When cyberfraud isn't covered by banks

[IIOY]

More on one of my favorite topics.  I had to bold a portion of this because it manages to be simultaneously horrifying and not surprising. From NPR:

Cyber thieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole.



Dr. David Krier's Volunteer Voyages is one of the victims. Krier says he lost over $14,000 through fraudulent withdrawals from his business account, and he says his bank "refused to cover any of my losses."



Individuals are pretty well protected when it comes to fraudulent transfers from their bank accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. That's not the case for small businesses, even if they're owned by a single person, like Volunteer Voyages.



Krier's company, in Wilsonville, Ore., leads volunteer trips to developing countries for humanitarian projects. After he returned from a trip to Peru in 2013 his bookkeeper told him his bank account was overdrawn. Krier says he told her, "Well, that has to be nonsense because there's thousands of dollars in there."



It turned out a cyber crook had commandeered the debit card he used to cover the costs of foreign trips. Krier expected that his bank would reimburse him.



At first, he says the staff at the local bank said, "Not a problem". But later, Krier says that bank told him, "It's a business account so you're out of luck."



That's despite the fact that Krier had, in advance, given the bank the dates of his trip to Peru, and the fraudulent withdrawals occurred after his return date, but the bank didn't notify him. Krier says he considered suing West Coast Bank, but was advised he'd spend much more on legal fees than he'd recover. West Coast Bank was later bought by another bank.


For Stuart Rolfe, a Seattle businessman, the stakes were much higher and the scam much more sophisticated. Cyber thieves hacked his e-mail account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China.



He was stunned. "Any time you have a theft, certainly one of this dollar amount, it is shocking and very disturbing," he says.



Rolfe's firm, Wright Hotels, invests in and develops hotel properties. (In the interest of full disclosure, Rolfe and his wife have made substantial contributions to NPR.)



Rolfe says one of the most unsettling things was realizing that once the cyber thieves had accessed his e-mail, they had vast and intimate knowledge of his life and business practices.



"They knew exactly how I had communicated with our bookkeeper," he says. "They knew exactly what kinds of things that I said" in e-mails to her authorizing transfers. He made another disturbing discovery: When he looked back at the transfers, he found that when they were authorized he always seemed to be in business meetings.



That's because the thieves also had access to his Outlook calendar. It meant the cyber crooks could safely impersonate Rolfe and write e-mails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from Rolfe's bookkeeper and then delete all those communications from the account before Rolfe returned from his meetings and checked his e-mail again.



The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past 2 years. Their losses total nearly $800 million.



In Rolfe's case, the scam went on for several weeks before he discovered it. Since the transfers were fraudulent, he says he requested and fully expected reimbursement from his bank, JPMorgan.


"The response was that they were terribly sorry for our loss, but that they could not accept any responsibility nor offer any reimbursement to us for the loss," he says.



JPMorgan declined to be interviewed but provided a written response saying it regrets Rolfe's loss. The bank said it had followed exactly the procedure Rolfe had agreed to for transferring funds.



Rolfe says the bank should be held liable because the size, frequency and destination of the fraudulent transfers were completely out of character for his account.



"There should have been 15 or 20 different red flags that would have gone up in our account if the bank had been paying any attention to these requests," Rolfe says. He argues there's a flaw in the legal system if banks are not responsible for providing that type of protection.



The law does require banks, under the Uniform Commercial Code, to offer business customers a "commercially reasonable" security protocol. If the bank follows that protocol it can refuse to reimburse businesses that are victims of fraudulent money transfers.



Mark Patterson is now very familiar with the rules. A few years ago his company, PATCO Construction, based in Sanford, Maine, was the victim of cyber fraud. He described it in detail as he inspected work on some townhouses his company is building in Kennebunk, Maine.



He said that over consecutive nights, about $100,000 a night was taken out of PATCO's checking account. By the time his chief financial officer discovered it, Patterson says, "we were down about $545,000."



Patterson thought his bank, Ocean Bank, would reimburse him. It refused and he sued. Patterson says the bank threw a huge amount of resources at the case. He says he discovered in mediation that the bank had spent "in excess of $1.2 million fighting this, when we offered to settle this for $200,000."



PATCO lost the first round but won on appeal when a panel of judges concluded Ocean Bank's security had not been commercially reasonable.



Patterson believes the law should be changed to make banks shoulder more responsibility for cybercrime losses at small businesses.



Stuart Rolfe agrees. "I think it's as simple as saying that banks are in the best position to be able to provide this type of protection," he says.


Doug Johnson, a senior vice president who oversees cybersecurity policy at the American Bankers Association, rejects the idea that banks should bear greater responsibility.



"If we gave small businesses that now have to abide by the Uniform Commercial Code those additional protections, then what we do is we take away some of the incentives that they have to have the proper levels of security within their organizations," Johnson says.



Mark Patterson says that logic runs both ways. "Let's just say they don't necessarily put the same amount of effort in if it's your nickel that might be lost," he says.



Patterson has been to Washington several times to try to convince members of Congress to shift more responsibility to the banks in these cyber fraud cases. He says he hasn't had any luck.



Johnson says the best way forward is for banks to inform their customers about the dangers they face so they can work together to beat the bad guys. He offers these tips to businesses: educate your employees, change passwords often, require two-person approval for fund transfers and dedicate a single computer to be used only for financial transactions.

[ttt]

I knew that business credit cards were exempt from all the new requirements but I had no idea that business bank accounts were treated so differently than consumer accounts.

For all the talk about how great small businesses are rah rah, both parties are actually pretty crappy to small businesses. It's not something that's really on D's radars, and R's only actually care about big businesses. Everyone likes to give lip service to small businesses, but when it comes to things that actually help them, nobody is willing to do it.

Tangential rant: though people love to complain about the federal government and burdensome taxes and regulations, IME, the most burdensome regulations and taxes come at the state and local level. I could not believe how much it cost in licenses and fees and all that crap just to set up a small business. It's ridiculous.

[IIOY]

Sept 15, 2015 7:33:49 GMT -5 ttt said:

I could not believe how much it cost in licenses and fees and all that crap just to set up a small business. It's ridiculous.

I know we've discussed this a thousand times on here, but just yesterday I read an article detailing how licenses and fees prevent beauty school graduates from doing well for themselves.  They have to pay for a very expensive education to enable them to qualify for licenses to begin with, and then pay through the nose for those licenses.  The average beauty school grad makes something like $25,000/year but has a boatload of student loan debt.

[ttt]

Sept 15, 2015 7:39:50 GMT -5 IIOY said:

Sept 15, 2015 7:33:49 GMT -5 ttt said:

I could not believe how much it cost in licenses and fees and all that crap just to set up a small business. It's ridiculous.

I know we've discussed this a thousand times on here, but just yesterday I read an article detailing how licenses and fees prevent beauty school graduates from doing well for themselves.  They have to pay for a very expensive education to enable them to qualify for licenses to begin with, and then pay through the nose for those licenses.  The average beauty school grad makes something like $25,000/year but has a boatload of student loan debt.

I posted an article a while ago about how this could be some common economic ground between Rs and Ds - reducing the amount of fees and licensing requirements and such for professions like cosmetology. Rs like reducing requirements on businesses and Ds like that it eases the burden on low-income workers who are working independently. Do you really need 80 hours of continuing education every year to do manicures? 

The article didn't get any traction at the time but maybe I'll repost. 

[ttt]

Here's the article: www.vox.com/2015/7/28/9052179/cea-report-occupational-licensing

[IIOY]

Sept 15, 2015 7:45:56 GMT -5 ttt said:

Sept 15, 2015 7:39:50 GMT -5 IIOY said:

I know we've discussed this a thousand times on here, but just yesterday I read an article detailing how licenses and fees prevent beauty school graduates from doing well for themselves.  They have to pay for a very expensive education to enable them to qualify for licenses to begin with, and then pay through the nose for those licenses.  The average beauty school grad makes something like $25,000/year but has a boatload of student loan debt.

I posted an article a while ago about how this could be some common economic ground between Rs and Ds - reducing the amount of fees and licensing requirements and such for professions like cosmetology. Rs like reducing requirements on businesses and Ds like that it eases the burden on low-income workers who are working independently. Do you really need 80 hours of continuing education every year to do manicures? 

The article didn't get any traction at the time but maybe I'll repost. 

I have to pay $70/year just to maintain an inactive law license in PA.  Inactive, meaning I can't do a single thing with it unless I revert back to active, take three years' worth of CLEs, and pay a steep fee. 

[ttt]

Sept 15, 2015 7:52:22 GMT -5 IIOY said:

Sept 15, 2015 7:45:56 GMT -5 ttt said:

I posted an article a while ago about how this could be some common economic ground between Rs and Ds - reducing the amount of fees and licensing requirements and such for professions like cosmetology. Rs like reducing requirements on businesses and Ds like that it eases the burden on low-income workers who are working independently. Do you really need 80 hours of continuing education every year to do manicures? 

The article didn't get any traction at the time but maybe I'll repost. 

I have to pay $70/year just to maintain an inactive law license in PA.  Inactive, meaning I can't do a single thing with it unless I revert back to active, take three years' worth of CLEs, and pay a steep fee. 

That is utterly absurd. 

H went on an epic, days-long rant about the CE requirements for private investigators in Georgia. You can go up to the probate court and get a license to carry a gun concealed with zero training, zero experience, zero proof that you have the slightest business carrying a weapon, but you can't go up to people with court papers and say "you've been served" unless you've gone through extensive 'training' and classes and passed a test and then take yearly classes about the right way to hand people papers. 

[Cicero]

Sept 15, 2015 7:45:56 GMT -5 ttt said:

Sept 15, 2015 7:39:50 GMT -5 IIOY said:

I know we've discussed this a thousand times on here, but just yesterday I read an article detailing how licenses and fees prevent beauty school graduates from doing well for themselves.  They have to pay for a very expensive education to enable them to qualify for licenses to begin with, and then pay through the nose for those licenses.  The average beauty school grad makes something like $25,000/year but has a boatload of student loan debt.

I posted an article a while ago about how this could be some common economic ground between Rs and Ds - reducing the amount of fees and licensing requirements and such for professions like cosmetology. Rs like reducing requirements on businesses and Ds like that it eases the burden on low-income workers who are working independently. Do you really need 80 hours of continuing education every year to do manicures? 

The article didn't get any traction at the time but maybe I'll repost. 

Please do. I don't know why a cosmetologist should need continuing education hours to remain livensed when I as a lawyer do not (in 50% of the state's where I am fully licensed).

[pescalita]

Even for individual accounts, the bank rarely ends up footing the bill - they get it back from the merchant unless it's cash.