A Taft oil producer has become a poster child of sorts for cyber fraud after suspected Ukrainian thieves managed to remove almost $300,000 from a company bank account last fall.

TRC Operating Co. Inc.'s unfortunate experience, now the subject of a lawsuit between it and Fresno-based United Security Bank, came up in a Congressional hearing last week as legislators considered the financial industry's legal responsibilities with regard to online security.

The case highlights what has become a touchy question for banks and their commercial customers: Who should take the hit when thieves manage to siphon money out of commercial accounts?

TRC's lawsuit, filed May 17 in Kern County Superior Court, claims the bank received three payment orders totaling $587,360 on Nov. 10. Believing them to be authorized by TRC, United Security processed the transactions.

Four days later, the bank received another nine payment orders on the company's account -- but this time the total exceeded TRC's wire transfer limits and so the transactions were not allowed, the suit states.

United Security contacted the oil company, learned it had not authorized any of the transfers and successfully called back all but one of the payments, a $299,600 order that according to TRC was sent to the New York branch of a Ukrainian bank and ended up with an individual named Zaluskyi Bogdan.

TRC says United Security should cover the fraudulent transfer but that the bank has refused to do so.

"TRC believes it followed every appropriate procedure and precaution. I mean, that's why we're indignant," company representative Dan Kramer said.

United Security President Dennis Woods disagrees. Although he declined to address specifics in the lawsuit, he insisted clients' deposits are safe -- as long as account holders take proper precautions.

"You do have to follow the procedures, obviously, but (deposits) are totally safe," he said.

A sizeable problem

Federal rules require banks to cover such losses above $50 on retail accounts but not commercial accounts. Some groups are pushing to change that.

According to a website set up by commercial account holder advocates, yourmoneyisnotsafeinthebank.org, 11 lawsuits similar to TRC's are in litigation.

The site says that more than $40 million was stolen from small business accounts in 2009 alone, and that since 2008, cyber theft has victimized more than 1,000 U.S. school districts, churches, municipalities, nonprofits and small businesses.

Cyber thieves use several means to steal businesses' money, ranging from malicious, undetectable software that records usernames and passwords to data breaches, look-alike websites and actual interception of online banking transactions, the site states.

A representative of the website, cyber security advocate James Woodhill, spoke at a hearing Friday of the U.S. House of Representatives' Committee on Financial Services' Subcommittee on Capital Markets and Government Sponsored Enterprises. He made prominent mention of TRC's lawsuit in his five minutes of testimony.

Woodhill said banks' commercial customers generally do not understand that their accounts are not covered against cyber theft the way retail accounts are. If they did, he said, they might take extra steps to protect themselves, such as quit online banking or even move their money.

Sharing responsibility

The banking industry has resisted calls to give commercial customers equal protection against cyber theft. Instead, it advocates "shared responsibility," a term that encourages both parties -- the bank and the business customer -- to take various steps to secure accounts.

The American Bankers Association's vice president of risk management policy, Doug Johnson, said he was present for Woodhill's testimony before Congress and that he is familiar with TRC's case, which he declined to discuss in detail. But in general, he said, commercial customers must abide by reasonable security standards agreed to by the bank and the account holder.

"If the customer doesn't abide by those standards, they are ... liable for the loss," Johnson said.

Proper security measures that may be taken by business customers include using different levels of authentication -- for instance, requiring at least two of the customer's employees to approve a wire transfer -- or using specific equipment when banking online.

Federal rules have been proposed in recent years that would extend certain protections to commercial customers. Johnson said these would remove the incentive businesses have to protect their own accounts.

Besides that, he said, banks cannot afford to cover businesses' cyber theft losses.

"At the end of the day," he said, banks and their business customers "are going to be most effective against these attacks when we are working together instead of at cross purposes."

But Kramer, speaking for TRC, said the company's lawsuit against United Security shows that banks aren't doing enough to protect their clients.

"This should be a real kind of clarion call to other businesses ... that this could happen to them, too," he said.