A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.
The heist began in December 2012 with a roughly $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.
This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.
Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.
Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut it down.
Up until the past few weeks, the firm’s remaining funds have been tied up in a conservatorship established by the state, effectively barring the company’s owners from accessing any of its money. In early July, the state appointed a receiver to help wind up the company’s finances.
The court-appointed receiver — Peter A. Davidson of Ervin Cohen & Jessup LLP in Beverly Hills — said he and the company are contemplating their options for recovering more of the lost funds from the bank — Irvine, Calif. based First Foundation.
“We’re exploring what choices we have to recover funds for those who had escrows and are owed money,” Davidson said. “We filed a claim with the insurance company and we’re looking at our options for possibly dealing with the bank.”
Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.
First Foundation did not respond to requests for comment.
Efficient’s co-owner Daniel J. Crenshaw said the bank produced a report shortly after the heist concluding that the missing funds were stolen not in a cyberheist but instead embezzled by an employee of Efficient Services. Crenshaw said the bank later backed away from that claim, after the state appointed a local forensics expert to examine the controller’s computer; sure enough, they discovered that the system had been compromised by a remote access Trojan prior to the heist.
But by that time the money was long gone, and Efficient Services was out of business, forced to lay off its entire staff of nine employees. Crenshaw said the company was on track to clear a half million dollars in profit this year and to reach a million dollars in 2014.
“At the end of the day, we want our clients to get their money back, but after that, we lost our business,” Crenshaw said, noting that the company’s 20 former clients who are still owed money have been “very supportive” of suing the bank to recover their funds. “We lost everything, and it’s entirely likely that my brother and I can get back what we lost and the interest on that, and maybe that will cover at best the attorney fees. But we’re still nine people out of a job.”
Davidson said he’s stumped over why the bank didn’t bat an eyelash when the company’s money started moving overseas.
“This is one of the big issues we have with the bank,” Davidson said. “This company had never sent wires overseas before. Why not pick up the phone and confirm the transaction? That’s where I think the bank may have some problems.”
According to Charisse Castagnoli, a bank fraud expert and independent security consultant, few outside some of the larger banks offer country-blocking capability for wire transfers. For the most part, she said, the smaller institutions outsource their online banking systems to third-party service providers that simply don’t offer the capability to restrict overseas wires. The other part of the problem is that businesses — particularly title and escrow firms — too often fail to ask about placing such limits until an incident like this one occurs.
“It’s not widely implemented,” Castagnoli said. “On the wire side, there are just a few providers — Fedwire and ACI Worldwide are the big ones — and these software systems are ancient. Most smaller banks use a service provider that handles the Web site and plugs into these wire systems. Why aren’t there better controls available to businesses and banks so they can manage specific business risks in more appropriate ways? The answer is lack of imagination and lack of capabilities at the software layer. And if customers aren’t demanding it, why would banks spend probably hundreds of thousands to integrate that capability?”
Title and escrow firms are a favorite target of cyber thieves, precisely because banks are accustomed to these customers moving large amounts of money around on a daily basis. In April 2013, I wrote about a Charlotte, N.C. based escrow firm that lost $336,000 in a cyberheist that prompted a lawsuit from its own bank.
Last June, Village View Escrow Inc., another California escrow firm that lost $400,000 in a 2010 cyberheist, secured a settlement with its bank to cover the loss and the company’s attorney’s fees.
Things have gone differently for other title and escrow firms that opted to sue their banks following a cyberheist. Earlier this year, a Missouri court ruled against a $440,000 cyberheist victim. Another case brought by a Virginia title firm that lost $207,000 in a 2010 cyberheist is still making its way through the courts.
Efficient Services is not the only escrow firm in California to be hit with a cyberheist this year. A recent bulletin (PDF) from the California Department of Corporations indicates at least one other company was attacked this year to the tune of almost $1 million.
“Both cases involved unauthorized wires to foreign bank accounts, the DoC warned. “This is an important reminder that each escrow agent must be vigilant in protecting trust account.”
If you run a title or escrow firm — any small- to mid-sized business at all — please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.