A lawsuit filed by Experi-Metal Inc. (EMI) in Sterling Heights, MI alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures.
EMI contends that Comerica's actions opened its online bank account to a successful phishing attack where more than $550,000 was stolen from the company's bank accounts and sent overseas.
News of this suit comes days after news of another Dallas-based bank, PlainsCapital Bank, suing one of its customers in a dispute over a similar hack.
EMI is but one of many companies across the U.S. being targeted by hackers in this fashion. The crimes have become so numerous that federal banking regulator FDIC issued a warning about this form of fraud.
EMI vs. Comerica
The complaint filed by EMI in December in a Michigan circuit court states that for many years Comerica used digital certificates for authenticating online banking. Once a year from 2000 to 2008, the suit alleges, Comerica sent emails to EMI and other bank customers instructing them to click on a link in the email, and then log in at the resulting website in order to renew the Comerica digital certificate.
Then, in 2008, Comerica began telling its customers to adopt a different security solution -- a security token to use along with user names and passwords. The tokens would generate a random set of numbers to be entered with the customer's user name and password to access the online bank account.
The suit claims that on January 22, 2009, an EMI employee opened and clicked on links within a phishing email that said it was from Comerica. The email duped the employee into believing the bank needed to update its banking software. It gave instructions to the EMI employee to log in at a linked website that mimicked Comerica's online banking site. The EMI employee provided the site with the company's online banking credentials, as well as the code generated by the bank's security token.
The phishers quickly began moving money out of EMI's account. Between 7:30 a.m. and 10:50 a.m. the same day, they made 47 wire transfers to accounts in Russia, Estonia, Scotland, Finland and China, as well as to domestic accounts from which the funds were quickly disbursed or withdrawn.
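The transfer pattern in the complaint, dozens of wires within a few hours from one account to many countries, is exactly what a velocity check on outbound wires is meant to catch. The following is an added example and not code from the article or from either bank; the log format, account names and thresholds are assumptions, and the sample records are constructed to mirror the described burst rather than taken from the case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_wire(line):
    """Parse one constructed wire log line: time|account|amount|dest_country."""
    ts, acct, amount, country = line.split("|")
    return datetime.fromisoformat(ts), acct, float(amount), country

def find_wire_bursts(lines, window=timedelta(hours=4), max_count=5, max_countries=2):
    """Return one alert per account whose outbound wires in any sliding window
    exceed max_count or span more than max_countries destination countries.
    Thresholds are assumed values; a bank would tune them per customer."""
    by_acct = defaultdict(list)
    for line in lines:
        ts, acct, amount, country = parse_wire(line)
        by_acct[acct].append((ts, amount, country))
    alerts = {}
    for acct, wires in by_acct.items():
        wires.sort()
        start = 0
        for end in range(len(wires)):
            while wires[end][0] - wires[start][0] > window:  # slide window forward
                start += 1
            span = wires[start:end + 1]
            countries = {c for _, _, c in span}
            if len(span) > max_count or len(countries) > max_countries:
                prev = alerts.get(acct)
                if prev is None or len(span) > prev["count"]:  # keep the largest burst
                    alerts[acct] = {"count": len(span), "countries": sorted(countries),
                                    "total": round(sum(a for _, a, _ in span), 2),
                                    "first": span[0][0].isoformat(),
                                    "last": span[-1][0].isoformat()}
    return alerts

def constructed_sample():
    """Constructed records: 47 wires every 4 minutes from one account cycling
    through six countries, plus two ordinary wires from an unrelated account."""
    countries = ["RU", "EE", "GB", "FI", "CN", "US"]
    base = datetime(2009, 1, 22, 7, 30)
    lines = [f"{(base + timedelta(minutes=4 * i)).isoformat()}|EMI-OPS|{1000 + 250 * i:.2f}|{countries[i % 6]}"
             for i in range(47)]
    lines += ["2009-01-22T09:00:00|ACME-PAY|4200.00|US", "2009-01-23T09:00:00|ACME-PAY|4200.00|US"]
    return lines

if __name__ == "__main__":
    for acct, alert in find_wire_bursts(constructed_sample()).items():
        print(acct, alert)
```

A real deployment would hold flagged wires for out-of-band confirmation rather than just print them, since the stolen credentials and token code were themselves valid.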
The bank's response says that the credentials used to initiate the wire transfers were EMI's and were valid, and that the phishing website the employee visited would have been recognized as fake "to any reasonably alert person who was responsible for safeguarding EMI's financial records and digital credentials."
The bank also says its online security approach was reasonable "because they were in general used by other similarly situated customers of other banks."