UPPER CUMBERLAND – It only took a matter of minutes. More than a dozen transactions. And it was done. Just like that, one Upper Cumberland business found itself out $90,000 thanks to cyber thieves who successfully hacked an operations account.
Now, more than 60 days later, that business is still battling to recover its lost funds – and seems to have hit a brick wall when it comes to any type of investigation.
The attack occurred in February. Using the business’ own online credentials, hackers logged into an Automated Clearing House (ACH) account, which is used for electronic fund transfers like direct deposit payroll or repetitive bill-pay. And over the course of 15 credit creations, or payments to other financial institutions, most of them out of state, the money was siphoned away.
It’s likely some of the funds will never be recovered, business officials told the UCBJ. The business didn’t have any insurance that covers cyber fraud loss. And unlike unauthorized credit card charges, there’s no government-backed protection in this situation.
“Once (those funds) get out the door, they’re out the door. It’s like you gave them cash,” said an official with the targeted bank, who spoke on the condition of anonymity, since the case is ongoing. “The Internet calls them money mule schemes. I can try – and did try – to recall it, and if the (other) bank still has the money, they’ll return it. But they’re under no obligation to return the money if their customer has already walked out with it.”
Criminally, there seems to be little recourse as well. While the amount is enough to strap a lot of small UC businesses, possibly even closing their doors, it apparently fails to meet the threshold for serious investigation.
The FBI wouldn’t comment specifically on the case – or any case – but Agent Scott Ryan of the Cookeville office said there are general rules, be it fraud, robbery or theft, when it comes to the level of their involvement.
“There are a number of different of things that impact whether we can pursue it. Typically, the U.S. Attorney’s Office only pursues things when we’re talking about hundreds of thousands of dollars,” Ryan said. “A lot of times we see situations where someone’s lost $1,000 or a couple thousand dollars. Those are things we absolutely cannot pursue just because it’s so frequent, so common…that’s kind of the way we’ve had to prioritize things.”
Which is frustrating for both the business and the bank. Both have tried to gain traction with Ryan and others, they said, but have hit a dead end.
“We have this perception of the Federal Bureau of Investigation. And, sure enough, if our local branch were robbed at gunpoint, they would show up and do an investigation,” the bank official said. “I’m not saying they would arrest anyone; that’s a matter of chance. But they would at least show up and investigate. I guess that’s the most frustrating part.”
The bank is still actively working to recover the lost funds – and has implemented additional security measures to further protect their other ACH accounts. As of press time, a little more than half of the $90,000 had been put back. But the chance the business will recoup all its lost monies is slim. The banker said he has talked to others in the industry who have significantly beefed up fraud departments in response to similar fraud situations. It’s a growing concern, he added.
“For instance, we had more debit card fraud last year than we had loan loss. All our local competitors will probably tell you the same thing. That’s a paradigm change for us,” he said. “Cyber crime has really come to the forefront in the last 10 years. It’s not just banks. Everybody’s got networks, web servers now. We’re our own worst enemy because we have pushed everybody to the Internet.”
As for steps businesses can take for protection, Ryan said the FBI has different materials it distributes and presentations it can give. The organization urges virus scans be run prior to opening any e-mail attachments to provide an added layer of security against malware.
The FBI also recommends businesses use separate computer systems to conduct financial transactions. It’s also a good idea to review accounts regularly to quickly detect unauthorized activity.
The business in question, which also requested to remain anonymous, wanted to share its story to spread awareness. If it can happen to them, officials said, it can happen to anyone.
“It certainly does happen around here,” Ryan added.
“That’s the thing about cyber crime. It’s just as easy for someone overseas to steal something in the middle of nowhere Tennessee as it is in New York City, because of the Internet,” Ryan said. “It doesn’t matter where you’re located. They’re just looking for vulnerability.”