A US court has ruled that Comerica Bank is liable for a $560,000 (£350,000) cyberheist, saying the bank should have done a better job to spot millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.
In a June 13 decision, the court ruled in favour of Experi-Metal, a custom car parts maker that had sued Comerica after the January 2009 incident. In just a few hours, criminals tried to move millions of dollars to Eastern Europe, before Comerica's fraud department shut down the scam.
Most of the money was recovered, but in his ruling Judge Patrick Duggan of the US District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. A "bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Judge Duggan wrote in his ruling.
Experi-Metal's troubles started in the early morning hours of January 22, 2009. That's when the company's vice president of manufacturing, Gerry King, received a phishing email telling him to fill out what appeared to be a mundane piece of online paperwork: a "Comerica Business Connect Customer Form." He forwarded the email to Controller Keith Maslowski, who then logged into a website belonging to the criminals. With Maslowski's login credentials, the criminals were off and running. Over the next six-and-a-half hours they raced to steal as much of Experi-Metal's money as they could before their window of opportunity closed.
Comerica learned about the problem about four hours into the fraud, when JP Morgan Chase called to report some suspicious transactions coming into its accounts from Experi-Metal's account. A much larger bank, Chase could move money overseas, so the criminals were funnelling money into Chase accounts in order to then transfer it to Russia and Estonia.
Comerica's fraud department immediately took away Experi-Metal's account, but they made a mistake. They didn't knock the fraudsters off the Comerica server. Still logged in, the criminals managed to initiate another 15 wire transfers before a Comerica quality risk manager finally killed their session. That final push netted the criminals nearly $50,000.
After Comerica refused to cover the $560,000 loss, Experi-Metal filed suit, arguing that the bank should not have allowed the transfers. Comerica countered that since Experi-Metal was the company that was phished, it should have to pay.
Judge Duggan has ruled in Experi-Metal's favour in a bench opinion, but he has not yet said how much Comerica must pay.
The Michigan court's decision is important because US courts are only now starting to decide who should pay for these scams, known as Automated Clearing House (ACH) fraud. Security experts believe that ACH scammers have made hundreds of millions of dollars over the past few years, typically hitting small businesses, school boards and community organizations that work with smaller regional banks.
The hackers steal the online banking credentials of company employees and then quickly move hundreds of thousands of dollars out of accounts using the ACH system, which was created to move money such as payroll funds.
Consumers aren't liable for this type of fraud, but that's not the case when it comes to small businesses. In fact, despite this week's ruling it's really not clear who must pay after ACH fraudsters strike. Just last week another judge ruled in favour of the bank in a similar incident.