactions resulted in the customer’s account being deb- ited for over $400,000 and credited 80 different person’s accounts in 35 different banks across the U.S. in amounts ranging from $4,000 to $7,000 each. The bank attempted to reverse the ACH transactions, but was only able to recover funds from 12 of the accounts totaling approximately $60,000. The bank suffered a net loss of over $350,000. Some of the more cooperative recipients of the funds explained that they had each responded to an ad on the Web or in an e-mail for a “New Part Time Job Opening” working as an FS Agent for just a few hours each day. The ad said that most transactions will be finalized by 2:00 pm. Further, the job offered a one-month paid training period and promised $45,000 to $75,000 a year in pay. The recipients were required to pro- vide detailed information, IDs and other information similar to what an employee would provide to a legitimate employer. The recipients were also required to provide their bank account information. Then the recipients were told they would receive funds in their bank account and they were to send the funds by Western Union and Mon- eyGram to foreign countries. They would receive $250 fee for each transaction and a $100 bonus if they could have the money sent within two hours of receipt. The people who are behind this scam are in other countries and they exploit flaws in customer’s computer protection together with the ACH system to steal money. They then spread it to multiple places where these “employees,” hired over the internet, send the funds in in- crements of less than $2,000 at a time by Western Union and Money- Gram out of the country to various recipients. Additional crooks have copied this scam, so the scam is coming from many different places and in various forms. This scam is being repeated over and over again against various businesses who have their computer taken over and login credentials compromised. Losses often range between $200,000 and $1,000,000 stolen from a single customer’s account. Some banks have added an additional control of requiring a fax confirmation each time a customer uses the internet banking system to initiate an ACH or wire transfer. However, many customers use the same computer to send fax transmissions as they use to initiate legiti- mate ACH transactions. So the crook that has taken over a customer’s computer can also cause the fax confirmation to be sent. To prevent this type of scam from causing loss to a bank’s customers, many banks are now implementing a verbal call back to a pre-verified customer voice phone number before allowing each large dollar ACH transaction file or large dollar wire transfer request to be processed. Also, the same control is implemented if a customer initiates multiple small ACH or wire transfer requests over a short period. Some customers have objected to the added inconvenience of having the bank contact them at a predetermined phone number for a verbal confirmation. Most customers, however, will agree to such procedure once they understand it is protecting them from the potential of a large loss. The Uniform Commercial Code (UCC) 4A-202(b) provides that if a bank and customer agree to a commercially reasonable security proce- dure and the bank follows the security procedure, the bank can enforce the transaction as authorized if the bank accepted the transaction in good faith and in accordance with written agreements and instructions. In cases where a customer chooses a lesser security procedure, the UCC 4A-202(c) deems such security procedure to be commercially reasonable if the bank offered and the customer refused a commer- cially reasonable security procedure and the customer expressly agrees in writing to be bound by the transaction orders, whether or not authorized, if the bank followed the security procedure chosen by the customer. (Please read the actual law.) Banks should work with their bank’s attorney to make sure they implement a commercially reasonable security procedure and that the customer agrees to be liable when the bank follows such procedure. In cases where the bank offers a commercially reasonable security procedure and a customer chooses a lesser security procedure, the bank needs to make sure its contract is used to protect the bank as allowed by UCC 4A and that the bank actually follows all agreed upon security procedures. For more information, please give us a call at (785) 228-0000. SECURITY OFFICER’S BY-WORD INTERNET ACH FRAUD RESULTING FROM A CUSTOMER’S COMPROMISED COMPUTER By Charles M. Towle, Senior Vice President Kansas Bankers Surety Company