The Bank Scam That Hit My Business

Reprinted from Chris Mittelstaedt’s column Eureka on Inc.com

FruitGuys founder Chris Mittelstaedt explains how hackers got into his company’s bank account–and how not to let it happen to you.

Identity theft isn’t just something you have to worry about as an individual; your business identity could be at risk, too.

A few weeks ago my company was the target of a complicated bank scam. At 4:30 p.m. on a Monday afternoon, hackers managed to transfer our main phone line to a google voice number. At the same time, they requested our bank to wire money to an account using an arcane fax-based wire request. A bank employee who was not familiar with our account (our regular banker was out of the office) approved the wire request after calling our “office” and speaking to a scam artist posing as an employee. By the time we realized that our phones had been taken over early the next morning, the hackers had siphoned $15,000 out of the account.

The scam took advantage of the low-security threshold for the arcane wire process and the simple verbal approval process that banks use.  It could have been worse. The bank didn’t properly follow its own verification procedures and has since replaced the stolen money.

But my business wasn’t the only victim–the hackers  also hit a number of other companies and individuals in the same region all within a few days. Don’t let it happen to you.  Here’s what you need to know to avoid the same fate.

What You Don’t Know Can Hurt You

The fact that our telephone company doesn’t have stricter security measures and that our bank could be so easily fooled over the phone, has been a wake-up call. Our previous security measures focused on our own processes. This experience, however, was a good reminder that managing your vendors and deeply understanding their security procedures is key. You need to not only worry about what your business touches–data, people, processes inside the business–but you also need to worry about the security measures that your vendors use.

A Culture of Fraud

When your loss is small, you may be able to manage reimbursement conflicts with your bank rather easily. But through this process, I learned from a banking industry insider that the trend is for banks to move in the direction of limiting liability for loss. Some banks ask customers to sign disclaimers to release them of any liability while offering added “protections” during the fraud-management process. My advice: If your bank starts asking you to sign disclaimers, talk to a lawyer immediately.

Your Rights

While there are established fraud protections for individuals, thanks to such laws as the Fair Credit Reporting Act, The Truth in Lending Act, and The Electronic Fund Transfer Act, business protection falls mainly to the state level. I operate in California, where numerous statutes govern banking transactions, including the California Uniform Commercial Code. Yet, Kurt Taylor of Wilson, Marshall and Taylor, a Silicon Valley law firm, says this about the CA UCC:   “There are many limits on damages for actions under the UCC, and where the bank disclaims responsibility, litigation against the bank for negligence is often the only avenue for the account holder to recover the lost funds.”
Thus, if your business is the target of fraud and your bank disputes the claim then the burden for the loss is on you. My banker pointed out that banks generally are extremely reasonable when dealing with fraud and, as in our case, replace the money that was stolen. Even so, I was amazed to learn businesses don’t have stronger protection.

How to Protect Yourself  

Here are a few quick steps to help protect against fraud:

1. Insurance: Talk to your broker about what you can do to hedge your risk against theft with insurance. Make sure you ask specific questions about different kinds of theft.
2. Banking:  Talk to your bank so that you understand its security procedures. Ask about ways in which the bank has tried to make customers’ lives easier but express concern if it’s making things too easy.  Also, sign up for positive pay or other verification tools to help watch for check fraud.
3. Other vendors: Make a list of every vendor that has any sort of data about your business, what you do, and whom you serve, or that manages key functions you can’t do without. Learn about their security procedures and make sure you’re comfortable with their answers.
4. Professional help: Hire a security firm to assess your business’s weak spots.
5. Be known: Have a great relationship with your bank and banker or other vendors. Don’t be anonymous to them. You want them to know you well enough to ask the question–“is this something that makes sense?”