Church Latest Victim of ACH Fraud

Diocese of Des Moines Loses $600,000 to Fraudsters
Over a weekend in August, the Catholic Diocese of Des Moines, Iowa, fell victim to a $600,000 ACH fraud theft, becoming another in the growing list of businesses and entities that have suffered huge losses as a result of these crimes.

The church says it was victimized by criminals who illegally obtained its banking information in order to transfer funds to numerous "money mule" recipients across the United States on Aug. 13 and 16.

The diocese's loss is but the latest of many such incidents to have hit the nation's businesses and government entities over the past year. The Federal Bureau of Investigation estimates that 205 separate businesses have reported incidents of corporate account take-over since 2004 -- the bulk of them in the past year, with estimated fraud losses topping $40 million.

The increasing trend for criminals attacking mid-level targets is disturbing, but expected, says Chris Roberts, managing director at One World Labs, who has seen similar attacks recently in his investigations. "[The victims] don't have the same level of scrutiny that the major organizations go through, and they are less protected, less aware of the dangers."

How Diocese Theft Happened

Anne Marie Cox, spokeswoman for the Diocese of Des Moines, says the church was informed of the theft by Bankers Trust of Des Moines on the morning of Aug. 17. The bank shut down all relevant bank accounts. Cox says the diocese instructed the bank to start the process of recovering funds, where possible. To date, approximately $180,000 has been recovered, Cox says. How the criminals got the diocese's banking credentials is still not fully known.

As the diocese was alerted, the FBI and Treasury Department were both notified, says Cox. The FBI started its investigation and took several computers from the diocese for forensic evaluation.

Cox says the diocese's insurance carrier and lawyer also have been notified of the crime. According to Cox, law enforcement officials say the diocese "seems to have been the victim of a highly sophisticated operation, most likely based overseas, which engages participation of individuals who unknowingly act as intermediaries of the funds obtained by theft."

At this point, none of the staff is suspected of being involved in the incident. "While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant," says Bishop Richard Pates, the Bishop of Des Moines. The Diocese of Des Moines has banked with Bankers Trust for more than 27 years.

In a prepared statement, Bankers Trust says it takes security very seriously, and its systems are federally regulated, tested and approved. The bank says its Internet system was not breached and "continues to be secure."

Common Themes

The diocese is the latest victim in a spree of corporate account take-over incidents, including:

  • Hillary Machinery vs. PlainsCapital Bank -- the recently settled case in which a bank sued its own customer;
  • Experi-Metal Inc. vs. Comerica Bank -- the case headed to trial of a customer suing its bank over fraud losses;
  • PATCO vs. Peoples Bank -- one of the more recent cases to emerge nationwide, impacting banks and businesses of all sizes;
  • Village View Escrow -- a case in California caused when Professional Business Bank's e-mail verification service was disabled by cybercriminals;
  • Hi-Line Supply -- a business telephone equipment company in Rockwall, Texas, is in court trying to force Community Bank Inc. to settle a liability claim for $50,000 over an alleged incident of corporate account take-over.

Every business is a target in the ACH fraud realm, says Roberts of One World Labs. He's dealt with property management companies that were hit in the same way. "These companies had their cash taken directly out of their accounts, all nicely removed 'above board' through wire transfers."

The last case Roberts dealt with traced the inbound connections from both China and Turkey. The criminals ultimately took both the money and the client information to Estonia, Germany and China.

Gartner security analyst Avivah Litan says this latest attack against the church just demonstrates that the fraudsters clearly have the upper-hand and are resorting to all sorts of devious social engineering schemes in order to successfully loot bank accounts.

The response by law enforcement and regulators is sorely lacking, Litan says. "Certainly, there are competent, dedicated individuals among them, but they are not getting anywhere near the priority attention and resources they need to beat this thing," she says. "And until they do, the looting will continue to escalate."

Roberts says that the fight against the ACH fraudsters has been less than stellar. "I'm going to say that we are not very good at the moment, given this 'looked' like a series of somewhat legitimate (although thankfully someone at the bank appeared to be awake) transfers, which don't often raise suspicion."

Litan's advice for businesses and other entities: "Bank with a bank that refunds all stolen money due to unauthorized access."

Layered Defense

This latest incident comes just as a working group of the Financial Services Information Sharing and Analysis Center prepares to release best practices for institutions and their customers to help fight corporate account take-over. Meanwhile, Bill Nelson, president and CEO of FS-ISAC, recommends an integrated layered defense strategy that includes the following risk control measures:

  • Initiate ACH and wire transfer payments under dual controls;
  • Online commercial banking customers should execute all online banking activities from a dedicated, stand-alone and completely locked-down computer system from where e-mail and Web browsing are not possible;
  • Limit administrative rights on users' workstations to prevent inadvertent downloading of malware;
  • Reconcile all banking transactions on a daily basis;
  • Implement appropriate fraud detection and mitigation best practices, including transaction risk profiling/predictive analytics;
  • Use manual or automated out-of-band authentication systems in concert with fraud detection systems. Such OOB solutions may include manual client callback, or automated solutions such as SMS/text messaging, interactive voice-response-system callback to a known phone number with a PIN code, and similar methods.

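Three of the controls above (dual control on ACH release, transaction risk profiling at both the payment and the batch level, and daily reconciliation against the company's own ledger) can be expressed as a small review routine. The code below is an added illustration written for this page; it is not software from FS-ISAC, Bankers Trust or any bank, and every payee, payment, threshold and user id in it is constructed sample data. The batch-level check is the part a per-transaction rule misses: a fan-out of first-time payees across several states, submitted after hours, is the money-mule pattern described in the article even when each individual amount looks ordinary.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AchPayment:
    """One ACH/wire item as it sits in the release queue (constructed schema)."""
    payment_id: str
    payee: str
    payee_state: str
    amount: float
    submitted: datetime
    initiator: str                                  # user who keyed the payment
    approvals: list = field(default_factory=list)   # user ids that approved release


def dual_control_ok(p: AchPayment) -> bool:
    """Dual control: release needs two distinct approvers, neither of them the initiator."""
    approvers = {a for a in p.approvals if a != p.initiator}
    return len(approvers) >= 2


def payment_flags(p: AchPayment, known_payees: set, business_hours=(8, 18),
                  new_payee_limit=5000.0) -> list:
    """Per-payment risk profiling; every flag is a reason to confirm out of band."""
    flags = []
    if p.payee not in known_payees:
        flags.append("new payee")
        if p.amount > new_payee_limit:
            flags.append("large amount to new payee")
    if p.submitted.weekday() >= 5:
        flags.append("weekend submission")
    if not (business_hours[0] <= p.submitted.hour < business_hours[1]):
        flags.append("outside business hours")
    return flags


def batch_flags(batch: list, known_payees: set, max_new_payees=3, max_states=3) -> list:
    """Batch-level profiling: many first-time payees spread across many states."""
    new = [p for p in batch if p.payee not in known_payees]
    states = {p.payee_state for p in new}
    flags = []
    if len(new) > max_new_payees:
        flags.append(f"{len(new)} new payees in one batch")
    if len(states) > max_states:
        flags.append(f"new payees span {len(states)} states")
    return flags


def review_batch(batch: list, known_payees: set) -> dict:
    """Return {payment_id: [reasons]} for every item that must be held, not released."""
    hold = {}
    for p in batch:
        reasons = []
        if not dual_control_ok(p):
            reasons.append("missing dual control")
        reasons.extend(payment_flags(p, known_payees))
        if reasons:
            hold[p.payment_id] = reasons
    # A batch-level flag attaches to each first-time payee in the batch.
    for flag in batch_flags(batch, known_payees):
        for p in batch:
            if p.payee not in known_payees:
                hold.setdefault(p.payment_id, []).append(flag)
    return hold


def reconcile(ledger_ids, bank_posted_ids) -> dict:
    """Daily reconciliation: items the bank posted that the ledger never authorized
    are recall candidates; items authorized but not yet posted need follow-up."""
    ledger, bank = set(ledger_ids), set(bank_posted_ids)
    return {"unauthorized": sorted(bank - ledger), "unposted": sorted(ledger - bank)}


# Constructed sample data (not real payees, people or transactions).
KNOWN_PAYEES = {"Parish Supply Co", "Diocesan Payroll"}
FRIDAY_NIGHT = datetime(2010, 8, 13, 22, 30)   # a Friday evening, after business hours
SAMPLE_BATCH = [
    AchPayment("P1", "Diocesan Payroll", "IA", 42000.0, datetime(2010, 8, 13, 10, 0),
               "clerk1", ["cfo", "controller"]),
    AchPayment("P2", "J. Doe", "FL", 8900.0, FRIDAY_NIGHT, "clerk1", ["clerk1"]),
    AchPayment("P3", "R. Roe", "TX", 9400.0, FRIDAY_NIGHT, "clerk1", []),
    AchPayment("P4", "S. Poe", "CA", 9100.0, FRIDAY_NIGHT, "clerk1", []),
    AchPayment("P5", "T. Moe", "NY", 8700.0, FRIDAY_NIGHT, "clerk1", []),
]

if __name__ == "__main__":
    for pid, reasons in review_batch(SAMPLE_BATCH, KNOWN_PAYEES).items():
        print(pid, "HELD:", "; ".join(reasons))
    # Ledger authorized only P1, but the bank shows P2 and P3 posted as well.
    print(reconcile(["P1"], ["P1", "P2", "P3"]))
```

In the sample batch the payroll item clears every check and is released, while the four first-time payees are held on dual control, amount, timing and the batch fan-out, and the reconciliation step surfaces the two postings the ledger never authorized, which is exactly the list a company needs in hand when it asks its bank to begin recalls.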
In terms of determining the cause of these attacks and to ensure that they have been completely wiped off their network, Nelson says, "Companies should hire an independent forensics company to perform that evaluation. Relying on just law enforcement for that forensics evaluation is not sufficient."

Nelson also recommends that all companies subscribe to positive pay services to protect their checks from being counterfeited by cybercriminals. A new attack vector is now being seen that exploits remote deposit capture services and vendors, "and this could increase check fraud at business accounts," Nelson says.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.