It would be music to any non-profit organization’s ears: an unexpected $1,000 donation. But the offer came with dirty strings attached, and the surprise donation to California-based Urban Age Institute was hardly a gift at all. Instead, it placed the organization right in the middle of an extensive — but elegantly simple — worldwide scam.
Within days, $10,000 worth of checks were written against the non-profit's accounts and cashed by a woman in Georgia. She in turn wired money to Nigeria. The incident left the organization's leaders wondering: Is it that easy to raid anyone's checking account? The answer, according to banking experts interviewed for this story, is yes.
Armed with just a checking account number and bank routing number, criminals can create checks at whim, experts and law enforcement authorities say. In fact, as the Urban Age Institute found out, at least one Internet site makes the process even easier. All the fraudulent checks drawn on the organization's checking account were printed and mailed by Qchex.com, a Web site whose stated aims are to make sending and e-mailing check payments easy for anyone connected to the Internet.
"The scope of the problem is potentially breathtaking," said Mary McNamara, who helps run the Urban Age Institute with her husband Gordon Feller.
At Qchex.com, users who sign up to print checks must provide only a working e-mail address. No other attempt is made to verify their identity. In fact, the site urges people to register their checking accounts at Qchex before someone else does.
James Danforth, chief operating officer of Neovi Data Corp., which owns Qchex.com, said that while some fraud has occurred at the site, it is no more common than fraud at other Internet payment services such as eBay's PayPal. Qchex is largely used by legitimate businesses looking for a low-cost way to send money and make payments, he said.
The demand-draft dilemma
At the center of the controversy is a little-known system for cashing checks called demand drafts. Most consumers presume that checks must be signed by an authorized account holder. That's ordinarily true, but not in the case of so-called "demand drafts." These look just like checks, but indicate "signature not required" or a similar message in the authorized signature area. And generally, banks cash them just like valid, signed checks.
Demand drafts were designed to accommodate legitimate telemarketers who receive authorization from consumers to take money out of their checking accounts. But the potential for abuse is high. Not only do they not require a signature, but they require no action by the checking account holder.
What's needed to create a demand draft? Simply the account number and bank routing number — information found on every single check. Write a check to your 12-year-old babysitter, and she has all the information she would need to clean out your account.
Demand drafts, also known as "remotely created checks," have become such an attractive target for criminals of late that the Federal Reserve in February proposed a new set of rules to govern them. And the National Association of Attorneys General last month called on the Fed to place an outright ban on demand drafts, citing increased fraud.
"The fact that a stranger can pull money out of a person's bank account using only the numbers at the bottom of his or her check is not commonly understood," the group wrote to the Fed, commenting on the proposed rules change. "Complaints about unauthorized bank debits are believed to be grossly underreported, perhaps because of the lack of public awareness of this type of bank account vulnerability."
The comment period on the new Fed rule ended May 3. If adopted by the board of governors, the new rules would make demand drafts similar to electronic transfers, giving consumers uniform rights to demand refunds and putting additional burdens on the bank that cashes the check to verify its authenticity.
Non-profit targeted twice
In late April, the Urban Age Institute received an e-mail from a would-be donor, who asked for instructions on how to wire a donation into the agency's account. Not thinking anything unusual about the request, the group sent him its account numbers.
The "donor" used this information to print $10,000 worth of checks at Qchex. The checks were then sent to a woman in Snellville, Ga. The woman, who did not want her name used, said she had recently begun an online affair and cashed the checks at the behest of her new Internet boyfriend. She then used Western Union to wire the money to him in Nigeria, where he was supposedly working on assignment. Now she is out $4,000 and all her bank accounts are frozen, pending additional investigation.
The "donor" tried to cheat Urban Age a second time as well, by sending a $3,000 Qchex check drawn on a different account to the group and asking that Urban Age send $2,000 back via wire transfer. That set off alarm bells for McNamara, who went online to learn more about Qchex.
When she followed a link to register in order to find out more about the check she received, she found out her husband’s e-mail had already been used to set up an account. Then, she found out the non-profit’s bank account had been registered, too.
“The bank account number ... has already been registered and assigned to another Qchex user,” the site told her. “Please contact the existing account holder to obtain authorization for using the above account.”
McNamara said she couldn't believe that someone else had taken control of her checking account. "Oh my God," she recalled saying to herself. "This is unbelievable."
McNamara was able to close the Urban Age checking account before money was taken out of it to cover the $10,000 in checks, which had already been deposited into the Georgia woman's Bank of America account.
McNamara provided MSNBC.com with copies of the canceled checks, and a record of correspondence with Qchex. She said the U.S. Secret Service and the Marin County Sheriff's department were investigating. Secret Service spokesman Jonathan Cherry said he couldn't comment on any ongoing investigations. A Marin County detective confirmed he was investigating the case.
Fraudulent checks often go unnoticed
The donation check ultimately received by Urban Age had a statement where the authorized signature normally appears. "Signature not required," it read. "Your depositor has authorized this payment to payee."
Meanwhile, the checks drawn against Urban Age's accounts included the name "Edward William," and offered an address in Van Nuys, Calif., hundreds of miles from the institute's real address. No matter — the banks that cash such checks don't attempt to verify that the account number matches the name on the account.
"Banks are automated to the point where that (check) can go through the system and never be examined by a human being," said John Burnett, associate editor of Bankersonline.com, an online newsletter and consulting firm. "The bank is just hedging its bets. If the losses are not for as much money as it would cost to hire people to look at every check, it's a good bet."
No one knows how many demand drafts are written each year, because the checks are processed just like regular, signed checks, said Jack Walton, an associate director at the Federal Reserve who specializes in bank operations and payment systems. And no one knows how commonly they are used for fraud.
But the attorneys general letter to the Fed said one community bank surveyed demand drafts and found 73 percent to be fraudulent.
"One of the weaknesses in U.S. payment systems is how easy it is to create bogus checks and deposit them at a bank," said Michael Herd, a spokesman for NACHA/The Electronics Payments Association, which sets rules for electronic bank transfers.
Last year, MSNBC.com exposed a Web site named PharmacyCards.com that was creating demand draft checks and withdrawing $139 from checking accounts all over the United States. The Federal Trade Commission later sued the site and alleged it had attempted to steal $10 million with bogus demand drafts. Herd said that incident is part of the reason demand drafts are now under increased scrutiny by the Fed.
Victim blames Web site
McNamara of Urban Age said the Web site that printed and mailed the checks on behalf of the con artists should be held responsible for its role in enabling the fraud.
“[Qchex] does not verify that the person writing the checks is the actual account holder. Security is astonishingly loose,” she said. “This is awful.”
In fact, the site urges consumers to register their checking account numbers before they are claimed by a criminal.
“Registering your bank accounts with Qchex ensures no one else can setup or access your account numbers on the Qchex system,” the site advises in its instructions.
There are dozens of fraud complaints against Qchex on various consumer-oriented Internet sites; the Better Business Bureau in San Diego maintains an unsatisfactory rating for the firm owing to complaints. Qchex COO Danforth said he believed most of those complaints had been resolved and insisted "we don't like bad guys using the system."
Danforth said that while criminals have occasionally used Qchex to commit fraud, similar frauds can just as easily be committed with a home computer and a printer.
"Anybody could take any check in America and commit fraud," Danforth said. "A check is a very simple document to reproduce." Danforth said Qchex receives 10 to 15 complaints each week, but said that was only about one-quarter of 1 percent of all transactions. He said the site is adding anti-fraud measures in response to complaints, but so far, none of those measures included identity verification.
Danforth said banks should bear the blame for any fraud committed using Qchex systems.
"I would ask, 'Why the heck would the bank clear [the] checks?" he said. "What do they do to validate the checks?"
Burnett of Bankersonline.com said he had heard complaints from banks about Qchex, but would not speculate on the Web site's motives. He was critical, however, of its verification procedures.
"Clearly their unwillingness to take even the most rudimentary steps to identify who they are dealing with seems to be facilitating fraud," he said.
New regulation might help
While the Fed's Walton wouldn't comment on Qchex, he did say that a rise in complaints about demand drafts led to the proposed new regulations. Currently, demand drafts are regulated by a patchwork of state laws called the Uniform Commercial Code.
In most states, consumers who complain about a bad demand draft within a reasonable amount of time are entitled to a refund from their bank. The liability for accepting a bad check falls to the account holder's bank, called the paying bank, because in the past it was deemed to be in the best position to detect fraud.
But the rules only give the bank 24 hours after receiving the check from the institution that cashed it to make a fraud determination. That makes the work of con artists easier since banks rushing to make quick judgments often don't detect fraudulent demand drafts until a consumer complains, well after the 24-hour period.
With its new proposal, the Federal Reserve would set a new nationwide standard that would put the liability on the bank that cashes the demand draft in the first place, putting the burden on that bank to check its authenticity. In addition, the paying bank would have 60 days to return a bad check, similar to rules governing electronic payments. And consumer rights would be spelled out more specifically, as with electronic transfers such as debit card payments.
While the National Association of Attorneys General maintains that demand drafts are archaic, and accomplish nothing that electronic payments cannot do, Walton, of the Federal Reserve, dismissed the idea that they would be banned and dropped. Few payment systems ever completely disappear, even after they fall out of vogue, he said.
"There are many legitimate uses for demand drafts," Walton said, adding that even if they were eliminated, criminals would just switch to another method of thievery. "Ultimately, they will switch to something else. ... Bad actors can game any system."
What consumers should do
The irony of the demand draft system is that it may mean that simple, old-fashioned paper checks are ultimately more risky to use than an electronic payment. Walton said they are at least of equal risk. "Paper does inherently go through a lot of hands," he said. And every person who handles a check has the ability to commit check fraud.
Herd said consumers should realize that checking account numbers are just as valuable to criminals as credit card numbers and should be treated with similar care.
McNamara's brush with banking fraud left her spooked, she said. She said she had no idea someone could print checks using the organization's account numbers and now has stopped writing checks.
“I'm scared to do anything now,” she said. “Anyone sitting in an Internet cafe in Lagos or Moscow can enter your checking account number on [the Internet] and begin forging checks.”
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic