Share via Email

Victims Map
Cyber Crime Victims Map


Educate & Protect

Take Action



Featured Video



Settlement Reached in ACH Fraud Case

Village View EscrowA lingering legal dispute over a corporate account takeover incident at an escrow company in California has finally come to a close.

Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, has reached a settlement with the bank for an undisclosed amount, says Michelle Marsico, Village View's owner and president.

As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company says in a statement.

More details about the settlement are expected to be issued in coming weeks.

"While we remain confident in the strength of our legal position, we entered into the settlement agreement to bring this matter to a conclusion and to focus all our energy on our business," Marsico says in the statement. "With this settlement, we can now put the litigation behind us and move forward with a clear conscience that we did everything we could to correct this situation."

The case dates back to 2011, when Village View sued the bank for reimbursement of direct financial losses suffered from the attack as well as damages. In the complaint, Village View also requested reimbursement of maintenance and service fees it paid to the bank between 2008 and 2010.

Investigations conducted by the California Department of Corporations, the Federal Deposit Insurance Corp. and the Redondo, Calif., Police Department, determined that Village View Escrow played no role in the cybertheft it suffered and took all necessary precautions to avoid the losses, according to the statement.

The Case Premise

At its core, Village View's suit raised questions about "good faith," reasonable security and Professional Business Bank's compliance with existing FFIEC authentication guidelines.

The complaint alleged that Professional Business Bank failed to have procedures in place for the recovery of stolen funds, in essence ignoring "numerous warnings from the FFIEC and the FDIC of the prevalence of" online attacks and incidents of corporate account takeover.

Village View took a hit after hackers broke into its network, accessed and stole bank credentials and then sent 26 consecutive wire transfers out of the country. Dual controls were not used by the business, but an e-mail verification service offered by Professional Business Bank was successfully disabled by the criminals.

When the hackers disabled the bank's e-mail notification service, an alert should have automatically been generated and sent to the bank's department responsible for applications and systems maintenance, Village View contended.

Two similar cases, PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank, raised questions about liability and reasonable security, yet each resulted in a different verdict.

In 2010, PATCO sued Ocean Bank for the more than $500,000 it lost in May 2009, after its commercial bank account with Ocean Bank was taken over. PATCO argued that Ocean Bank was not complying with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.

Last year, a District Court magistrate found the bank met legal requirements for multifactor authentication and dismissed the suit.

In December 2009, EMI sued Comerica after more than $550,000 in fraudulent wire transfers left EMI's account.

In the EMI ruling, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history, which had been limited to transactions with a select group of domestic entities. The court also noted that Comerica's knowledge of phishing attempts aimed at its clients should have caused the bank to be more cautious.

In the ruling, the court required Comerica to reimburse EMI more than $560,000 of the $1.9 million the business lost after the bank approved the fraudulent wire transfers.

Source: BankInfo Security