A construction company in Maine is suing its bank after about $588,000 disappeared from its accounts, alleging the bank failed to spot suspicious account activity before it was too late.
Over a week-long period in May, fraudsters made six transfers from the online bank accounts of Patco Construction Company, a family-owned developer in Sanford, Maine, according a copy of the lawsuit on the Washington Post’s Web site.
The money went to so-called “mules,” or people who have agreed to receive the funds and then further transfer it to the fraudsters. The hefty withdrawals exceeded the amount of money Patco had in its account, which was used solely for payroll.
To make matters worse for Patco, its bank — People’s United Bank, or Ocean Bank of Delaware — drew $223,237 on the company’s line of credit to cover the withdrawals. Ocean Bank now wants Patco to pay that money back with interest, the lawsuit said.
After the bad transfer came to light, Ocean Bank did recover or block $243,406, but Patco is still on the hook for $345,444.
The fraudsters had a lot of key information needed to do the transfers, conducted through the ACH (Automated Clearing House) Network, used by institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.
The ACH system has proved vulnerable to fraud as of late, due to its age and a lack of controls in the underlying transfer system, investigators have said.
Several Patco employees were authorized to use the account. They logged in with a company ID and password and also their own ID and password, the suit said. For transfers over $1,000, the employees then had to answer two challenge questions. Since most of their transfers exceeded that amount, the challenge questions were used often.
Apparently the fraudsters were able to collect that security information. They could have done that by infecting computers used to perform transfers with spyware, often installed through social engineering techniques or by exploiting vulnerabilities in out-of-date software.
Patco argues that Ocean Bank did not offer two-factor authentication, which often involves the use of a token that displays a one-time password or a verification telephone call.
Patco also said the transfers were initiated from IP (Internet Protocol) addresses that had never been used by Patco, the transfers far exceeded what the company normally performed and were on days other than Friday, when the company paid its employees by direct deposit.
“None of these transactions triggered any suspicious activity alerts on the part of Ocean Bank,” the lawsuit alleges.
One of Patco’s owners, Mark Patterson, did received a notification on May 13 that one of the ACH transfers was rejected due to an invalid account number supplied by the scammers.
Patco notified the bank the next morning, but the bank already started the day’s ACH transfers and $111,963 floated away. Some of that amount was recovered.