<<Print>>

Bank robbers used to burst into banks brandishing guns and bearing notes demanding cash to the teller behind the window. Today, the thieves may be on the other side of the counter.

As concerns over identity theft and foreign cyberattacks rise, customers are largely in the dark about a growing threat just around the corner: bank tellers and managers with instant access not only to their critical personal information, but also to their cash.

Though much of the focus on bank fraud has been on sophisticated hackers, it is the more prosaic figure of the teller behind the window who should worry depositors, according to prosecutors, government officials and security experts.
Tellers and those who oversaw them once played a sober, respected role in towns small and large, carefully counting out bills and peering at signatures. But A.T.M.s, direct deposits and electronic banking have diminished tellers’ importance, to the point that their work is now low paidand, prosecutors say, occasionally criminal.

Rich and elderly bank customers are particularly at risk, prosecutors say, when tellers and other retail-branch employees tap into accounts to wire funds without authorization, make fake debit cards to withdraw money from A.T.M.s and sell off personal information to other criminals. Accounts with high balances and those with direct deposits of government funds, likeSocial Security payments, are especially coveted.

“It’s a rampant problem,” said Brenda Fischer, chief of the Cybercrime and Identity Theft Bureau for the Manhattan district attorney’s office. The Manhattan prosecutor’s office estimates it brings at least one case against a teller per month.

Last year, a teller in White Plains was sentenced for her role in an identity theft ring that pilfered $850,000 from bank accounts. Wiretaps revealedthat the defendants spoke in code about potential bank targets, referring to TD Bank as “touchdown” and JPMorgan Chase as “Yase.” A former teller at a Capital One branch in Maryland was sentenced in 2014 for gaining access to seven accounts and passing customer information to a co-conspirator who drew checks on the accounts.

Across the country last year, cases included a former Pennsylvania teller sentenced for withdrawing money from accounts; a former Manhattan teller sentenced for using information to receive tax refunds that he routed to himself; a former Connecticut teller who took cellphone photos of account information, and used that to cash fraudulent checks; and a formerVirginia credit-union teller who took out loans from the union in customers’ names. The money she stole ultimately led to the credit union’s collapse.

Other lower-level employees who work at bank branches may have too much access to customer information, prosecutors say: In December, prosecutors in Brooklyn obtained indictments against two bankers who worked at retail locations of JPMorgan Chase in the borough, saying they withdrew roughly $400,000 from accounts through fake A.T.M. cards and in-person withdrawals.

Bringing charges against tellers and low-level managers can be challenging, prosecutors say, because of banks’ lax security controls and gaps in regulation.

One Chicago-area teller jumped from Washington Mutual to LaSalle Bank to Fifth Third before he was caught, withdrawing over $2 million along with his co-conspirators.
The crew rerouted customers’ addresses to mailboxes they controlled, created driver’s licenses in customers’ names to open credit cards, and even created fake businesses so they could buy credit-card terminals — then approve the fake charges they had rung up.

Despite the sums at stake, executing the crimes can be easy, prosecutors say. Many of the tools that criminals need, like a card printer, are just a mouse click away, available for purchase for a couple of hundred dollars on the Internet. And videos that detail the mechanics of the scams circulate online in a kind of underworld collection of do-it-yourself segments.

Tellers and employees at retail branches, who can gain access to a customer’s information with a few taps of a keyboard, are at the centers of the schemes. Last year, for instance, Peter Persaud, an employee at a Chase branch in Brooklyn, sold customer information to an informer for $2,500 per customer, according to federal prosecutors.

Mr. Persaud has pleaded not guilty; the case is continuing.

In other cases, the tellers are just the conduit. Thieves are bribing them to hand over personal data that thieves use to drain money from accounts and make debit cards, checks and credit cards in customers’ names.

Tellers, who are paid modest salaries, can be particularly vulnerable to bribes, security experts say. According to the Bureau of Labor Statistics, the median annual income for tellers in 2014 was $25,760, a salary that prosecutors say does not match the high-risk nature of their jobs.

One thief, for instance, offered tellers an array of perks, including jaunts on private planes, limousine rides, manicures and one-on-one meetings with famous athletes, in exchange for customer information, according to a 2011 indictment from prosecutors in Charlotte, N.C. Four years later, the same man ran into trouble again when federal prosecutors indicted him over accusations that he used confidential information from Wells Fargo customers to withdraw roughly $100,000 from accounts.

Despite their importance, tellers and many low-level bank employees are not subjected to rigorous background checks.

Under laws passed in the aftermath of the Sept. 11 attacks, banks are required to thoroughly vet their customers and closely monitor accounts to detect any suspicious activity. The same level of scrutiny does not always apply to the tellers, according to prosecutors. Sometimes, little more than a basic criminal-background check is performed,

Many banks simply close a fraud investigation once a teller resigns, allowing the former employee to move on to another bank, security experts say.

To keep their illicit activities undetected, the tellers, prosecutors say, often keep unauthorized withdrawals below $10,000, the threshold that sets off another layer of review under banking laws. Especially in accounts with large balances, the thefts can go unnoticed for years.

State laws intended to prevent identity theft have not kept pace with the sophistication and scale of the crimes, a lag that can hamstring prosecutors.

Under New York law, for example, prosecutors cannot bring charges against criminals for the total amount of money stolen from multiple banks, which would result in more serious charges and sentences. Instead, they are required to treat each bank as an individual victim.

More than money is at stake. Personal identification information — Social Security numbers and addresses — can be trafficked on the black market, where thieves sell vast collections of data to the highest bidders.

“All of your personal information is suddenly in the wild,” Ms. Fischer said.

Controls at banks have sorely lagged, security consultants say.

Kevin Streff, managing partner at Secure Banking Solutions, a security consulting firm, said the sluggish controls came, in part, from banks’ outdated view that tellers handled only low-risk transactions. “The banks are still too trusting of the individuals they employ,” Mr. Streff said, adding that banks tend to err on the side of giving tellers too much access.

Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association, said that banks, recognizing the thefts can cause “substantial reputational risk and strain relationships with customers, are committed to guarding against these attacks by sharing information about problematic tellers and instituting more monitoring of accounts.” Mr. Johnson said some banks were restricting the amount of information tellers could get into.

This summer, New York’s attorney general sent a letter to some of the biggest banks, including JPMorgan Chase, Bank of America and Wells Fargo, urging them to reduce tellers’ access to crucial customer information. New tellers usually had “unlimited access to financial institution customers’ account data,” the attorney general, Eric T. Schneiderman, wrote.

Despite the warnings, progress has been slow. “There is a reluctance to provide real oversight, rigor or even security training because it costs time and money,” Mr. Streff said.

For now, banks generally address the issue by reimbursing customers for any losses.

Even when banks put in controls, employees may find ways around them. In a January 2015 conversation recorded by the Federal Bureau of Investigation, Peter Persaud, the Chase employee at a Brooklyn branch, discussed his methods. If Chase questioned the withdrawals, his name might surface as they looked at who had reviewed the accounts, he said, so he would “see if I can get somebody else that could look up” names, too. Two weeks later, he said that he had to be careful about whose accounts he reviewed: “I got to have a reason to be in that account,” he said, adding an expletive.

Mr. Persaud was suspended from Chase in February 2015, he told the informer, adding, “I can’t get nothing while I’m suspended.” However, in March, Mr. Persaud called the informer again. He said he had been reinstated and would sell the information in four Chase accounts for roughly $16,000.