Valeina Allison got a call from her bank on a busy morning twoyears ago about a wire transfer from her company's account. Shetold the manager she hadn't approved the transfer. The problem was,her computer had.

As Allison, chief executive officer of Sterling Heights,Michigan-based Experi-Metal Inc., was to learn, her companycomputer was approving other transfers as she spoke. During hoursof frantic phone calls with her bank, Allison, 45, was unable tostop this cybercrime in progress as transfer followed transfer. Byday's end, $5.2 million was gone.

She turned to her bank, a branch of Comerica Inc., to helprecover the money for her metal-products firm. It got all but$561,000 of the funds. Then came the surprise: the bank said theloss was Experi-Metal's problem because it had allowed Allison'scomputer to be infected by the hackers.

“At the end of the day, the fraud department at Comerica said:'What's wrong with you? How could you let this happen?'” Allisonsaid.

In increments of a few thousand dollars to a few million pertheft, cybercrooks are stealing as much as $1 billion a year fromsmall and mid-sized bank accounts in the U.S. and Europe likeExperi-Metal, according to Don Jackson, a security expert at DellSecureWorks. And account holders are the big losers.

“I think they're losing more now than to the James Gang andBonnie and Clyde and the rest of the famous gangs combined,” saidU.S. Senator Sheldon Whitehouse, a Rhode Island Democrat whochaired a Select Committee on Intelligence task force on U.S.cybersecurity in 2010.

Eastern European Crooks
Organized criminalgangs, operating mostly out of Eastern Europe, target smallcompanies, school districts and local governments that maintain fatcommercial bank accounts protected by rudimentary security measuresat community or regional banks. The accounts typically aren'tcovered by insurance as individual accounts are.

“If everyone knew their money was at risk in small andmedium-sized banks, they would move their accounts to JPMorganChase,” said James Woodhill, a venture capitalist who is leading aneffort to get smaller banks to upgrade anti-fraud security fortheir online banking programs.

JPMorgan Chase & Co., the second-largest U.S. bank, is theonly major U.S. bank that insures commercial deposits against thetype of hacking that plagues smaller banks, Woodhill said. JPMorganspokesman Patrick Linehan declined to comment.

Smaller banks as well as many of the victims tend not to makethe thefts public, according to interviews with the customers andexperts such as Woodhill. As the threat becomes better known,small-business customers and other target entities may shift theirbusiness to large, national banks, which can better absorb thelosses to maintain customer relations and which have bettersecurity policies to protect clients from such crimes.

'Frightening'
“It's frightening for smallbusinesses because they have no clue about this,” said AvivahLitan, an analyst at Stamford, Connecticut-based Gartner Inc.,which does computer analysis. “They just don't have any clue, andeveryone expects their bank to protect them. Businesses are notequipped to deal with this problem, and banks are barelyequipped.”

Customers used to being made whole when they are victims ofcredit-card fraud or ATM thefts have had to sue small andmedium-size banks to recover losses after being blamed by theirbranches for permitting the crime, as Allison was.

The traditional help of law enforcement hasn't been there eitherfor such customers. In the heyday of bank robberies in the 1930s,the FBI became famous for Tommy-gun shootouts with the bad guys,who were put on the Most Wanted list. In most cases, the identitiesof the John Dillingers and Pretty Boy Floyds of the 21st Centuryaren't known because of online anonymity, and the bureau doesn'tdisclose statistics on how much these cybercrooks are stealing.

The Victims
Victims in the last two yearshave ranged from Green Ford Sales, a car dealership in Abilene,Kansas, to Golden State Bridge Inc., a construction company inCalifornia wine country. No need to use a mask or gun. Thesecriminals can steal millions from the comfort of their homesdressed in their pajamas.

The crime profits can be staggering and the risks minimal.Jackson, the security expert, said three sophisticated gangs eachhaul in at least $100 million a year. That dwarfs the $43 milliontaken in all conventional bank heists in the U.S. last year, fromstick-ups to burglaries, according to the FBI.

“A $100 million hit on a bank or a series of banks,” Whitehousesaid. “That's a pretty big bank robbery. And it doesn't even makethe press. It just trickles through in FBI tip sheets.”

New Priority
To law enforcement officials,cybercrime is a new priority. Both the Federal Bureau ofInvestigation and the U.S. Secret Service, which has jurisdictionover financial crimes, have boosted manpower to combatcomputer-enabled robberies and have formed partnerships withforeign law-enforcement agencies.

Those efforts have been swamped by the explosion in e-commerce,said Chris Swecker, a former FBI assistant director who advisescompanies on cybersecurity. As millions of customers have shiftedonline, criminals have followed, their hacking tools and nimblecriminal organizations racing ahead of old-school law enforcementmodels.

“Through cybercrime, transnational criminal organizations pose asignificant threat to financial and trust systems,” includingbanking, stock markets and credit-card services, according to aNational Security Council report issued in July.

Cybercrime has risen to the level of a national security threat,according to the report, citing a “critical shortage ofinvestigators with the knowledge and expertise to analyze the everincreasing amounts of potential digital evidence.”

Better Malware
The banking industry'sreluctance to confront this problem head-on has allowed criminalsto reinvest some of their booty to create better, more effectivemalicious software, known as malware, according to Woodhill.

Malware is what hurt Earl Goossen, business manager for GreenFord Sales, when he logged on to the company's payroll account atFirst Bank Kansas at 7:45 a.m. central standard time on Nov. 3,2010. Just two days earlier he'd used his computer to arrange forthe bank to send out the $63,000 payroll to employee accounts.Everything went smoothly at first. Goossen responded to a follow-upe-mail request from First Bank Kansas to okay the payroll, just ashe did on the 1st and 15th of every month.

Unbeknownst to Goossen, malicious software had infected thecomputer with a so-called worm, which had the ability to grabpasswords, user names and credit-card data.

Some malware allows hackers thousands of miles away to takeremote control of machines it infects, as if they were sitting atthe keyboard. This malware is affordable and easy to obtain. Abasic version sells for less than $5,000, Jackson said. Manymodels, licensed like commercial software from Microsoft Corp. andAdobe Systems Inc., even come with tech support, he said.

Phony Payroll
The worm on Goossen'smachine allowed thieves to log onto the website of the autodealer's bank using Goossen's credentials and set up a secondpayroll batch for the usual amount for nine non-existent employees.The additional payroll was sent out overnight by First Bank.

The software allowed the hackers to grab Goossen's e-mailpassword and banking details. All they had to do was change thenotification e-mail address to a name under their control.

When an amount like Green Ford's $63,000 is taken from a bank bygun-toting robbers, the FBI would typically dispatch special agentsto cordon off the crime scene and interview witnesses. No agentsarrived in Abilene on Nov. 4, and no one at the company was everinterviewed by the bureau about the theft.

DIY Detective
Green Ford's owner, LeaseDuckwall, filled out a report with local police, who don't have acybercrime unit. The Kansas Bureau of Investigation examined hiscomputer and found nothing of use. Frustrated, Duckwall turneddetective, interviewing bank employees, victims of similar crimesand whoever knew anything about cybertheft. In the end, the trailwent cold.

Representatives of the FBI and the Secret Service insist theyare not overwhelmed.

“I don't think it's right to conclude that because there are nota lot of arrests that law enforcement is not doing its job,” saidGordon Snow, the FBI's assistant director of the cyberdivision.

The FBI and Secret Service have increased the number of agentsdedicated to fighting cybercrime. Last September, as part of“Operation Trident Beach,” U.S. prosecutors in Manhattan arrested agang of money mules in connection with a wide-ranging cyberfraudring that had stolen $70 million from banks and tried to grabanother $150 million in the U.S. and Western Europe. No ringleaderwas arrested, even though five were questioned by police inUkraine, according to the FBI.

Frustration
The inability to put handcuffson suspects in Eastern Europe is a source of frustration for lawenforcement, according to representatives of the FBI and SecretService.

“We can't let that stop us from continuing to move forward,”said Pablo Martinez, who heads the cybercrime unit at the SecretService. “You have to go after every target.”

Mules, used by hackers as cutouts, are an obvious target, eventhe unwitting ones. When thieves stole the money from Duckwall'sdealership, some of the money first went to Shawn Young's accountin upstate New York. Young thought it was a legitimate transaction— at first.

Young, 35, was officially an assistant manager for R.E. CompanyBack Office. He got his job in October through a Careerbuilderwebsite ad that said an Australian office services company waslooking to expand into New York state. He was selected to scoutlocations in the Binghamton area. It did seem odd his new employernever asked for his Social Security number, he said in aninterview.

A Mule's Job
Part of his job was totransfer payments made by some of the company's U.S.-based clientsto various programmers. He corresponded with his boss, SamanthaSimons, exclusively through the company's intranet site.

At 8:45 a.m. on Nov. 3, Young got his first payment-relatedassignment. He logged into the R.E. Company Back Office intranetsite and learned from his supervisors that $4,975 had beendeposited into his account at M&T Bank in Endicott, New York.The sender was Green Ford Sales.

His boss said he could keep $145 of the money if he actedquickly. Within 10 minutes, he withdrew the funds and drove to theclosest Western Union office, a few miles away. Young pulled intothe Western Union parking lot and his cell phone rang. It was amanager from the M&T Bank branch where he'd made thewithdrawal. She said the bank had discovered the wire transferwasn't authorized. It was only then that Young realized somethingmight be wrong, he said.

Transfer Problem
On his way back the bank,his phone rang again. It was Simons, calling from a Syracusetelephone area code to see if there was a problem with thetransfer. Young, who had never spoken with his boss, told her he'dbeen asked to return the funds. In a matter-of-fact manner, Simonssaid OK and hung up, he said.

After learning from his bank that the wire transfer from GreenFord had been unauthorized, Young tried to log into the R.E.Company Bank Office website, but his access had beenterminated.

“I was lucky I did not send the money,” Young said. “I dodged abullet there.”

Unwitting money mules like Young aren't the only ones to havegotten wake-up calls in the new world of bank cybercrime. Customerssometimes find their friendly bank has become an adversary, quotingthe fine print of account contracts about who is responsible forwhat.

Patco Incident
On May 7, 2009,cyberthieves hacked into the bank account of Patco ConstructionInc., based in Sanford, Maine, and initiated a series of wiretransfers totaling $56,594. Some transfers bounced back, causingOcean Bank to send owner Mark Patterson a routine return notice viathe U.S. Postal Service.

Over the next several days, the crooks continued to transfermoney out of Patco's account, removing almost $500,000 beforePatterson received the mailed letter from Ocean Bank. The bankeventually recovered a portion of the transfers, leaving Patco witha loss of $345,444, according to Patterson.

Patterson said Ocean Bank rebuffed his attempts to reach asettlement, so in January 2010 he sued. He argued the bank shouldhave done a better job monitoring the company's bank account. OceanBank argued that its protections were “commercially reasonable,” inkeeping with general guidance issued by the U.S. banking industryin 2005.

In May, a federal magistrate judge in Portland, Maine, found forOcean Bank, now known as People's United Bank, a unit ofBridgeport, Connecticut-based People's United Financial Inc.

'Hopeful'
“We're hopeful the court willaffirm the magistrate's decision,” said Brent DiGiorgio, aspokesman for People's United, referring to a pending appeal.

That decision infuriated Woodhill, who co-founded Authentify, acybersecurity firm, in 1999. He is trying to change the lawgoverning liability in hacking cases.

“I can't fathom how one could consider a security procedure thatmakes it easy for people to steal money from school districts,churches and small businesses to be commercially reasonable,”Woodhill said.

Woodhill faulted banks for downplaying or hiding the scope ofbank heists, a posture he attributes to fear of underminingconfidence in an online banking system that saves financialinstitutions tens of millions of dollars a year in transactionsthat don't have to be processed by a human teller.

Last year, Woodhill came to the rescue of Karen McCarthy, whosemarketing firm was victimized by hackers in February 2010.McCarthy, who made one wire transfer on the same day every month,for $1,000, noticed a problem with her computer on Feb. 10. Thescreen had turned blue and appeared frozen, while other computersin her firm seemed to function normally.

McCarthy's Plans
In the weeks leading upto the frozen-screen episode, McCarthy had reached an agreement tosell her firm, Little & King. She'd bought out her lease, soldher office equipment and supplies and was preparing to join the newcompany as an employee, leaving behind the worries of businessownership.

After her computer froze, she printed out statements fromToronto Dominion Bank in preparation for the sale of her company.Over the Feb. 13-15 Presidents Day weekend, she couldn't figure outdiscrepancies between recent bank statements and the amount in hercompany's checking account. Finally, on the Monday evening, anational holiday, she checked her online banking account and sawfive unauthorized wire transfers.

She called TD Bank in a panic. Because of the holiday, she wastold no one was available. The next morning she marched into her TDBank branch, in Massapequa, New York, and asked an assistantmanager for help.

Calls Not Returned
At first the managertold her the bank would get her money back, she said. Once itbecame clear the funds were stolen, the bank stopped returning hercalls, McCarthy said.

The theft derailed the sale of McCarthy's company, forcing herto raid her children's college funds for needed cash. Of the$164,000 stripped from her account, TD Bank recovered almost$95,000, leaving her about $70,000 in the hole — and without anoffice or equipment, she said.

When she learned TD Bank was to hold a fraud-prevention seminaron May 13, 2010, in Burlington, Vermont, she hopped on a plane andslipped into the meeting. During the morning presentation, when anexpert in wire transactions was talking about ways that smallbusinesses could protect themselves from the dangers posed bycybercriminals, McCarthy raised her hand.

Why wasn't TD Bank doing a better job protecting its small-business clients, she asked. How had TD Bank allowed $164,000 to bewired out of her account even though she hardly every made wiretransfers? As the speaker tried to respond, McCarthy kept pepperinghim with questions about his bank's responsibilities to itsclients.

Let's Talk Outside
Two bankrepresentatives, including TD Bank's head of corporate security andinvestigations, walked over to McCarthy's table and suggested theycontinue the subject outside. McCarthy told the head of security itwas good to meet him finally, since she'd been calling him forweeks following the robbery and had never gotten through.

Jennifer Morneau, a spokeswoman for TD Bank, confirmed thatthere was such an incident involving a “woman from Long Island” atone of its anti-fraud seminars, and didn't have any furtherinformation.

“We constantly monitor and assess the security of our systems,”Morneau said in an e-mailed statement. “We also believe thateducating our customers is one of the best ways to help them defendagainst online fraud and identity theft, because even the bestsecurity measures can only prevent fraud if customers are alsovigilant about employing the necessary safeguards to protect theirinformation.”

Anti-Bank Website
With Woodhill's support,McCarthy started a website she calls www.yourmoneyisnotsafe-inthebank.organd has organized other cybercrime small-business victims acrossthe country. In industry presentations, Woodhill uses her as anexample in describing what's wrong with online banking and thecurrent rules governing the commercial accounts of smallbusinesses.

“If every small-business account holder in America knew whatKaren McCarthy had gone through, there would be a run on thebanks,” he said.

Last year Woodhill supported a proposed law, introduced by U.S.Senator Chuck Schumer, a New York Democrat, that would haveextended protections enjoyed by individual bank depositors topublicly funded entities such as school districts and towngovernments. Congress adjourned before any vote was taken.

Woodhill is now pushing for a federal law that would requireregional and community banks to warn their commercial clientsexplicitly of the dangers of cyber fraud. He's hired formerLouisiana congressman Billy Tauzin, a Democrat turned Republicanwho chaired the House Energy & Commerce committee, to representhim.

Bank Opposition
The American BankingAssociation has opposed attempts to extend cyberfraud protectionfrom depositors to small-business clients. Until recently, theassociation's position has prevailed.

Then came the Experi-Metal lawsuit brought by Valiena Allisonagainst Dallas-based Comerica. In June, U.S. District Judge PatrickJ. Duggan ruled in Detroit in favor of Allison and Experi-Metal,agreeing Comerica's response to the fraud didn't meet standards ofgood faith and fair dealing. Comerica agreed to pay Allison almostthe entire amount stolen.

Other cybercrime victims have taken note of this precedent, saidBrian Krebs, who has written about the Little & King case andother cyberthefts on his blog (www.krebsonsecurity.com).

Village View, an escrow company based in Redondo Beach,California, that was robbed of $465,558 by cyberthieves in March of2010, sued Professional Business Bank just two weeks after theExperi-Metal decision.

Bank Attitudes
The last thing communitybanks want is to be at odds with their clients, said Doug Johnson,a senior policy analyst for the American Bankers Association.

“Banks don't like to sue their customers and customers don'tlike to sue their banks,” he said. “When disputes occur, it's bestto try to work together for an appropriate result.”

Woodhill said the banking industry is behind the curve on thismatter, just as it was in 1978 when it opposed the Electronic FundsTransfer Act, which protects consumer bank deposits from fraud.

“That's one of the biggest favors Congress ever did for banks,even though they were against it,” he said. “Banks truly do notunderstand what their own interests are. Corporate lobbyists onlyplay defense.”

Bloomberg News

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.