Park Sterling Bank in Charlotte is battling to retrieve hundreds of thousands of dollars it refunded to a commercial customer who was defrauded by cyber thieves.
The $2 billion-asset bank is suing Wallace & Pittman, a crosstown law firm, to recover funds the firm relayed electronically to Russia after an email that purported to be from an industry group lured someone at the firm to surrender their user name and network password, the Charlotte Observer reported.
The fraudsters used the access to install software on at least one of the firm's computers that allowed them to hijack its account at Park Sterling, according to the publication.
Masquerading as Wallace & Pittman, the thieves instructed Park Sterling to transfer roughly $336,600 through JPMorgan Chase to a recipient in Moscow. The law firm asked Park Sterling to stop the transfer after receiving confirmation of it, but the request allegedly came too late.
Park Sterling initially refunded the sum stolen but later demanded its return. Under the Uniform Commercial Code, a bank has no obligation to refund money to business customers provided the bank has "commercially reasonable" security.
In its lawsuit, Park Sterling charges Wallace & Pittman with failing to use security that would require more than one person to authorize wire transfers and that the agreement that governed the firm's account put the risk of loss on the customer.
For its part, Wallace & Pittman alleges the bank should have flagged the transfer because it was the first the firm authorized to go abroad and that the bank should have warned customers about phishing attacks.
Spokesman for both Park Sterling and Wallace & Pittman did not respond immediately to a request for comment.
The dispute, which is slated to go to trial this fall, comes amid a series of lawsuits over whether banks or their business customers should bear the risk of loss when wire transfer fraud occurs.
In March, a U.S. district judge in Missouri tossed a lawsuit against BancorpSouth Bank (BSB) brought by Choice Escrow and Land Title, which aimed to recover $440,000 stolen by cyber thieves who tapped the company's account in 2010.
The court based its ruling on the company's refusal to install security measures the bank suggested it use. "The case hinged on the whole idea that the bank offered a security option and the customer didn't want to use it," George Tubin, a senior security strategist at security company Trusteer, told American Banker recently.
The Missouri decision follows several cases of wire transfer fraud that went against banks, although judges in those rulings suggested customers could be liable in some circumstances.
The Federal Financial Institutions Examination Council recommends that financial institutions encourage commercial customers to use systems that require multi-factor authentication. "Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer," FFIEC wrote in a bulletin the council published in 2010.
Be the first to comment on this post using the section below.