An Oregon farm products company is suing its bank over losses in a phishing attack which saw $223,500 transferred to accounts in Ukraine in 2010. It's the latest in a series of legal cases where phishing victims have sued in an attempt to recover losses.
The heist, which happened in 2010, saw various amounts transferred out of a corporate account belonging to Oregon Hay, and into a bank in Ukraine, over a period of three days. All amounts were just below a $75,000 threshold set by Oregon Hay. Neither Oregon Hay nor its bank, Community Bank, noticed the transfers at the time.
The incident was reported by influential security blogger, Brian Krebs in his Krebs on Security blog.
Krebs says that the case, filed at Umatilla County Circuit Court, is “the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime. Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves. But as cyberheists have ramped up dramatically over the past several years, a number of victim companies have opted to sue their financial institutions in the hopes of recovering the losses.”
Earlier this year, Computerworld reported a ruling in which a judge denied the claim of an escrow company against its bank in a case involving a $440,000 fraudulent transfer, even though the transfer request initiated from outside the U.S. an occurrence unprecedented in the company's history with the bank.
ESET researcher David Harley warns that phishing emails are evolving rapidly to become more convincing in a detailed blog post here.
Crucially, such emails are often getting through to inboxes of well-defended mail services - meaning that they may find a fresh audience. Harley says, “Right now malware and phishing forms, apparently from reputable companies, seem to be particularly successful at getting through mail services with exceptionally good filtering.”