The Wall Street Journal
Back in 2009, PATCO Construction, a small Maine-based company, was targeted by hackers who took $588,851.26 from the company's checking account and sent it to an Eastern European account.
PATCO was a victim of "ACH fraud," or fraud arising from use of the Automated Clearing House network. The ACH network provides the foundation of online banking transfers. Any individual or business that transfers money for purposes including direct deposit, contract payments, debit transfers, insurance premiums, and other payments relies on the ACH system to carry out that transaction.
"If you have a bank account and transfer money online, you use the ACH network," said Avivah Litan, a fraud analyst at research firm Gartner. "It's a background protocol most users aren't even aware of."
It was also in 2009 that U.S. law enforcement and regulators began issuing warnings about fraud in electronic banking, and the risk has risen since then. The Association of Certified Fraud Experts said in a 2016 survey that 72% of all businesses were targeted by ACH fraud attempts in 2015, the most recent figures available. The ACFE also determined fraudsters are more likely to commit fraud using wire transfers, checks, or commercial credit cards than ACH fraud.
Small government agencies around the country have been hit with ACH fraud in recent months, including one instance where suspected Chinese hackers bilked the town of Farmington, Conn. out of more than $2 million by siphoning money intended for a government contractor.
In a traditional ACH fraud scheme, thieves don't hack or manipulate the ACH network.
PATCO owner Mark Patterson said he receives calls from small business owners who were victimized in similar schemes and find him online. His advice is to avoid banking online whenever possible, to the extent that PATCO physically deposits the necessary funds into the bank each payroll period to minimize the risk.
"I tell people don't do ACH transactions unless you fully read your agreement with the bank and decide you want to take on the risk," Mr. Patterson said. "As the business owner, you also need to open up the bank statements every single month and look at every check. That's how you catch the fraud. If you think you're a small business and you haven't been the victim of fraud, you just don't know it."
PATCO reinforced its firewall and trained its employees not to click on links from people they don't know.
Mr. Patterson also sued his bank over the transfers. A U.S. District Court ruled in the bank's favor before the U.S. Court of Appeals reversed that decision in 2012, determining the bank's security measures were not "commercially reasonable."
Gartner's Ms. Litan said small and medium-sized businesses often recognize the risk of ACH fraud only after it's happened to them. By then, it's too late.
"The only thing someone can do is build fraud prevention into the ACH contract before they sign up because the terms of the contract override the ACH rules," she said. "It's really a terrible loss. I tell my friends not to keep their money in a business account because if it's in a consumer account, it's more protected. But that can be a big hassle."
The National Automated Clearing House Association, which develops and oversees the ACH system, did not respond to a request for comment.
(Jeff Stone writes exclusively for WSJ Pro Cybersecurity. He previously covered privacy, international hacking groups, bug bounties, and a range of related topics at media outlets including the Christian Science Monitor and the International Business Times. Write to Jeff at email@example.com)
This article was licensed through Dow Jones Direct.
Dow Jones & Company, Inc.