From ABC 10 News:

The scam started with Feb. 9 email that appeared to be from the postal service, from an email address ending in, with additional instructions a click away.

“I thought it was legitimate and I clicked on the attachment,” said John …

Well that’s not smart. It sounds like the attachment was a virus that allowed the hackers to spy on his online activity and play man in the middle. But they weren’t just passively sucking up information. Here’s where “John” quadruples down on his first mistake:

Hours after clicking on the attachment, John was back on the computer, attempting to access the firm’s account with Pacific Premier Bank.

After entering his ID, he was transferred to a page asking for his PIN instead of the typical password. Soon after, he received a call from a man claiming to be from the bank, noticing he was having trouble logging on.

(Emphasis mine.) This does not happen. Banks do not call you when you are having trouble logging into your account.

“I just wanted to log onto my account and I thought this person was helping me,” said John.

Oh you poor idiot.

Two days later, the man called back and John says he repeated the steps.

Oh for the love of … STOP IT YOU MORON.

Hours later, John discovered a transfer for $289,000 – a big chunk of the account – to a Chinese bank.

Shocking. By which I mean not shocking at all.

The bank, if you want to know, declined to cover the loss.

(h/t ABA Journal)


  1. Sean Carter says:

    It seems like the bank did its fair share of stupid as well. It transferred out almost $300K to a foreign bank in one transaction? Unless this lawyer had a lucrative import-export side business, this should have raised some red flags. Twice, my bank has frozen my account because I used my ATM card in a hotel vending machine (apparently, they though that paying $2.50 for a Diet Coke was too excessive … I agree). In any event, I don’t think I’ll be doing business with PPB anytime soon.

    • Kirsten Weinzierl says:

      You bring up a very good point. Banks usually look for signs of unusual transactions or behavior and they should have been suspicious of this activity.

      • Davd Smith says:

        Banks can choose to do all sorts of things that seem like protection, but if they don’t do them, they have protected themselves as well as the UCC will let them.

    • Sam Glover says:

      On the one hand, I agree. On the other, it doesn’t seem like the hacker was responsible the transfer. It sounds like the lawyer helpfully made the transfer himself.

    • Victor Minjares says:

      Regulation E protection (capping your liability for bank fraud) only applies to consumer accounts, not business accounts. You can negotiate with your bank about getting better protection in case of fraud for your business account, but that would have to be done upfront – not after the theft. The lawyer in the story was very unwise, but this is a reminder to all of us to check whether or not our business checking fraud liability is “Reg E equivalent” or close to that. If not, you can ask the bank to add it, or take your business to another bank that will give you that kind of fraud coverage.

  2. Kirsten Weinzierl says:

    Darwinism, right?! Why wouldn’t the FDIC cover the loss?

  3. Paul Spitz says:

    Why did this guy have $289,000 sitting in a bank account?

Leave a Reply