Fraudsters drained nearly $250,000 from bank accounts of the Center for Independent Living of Central PA, and the Harrisburg-based nonprofit wants its bank, Mid Penn Bank, to refund the money, according to a lawsuit filed last week in Dauphin County court.
- The Harrisburg-based bank allegedly failed to enforce “commercially reasonable” security controls on the accounts and thus it must refund the nonprofit’s money, according to the lawsuit.
- The center also charged the bank with breach of contract by allegedly failing to safeguard the nonprofit’s funds and declining to take responsibility for the loss.
- “We have always valued our relationship with The Center for Independent Living of Central PA,” the bank said in a statement. “While Mid Penn Bank cannot comment on pending litigation, we take the security of our customers seriously and will respond appropriately in court.”
What happened: External fraudsters appear to have burrowed into the center’s accounts through a scheme that included creating a secret email folder that diverted emails sent from Mid Penn to the nonprofit, which provides services to people with disabilities.
- Bank staff initially insisted the missing funds must have resulted from internal fraud at the center or issues with the nonprofit’s internal systems, according to the lawsuit.
- However, the lawsuit describes an external fraud that gained access to the center’s accounts and initiated unauthorized ACH transactions totaling more than $250,000.
How did it come light: Starting with an April 26, 2022, phone call that Mid Penn made to the center’s CFO, Marilyn Zarreii, according to the lawsuit.
- Mid Penn said one of the nonprofit’s two money-market accounts was overdrawn due to a $16,640 ACH transfer, according to the lawsuit.
- Zarreii said she had not authorized the transfer and the bank refunded the $16,640, according to the lawsuit.
- The center discovered two earlier unauthorized transactions from the same account — totaling $27,393 — which were returned by the business that received them.
Were there more: Yes.
- On further investigation, the center uncovered three ACH transactions from a second money-market account totaling $249,800, according to the lawsuit.
- The unauthorized transactions, which sent the money to an account at Citibank, took place in March 2022.
- They were proceeded by a series of so-called micro-entries — also known as trial deposits or test transactions — which are small transfers commonly used to verify the validity of ACH transactions, according to the lawsuit.
- Mid Penn sent email warnings to the center, but they were diverted to the hidden email folder, according to the lawsuit.
- The warnings included notes to Zarreii that her password had been changed and that someone had accessed the account outside the geographic area where she normally logged in,
- The lawsuit contends that Mid Penn should have done more in light of the “irregular activity” on the center’s two money-market accounts, which the lawsuit claimed are rarely, if ever, used for ACH transactions.
- “It was our savings account,” said Janetta Green, the center’s CEO.
- She said the center has turned over its findings to the FBI.
- The center is being represented by Philadelphia-based law firm Kleinbard LLC.
The trend: The potential for fraud using micro-entries — also known as micro-deposits — has triggered a raft of warnings from banks and credit unions over the last year or so.
- The National ACH Association, meanwhile, has been updating its rules for micro-deposits.
- The new rules, some of which take effect next month, reduce “the potential of receiving fraudulently-initiated micro-entries,” according to the association.