The finance chief of Fortelus Capital Management LLP got an alarming phone call just as he was getting ready to leave work on a Friday.
The caller said he was from Coutts, the London-based hedge fund’s bank, and warned there may have been fraudulent activity on the account. Fortelus chief financial officer Thomas Meston was reluctant, but agreed to use the bank’s smart card security system to generate codes for the caller to cancel 15 suspicious payments. He hung up just after 6pm, according to court filings.
When Meston logged on to the firm’s online bank account on the following Monday, he saw that £742,668 (RM4.33 million, US$1.2 million) was gone. Coutts, a unit of Royal Bank of Scotland Group plc, had no record of the Friday phone call. Meston had been conned.
Meston was terminated by Fortelus and is now being sued by the fund, which says he breached his duty to protect its assets. Details of the phone conversation, which took place in December 2013, were described in documents from the firm’s London lawsuit. Meston denies he was negligent and says he acted honestly, according to his court documents in the case.
The incident shows how even the most sophisticated online security systems can fail because of human error. Firms, too, often see cybersecurity as a technical issue and don’t recognise the risk of employees being targeted, the Bank of England said in a report last week that called cybercrime a growing threat to financial stability.
“People are always the weakest link,” said Jason Ferdinand, a director at Coventry University, who runs the United Kingdom’s first cybersecurity master of business administration course. Employees “often assume that they do not have to think about security because a machine or software is doing it for them.”
Fortelus lawyer Daniel Astaire said no client funds were affected by the breach, and the firm reported it to police, who are investigating. Fortelus has “strong internal policies against fraud prevention” and this was “an isolated incident”, he said in an email.
Meston “believed that he was preventing a fraud from being carried out against the claimants, and this belief was reasonable”, his lawyers said in court filings. They said he’s not personally responsible for the firm’s assets and that Coutts should have to repay Fortelus.
Hedge funds are not the only victims of a “Friday afternoon scam”. Zurich Insurance Group AG warned in May that law firms were targeted by fraudsters impersonating bank staff who asked for access to accounts, often late on a Friday.
The frauds cost firms and their insurers an estimated £5 million over three months this year, Zurich said.
The theft was carried out by an “unknown third party”, Fortelus said in court documents. The caller identified himself as “Simon Hughes” from the Coutts online fraud response team, and transfers were made to accounts under names including EE Traders, AA Ltd, MK Trader, P Plumbers and LLM Client Account, according to court filings.
“This story is sad because it may well have been an honest mistake, but because of the technological advances made in finance, where the majority of their business is digital, significant losses can happen very quickly,” said Ferdinand. — Bloomberg
This article first appeared in The Edge Financial Daily, on July 10, 2015.