Hacked Real Estate Firm Can’t Claw Back $580,000 From Bank That Completed Transfer

Max Mitchell at Law.com has an interesting and rather painful story. Don’t let this happen to your organization.

“A federal judge has dismissed the lawsuit that a Bucks County real estate firm brought against Bank of America for failing to stop a more than $500,000 wire transfer that happened after one of the firm’s principals was hacked.

U.S. District Judge Harvey Bartle of the Eastern District of Pennsylvania on Tuesday dismissed the lawsuit that O’Neill, Bragg & Staffin brought against Bank of America, finding that the firm failed to show that the banking institution breached any agreement, violated federal regulations or breached the Pennsylvania Commercial Code.

“What is alleged to have happened to the law firm here is indeed unfortunate. The computer hacker, of course, is the real culprit, but is not a party to this lawsuit,” Bartle said. “For the reasons stated above, as between the law firm and the bank, the law firm must bear the loss on the facts set forth in the amended complaint.

Warminster-based O’Neill Bragg and its principals filed a lawsuit in federal court in Philadelphia against Bank of America, claiming the bank was responsible for the damage done after hackers used deceptive emails to dupe a member of the firm into transferring more than a half-million dollars to the Bank of China.

The hacker posed as a partner of the firm, Gary Bragg, according to the complaint, and emails involved a loan transaction of which the hacker seemed to have intimate knowledge.

In the correspondence, the hacker addressed partner Alvin Staffin by his nickname, Mel, making the ruse even more convincing, and asked for a $580,000 transfer from the firm’s IOLTA sub-account to the Bank of China.

Bank of America made the transfer at Staffin’s request. After the transfer was made, Staffin called Bragg to discuss it, finding out only then that Bragg had no knowledge of the $580,000 request.

“Staffin realized OBS had been victimized by a computer hacker, and immediately notified defendant bank of the fraud,” the complaint said. Judge Bartle, however, determined that the request to cancel the transfer, which came just over an hour after the transfer was confirmed, did not qualify as a “valid and timely stop payment order,” OUCH.

Full story here: https://www.law.com/thelegalintelligencer/2018/11/14/hacked-real-estate-firm-cant-claw-back-money-from-bank-that-completed-transfer/

This is another painful CEO Fraud (aka Business Email Compromise) story that could have easily been prevented by some new-school security awareness training.

Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email [email protected] to request a quote for Security Awareness Training and Phishing Testing for your organization.