Last week I traveled to Cooperstown, N.Y. to deliver a keynote address about the scourge of online banking fraud that I’ve written about so frequently this past year. I flew into Albany, and in the short, 60 minute drive west to Cooperstown, I passed through tiny Duanesburg, a town whose middle school district is still out a half million dollars from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims — including a wrecking firm based on Schenectady that lost $70,000 last month when organized thieves raided its online bank account.
Alexander “Sandy” Jackson‘s world started crashing down on Apr. 20, the day he learned that more than $70,000 of company’s cash had been transferred to 10 complete strangers scattered about the United States. Since then, the owner of Jackson Demolition Service has spent a good deal of time trying to retrieve that money. So far, he and his bank have recovered about one-third of the amount stolen.
Oddly enough, Jackson first learned of the fraud after being contacted by an individual who received close to $5,000 of the firm’s money.
That individual was Montgomery, Ala. resident April Overton. In March, Overton responded to an e-mail from a company that said it found her resume on Careerbuilder.com, and would she be interested in a work-at-home job entering tax information on behalf of American tax filers? Overton said she accepted the job, and for more than a month worked several hours each day completing various tax forms with personal tax information sent to her via e-mail, forms that she then had to fax back to her employers, who claimed to be Tax World LLC, at www.taxreturnsworld.com.
“I was basically processing tax returns, and they’d have me log in to a site every morning between the hours of 8:30 a.m. and 11:30 a.m., and would send me information, have me filing out [IRS Form] 1040 tax returns,” Overton said.
The information at taxreturnsworld.com indicates that the company is based in New Jersey, and that it has been in business since 2002. However, the state has no record of a business by that name, and the domain name was registered in March 2010 via a Russian domain name registrar. In addition, the same Web server hosts an identical site reachable through the domain worldtaxreturns.com. A message left at the phone number listed on both sites was not returned.
Overton said she spent more than a month entering and faxing tax information for Tax World before she was paid. The payment took the form of an unexpected $4,700 deposit into her bank account from a company in North Carolina. She said she spent that money, assuming it was payment for her work, until the deposit was recalled by the issuing bank, at which point her account went thousands of dollars into the red.
A few days later, she received another $4,700 deposit, this time from Jackson Demolition Service. Suspecting that the rug was about to be pulled out from beneath her yet again, she picked up the phone and called the wrecking firm, effectively alerting workers there to the missing money. Overton’s bank, however, appears to have used the deposit from Jackson to replace the overdraft amount from the previous deposit from the North Carolina firm.
“She got a $4,700 deposit and spent it right away, but her bank overdrafted her account because that deposit got recalled,” Jackson said. “Then my money comes flying in there and her bank grabs that to replace the missing money.”
Overton has promised to repay the $4,700 to Jackson. Meanwhile, it remains unclear what Overton’s employers were doing, if anything, with the completed tax forms, although experts say it’s not uncommon for organized criminal groups to secretly file taxes on behalf of other people, request a refund and then later request that the refund check be sent to a new address.
The closing slide in my presentation up in New York included a list of tips that I urged small business owners in the audience to consider in order to avoid becoming the next victim of this type of crime. The thrust of my speech was that today’s attacks against online banking have become so sophisticated that banks need to adopt authentication mechanisms that work even when their customers’ PCs are already compromised by organized criminal gangs.
Unfortunately, very few commercial banks are prepared to meet this threat. As such, I encourage small business owners to take a few simple precautions, such as banking online only from a dedicated computer. This can take the form of a laptop or desktop that’s used only for online banking and nothing else; a Mac OS X system (all of the malware used to steal online banking credentials simply fails to run on non-Windows computers); or a bootable Linux installation that runs off of a CD-Rom or DVD.
By the way, if you ever get a chance to visit Cooperstown, N.Y., consider staying at the picturesque Otesaga Resort Hotel there, where I snapped this photo last week right before a thunderstorm moved into the area.
Further reading: Target: Small Businesses