The company sues the bank for poor security

Sep 24, 2009 09:45 GMT

New cases of fraudulent banking transfers that affect companies and organizations across the U.S. continue to be uncovered. A new incident involves a Maine-based company called Patco Construction, whose account was emptied of over $500,000 by Eastern European cybercrooks.

The Washington Post reports that Patco's online banking credentials were stolen and then used to initiate batches of fraudulent transfers from its account to over thirty individuals with whom the company had never done business. A separate series of transfers was performed each day from May 7 until May 14, and the transfers totaled around $588,000.

The company successfully recovered $243,000, but is missing the rest, and the bank refuses to cover the loss. Under the law, business customers are treated differently from private persons when it comes to fraud. While regular consumers have 60 days to report fraudulent activity to their bank and will generally get reimbursed, businesses have only 24 hours to do so, with no guarantee that they will see their money back.

Financial institutions are, however, required by regulations to protect all of their customers' assets, business or otherwise, by enforcing "commercially reasonable security procedures." Patco feels that Ocean Bank failed to meet this obligation and filed a lawsuit against it in the York County Superior Court.

"The statute we deal with in Maine is very specific and mentions a whole host of factors that the bank needs to have in place, and in this case we don't think the bank had in place commercially reasonable security procedures," Daniel J. Mitchell, Patco's attorney, commented for Security Fix.

Reports about this complex type of fraud that targets small- and medium-sized U.S. businesses and public institutions have started piling up since the beginning of July. The scheme involves banking trojans, fraudulent transfers and unsuspecting people acting as money mules.

The cybercriminal gangs begin by infecting a computer belonging to an organization with a trojan that monitors online banking sessions and steals the login credentials. Separately, they create professional-looking websites and, posing as companies, send out bogus e-mails to unsuspecting people, offering them jobs that involve receiving and transferring funds to foreign employees or clients.

People who are tricked into accepting these fake jobs are actually used for laundering money obtained illegally and are referred to as "money mules." They are instructed to use their personal bank accounts or set up new ones in order to receive money and wire it out of the country, usually to Eastern Europe. Wire transfers are preferred because they cannot be reversed or traced.