April 3, 2006

To catch a thief | Despite a spate of recent robberies, Maine banks and regulators are more concerned with a bigger threat: fraud and scams

On a Saturday morning in mid-March, a robber wearing a baseball cap and a hooded sweatshirt presented a written note demanding cash to a teller at Gorham Savings Bank on Marginal Way in Portland. He quickly made off with an undisclosed amount, marking the third robbery of a Gorham Savings branch since January.

But Gorham Savings isn't the only victim, as several other banks and credit unions across the state have been targeted in a startling spate of robberies. During the last five months, robbers have hit more than a dozen Maine banks, mostly in the southern part of the state, resulting in nine arrests in the last month and a half. Maine State Police Lt. Brian McDonough has been working in the Criminal Investigation Unit since 1993, and says he's "never seen anything like it."

It's no surprise, then, that the recent crimes have attracted a stream of media attention. One armed robbery at Gardiner Savings Institution in Newcastle in January even ended with an hour-long, high-speed car chase. But how much of a threat do robberies actually pose to a bank's bottom line?

While no one in the banking community downplays the potential risk for physical violence in a robbery, on average they don't cost banks very much in actual dollars and cents. In 2004, for example, only six bank robberies took place in the state, resulting in $32,343 in collective losses, according to the Maine Department of Public Safety's 2004 "Crime in Maine" report. "Robberies are very, very rare," explains Harry Reitze, vice president and manager of investigations and corporate security at Portland-based TD Banknorth. "But in comparison to the overall number of [crimes involving banks], robberies represent about one percent of our case volume. In dollar losses, robberies are five percent to six percent of our losses."

Instead, banks and their customers take the biggest hit from criminals who use stealth or scams — not those wielding notes or weapons who take the money and run. "By and large, there's no comparison to where the losses occur — it's on the fraud side," says Reitze.

Reitze estimates that his department tracks more than 100 categories of bank fraud, ranging from phony checks and credit card theft to Internet-based scams. Counterfeit bank checks, U.S. postal money orders and even Wal-Mart money orders are newer trends Reitze has been following. Kate Carney, security officer at Gorham Savings, adds that she's seen an increase in "phishing" cases, in which customers receive what looks like a reputable e-mail from a bank or a vendor like PayPal, eBay or Amazon.com prompting them to update their personal records on a phony site. After entering their account information, the customer's data goes straight into the hands of a scammer who can bleed the account dry.

Last month, scammers unleashed a phishing attack targeting customers of The First National Bank of Damariscotta, resulting in $140,000 in losses, according to CEO Daniel R. Daigneault. Customers received a bogus e-mail warning that their online banking access would be suspended in 24 hours if they didn't update their account information. While the majority of customers ignored the messages — which suspiciously were sent on a Sunday, when banks are closed — 150 people got caught in the scam. The perpetrators then used customers' PIN codes and account numbers to manufacture phony ATM cards, and made withdrawals over a ten-day period in locations ranging from Illinois to Virginia to Puerto Rico.

According to the Anti-Phishing Working Group based in Cambridge, Mass., 85%-90% of all phishing attacks target financial institutions. And while banks have long had tried-and-true strategies for training their employees to deal with brick-and-mortar robberies, bank fraud — particularly the cybercrime variety — represents a newer and rapidly evolving underworld that's harder to ensnare. That's why banks, regulators and industry experts across the state are working to combat these forms of theft using a combination of legislation, technology, cross-industry collaboration and old-fashioned consumer education.

In the wake of The First's recent phishing attack, for example, the bank is planning a "statement stuffer" warning customers about the perils of e-mail fraud. Daigneault acknowledges that not all customers look carefully at these materials, but he hopes enough people will take notice. "We're trying to stay one step ahead of the thieves," says Daigneault. "But it's a constant battle."

The con is on

Chris Pinkham, president of the Maine Association of Community Banks, says there are "three legs of the stool" when it comes to bank fraud. The first major category of fraud results from institutional data security breaches, when a bank or department store's records get exposed. These incidents can lead to unauthorized charges, the creation of counterfeit checks using stolen account numbers or even a scammer applying for credit in someone else's name.

The second link in the bank fraud chain is made up of cybercrime schemes such as phishing and "keylogging" (hidden software that records a user's keystrokes), which steal account numbers, pass codes or other account information.

The third major category of fraud comprises Internet-based money wiring schemes such as the "Canadian lottery," which began popping up in Maine last summer. The scam involves sending the "winner" of Canadian lottery funds what looks like an authentic bank check in the mail, with instructions to wire a portion of the money back to cover purported taxes and attorney fees. The check, of course, is a fake, and the winner has been taken for a ride — sometimes to the tune of several thousand dollars. TD Banknorth's Reitze says the "bad guys" have homed in on bank checks because consumers typically believe that a bank check is unlikely to be counterfeit. "The customer gets lulled into a false sense of security," he says.

While Maine has a high record of success for apprehending bank robbers compared to other states — Jere Armstrong, senior director of corporate security with Bank of America in Bangor, estimates that 75%-80% are caught — ensnaring bank fraud perpetrators is much trickier for law enforcement. One reason: Many scammers are based overseas and are expert at using technology to cover their tracks.

So what happens when a customer has been scammed? It depends. Customers who overdraw their bank accounts as a result of a money wiring scam are legally required to compensate the bank for the loss. Duped customers are none too happy about owing back this money. "They're embarrassed because they've been conned," says Reitze. "They think that banks can afford the loss more than they can. But if the bank suffers a loss, we'll have to report it or sue [the victim]."

In cases in which an individual's bank account or credit card data is stolen in a security breach or phishing attack, The Federal Reserve Board's "Regulation E" — also known as the Electronic Fund Transfers Act — requires that banks limit the account holder's liability to between $50 and $500, as long as suspicious activity is reported within 60 days. Federal banking laws are less generous, however, when it comes to safeguarding business accounts, as Regulation E only applies to consumer accounts.

As a case in point, a Miami-based small business owner named Joe Lopez last year had $90,348 wired out of his Bank of America business account to a bank in Latvia after his computer became infected with a software worm, according to reports in The New York Times, USA Today and the South Florida Sun-Sentinel. Bank of America says it isn't responsible for the crime because the fraud didn't result from a security breach of its electronic systems, according to news reports. But Lopez sees things differently, and has filed a federal suit against Bank of America, claiming the bank knew about the risks posed by computer worms and should have informed customers. He also argues that Bank of America should have raised a red flag when a large sum of money was transferred from his account to eastern Europe, which is notorious for cybercrime.

The suit represents the first time a U.S. bank has been sued for losses suffered as a result of online bank fraud. If Lopez is victorious, his case could set a precedent that holds banks liable when their customers' funds vanish into the digital ether. "It would be a sweeping decision if it extended consumer protections of Regulation E to businesses," says Mark Walker, vice president of the Maine Bankers Association. But he says it's too soon to tell how the case will shake out, and that such a significant change likely would need to be considered in Congress.

Defensive measures

In the meantime, financial institutions in Maine are working to tip the scales against the fraudsters. Banks across the state recently have banded together within the Maine Anti-Phishing Coalition (www.nophishing.org). The cross-industry taskforce, whose official launch is slated for early May, was initiated by Sari Stern Greene, owner of Sage Data Security, a South Portland firm providing information security consulting services to banks, among other clients. After seeing how phishing attacks were causing grief to many of her banking clients, Greene decided to bring them together to discuss the problem. Greene says the coalition is the first state-run consortium dedicated to educating consumers about phishing and promoting best practice sharing. "Banks that in essence are competitors have joined forces to educate the public," Greene says.

Individual institutions that have been targeted in phishing attacks also are developing their own anti-fraud strategies. The First's home page now features a bold warning about the recent phishing scam, for example, emphasizing that the bank never solicits customers' account information using e-mail, the Internet or the telephone. Since the attack, the bank also has upgraded the third party technology it uses to process ATM transactions, Daigneault says, so doctored cards — even those with the right mix of account numbers and PIN codes — cannot be used to withdraw money.

The Maine Attorney General's Office also recently released a television commercial aimed at raising awareness about the Canadian lottery scam. And banks across the state are reinforcing their teller training programs to highlight the signs of fraud. "Our frontline people know their customers," says Kate Carney from Gorham Savings. "That's one of the advantages of a community bank. We can say, 'Wait, Mrs. Smith normally doesn't do that.' If we can step in and recognize red flags we can help our customers."

In Augusta, Will Lund, director of the Office of Consumer Credit and Regulation, has been working on a bill that would enhance consumer notification requirements in the event of an electronic security breach. "The Act to Amend the Notice of Risk to Personal Data Act" would require any entity that stores electronic data — whether it's a bank, department store, school, hospital or government agency — to inform individuals whose records may have been compromised. (Currently, record storing and notification procedures for security breaches vary according to industry.)

Lund says that more than 20 states have passed similar laws, and Congress may even consider national legislation on the issue. But initially, the bill met with resistance from a wide range of industry representatives who were concerned about the bill's potential to create class action suits. Now that the bill's "right of action" language has been struck, Lund hopes it will win cross-industry consensus and hit the floor of the Maine Legislature within the next few weeks.

Still, Mark Walker of the Maine Bankers Association is skeptical that legislation can make a lasting impact on reducing bank fraud. "As a lawyer, I'm not sure that we need more law," he says. "The perpetrators are from abroad or out of state… state law is not going to be the entire answer."

But according to Peter Cassidy from the Anti-Phishing Working Group, banks are highly responsive to legislation and regulations. New rules, he says, could be a good step to help the industry take a closer look at fraud protection. Looking into the future, Cassidy anticipates that cybercrime eventually will subside, once incremental changes in technology, regulations and industry policies are implemented. "I think everything will be changed a little bit — how computers work, how we work with people online and how transactions are recorded and completed," he says. "You need to put friction in the system that's not onerous for the consumer but makes it onerous for the interloper."

In the meantime, TD Banknorth's Reitze warns that fraudsters are skilled at adapting to the latest preventive measures, which means banks need to roll up their sleeves to continuously combat fraud. "If banks don't take an aggressive stance," Reitze says, "banks will feel that pain."
