Network News

X My Profile
View More Activity

Scammers Randomly Target Checking Accounts

An alarming report published this week on the official Internet news service of the U.S. Air Force highlights the need for consumers to keep a close eye on their bank account statements for signs of fraud.

The piece tells the story of an investigation launched after an Colorado airman discovered that his bank account was $124.90 less than it should have been. The man's bank, a Peterson AFB branch of 5-Star Bank, found that scammers apparently generated random account numbers, into which they tried to deposit one cent. When one of the tiny deposits clears, the criminals know they've hit upon a live account and begin to withdraw funds from it.

Turns out the crooks had automated the process: The charges appeared to be coming from Equity 1st Mortgage, based in Wilmington, N.C.. An employee at the mortgage company said it had not made the charges, but that she'd handled approximately 100 phone calls from scam victims since at least 2006. In every case the amount withdrawn was the same and occurred at the beginning of the month, no doubt to stay well ahead of the issuance of end-of-the-month bank statements.

The story notes that the scammers appeared to be taking advantage of validation weaknesses among businesses using the automated clearinghouse (ACH) system, a private electronic payment network that links banks with one another via the Federal Reserve. The network is used by banks to process large volumes of payroll, credit and debit card transactions, but it also facilitates direct payment of consumer bills such as mortgages, loans and utility bills, as well as business-to-business and federal, state and local tax payments.

Avivah Litan, a fraud analyst with Gartner Inc., said many banks have no real-time validation mechanisms in place to detect fraudulent ACH transactions, although that deficiency is starting to get the attention of federal regulators.

"All it takes is a routing number and knowing the numbering scheme on one account number, and then the fraudsters just increment the numbers and do the deposits, all of which can be done in an automated batch program," she said. "The ACH system was really designed for bank to bank transfers, and until recently it was a closed system that wasn't open to the general public."

Today, the ACH system is used by millions of consumers and businesses to initiate debits and pay bills online. According to NACHA-The Electronic Payments Association, which develops operating rules and business practices for the ACH system, Internet-initiated ACH payments grew by an estimated 35 percent in 2006 to 1.8 billion. NACHA estimates that 85 percent of Internet-initiated ACH payments are to pay bills via companies' or billing services' Web sites, and 10 percent are to transfer funds.

ACH fraud poses far more of a risk to businesses than it does to consumers. By law, consumers have up to 60 days to dispute a debit against their accounts, whereas businesses are given just 48 hours.

By Brian Krebs  |  May 3, 2007; 2:00 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple Patches QuickTime Security Hole
Next: Microsoft to Issue Seven Security Updates


It seems to me that the solution is that ACH system should be a "push payment" system, where any payments must be initiated by the account owner. "Pull payments" in which funds are taken from the account must be preapproved by the account owner based on the payee account number.

Then again, why do we need checks any longer? They are just another method to commit fraud.

Then your bank account can become public information because no one can take funds without your approval. The equivalent of a check would be to give your bank account number, and the payee would deposit into your account. This model works quite well in other countries.

Posted by: Moike | May 3, 2007 2:45 PM | Report abuse

What bank has 100 reported (REPORTED!) cases of fraud over 6+ months and hasn't fixed the hole? That bank gets zero out of five stars, in my opinion.

Posted by: josh | May 3, 2007 11:11 PM | Report abuse

What was the description of the transaction on the bank statement? Speaking of bank fraud. I got a phishing email targeting my Bank of America account a few months ago. I was amazed by the quality. It said my statement was ready to be viewed and it looked spot on like something I would get if BoA sent me those type of emails (they don't).

Posted by: D | May 4, 2007 11:30 AM | Report abuse

I must correct the record with regard to this story: The personnel at Equity 1st Mortgage in North Carolina have received more than 100 phone calls, due to the withdrawal coming from "Equity First." The two entities are not the same, but a search for "Equity First" on Google yields the North Carolina company among the top results.

Posted by: Donald Branum | May 4, 2007 12:20 PM | Report abuse

Hi Donald,

Not sure what happened there, but two hole sentences got left out of the original version of this post, which evidently led to the two institutions being conflated. The above text has been changed to reflect the information you pointed to. Thanks!

Posted by: Bk | May 4, 2007 12:31 PM | Report abuse

What am I missing here?? Why would a bank let someone drain my funds, simply because they were allowed to deposit a penny in my account. Hey, I don't mind if someone deposits... but no withdrawal without my approval

Posted by: Doug | May 7, 2007 9:20 AM | Report abuse


That is why they are calling it a weakness. Banks subscribe to the ACH network, which has a set of rules which must be followed. One of those rules is designed to ensure that the appropriate accounts are charged. There is a required "preauthorization" which includes depositing a small amount, and verifying it with the customer before transactions begin.

A verified transaction then authorizes the company to do business. The weakness here is that someone found out a way to use a false preauthorization to show the bank that they are "authorized" to transact business. By presenting certain transactions, the fake company shows the bank that you *do* have approval.

This the weakness.

Posted by: Donald Smith | May 7, 2007 3:21 PM | Report abuse


Good stuff. I work with ACH daily, not at any of the institutions named though, but with a credit union. It's likely that the 100 inquiries were from separate institutions. Also, Reg E and the NACHA rules allow any ACH debit to be returned as unauthorized, for up to 60 days after the debit. If one looks at their statements regularly...they won't lose a cent. Also, if they use e-statements (or homebanking) regularly, then they'll find out about it VERY quickly.

Posted by: Carlton | May 17, 2007 5:02 PM | Report abuse


Great point. Unfortunately, NACHA rules made the "preauths" optional, instead of mandatory. Which is why consumers should look at their accounts with great regularity. It's also a good reason not to have "low activity" accounts laying around with various financial institutions. And one reason some FIs charge a fee for low/no activity.

Posted by: Carlton | May 17, 2007 5:16 PM | Report abuse

i am ashame how people can come and withdraw monies form your bank account. i am also a victim of this scam. upon veiwing my account they to deposit 1 cent into my account and turn around and withdrew $124.90 from my account. i hope onec the sammers are caught they too become victims of there hard earn monies.

Posted by: tonja | May 21, 2007 6:57 PM | Report abuse

I can assure individuals I work with online security applications for financial institutions. As it states at 5 Star Bank that the scammers apparently generated random account numbers to Pre Note accounts with .01 is almost impossible.
No Processing ACH Bank would allow a merchant to run millions of pre notes to validate accounts without knowing who they are processing for. Also there is no such thing as a good response only bad "R Codes" such as NSF, Account Closed, Frozen, or not found come back and this usually takes up to 15 days at the most to return before they are cleared.
If this was a fraudulent transaction or he was a victim of Identity theft then why did he not close the account and report the issue instead of letting it continue. The company I work for used to see this same issue with Cash Advance Companies online and the customer usually is the one who initiated the transaction. Indentity theft is out there but in this case the scammers would have to use a bank on the backend to do it and even if they did get it processed the bank would freeze the account and the scammers would never be able to get the money.

Posted by: Chris | May 23, 2007 6:41 PM | Report abuse

I have just noticed onmy online bankig that a deposit for .01 was made to my account by equity 1st and yesterday my bank debited my acount for you guessed it $124.90. I calledmy bankand informed tehm and in the morning will be discussing the problem and fraud case with the main folks at my bank as well as other banks so they can install a safeguard to regpject any transactions from equity 1st. Hopefully my bankwil reverse the transaction as it has to have a place or accvount to gointo and with getting the federal reserves and all banks invoklvedd in it we can put a stop to it once ansd for all and create better security with our ownbanks.

Posted by: william chandler | May 24, 2007 9:12 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company