Business manager had a hacked email account

The bank isn’t always responsible for making you whole after a business email compromise. Indiana’s Lake Ridge Schools lost more than $120,000 from a seven-million-dollar construction fund established to build an athletic complex. The funds were stolen via a wire transfer ordered through a hacked email account. That account belonged to a business manager who was authorized to request payments.

The money was requested in the form of wire transfers to several people thought to be contractors on the project. At the time the wire transfers were requested, the business manager was on vacation, and the bank, BNY Mellon, had received an out-of-office notification days before.

Email had a different font

Lake Ridge Schools sued BNY Mellon, alleging that the bank’s failure to detect fraud amounted to culpable negligence. Lake Ridge argued that the email requesting the transfer used a different font from that normally used, and that it was unusually pixelated. And the school district pointed out that a wire transfer was unusual: their normal method of issuing payments was by check.

BNY Mellon had rejected the first request for payment the day before the successful request. Both requests came from the same hacked email account. The fraud was discovered when the bank received an additional email requesting that more funds be moved. They stopped that request before additional money was stolen.

The Lake Ridge Schools believed BNY Mellon was at fault for honoring the fraudulent email. US District Court Judge Theresa Springman disagreed and dismissed the case. She found that Lake Ridge failed to prove either negligence or misconduct on the bank’s part. The agreement between the bank and the school stated the district’s Building Corporation would assume “all risks.” Moreover, the bank couldn’t reasonably be expected to be able to determine the actual sender of the bogus transfer instructions.

When the money is gone, it is gone

School superintendent Sharon Johnson-Shirley believed that BNY Mellon should have reimbursed the school. It is common for people and organizations to lose money as a result of online fraud. It’s not uncommon for banks to reimburse losses in order to retain business and avoid unsympathetic headlines. But as fraudsters steal larger amounts through business email compromise, banks are unwilling to accept responsibility.

The Lake Ridge case differs from normal business email compromise scams in that a third party was conned, as opposed to the victim organization. No employees were duped. In this case an email account belonging to an officer authorized to order transfers was hijacked. At some point, by unknown means, the criminals obtained the access and credentials necessary to perpetrate the fraud.

Proper processes and technology can help reduce this kind of risk, but wire transfers are always fraught. It’s not like credit card fraud. Once the money is transferred, it’s usually gone. Here again, realistic, new-school, interactive security awareness training can help. It can also help organizations, like banks, who handle such requests. Alert and skeptical bank employees have stopped fraudulent transfers before. And do remind employees that credentials are always of interest to cybercriminals. This case shows why. The Chicago Tribune has the story:

https://www.chicagotribune.com/suburbs/post-tribune/news/ct-ptb-lake-ridge-lawsuit-st-1127-story.html

Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/learning-a-lesson-the-hard-way.