By Karen McCarthy
On February 15, 2010, my life was turned upside down. My commercial bank account at TD Bank was looted.
Eastern Europe-based cyber-thieves added my company to the list of victims of the epidemic of American commercial bank account takeovers that apparently started in late 2008.
Computer hackers successfully impersonated me to TD Bank’s online banking system and made $164,000 in fraudulent wire transfers out of my company’s account in a matter of minutes.
When I discovered the fraudulent transfers I notified TD Bank immediately. They said that they were not responsible, and that the fraud was “not related to any breach on their part.”
I had never made a single electronic payment from this account – much less $164,000 in a day. Yet TD Bank did not notify me of any unusual activity. The money was never recovered.
A little-known fact: Most business, government and nonprofit bank accounts do not enjoy FDIC protection as do you and I as individuals. Had this account been a consumer account rather than a business account, TD Bank would have been forced to make good on the fraud losses it failed to prevent.
When an outside intruder hacks into an online corporate banking account and diverts funds away from an unsuspecting business, a Corporate Account Takeover (CAT) occurs.
Security experts who examined my computer told me that the hackers probably acquired my username and password by planting a virus on my computer.
Unfortunately, cyber-theft is still rampant and CAT is a real and ongoing threat to businesses, governments and nonprofits of all sizes who engage in online banking.
A recent CAT victim, TRC Operating Company, a small independent oil producer in Taft, Calif., consciously chose to maintain banking accounts at a local financial institution, United Security Bank of Fresno (USB).
That changed when, over a period of five days, 12 fraudulent wires (totaling $3.45 million) were wrongfully processed through TRC’s accounts at USB in November 2011. Ultimately, despite efforts to claw back all the money from Ukrainian cyber-thieves, $299,600.00 went missing from TRC’s accounts. USB – which also has a branch in Redlands – denied liability despite numerous “red-flag” indicators that wire transfers were fraudulent. Sound familiar?
Infuriated by treatment they received from USB, TRC hired a lawyer to negotiate the recovery of their missing money. When USB refused to budge, TRC was forced to file a lawsuit against USB on principle, knowing the law made it impractical to recover much more than $299,600.
In California, after a business is hit with CAT, one of its only options to recover missing funds is to sue its bank under the California Commercial Code, which enables a business to recover only the missing amount, plus interest.
In May 2012, TRC filed a complaint for damages in Kern County Superior Court alleging that USB failed to offer a “commercially reasonable” security procedure to protect TRC’s funds and that USB failed to process the fraudulent wire transfers in “good faith.” Nearly two years after litigation began, USB agreed to pay $350,000 to TRC for its losses.
Most of us have antivirus software on our computer and mine is updated regularly, but the FDIC and others have said publicly that commercial antivirus software is not capable of detecting many of these threats. Thus, until the day I was robbed, I had no way to know that my computer was infected.
I am a businesswoman, not a computer security expert. I presumed that when TD Bank accepted my deposit, they were guaranteeing to do everything in their power to keep it safe. Little did I know, the money would have been safer under my pillow.
In much the same way USB treated TRC, TD Bank failed to institute any meaningful security measures to protect my account from unauthorized access – until it was too late.
Only when banks like TD Bank and United Security Bank of Fresno are required by law to reimburse commercial depositors for losses from preventable cyber-theft will they institute the security measures necessary to protect your money.
Karen McCarthy is a small businesswoman and the volunteer President of The Cyber Looting Awareness & Security Project (www.clasproject.org) lobbying Congress to extend Federal Reserve Regulation E to cover commercial accounts. Learn more at www.yourmoneyisnotsafeinthebank.org.