Judge Rules Against Bank in Business Phishing Case

Though businesses do not have the same legal protections that consumers have in limiting their liability for fraudulent transactions, a judge has decided that a Michigan metals shop should not be on the hook for half a million dollars in fraudulent transfers.

The company, Experi-Metal Inc. of Sterling Heights, was fooled in 2009 by a phishing email that impersonated Comerica Bank. The scammers tricked Experi-Metal's controller into handing over the login credentials for the company's bank account, including a one-time passcode generated by a security token, and used them to get in. They then initiated transfers totaling $1.9 million, all but $560,000 of which was recovered.

Experi-Metal sued its bank, alleging that Comerica's detection of and response to the fraud were inadequate. For example, although the bank spotted the fraudulent transfers within four hours of the attack, it did not stop the transfers that took place after that point.

On June 13, Judge Patrick J. Duggan wrote in his decision that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise."

A spokeswoman for Comerica Inc. of Dallas said in an email that its security measures, including the use of a token, comply with the Federal Financial Institutions Examination Council's guidelines for strong authentication. The bank also expects the judge's decision will be reversed by an appellate court, she said.

Security reporter Brian Krebs said in his "Krebs on Security" blog Friday that this decision, in the U.S. District Court for the Eastern District of Michigan, conflicts with a Maine decision that might put Patco Construction Co. of Sanford on the hook for $345,000 under similar circumstances.

The Michigan decision has not yet specified how much Comerica should reimburse Experi-Metal, and the Maine decision, a magistrate's recommendation, has not yet been adopted by the U.S. district court, Krebs noted.

The two decisions may not affect other lawsuits, as "case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made," Krebs wrote. "Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them."
