The suit, filed on Nov. 23, alleges that Choice Escrow of Springfield, Mo., was a crime victim because its bank, BankcorpSouth, didn't provide "commercially reasonable security." Via malware, hackers stole Choice Escrow's BancorpSouth online banking ID and password and on March 17 fraudulently wired $440,000 overseas to a bank in Cyprus.
"BankcorpSouth did not offer us a commercially reasonable security method for access to our online account," says Jim Payne, Choice Escrow's manager of business development.
BankcorpSouth, a $14.3 billion bank headquartered in Tupelo, Miss., says it doesn't comment on pending litigation, and would not comment on this lawsuit, according to BankcorpSouth's corporate communications head Randy Burchfield.
Another Zeus VictimAccording to Payne, it appears Choice Escrow fell victim to a variant of the Zeus malware, which obtained access to one of the company's computer work stations. "This malware then logged our keystrokes and sent our banking log in and password information to the cybercriminals," Payne says. "This seems to have been possible by the lack of a secure online banking environment provided by our former bank."
Choice Escrow notified BancorpSouth of a problem on the day of the transfer. "BancorpSouth indicated it would not retrieve the money and would not refund us the amount taken," Payne says. After the theft, Payne and other senior staff had to scramble to come up with more than $300,000 to cover the losses. The company was forced to lay off two employees, he says, and eventually was able to secure a small business loan to cover the account's losses.
The suit alleges that the bank approved the international wire transfer for $440,000 to Cyprus, despite it creating an overdraft of $90,000 in the account, and despite that Choice Escrow had never sent any international wire transfers before this one.
Payne describes Choice Escrow as a busy company with anywhere from $18 million to $25 million each month in deposits. Because the company is small, with only a handful of staff, it didn't choose to use the bank's dual control settings for ACH and wire transactions, Payne says.
Initially, Choice Escrow decided to remain quiet about the loss. "Our thinking was it would affect the trust our customers have for us," Payne says. As time passed and it became clear that BankcorpSouth was not willing to cover the company's losses, company leaders made the decision to file suit.
Similar CasesChoice Escrow's wire fraud incident is hardly the first. Rather, it's one of hundreds of recent corporate account takeovers made in the U.S. by foreign hackers aimed at looting bank accounts via ACH and wire fraud. The typical scenario: An individual at the business receives an email that is loaded with an executable file containing malware. The unsuspecting employee opens the email, infecting the computer with malware -- most often of the Zeus Trojan variety that is designed to steal online banking credentials.
Because Regulation E doesn't cover commercial fraud losses -- only consumer losses -- businesses and municipal districts are left to make up for these thefts.
Law enforcement agencies are actively investigating these cases, and members of one criminal gang were arrested recently both here in the U.S. and in Europe.
Another escrow company, Village View Escrow of Redondo Beach, Calif., was hit in an attack in March similar to the type that hit Choice Escrow, and hackers made off with $465,000. The two escrow companies are among many cases being reported, the largest heist being one that hit a New York state school district last December for $3 million.
Some other several high-profile corporate account takeovers include:
- Hillary Machinery vs. PlainsCapital Bank -- The case of a bank suing its own customer. This suit was settled for undisclosed terms;
- Experi-Metal Inc. vs. Comerica Bank -- The concurrent case of a customer suing its bank over fraud losses;
- PATCO vs. Ocean Bank -- One of the more recent conflicts to emerge nationwide, impacting banks and businesses of all sizes;
- The Catholic Diocese of Des Moines, Iowa, fell prey to hacker who took $600,000 in August. No word yet if its bank, Banker's Trust, has refunded the stolen money.
Turning to CongressSeeking legislative help, Payne reached out to an influential member of Congress to plead for more investigation of these crimes. In a letter to Alabama Congressman Spencer Bachus, Payne describes what he sees Choice Escrow and other victims of account takeover facing when trying to get a judge to rule in their favor in such cases.
"The Uniform Commercial Code is so arcane and written at a time before cybercrime became an issue deals with 'commercially reasonable security' - which has never been defined so that we have a clear understanding of what is commercially reasonable.
"I should obviously have a greater need for online banking security than say a tire dealer who does not wire money or transfer great sums of other people's money," he tells Bachus, who will be the next chairman of the House Financial Services Committee in the 112th Congress.
For businesses facing the same threats, it is not viable or economical for the business owner to also become an IT banking security expert, Payne says. "The banks have to step up and take the lead; they have the resources and the ability to make commercial accounts safe. For the amount we lost, BancorpSouth could have implemented the Fort Knox of online banking security."