Charlotte-based Park Sterling Bank is suing a local real estate law firm to recover the six-figure sum it initially reimbursed the practice after a fraudulent wire transfer sent the firm's money to Russia.
Wallace & Pittman PLLC, which has its office in SouthPark, had been the victim of a phishing scam that gave hackers access to the firm's computers in May. The Charlotte bank and its former customer are now ensnared in a legal battle to determine who should have to bear the loss.
The case puts Park Sterling's online security under legal scrutiny at a time the banking industry's information technology capabilities have come under increasing pressure.
The nation's largest banks have found themselves the victim of larger and more sophisticated cyberattacks that have crippled their websites for hours at a time. Mid-tier banks and their small-business customers also are becoming increasingly targeted by this type of phishing scam, industry experts say.
The suit also comes as courts across the country are coming to different decisions on what constitutes a reasonable security system for online accounts.
Both Park Sterling and Wallace & Pittman declined comment.
Money to Moscow
The scam began with a round of emails purporting to be from an industry group saying that a transaction hadn't cleared properly, according to the lawsuit. These emails directed readers to click on a link to resolve the problem.
Using the emails, hackers were able to install a keylogger (a program that tracks a user's activity) on at least one of Wallace & Pittman's computers.
After figuring out the law firm's online banking passwords, the hackers directed Park Sterling to send a $336,600.01 transfer through JPMorgan Chase & Co. to a Konstantin Pomogalove in Moscow, according to a legal document filed by the law firm.
Wallace & Pittman received a confirmation of the transaction and immediately called Park Sterling to stop it, but it was too late, the suit states. The bank initially refunded the amount stolen.
But later that month, executives demanded it be returned. State and federal law does not force banks to reimburse money lost through fraudulent activity for commercial customers if the bank has reasonable security in place.
Before Park Sterling could debit the amount, Wallace & Pittman obtained a restraining order against the bank, drained the account and closed it, sparking the lawsuit.
Park Sterling's lawsuit argues that Wallace & Pittman declined to use a layer of security that would require two people to authorize wire transactions, and says the request appeared legitimate. The bank also argues that its customer agreement for the type of commercial account Wallace & Pittman used puts the burden of loss on the customer.
The law firm regularly uses wire transfers to send clients' money at the close of a real estate transaction. But this was the first to go outside the country, Wallace & Pittman said in legal filings. The firm argues that should have raised enough suspicion to put a hold on the transaction.
Wallace & Pittman also argues that the bank should have warned the firm about phishing attacks, and said the bank's security was not adequate.
The two parties have until the fall to prepare for a trial, according to the latest order from the judge overseeing the case.
Case law evolving
Should the suit go to trial, it would come as courts around the country have ruled differently on similar cases.
Cases decided in 2011 and 2012 found that banks could be held liable for losses after fraudulent wire transfers, placing a higher burden on banks' online security practices, according to a memo sent to the N.C. Bankers Association by Raleigh law firm Poyner Spruill.
But a Missouri court ruled last week in favor of a bank that argued its customer opted out of its dual-authorization security measure.
These cases have become increasingly common since these types of phishing scams against bank customers began in earnest in the early 2000s. Scammers originally targeted large banks, lured by their large numbers of customers. The large banks quickly ramped up their security, and regulators issued their first security standards in 2005 and strengthened them in 2011.
Smaller banks and their small-business customers have become one of the most attractive targets for scammers. Smaller banks tend to be a step or two behind their larger peers in security, said George Tubin, senior security strategist at cybercrime prevention firm Trusteer. And small-business customers don't have as much invested in cybersecurity as a large corporation.
"Most small businesses are not in the business of really understanding cyberfraud and what they need to do to defend themselves," Tubin said.
"They have as much knowledge of security as the average consumer does, but they have a lot more money in their accounts. The criminals really target them."
Dunn: 704-358-5235 Twitter: @andrew_dunn