The FBI is opening new cases every week on average, the IC3 said. "As of October 2009, there has been approximately $100 million in attempted losses."
The NCFTA is tracking between $1 million and $1.5 million in losses each week to this type of fraud, according to Ron Plesco, the NCFTA's executive director. "That's just from the folks we deal with. We're thinking it's larger than that," he added.
Smaller banks are being hit with this fraud because, unlike the larger national banks, they tend to not have the controls in place to block fraudulent ACH transfers, Plesco said. "It's strategic targeting of what is perceived to be a weakness in controls, whether it's at the small corporation [or at] the small-to-medium bank level."
Banks are covering some ACH losses, but all too often it's the online customer who's left holding the bag.
Karen Earhart found out just how quickly money can vanish on the morning of Oct. 15. Earhart, the administrator of the Plainview Christian Academy in Plainview, Texas, arrived at work that Thursday morning to discover that $43,000 had been moved out of the school's bank account overnight via ACH transfers to eight accounts.
"The hackers added themselves to our payroll," she said. Some of the new payees were real people, but some were at newly opened bank accounts with fake "Russian"-sounding names. The names included words such as "gotcha," "skunk" and "prank," she said.
Typically, when new employees are added to the school's payroll, they must provide a voided check and fill out a payroll authorization form. Earhart was amazed that the hackers were able to add payees online without this documentation -- and that the bank was willing to pay them. "They were willing to send out $10,000 a pop to people who were not authorized to be on our payroll," she said.
Earhart contacted the school's bank immediately, and although it reversed most of the transactions, Plainview Academy is still out $16,000 from the fraud. That's a significant amount of money for a small school with an annual budget in the $1 million range, Earhart said.
Other victims have sued, saying their banks should never have authorized the fraudulent transfers. On July 9, the Western Beaver County School District sued ESB Bank, after criminals moved $704,610.35 out of the school's bank accounts over the 2008 Christmas holidays. Some of the money was recovered, but the Pennsylvania school district lost more than $441,000 at the end of the day.
Plainview has now bought a new laptop computer that it is using only for online banking -- no e-mail, no Web browsing. Earhart hopes that will be enough to prevent further fraud. "I don't know what else we can do beside hand out paper checks and use cash."
Sign up for Computerworld eNewsletters.