
We need to talk

How a New Jersey-based hose and accessories specialist became the victim of fraud

by Rich Vurva

When Jeff Scheininger, owner and president of Flexline, returned home from a business trip last fall, he was met in his office by his somber-looking CPA. “We need to talk,” the CPA said, showing him the company’s most recent bank statement.

It showed several suspicious-looking withdrawals from the account that the New Jersey-based Flexline used to pay employees, make purchases from vendors, and handle the myriad other transactions required to keep a typical business running smoothly.

The initial suspicious automated clearing house (ACH) transaction of just one cent occurred in late September. Once the thieves established that the account was active, they began withdrawing much larger amounts. Over a period of nearly three weeks, a total of more than $800,000 was stolen from the account.

When he learned about the unusual activity by reading his monthly paper statement, Scheininger immediately contacted his local bank branch, which put him in touch with the bank’s fraud department. The local banker advised him to also contact his local police department to file a report.

Scheininger and his CPA spent about six hours on the phone speaking with a representative from the bank’s fraud department. “She was taking us through each and every transaction while she attempted to fill in forms. Because basically you have to file a corporate statement with the bank that these are suspect,” Scheininger says.

The next day, Scheininger visited his local bank branch, which put a hold on the account.

“So then I fell down the rabbit hole – at least I thought it was a rabbit hole – of law enforcement. I called the Secret Service because I was told to contact the Secret Service. I called the FBI and spoke to an agent who interviewed me at length. By this time, I was keeping an Excel spreadsheet of contacts,” he says.

No one that Scheininger contacted for help provided much assurance that he’d ever see his money again.

A test in patience
Fearing that legitimate checks that Flexline sent to vendors might bounce, Scheininger and his staff also contacted each vendor to explain what was happening and to notify them if their check didn’t clear.

Having contacted anyone that he hoped might help resolve the situation, Scheininger had nothing else to do but wait.

“I’m thinking, at least I’ve done something. We’ve got the fraud department that we can talk to. And then we unfurl weeks upon weeks during which time nothing happens. I call; I don’t sleep. I can’t find out anything,” he says. “My bankers are struggling to put into place the common sense kind of stuff that would prevent this from happening again. They couldn’t understand my rage and my fury because I didn’t care that they were helping me slam the barn door after the horse had bolted. I just wanted my money back.”

How could the activity take place without Flexline noticing the suspicious transactions sooner? Most of Flexline’s payments are processed using paper checks. Because the company only makes a handful of regularly scheduled ACH transactions, there was no urgent need to check bank activity online on a daily or even weekly basis. In addition, Scheininger always assumed that transactions issued through his bank – a well-known company with branches throughout North America – were safe and protected from fraud. For example, in order to use the bank’s online platform, he was provided with an “electronic token” that’s about the size of a credit card.

“If I wanted to move even $1, the bank would send a secure number to their special device and I would have to enter that secure number to validate that the transfer was legitimate. Yet here we have a case where hundreds of thousands of dollars were taken without any idea it was being taken, and no need for the token,” Scheininger says.

He’d also assumed that there were regulations in place to protect electronic fund transfers.

Regulation E was created by the Federal Reserve to outline rules and procedures for electronic funds transfers (EFTs), including ACH transactions. The regulation is meant to protect banking customers who use electronic methods to transfer money.

Regulation E also outlines consumer responsibility for reporting unauthorized EFT activity. For example, consumers must report lost or stolen credit cards no more than two days after the consumer becomes aware of the theft; otherwise, the bank has no obligation to refund losses.

Unfortunately, Scheininger was told that Regulation E applies only to individual account holders and does not apply to commercial business accounts.

Scheininger also assumed that his account would be protected by “positive pay,” a fraud prevention tool used by business customers to protect against check and ACH fraud. Banks use positive pay to match the checks a company issues with those presented for payment. Any check considered suspect is sent back to the issuer for examination.

Somehow, the thieves convinced the bank that Flexline was one of their subsidiaries and that they were therefore authorized to use Flexline’s account.

Scheininger ultimately learned that the thieves used two separate banks to accomplish their scheme and several falsified company names. Out of the total stolen from Flexline’s account, more than $300,000 of the transactions were reversed very quickly. But it took 45 days and countless hours of time on the phone, sending emails, writing a victim statement, contacting an attorney, and cajoling anyone and everyone he could think of to get the rest of his money returned.

Scheininger thinks what ultimately drew the matter to a conclusion was help from a detective at his local police department.

“One of the detectives called me up, had me come down, took all the account information, taped a statement, went to the county prosecutor and subpoenaed my bank, and the two banks that were most responsible for the thefts,” he says.

The records from the banks that withdrew the money traced the path to an account based in a foreign country. Stunningly, this one account showed about $40 million in fraud. Yet the FBI declined to investigate because the amount stolen from Flexline was less than $2 million.

An FBI agent suspects that an employee of one of Flexline’s vendors may have been paid to harvest their account numbers.

Scheininger may never know exactly who was behind the scheme or how they pulled it off. But his company was made whole and he has put steps in place to prevent future fraudulent activity. For example, he has separate accounts for receivables and payables. No outside company with permission to make a deposit into an account has the ability to withdraw money from that account. A third account can be accessed only by himself or his chief financial officer. He uses a fourth account for accepting ACH deposits from new companies where a previous relationship hasn’t been established. Finally, Flexline also checks account activity at least twice a day.

“If you do all those things and you’re vigilant, you can catch the thieves before the bank,” he says.

This article originally appeared in the July/Aug. 2022 issue of Industrial Supply magazine. Copyright 2022, Direct Business Media.
