Industry News

School district fails to reclaim $120,000 wired by bank to scammer

A school district in Indiana which had $120,000 transferred from its bank account after its email account was hacked, has failed in an attempt to reclaim the cash.

The problems for Lake Ridge Schools began in October 12 2016 when money earmarked for part of a seven million dollar construction project of an athletics complex at Calumet New Tech High School was fraudulently wired to parties unknown.

The email account of a business manager tasked with signing off payment requests had been hacked, and a request was made to the BNY Mellon banking giant, asking it to transfer $120,882.83 to several people listed as contractors on the project.

At the time, the school district’s business manager was on vacation – a fact not unknown to BNY Mellon as it had received an automated out-of-office email notification a few days earlier.

In addition, according to the lawsuit filed by Lake Ridge Schools, the payment request was different from those made previously – it was presented in a different font, contained some suspicious pixellation, and unlike past payments was a request for a wire transfer rather than a check.

And it’s not as though BNY Mellon wasn’t making any attempt at all to verify the payment requests it received via email from the school district’s email account. The first attempted fraudulent payment made by the email hacker was rejected, and had to be reissued the next day.

As media reports recount, the fraud was only discovered when the bank received a second payment request on October 18 2016, asking for more money to be moved. On that second occasion the bogus transfer request was intercepted by the bank before any more money could be stolen.

Remember – unlike a lot of the tales of business email compromise hitting the headlines this year, this is not the case of an employee being duped into believing their boss is ordering them to wire money to a supplier, or a bogus invoice that has been emailed into the accounts department.

This is a scenario where hackers have hijacked the email account of a member of the organisation authorised to approve payments, and then ordered the bank to wire the money to the criminals. Other than having an employee’s email account hacked in the first place, no member of staff has been duped.

In the opinion of Lake Ridge Schools, it was the bank’s fault that such a large amount of money had been fraudulently wired on the first occasion to criminals believed to be based off-shore and out of the reach of the authorities. Their opinion was that the bank should have been more diligent, and checked with the school district (presumably using a method other than email) that the payment request was genuine.

That was not a view shared by US District Court Judge Theresa Springmann, however, who dismissed the school district’s lawsuit and said that the bank was not responsible for the loss under its contract.

According to the judge, the lawsuit from Lake Ridge Schools failed to demonstrate that BNY Mellon had been negligent or committed misconduct by not spotting the payment request was fraudulent.

The agreement between the school district and bank asserted that the district’s building corporation assumed “all risks” and that the bank was unable to “determine the identity of the actual sender of such instructions.”

This opinion falls on deaf ears of the likes of school superintendent Sharon Johnson-Shirley who still believes that BNY Mellon should have reimbursed the district:

“They are the largest bank in the world and they are insured. I cannot believe they fought me nail and tooth. What can we do? We don’t have money to continue to fight them.”

There is perhaps an important lesson for all of us here.

It has becoming more and more common for people and companies to lose money due to online fraud, and it is not uncommon for banks to recompense us for our losses, with a mind to keeping our business and avoiding unsympathetic headlines.

These days are numbered. As fraudsters steal ever larger amounts of money through techniques such as business email compromise, we shouldn’t be surprised to find banks increasingly unwilling to accept responsibility for what goes wrong.

Now is a good time to put proper processes and technology in place to ensure that only authorised staff are able to authorise payments, and crucially that they have a reliable way of authenticating their identity to the banks wiring the money.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • There used to be a day when you had to show up to a bank in person and sign, in front of witnesses, for things like this. Glad we don't have to go through THAT hassle anymore. Think of all the time wasted.

  • Phil Zimmerman solved this problem almost 30 years back with PGP. Contributors to his successful defense against US government "munitions" charges used pgp encrypted and signed email messages to direct payments to it.

    Sich protection is far easier now, technically. Hacking the email account would have borne no fruit if the payment authorizations had to be encrypted and digitally signed (and the authorizing official secured the private key adequately).

    Shame on both him and the bankers.