Who foots the bill when bank fraud results in money being siphoned from a business account – the bank or the customer? In one recent court case, a small business managed to score a victory against a bank that lost nearly $600,000 of its money.
Some businesses have previously tried to recoup their losses after bank fraud resulted in significant amounts of money being stolen by cybercriminals. However, businesses lose many of those cases, including a 2011 lawsuit against a bank over an account that was breached after a phishing attack.
As a result of the bank fraud, Maine-based Patco Construction Company had $600,000 stolen from its account. After the bank was notified about the unauthorized transfers, it was able to block $243,000 worth of the transfers — but Patco was still on the hook for $345,000.
The company sued the financial institution, Ocean Bank, now called People’s United, claiming it failed to follow best security practices to protect its customers’ accounts. For example, the FFIEC recommends using multi-factor authentication to prevent bank fraud, but Ocean used only passwords and security questions to validate transactions.
Also, Patco argued the bank should have noticed the suspicious transfers and stopped them before they went through — the transactions were larger than those normally made by Patco and were authorized from unfamiliar IP addresses.
However, the court ruled in favor of Ocean, finding that Patco was responsible for the bank fraud because it failed to secure its log-in credentials and was at fault for the phishing attack that initially led to those credentials being stolen.
In a decision last month, though, that ruling was overturned on appeal. This time the court agreed that Ocean was behaving negligently when it ignored the warning signs of the fraudulent transactions (Cite: Patco v. Ocean Bank).
The appeals court ruling is being touted as a breakthrough for businesses that are hit by fraudsters who take advantage of weak bank security practices.