How One Small Business Survived Wire Fraud
A California escrow firm has won a $600,000 settlement over wire fraud—a victory that nonetheless highlights how tough it is for small businesses to take banks to court in these kinds of cases.
In March 2010, computer criminals hacked into the network of Redondo Beach, Calif.-based Village View Escrow Inc., a small business that acts as the guarantor of payment for residential real estate transactions, holding other people’s money until the sale of a property is complete. The e-bandits sent 26 consecutive wire transfers—a total of nearly $466,000—to 20 people around the world who were not connected to the business. (If you think this couldn’t happen to you, think again: Wire fraud is so common the FBI has taken to issuing warnings about it, and said in 2009 it had cost U.S. businesses some $100 million.)
The company sued its financial institution—Professional Business Bank of Pasadena, Calif.—alleging that it misrepresented the security of its online banking systems and so was liable for fraud. Specifically, Village View Escrow contested the bank’s notion that a user ID and a password constituted “a state-of-the-art online banking system,” and alleged that Professional Business Bank’s use of single-factor authentication meant it did not follow federal online banking security advice, which suggests multi-factor authentication. The bank is now owned by Bank of Manhattan.
On Monday, the company’s law firm, Silicon Valley Law Group, announced that Professional Business Bank agreed to pay a $600,000 settlement, avoiding a court case that could have set a precedent making it easier for small businesses to sue their financial institutions over wire fraud.
These kinds of cases are notoriously difficult for small businesses to win in court because of the Uniform Commercial Code (UCC), a federal code adopted into most states’ laws. The UCC limits the financial damages related to wire transfer fraud only to the money stolen plus interest—no claims of negligence, fraud or breach of contract allowed. This means a small business, already hurting because of money lost to fraud, has to pay for a lawsuit it could easily lose.
"Arguably, the UCC is written to protect financial institutions," Julie Bonnel-Rogers, a business litigator and trial attorney who represented Village View Escrow, told CSO Online, a computer security news site. "It virtually makes it impossible for a small business owner or a medium-size business owner to recover."
The details of the fraud also make for a sobering lesson in cybersecurity. Company owner Michelle Marsico told the Krebs on Security blog that Professional Business Bank had a policy of notifying her by e-mail every time a new wire was sent out of the company’s e-mail account. But the hackers apparently disabled that feature.
The hackers also managed to short-circuit another anti-fraud measure: a requirement that two employees sign off on any wire requests. A few days before the theft, Marsico said she opened an e-mail notifying her that a UPS package she had sent was lost, and telling her to open the attached invoice. Nothing happened when she clicked to open it, so she forwarded it on to her assistant, who also tried to have a look. It turns out the invoice concealed a program that let the hackers set up shop on Village View Escrow’s computers and plant password-stealing viruses on the two PCs.
Small businesses are frequent targets for this type of crime because they often are less security conscious than larger ones—and businesses like Village View Escrow are a prime target because the company keeps large sums of money in its accounts.
Bonnel-Rogers advised small businesses to check online banking contracts carefully. Chances are the terms are very much in the bank’s favor if there’s a dispute. There are insurance policies to cover wire transfer fraud, she noted.
"One of the most important messages is that it is extremely difficult for small businesses to bankroll litigation and even more expensive to go through a trial," Bonnel-Rogers said.
Have you suffered from wire fraud? How have you handled it?