A small Washington town lost $400,000 in an electronic heist that transferred the city's money from its Bank of America account to several other accounts, police said.
The theft occurred over the course of last Tuesday and Wednesday, authorities said. Burlington, Wash. employees who are paid via direct deposit were informed that their details may have been compromised.
Investigators said the theft was likely perpetrated by hackers and the U.S. Secret Service Puget Sound Electronic Crimes Task Force is taking a role in the investigation, the Skagit Valley Herald reported.
The town’s account has since been frozen.
A similar incident occurred in July of last year when Eastern European hackers defrauded a small Maine town of $30,000 in unauthorized direct-deposit payroll transactions from a TD Bank account. In a previous event, hackers took $345,000 from a Maine construction company.
Small towns and businesses are often targeted by hackers who know that their victims' security will be less than robust. These thieves often use phishing emails to trick employees into providing the information needed to access the town or businesses’ accounts. Once inside, hackers will transfer money to the accounts of " money mules," often in the U.S. on temporary visas, who withdraw the money and wire it back to a country like Russia or Estonia.
Who's responsible in a situation like this, the bank or the customer? When the breach happens as a result of a phishing scam, the scammer’s logins appear legitimate to the bank, and so the customer usually has to take the loss, something that can be tough on small towns like Burlington.
Banks do have tools in place to monitor suspicious activity, such as a sudden burst of transfers to bank accounts in foreign countries, and will often place holds on suspect transactions. But if a breach happens on a customer's end, it's usually the customer’s responsibility.
Consumer accounts are insured by the federal government for up to $250,000, but business accounts do not receive such protection.
Follow Ben on Twitter.