When Cyberfraud Hits Businesses, Banks May Not Offer Protection

Sep 15, 2015
Originally published on October 7, 2015 6:12 pm

Cyberthieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole.

Dr. David Krier's Volunteer Voyages is one of the victims. Krier says he lost over $14,000 through fraudulent withdrawals from his business account, and he says his bank "refused to cover any of my losses."

Individuals are pretty well-protected when it comes to fraudulent transfers from their bank accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. That's not the case for small businesses, even if they're owned by a single person, like Volunteer Voyages.

Krier's company, in Wilsonville, Ore., leads volunteer trips to developing countries for humanitarian projects. After he returned from a trip to Peru in 2013, his bookkeeper told him his bank account was overdrawn. Krier says he told her, "Well, that has to be nonsense because there's thousands of dollars in there."

It turned out a cybercrook had commandeered the debit card he used to cover the costs of foreign trips. Krier expected that his bank would reimburse him.

At first, he says, the staff at the local bank said, "Not a problem." But later, Krier says, that bank told him, "It's a business account, so you're out of luck."

That's despite the fact that Krier had given the bank the dates of his trip to Peru in advance; the fraudulent withdrawals occurred after his return date, yet the bank didn't notify him. Krier says he considered suing West Coast Bank, but was advised he'd spend much more on legal fees than he'd recover. West Coast Bank was later bought by another bank.

For Stuart Rolfe, a Seattle businessman, the stakes were much higher and the scam much more sophisticated. Cyberthieves hacked his email account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China.

He was stunned. "Any time you have a theft, certainly one of this dollar amount, it is shocking and very disturbing," he says.

Rolfe's firm, Wright Hotels, invests in and develops hotel properties. (In the interest of full disclosure, Rolfe and his wife have made substantial contributions to NPR.)

Rolfe says one of the most unsettling things was realizing that once the cyberthieves had accessed his email, they had vast and intimate knowledge of his life and business practices.

"They knew exactly how I had communicated with our bookkeeper," he says. "They knew exactly what kinds of things that I said" in emails to her authorizing transfers. He made another disturbing discovery: When he looked back at the transfers, he found that when they were authorized he always seemed to be in business meetings.

That's because the thieves also had access to his Outlook calendar. It meant the cybercrooks could safely impersonate Rolfe and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from Rolfe's bookkeeper and then delete all those communications from the account before Rolfe returned from his meetings and checked his email again.

The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past two years. Their losses total nearly $800 million.

In Rolfe's case, the scam went on for several weeks before he discovered it. Since the transfers were fraudulent, he says, he requested and fully expected reimbursement from his bank, JPMorgan.

"The response was that they were terribly sorry for our loss, but that they could not accept any responsibility nor offer any reimbursement to us for the loss," he says.

JPMorgan declined to be interviewed but provided a written response saying it regrets Rolfe's loss. The bank said it had followed exactly the procedure Rolfe had agreed to for transferring funds.

Rolfe says the bank should be held liable because the size, frequency and destination of the fraudulent transfers were completely out of character for his account.

"There should have been 15 or 20 different red flags that would have gone up in our account if the bank had been paying any attention to these requests," Rolfe says. He argues there's a flaw in the legal system if banks are not responsible for providing that type of protection.
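As an added illustration, not from the article or from any bank's actual system, the Python below sketches the kind of baseline check Rolfe is describing: it learns an account's normal transfer size, destinations and weekly pace from a constructed sample history and reports which of those a new request departs from. The account identifiers, amounts and dates are made up.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed transfer history for one business account (sample data, not from the article).
HISTORY = [
    {"date": "2013-01-08", "amount": 4200.00, "dest": "US-0187", "country": "US"},
    {"date": "2013-01-22", "amount": 3850.00, "dest": "US-0187", "country": "US"},
    {"date": "2013-02-05", "amount": 5100.00, "dest": "US-0442", "country": "US"},
    {"date": "2013-02-19", "amount": 4600.00, "dest": "US-0187", "country": "US"},
    {"date": "2013-03-05", "amount": 3975.00, "dest": "US-0442", "country": "US"},
    {"date": "2013-03-19", "amount": 4400.00, "dest": "US-0187", "country": "US"},
]

def window_count(dates, end, days=7):
    """Number of transfers dated within the `days` days ending at `end` (inclusive)."""
    start = end - timedelta(days=days)
    return sum(1 for d in dates if start < d <= end)

def build_baseline(history):
    """Summarise what 'normal' looks like for this account: amounts, destinations, pace."""
    amounts = [t["amount"] for t in history]
    dates = [date.fromisoformat(t["date"]) for t in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,  # avoid division by zero on a constant history
        "max": max(amounts),
        "dests": {t["dest"] for t in history},
        "countries": {t["country"] for t in history},
        "weekly_max": max(window_count(dates, d) for d in dates),
    }

def red_flags(baseline, recent_dates, candidate):
    """Return (code, detail) pairs for each way `candidate` departs from the baseline.
    `recent_dates` are ISO dates of transfers already released in the current period."""
    flags = []
    amt = candidate["amount"]
    z = (amt - baseline["mean"]) / baseline["stdev"]
    if amt > baseline["max"]:
        flags.append(("AMOUNT_ABOVE_MAX", f"{amt:,.2f} exceeds prior maximum {baseline['max']:,.2f}"))
    if z > 3:
        flags.append(("AMOUNT_OUTLIER", f"{z:.1f} standard deviations above the mean"))
    if candidate["dest"] not in baseline["dests"]:
        flags.append(("NEW_DESTINATION", f"{candidate['dest']} never paid before"))
    if candidate["country"] not in baseline["countries"]:
        flags.append(("NEW_COUNTRY", f"first transfer to {candidate['country']}"))
    when = date.fromisoformat(candidate["date"])
    n = window_count([date.fromisoformat(d) for d in recent_dates], when) + 1
    if n > baseline["weekly_max"]:
        flags.append(("HIGH_FREQUENCY", f"{n} transfers in 7 days vs. usual max {baseline['weekly_max']}"))
    return flags
```

A routine $4,500 payment to a known domestic payee produces no flags, while a $250,000 request to a never-used account abroad, the third release that week, trips all five checks.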

The law does require banks, under the Uniform Commercial Code, to offer business customers a "commercially reasonable" security protocol. If the bank follows that protocol, it can refuse to reimburse businesses that are victims of fraudulent money transfers.

Mark Patterson is now very familiar with the rules. A few years ago, his company, PATCO Construction, based in Sanford, Maine, was the victim of cyberfraud. He described it in detail as he inspected work on some townhouses his company is building in Kennebunk, Maine.

He said that over consecutive nights, about $100,000 a night was taken out of PATCO's checking account. By the time his chief financial officer discovered it, Patterson says, "we were down about $545,000."

Patterson thought his bank, Ocean Bank, would reimburse him. It refused, and he sued. Patterson says the bank threw a huge amount of resources at the case. He says he discovered in mediation that the bank had spent "in excess of $1.2 million fighting this, when we offered to settle this for $200,000."

PATCO lost the first round but won on appeal when a panel of judges concluded Ocean Bank's security had not been commercially reasonable.

Patterson thinks the law should be changed to make banks shoulder more responsibility for cybercrime losses at small businesses.

Stuart Rolfe agrees. "I think it's as simple as saying that banks are in the best position to be able to provide this type of protection," he says.

Doug Johnson, a senior vice president who oversees cybersecurity policy at the American Bankers Association, rejects the idea that banks should bear greater responsibility.

"If we gave small businesses that now have to abide by the Uniform Commercial Code those additional protections, then what we do is we take away some of the incentives that they have to have the proper levels of security within their organizations," Johnson says.

Mark Patterson says that logic runs both ways. "Let's just say they don't necessarily put the same amount of effort in if it's your nickel that might be lost," he says.

Patterson has been to Washington several times to try to convince members of Congress to shift more responsibility to the banks in these cyberfraud cases. He says he hasn't had any luck.

Johnson says the best way forward is for banks to inform their customers about the dangers they face so they can work together to beat the bad guys. He offers these tips to businesses: educate your employees, change passwords often, require two-person approval for fund transfers, and dedicate a single computer to be used only for financial transactions.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

We have news this morning that questions whether banks are doing one of their most basic jobs. You deposit money in the bank, and the bank is supposed to keep it safe.

STEVE INSKEEP, HOST:

It turns out that basic agreement does not always apply to many business owners who put their money in the bank. If cyber criminals gain access to the accounts, the business owners are out of luck.

GREENE: And the bank may take no responsibility at all. NPR's John Ydstie reports on just how exposed some people are.

JOHN YDSTIE, BYLINE: Individuals are pretty well-protected when it comes to fraudulent transfers from their bank accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. That's not the case for small businesses, even if they're essentially one-person affairs, like David Krier's company, Volunteer Voyages, based in Oregon.

DAVID KRIER: I lost over $14,000 through fraudulent withdrawals from my account by unknown individuals, and the bank refused to cover any of my losses.

YDSTIE: Krier is a medical doctor who runs a company that leads volunteer trips to developing countries for humanitarian projects. After he returned from a trip to Peru in 2013, his bookkeeper told him his bank account was overdrawn.

KRIER: And I said, well, that has to be nonsense because there's thousands of dollars in there.

YDSTIE: It turned out a cyber crook had commandeered the debit card he used to cover the costs of foreign trips. Krier expected his bank would reimburse him.

KRIER: At first, everyone locally said, not a problem. And then the bank said, oh, no, we looked at it and it's a business account, so you're out of luck.

YDSTIE: That's despite the fact that Krier had, in advance, given the bank the dates of his trip to Peru and the fraudulent withdrawals occurred after his return date. But the bank didn't notify him. Krier says he considered suing West Coast Bank but was advised he'd spend much more on legal fees than he'd recover. West Coast Bank was later bought by another bank.

For Stuart Rolfe, a Seattle businessman, the stakes were much higher and the scam was much more sophisticated. Cyberthieves hacked his email account, impersonated him and transferred more than a million dollars through U.S. domestic accounts to an account in China.

STUART ROLFE: Any time you have a theft, certainly one of this dollar amount, it is shocking and very disturbing.

YDSTIE: Rolfe's firm, Wright Hotels, invests in and develops hotel properties. In the interest of full disclosure, he and his wife have made substantial contributions to NPR. Rolfe says one of the most unsettling things was realizing that once the cyberthieves had accessed his email, they had vast and intimate knowledge of his life and business practices.

ROLFE: They knew exactly how I had communicated with our bookkeeper. They knew exactly what kinds of things that I said or did, even to the disturbing realization that when these transfers were made, the authorizations happened during times where I was in business meetings.

YDSTIE: That's because the thieves also had access to his Outlook calendar. That meant the cyber crooks could safely impersonate him and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves even responded to questions from the bookkeeper and then deleted all those communications from the account before Rolfe returned from his meetings and checked his email again.

The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past two years. Their losses total nearly $800 million. In Stuart Rolfe's case, the scam went on for several weeks before he discovered it. Since the transfers were fraudulent, he says he requested, and fully expected, reimbursement from his bank, JPMorgan.

ROLFE: But the response was that they were terribly sorry for our loss, but that they could not accept any responsibility nor offer any reimbursement to us for the loss.

YDSTIE: JPMorgan declined our request for an interview but provided a written response saying it regretted Rolfe's unfortunate loss, but said it had followed exactly the procedure Rolfe had agreed to for transferring funds. Rolfe argues the bank should be held liable because the size, frequency and destination of the fraudulent transfers were completely out of character for his account.

ROLFE: There should have been 15 or 20 different red flags that would have gone up in our account if the bank had been paying any attention to these requests. And so it's a flaw in the legal system right now that there is not liability on the banks to provide that type of protection.

YDSTIE: What the law does require of banks, under something called the Uniform Commercial Code, is that they offer business customers a commercially reasonable security protocol. If the bank follows that protocol, it can refuse to reimburse businesses that are victims of fraudulent money transfers.

MARK PATTERSON: In this first unit, we have guys insulating this house before we drywall, getting it all weather-tight and insulated.

YDSTIE: Mark Patterson is very familiar with the rules, at least he is now. A few years ago, his company, PATCO Construction, based in Sanford, Maine, was the victim of cyber fraud.

PATTERSON: Over the period of five consecutive nights, excluding weekends, $100,000 a night had been taken out of our checking account, and we were down about $545,000.

YDSTIE: Patterson thought his bank, Ocean Bank, would reimburse him. It refused, and Patterson sued.

PATTERSON: Unfortunately, the bank just threw everything at this case. We discovered in mediation that the bank had spent in excess of 1.2 million fighting this when we offered to settle for 200,000.

YDSTIE: PATCO lost the first round but won on appeal when a panel of judges concluded Ocean Bank's security had not been commercially reasonable. Patterson also believes the law should be changed to make banks shoulder more responsibility for cybercrime losses in small businesses. Stuart Rolfe agrees.

ROLFE: Well, I do think banks should bear responsibility. And I think it's as simple as saying that banks are in the best position to be able to provide this type of protection. Consumers are just not in a position to be able to do that.

YDSTIE: Doug Johnson, a senior vice president who oversees cybersecurity policy at the American Bankers Association, disagrees.

DOUG JOHNSON: If we gave small businesses that now have to abide by the Uniform Commercial Code those additional protections, then what we do is we take away some of the incentives that they have to have the proper levels of security within their organizations.

YDSTIE: Mark Patterson says that logic runs both ways.

PATTERSON: Let's just say they don't necessarily put the same amount of effort in if it's your nickel that might be lost.

YDSTIE: Patterson has been to Washington several times to try to convince members of Congress to shift more responsibility to the banks in these cyber fraud cases. He says he hasn't had any luck so far. Doug Johnson says the best way forward is for banks to inform their customers about the dangers they face so they can work together to beat the bad guys. Johnson offers these tips - educate your employees, change passwords often, require two-person approval for fund transfers and dedicate a single computer to be used only for financial transactions. John Ydstie, NPR News, Washington. Transcript provided by NPR, Copyright NPR.