Experi-Metal v. Comerica

Experi-Metal, Inc., v. Comerica Bank (docket number: 2:2009cv14890) is a decision by the United States District Court for the Eastern District of Michigan in a case of a phishing attack that resulted in unauthorized wire transfers of US$1.9 million through Experi-Metal's online banking accounts. The court held Comerica liable for losses of US$560,000 that could not be recovered from the phishing attack, on the ground that the bank had not acted in good faith when it failed to recognize the transfers as fraudulent.

Background
Experi-Metal, a Macomb, Michigan-based company, held accounts with Comerica, headquartered in Dallas, Texas. Experi-Metal had signed up for a NetVision Wire Transfer service allowing it to send and receive payments and incoming fund transfers through the Internet.

Phishing attack
At approximately 7:35 am on January 22, 2009, an Experi-Metal employee opened a phishing email containing a link to a web page purporting to be a "Comerica Business Connect Customer Form". Following the email's link, the employee then proceeded to provide his security token identification, WebID and login information to a phony site. As a result, the fraudulent third parties gained access to Experi-Metal's accounts held with Comerica.

In a six-and-a-half-hour period between 7:30 am and 2:02 pm, 93 fraudulent transfers were made from Experi-Metal's accounts totaling US$1,901,269.00. The majority of the transfers were directed to bank accounts in Russia, Estonia and China.

Between 7:40 am and 1:59 pm, transfers totaling US$5.6 million were executed among accounts using the information obtained from the phishing attack. In one account, the transfers resulted in an overdraft of US$5 million.

At 11:30 am, Comerica was alerted to the potential fraud by a telephone call from a JP Morgan Chase employee who had noticed suspicious wire transfers sent from an Experi-Metal account to a bank in Moscow, Russia. Sometime between 11:47 am and 11:59 am, Comerica alerted Experi-Metal to the transfers and confirmed that the legitimate account holder had not made any transactions during the course of the day. By 12:25 pm, Comerica put a hold on Experi-Metal's online banking transactions and began to "kill" its user session in an attempt to forcefully remove the people making the transfers from the Comerica online service.

Comerica was successful in recovering a portion of the transfers. In total, US$561,399 was lost in the fraudulent transfers arising out of the phishing scheme.

Opinion of the US District Court in Michigan
The court considered two main issues in its decision. The first issue was whether the Experi-Metal employee whose confidential information was used to initiate the fraudulent transfers was authorized to initiate transfers on behalf of the company, and in turn, whether Comerica complied with its own security procedures in accepting the orders. The second issue was whether Comerica acted in "good faith" in accepting the orders on Experi-Metal's account.

User information initiating fraudulent transfers
There was some question as to whether the Experi-Metal employee who fell victim to the phishing incident was authorized to make wire transfers on behalf of the company. The issue was raised in the context of whether Comerica was complying with its security procedures when it accepted the wire transfers that were made using his account user information on January 22, 2009.

After considering several contextual factors, the court concluded that the employee who had provided his account user information was authorized to initiate transfers with Comerica on behalf of Experi-Metal. As a result, Comerica was found to be in compliance with its own security protocols when it accepted the orders.

Good faith
The second issue in the case was whether Comerica acted in 'good faith' in accepting the wire transfers initiated by the fraudulent third parties.

Under Michigan law, wire transfer orders are effective as orders of the customer even if they are not actually ordered by the customer, provided certain criteria are met. The issue in this case was whether the orders were accepted in good faith and in compliance with the security procedures, written agreements or instructions of the customer. If the orders made to Comerica on Experi-Metal's account were not received in "good faith", they would not be effective.

While the court found that Comerica's security procedures were commercially reasonable, it found the bank failed to prove it had accepted orders for the fraudulent transfers in good faith. Under Michigan law, good faith requires "honesty in fact and the observance of reasonable commercial standards for fair dealing."

Because there was no suggestion that Comerica's employees acted dishonestly in accepting the fraudulent orders, the court moved to the element of the good faith test dealing with reasonable commercial standards for fair dealing. Here, the court found Comerica failed to meet the burden of proving that its employees met reasonable commercial standards of fair dealing in the context of the fraudulent transfers, and in particular with respect to the unusual overdrafts to the Experi-Metal accounts. On this last point, the court made specific reference to the overdrafts of US$5 million on an Experi-Metal account that usually had a $0 balance.

Result
Primarily on the basis that Experi-Metal's online wire transfer orders were not received in good faith, the court ordered Comerica to compensate Experi-Metal for its losses. Comerica reportedly reached an out-of-court settlement with Experi-Metal soon after the court's decision.

Significance
Experi-Metal v. Comerica represents a relatively early decision in an emerging area of case law relating to online banking fraud in the US.

Similar US online banking fraud cases
In Patco Construction v. People's United Bank, a US District Court in Maine held that the defendant bank was not liable for US$588,000 in fraudulent transfers that were believed to result from Zeus keylogger malware attacks.

Patco was an online banking customer and account holder at People's Bank at the time of the malware attacks. Between May 7 and May 16, 2009, unknown third parties made multiple online transfers totaling US$588,851 out of Patco's account. Ultimately, the bank was able to block US$243,406 of the fraudulent transfers.

Patco alleged that its losses were related to People's Bank's deficient online security. The court found that People's Bank did suffer from some security weaknesses, but that on the whole, its security procedures were commercially reasonable. Accordingly, it found that the bank was not liable for the losses resulting from the fraudulent transfers. Although the facts of this case differ from those in Experi-Metal v. Comerica, it may be a challenge to reconcile the contrast between the two decisions. However, in July 2012, this decision was reversed by an appellate court. The parties later settled out of court, with People's United Bank paying the remainder of what was stolen from Patco's account, as well as $45,000 in interest.

"In a landmark decision, the 1st Circuit Court of Appeals held in 'Patco Construction Company, Inc. v. People's United Bank', No. 11-2031 (1st Cir. July 3, 2012) that People's United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 that had been stolen from PATCO's bank account. In so doing, the court reversed the decision of the U.S. District Court for the District of Maine that had granted summary judgment in the bank's favor."

In Village View v. Professional Business Bank, a similar claim was filed in the Superior Court of California in June 2011. Village View sued for losses incurred as a result of unauthorized and fraudulent wire transfers made from its account with Professional Business Bank on March 16–17, 2010, totaling US$195,874.

The attacks began with a banking Trojan disguised as a UPS shipping receipt, which unsuspecting employees accepted and opened inside the Village View network. The file was later found to contain malware that did several things, including disabling the email notifications normally sent by the bank each time a transfer was made from Village View's account. The fraudulent transfers were made to international accounts, including banks in Latvia.

Village View Escrow alleges in its claim that the unauthorized transfers were a result of Professional Business Bank's inadequate security system. Specifically, Village View alleges a failure on the part of Professional Business Bank to provide 'commercially reasonable security' procedures in accordance with California law and an accompanying failure to accept the orders for wire transfers in 'good faith.'

Phishing and bank fraud trends in the US
Wire transfer fraud and phishing are the sub-types of bank fraud used against Experi-Metal.

Among US banking institutions, December 2011 saw US national banks targeted most frequently by phishing at 85%, followed by regional US banks at 9% and US credit unions at 6%. In terms of overall volume of phishing worldwide during the same period, the UK was a target 50% of the time, followed by the US at 28%, Brazil at 5%, South Africa at 4% and Canada at 2%.

Malware such as the Zeus Trojan has been used extensively by criminals to steal personal banking information, which can then be used to make fraudulent transfers out of the victims' bank accounts. In some cases, the perpetrators of the attacks have been caught and prosecuted, both within the US and in other countries.

Challenge of prosecuting online banking fraud
While the types of activities in Experi-Metal v. Comerica might constitute an offense under the Computer Fraud and Abuse Act, the challenges of determining jurisdiction in an online environment, identifying perpetrators and collecting evidence remain potentially significant obstacles to any attempt to enforce such legislation.