Marci Horn's three small children needed her attention more than ever. Her husband's sudden death had left her their only caregiver. Suddenly, the 39-year-old Bethesda, Md., woman had to do all the hugging, all the talking, all the earning — and for the first time she had to take care of the family finances.
So when she received an e-mail that appeared to be from SunTrust last November, she was confused. The e-mail asked her to update her account information. She ignored it, and several others.
"But they became more and more urgent," she said.
So finally, to get SunTrust off her back, Horn clicked on the link and filled out the form.
"I was trying to be responsible, trying to take care of everything," she said. Instead, she found herself in an even bigger hole. A few days later, when she went to withdraw money from her checking account, it was $800 overdrawn.
Within one day, Horn said, her account information had made its way all around the former Soviet Union. A Fraud Charge List she received from the bank, which she showed MSNBC.com, reveals a remarkable pattern. A $114.04 withdrawal from Obolensk, Russia — then another, the same day, for $380.13. Three days later, there's a $190.21 withdrawal made in Kyiv, Ukraine. Then a $380.09 withdrawal in Domashna, Latvia. Eventually, along with other charges, there are $224 in non-sufficient funds charges. The tab ran up to $3,000.
Horn believes someone used her information, gleaned from the responses she gave to that one e-mail, to print up clone ATM cards. The cards were then used to make withdrawals at money machines. The scam is called “white card” fraud.
Last week, MSNBC.com reported that white card fraud is on the rise, and some banks weren't doing all they could to protect consumers. But you can get a refund from the bank if it happens to you — even if the bank at first tries to make you pay for the fraud.
Your rights explained
Federal banking regulations provide broad protections to consumers like Marci Horn, even when they accidentally surrender bank account information and PIN numbers. But consumers who are unaware of their rights might end up unnecessarily footing the bill.
Initially, Horn assumed all was lost because she had fallen for the e-mail trick, known as phishing.
"I figured it was all my fault, there was nothing (the bank) could do," she said. But she followed up with SunTrust anyway, and after three weeks, the firm had refunded her money. SunTrust spokesman Hugh Suhr refused to discuss Horn's case, citing customer privacy.
Horn's case is covered by what's known as "Reg E," a set of regulations issued by the Federal Reserve that governs all manner of electronic transactions. That includes online banking, ATM withdrawals and debit card payments. The rules bear some similarities to those regulating credit cards — where consumer liability is capped at $50 — but there are some important distinctions. In short, consumers who don't act quickly in the face of an ATM or debit card fraud face the possibility of losing everything in the checking account.
Horn got her money back because she went to the bank immediately after discovering the losses. When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.
Negligence doesn't reduce consumer rights
The rules are designed to encourage consumers to feel safe about electronic transactions, says John Burnett, an editor at BankersOnline.com.
“Word from the Fed is that if someone gets hit with this then the customer has been tricked, and the transaction is unauthorized and the consumer is protected,” he said.
Even in a case where consumers are slow to report the fraud, there is protection in place. Consumers who fail to tell the bank when a fraud shows up on their statement face unlimited liability only for money stolen after that 60-day window closes. Liability for thefts before 60 days is capped at $500. And since most frauds happen over a couple of frantic days, as in Horn's case, consumers generally get refunds.
“When it’s an ongoing, repeat fraud, then the customer can end up being responsible if they fail to contact the bank,” Burnett said. "But usually, they are covered."
That coverage extends even if the consumer accidentally gives away the keys to their financial kingdom, such as answering a phisher's e-mail. There are many reasons people take a phisher's bait. Horn was under stress, and the SunTrust e-mails looked real. A spokeswoman for the Federal Reserve said banking regulations protect consumers even when they make mistakes — even mistakes such as writing their PIN number down in a place where a crook can find it. She referred all questions to the Fed's staff opinion on Reg E, which is posted on a federal government Web site.
“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E,” the opinion indicates. “Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers.”
Credit cards vs. debit cards
The rise of debit cards, sometimes called check cards, has increased the importance of Reg E to consumers. The distinction between credit cards and debit cards is often confusing for consumers, because they appear identical at the store checkout stand. But debit card payments are immediately deducted from a consumer's checking account, meaning fraud victims are in the position of needing a refund, rather than simply disputing a charge. It also means debit card transactions are governed by Reg E, rather than credit card consumer regulations, which are more generous to consumers.
Reg E says consumers must be given a temporary credit within 10 days while the bank investigates the potential fraud, but many banks offer such temporary refunds even more quickly. Bank of America spokeswoman Betty Reiss says her firm usually issues such "provisional" credits within two or three days.
Still, because debit card payments are considered an electronic transaction, consumers are potentially liable for the entire fraud if it goes unreported.
The distinction is important in cases of massive data theft, such as the exposure of 40 million credit cards by CardSystems International earlier this year, said Avivah Litan, a researcher at financial industry security consulting firm Gartner Inc.
"There are debit cards in there with the credit cards," she said. "And consumers dealing with fraudulent charges on their debit accounts have a different problem."
In Horn's case, if the criminal used her personal information to print up fake debit cards and made purchases at retail stores rather than withdrawing cash, she would face the same procedure in her quest for a refund.
It's not clear how common these types of mysterious checking account withdrawals are. Banks don't publicly disclose fraud numbers, but there is some evidence that such fraud is on the rise. The Anti-Phishing Working Group, which is sponsored by the financial industry, says e-mail attacks continue to rise, with more than 15,000 distinct phishing spam campaigns in June, a record. And a Gartner report issued last month, based on consumer survey responses, estimated that 3 million people nationwide have experienced an unauthorized transaction out of their checking account. About 12 percent of those consumers reported they hadn't received refunds, the report said.
There are other signs that mysterious withdrawals using counterfeit debit cards and other nefarious means are a real problem. One of the more high-profile credit card hacker cases, in which BJ's Wholesale Club allegedly exposed 8 million credit cards, led to a settlement with the Federal Trade Commission filed last month. In its complaint, the FTC said there was evidence that counterfeit card use was rampant at BJ's.
“Beginning in late 2003 and early 2004, banks began discovering fraudulent purchases that were made using counterfeit copies of credit and debit cards the banks had issued to customers,” the complaint says. “The customers had used their cards at (BJ's) stores before the fraudulent purchases were made, and personal information (BJ's) obtained from their cards was stored on (BJ's) computer networks. This same information was contained on counterfeit copies of cards that were used to make several million dollars in fraudulent purchases.”
Refunds not automatic
Despite the protections, and the news of increased fraud, some consumers still have to fight for refunds.
Nicole Ball, who works for Fox television near Los Angeles, says she had her account drained of $1,000 in early May. Initially, Bank of America issued her a provisional credit for the amount, then began to conduct an investigation. Two weeks later, the bank took back the money, saying they blamed Ball. The withdrawals were made from a cash machine using an ATM card and the correct PIN, the bank said, so she must have authorized the transaction.
“We believe these transactions were made by you or persons authorized by you due to the fact that your PIN was used,” says the letter, a copy of which was shown to MSNBC.com. Bank of America's Reiss said she couldn’t discuss the specifics of the case.
But Ball believes she was a victim of “shoulder surfing” at an ATM, and that her PIN and card information were stolen by someone who managed to monitor her at an ATM machine. After sending 15 pages of documentation proving she wasn’t anywhere near the ATM machines where the withdrawals were made, Bank of America refunded her money.
“People thought I was crazy every time I described this scam when it happened to me. I started to think that I was losing my mind,” Ball said. “I heard all the famous phrases ‘You authorized these transactions ... you gave someone your PIN ... it had to be you ... we will not reimburse.’”
Banking consultant Tom Trusty says it's common for bank employees to initially react to these kinds of fraud with skepticism, in part because they are so new. Consumers should know the bank might initially try to blame them. “Your PIN was used, so it must have been you,” is a common first-reaction defense, he said.
That’s why it’s important for consumers to know their Regulation E rights when they go to a bank to complain.
“You’ve got to stay on them. They will try to tell you it’s your fault,” Trusty said. "You have to keep at them."