When Shereen Greene recently scanned her bank statement, she found a $139 charge from a company she had never heard of -- Pharmacycards.com.
The Atlanta paralegal dug out her canceled check and easily saw it was fake. The name on it was her maiden name, which she had not used in seven years. The address was five years old and her signature was missing. In its place was a brief message: "Authorized by your customer. No signature required."
Still, the numbers at the bottom of the check belonged to Greene's bank account, and in the increasingly automated world of check processing, that was all that mattered.
Greene is one of the latest victims of checking-account fraud. In her case, it was a large-scale scam that tried to extract $12 million from 90,000 bank accounts, according to a lawsuit filed by the Federal Trade Commission in May.
"This is the e-commerce equivalent of a mugging," said Howard Beales, director of the FTC's consumer protection division.
Such scams are on the rise, partly riding the huge increase in the volume of automated checking account withdrawals and deposits as part of the nation's wide acceptance of online banking. The system that processes all these requests is now clearing 10 billion electronic transactions a year as consumers abandon paper checks to have their payroll or Social Security funds deposited directly to their accounts or have many of their bills -- such as their mortgage, monthly gym fee or telephone bill -- automatically debited from their accounts.
Regulators at the Federal Reserve issued a warning to banks last year citing "alarming changes" in the automated check-clearing process, in which "dishonest persons are using the automated clearing house to originate unauthorized debits."
Some scammers are also using sophisticated and cheap technology to print checks and take advantage of a banking practice that allows companies to write unsigned paper checks on a consumer's behalf for one-time transactions, such as when a consumer wants to pay a bill at the last minute or buy from a telemarketer.
Through these unsigned checks and automated withdrawals, thieves can seed thousands of bogus payment requests into that huge system, which was built on the underlying belief that the money in an individual's account is not available without the customer's permission. Crooks who find their way into that flow can walk away with millions without having so much as a phone conversation with the people they are defrauding.
Banks are supposed to refund any unauthorized withdrawals, but there are fewer consumer protections than there are for fraudulent credit card charges. It is not always easy to convince a bank that a charge is fraudulent, since banks often argue that using the correct account number is proof it was authorized, consumer advocates say.
There are no federal rules instructing banks what to do when a depositor challenges an unsigned paper check. Practices differ among states, including whether it is the merchant's bank or the customer's bank that is liable for the loss. For electronic debits, Federal Reserve Board rules require banks to promptly investigate consumer complaints, and put any money back in a customer's account if the probe takes longer than 10 days. If the bank decides the charge is valid, it can take out the money again.
By contrast, credit card companies are liable for fraudulent charges and customers do not have to pay until charges are proven to be valid.
It took Greene a few weeks and multiple calls to her bank before she was able to recover the $139 taken from her account. Still, she had to shell out $70 for new checks with the new account number she was given because of the fraud.
The days are long gone when only banks had access to account numbers. On the front line, there are the merchants who traditionally have not been held to the same kind of strict security rules for managing sensitive customer information as have banks, said Rick Fischer, a District attorney who advises financial institutions on their security systems.
"That's the gap and it is being exploited" by criminals, Fischer said.
Behind the scenes are third-party processing firms that handle many of the transactions for merchants, depositing customer checks into banks or processing the customer's electronic account information. These companies weaken the connection between the bank, which is obligated under law to "know the customer," and the merchant who is generating the payment request.
"Third-party processors play a pretty major role in the payments business," said Elliott C. McEntee, president and chief executive of NACHA, the electronic payments association. "When a bank permits a third party to process transactions on behalf of a merchant, it's putting a lot of confidence in the third party" to make sure that the merchant is legitimate.
"Unfortunately in a few cases," McEntee added, "banks have not exercised their fiduciary responsibilities and they have allowed third parties to enter payments" that are not valid.
Banking industry officials said that is what appears to have happened with Pharmacycards.com. The phony company convinced three third-party processing firms it was a legitimate business that offered consumers a discount prescription card, according to the FTC complaint. The company created a Web site where it promised the card would be accepted by most major pharmacies, including those at Wal-Mart Stores and Target. It gave processors business references and a balance sheet. But, the FTC complaint added, "the processors did not initially ask for more information. Indeed, they did not even insist on complete application information."
Two of the processors involved, InterBill and Universal Processing Inc., declined to comment. The third firm, Payment Resources Inc., did not return phone calls.
FTC officials say that the size of the fraud suggests that Pharmacycards.com obtained a list of names and account numbers, but from where -- a merchant, a telemarketer, a list broker, a financial processing firm -- is still in question. The FTC believes that the list is a few years old; nearly 70 percent of the attempts to take $139 from individual accounts were canceled or returned because of bad account numbers, fraud protection measures at the banks or vigilance on the part of bank customers who noticed the fraud and reported it.
But enough transactions were made to allow more than $3.5 million to be debited from checking accounts, mostly through unsigned paper checks. The operation was shut down within about three months of its start after customers reported the fraud to their banks or to fraud watchdog groups, the FTC said.
Law enforcement officials say it has been surprisingly easy for crooks to win a consumer's confidence and convince them to give out their checking account numbers over the telephone or on the Internet. The officials suspect thieves have also obtained bank account numbers from checks sent to unscrupulous mail-order suppliers that offer goods that either are never delivered or are valued at far less than what was promised. Lists of these customers are then sold to other firms, some operating legally, some not.
Increasingly, officials worry that thousands of consumers have been tricked into giving out bank information by responding to bogus e-mail messages that appear to come from banks, or Web sites like eBay or PayPal. The tactic, called "phishing," has become so widespread that one technology consultant estimated that at least 57 million Americans have received these e-mails.
As reports increased of unauthorized electronic debits, the electronic payments association tightened its rules last summer, requiring banks that use its automated clearing system to more vigorously question companies that had high rates of consumer charge-backs. Now, if more than 2.5 percent of a company's monthly transactions are rejected by consumers, a bank is required to investigate. And if the charge-backs remain high, banks should stop processing that firm's automated payments.
The Federal Reserve Board is considering rules that would require a merchant's bank to be liable for unauthorized customer charges made through the unsigned checks, called demand drafts, such as the one posted to Greene's account. Currently, it is up to the consumer's bank to refund the money if it decides the draft is unauthorized.
Twelve states now say the merchant's bank should be liable for any unauthorized demand draft. But the Fed wants to make that a national rule, on the premise that doing so will force banks to be more diligent in policing their customers.
The FTC's Beales does not believe that tougher rules would deter checking account fraud. "I don't disagree that this is a threat the financial system needs to respond to. But whatever you do, thieves are going to look for ways around it," he said. "The people we're talking about don't pay a whole lot of attention to the rules."