ACH Fraud on the Rise
As if there aren’t enough security issues to deal with these days, it looks as if someone has come up with a fast and efficient way to make big money in a very short period of time. Several large-to-midsize organizations have been hit by ACH (Automated Clearing House) fraud scams, in which the organization’s accounts are drained through a series of bank transfers.
In one case, a school system was hit. The thieves were clever, waiting until administrators were away on holiday leave before running the scam, and “during a four-day period between Dec. 29 and Jan. 2, siphoned US$704,610.35 out of two of the school district’s bank accounts.” Some was recovered, but the rest is gone for good. In another case, a Texas company was hit for $1.2 million. Most was recovered, but the thieves made $150,000 in a few minutes. Not a bad day’s work.
How do these things happen? It’s the same old story — the thieves send a “targeted phishing e-mail, aimed at whomever is in charge of the company’s checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.”
As usual, the warning is clear. Be very, very careful when opening emails containing any sort of attachment. If you’re suspicious, don’t open the message at all. If you think it’s from a legitimate sender (i.e., you recognize the address), contact the person by phone or some other trusted means to confirm they actually sent the message. And, of course, make sure your email is monitored either by an enterprise-wide scanning system or by individual copies of a good antivirus/anti-malware package.
Anyone can be fooled. In pre-computing days, one trick was to call someone on the phone, claiming to be from a vendor in need of bank account data. Or, a scammer would send a phony invoice in the hope of obtaining the same information on a check or other instrument. Scams mainly rely on the mark trusting the scammer, or not checking the facts. Don’t get caught.