
The interview is very light on details. Is it really so plainly simple to draft from a person’s bank account using only the information on a check?


Yes. If you can trick senior citizens into giving you the information over the phone, you've got a legitimate business in the eyes of the banking industry.

This was a scam that caught my grandmother 10 years ago. The New York Times did a story on the industry:

State regulators have tried to protect victims like Mr. Guthrie. In 2005, attorneys general of 35 states urged the Federal Reserve to end the unsigned check system... But the Federal Reserve disagreed. It changed its rules to place greater responsibility on banks that first accept unsigned checks, but has permitted their continued use.

...In all, Wachovia accepted $142 million of unsigned checks from companies that made unauthorized withdrawals from thousands of accounts, federal prosecutors say. Wachovia collected millions of dollars in fees from those companies, even as it failed to act on warnings, according to records.

http://www.nytimes.com/2007/05/20/business/20tele.html

I documented my failed effort to get Washington Mutual to reverse the checks written against my grandmother's account:

http://wamublamesgrandma.blogspot.com/


Yet another reason to never ever use a big bank.


That article is horrible... I'm so sorry.


Yes. I've had my entire bank account emptied of 25,000 in the 1990's by someone of a different ethnicity and gender who had simply gone through a dozen drive-throughs of my bank in a different city to cash checks in about an hour, each in an amount under the one that would have required more attention (as explained to me by the bank; they simply wrote checks out for cash and used the memo "to purchase car"). I lived in Austin and the thief did this in Houston. I don't know if this same scheme is possible today.


Who paid the piper on that one, you or the bank? Not familiar with the laws in Texas.


I had to sign a paper in the bank swearing I did not withdraw the money and would help the bank as a witness if they found the criminal and then they gave me the equivalent amount of money in my account. IIRC it was kind of weird because they had grainy video/photos of the woman committing the crime.


Don Knuth has considered it dangerous for years. http://www-cs-faculty.stanford.edu/~knuth/news08.html


Dangerous is relative. In the US you have roughly 60 days after a statement is received to escalate fraudulent transfers out of your account. If you file a complaint within this timeframe, your money will be returned. The problem of course is that if, because that money was taken, you miss your mortgage payment or car payment or student loan payment, there could be associated fees from those lenders which you would be out. For businesses I think this timeframe may be as short as three days from the fraudulent transaction, so in those cases it's a real problem.

Generally I recommend having two bank accounts, one which is rarely used other than for deposits and functions as a backup in the event your primary account is compromised. I also recommend not using a debit card and instead getting the financial discipline to just pay off credit card balances each month, and then using credit cards for as much as you can from banks not tied to either your primary or backup checking account.


"In the US you have roughly 60 days after a statement is received to escalate fraudulent transfers out of your account."

You have 30 days from receipt of your bank statement. It's in the audio interview of which this article is an excerpt.


From the actual law:

"1. Unlimited liability applies. The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability. If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period. The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability: up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card and up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft."

https://www.fdic.gov/regulations/laws/rules/6500-580.html


"If a periodic statement shows an unauthorized transfer made with a LOST OR STOLEN DEBIT CARD"

That's very specific. When it comes to check fraud, I'm going to trust the guy who has spent his career working with the FBI on check fraud.


You can very easily avoid this by opening two bank accounts in the same bank and using the online interface to transfer just as much as you need into your working account. Don't write or even create checks for the secondary account and don't disclose the account number to anyone for any reason.


>> using online interface to transfer ...

I see where you went wrong there. Have them disallow internet access to your accounts. Easy for you, easy for hacking.


I'm amazed what banks will re-enable with a simple phone call as long as you have a name, current address, SSN, and birthdate. But yes, it's a good step to take and makes it just that much harder to compromise an account so it's a good thing to do.


The odd thing is, most people have physical access to a local branch of their bank. I know those are closing as people do more stuff online, but that's my point. We're trading convenience for security. Apparently the banking system isn't all that secure to begin with, so moving it online may really be the wrong thing to do.


I prefer two separate institutions for one reason: things like the Equifax breach. If someone attempts to impersonate you at your bank they could gain access to both accounts. If you have a 'silent' account somewhere else, they'd need to do account recovery at that location as well. The odds of that happening tend to be much lower.


I also like having two institutions, since one of the biggest threats is ATM card skimming. More machines are moving to EMV, but it's trivial for someone to set up a fake ATM or skimmer, siphon up magstripe data and PINs, and drain accounts. While you are not responsible for fraud, most institutions will freeze the account for 30 days (which is legal) while they investigate.

If that checking account has money for your rent or credit card bills, it could be disastrous.

So I use a separate account at a separate institution for my "spending money". All I use it for is to withdraw money at ATMs.


Yes, but that is also why people with money don't keep it in their checking account. Checking accounts just hold the money that you need to pay your immediate bills. Your "life savings" flow through other savings, money market, and investment accounts. So if your checking account is compromised, you do lose some money and have some hassles to go through... but they aren't going to get everything else.


If you call your bank they will ask you for your account number (found on the check), name (on the check), address (on the check), date of birth (not on the check), information about a recurring deposit or the last deposit (not on the check), and that's pretty much it. I always feel like this is something you can find out by buying someone a beer.


Once you have that first batch of data couldn't you forge the last deposit by depositing a small amount of money? After that you'd know when it happened and how much it was.


True, but that would make it pretty easy to find you unless you use someone else's account.


Yes, there is zero confirmation on stuff like ACH transfers; all you need is an account number, which is contained on the checks.


But how exactly does an ACH transfer work? I assume it can’t be done anonymously. Wouldn’t it be incredibly simple to find the culprit and reclaim the funds (using the article’s gas station clerk example)?


> But how exactly does an ACH transfer work?

If you want this from a developer perspective, the subject is discussed in great detail in the following blog post series.

How ACH works: A developer perspective - Part 1 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

How ACH works: A developer perspective - Part 2 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

How ACH works: A developer perspective - Part 3 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

How ACH works: A developer perspective - Part 4 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

and

HN Meta Discussion : https://news.ycombinator.com/item?id=7636066


I'm not a cybercrime expert, but AFAIK once the fraudulent ACH goes through it's a matter of cashing out the money (to literal cash or resalable goods) before the ACH is inevitably reverted. This leaves the recipient account with a negative balance so it can basically only be used once.


That's pretty much it exactly. You use two stolen accounts. One with a large balance, one without. ACH from one to the other with a fraudulent. Hire someone to go into the bank in person and withdraw cash. You're done.


The account to which your money is fraudulently transferred might not even belong to the criminals. They probably have access to multiple compromised accounts and can shuffle money between them to throw off investigators.
