140 BMO customers say they lost $1.5M in transfer frauds, plan to sue bank
Bank says it works to detect cybercrime and prevent customers from being scammed
Elizabeth Bernas and her husband had planned to use the proceeds from their home sale to renovate their new house in Ajax, Ont., to pay for their children's university tuition and to go on a family vacation.
But before they could, they say someone accessed their Bank of Montreal account without authorization in late 2022 and withdrew more than $63,000 through a series of transfers that the bank won't reimburse.
"We were shocked," Bernas said. "We almost dropped on the floor."
BMO told Bernas it won't compensate them because it appeared the transfers were done on their device, there were no failed login attempts to the account, and a malware scan of the computer didn't show any irregularities, according to a letter from the bank CBC News has viewed.
"We were just so depressed; sleepless nights," Bernas said. "We all want our money back."
CBC News first reported on similar unauthorized transfers among BMO customers two years ago and has since heard from around another two dozen.
Now, more than 140 customers with similar experiences from across the country formed a group with the plan of filing a class-action lawsuit against the bank. Collectively, they've lost more than $1.5 million, according to organizer Lisa Wong.
"We have people from all walks of life," she said. "We have new immigrants, we have professionals like doctors, engineers and we have business owners."
"[BMO's security] is not protecting us against the growing, sophisticated cybercrime," said Wong, who lost $15,500, according to bank documents.
Toronto teacher Joe Jacobs and his wife lost $20,000 when a cybercriminal seemingly accessed their line of credit, banking documents show.
Now, they're responsible for the monthly payments, plus interest. In order to afford it, Jacobs says his family is renting out a room in their home and they've had to delay sending one of their children to university.
"It's really difficult," he said.
BMO spokesperson Jeff Roman says, like other banks around the world, BMO continually adapts to help customers stay ahead of cybercrime.
"In the digital world we live in, these scams are fast evolving and are becoming more sophisticated, targeting millions of Canadians with malicious texts and phone calls," Roman said.
"We realize how difficult it is when a customer unfortunately falls victim to these criminals, and we provide support based on the specifics of their individual cases and circumstances."
He says BMO is focused on detecting and preventing these situations when possible, but can't share details for security reasons.
Wire and e-transfer fraud growing
E-transfer fraud in general is a "significant increasing concern," according to the Ombudsman for Banking and Investment Services (OBSI), the national organization that mediates some disputes between member banks and clients.
OBSI spokesperson Mark Wright says e-transfer cases are typically difficult because the wrongdoer can't be located.
Also, "in most of these cases, we are not able to recommend that the bank pay compensation to the consumer because our investigations show the consumer has unknowingly shared or given access to their confidential information and the bank has complied with its obligations," he said in an email.
How the fraud works
CBC News spoke with about half a dozen clients who say their BMO chequing, savings and/or line of credit accounts were drained when fraudsters somehow got access and sent themselves money through e-transfers, global wire transfers and by setting themselves up as payees for bills.
BMO told them they won't be reimbursed because their passwords were used correctly and, in some cases, one-time codes were sent and entered correctly and the IP addresses matched those of the client, according to emails from the bank.
The customers filed reports with police and the OBSI, who sided with the bank.
Kenrick Bagnall, a former Toronto police cybercrime investigator who worked in the bank security sector, says he believes the customers' devices were infected by malware, which harvests digital credentials like passwords and IP addresses from a computer, tablet or phone.
Bagnall says cybercriminals often use social media to gain information about an individual, then send them a targeted phishing email based on their interests and recent activity, which if clicked on, can infect a device.
The malware — which can evade even advanced scanning programs — then bundles the stolen information into a package, which is sold on the dark web for between $50 to $200, depending on several variables, according to Bagnall.
Cybercriminals can then mirror the victim's computer and log into accounts.
"It actually looks like the victim is logging in themselves when they're not," Bagnall said. "So, as far as the checks and balances and controls and the reasonable effort that the bank is putting in, from a security perspective, they're doing the right things."
'Blame the victim'
Wong says BMO should have done more to reduce the risk of its clients' money being stolen, should have flagged suspicious activity, stopped it and alerted customers.
Emile Landry, who lives in the Ottawa area, lost more than $22,000 in January through a series of wire transfers — a service he says he's never used in his 25 years of banking with BMO.
"After the first money transfer, why did they not stop it and question it instead of letting all four go through and empty the accounts?" said Landry who, like Bernas and Jacobs, is part of the group planning to sue the bank.
"At 80 years old… it hurts a lot. I had to get my son to lend me a few dollars."
BMO says customers can sign up for alerts, which warn customers if its system suspects unusual activity.
But the co-founder of Democracy Watch, a government accountability and corporate responsibility advocacy group, says that sort of security measure should be automatic.
Duff Conacher suggests all banks should have customers set up maximum dollar amount for transactions and, if there's an attempt to exceed it, the customer must sign off.
He says banks pushed consumers into online banking and so the liability should, at least in part, lie with banks.
"The current system is a 'blame the victim' system as opposed to blame the institution that's responsible for setting up online banking and maintaining it and failing to maintain it in a way that ensures it's safe," Conacher said.
Jacobs, the teacher, says it's not reasonable for consumers to be fully up to date on all things cybercrime and the changing vulnerabilities.
"The whole system is so vulnerable and people are so vulnerable to being hacked or to having their security compromised and yet it's a system that we're essentially forced to have to participate in," he said.
"I just feel like the bank has to take a bigger role in providing security for their customers."
The Canadian Bankers Association, which represents Canada's largest institutions, didn't directly answer a question about whether banks should consider liability for these types of losses. Instead, spokesperson Maggie Cheung said Canadian banks "are committed to helping protect their customers from financial scams" and the organization works with its members to help customers detect and prevent scams.
Roman, the BMO spokesperson, says the bank is determined to work with the government, the technology industry and other banks to help Canadians defend themselves against scams.
Tips to protect yourself
Bagnall suggests "slowing down and being hypersensitive" when browsing websites or receiving emails.
He also reminds people to be cognizant of what they share on social media and that long passwords equal strong passwords.
Bagnall's five recommendations to both companies and individuals are:
- Be aware of what data is stored where, and under what sort of security.
- Be aware of vulnerabilities — both digital and human.
- Educate yourself on current threats.
- Plan ahead by imagining a threat or problem. What would you do if you lost your phone, for instance?
- Have a recovery plan in case disaster strikes. How will you get your data back, for instance?