Dining Out. PHOTO: Cybercrime Magazine.

Cybercrime: Lawyers Fight Back, When Banks Won’t

How a restaurant reclaimed (some) of its stolen money

David Braue

Melbourne, Australia – Jul. 25, 2022

When the family owners of Washington, D.C.-area restaurant Johnny Pistolas found out they had been compromised by thieves — who made off with $460,000 of their hard-earned cash — the inclination to despair was understandable.

Yet by acting quickly once they discovered the deception, the family was able to recover half the money as their bank clawed back the proceeds of around 25 fraudulent wire transfers that were processed over the course of around eight hours.

Those transfers drained five different accounts held by the Askarinam family, which has operated restaurants in D.C.’s Adams Morgan neighborhood for 40 years and bristled when longtime bank BB&T failed to notify them when the fraudulent transfers were executed shortly before New Year’s Eve.

While the bank was able to recover half of the lost money, the balance is still outstanding — begging the question of whether it will ever be recovered.

Banks generally argue that they’re not responsible for misuse of customer accounts, which are regularly targeted by fraudsters or abused by trusted service providers, such as accountants, that are engaged to provide critical financial support services.

If you’ve been hacked and your bank is telling you to talk to the hand, it may be time to bring in a specialist lawyer who’s been there before.

Cybercrime Radio: Lawyers Can Help

Fighting back, when banks won’t

“When a lot of organizations realize that they’ve had a loss from unauthorized funds transfer, there’s a feeling of despair and oftentimes the response from the institution can be that ‘we’re not responsible,’” John Lande, a civil litigation specialist with Des Moines, Iowa based Dickinson Law, told Cybercrime Magazine.

“The law is not quite as cut-and-dry as that,” said Lande — who is representing the Askiranam family in its fight to recover the stolen funds and said their situation “tracks a lot of the same facts and steps that a typical case like this follows.”

“The issue is what the agreements between the customer say about who’s responsible for that unauthorized transaction,” he said, “and I think organizations are well served by testing the legal liability of the bank by consulting an attorney who is familiar with this area of law.”

Fighting back, when banks won’t

Yet starting what is likely to be a protracted legal battle, against larger and better-funded financial institutions, is never going to be the easy option — and for small businesses that rely on having available funds to pay staff, invoices, and rent, just the long delay can be catastrophic.

One area where banks may be held liable for a breach, he said, stems from their obligation to ensure that a transfer is sent to the right recipient — an area where today’s rapid electronic transfers fall short because they never check the name of the intended recipient against the name on the receiving account.

“There are rules that banks are supposed to follow to verify the validity of transactions before they send them, and the default is that your financial institution is liable for an unauthorized wire transfer,” Lande explained.

Funds are transferred based entirely on routing and account numbers, he said — complicating the recovery process because “once the money hits the account, legally speaking, the transaction is complete [and] there’s no basis to recover the transfer that has already occurred.”

“Once a wire transfer is completed,” he added, “it can be very difficult to actually get money returned, because the U.S. payment system prioritizes speed and finality over accuracy.”

If the funds can’t be stopped before they’re transferred to an overseas jurisdiction where U.S. regulations don’t apply, he said, “the money is unrecoverable.”

The key is to get started sooner rather than later, with many companies contractually required to address any fraudulent incidents within a certain period of time.

Experts advise notifying the FBI’s Internet Crime Complaint Center (IC3) with all the details, since the FBI can — in cases where the fraud is $50,000 or more, transferred internationally, occurred within the previous 72 hours, and a SWIFT recall notice has been initiated — engage with your bank and activate its Financial Fraud Kill Chain (FFKC) process.

FFKC was used by the FBI’s Recovery Asset Team (RAT) 1,726 times last year and helped them freeze over $328m, according to the agency — a 74 percent success rate.

Yet even as you escalate the incident, be aware that the bank will be working to disclaim its responsibility in the process — and be prepared to counter.

“When I get involved, we try to contact the bank to see if there’s an ability to negotiate or get them to recognize that they have some exposure to the incident,” Lande said. “If that fails, ultimately you’d be looking at filing a lawsuit against the institution.”

Among other issues, the process of apportioning blame is likely to involve close examination of clauses that force customers or their banks to follow “commercially reasonable security procedures” to ensure that wire transfers are properly authenticated.

Just what that term means, Lande notes, is “flexible” — and was designed that way to allow it to apply to ever-changing technology.

Assuming that efforts to recover the money have failed, the key is to clarify the bank’s position early on and begin exploring other options — and doing so quickly.

“Over the last 10 years or so I’ve seen a real increase in the number of financial crimes that fraudsters are attempting to perpetrate against individuals, businesses, and financial institutions,” Lande said.

“Any organization that does have this kind of incident occur does potentially have a limited amount of time to do something.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.