ACH Fraud: Payroll Hack Drains $217KNon-Profit Says Bank Not to Blame for Losses
Cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority, a nonprofit organization that operates the Qwest Center and other recreational facilities in Omaha. According to a post on KrebsOnSecurity and The Omaha World-Herald, an employee at MECA fell for a phishy e-mail that unleashed a malware attack that subsequently provided hackers access to the organization's payroll system.
From there, cyberthieves hijacked the system's login and password credentials, allowing them to add their own hires to the payroll. Those hired individuals or money mules, once on the payroll, received payment transfers from MECA's bank account, which was managed by First National Bank of Omaha. The payments went to the money mules hired through work-at-home scams.
The World-Herald reported Thursday that MECA says it's working with the Federal Bureau of Investigation to analyze the crime. "This was an important lesson to us about vulnerability in the online world," MECA told The World-Herald in a statement. "We have changed several online banking security procedures."
Gartner Analyst Avivah Litan says in the scheme of corporate account takeovers, the infiltration of payroll systems is more prevalent than the industry admits. "It's a very common method," she says. "I think it's more common than the one-off way. We hear about ACH and wire fraud a lot, but we don't hear about the payroll breaches, even though they represent just another way to push an ACH payment, without taking over the payroll submission account."
Payroll hacks are common, because they are difficult for banks to detect and prevent. "These payroll files or batch files are an issue," Litan says. And they're a pain point for banks and vendors.
"Under the old way, you would just get a hash total. But if at the end of the day the hash totals don't match, then it's tricky," she says. "How do you set limits, when you don't want to keep people from getting paid?"
Positive-pay lists are the evolving solutions, but even positive-pay lists struggle when it comes to accounting for employee name discrepancies, which can result when new people are hired, as well pay-scale variations that fall outside given or specified ranges.
But the most interesting twist surrounding the MECA incident is MECA's admission of responsibility for the attack. Before the attack, MECA allegedly passed on security options offered by First National Bank of Omaha, including one option that required two employees to sign off on every funds transfer.
"We had declined some of the security measures offered to us," Lea French, MECA's chief financial officer, reportedly told Krebs. "We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems."
Litan says that admission of fault on the part of the commercial accountholder reflects a shifting perspective in the ACH fraud liability debate. "I think the fact that the customer is taking responsibility is a big change, and is probably a reflection of many of the customer education efforts banks have put in place recently," she says.