Waterlooville Golf Club in Portsmouth, England was the victim of hackers who used spyware to steal funds from the club’s bank account overnight by creating false invoices. The club’s bank has refused to refund the money, arguing that the club committed “gross negligence” by not using the bank’s own security software.
Hackers siphoned £90,000 ($116,636) from the business account of a golf club in Portsmouth, England over a 24-hour period, an instructive lesson for all clubs, which could be vulnerable to the same threat, the London Daily Mail reported.
An employee of Waterlooville Golf Club logged into the account one afternoon, and by the time she logged in again the next morning, she found that money had been plundered from the club’s funds. To make matters worse, the club’s bank, NatWest, refused to refund the money, which would have ruined the club if it had not secured a ten-year loan. Ironically, the loan was arranged with NatWest, which means the bank is profiting from the club’s misfortune, the Daily Mail reported.
Mark Pinhorn, the club’s chairman, said going cap in hand to the bank for a loan was a ‘galling’ experience. He also believes NatWest was culpable in failing to detect the fraud. It was committed in August 2014. The employee noticed that NatWest’s website was running slowly, but nothing seemed amiss, the Daily Mail reported.
At one point she was asked for a special code during log-in, which she supplied, although typically this is required only when authorizing a payment. The next morning, after logging on to the account, she found nearly £90,000 had been withdrawn in two installments: £9,700 ($12,581) from the club’s standard business account and £80,190 ($104,007) from the linked savings account, the Daily Mail reported.
It is thought hackers were able to steal the cash after sending an email dressed up as an invoice the day before. As the employee was used to dealing with invoices from suppliers, she clicked on the attachment, which may have downloaded ‘spyware’ on to the computer. Spyware is software that lets a criminal ‘see’ what a computer user is doing—including the details they enter for online banking, the Daily Mail reported.
The bank told the club it would not refund the sum as staff should have downloaded its security software, and their inaction amounted to negligence. But staff say not only were they unaware that spyware was sitting on the computer, but the bank has failed to explain its own laxity over security, the Daily Mail reported.
The savings account had never been used to make an external payment before. Instead, the club’s subscriptions are paid into the current account and transferred to the linked savings account. Money is moved back monthly from the savings account to the current account to pay bills, the Daily Mail reported.
“In our eyes a direct transaction from the savings account was a highly unusual payment that should have been flagged by the bank,” said Pinhorn. “Why was it allowed?”
Equally depressing was the fact that the banks in receipt of the funds said they could not divulge details of the accounts held by the fraudsters, because of data protection rules. NatWest agrees that the transactions were not authorized by the employee, but the bank claims “gross negligence” on the part of the club and so says it is not responsible for the fraud, the Daily Mail reported.
The Mail on Sunday asked NatWest to comment on its handling of the fraud committed against the golf club. It said the club should have downloaded its recommended Trusteer Rapport security software and should not have entered a special code at log-in. A bank spokesman said: “We have every sympathy with the club being the victim of malware fraud. We investigated the case thoroughly and provided a detailed rationale for the outcome.
“We provide extensive security advice to enable customers to prevent malware fraud, through direct messages, emails and access to the security centre on our website.”
The case acts as a warning to NatWest customers that if they do not download the security software the bank says they should, and if they have spyware on a computer, they could be held responsible for fraud, the Daily Mail reported.