Watch your bank account!

[Celeste 341]

Nation's Building News

The Official Online Newspaper of NAHB

Cyber Thieves Targeting Home Building Firms, Other Small Businesses

At a time when cyber thieves are increasingly targeting small- and medium-sized businesses, including home building firms, NAHB is urging its members to monitor their bank accounts closely and on a regular basis. Members should also review and understand the agreements they have with their financial institutions and know when they may be liable for fraudulent online banking activities.

A common criminal activity is tapping into a firm’s online banking system and transferring funds from its accounts.

Patco Construction Co. Inc., a Maine-based construction firm, was the victim of a major heist when its corporate bank account was raided over a one-week period in May of 2009. Cyber thieves gained access to the company’s online banking credentials and initiated a series of automated clearing house (ACH) transactions, netting the thieves more than $500,000 in fraudulent transfers. While the business was ultimately able to collect about $230,000 of the stolen funds, it was left on the hook for more than $345,000.

ACH transactions are electronic checks that are processed like paper checks, and they do not travel directly from one bank to another. It typically takes one or two days to credit and deduct amounts at the originating and paying banks.

When Patco was unable to work out a satisfactory resolution with its bank to recover its lost funds, the company then filed a lawsuit against its financial institution, Ocean Bank, a division of People’s United Bank of Bridgeport, Conn., for failing to protect its customers’ funds against theft.

“We want to get the word out to the home building community that cyber fraud is a growing threat and any business could fall victim to what happened to us,” said Mark Patterson, president of Patco Construction. “There needs to be a legislative solution so that firms can obtain similar legal protections that consumers enjoy, so that they won’t be forced to absorb losses when their online banking credentials are hijacked by cyber thieves.”

Most consumers who dispute any fraudulent charges on their bank account can generally receive a full refund if they notify their bank within 60 days of receiving their bank statement. However, businesses are not afforded the same legal protections, and have a much shorter time frame to detect and report any fraudulent activity if they hope to recover unauthorized transfers from their account. The problem is that it can sometimes take days or weeks to discover if any unauthorized transactions have taken place. And even if the theft is discovered promptly, there is no guarantee that the firm will be able to recover all or any of the fraudulent transfers.

Patco’s litigation case was featured last fall in a story in The Washington Post.

The company’s lawsuit claims that Ocean Bank did not detect and prevent the fraudulent transfers even though they were the largest ACH credit transfers ever made from Patco’s account; originated from an Internet protocol address that Patco never used; and sent funds to numerous individual accounts to which Patco never before had transferred funds. In addition, because Patco’s available funds in its account did not cover the fraudulent transfers, the bank drew more than $200,000 on the company’s line of credit to make up for the shortfall and then called on Patco to repay interest on the tapped credit line.

Small businesses tend to have fewer technical and financial resources to protect their computer systems against hackers. To help ward off attacks from cyber thieves, companies that use Microsoft Corp's Internet Explorer browser may want to consider using IE 8, which contains the most-up-to-date security features to guard against attack. Firms need to stay current with software patches and use the most current firewalls, virus protection and spyware removal software.

To protect accounts, it is recommended that companies ask their banks to set up “dual controls” on their account, where one person initiates a payment file creation while another approves it for release. Limiting administrative rights on users’ workstations will also help avoid the unintended downloading of “malware” — malicious software designed to infiltrate or damage a computer system — or other viruses.

Experts also say that companies should check their bank balances and scheduled payments at the end of every work day, rather than the beginning, and contact their bank immediately if they detect any discrepancies.

Additionally, companies are encouraged to review and understand their agreements with their financial institutions to know what rights they have in the case of cyber theft. Businesses should also urge their banks to provide the latest in online fraud protection and also consider adding insurance coverage to protect against fraud losses.

Builders seeking more information on defending against online bank fraud and on how to proceed if they fall victim, can contact Mark Patterson at mark@patco.com.