Pub. 9 2014-2015 Issue 6

Recently, a bank experienced significant losses due to fraudulent ACH transfers. The bank's employees logged off of their correspondent bank's ACH system at 5:00 pm. A few minutes later, a hacker took control of one of the bank's computers and logged back into the correspondent bank's ACH system. The hacker uploaded two ACH files totaling $600,000 with instructions to distribute the funds to over 100 recipients in 40 different banks. Then the hacker logged on as another bank employee and approved the ACH transactions. By 5:20 pm the hacker had logged off. Since the ACH files were sent from a bank computer and appeared to be approved by an authorized user, the correspondent bank processed the ACH files following the agreed security procedures.

Six days later, the bank found the two ACH transactions while reconciling its correspondent bank account. It was quickly determined that the bank computer had been hacked and that the crooks had created the fraudulent transactions, which were sent through the bank's computer to the correspondent bank. The bank attempted to reverse the ACH transactions. In most cases the recipient bank had already released the funds to a customer, so the transactions could not be reversed. Many of the recipients could not be found. The few who were found explained how their "new employer" had asked them to send out the money they received by MoneyGram or Western Union to people in other countries. They still believed their "new employer" was legitimate until they were told the money was actually stolen funds. The recipients had kept a $50 "bonus" from the funds and were expecting a salary paycheck at the end of the month. The contracts with the correspondent banks held the sending banks responsible for the fraudulent transactions because the correspondent banks had followed the agreed-upon security procedures.

Two other banks reported similar incidents within a two week period. These were small banks which relied upon their correspondent bank to process ACH transactions.

As a sending bank, your bank should make certain that security procedures are in place to ensure transactions with your correspondent bank are safe. The first change each of these banks made to prevent a repeat of this scenario was to alter the agreed-upon security procedures with the correspondent bank. Now the correspondent bank will not process any ACH transactions until it has called a particular person at the sending bank and verbally verified that the transaction is legitimate. A call back to a verified phone number before processing wire transfers or ACH requests received by fax, e-mail or through internet banking is still one of the best controls available today.

The second change one bank made was to purchase a new computer and remove almost all of the software from it. They eliminated all e-mail functions and set the web browser to access only the correspondent bank system. ACH files are moved to this computer via flash drive, and the computer is used only to communicate with the correspondent bank for ACH and wire transfers. While not impossible, the chances of this computer being infected by a virus or spyware are much lower.

Banks should consider implementing both the requirement that their correspondent bank perform a verbal call back and a dedicated computer that is used only to send the bank's wire and ACH transactions to its correspondent bank. Implementation of these controls may prevent the financial loss and the multiple headaches from a large, fraudulent transaction.

- 60% of organizations were exposed to actual or attempted fraud in 2013.
- 19% of organizations that were exposed to at least one ACH fraud attempt in 2013 suffered a financial loss as a result.
(2014 AFP Payments Fraud and Control Survey)

Visit this link for more information on how the money leaves the US instantly: http://tinyurl.com/kbsbywordsupplement.

by: Charles M. Towle
SECURITY OFFICER'S BY-WORD, KBS Blue Sheet
Call KBS (785) 228-0000 to discuss this article and other loss prevention topics or products to help protect your bottom line.
Connect with us on social media: twitter.com/kbsforbanks linkedin.com/company/kbsforbanks
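The incident turns on a detail worth making explicit: the ACH system's dual control (one employee submits, a second approves) was satisfied on paper, but both sessions came from the same compromised workstation, minutes after the day's logoff. A sending bank that keeps its own ACH audit log can screen for exactly that pattern before the call-back step. The following Python script is an added example, not code from the article or from KBS; the log format, field names, user and workstation names, the 5:00 pm cutoff and the batch-size thresholds are constructed assumptions that would have to be adapted to the bank's real ACH system and normal volumes.

```python
"""Detection rule for the ACH fraud pattern described in the article.

Added example, not code from the article or from KBS. The audit-log format,
field names, workstation names, user names, thresholds and sample lines below
are all constructed assumptions: a real correspondent-bank ACH system will log
different fields, and the thresholds must be tuned to the bank's own volume.
"""
from datetime import datetime, time, timedelta

# Constructed audit log, one event per line:
# date time user workstation action batch amount recipients banks
# It mirrors the article's timeline: normal activity before 5:00 pm, a logoff at
# 5:00, a login a few minutes later from the same workstation, two large batches
# submitted and then approved under a second user's account, logoff by 5:20.
SAMPLE_LOG = """\
2014-03-03 16:45:10 jsmith WS-ACH01 SUBMIT  BATCH-1001 45200.00  12 5
2014-03-03 16:52:30 rjones WS-OPS02 APPROVE BATCH-1001 45200.00  12 5
2014-03-03 17:00:02 jsmith WS-ACH01 LOGOFF  -          -         -  -
2014-03-03 17:04:15 jsmith WS-ACH01 LOGIN   -          -         -  -
2014-03-03 17:06:40 jsmith WS-ACH01 SUBMIT  BATCH-1002 310000.00 55 22
2014-03-03 17:08:05 jsmith WS-ACH01 SUBMIT  BATCH-1003 290000.00 50 20
2014-03-03 17:12:20 rjones WS-ACH01 APPROVE BATCH-1002 310000.00 55 22
2014-03-03 17:13:00 rjones WS-ACH01 APPROVE BATCH-1003 290000.00 50 20
2014-03-03 17:20:00 rjones WS-ACH01 LOGOFF  -          -         -  -
"""

CUTOFF = time(17, 0)                    # end-of-day logoff time from the article (5:00 pm)
DUAL_CONTROL_WINDOW = timedelta(minutes=15)
MAX_RECIPIENTS = 40                     # assumed "normal batch" thresholds
MAX_BANKS = 10


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user, host, action, batch, amount, recips, banks = line.split()
        events.append({
            "ts": datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S"),
            "user": user, "host": host, "action": action, "batch": batch,
            "amount": 0.0 if amount == "-" else float(amount),
            "recipients": 0 if recips == "-" else int(recips),
            "banks": 0 if banks == "-" else int(banks),
        })
    return events


def find_alerts(events):
    """Return (rule, batch, detail) tuples for events that match the fraud pattern.

    Three rules, each aimed at one step of the incident:
      after-cutoff: any login, submit or approve once the day's logoff time has passed.
      unusual-batch: a batch fanning out to far more recipients or banks than normal.
      same-workstation-approval: the approver's session came from the same workstation
        as the submitter's, within a short window. The attacker used a second
        employee's credentials, so a same-user check alone would not fire; dual
        control only means something when the two sessions are independent.
    """
    alerts = []
    submits = {}                        # batch id -> SUBMIT event
    for e in events:
        if e["action"] in ("LOGIN", "SUBMIT", "APPROVE") and e["ts"].time() >= CUTOFF:
            alerts.append(("after-cutoff", e["batch"],
                           f"{e['action']} at {e['ts']:%H:%M} by {e['user']} on {e['host']}"))
        if e["action"] == "SUBMIT":
            submits[e["batch"]] = e
            if e["recipients"] > MAX_RECIPIENTS or e["banks"] > MAX_BANKS:
                alerts.append(("unusual-batch", e["batch"],
                               f"{e['recipients']} recipients across {e['banks']} banks, "
                               f"${e['amount']:,.2f}"))
        elif e["action"] == "APPROVE":
            s = submits.get(e["batch"])
            if s and s["host"] == e["host"] and e["ts"] - s["ts"] <= DUAL_CONTROL_WINDOW:
                minutes = (e["ts"] - s["ts"]).seconds // 60
                alerts.append(("same-workstation-approval", e["batch"],
                               f"submitted by {s['user']} and approved by {e['user']} "
                               f"from {e['host']} {minutes} min apart"))
    return alerts


def suspicious_batches(alerts):
    """Sorted batch ids that triggered at least one rule (session-only alerts excluded)."""
    return sorted({batch for _, batch, _ in alerts if batch != "-"})


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for rule, batch, detail in found:
        print(f"{rule:28s} {batch:11s} {detail}")
    print("hold for call-back verification:", suspicious_batches(found))
```

Run against the constructed log, the normal afternoon batch passes cleanly while the two $600,000 files are held on all three rules. The output list is the set of batches the correspondent bank should be asked to confirm by phone with the named contact before release; the script does not replace the call back, it only decides which batches must not go out without one.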
