140 BMO customers say they lost $1.5 million in wire fraud, plan to sue bank

Elizabeth Bernas and her husband planned to use the proceeds from the sale to renovate their new home in Ajax, Ont., pay for their children's university tuition and go on family vacations.

But before they could, they say someone hacked into their Bank of Montreal account in late 2022 and withdrew more than $63,000 through a series of bank wire transfers.

“We were shocked,” Bernas said. “We almost fell to the floor.”

BMO told Bernas they would not be reimbursed because the transfers were made on their device, there were no failed account login attempts, and a computer malware scan showed no violations, the letter said. bank viewed CBC News.

“We are deeply depressed; sleepless nights,” Bernas said. “We all want our money back.”

CBC News reported such unauthorized transfers for the first time among BMO customers two years ago and heard from about two dozen others since then.

Now, more than 140 clients with similar experiences from all over the country have formed a group with a plan to file a class action lawsuit against the bank. Organizer Lisa Wong said they lost more than $1.5 million.

“We have people from all walks of life,” he said. “We have new immigrants, we have professionals like doctors, engineers, and we have business owners.”

“(BMO's security) is not protecting us from this growing, sophisticated cybercrime,” said Wong, who lost $15,500, according to bank filings.

Toronto teacher Joe Jacobs and his wife lost $20,000 when a cybercriminal accessed their line of credit, bank records show.

Now they are responsible for monthly payments and interest. To make ends meet, Jacobs says she's been renting out a room in her family home and has had to delay sending one of her children to university.

“It's really hard,” he said.

BMO spokesman Jeff Roman said that like other banks around the world, BMO is constantly adapting to help customers prevent cybercrime.

“In the digital world we live in, this fraud is rapidly evolving and becoming more sophisticated., targeting millions of Canadians malicious texts and phone calls,” Roman said.

“We understand how difficult it is when a customer is unfortunately a victim of these criminals and we offer support based on the specifics of their individual case and circumstances.”

He said BMO aims to detect and prevent these cases whenever possible, but cannot share details for security reasons.

Wire and wire fraud is on the rise

According to the Ombudsman for Banking and Investment Services (OBSI), a national organization that mediates some disputes between member banks and customers, wire transfer fraud in general is “a significant growing concern”.

According to OBSI spokesman Mark Wright, electronic transfer cases are usually difficult because it is impossible to find the wrongdoer.

---

Also, “in most of these cases, we are unable to recommend that the bank compensate the customer because our investigations show that the customer unknowingly shared or authorized their confidential information and the bank complied with its obligations,” he said. said in an email.

How the scam works

CBC News spoke to about half a dozen customers who say their BMO checking, savings and/or credit accounts were wiped out when fraudsters somehow gained access and used wire transfers, global money transfers and posing as payees. bills.

BMO told them they would not be reimbursed because their passwords were misused and in some cases the one-time codes were sent and entered incorrectly and the IP addresses matched the customer's, according to emails from the bank.

Customers reported to the police and OBSI, which sided with the bank.

Kenrick Bagnall, a former Toronto police cybercrime investigator who worked in the banking security sector, believes customers' devices are infected with malware that collects digital credentials such as passwords and IP addresses from a computer, tablet or phone.

Bagnoll said cybercriminals often use social media to obtain information about an individual, then send them a targeted phishing email based on their interests and recent activities that, if clicked, can infect a device.

According to Bangnall, the malware, which can bypass even advanced scanning programs, bundles the stolen information into a package that can be sold on the dark web for anywhere from $50 to $200, depending on several variables.

Cybercriminals can then impersonate the victim's computer and gain access to accounts.

“It looks like he's actually going in when the victim isn't,” Bagnoll said. “So in terms of the checks and balances and controls and the reasonable efforts that the bank is putting in, they're doing the right thing from a security perspective.”

“Blaming the victim”

Wong said BMO should have done more to reduce the risk of its customers' money being stolen, flagging suspicious activity, stopping it and warning customers.

Emile Landry, who lives in the Ottawa area, lost more than $22,000 in January through multiple wire transfers – something he says he's never used in 25 years of banking at BMO.

“After the first transfer, why didn't they stop it and ask questions instead of going through four and releasing the account?” said Landry, who, like Bernas and Jacobs, is part of a group that plans to sue the bank.

“At 80 years old… it hurts. I had to lend my son a few dollars.'

BMO customers can subscribe to alerts, which alert customers if its system suspects unusual activity.

But the founder of Democracy Watch, an organization that promotes government accountability and corporate responsibility, says the security measure should be automatic.

Duff Conacher recommends that all banks set a maximum dollar amount for customers for transactions, and that any attempt to exceed it must be signed by the customer.

He said the banks pushed consumers to bank online, so the responsibility must lie, at least in part, with the banks.

“The current system is a 'blame the victim' system, as opposed to blaming the institution responsible for creating and operating online banking and failing to operate it in a manner that ensures it is secure,” Conacher said.

Jacobs, the teacher, says it's unwise for consumers to be fully aware of all cybercrime and changing vulnerabilities.

“The whole system is so vulnerable and people are so vulnerable to being hacked or having their security compromised, but it's a system we're forced to participate in,” he said.

“I feel like a bank should play a bigger role in keeping their customers safe.”

The Canadian Bankers Association, which represents Canada's largest institutions, did not directly respond to questions about whether banks should consider liability for such losses. Instead, spokeswoman Maggie Cheung said Canadian banks are “committed to helping protect their customers from financial fraud” and that the organization is working with its members to help customers identify and prevent fraud.

BMO spokesman Roman said the bank is committed to working with the government, the technology industry and other banks to help Canadians protect themselves from fraud.

Tips for protecting yourself

Bagnoll recommends “slowing down and being more responsive” when browsing websites or receiving emails.

It also reminds people to be aware of what they share on social media and that long passwords equal strong passwords.

Bagnoll's five recommendations for both companies and individuals:

1. Know what data is stored where and with what security.
2. Be aware of digital and human vulnerabilities.
3. Educate yourself about current threats.
4. Plan ahead by imagining the danger or problem. For example, what would you do if you lost your phone?
5. Create a disaster recovery plan. For example, how do you get your data back?