Think a cyber-heist won’t hit your business? Think again. Cyber criminals are not always looking to clear six-figure transfers from under your nose. Dr. David Krier’s business only had $14,000 in fraudulent withdrawals, but it was his bank’s response that proves a most important point.
Some cyber fraud horror stories were recently discussed on NPR…
Cyber thieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole.
Dr. David Krier’s Volunteer Voyages is one of the victims. Krier says he lost over $14,000 through fraudulent withdrawals from his business account, and he says his bank “refused to cover any of my losses.” The crooks were able to get his debit card info, and once the bank learned it was a business account, it changed its stance on refunding his money from “not a problem” to “you’re out of luck.”
That’s despite the fact that Krier had given the bank the dates of his trip to Peru in advance. The fraudulent withdrawals occurred after his return date, but the bank didn’t notify him. Krier says he considered suing West Coast Bank, but was advised he’d spend much more on legal fees than he’d recover.
For Stuart Rolfe, a Seattle businessman (Wright Hotels), the stakes were much higher and the scam much more sophisticated. Cyberthieves hacked his email account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China.
Rolfe says one of the most unsettling things was realizing that once the cyberthieves had accessed his email, they had vast and intimate knowledge of his life and business practices.
“They knew exactly how I had communicated with our bookkeeper,” he says. “They knew exactly what kinds of things that I said” in emails to her authorizing transfers. He made another disturbing discovery: When he looked back at the transfers, he found that when they were authorized he always seemed to be in business meetings.
That’s because the thieves also had access to his Outlook calendar. It meant the cyber crooks could safely impersonate Rolfe and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from Rolfe’s bookkeeper and then delete all those communications from the account before Rolfe returned from his meetings and checked his email again.
In Rolfe’s case, the scam went on for several weeks before he discovered it. Since the transfers were fraudulent, he says, he requested and fully expected reimbursement from his bank, JPMorgan.
“The response was that they were terribly sorry for our loss, but that they could not accept any responsibility nor offer any reimbursement to us for the loss,” he says.
Mark Patterson is now very familiar with the rules. A few years ago, his company, PATCO Construction, based in Sanford, Maine, was the victim of cyber fraud. He described it in detail as he inspected work on some townhouses his company is building in Kennebunk, Maine.
He said that over consecutive nights, about $100,000 a night was taken out of PATCO’s checking account. By the time his chief financial officer discovered it, Patterson says, “we were down about $545,000.”
Patterson thought his bank, Ocean Bank, would reimburse him. It refused, and he sued. Patterson says the bank threw a huge amount of resources at the case. He says he discovered in mediation that the bank had spent “in excess of $1.2 million fighting this, when we offered to settle this for $200,000.”
The moral of these stories is to make sure your employees receive ongoing security awareness training and to enhance your company’s IT security. You are not likely to recoup fraudulent transfers from the bank, so stop them before they happen. Most of these cases started with phishing attacks, which can be prevented. The budget spent on security and staff training (“change passwords often, require two-person approval for fund transfers, dedicate a single computer to be used only for financial transactions”) will be a fraction of what you could lose if a cyber-heist targets you.