On a regular basis, cybercriminals are creating hardship for businesses and consumers. Have you heard the story about a Texas company that was struggling to get its bank to pay for a $50,000 cyber theft?
You will want to hear about it if you own a business. An August 2010 post by security blogger Brian Krebs will shock you.
“Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas,” wrote Mr. Krebs.
“Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line,” he explained.
Ostensibly, the comments in the deposition are locked up, but the lawyers maintained the bank was guilty of security incompetence, and a lawsuit was probably the next step.
“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.
The fraud apparently began when Hi-Line processed its $25,000 payroll, according to Gary Evans, the firm’s president.
“After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24,” explained Mr. Krebs.
“Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn’t shown up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank’s site would not accept his password,” he added.
“When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said ‘Why are you all pulling my payroll out three times?’”
Mr. Krebs quoted Mr. Evans about his recollection of how he came to realize his firm had been robbed. “At the time, as I was resetting my password, I had to scroll through the bank’s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.”
Bank should have taken notice?
“Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches,” wrote Mr. Krebs. “He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.”
The blogger says Community Bank did not respond to his request for a comment, but its deposition claims the cybercriminals “had infiltrated Evans’ computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.”
Mr. Krebs indicated the thieves pulled it off with the unknowing help of what are called money mules.
“Among those lured into the scam was Josh Enlow, a 28-year-old gas station attendant in Phoenix,” he wrote. “Enlow said he was hired by an entity calling itself The Total Group Co., which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an ‘accounts payable’ position?”
Reportedly, Mr. Enlow received several fund deposits and was asked to forward the money.
“He then wired the money to individuals in Eastern Europe as instructed, he said,” wrote Mr. Krebs.
Burden of proof
“If the customer wants the bank to reimburse it for fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable…” says IT security expert Stan Stahl, Ph.D. (citadel-information.com).
“The result, all too often, is that the customer has little choice but to sue the bank,” he adds.
But Dr. Stahl says there are reasons for such victims to hope:
“There’s a very good chance the bank’s procedures fail the test of commercial reasonableness,” writes Dr. Stahl.
But he adds the burden of proving a bank is at fault is “huge.”
He says one solution is cyber theft insurance.
He’s right, of course. My counsel is also to have a top-notch security advisor perform due diligence, and to make sure you really know your bank.
And, oh yes, Mr. Evans at Hi-Line Supply Inc. eventually settled with the bank for the loss. But Mr. Evans changed banks after the ordeal and the bank lost a good customer.
“Privacy is not for the passive.”