Even though the Uniform Commercial Code (Article 4A) generally places the risk of loss for unauthorized funds transfers on the bank, a federal court in Missouri ruled last month against an SMB and in favor of its much larger bank, primarily because the SMB had declined the fraud prevention controls the bank offered. Article 4A shifts that risk when the bank follows a commercially reasonable security procedure, and a procedure is deemed commercially reasonable when the customer refused one the bank offered and agreed in writing to be bound by payment orders accepted under the weaker one. The SMB was left with a $440,000 loss. Here is the nutshell version:
- The SMB has a business account with the bank
- The bank offers the SMB security (fraud prevention) controls
- The SMB declines to implement the controls (twice)
- The SMB's computer is compromised and its online banking credentials are used to transfer money from its account to a bank in Cyprus
- The SMB sues the bank for the loss of the stolen funds
- The federal court rules against the SMB and in favor of the bank
- The SMB is out $440,000 plus legal expenses
If this ruling does set a precedent, it further increases the business risk SMBs carry for the security of their own banking.
Some lessons learned:
- If your bank offers or recommends security services or tools, use them, unless you can show that a specific control directly and materially harms your business; declining an offered control can shift the loss onto you, as it did here
- Use Positive Pay: you send the bank the list of checks (or payment orders) you have issued, with serial number, amount and payee, over a channel separate from the one used to issue them, and the bank pays only items that match that list and holds everything else for your decision
- Use a dedicated computer for banking transactions, one that is not used for e-mail, web browsing or anything else, so that a phishing message or drive-by download cannot capture your banking credentials
- Use two-factor authentication wherever the bank offers it
- If you do not use Positive Pay or a similar service, agree with your bank on specific criteria (for example, transfers above a set amount, to a payee you have never paid before, or to a foreign bank) that should trigger an alert to you before a check or transfer request is paid
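As an added illustration, not part of the original post or the Dark Reading story, the following Python shows how the Positive Pay match and the agreed alert criteria in the lessons above fit together on the bank's side: an item is paid only if its serial, payee and amount match the customer's issue file and the serial has not been paid before; items that match but look unusual (large amount, beneficiary bank outside the customer's usual countries) are paid with an alert; everything else is held for the customer. The issue file, presented items, threshold and country list are constructed sample data, and the field layout and rule names are assumptions, not any bank's actual format.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Item:
    """A check or transfer request presented to the bank for payment."""
    serial: str        # check number or payment-order reference
    payee: str
    amount: Decimal
    country: str       # ISO 3166 code of the beneficiary bank's country


@dataclass
class Decision:
    item: Item
    action: str                       # "PAY", "ALERT" (pay and notify) or "HOLD" (customer decides)
    reasons: list = field(default_factory=list)


# Issue file the customer sends over a separate channel: serial -> (payee, amount).
# Constructed sample data, not a real file format.
ISSUE_FILE = {
    "1001": ("Acme Office Supply", Decimal("1250.00")),
    "1002": ("Globex Hardware", Decimal("9800.00")),
    "1003": ("Initech Payroll", Decimal("15000.00")),
}

# Alert criteria agreed with the bank (hypothetical values).
ALERT_THRESHOLD = Decimal("10000.00")
EXPECTED_COUNTRIES = {"US", "CA"}


def screen(item, issue_file, paid_serials, threshold=ALERT_THRESHOLD,
           expected_countries=EXPECTED_COUNTRIES):
    """Positive Pay match followed by the unusual-activity alert rules."""
    decision = Decision(item, "PAY")
    issued = issue_file.get(item.serial)
    if issued is None:
        decision.reasons.append("serial not on issue file")
    else:
        payee, amount = issued
        if item.amount != amount:
            decision.reasons.append(f"amount {item.amount} differs from issued {amount}")
        if item.payee != payee:
            decision.reasons.append(f"payee '{item.payee}' differs from issued '{payee}'")
    if item.serial in paid_serials:
        decision.reasons.append("serial already paid (duplicate presentment)")
    if decision.reasons:
        decision.action = "HOLD"          # any mismatch: do not pay, ask the customer
        return decision

    # Item matches the issue file; apply the agreed alert criteria before paying.
    if item.amount >= threshold:
        decision.reasons.append(f"amount at or above alert threshold {threshold}")
    if item.country not in expected_countries:
        decision.reasons.append(f"beneficiary bank in unexpected country {item.country}")
    if decision.reasons:
        decision.action = "ALERT"
    paid_serials.add(item.serial)         # record payment so a re-presentment is caught
    return decision


def screen_batch(items, issue_file=ISSUE_FILE, paid_serials=None):
    """Screen a day's presentments in order, tracking serials paid so far."""
    paid = set() if paid_serials is None else paid_serials
    return [screen(item, issue_file, paid) for item in items]


# Constructed presentments, including an unauthorized wire to Cyprus and a duplicate.
PRESENTED = [
    Item("1001", "Acme Office Supply", Decimal("1250.00"), "US"),
    Item("1002", "Globex Hardware", Decimal("9800.00"), "DE"),
    Item("1003", "Initech Payroll", Decimal("15000.00"), "US"),
    Item("1004", "Unknown Beneficiary Ltd", Decimal("440000.00"), "CY"),
    Item("1001", "Acme Office Supply", Decimal("1250.00"), "US"),
]

if __name__ == "__main__":
    for d in screen_batch(PRESENTED):
        print(f"{d.item.serial} {d.item.amount:>10} {d.item.country} -> {d.action}",
              "; ".join(d.reasons))
```

The hold on the fourth item is the point of the control: a stolen credential lets an attacker submit a payment order through the online banking channel, but it does not let them add that order to the issue file delivered over the separate channel, so the order fails the match regardless of how valid the login looked.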
More here in this Dark Reading story.