Cyber thieves robbing U.S. businesses

Oct. 10, 2012

By Katy Grimes


Crooks are breaking into banks and stealing money. But it’s not Baby Face Nelson or Jesse James doing the robberies. Today’s thieves and crooks don’t have cool sounding names. These are nameless, faceless, anonymous cyber thieves.

There is a growing epidemic of online financial transaction theft from American banks and financial institutions.  Just since 2008, cyber thieves have stolen millions of dollars from small businesses, school districts, churches, public libraries, municipalities, water districts and nonprofits.

If your personal bank account is hacked and money is taken, your money is safe from cyber theft. But that’s not the case with commercial accounts as they are not protected from cyber theft by the FDIC.

Corporate Account Takeover

Identity fraud and financial theft via electronic fund transfers by cyber thieves is called “Corporate Account Takeover.” Americans think our banks are safe and our money is protected, but not all banks are equal.

Many banks with authoritative, secure sounding names are not secure, nor are they taking the responsibility for protecting commercial accounts.

According to a recent victims’ survey by cyber security giant Symantec, “Corporate Account Takeover” attacks against small businesses doubled in 2012, reported Krebs on Security. While many financial institutions make good on depositors losses from Corporate Account Takeover fraud and theft, many more disclaim any responsibility for such losses.

While private businesses are the most common targets of cyber theft, counties, towns, municipal governments, schools, water districts, public libraries, churches, colleges and universities, nonprofit organizations, and even the Roman Catholic Diocese of Des Moines, Iowa have all been victims.

Most cyber attacks are launched by foreign cyber criminals based in Ukraine, Bylorussia, Moldova and other Eastern European nations, according to the EU Observer.

Cyber theft is a nasty crime, and unfortunately under the radar of most Americans. But the crime is growing, and will touch nearly everyone at some point.

Oil producer targeted

TRC Operating Company, an independent oil producer located in Taft, Calif., sued its bank to recover $299,600 that very well-organized cyber thieves stole last November from the company accounts.

It wasn’t until three wire transfers, totaling $587,360, were successfully completed, and nine additional transfers were simultaneously attempted, that United Security Bank of Fresno contacted TRC to find out what the payments were for.

Because banks are not required to reimburse commercial accounts for cyber theft, TRC had to turn to the courts and file a lawsuit to get its money back.

Even the federal government has gotten involved legally, filing an official written agreement with United Security Bank, to strengthen bank oversight.

The FBI and cyber theft

In September 2011, FBI Assistant Director Gordon M. Snow testified before the U.S. House Committee on Financial Services that the FBI had been investigating more than 400 cases of cyber theft, representing nearly $255 million in losses from small business accounts.

Ukrainian cybercriminals gained access to TRC’s bank account and used the information to attempt to make the unauthorized wire transfers totaling more than $3.4 million to offshore bank accounts in Ukraine.  Unfortunately, because United Security Bank of Fresno allowed more than $500,000 to be transferred out of TRC’s account without the approval of TRC company officials, TRC sued the bank.

Not all of the transfers went through, but the Ukranian cyber thieves still managed to steal nearly $300,000 from TRC’s bank account.

Commercial versus personal banking

According to, federal regulations compel banks to make good on losses to personal accounts, however they occur. But the same is not true of commercial accounts that are accessed online.

Small and medium sized banks do not run online banking systems themselves; they outsource it to one of 13 “processors,” to whom the Federal Financial Institutions Examination Council does not directly apply, according to .

Problem Bank List

The Federal Deposit Insurance Corporation maintains a Problem Bank List, containing the names of banking institutions most likely to have weak capital positions that can lead to failure.

The FDIC does not publicize the list for fear of causing a run on the banks involved. The unofficial Problem Bank List, published by, contains the names of financial institutions that have been issued federal enforcement actions by banking regulators.

The unofficial Problem Bank List currently lists 898 institutions, as opposed to the 732 on the FDIC Problem Bank List.

Recent legal decisions

Three recent court decisions in Maine, Michigan and California established important precedents in favor of CAT victims, requiring banks to reimburse losses.

In Michigan, a judge ruled in favor of Experi-Metal in a lawsuit against regional banking giant Comerica. The judge determined that Comerica’s negligence had permitted astonishing numbers of unauthorized electronic fund transfers over a period of almost a week before taking action.

In Maine, the lawsuit of Patco Construction Company against Ocean Bank, which a Maine circuit court judge originally determined in favor of Ocean, was over-ruled on appeal.  In overriding the circuit court decision, the appellate judge ruled that Ocean had not implemented adequate security protection for depositors.

In California, a judge’s decision in favor of cyber victim Village View Escrow Company in Redondo Beach required the bank to reimburse all lost deposits and awarded enough damages to cover extensive legal costs.

Professional Business Bank agreed to settle a wire transfer fraud litigation matter relating to a cyber-theft of more than $393,000 from Village View Escrow’s trust account at the bank, according to the Silicon Valley Law Group, which represented Village View Escrow.  The escrow company recovered more than the full amount of the funds taken from the account plus interest.

What’s next?

Congress has done nothing yet to address the growing epidemic of international financial terrorism of cyber theft.

“In 2009, President Obama recognized the need to increase education and dialogue about cybersecurity,” the Department of Homeland Security website states. “Recognizing the importance of cybersecurity, President Obama designated October as National Cyber Security Awareness month,” the Homeland Security agency announced.

Ever the useful agency, the brain trust at Homeland Security reminds us that “being safer and more secure online is a shared responsibility,” and “Together, we can maintain a cyberspace that is safer and more resilient, and that remains a source of tremendous opportunity and growth for years and years to come.”

Put that in your bank account and spend it.

Related Articles

Sacramento Stimulus Arena

April 4, 2012 Katy Grimes It’s getting tiring pointing out that while Sacramento burns, the City Council is fiddling. At

Greenlining Series: Targeting private foundations

This is the sixth part of a series produced by CalWatchdog and the Examiner regarding the Berkeley-based Greenlining Institute, a