Cyberthieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole.
Dr. David Krier's Volunteer Voyages is one of the victims. Krier says he lost over $14,000 through fraudulent withdrawals from his business account, and he says his bank "refused to cover any of my losses."
Individuals are pretty well-protected when it comes to fraudulent transfers from their bank accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. That's not the case for small businesses, even if they're owned by a single person, like Volunteer Voyages.
Krier's company, in Wilsonville, Ore., leads volunteer trips to developing countries for humanitarian projects. After he returned from a trip to Peru in 2013, his bookkeeper told him his bank account was overdrawn. Krier says he told her, "Well, that has to be nonsense because there's thousands of dollars in there."
It turned out a cyber crook had commandeered the debit card he used to cover the costs of foreign trips. Krier expected that his bank would reimburse him.
At first, he says, the staff at the local bank said, "Not a problem." But later, Krier says, that bank told him, "It's a business account, so you're out of luck."
That's despite the fact that Krier had, in advance, given the bank the dates of his trip to Peru, and the fraudulent withdrawals occurred after his return date, but the bank didn't notify him. Krier says he considered suing West Coast Bank, but was advised he'd spend much more on legal fees than he'd recover. West Coast Bank was later bought by another bank.
For Stuart Rolfe, a Seattle businessman, the stakes were much higher and the scam much more sophisticated. Cyberthieves hacked his email account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China.
He was stunned. "Any time you have a theft, certainly one of this dollar amount, it is shocking and very disturbing," he says.
Rolfe's firm, Wright Hotels, invests in and develops hotel properties. (In the interest of full disclosure, Rolfe and his wife have made substantial contributions to NPR.)
Rolfe says one of the most unsettling things was realizing that once the cyberthieves had accessed his email, they had vast and intimate knowledge of his life and business practices.
"They knew exactly how I had communicated with our bookkeeper," he says. "They knew exactly what kinds of things that I said" in emails to her authorizing transfers. He made another disturbing discovery: When he looked back at the transfers, he found that when they were authorized he always seemed to be in business meetings.
That's because the thieves also had access to his Outlook calendar. It meant the cyber crooks could safely impersonate Rolfe and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from Rolfe's bookkeeper and then delete all those communications from the account before Rolfe returned from his meetings and checked his email again.
The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past two years. Their losses total nearly $800 million.
In Rolfe's case, the scam went on for several weeks before he discovered it. Since the transfers were fraudulent, he says, he requested and fully expected reimbursement from his bank, JPMorgan.
"The response was that they were terribly sorry for our loss, but that they could not accept any responsibility nor offer any reimbursement to us for the loss," he says.
JPMorgan declined to be interviewed but provided a written response saying it regrets Rolfe's loss. The bank said it had followed exactly the procedure Rolfe had agreed to for transferring funds.
Rolfe says the bank should be held liable because the size, frequency and destination of the fraudulent transfers were completely out of character for his account.
"There should have been 15 or 20 different red flags that would have gone up in our account if the bank had been paying any attention to these requests," Rolfe says. He argues there's a flaw in the legal system if banks are not responsible for providing that type of protection.
The law does require banks, under the Uniform Commercial Code, to offer business customers a "commercially reasonable" security protocol. If the bank follows that protocol, it can refuse to reimburse businesses that are victims of fraudulent money transfers.
Mark Patterson is now very familiar with the rules. A few years ago, his company, PATCO Construction, based in Sanford, Maine, was the victim of cyber fraud. He described it in detail as he inspected work on some townhouses his company is building in Kennebunk, Maine.
He said that over consecutive nights, about $100,000 a night was taken out of PATCO's checking account. By the time his chief financial officer discovered it, Patterson says, "we were down about $545,000."
Patterson thought his bank, Ocean Bank, would reimburse him. It refused, and he sued. Patterson says the bank threw a huge amount of resources at the case. He says he discovered in mediation that the bank had spent "in excess of $1.2 million fighting this, when we offered to settle this for $200,000."
PATCO lost the first round but won on appeal when a panel of judges concluded Ocean Bank's security had not been commercially reasonable.
Patterson thinks the law should be changed to make banks shoulder more responsibility for cybercrime losses at small businesses.
Stuart Rolfe agrees. "I think it's as simple as saying that banks are in the best position to be able to provide this type of protection," he says.
Doug Johnson, a senior vice president who oversees cybersecurity policy at the American Bankers Association, rejects the idea that banks should bear greater responsibility.
"If we gave small businesses that now have to abide by the Uniform Commercial Code those additional protections, then what we do is we take away some of the incentives that they have to have the proper levels of security within their organizations," Johnson says.
Mark Patterson says that logic runs both ways. "Let's just say they don't necessarily put the same amount of effort in if it's your nickel that might be lost," he says.
Patterson has been to Washington several times to try to convince members of Congress to shift more responsibility to the banks in these cyber fraud cases. He says he hasn't had any luck.
Johnson says the best way forward is for banks to inform their customers about the dangers they face so they can work together to beat the bad guys. He offers these tips to businesses: educate your employees, change passwords often, require two-person approval for fund transfers, and dedicate a single computer to be used only for financial transactions.