Some hackers are going back to basics when it comes to stealing money, as one Powell couple found out, to the tune of $10,000 over several months.

How much money could be taken from your wallet without being noticed? How about your bank account?

That’s what the latest trend in online bank fraud is counting on: Transactions small enough that the account’s owner won’t notice. With smartphones and online banking, it is increasingly common for people to not keep track of all of their transactions with a handwritten ledger, which means they don’t double-check their charges.

In recent years, debit card fraud has increased 30 percent annually, affecting one in 14 consumers, according to The Plain Dealer.

But, this is nothing new. Much like the famed tale of Frank Abagnale Jr., who created fraudulent checks in the 1960s and was later the subject of the movie “Catch me if you can,” this form of fraud is no different.

Bank account fraud scams take many forms and constantly evolve into new variations for catching consumers off guard, said Wells Fargo spokesperson Staci Schiller.

In this case, all it takes is a bank account number and a routing number — which are provided on every check.

Those numbers are how checks turn into transactions; it’s all the information needed, and no signature is necessary.

Bank account passwords and usernames do nothing to stop these transactions, since it bypasses all of those high-tech advancements in security and goes straight to the money.

$10,000 stolen

Craig Coen and Suzy Gatlin of Powell had $10,000 stolen from them over several months.

Each of the transactions were withdrawn through PayPal with different names attached, Gatlin said. Neither Gatlin nor Coen have a PayPal account, so it wasn’t a case of their account getting hacked. Making a charge over PayPal is no different than writing a check; PayPal is merely a middleman for the transaction.

“You just see all these weird charges,” Coen said.

The totals charged for each transaction varied from just a few dollars on up to $300, none so big that they’d draw attention as suspicious purchases. But, what was suspicious was the quantity of charges made — upwards of 20-50 charges in a single day, Gatlin said.

“It seems like once they get wind you are on to them, the charges get big,” Coen said, noting that they have changed bank account numbers numerous times. “They just keep coming.”

The $10,000 was not stolen all at once, but was spread out over a long period of time with many different fraudulent transactions. 

“Suzy thought it was me, and I thought it was her (spending money),” Coen said.

On one occasion, they got a new account and found there were charges on it before they had even used it.

“You feel violated; someone stole from you, and there’s nothing you can do about it,” Gatlin said. “You don’t understand what is happening to you at first.”

Each time this happened, they went through their charges with their bank and had each of their charges reversed. So far, the couple has gone through this process a few different times, and each time included 50-60 charges.

“I spent days on it or more, confirming they did what they said,” Coen said. “It was pretty devastating — it just takes that much time out of your life.”

The time wasted doesn’t end there; it’s an ongoing daily ritual. Coen said he checks every account each morning.

“It changes your life,” Gatlin said. “You have to look at all of it.”

“It becomes a ritual, you wake up and look at the accounts,” Coen added. “I don’t want to, but I have to.”

Gatlin said they were considering getting Life Lock or something similar, and she wasn’t sure what advice to give to those going through the same experience.

Local bankers agreed, there is nothing that can be done to stop this type of theft. But, there are ways to combat it.

How common is it?

The Federal Bureau of Investigation did not provide statistics before press time about how often this type of bank fraud occurs. However, local bankers say it is becoming increasingly common.

“It comes and goes in trends, but we see a lot of it,” said Powell Police Chief Roy Eckerdt.

PayPal seems to be the popular route for now.

The process is essentially an electronic check, said Larry Larsen, market president at Big Horn Federal in Powell.

“The process is to make it convenient and easy for consumers, but it also is causing our fraud individuals to escalate, and we are seeing more and more of it.”  

This type of crime was unheard of just 10 years ago, but it has become more common over the last 3-5 years, Larsen said.

“Criminals are just getting smarter, and technology is helping them,” Larsen said.

At just Big Horn Federal in Powell alone, there have been four cases reported between Christmas 2014 and late July 2015, said Brittany Bertagnole, customer service representative at Big Horn Federal.

Some Powell businesses were victims of a recent similar crime where someone duplicated their checks and ordered hot tubs, Larsen said.

“It is a huge conversation,” Eckerdt said.

The scams Powell Police run into tend to work through an area such as phone scams and Facebook scams, all seeking to get checking account information.

“If it is too good to be true, it probably is — then we forget what we tell our kids and go after that silver lining in the cloud,” Eckerdt said.

But, unlike the traditional online scams, this one didn’t have any emails from the prince of Nigeria promising gold, or false claims of relatives in jail. The victim’s only crime was having a bank account that was compromised in any number of possible ways.

Know your enemy

There are two enemies in this type of bank fraud: the thief and laziness.

As easy as it is to steal from a bank account, it is even easier to not notice anything was stolen. 

“It is kind of a catch-22, you have all this access and it is right there at your fingertips, and some people said ‘I don’t need to balance my checkbook every day because I have all this access,’” said Rich Stearns, assistant vice president at First Bank of Wyoming.

As for those committing the crime, advanced thieves can use random number generators or hack into other online accounts. Others just take the bank account and routing numbers that are found on checks.

Basically, it’s the same old trick that was played with cashier’s checks, then traveler’s checks, Bertagnole said.

“Some of these people would be amazing if they had an honest job, but they can’t go into the normal world and make that kind of money legitimately,” Stearns said.

During a training session, Stearns said he learned that there are online software vendors that sell programs that steal other people’s information.

Thieves don’t know how much is in the account that they are stealing from, so most transactions are small, Stearns said, estimating somewhere around $200-250 for the larger ones. It usually consists of five or so transactions, well under the $100 mark, Stearns said.

“That is the reality of the world we live in, the precaution is being aware,” Eckerdt said. “Most of us don’t have a million dollars and we would notice it.”

Typically, PayPal or similar service providers, will run an authorization check to the account, charging and refunding a few cents to see if the account is active, Larsen said.

“That threw a red flag for us because who pays 92 cents online?” Larsen said.

Many of these scams and raids come from outside of the country, Eckerdt said. “They will pin for a dollar to see if they can get access to them, then come back and hammer it,” Eckerdt said.

Fighting back

The first and biggest step anyone can take in protecting themselves is to be aware, Eckerdt said.

“What we try to stress to our customers here is no one piece of online things, no one feature, is fool proof,” Stearns said. “There is a way around anything, so what we try to stress is the more layers you put in place, the more secure you are.”

These are the seemingly obvious steps that often appear annoying but actually serve an important purpose:

• Use long passwords with capital letters, numbers and symbols

• Change passwords often

• Shred paper documents

• Avoid using public computers or free WiFi hotspots, particularly for banking purposes

“The fact of it is, this is the world we live in,” Stearns said. “In today’s world with the electronic transfer of funds it is even more important now to keep on top of your finances and look at your account every day.”

One of the biggest steps involves keeping email accounts secure since everything is connected to that one email address.

“It all flows through your email account — your banking and email should be the two strongest passwords,” Stearns said.

An example of a weak password would be “powell” or “wyoming123,” while a strong password would be more along the lines of “Fourty

2DegreesBe

low0!?” since it’s a memorable phrase but impossible to guess. 

Some banks require their customers change their password every three months, to protect the customer and the bank as well, Larsen said.

“We do get a lot of customers upset when they have to update their passwords, but there is a reason for it,” Bertagnole said.

Some banks offer services that send text message alerts to the account owner’s cellphone, notifying them whenever a transaction is made. This can be set up for all purchases, or for purchases under a set dollar amount.

“If it is fraudulent, you can shut your card down — I love it,” Stearns said.

IBM’s Trusteer Rapport is another product that users can buy to protect themselves. It isn’t an anti-virus program, instead it monitors what is going on behind the scenes on your computer while browsing online. Then, it locks in a secure connection to just what is intended and focuses on malware.

Unlike viruses, malware gather up personal information and send it out. It is often the case that malware is inside a computer, completely unknown to its owner.

It is possible the criminal has been “fishing” for information for more than a year, Bertagnole said.

“I’ve seen some where you run anti-virus and it doesn’t get rid of all of it,” Stearns said. “They had to completely wipe their computer and start all over again.”

Consumers aren’t in this battle alone; banks also have fraud mitigation software to look for unusual spending, Stearns said.

“We have been fortunate at our institution and the bank isn’t eating any money,” Larsen said.

If the bank is able to catch a fraudulent charge quickly, they can get the money back through PayPal, Larsen said.

Both Larsen and Stearns said that the only thing people can do is be vigilant about checking their transactions.

Who are the victims?

Large companies and the wealthy aren’t the usual targets, it’s normal people. But, it’s through large-scale security breeches that the average citizen’s information gets stolen.

“The average Joe is not their target,” Stearns said (in reference to large corporate hacks). “It is amazing the stuff that is out there. The larger, what you would call ‘criminal organizations’ usually reside in other countries and have access to a lot of funds and look to steal a lot of money.”

Sometimes information was stolen by means as simple as looking at the numbers on an old check. Other times it is from information sold during the large-scale security breeches that make national news. Target and Sony’s Playstation Network were some of the recent large-scale hacks.

Most of the time, the identity thieves don’t use that information, they sell it, Stearns said.

“We had a customer with fraudulent checks and numbers from 2011 and hadn’t used those numbers since then,” Larsen said. “They found a check from that long ago and created fraudulent checks.”

Larsen recalled discussions in college about the transition into a paperless society, and it’s basically already here since handwritten checks are commonly converted into electronic checks and handed back at the cash register in stores.

Consumer protection

Victims of fraudulent transactions can usually get their money back, Stearns said.

Regulation E of the Electronic Fund Transfer Act is designed to protect consumers from fraudulent electronic transfers of funds.

“Bad things happen to good people — that is why those rules are in place,” Stearns said.

Regulation E protects customers when there is unauthorized account activity, Schiller said.

But, fraudulent charges must be reported within 60 days from the date of the statement it first appears on. This means victims could potentially have a 60-90-day period to find and report those charges.

“It is really hard to make the claim six months later that this is money I didn’t spend,” Eckerdt said.

Sometimes people will make claims that they didn’t spend money that they actually did spend, so the bank needs to go through the right steps to verify it, Eckerdt said.

If a fraudulent charge is found, customers should contact their bank immediately, Larsen said.

“They should hold your hand through the process and make suggestions,” Bertagnole said.

She also recommended contacting the local authorities or even the Federal Trade Commission.

“Depending on the amount, they will turn it over to the FBI’s fraud department,” Larsen said.

After that, the bank will create a new account for the customer since their previous account number is still susceptible to fraudulent charges, Bertagnole said.

“We need to create the awareness that this is going on and people need to check their accounts often and if there are problems they need to contact their financial institution,” Larsen said.