For Jennifer and Mike Kallio, it’s hard to say which was the greater shock: being defrauded of $106,000 from their account at Umpqua Bank, or what they call the uncaring stonewalling they’ve experienced at every level of the bank since then.
Jennifer Kallio owns Dryside Property Realty. Together, Mike and Jennifer own the new Honky Tonk Bar and Restaurant. Both businesses are here in Goldendale.
In November a hacker got into their online banking account. The Kallios say the hacker used a “foreign” IP address, recorded at first entry and shown in a report they obtained. (An IP address is the unique numeric identifier of a specific computer.) Once in, according to the Kallios, the hacker “mimicked” the Kallios’ real IP address to make it look as if new transactions were coming from them. Then the hacker moved funds from different accounts of the Kallios into a single one, in order to amass a larger sum of money. Then, in two transactions on November 4 and 5, the funds in that larger account were whisked away to an account at JP Morgan Chase in Detroit.
Umpqua Bank says the process the Kallios describe is not what happened. The bank states there was no “foreign” IP address used to access their account and that no mimicking of their actual IP address occurred. They say the wire transfers were sent because the Kallios, based on established security protocols, authorized it from their own IP address—something that could happen only because the hacker apparently had access to the Kallios’ computer. “The Kallios are ultimately responsible for their own computer security,” a bank spokesman said. “The attempted access from [a different] IP address… was in fact flagged for review by our system, and access was denied, as it should have been. The subsequent movement of funds from the Kallios’ account occurred from [the Kallios’] IP address, which indicates an intrusion of the Kallios’ system, not Umpqua’s.”
However it happened, though they didn’t state it this bluntly, Umpqua Bank essentially says the Kallios will never see that money again from Umpqua coffers. The bank’s position is that it cannot take responsibility for security breaches on customers’ computers.
“On Tuesday, November 9, I was going through the drive-through at Umpqua to make a deposit,” Jennifer recalls. “And when I get handed the receipt with my balance on it, there’s virtually no money in my account. At the time I think it’s odd, but there’s several cars behind me in line. I don’t want to hold up the line; I pull forward and I think, well, it must have been deposited accidentally in one of our other accounts, but when I go to leave the bank—nope, it is my Dryside Property account. So I think, what in the hell? I beat feet home, get on my laptop, and sure enough, I have zero money in my account.”
The horror story was just beginning. “I discover that on November 4 they’ve sent a wire out of my Dryside Property account to the tune of $65,000 that I did not authorize. Then it gets better.” Jennifer saw in her online banking that another outside access to her account had been made on November 5. “I never got an email notification, never got an account notice, no text message, nothing. I start looking at our online banking to discover, not only did they send the large wire of $65,000 out of my Dryside account, they moved money from our three other checking accounts. They moved all the money over from those accounts into my Dryside Property account.”
That same day, November 5, the fraudster moved another $41,000 out of that account.
“Did we know where it was sent to? Yep.” The receiving bank information was recorded in the transaction. “So we go into the bank, and Ashley [Brewster], the assistant manager who handed me my receipt that day at the drive-up window on the 9th, says, ‘Yeah, I thought it was kind of odd, too.’ Nobody picked up the phone and called me that any of this activity was going on. I never got a notice to my email or to my phone via text message that any of this was going on.”
Umpqua says it did send notice. “The Kallios did in fact receive email alerts both regarding the account change and the initial wire,” a spokesman says. “Our systems track every alert and report that information clearly.” Jennifer says she never saw such an email, and she regularly checks her spam basket. “I would definitely have noticed that,” she says.
The Kallios were among the latest targets in a rash of recent bank wire fraud attacks focused particularly on real estate companies, according to legal and real estate websites dealing with the issue.
Jennifer talked with Branch Manager Barbara Cosner. “She sends a spreadsheet that says, ‘Oh, from the time you called in and reported the fraud to the time that we arrived at the bank, they had pulled some activity, and somebody had hacked your accounts with a different IP address,’” Jennifer recalls of the conversation.
Jennifer shows the same spreadsheet print-out she obtained of her bank records around the days of the fraud. It shows a new IP address suddenly appearing on the 4th, after pages of nothing but the Kallios’ normal IP address. It then shows the contact phone number changed—critically important because transfers, like most bank processes, are typically set up to use two- or three-point verification, in which a text or email is sent to the account owner requesting them to confirm the desired bank activity. In this case, a confirmation text would have been sent to the new, unauthorized phone number belonging to the fraudster. The person receiving the text could then confirm the transfer.
The number used—(770) 906-0385—is shown as a Gainesville, Georgia, number belonging to a Michael E., though funds were diverted to a Detroit bank. There are indications the phone number has ties to a Chinese source.
Jennifer says she is extremely conscious of fraud and necessary security procedures. “I certainly didn’t schedule all of my money that I ever earned to come out of these accounts,” she says. “For God’s sakes, we get fraud notices from the title company that wire fraud is a real thing. We never give out our personal information. I am a daughter of a police officer, a longtime police officer. I’m married to the undersheriff, for God’s sakes.” Mike was Klickitat County undersheriff until his recent retirement. “You don’t give out your personal information any way or shape or form. Long story short, they’re like, ‘Well, we’re going to have to shut all of your banking down, your online access, because we don’t know how this happened.’”
And they suggested the Kallios have their computer forensically examined to determine if the hack might have occurred on their side. They did. The report showed no traces of a hack, no virus, no malware.
The Kallios climbed up a step on the Umpqua corporate ladder, speaking next to Cosner’s boss.
“He comes after us with, ‘It’s your computer, for this to happen,’” Jennifer says. “He’s just putting the blame, with no substantiation, on us, just, ‘There’s no way our banking system got hacked.’ And then he kind of chuckles, he’s like, ‘Do you think it would only be a few thousand? If our system got hacked, there’s millions of dollars available.’ He chuckles, and we’re thinking, ‘This is not small potatoes for us.’”
The Kallios asked about getting their money reimbursed, wondering if the Federal Deposit Insurance Corporation (FDIC) would get their funds back. Cosner told them the FDIC did not cover wire fraud.
“Their wire departments [at Umpqua] who approve wires are supposed to be trained in cyber fraud and things of that nature,” Jennifer says. “If you have suspicious activity on an account where a phone number is changed to a 770 area code, when we both have 509 area codes. And then there’s large wires sent out the same day to random places that we’ve never sent money to before. This should have triggered something. It should have triggered something. Nobody checked anything. They just sent more than a hundred thousand dollars out of our account.”
The Kallios climbed another corporate rung, speaking with Umpqua Regional Manger Terri Browning. They say Browning told them they were at fault for doing online banking. “You approved the transfers,” they say Browning told them. “No, of course we didn’t,” they responded.
“You just sent us a letter about this,” Jennifer told Browning. “Why didn’t you call us? We have been sweating this and we’re financially devastated, and you’re sending me a letter. You can’t even pick up the phone and call me, or have Barbara call me?’ She blamed it on me. ‘Well, you said you didn’t want to hear anything but good news.’”
Next stop was the Goldendale Police Department, who then referred it to the FBI. The Kallios authorized all parties at Umpqua to share information with the agency. A spokesperson for the Bureau states they cannot comment on the matter at this time.
The Kallios asked to speak with the fraud investigator for Umpqua Bank. They say they were told the bank fraud investigator does not speak with fraud victims.
Both Umpqua and Columbia banks were contacted for comment, in light of the impending merger of the two slated for later this year. A spokesperson for Columbia Bank declined comment, stating the two banks currently are still wholly separate entities.
Kurt Heath is the Umpqua vice president of corporate communications and PR. Asked five specific questions about the matter, Heath’s initial response was a cursory, general statement warning of the dangers of online fraud, without addressing any of the actual questions. They were presented to him again with the request they be answered specifically. A week later, he responded with detailed, though still not entirely specific, answers. The questions and answers were:
Does Umpqua insist that a breach of its computers is entirely impossible?
“Umpqua has extremely strong customer safeguards and protections in place. We treat each and every instance of account fraud with great seriousness and conduct a thorough investigation to determine exactly how the fraud took place. We’ve done so in this situation, and it’s clear that none of the bank’s systems or protocols were breached. Fraud of this magnitude is incredibly unfortunate, and Umpqua is working closely with law enforcement to do all we can to help recover information and funds… Unfortunately, fraudsters are using more and more sophisticated means of accessing people’s financial information and accounts. It’s no longer focused on accessing bank systems, which have significant safeguards and protections, but too often now includes gaining access to an unsecured device that’s been authorized by a customer. Though we cannot discuss the specifics of this case, in general, once a customer has saved authentication data on an unsecured device while conducting financial transactions, that device is then a potential target for fraudulent activity. Devices at risk include computers, phones, tablets or other electronic devices with an internet browser or banking application. We strongly encourage customers to not save authentication data on unsecured computers.”
Why didn’t personnel at Umpqua notify the Kallios when they themselves acknowledged as “strange” transactions involving large sums of money that were not normally done?
“Umpqua has sophisticated systems that automatically flag changes and send alerts to customers when significant changes are made to an account, and those protocols worked as intended in this case… Both people and businesses occasionally move sums of money beyond the normal day-to-day activity to purchase equipment, property, or other assets. It’s also not uncommon that different IP addresses are represented on an account, and slight changes to a predominant address may appear for an authorized device for a variety of reasons, including how and when a user connects to their internet service provider or when using a different port connected to the same router. For the team tasked with reviewing alerts, these things alone wouldn’t necessarily raise red flags, particularly if a transaction originates from the IP address associated with typical account activity, as in the Kallio’s case, and also because the safeguards customers set up are designed to promote flexibility in transacting business.” This response came before Umpqua’s later assertion that the Kallios were notified.
Banks usually have a banker’s blanket bond. The Kallios are very concerned about recovering their lost $106,000. Does Umpqua have and intend to use such a bond to recover their losses?
“Umpqua is deeply committed to supporting our customers, and we have a strong track record of taking action when we have a clear responsibility to do so. In this case, careful investigation has shown that Umpqua’s systems and teams functioned as intended. However, we have and will continue to work closely with law enforcement and the other bank involved to do all we can to help the Kallios recover their funds.”
Does Umpqua have comment on the Kallios’ assertion that they have been treated very poorly, even disparagingly, by Umpqua management?
“We have had a good working relationship with the Kallios since they became a customer and sincerely hope that continues into the future. This is an extremely difficult and trying situation, and they’re understandably upset and concerned. Throughout this incident, our goal has been to support them to the best of our ability, and our team has worked hard to be supportive and understanding. We regret that they feel otherwise and will review all engagements with them to understand their concerns and identify opportunities where we can improve. Moving forward, we’re committed to supporting them through any formal investigation into what happened and, if possible, to helping them recoup any financial loss.”
Is Umpqua attempting to avoid potential liability for this loss by sidestepping the question of whether or not it could be at fault?
“Absolutely not. We are committed to working with customers through difficult situations and will continue to do so. It’s incredibly difficult and upsetting to be the victim of fraud. As stated above, our thorough investigation has shown that our systems and teams functioned as intended.”
On January 2, Jennifer Kallio responded to these answers from Heath. “Umpqua has been difficult to deal with from the very beginning at every level of management, not only stonewalling us with information on our own case but law enforcement as well,” she stated. “Umpqua implies that we fell for a scam or that we had unsecured devices/computer. For the record, we never received a phone call from a scammer asking us to initiate a wire or answered any random text messages, or ever gave out our personal information. We never fell for a scam. Also, our computer was forensically checked, and the hack did not come from our side.
“Umpqua Bank would like the public to believe that they have safeguards in place to protect their customers, but they clearly do not. We were not only a victim once, but twice, on two different days whereby Umpqua Bank sent money out of our accounts completely unauthorized by us. We never received a text message, phone call, or email from Umpqua that information was changed in our account profile and/or confirming if the wires should be sent, despite the totality of event activity in our accounts which certainly should have been a red flag to Umpqua. They continue to blame us for using their own online banking system.
“Initially on November 9, after we discovered the fraud, Umpqua Bank gave us a detailed report outlining the chronological order of events and activity that occurred in our checking accounts. Recently, on December 29, Umpqua has not only changed but also omitted pertinent information which now differs substantially from the November 9 report we received from them.
“To date, Umpqua Bank has stated that they will not be refunding our money.”
Further Umpqua statements
The December 29 document Jennifer speaks of was a fax from local branch Assistant Manager Ashley Brewster. It states both fraud transfers occurred on the same day, November 4; in fact, they occurred on the 4th and the 5th. It also states the transfers went through on the Kallios’ normal, authorized IP address. Umpqua says the discrepancy in dates was just a mistyping.
“I did not even have $106,000 in my Dryside Property account on November 4,” Jennifer states in response to Brewster’s fax. “Umpqua has obviously omitted this info in this letter to me about the transfer of the other funds out of our other three checking accounts that happened on the 5th, in order to gather enough money to send the second wire, which actually happened on November 5. They also have obviously omitted the earlier activity on my account, which also happened on November 4, of the random IP address entering my account and mimicking my usual IP address in order to login and add their 770 phone number to my account. Umpqua Bank stated in this letter that it was all done under my usual IP address; they left out the fact that the initial entry into my account was done under a different IP address.”
Upmqua says this account is mistaken. “Actually, the documentation clearly shows that the IP address you reference did not successfully login into the Kallios’ account…,” they say. “An additional authentication step was required, and that action was never successfully performed.”
The Kallios say their distress is more than just about the lost money. They add they feel emotionally abandoned by the bank, which they’d entrusted with a lifetime of work and earnings.
“The only thing we did wrong is deposit money in their bank,” Jennifer says.
Some of this information came late Tuesday. There will be follow-up stories forthcoming.
Wednesday, January 5, 2022: This story is updated to correct an impression that Umpqua might have told the Kallios they would not see their money again. The current iteration clarifies that Umpqua will not return the Kallios’ funds from its own resources.