Berkshire Bank was the alleged target of an increasingly common type of cyberheist this fall that bilked a longtime customer out of more than $1 million, according to a lawsuit filed this week.
Jim Jacobs, a Florida-based modern art dealer, filed suit in US District Court in Springfield alleging that the bank’s inadequate fraud detection systems allowed criminals to steal $1.4 million from his account and move the money to Hong Kong through two wire transfers in October.
Jacobs, who has ties to the Western Massachusetts art community, opened his personal account with Great Barrington Savings Bank in 1980, before it merged with what eventually became Berkshire Bank, now an $8 billion institution.
According to the lawsuit, over the years Jacobs’s account grew significantly, and he was assigned a personal banker at Berkshire Bank who handled his transactions — a common practice among financial institutions looking to cater to high-net-worth clients.
Over the course of a week in October, the personal banker fell for three fake, or spoofed, e-mails from somebody pretending to be Jacobs. The imposter directed the banker to transfer $580,000 and $826,000 into two separate banks in Hong Kong, suggesting the payments were related to the work of abstract painter Agnes Martin, according to the lawsuit.
Berkshire Bank failed to verify that Jacobs was actually making the requests, according to the lawsuit. The transactions should have raised red flags at Berkshire Bank because Jacobs had never before done business with the companies receiving the money or with their Hong Kong banks, according to the lawsuit.
Scams that use fake e-mail to target businesses are on the rise nationally, according to cybersecurity experts and law enforcement officials.
Since June 2015, approximately 370 victims from Massachusetts, Maine, New Hampshire, and Rhode Island have reported losses of about $33 million due to such schemes, according to the FBI’s Boston office.
In most cases, cybercriminals were able to glean enough information about employees in a company to create a fake e-mail from an executive that’s sent to accountants or financial officers instructing them to make wire transfers into accounts held by the thieves. These schemes have hit technology companies, small businesses, and real estate firms, said Michael Kelly, a supervisory special agent for the economic crime squad in the Boston FBI office.
“If you make wire transfers on a regular basis, you’re going to be targeted,” Kelly said. “We are in a fast-paced business environment. We’re not used to doing things face-to-face anymore and this scheme takes advantage of it.”
Banks, which were targeted in the first wave of these scams, have deployed increasingly sophisticated algorithms to weed out potentially fraudulent wire transfer requests from their customers, Kelly said.
Jacobs learned of the unauthorized transfers when he returned from a European vacation in late October and spoke with the personal banker, who mentioned the transactions.
“Berkshire Bank, by failing to exercise the care of a reasonably prudent person in connection with sending and resending of wires to Hong Kong without authenticating the transfer orders, breached its fiduciary duty,” the lawsuit states.
Jacobs was not available for comment. His attorney, Lucy Prashker, declined to comment on the details of the case. However, she said the FBI is aware of the case.
The FBI declined to say whether it is investigating.
Berkshire Bank officials declined to comment on pending litigation. However, according to the lawsuit, the bank has argued that the banker was acting as Jacobs’s agent at the time and not as a Berkshire Bank employee.
Most banks have technology in place that flags unusual wire transfers, especially if they are for significant amounts or are being sent to bank accounts that a customer has never done business with before, said Seth Ruden, a senior fraud consultant with ACI Worldwide, a Florida-based payment systems company.
Some institutions can even detect whether customers are using their usual computer to send requests and whether it can be trusted, Ruden said.
“Banks do and should have anomaly [detecting] systems in place,” Ruden said. “If they don’t, they’re missing a key component.”
It’s unclear what procedures Berkshire Bank had in place for customers such as Jacobs.
According to the lawsuit, Berkshire Bank never provided Jacobs with security measures to protect his account from fraudulent wire transfers.
After the theft, recovering the money can be a challenge, officials said.
The FBI’s Boston office has recovered about 40 percent of the $33 million stolen in the region.
In Berkshire Bank’s case, its wire transfer supervisor first requested that Jacobs waive his rights to sue the bank over its efforts to retrieve the money, even in the case of gross negligence and willful misconduct, according to the lawsuit.
“Shocked by Berkshire Bank’s improper attempt to condition any effort to recover the funds on securing a waiver from Mr. Jacobs of rights against Berkshire Bank, Mr. Jacobs declined,” the lawsuit states.