Two ongoing lawsuits will test just how responsible big banks are for recent fraud losses and whether their monitoring practices are enough to shield them from accountability when customers lose money to insider threats and phished credentials.
In one case, Joyce's Jewelry, a jeweler in Uniontown, Pennsylvania, alleged in the U.S. District Court in Pittsburgh that PNC allowed hackers to empty the business's accounts because it lacked adequate measures to prevent the fraud.
Hackers successfully phished for one employee's credentials and used them to wire away all $1.6 million the company had in its four accounts. However, PNC promised to require tokens from two Joyce's employees to complete such transactions, according to Joyce's, which is one reason why the company claims PNC bears responsibility.
According to a spokeswoman for PNC, the bank "maintains a comprehensive set of security controls" to protect customers. Those measures "include direct communication to customers about the importance of keeping their credentials confidential and preventing bad actors from gaining access to their online accounts." The bank also recovers funds on customers' behalf when possible.
"Unfortunately, in this case, the customer voluntarily provided a bad actor with credentials that allowed access to its accounts," the spokeswoman said. "While PNC regrets any losses incurred by any customer, it disagrees with the allegations in this case and believes it acted appropriately with respect to these transactions."
Beyond losing "substantially all" its money, Joyce's also said that PNC has classified $200,000 of the fraudulent transactions as overdraft, that PNC has referred the company's accounts to a collections agency, that the bank kept for itself most of the money it recovered from a fraudulent transaction to JPMorgan, and that the bank has billed Joyce's for "corporate analysis charges" as a result of the episode.
In the other case of a business customer suing its bank over money lost to fraud, a judge in the U.S. Southern District Court of New York allowed Thailand-based manufacturer Essilor (EMTC), which makes Ray-Ban glasses, to move forward with its case against JPMorgan Chase over a complex fraud that led to $272 million in losses from EMTC's accounts, including $100 million that remains unrecovered.
The case involves a then-current EMTC employee, Chamanun Phetporee, whom fraudsters allegedly recruited for the heist. Phetporee allegedly stole credentials from another EMTC staff member because, as in the Joyce's case, the bank required a second employee to approve transactions before they would go through.
EMTC sued JPMorgan in federal court in New York in April, claiming the bank had been aware of a pattern of fraudulent transactions that led to a monthslong heist and failed to notify the company. The company said JPMorgan should have caught red flags including a jump in monthly dollar volume and the movement of money to shell companies at regional banks, often in high-risk jurisdictions.
U.S. District Judge Lewis Liman dismissed breach-of-contract and negligence claims against JPMorgan, but said that EMTC can go forward with a jury trial over a New York contract law provision that requires banks to refund unauthorized payment orders from a customer. A JPMorgan spokesman declined to comment on the decision.
In both the case against PNC and the case against JPMorgan, the customers have claimed that the banks acted negligently in their duty to ensure transactions were authorized by two employees, a standard safety feature. The customers also allege that the banks knew or should have known about red flags associated with the fraudulent transactions.
Banks typically implement varying levels of authentication based on the amount of risk associated with a transaction, according to Julien Bonnay, the U.S. head of technology and cybersecurity for the financial services consultant Capco. For example, if a banking customer tries to wire money to an account with which the customer has never before interacted, the bank might make a phone call to the customer to ask whether they meant to initiate the transaction.
In cases where a customer or fraudster initiates multiple wires back-to-back from an account, such as in the case of Joyce's Jewelry, that is the kind of behavior that "should raise a flag and require a call to the client to validate" that they intended to initiate such transactions, according to Bonnay.
He also said that fraudsters should not be able to simply steal a password to initiate a fraudulent transaction. He said U.S. regulators require banks to implement multifactor authentication on customer accounts, meaning that a one-time password from an app or text-messaged code is required to initiate a wire.
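The controls Bonnay describes (risk-based step-up on a never-before-seen payee, flagging back-to-back wires for a verification call, and requiring two distinct approvers before a wire leaves the account) can be expressed as a small policy engine. The following is an added illustration and is not the actual monitoring logic of PNC, JPMorgan or Capco; the thresholds, the decision names (`allow`, `callback`, `block`) and the sample wire sequence are all constructed for this example. The sequence mirrors the pattern reported in the Joyce's case: one ordinary payment followed by a burst of large wires to new beneficiaries, with a final request in which the same employee identity supplies both approvals.

```python
"""Rule-based wire screening (added example; thresholds and data are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy thresholds: assumed values for this illustration, not any bank's real settings.
VELOCITY_WINDOW = timedelta(minutes=30)   # look-back window for the back-to-back check
VELOCITY_LIMIT = 3                        # more than this many wires in the window is a flag
DUAL_APPROVAL_MIN = 2                     # distinct employees required to release a wire


@dataclass
class Wire:
    account: str
    beneficiary: str          # destination account identifier
    amount: float
    requested_at: datetime
    approvers: tuple          # employee IDs whose credentials authorised the request


@dataclass
class AccountHistory:
    known_beneficiaries: set
    recent_wires: list = field(default_factory=list)   # every attempt, allowed or not


def assess(wire: Wire, history: AccountHistory):
    """Return (decision, reasons).

    decision is 'block' when the dual-approval rule fails, 'callback' when a
    risk indicator calls for an out-of-band confirmation with the customer,
    and 'allow' when nothing unusual is seen.
    """
    reasons = []

    # Two approvals from the same employee ID are one approval. Note that a
    # second stolen credential (as alleged in the EMTC case) passes this check,
    # which is why the behavioural flags below are layered on top of it.
    if len(set(wire.approvers)) < DUAL_APPROVAL_MIN:
        reasons.append("dual_approval_missing")

    # Step-up: a payee this account has never paid before.
    if wire.beneficiary not in history.known_beneficiaries:
        reasons.append("new_beneficiary")

    # Velocity: count attempts inside the window, including this one.
    window_start = wire.requested_at - VELOCITY_WINDOW
    in_window = [w for w in history.recent_wires if w.requested_at >= window_start]
    if len(in_window) + 1 > VELOCITY_LIMIT:
        reasons.append("wire_velocity")

    if "dual_approval_missing" in reasons:
        return "block", reasons
    if reasons:
        return "callback", reasons
    return "allow", reasons


def process(wire: Wire, history: AccountHistory):
    """Assess a wire and update history; only allowed wires teach a new payee."""
    decision, reasons = assess(wire, history)
    history.recent_wires.append(wire)
    if decision == "allow":
        history.known_beneficiaries.add(wire.beneficiary)
    return decision, reasons


def run_scenario():
    """Constructed sequence: one routine payment, then a burst to new payees."""
    t0 = datetime(2024, 1, 1, 9, 0)
    history = AccountHistory(known_beneficiaries={"SUPPLIER-A"})
    requests = [
        Wire("OPS-001", "SUPPLIER-A", 5_000, t0, ("emp1", "emp2")),
        Wire("OPS-001", "OFFSHORE-1", 400_000, t0 + timedelta(minutes=5), ("emp1", "emp2")),
        Wire("OPS-001", "OFFSHORE-2", 400_000, t0 + timedelta(minutes=10), ("emp1", "emp2")),
        Wire("OPS-001", "OFFSHORE-3", 400_000, t0 + timedelta(minutes=15), ("emp1", "emp2")),
        Wire("OPS-001", "OFFSHORE-4", 400_000, t0 + timedelta(minutes=20), ("emp1", "emp1")),
    ]
    return [process(w, history) for w in requests]


if __name__ == "__main__":
    for decision, reasons in run_scenario():
        print(decision, reasons)
```

In the constructed run the first wire is allowed, the next three are held for a verification call (new beneficiary, and from the fourth request onward the velocity rule as well), and the last is blocked outright because both approvals came from one employee ID. The point of the layering is the one Varga makes: the identity check alone is not bulletproof, so behaviour that looks like the reported attacks triggers a direct call to the customer rather than relying on credentials alone.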
Two-factor authentication is an essential tool for preventing account takeover, as apparently happened in the case of Joyce's Jewelry, according to Gergo Varga, product evangelist for fraud prevention company SEON. However, it's not the only protection.
"It's worth pointing out that two-factor authentication isn't a totally 'bulletproof' system, but it can certainly help to greatly reduce the likelihood of account takeovers," Varga said.
When authenticating a transaction, a text-messaged or app-created code sometimes makes sense, but Varga said the key is to use methods that are hard for fraudsters to work around.
"In an instance like this, it would be best practice to ring the customer directly and to speak with them about the activity on their account," Varga said.