Cyber thieves robbing U.S. businesses

Oct. 10, 2012

By Katy Grimes


Crooks are breaking into banks and stealing money. But it’s not Baby Face Nelson or Jesse James doing the robberies. Today’s thieves and crooks don’t have cool sounding names. These are nameless, faceless, anonymous cyber thieves.

There is a growing epidemic of online financial transaction theft from American banks and financial institutions.  Just since 2008, cyber thieves have stolen millions of dollars from small businesses, school districts, churches, public libraries, municipalities, water districts and nonprofits.

If your personal bank account is hacked and money is taken, your money is safe from cyber theft. But that’s not the case with commercial accounts as they are not protected from cyber theft by the FDIC.

Corporate Account Takeover

Identity fraud and financial theft via electronic fund transfers by cyber thieves is called “Corporate Account Takeover.” Americans think our banks are safe and our money is protected, but not all banks are equal.

Many banks with authoritative, secure sounding names are not secure, nor are they taking the responsibility for protecting commercial accounts.

According to a recent victims’ survey by cyber security giant Symantec, “Corporate Account Takeover” attacks against small businesses doubled in 2012, reported Krebs on Security. While many financial institutions make good on depositors’ losses from Corporate Account Takeover fraud and theft, many more disclaim any responsibility for such losses.

While private businesses are the most common targets of cyber theft, counties, towns, municipal governments, schools, water districts, public libraries, churches, colleges and universities, nonprofit organizations, and even the Roman Catholic Diocese of Des Moines, Iowa have all been victims.

Most cyber attacks are launched by foreign cyber criminals based in Ukraine, Byelorussia, Moldova and other Eastern European nations, according to the EU Observer.

Cyber theft is a nasty crime, and unfortunately under the radar of most Americans. But the crime is growing, and will touch nearly everyone at some point.

Oil producer targeted

TRC Operating Company, an independent oil producer located in Taft, Calif., sued its bank to recover $299,600 that very well-organized cyber thieves stole last November from the company accounts.

It wasn’t until three wire transfers, totaling $587,360, were successfully completed, and nine additional transfers were simultaneously attempted, that United Security Bank of Fresno contacted TRC to find out what the payments were for.

Because banks are not required to reimburse commercial accounts for cyber theft, TRC had to turn to the courts and file a lawsuit to get its money back.

Even the federal government has gotten involved legally, filing an official written agreement with United Security Bank to strengthen bank oversight.

The FBI and cyber theft

In September 2011, FBI Assistant Director Gordon M. Snow testified before the U.S. House Committee on Financial Services that the FBI had been investigating more than 400 cases of cyber theft, representing nearly $255 million in losses from small business accounts.

Ukrainian cybercriminals gained access to TRC’s bank account and used the information to attempt to make the unauthorized wire transfers totaling more than $3.4 million to offshore bank accounts in Ukraine.  Unfortunately, because United Security Bank of Fresno allowed more than $500,000 to be transferred out of TRC’s account without the approval of TRC company officials, TRC sued the bank.

Not all of the transfers went through, but the Ukrainian cyber thieves still managed to steal nearly $300,000 from TRC’s bank account.

Commercial versus personal banking

According to, federal regulations compel banks to make good on losses to personal accounts, however they occur. But the same is not true of commercial accounts that are accessed online.

Small and medium sized banks do not run online banking systems themselves; they outsource it to one of 13 “processors,” to whom the Federal Financial Institutions Examination Council does not directly apply, according to .

Problem Bank List

The Federal Deposit Insurance Corporation maintains a Problem Bank List, containing the names of banking institutions most likely to have weak capital positions that can lead to failure.

The FDIC does not publicize the list for fear of causing a run on the banks involved. The unofficial Problem Bank List, published by, contains the names of financial institutions that have been issued federal enforcement actions by banking regulators.

The unofficial Problem Bank List currently lists 898 institutions, as opposed to the 732 on the FDIC Problem Bank List.

Recent legal decisions

Three recent court decisions in Maine, Michigan and California established important precedents in favor of CAT victims, requiring banks to reimburse losses.

In Michigan, a judge ruled in favor of Experi-Metal in a lawsuit against regional banking giant Comerica. The judge determined that Comerica’s negligence had permitted astonishing numbers of unauthorized electronic fund transfers over a period of almost a week before taking action.

In Maine, the lawsuit of Patco Construction Company against Ocean Bank, which a Maine circuit court judge originally determined in favor of Ocean, was overruled on appeal. In overriding the circuit court decision, the appellate judge ruled that Ocean had not implemented adequate security protection for depositors.

In California, a judge’s decision in favor of cyber victim Village View Escrow Company in Redondo Beach required the bank to reimburse all lost deposits and awarded enough damages to cover extensive legal costs.

Professional Business Bank agreed to settle a wire transfer fraud litigation matter relating to a cyber-theft of more than $393,000 from Village View Escrow’s trust account at the bank, according to the Silicon Valley Law Group, which represented Village View Escrow.  The escrow company recovered more than the full amount of the funds taken from the account plus interest.

What’s next?

Congress has done nothing yet to address the growing epidemic of international financial terrorism of cyber theft.

“In 2009, President Obama recognized the need to increase education and dialogue about cybersecurity,” the Department of Homeland Security website states. “Recognizing the importance of cybersecurity, President Obama designated October as National Cyber Security Awareness month,” the Homeland Security agency announced.

Ever the useful agency, the brain trust at Homeland Security reminds us that “being safer and more secure online is a shared responsibility,” and “Together, we can maintain a cyberspace that is safer and more resilient, and that remains a source of tremendous opportunity and growth for years and years to come.”

Put that in your bank account and spend it.


  1. The Africanized Swarm of Ted Steele System, 10 October, 2012, 20:39

    I just have no comment on the very well written piece.

  2. Rex the Wonder Dog!, 10 October, 2012, 22:18

    I don’t believe it, Teddy is silent, hell HAS frozen over 😉

  3. The Confiscators, 11 October, 2012, 08:04

    This is an issue that no one wants to talk about. Community banks want to sweep these incidents under the rug, the victims rarely speak out because they don’t want others to know they’ve been victimized and the big banks who already have these protections in place don’t want to be bothered. Who suffers? Small businesses. Where are the small business advocates on this?

  4. BobA, 11 October, 2012, 15:48

    Cyber security is a corporate responsibility. The onus is on companies to stay one step ahead of cyber thieves. There are many ways to thwart cyber thieves if companies invest the time and money in the right equipment and personnel. 24 hour real time monitoring, network partitioning and controlled access to their networks are just some of the ways companies can protect themselves.

    Cyber thieves work 24/7 trying to breach network security measures and companies that don’t do the same in protecting their networks will eventually get hacked.

    I recall from the late 1990s, the engineering R&D company I worked for had a growing intranet and one incident caused them to rethink network security.
    Without giving out specifics, what they did do is hire a then colleague’s son who had previously gotten into some serious trouble with the feds by hacking certain networks.

    The kid was given free range to hack any internal network and then point out to the IT engineers the various network vulnerabilities and worked with them to correct the problems. Today that same kid is a highly paid cyber security expert and a partner in a cyber security firm.
