A community bank based in the Midwest recently intercepted an elaborate ACH fraud scheme involving unwitting mules and multiple financial institutions. With $1B in assets and eight branches, this bank's case proves sophisticated fraudsters aren't solely targeting the nation's largest institutions, and banks of all sizes should consider additional fraud prevention strategies to counter today's evolving threats.

Founded in the early 1900s, this community bank (let's call it "CB" for short) knows that customer trust and its reputable brand must be actively guarded against cybercrime. Accordingly, it takes a proactive approach to cooperating with anti-fraud teams at other banks and federal law enforcement to aid criminal investigations. However, this case provides two lessons: all financial institutions - and their customers - should closely monitor online account activity and not rely entirely on multiple layers of authentication to protect them, and catching suspicious online access early prevents fraud from materializing later in other channels.

The victim in this case was nonprofit organization that was a small business customer. Most likely using key logging malware, the fraudster(s) obtained the online account credentials of a fully authorized individual from the nonprofit. CB has three layers of online banking security that all failed: username/password, a challenge question, and the customer's unique PIN are required to execute transactions. On the first day of the compromise, session logs revealed the fraudster got oriented and tested privileges - looking at account balances, transaction history, and even modifying a pending ACH transaction. If this unusual account reconnaissance activity had been flagged, that might have been the end of the attack, but it wasn't.

The next day, the fraudsters executed an ACH batch file containing 16 separate debit transfers - each less than $9,000 to stay undetected - for a total withdrawal of $142,000. The transfers were sent to accounts at eight banks, all larger institutions, in states throughout the U.S. The post-event investigation utilized IP geolocation tools to uncover nearly simultaneous fraudulent access to the compromised account from Oklahoma and Ohio - again unusual for the account holder.

Here's where this case gets interesting: Recipient account owners were unwitting mules who thought they had been hired via the Internet to do legitimate jobs. One thought she had been hired by a firm providing a moving allowance for her relocation out of state; the other thought he was employed by an insurance company based in Switzerland. Mules were instructed to empty the funds from their accounts the day they arrived, to use Western Union to send the money to (bogus) beneficiaries at locations in Texas and Florida, but to keep 5 percent of the amount as "commission." Many of the mule accounts were new and had been opened online.

Investigators obtained the phony "employee manual" that the criminals provided to mules. One look reveals the level of sophistication of this scam as well as the great lengths taken to recruit and train unwitting participants. The manual explains that Prime Insurance, a firm based in Switzerland, is encountering "business and strategic obstacles" to being able to operate in the U.S. The mules are called "regional clerks" who help the company by distributing "reimbursements to policy holders" via wire transfer. Mules are "under evaluation" for two months before being offered "full employment," perhaps allowing for rapid turnover.

In this case, the victimized nonprofit had opted in to CB's online banking alerting feature for debit activity, so an e-mail was triggered automatically. Unfortunately it was not read immediately, so the funds were already gone. CB scrambled to execute an ACH reversal file that same day. Quick action, luck and direct follow up with the eight receiving institutions resulted in blocking 12 out of the 16 transfers. Two of the fraudster's mules were actually in their banks at the time trying to withdraw the funds, but were intercepted.

Ultimately, the customer realized a $35,000 loss, not insignificant for a nonprofit and it sought to prosecute the mules for their part in the scheme. To avoid CB's fate, and any potential damage to customer retention resulting from cases like this, follow these guidelines:

1. Bolster online account security measures. As implemented, CB's login, challenge and PIN layers essentially amounted to three passwords easily compromised. Thresholds for challenges were based on simple geolocation rules that didn't trigger with the domestic access. Device ID cookies were subverted. Monitoring online accounts for suspicious behavior after the login is a best practice for complementing authentication technologies.

2. Don't wait for actual transactions to detect fraudulent activity. Account reconnaissance occurred a day before the crime and the entire scheme could have been shut down immediately if detected. Today's behavior-based account monitoring technologies can detect benign-looking reconnaissance activities that don't involve financial transactions.

3. Beware of new retail accounts created online that immediately start moving large amounts of money. Cooperate and collaborate with peers on known and suspected mules, who should be tracked. Mules often handle multiple fraudulent transactions at multiple institutions, and can flip from victim to criminal if they suddenly keep stolen funds for themselves.


Craig Priess is founder and vp of marketing at Guardian Analytics.


For more Perspectives columns, visit www.americanbanker.com/btn

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.