Page 2 of 2   <      

European Cyber-Gangs Target Small U.S. Firms, Group Says

"The data is not quite where it could be, and we don't have a good benchmark in terms of determining the prevalence of this type of fraud," said Cliff Stanford, director of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta. "As a result, banks and consumers might not fully understand where they need to best deploy additional security measures."

Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.

In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

Avivah Litan, a fraud analyst with Gartner Inc., said few commercial banks have invested in back-end technologies that can detect fraudulent or unusual transaction patterns for businesses.

"The banks spend a lot of money on protecting consumer customers because they owe money if the consumer loses money," Litan said. "But the banks don't spend the same resources on the corporate accounts because they don't have to refund the corporate losses."

Swallowing the Losses

The incidents in many cases are pitting victims against their banks. In July, a public school district near Pittsburgh filed a lawsuit against ESB Bank, a subsidiary of Ellwood City, Pa.-based ESB Financial Corp., to recover funds lost to cyber-fraud. The Western Beaver school district charges that crooks used malicious software to siphon more than $700,000 from the school's account at ESB. According to the lawsuit, the funds were transferred in 74 separate transactions over a two-day period, to 42 different money mules.

In April, cyber-crooks stole $1.2 million from Unique Industrial Product Co., a Sugar Land, Tex.-based plumbing equipment supply company. Pankaj Malani, the company's operations manager, said a forensic analysis showed the attackers used malware planted on its computers to initiate 43 transfers out of the company's account within 30 minutes. The intruders sent some of the funds directly to Eastern Europe and funneled the remainder through people in the United States.

Malani said the FBI is investigating the case, but because the company spotted the fraud quickly, its bank was able to retrieve all but $190,000 of the stolen money. "This could have put us out of business," Malani said.

Other small to mid-sized companies have not fared so well. In February, fraudsters struck JM Test Systems, an electronics calibration company in Baton Rouge. According to Happy McKnight, the company's controller, on Feb. 19, an unauthorized wire transfer of $45,640 was sent from JM Test's account to a bank in Russia. The company's bank subsequently provided the company with new credentials. But less than a week later, $51,550 of JM Test's money was transferred to five money mules across the country. McKnight said her employer was able to recover just $7,200 of the stolen money, which was returned only because one mule who was to receive that transfer apparently closed his or her account before the transfer could be completed.

"The whole thing consumed us for about a month," McKnight said. "When we start looking at all of the investigation and the things we had to change as a result of this fraud, we estimate the soft costs to our company is already three times what our straight online banking loss was."

<       2

© 2009 The Washington Post Company