Two Bank of Montreal customers in Toronto say they want the bank to implement better security measures and repay them the thousands of dollars they lost after e-transfers were mysteriously sent from their bank accounts using their own login information.
The online account of Lan Wang's elderly mother was accessed without authorization in November, and someone e-transferred $10,000 out of the account, according to bank documents reviewed by CBC News.
"It's all their savings. It's very tough for them," Wang said of his elderly parents. "They were relying on that money."
Just over a month later, someone took out cash advances on Jedy Huang's BMO credit card, transferred the money to his bank account, then e-transferred $7,400 out of the account, according to bank statements.
"This is a huge amount of money," Huang said. "It's [put a] very, very terrible burden on my family."
The two cases, which are among what experts say is a rising number of e-transfer fraud issues, illustrate how difficult it is for customers to prove that a breach wasn't their fault when their own login information and IP address are used to fraudulently access an online account.
While Wang and Huang aren't sure how the accounts were accessed, they say BMO could have done more to spot and alert them about the suspicious activity. The men, who want the bank to reverse the e-transfers, are sharing their experiences in an effort to warn others about the potential security risks of online banking.
"My mom trusted the Bank of Montreal. She put the money in [the bank] and it's shocking," said Wang, who is handling the issue for his mother due to her age and a language barrier.
In Huang's case, he's stuck with a credit card bill he can't pay, plus interest.
"I don't have that much money at this moment," he said. "I checked my credit scores and they went from very high to very low because I couldn't pay off the credit bill."
BMO didn't answer specific questions from CBC News, citing customer privacy, but in an emailed statement, a spokesperson said that "protecting customers' accounts and their personal information is our primary focus."
Bank ombudsman says e-transfer complaints growing
Wang filed a report with Canada's Ombudsman for Banking Services and Investments (OBSI). It says e-transfer complaints, especially relating to fraud, are a growing concern.
OBSI, which is funded by banks and investment firms, received 36 e-transfer complaints in 2021. The majority were related to fraud, which made up seven per cent of opened complaint cases that year. In the two years prior, e-transfer complaints represented just two per cent of opened cases, OBSI spokesperson Mark Wright said.
Wright said e-transfer complaints are typically difficult cases because it's hard to track down the fraudster.
"In most of these cases, we are not able to make a compensation recommendation in favour of the consumer because our investigations show the bank would not have reasonably been expected to prevent the fraud," he said, adding there are times banks have been found to be in the wrong because they could have prevented the loss.
Wang also filed a report with Toronto police and said he was told the file was being transferred to the RCMP in Burnaby, B.C., as investigators believe the person who took the money may have opened a bank account in Burnaby.
Toronto police wouldn't provide details to CBC News but did say it's an active investigation.
Customers want better security from BMO
Both Wang and Huang detailed a similar situation: They didn't notice the nefarious activity until a few days after it happened, then immediately contacted BMO and were told an investigation would be launched.
After several months, the bank told them it wouldn't return the money because their accounts were logged into using the correct password and security question and that the IP address — a series of numbers connected to a device on a network — that was linked to the activity matched their own.
But Wang and Huang are adamant that their devices are secure — they had their computers scanned for viruses and malware and found nothing, and they didn't share their passwords.
"They say it's my fault," Huang said. "BMO refused my explanation that I did not leak my username and password. Even my wife doesn't know this information."
Huang said he rarely uses the BMO credit card that was accessed because he keeps it for emergencies only. He said the bank should have noticed the four cash advances taken out on the card, followed by the money being e-transferred out of his bank account — all within a few days — and notified him.
Wang said his mom didn't receive the email alerting a customer that an e-transfer was accepted.
While Huang received an email alert from the bank, it wasn't sent to the email address associated with his bank account.
Additionally, Huang had signed up for alerts whenever there's a withdrawal over $10, something BMO recommends, but he said he didn't receive any alerts.
"Someone must know how to circumvent these methods to commit the fraud," he said.
Both Huang and Wang say they'd like to see, for example, two-factor authentication added automatically to customers' accounts, instead of giving them the option.
Security expert's tips to protect online accounts
Privacy and security expert Ross Saunders said there are several ways an online bank account can be accessed. The director of privacy and security at Bamboo Data Consulting in Toronto said the most common ways are when email addresses are compromised and through phishing scams — emails that look like they are from a bank that ask the recipient to log in to their account.
"You're not actually logging into the banking platform. You're logging into someone else's platform and they're just capturing that data," he said.
Saunders said Wang and Huang's cases are more unique because the bank said the activity matched their IP addresses. While people can "spoof" an IP address, he said, it's more likely someone gained remote access to their computers.
"[Remote access] is truly a scary sort of approach because then it's not just your banking that's exposed, it's everything that you've got on there."
Tips from Saunders to protect online accounts include:
Identify phishing emails by grammar and spelling mistakes.
Use different passwords for different accounts.
Don't click on links or install software you don't recognize.
Enable two-factor authentication.
Don't choose security questions someone could find online (e.g., where did you go to high school?).
BMO says protecting customer accounts is joint effort
In its statement, BMO said while it takes measures to protect customers' accounts, it's a joint effort. The bank said customers should keep their password confidential, ensure only their fingerprints and facial ID are stored on their phone and notify the bank within 24 hours if their cards or online banking device, such as a phone or laptop, is stolen or passwords compromised.
But both Wang and Huang said none of those tips would have made a difference in their cases and that they're ready to close their BMO accounts after this experience.
"There's other banks ... which would make me more comfortable," Huang said.