In a classic case of bank impersonation, a hedge fund, Fortelus, lost USD 1.2 million when someone posing as their bank tricked Fortelus’ Chief Financial Officer into generating secure codes to supposedly cancel suspicious transactions. But in fact, the codes were used to set up transactions stealing USD 1.2 million.
On a Friday evening in December 2013, a caller purporting to be “Simon Hughes” from Coutts warned CFO Thomas Meston of Fortelus Capital Management LLP, based in London, that there may have been suspicious transactions on the account. Meston was then persuaded to generate codes from the bank’s security card and device.
The lawyer for Fortelus, Daniel Astaire, said that the firm had “strong internal policies against fraud prevention” and this was “an isolated incident,” according to Bloomberg.
A case alleging negligence has been launched in London’s High Court of Justice, Queen’s Bench Division: Fortelus Capital Management LLP & Anr v. Mr. Thomas Meston.
With limited background to go on, it is hard to comment on what actually happened or who was at fault for allowing this fraud to occur. However, I can make a few observations:
1. I trust that Fortelus’ lawyer was misquoted by Bloomberg. Maybe read that line again to see what I mean.
2. It is never a good idea to accept the credentials of someone who telephones in. Some fraudsters advise people to call back on the official bank number while keeping hold of the line so that it is never hung up, so the victim appears to have got through to the bank to confirm the caller's identity. This is basic anti-fraud knowledge.
3. Giving security codes over the telephone is highly inadvisable in any circumstances, and all banks that I know of advise never giving complete security codes or PINs over the telephone.
4. Requiring multiple persons to make transactions is good practice. With cheques, two signatures were required as a standard of reasonable competency. With online access, this basic requirement is more complex to administer.
5. Specific internal procedures at Fortelus could have been in place which would have put Mr Meston’s actions in breach of his contract. Equally, failing to implement sensible features provided by the bank to restrict access and secure the account could have been negligent.
6. Judging by Coutts’ current security features, it seems likely that Mr Meston had sole administrative access, and therefore his security card or cards could have been used either for transactions or to raise the limits on another user account. This is why, wherever possible, dual authorisations should be used for everything significant.
7. How come the bank lost track of where the money went?