Banking insiders leak customer account data as scams increase

The new employee was supposed to help Toronto-Dominion Bank track down money laundering from a New York outpost.

According to prosecutors in Manhattan, she instead used her access to banking information to distribute customer data to a criminal network on Telegram. Local detectives who searched her phone reportedly found images of 255 customer checks, along with other personal information on nearly 70 others.

It’s part of a little-noticed pattern emerging across U.S. banking — from towers in Manhattan to hubs in Florida and even the Louisiana suburbs.

While sophisticated scams targeting Americans’ life savings make headlines across the US, the industry’s lowest-paid workers continue to be caught selling sensitive customer information through the back door – emerging as a critical weakness in banks’ corporate risk management.

That’s an uncomfortable trend, as companies steadfastly argue to policymakers and the public that customers bear the primary responsibility for ensuring they are not robbed of their savings. While many scams target people seemingly at random, some victims say the scammers who duped them knew a lot about their finances from the start.

“The more employees there are within a company with access to sensitive customer information, the greater the risk that access will be misused,” said RJ Cross, a privacy advocate at the US Public Interest Research Group.

“Companies must take technical measures to ensure that employees and contractors cannot make off with people’s information or access data that is not necessary for their work.”

The warnings have been sounding for years.

Nearly a decade ago, then-New York Attorney General Eric Schneiderman publicly urged major lenders, including JPMorgan Chase & Co, Bank of America Corp and Citigroup Inc, to strengthen internal defenses after an investigation found that an identity theft ring had employed tellers from the industry. That built on a broader investigation from his office that found leaks by corporate insiders were already on the rise, with data “often obtained solely for fraudulent purposes.”

Such concerns now take on new urgency. US retirees with record wealth are facing an onslaught of elder fraud, with estimated annual losses exceeding US$28 billion (RM125.06 billion). For scammers, tips about who has a lot of money can be invaluable.

Meanwhile, bank lobbyists are fending off legislative attempts to force companies to do more to protect customers or share their losses.

The recent wave of cases shows that banks have not yet figured out how to prevent employees from trying to make money from their access to highly valuable and sensitive customer information. Some connect on social media with local conspirators for schemes as mundane as forging checks. Banks usually make these victims whole. But in recent years, more and more sophisticated scams have emerged, often leaving customers to bear their losses.

A few prosecutions, like the one against Wade Helms of Navy Federal Credit Union, illustrate how far data can flow.

Authorities in Escambia County, Florida, accused Helms of writing personal information about customers in a notebook, creating a handle for himself on the dark web and disclosing that he was looking for a buyer for customer information at Navy Federal, the largest U.S. credit union. In one chat room, Helms found someone claiming to be a broker for stolen data. The two allegedly spoke by telephone and then continued the conversation on a PC that Helms kept next to his desk.

The broker “wanted high-dollar account information because it would be easier to sell on the dark web,” according to an affidavit for an arrest warrant for Helms. The broker created Telegram pages called “Navy Wave,” where screenshots of customer accounts were posted. Some were provided by Helms, who took screenshots of customers’ bank statements and photos of their identification, according to the warrant.

“Navy Wave” had multiple handles starting with @ScammingServices with over 2,700 subscribers. By the time the credit union’s internal security discovered the breach, Helms had reportedly exposed as many as 50 accounts. At least five posts on the “Navy Wave” pages contained Navy Federal accounts that Helms provided.

In a deal with prosecutors, Helms pleaded no contest this year to 11 charges, including illegal use of personal identification, and was sentenced to 10 years’ probation. He was also ordered to repay about US$9,100 (RM40,651) to Navy Federal.

An attorney for Helms did not respond to messages seeking comment.

“Navy Federal takes all necessary precautions to protect the personal and financial information of our members,” a credit union spokesperson said in a statement. “We continually strengthen our processes to ensure member information remains confidential and continually monitor member accounts for unusual activity.” The lender said it was working with police to secure a conviction.

Incentivizing companies

Adapting to crime trends is a challenge for companies, especially as they expand their workforces by thousands of employees, including in jobs with high turnover, said Jonathan Lopez, a former federal prosecutor who specializes in banking crime cases.

“It may not be about a flawed program in many cases, but the sheer number of people involved,” said Lopez, a partner at Jacobson Lopez in Washington. “While zero fraud rates may be impossible, institutions should be incentivized to continue striving to bring their fraud and insider fraud rates as close to zero as possible.”

TD Bank’s recent US$3.1 billion (RM13.84 billion) settlement with US authorities over failure to prevent money laundering found that managers’ focus on costs had contributed to weak internal systems. The result was a wave of crime that went largely unnoticed until federal investigators tracking fentanyl sales on the East Coast took a closer look at the bank.

The investigation revealed that several branch-level employees accepted bribes in the form of cash and gift cards to open accounts and issue debit cards that were then used to move money into Colombia through ATMs.

The heightened scrutiny also revealed that a New York-based branch manager stole more than US$200,000 (RM893,477) from an elderly customer, using account details and a fraudulent email address to siphon off funds even after the retiree died. The banker, later fired by TD, admitted to the crime and was sentenced to more than a year in prison. His lawyer said he stole the money to pay his son’s college tuition.

In September, authorities in New York targeted Daria Sewell, a new hire in TD’s anti-money laundering operations, accusing her of saving images of customer checks on her phone. The breach exposed accounts to a network of New York-area fraudsters who were charged in a US$500,000 (RM2.23 million) check fraud scheme, according to the Manhattan district attorney’s office.

Investigators said Sewell distributed information on Telegram with instructions on how to open bank accounts and transfer money from the TD accounts to these accounts. Recipients then allegedly shared the proceeds with her.

Sewell has pleaded not guilty to unlawfully possessing personal information. An attorney representing her did not respond to messages seeking comment.

“In both cases, the employees were terminated and we cooperated fully with authorities in their investigations,” a TD spokesperson said in an email. “As we have consistently said, these individuals are not representative of our 30,000 colleagues across the U.S. who serve our customers with integrity.”

Fraud ring

Outsourcing could cause more cracks in banks’ defenses.

In Louisiana, federal prosecutors have traced a check fraud scheme to employees of the international call center Teleperformance, where three employees in Shreveport were accused of selling account information for elderly USAA customers.

The scheme lasted nearly two years, with the three — Arazhia Gully, Maya Green and Zarrajah Watkins — joining in and offering information about customers with high account balances to a network of more than a dozen others, federal prosecutors said. Some recipients used counterfeit checks to withdraw money. Some of the proceeds were later deposited into the personal account of a Teleperformance employee and withdrawn from a nearby casino.

Trading that data was akin to ordering from a menu at a restaurant, with outsiders choosing which accounts to exploit.

In one example provided by prosecutors, Gully sent a conspirator a text message with the ages and account balances of eight USAA customers. The person replied with their choice: a 79-year-old with US$442,000 (RM1.97 million). Gully then sent a photo of a computer screen with detailed account information. Another victim was a 95-year-old with US$174,000 (RM777,265).

“We cooperated fully with authorities to assist in the investigation and terminated the employees as soon as we became aware of the incidents,” Teleperformance said in an emailed statement. “We work closely with our customers to ensure that we minimize our employees’ access to customer account information, ensuring that only the access necessary to provide the services is available and the risk of fraud is kept to the lowest possible level.”

A USAA spokesperson declined to comment.

The three Teleperformance employees have pleaded guilty to a bank fraud conspiracy and are awaiting sentencing. Attorneys for Gully and Watkins declined to comment.

Green’s attorney, Joey Greenwald, said his client was low-level in the network and was paid only a few hundred dollars for taking screenshots of accounts.

Greenwald said he was surprised his client could see so much information, noting that she had a 10th-grade education and worked from home: “They hooked her up to a computer and a phone and she had all this access to customer accounts.” Greenwald said he is not aware that Green has received any training on how to handle the data.

“It was pretty awful to trust her with this kind of information,” he said. –Bloomberg