Two years ago hackers stole $5.2 million from the online account of Experi-Metal, a 135-employee metal products manufacturer in Sterling Heights, Mich. The bank, Comerica (CMA), got nearly 90 percent of the money back, but said the unrecoverable $561,000 was Experi-Metal’s problem because the company had allowed a computer to be infected. “The fraud department at Comerica said, ‘What’s wrong with you? How could you let this happen?’ ” says Valiena A. Allison, Experi-Metal’s chief executive officer. The company sued to recover the money, and in June a U.S. District Court judge in Detroit found that Comerica’s response didn’t meet standards of good faith and fair dealing. Comerica agreed to pay almost the entire amount. (The bank declined to comment, beyond saying that the matter was resolved.)
Cybercrooks are stealing as much as $1 billion a year from the accounts of small and midsize companies in the U.S. and Europe, according to estimates from Dell SecureWorks (DELL), a security arm of the PC maker. Overseas gangs target small commercial accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by fraud insurance, as individual accounts are, and businesses often find themselves on the hook for losses. “Everyone expects their bank to protect them,” says Avivah Litan, an analyst at tech researcher Gartner (IT). “Businesses are not equipped to deal with this problem, and banks are barely equipped.”
Hacking losses dwarf the $43 million the FBI says was taken last year in conventional bank heists, and authorities are struggling to keep up with criminals abroad, whose trails turn cold fast. For perpetrators, profits can be staggering and risks minimal. In a bust last September, federal prosecutors in Manhattan arrested dozens of middlemen in a cyberfraud ring that they say had stolen $70 million. Although police in Ukraine questioned five people in the case, the FBI says, no ringleader was arrested.
Both the FBI and the U.S. Secret Service, which investigates financial crimes such as counterfeiting, have boosted manpower to fight online thefts. Despite the difficulty in tracking thieves overseas, investigators insist they aren’t overwhelmed. “I don’t think it’s right to conclude that because there are not a lot of arrests that law enforcement is not doing its job,” says Gordon M. Snow, assistant director of the FBI’s cyberdivision.
If cops fail to get the money, courts don’t always help small businesses. Patco Construction, a 22-employee builder in Sanford, Me., lost $354,444 in 2009 after cyberthieves hacked its accounts, co-owner Mark Patterson says. When the bank, now named People’s United Bank (PBCT), rebuffed his attempts to reach a settlement, he sued. He argued the bank should have better monitored his account. Federal judges have twice agreed with the People’s United contention that its protections were “commercially reasonable.” Patterson plans a further appeal.
The Patco rulings infuriated James R. Woodhill, a venture capitalist leading an effort to get smaller banks to upgrade online security. Woodhill, who co-founded cybersecurity firm Authentify in 1999, wants Congress to require banks to warn commercial clients explicitly of the dangers of cyberfraud. “I can’t fathom how one could consider a security procedure that makes it easy for people to steal money from school districts, churches, and small businesses to be commercially reasonable,” Woodhill says. Last year Senator Charles E. Schumer (D-N.Y.) introduced a bill to make banks extend cyberfraud protection, already required for individual depositors, to small business clients.
The American Bankers Assn. says businesses might get lax about security if they knew fraud losses would be covered. “The goal is to … have a partnership between a business and a bank and recognize that every one of those partners has a responsibility to secure the environment,” says Doug Johnson, senior policy analyst for the ABA. “If you put in a provision that takes away any responsibility, it gives the commercial customer no motivation to be active partners with the bank.”
Absent action from Congress, some victims who got burned are trying to warn other companies how vulnerable they are to hacking losses. Karen McCarthy’s business account at TD Bank (TD) was hacked in February 2010, costing her $70,000 and derailing a planned sale of her five-employee marketing firm, Little & King. A manager at her local branch in Massapequa, N.Y., told her she would get her money back, but McCarthy says the bank stopped returning her calls once it became clear the funds were stolen.
When she learned TD Bank was planning a fraud prevention seminar in Burlington, Vt., she hopped on a plane and slipped into the meeting. During a presentation on protecting small businesses from cybercriminals, McCarthy raised her hand and peppered the speaker with questions about her case. Two bank representatives, including TD Bank’s head of corporate security, walked over to McCarthy’s table and suggested they talk outside. McCarthy told the security chief it was good to meet him finally, since she’d been calling him for weeks and had never gotten through.
Jennifer Morneau, a spokeswoman for TD Bank, confirmed an incident involving a “woman from Long Island” at one of its seminars, though she didn’t offer any details. “We constantly monitor and assess the security of our systems,” Morneau said in an e-mail. “Educating our customers is one of the best ways to help them defend against online fraud and identity theft, because even the best security measures can only prevent fraud if customers are also vigilant.”
With Woodhill’s support, McCarthy has started a Web campaign to alert companies that banks won’t cover online fraud losses. “If every small business account holder in America knew what Karen McCarthy had gone through,” Woodhill says, “there would be a run on the banks.”