Iowa Banking Law Blog
Phishing for answers: Part two
Jun. 14, 2011 – Mary A. Zambreno, Iowa Banking Law Blog
A Michigan court has ruled against Comerica Bank and in favor of the bank’s customer, Experi-Metal, Inc., holding that the bank should have prevented fraudulent wire transfer payment orders from the customer’s account that totaled more than $1.9 million.
We first blogged about this case in March of 2010. In December 2009, Experi-Metal filed a complaint alleging that Comerica’s conduct caused the company to become the victim of a phishing attack that led to the criminal initiation of 97 wire transfer payment orders totaling more than $1.9 million. On January 22, 2009, an Experi-Metal employee received an email instructing him to click on a link. Upon doing so, the employee was directed to a website where he responded to a request for his confidential secure token identification, Treasury Management Web ID, and login information. Over the course of the day, payment orders totaling $1,901,269.00 were executed using the employee’s user information and directed to accounts at banks in Moscow, Estonia, and China. J.P. Morgan Chase reported six suspicious wire transfers to Comerica, after which Comerica learned that Experi-Metal had not processed any wire transfer payment orders that day. Comerica subsequently recalled all processed wires, stopped all future activity, and flagged Experi-Metal’s accounts for review before processing. Comerica recovered all but $561,399.
Comerica moved for summary judgment with respect to Experi-Metal’s claim that the bank bears the risk of loss for the unauthorized wire transfer orders. The court, however, denied that motion because it found genuine issues of material fact related to whether Experi-Metal’s employee, whose confidential information was used to facilitate the fraudulent orders, was authorized to initiate wire transfer orders on behalf of the company, whether Comerica complied with its security procedure when it accepted the wire transfer order from this employee, and whether Comerica acted in good faith when it accepted the wire transfer orders.
A six-day bench trial was held. The trial court found the employee was indeed authorized to initiate wire transfer orders through Comerica’s online service and that Comerica complied with its security procedures when it accepted the wire transfer orders with his user information. The court reached this conclusion after analyzing the various paperwork and documents signed by Experi-Metal regarding the authority of certain individuals at the company to transact with the bank.
Unfortunately for Comerica, the case turned on whether the bank acted in observance of reasonable commercial standards of fair dealing. The court found that Comerica failed to present evidence satisfying its burden of demonstrating that it accepted the wire transfer orders in good faith. In reaching this conclusion, the court considered the volume and frequency of the payment orders, the $5 million overdraft created by the book transfers in what is regularly a zero balance account, the company’s limited prior wire activity, the destinations and beneficiaries of the funds, and the bank’s knowledge of prior phishing attacks on the bank.