A long-time Butterfield Bank customer says she had $4,000 stolen from her account after falling victim to cyber crime.
Though she eventually managed to get the money returned, Ms Phillips, who has asked that we do not use her first name, said $4,000 was taken out of her account when she answered an e-mail last week asking her to update her online account. She says she thought the e-mail was Butterfield, her bank of 24 years.
“I immediately felt uncomfortable and knew I had made a grave mistake,” said the senior accounting executive based in Hamilton.
Just minutes after the incident she found that $4,000 had been wired to a bank in South Africa from her account, with the wire transfer stating that her home address was the PO Box of Butterfield Bank.
Visibly upset, Ms Phillips ran to Butterfield Bank to plead for help.
“When I got there they basically shrugged their shoulders and said ‘you shouldn’t have done that, we can’t help you’,” she said. “I felt helpless.”
The staff at the bank told her they would send a SWIFT message (a means by which global banks communicate with each other) to the beneficiary bank but said they were not liable for the missing money.
Butterfield’s internet banking agreement states that they are not liable for losses that occur should there be a breach in the account holder’s security.
Not satisfied, Ms Phillips took it upon herself to find the South African bank, ABSA Bank, get up in the early hours of the morning and call as many people as she could until she reached the right person.
After several tense hours of speaking with ABSA Bank, Ms Phillips said she sent all the information needed to Butterfield so they could assist in the return of the funds.
“I begged and pleaded and sent numerous e-mails to Butterfield Bank to help me but I got nothing back from them. Nothing,” she said. “Never was there the offer to see if the wire had gone through and if there was a way to stop it.
“Of the numerous e-mails that I sent, not once did I get a response from the various persons that I contacted with the bank until the funds were credited back.”
Ms Phillips said she finally got a call from her bank later that morning stating her $4,000 was credited back to her account.
Butterfield Bank, when questioned about the case, said they could not comment on the particulars of individual customers’ transactions.
The bank certainly isn’t the only group being targeted, in fact a 2011 Norton Corp report estimated the global cost of cybercrime at $400 billion annually.
Cyber crime is a growing concern in Bermuda. Last week The Royal Gazette reported that the Bermuda Monetary Authority, Department of Consumer Affairs and the Bermuda Police Service came together to warn the public about the scams.
In response to questioning about what they are doing to stop scammers targeting their customers, a Butterfield Bank spokesperson said: “When we learn of a phishing scam being perpetrated we take immediate action to have the fraudulent website disabled.”
The spokesperson said the bank had issued several statements to the media warning customers of such threats.
“We will NEVER request customers’ personal information, account data or online banking login credentials via e-mail and we will NEVER send customers links to a website asking them to ‘update’ or ‘unlock’ their online banking account access,” the bank said in an e-mailed statement.
Ms Phillips admits that she was at fault for falling for the e-mail scam but said that further stop-gap measures should be put in place to protect customers.
“I had a weak moment, I knew I was at fault but the least they could have done was answer one of my phone calls or my e-mails,” she said, adding that she is in the process of moving her account to another bank. “Who checks the outgoing wire information at the bank? It has to be approved by someone and my address is certainly not the PO Box of the bank. There are zero internal controls, that I have seen, to stop fraudulent transactions. Is that how you protect your clients?”
According to Butterfield Bank, once they find out a customer has been a victim of online fraud, they “take immediate action to contact the correspondent and/or the receiving banks” to recover the funds but depending on the situation, they may not be able to intervene before the thieves disappear with the money.
As part of Butterfield’s online security, the bank uses a public-key encryption token, which they now have asked customers to input twice but the bank says even that isn’t foolproof.
“Double authentication provides an additional layer of protection in respect of wire transfers, however, where a customer has voluntarily provided his or her account credentials to a third party, it is not a guaranteed means of stopping resulting unauthorised account access,” the bank said.
Some local banks have begun instituting an additional layer of protection by calling people who make wire transfers to confirm its authenticity.
“In order to ensure the highest level of service, but also security, when making transfers to local or foreign banks, HSBC may, from time to time, contact clients to validate transactions after the initial request has been submitted,” said a HSBC Bermuda spokesperson.
Both HSBC Bermuda and Capital G are also aware of scams circulating the Island and both have policies in place to review breaches and losses on a “case-by-case” basis.
“We shall deal with each suspected incident of fraud on a case-by-case basis,” said a Capital G spokesperson. “If it is determined that you took reasonable care to protect your personal information (including PINs and passwords) and acted reasonably in protecting such information, your losses shall be returned to you in accordance with our terms and conditions.”
Ms Phillips warns others that it only takes a weak moment to make a costly mistake.
“I guess the moral is to never give up,” she said. “Yes, it probably cost me $150 in phone calls to South Africa but better that than the $4,000 that BNTB bank was not willing to help me get back.”