All eyes are keenly watching how the Kingsport based firm\u2019s case against its bank over a cyberheist\u00a0will turn out. A cyberheist targeting an industrial and construction firm left it with a loss of\u00a0$327,000. The firm is now suing its bank to recover the stolen money. In its suit, the firm alleges\u00a0that the bank was negligent and even breached their mutual contract.<\/p>\n
Tennessee Electric Company (now called TEC Industrial) is based in Kingsport, Tennessee. In May\u00a02012, cyber attackers targeted the company and managed to siphon off $327,804 from its corporate\u00a0account. The criminals used a host of networked money mules to steal from its bank accounts based\u00a0at TriSummit Bank.<\/p>\n
Of the $327k stolen via wire transfer, TriSummit managed to recover $135,000. This meant that\u00a0TEC was left to mourn a loss of slightly more than $192,000. Sometime after the dust had\u00a0seemingly settled TEC went to court claiming that the bank had acted negligently, fraudulently even\u00a0concealed some information and also breached a contract.<\/p>\n
Neither the bank neither Tennessee Electric wanted to comment on the issue when contacted.\u00a0However, in mid 2012, a mule (beneficiary) of thousands of the siphoned monies from TEC\u2019s\u00a0TriSummit bank accounts admitted to having received the monies.<\/p>\n
Through the complaint that Tennessee Electric made, the criminals first attacked on 8 May 2012.\u00a0The company lays this claim based on the fact that they had tried to log into their account via the\u00a0bank\u2019s website to upload that week\u2019s payroll to no avail. The company\u2019s controller called the bank\u00a0to ask why they couldn\u2019t access their account online. The bank informed the company that it\u2019s\u00a0probably because the site was under maintenance and suggested to the company\u2019s controller to visit\u00a0the local bank branch to execute the payroll upload physically. The company\u2019s weekly payroll often\u00a0falls between $200,000 and $240,000. However, this time, the controller uploaded $202,664.47 at\u00a0the bank.<\/p>\n
Cybercriminals who are into cyberheist normally use a malware that captures your password and\u00a0username and then controls what you see on your browser. Some banks require that customers use a\u00a0one-time token to login. This rogue software installed by the attackers will intercept your token and\u00a0then redirect you to a \u2018website under maintenance\u2019, \u2018down for maintenance\u2019 or even an \u2018error page\u2019.<\/p>\n
While you are wondering why the website has started behaving weirdly, the attackers are\u00a0meanwhile using your one-time token together with your credentials to log into your bank account.<\/p>\n
This is exactly what happened to Tennessee Electric according to its controller.<\/p>\n
The agreement between Tennessee Electric and TriSummit Bank was that after a utility had been\u00a0paid for, the customer would make a follow up with a verbal confirmation the following day. On\u00a0May 9th, Tennessee Electric called the bank to confirm on the $202,664.47 payment made the\u00a0previous day. To the consternation of the firm, the bank had approved a payroll draft of $327,804\u00a0which was to be distributed to 55 accounts in U.S. Apparently the bank never called the firm to\u00a0confirm or verify this payment order before paying it out.<\/p>\n
According to Tennessee Electric, TriSummit Bank called on 10th to seek customer\u2019s approval for the\u00a0fraudulent payment order. This is a whole day after the bank had already made the payment.<\/p>\n
According to Tennessee Electric, the laxity on the part of the bank is apparent because it should not\u00a0have made the fraudulent payment without verbal confirmation from Tennessee Electric. Moreover,\u00a0TriSummit bank called a day after releasing the money to seek approval for that same payment. As\u00a0it emerged later, the cyberheist had been conducted by a Russian cyber mob.<\/p>\n
This lawsuit could determine the future of cyberheist lawsuits. If this lawsuit reaches trial, it might\u00a0help set a precedent how cyberheist cases will be handled in future. As the trend has emerged, most\u00a0of these lawsuits are decided in favor of the bank and often the settled is negligible and quiet.<\/p>\n
Regulation E was set up to protect a bank\u2019s customers who are using its online services from cyberheists. It reduces the customer\u2019s liability considerably whenever they happen to lose money through\u00a0unauthorized fraudulent activity in their accounts. However, the customer must notify their bank\u00a0within 60 days of receiving an account statement which they dispute.<\/p>\n
Business entities do not enjoy the protection that individual customers enjoy through Regulation E.\u00a0The Uniform Commercial Code (UCC), which has been adopted by all the U.S states, seeks to\u00a0determine when a bank or a business entity is liable in case of a cyberheist. It states that a bank\u00a0provided that it is following security procedure which is commercially reasonable while providing\u00a0proper security against unauthorized payment order can process such payment order whether<\/p>\n
authorized or unauthorized the client. The bank\u00a0will, however, need to prove that it accepted the\u00a0order in good faith and in accordance with acceptable security procedure. It should also have\u00a0adhered to any other written agreement or special instructions restricting payment of such order\u00a0from the customer. This will be so if the payment order is issued in the name of the customer.<\/p>\n
In many states, the UCC is interpreted such that a business which has been attacked cannot hope for\u00a0more than what was stolen from it. In short, it rarely makes economic and legal sense for a business\u00a0to sue a bank especially if the amount is not much. This is because the litigation fees could easily\u00a0amount to the stolen money or even surpass it.<\/p>\n
We can only wait and see what will transpire in this case. At the same time, it is worth noting that\u00a0UCC together with other legal standards and procedures are making it impossible for businesses to\u00a0recover nay monies stolen through cyberheists.<\/p>\n","protected":false},"excerpt":{"rendered":"
All eyes are keenly watching how the Kingsport based firm\u2019s case against its bank over a cyberheist\u00a0will turn out. A cyberheist targeting an industrial and construction firm left it with a loss of\u00a0$327,000. The firm is now suing its bank to recover the stolen money. In its suit, the firm alleges\u00a0that the bank was negligent […]<\/p>\n","protected":false},"author":2,"featured_media":3124,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[71,41,83,62,48,49,25,80,74,58],"class_list":["post-7277","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-news","tag-commercially-reasonable-security-measures","tag-hackers","tag-illegal-wire-transfer","tag-krebs","tag-malware","tag-money-mules","tag-password-stealing-malware","tag-payroll-theft","tag-phishing-email","tag-us-cyber-crime"],"yoast_head":"\n