Jun 17, 2011 16:06 GMT

A judge has sided with a company that lost over $500,000 to cyber fraudsters, ruling that its bank is liable for failing to act in good faith.

The problems started for Experi-Metal Inc., a business based in Sterling Heights, Michigan, back in January 2009 when fraudsters obtained access to its online banking account and initiated fraudulent transfers.

The attackers didn't use specialized malware like ZeuS or SpyEye, but a phishing email crafted to appear as originating from the company's bank, Comerica.

Minutes after the company's controller entered login credentials and a special one-time-use code generated by his hardware token into the fake Comerica Bank website, attackers started siphoning money out of the account.

Over 100 fraudulent wire transfers to banks in Estonia, Finland, China, Russia and Scotland were processed by Comerica until the fraud was stopped.

The bank managed to reverse some transfers, but $560,000 remains unrecovered. Experi-Metal sued Comerica and claimed that the bank failed to block 20 transfers even after becoming aware of the fraud.

The judge sided with the company and noted in his ruling that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."

The exact sum that Comerica will be forced to pay has not been decided yet, but the ruling is in direct contradiction to one given earlier this month by a Maine district court in a similar case. In that case, the judge sided with the bank and ruled that it is not liable for the fraud.

Unlike consumers, who are reimbursed for fraud, companies don't enjoy the same protections by law. Because of this, they need to be much more careful about their security. Online banking should be performed from a dedicated computer or operating system instance.