Court says Comerica Bank must pay after customer is hacked

In the second ruling on ACH fraud in a week, a federal court said the bank could have done better

A Michigan court has ruled that Comerica Bank is liable for a US$560,000 cyberheist, saying the bank should have done a better job to spot millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.

In a June 13 decision, the court ruled in favor of Experi-Metal, a Sterling Heights, Michigan, custom auto-parts maker that had sued Comerica after the January 2009 incident. In just a few hours, criminals tried to move millions of dollars to Eastern Europe before Comerica's fraud department shut down the scam. Most of the money was recovered, but in his ruling Judge Patrick Duggan of the U.S. District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. A "bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Judge Duggan wrote in his ruling.

Experi-Metal's troubles started in the early morning hours of Jan. 22, 2009. That's when the company's vice president of manufacturing, Gerry King, received a phishing e-mail telling him to fill out what appeared to be a mundane piece of online paperwork: a "Comerica Business Connect Customer Form." He forwarded the e-mail to Controller Keith Maslowski, who then logged into a website belonging to the criminals. With Maslowski's login credentials, the criminals were off and running. Over the next six-and-a-half hours they raced to steal as much of Experi-Metal's money as they could before their window of opportunity closed.

Comerica learned about the problem about four hours into the fraud, when J.P. Morgan Chase called to report some suspicious transactions coming into its accounts from Experi-Metal's account. A much larger bank, Chase could move money overseas, so the criminals were funneling money into Chase accounts in order to then transfer it to Russia and Estonia.

Comerica's fraud department immediately took away Experi-Metal's account, but they made a mistake. They didn't knock the fraudsters off the Comerica server. Still logged in, the criminals managed to initiate another 15 wire transfers before a Comerica quality risk manager finally killed their session. That final push netted the criminals nearly $50,000.

After Comerica refused to cover the $560,000 loss, Experi-Metal filed suit, arguing that the bank should not have allowed the transfers. Comerica countered that since Experi-Metal was the company that was phished, it should have to pay.

Judge Duggan has ruled in Experi-Metal's favor in a bench opinion, but he has not yet said how much Comerica must pay.

The Michigan court's decision is important because U.S. courts are only now starting to decide who should pay for these scams, known as Automated Clearing House (ACH) fraud. Security experts believe that ACH scammers have made hundreds of millions of dollars over the past few years, typically hitting small businesses, school boards and community organizations that work with smaller regional banks. The hackers steal the online banking credentials of company employees and then quickly move hundreds of thousands of dollars out of accounts using the ACH system, which was created to move money such as payroll funds.

Consumers aren't liable for this type of fraud, but that's not the case when it comes to small businesses. In fact, despite this week's ruling, it's really not clear who must pay after ACH fraudsters strike. Just last week a Maine magistrate judge ruled in favor of the bank in a similar incident. That decision could cost Patco Construction, in Sanford, Maine, $345,000.

While many ACH fraud disputes are quietly settled out of court, with both sides accepting some losses, if companies take ACH fraud disputes to court, the decision of liability is almost a coin toss, said David Navetta, a founding partner with the Information Law Group. "I expect that we will see varying opinions in various jurisdictions," he said. "If things start getting appealed to the appellate courts ... then the district courts are bound by that ruling. That's when it starts to get serious."

That's exactly what's going to happen in this case, according to bank spokeswoman Kathleen Pitton. According to her, Comerica plans to file an appeal. "We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision," she said in an e-mail message.

Neither Experi-Metal nor its lawyer, Richard Tomlinson, returned calls seeking comment. News of the ruling was head

Banks are now doing a better job of spotting ACH fraud than they were in 2009, but the criminals are still making money, said Avivah Litan, a distinguished analyst with Gartner Research. "Every bank I've talked to is really concerned about it and worried about it," she said. "Some are better able to deal with it than others."

Companies such as RSA Security, Actimize and Guardian Analytics sell customer profiling and fraud detection systems designed to flag fraudulent transactions, but the fraudsters are always on the lookout for ways to beat the bank. "They've been known to beat the profiling systems," Litan said. "It's becoming very problematic."

And as the recent court decisions have shown, nobody knows for sure who's going to be left footing the bill.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is
