140 BMO customers say they lost $1.5M in transfer frauds, plan to sue bank
Elizabeth Bernas and her husband had planned to use the proceeds from their home sale to reno‐ vate their new house in Ajax, Ont., to pay for their children's university tu‐ ition and to go on a family vacation.
But before they could, they say someone accessed their Bank of Montreal ac‐ count without authorization in late 2022 and withdrew more than $63,000 through a series of transfers that the bank won't reimburse.
"We were shocked," Bernas said. "We almost dropped on the floor."
BMO told Bernas it won't compensate them because it appeared the transfers were done on their device, there were no failed login attempts to the account, and a mal‐ ware scan of the computer didn't show any irregularities, according to a letter from the bank CBC News has viewed.
"We were just so de‐ pressed; sleepless nights," Bernas said. "We all want our money back."
CBC News first reported on similar unauthorized transfers among BMO cus‐ tomers two years ago and has since heard from around another two dozen.
Now, more than 140 cus‐ tomers with similar experi‐ ences from across the coun‐ try formed a group with the plan of filing a class-action lawsuit against the bank. Col‐ lectively, they've lost more than $1.5 million, according to organizer Lisa Wong.
"We have people from all walks of life," she said. "We have new immigrants, we have professionals like doc‐ tors, engineers and we have business owners."
"[BMO's security] is not protecting us against the growing, sophisticated cyber‐ crime," said Wong, who lost $15,500, according to bank documents.
Toronto teacher Joe Ja‐ cobs and his wife lost $20,000 when a cybercrimi‐ nal seemingly accessed their line of credit, banking docu‐ ments show.
Now, they're responsible for the monthly payments, plus interest. In order to af‐ ford it, Jacobs says his family is renting out a room in their home and they've had to de‐ lay sending one of their chil‐ dren to university.
"It's really difficult," he said.
BMO spokesperson Jeff Roman says, like other banks around the world, BMO con‐ tinually adapts to help cus‐ tomers stay ahead of cyber‐ crime.
"In the digital world we live in, these scams are fast evolving and are becoming more sophisticated, targeting millions of Canadians with malicious texts and phone calls," Roman said.
"We realize how difficult it is when a customer unfortu‐ nately falls victim to these criminals, and we provide support based on the speci‐ fics of their individual cases and circumstances."
He says BMO is focused on detecting and preventing these situations when possi‐ ble, but can't share details for security reasons.
Wire and e-transfer fraud growing
E-transfer fraud in general is a "significant increasing con‐ cern," according to the Om‐ budsman for Banking and In‐ vestment Services (OBSI), the national organization that mediates some disputes be‐ tween member banks and clients.
OBSI spokesperson Mark Wright says e-transfer cases are typically difficult because the wrongdoer can't be lo‐ cated.
Also, "in most of these cases, we are not able to recommend that the bank pay compensation to the consumer because our inves‐ tigations show the consumer has unknowingly shared or given access to their confi‐ dential information and the bank has complied with its obligations," he said in an email.
How the fraud works
CBC News spoke with about half a dozen clients who say their BMO chequing, savings and/or line of credit accounts were drained when fraud‐ sters somehow got access and sent themselves money through e-transfers, global wire transfers and by setting themselves up as payees for bills.
BMO told them they won't be reimbursed because their passwords were used cor‐ rectly and, in some cases, one-time codes were sent and entered correctly and the IP addresses matched those of the client, according to emails from the bank.
The customers filed re‐ ports with police and the OB‐ SI, who sided with the bank.
WATCH | How victims are targeted:
Kenrick Bagnall, a former Toronto police cybercrime in‐ vestigator who worked in the bank security sector, says he believes the customers' de‐ vices were infected by mal‐ ware, which harvests digital credentials like passwords and IP addresses from a
computer, tablet or phone.
Bagnall says cybercrimi‐ nals often use social media to gain information about an individual, then send them a targeted phishing email based on their interests and recent activity, which if click‐ ed on, can infect a device.
The malware - which can evade even advanced scan‐ ning programs - then bun‐ dles the stolen information into a package, which is sold on the dark web for between $50 to $200, depending on several variables, according to Bagnall.
Cybercriminals can then mirror the victim's computer and log into accounts.
"It actually looks like the victim is logging in them‐ selves when they're not," Bagnall said. "So, as far as the checks and balances and controls and the reasonable effort that the bank is putting in, from a security perspec‐ tive, they're doing the right things." 'Blame the victim'
Wong says BMO should have done more to reduce the risk of its clients' money being stolen, should have flagged suspicious activity, stopped it and alerted customers.
Emile Landry, who lives in the Ottawa area, lost more than $22,000 in January through a series of wire transfers - a service he says he's never used in his 25 years of banking with BMO.
"After the first money transfer, why did they not stop it and question it in‐ stead of letting all four go through and empty the ac‐ counts?" said Landry who, like Bernas and Jacobs, is part of the group planning to sue the bank.
"At 80 years old… it hurts a lot. I had to get my son to lend me a few dollars."
BMO says customers can sign up for alerts, which warn customers if its system sus‐ pects unusual activity.
But the co-founder of Democracy Watch, a govern‐ ment accountability and cor‐ porate responsibility advo‐ cacy group, says that sort of security measure should be automatic.
Duff Conacher suggests all banks should have cus‐ tomers set up maximum dol‐ lar amount for transactions and, if there's an attempt to exceed it, the customer must sign off.
He says banks pushed consumers into online bank‐ ing and so the liability should, at least in part, lie with banks.
"The current system is a 'blame the victim' system as opposed to blame the institu‐ tion that's responsible for setting up online banking and maintaining it and failing to maintain it in a way that ensures it's safe," Conacher said.
Jacobs, the teacher, says it's not reasonable for con‐ sumers to be fully up to date on all things cybercrime and the changing vulnerabilities.
"The whole system is so vulnerable and people are so vulnerable to being hacked or to having their security compromised and yet it's a system that we're essentially forced to have to participate in," he said.
"I just feel like the bank has to take a bigger role in providing security for their customers."
The Canadian Bankers As‐ sociation, which represents Canada's largest institutions, didn't directly answer a ques‐ tion about whether banks should consider liability for these types of losses. In‐ stead, spokesperson Maggie Cheung said Canadian banks "are committed to helping protect their customers from financial scams" and the or‐ ganization works with its members to help customers detect and prevent scams.
Roman, the BMO spokesperson, says the bank is determined to work with the government, the tech‐ nology industry and other banks to help Canadians de‐ fend themselves against scams.
Tips to protect yourself Bagnall suggests "slowing down and being hypersensi‐ tive" when browsing websites or receiving emails.
He also reminds people to be cognizant of what they share on social media and that long passwords equal strong passwords.
Bagnall's five recommen‐ dations to both companies and individuals are:
Be aware of what data is stored where, and un‐ der what sort of secu‐ rity. Be aware of vulner‐ abilities - both digital and human. Educate yourself on current threats. Plan ahead by imagining a threat or problem. What would you do if you lost your phone, for instance? Have a recovery plan in case disaster strikes. How will you get your data back, for instance?