Church Latest Victim of ACH FraudDiocese of Des Moines Loses $600,000 to Fraudsters
The church says it was victimized by criminals who illegally obtained its banking information in order to transfer funds to numerous "money mule" recipients across the United States on Aug. 13 and 16.
The Diocese is but the latest of many such incidents to have hit the nation's businesses and government entities over the past year. The Federal Bureau of Investigation estimates that 205 separate businesses have reported incidents of corporate account take-over since 2004 -- the bulk of them in the past year, with estimated fraud losses topping $40 million.
The increasing trend for criminals attacking mid-level targets is disturbing, but expected, says Chris Roberts, managing director at One World Labs, who has seen similar attacks recently in his investigations. "[The victims] don't have the same level of scrutiny that the major organizations go through, and they are less protected, less aware of the dangers."
How Diocese Theft HappenedAnne Marie Cox, spokeswoman for the Diocese of Des Moines, says the church was informed of the theft by Bankers Trust of Des Moines on the morning of Aug. 17. The bank shut down all relevant bank accounts. Cox says the diocese instructed the bank to start the process of recovering funds, where possible. To date, approximately $180,000 has been recovered, Cox says. How the criminals got the diocese's banking credentials is still not fully known.
As the diocese was alerted, the FBI and Treasury Department were both notified, says Cox. The FBI started its investigation and took several computers from the diocese for forensic evaluation.
Cox says the diocese's insurance carrier and lawyer also have been notified of the crime. Law enforcement officials say the diocese "seems to have been the victim of a highly sophisticated operation, most likely based overseas, which engages participation of individuals who unknowingly act as intermediaries of the funds obtained by theft," says Cox.
At this point, none of the staff is suspected of being involved in the incident. "While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant," says Bishop Richard Pates, the Bishop of Des Moines. The Diocese of Des Moines has banked with Bankers Trust for more than 27 years.
In a prepared statement, Bankers Trust says it takes security very seriously, and its systems are federally regulated, tested and approved. The bank says its Internet system was not breached and "continues to be secure."
Common ThemesThe diocese is the latest victim in a spree of corporate account take-over incidents, including:
- Hillary Machinery vs. PlainsCapital Bank -- the recently settled case in which a bank sued its own customer;
- Experi-Metal Inc. vs. Comerica Bank -- the case headed to trial of a customer suing its bank over fraud losses;
- PATCO vs. Peoples Bank -- one of the more recent cases to emerge nationwide, impacting banks and businesses of all sizes;
- Village View Escrow -- a case in California caused when Professional Business Bank's e-mail verification service was disabled by cybercriminals.
- Hi-Line Supply -- a business telephone equipment company in Rockwall, Texas, is in court trying to force Community Bank Inc. to settle a liability claim for $50,000 over an alleged incident of corporate account take-over.
Every business is a target in the ACH fraud realm, says Roberts of One World Labs. He's dealt with property management companies that were hit in the same way. "These companies had their cash taken directly out of their accounts, all nicely removed 'above board' through wire transfers."
The last case Roberts dealt with traced the inbound connections from both China and Turkey. The criminals ultimately took both the money and the client information to Estonia, Germany and China.
Gartner security analyst Avivah Litan says this latest attack against the church just demonstrates that the fraudsters clearly have the upper-hand and are resorting to all sorts of devious social engineering schemes in order to successfully loot bank accounts.
The response by law enforcement and regulators is sorely lacking, Litan says. "Certainly, there are competent, dedicated individuals among them, but they are not getting anywhere near the priority attention and resources they need to beat this thing," she says. "And until they do, the looting will continue to escalate." Roberts says that the fight against the ACH fraudsters has been less than stellar. "I'm going to say that we are not very good at the moment, given this 'looked' like a series of somewhat legitimate (although thankfully someone at the bank appeared to be awake) transfers, which don't often raise suspicion." Litan's advice for businesses and other entities: "Bank with a bank that refunds all stolen money due to unauthorized access."
Layered DefenseThis latest incident comes just as a working group of the Financial Services Information Sharing and Analysis Center prepares to release best practices for institutions and their customers to help fight corporate account take-over. Meanwhile, Bill Nelson, president and CEO of FS-ISAC, recommends an integrated layered defense strategy that includes the following risk control measures:
- Initiate ACH and wire transfer payments under dual controls;
- Online commercial banking customers should execute all online banking activities from a dedicated, stand-alone and completely locked-down computer system from where e-mail and Web browsing are not possible;
- Limit administrative rights on users' workstations to prevent inadvertent downloading of malware;
- Reconcile all banking transactions on a daily basis;
- Implement appropriate fraud detection and mitigation best practices, including transaction risk profiling/predictive analytics;
- Use manual or automated out-of-band authentication systems in concert with fraud detection systems. Such OOB solutions many include manual client callback or automated solutions SMS/text messaging, interactive voice-response-system callback to a known phone number with a PIN code, as well as similar solutions.
In terms of determining the cause of these attacks and to ensure that they have been completely wiped off their network, Nelson says, "Companies should hire an independent forensics company to perform that evaluation. Relying on just law enforcement for that forensics evaluation is not sufficient."
Nelson also recommends that all companies subscribe to positive pay services to protect their checks from being counterfeited by cybercriminals. A new attack vector now is being seen exploiting remote deposit capture services and vendors, "And this could increase check fraud at business accounts," Nelson says.