Sunova Credit Union customers to pay $1K deductible after falling victim to Google ad phishing scam
Fraudsters stole $3K from 48 victims who clicked on fake Sunova website
A couple from Lac du Bonnet, Man., says if Sunova Credit Union had notified customers about a Google ad phishing scam when it was first discovered, they wouldn't be out nearly $3,000.
Instead, Lisa Rand and Kerry Mitchell say they were told in order to get part of their money back, they'll have to pay Sunova's $1,000 insurance deductible.
"They were negligent in not … notifying their members right away," said Rand. "They should have done it immediately."
Fraudsters stole nearly $3,000 — the maximum amount allowed for an e-transfer payment — from 48 Sunova customer accounts, using an ad on Google designed to look like Sunova's real site and glean users' banking information if they clicked on it and tried to log in.
"I had no clue it was an ad. I had no clue it was a fake site. It said Sunova Credit Union, online banking, 2 Park Ave., Lac Du Bonnet, and I clicked on it," said Rand.
She logged into her account in late July to check the balance before an upcoming camping trip. The money was transferred out of her account on Aug. 12, and she did not realize it until the following day.
CBC News spoke to five victims of the scam, who say they learned what happened when they got an email notifying them an e-transfer they never sent had been accepted.
"I said, 'How can that be possible?' I don't even know this person, nor did I approve any e-transfer, especially not for an amount like that," said JoAnne Nelson, who was defrauded on Aug. 4.
Nelson, who lives in Oakbank, logged into a seldom-used Sunova savings account in late July. She works part-time as a dog trainer and was hit particularly hard when the coronavirus forced her to stop working.
"That's my emergency fund. That was money that my dad gave me when he passed away," she said. "And purse strings have been pretty tight around here lately."
Fake ad mimicked Sunova's website
Fraudsters created a fake ad made to look exactly like Sunova Credit Union's online banking website, which appeared at the top of Google's search results page when the victims searched for Sunova.
Not realizing the ad was a fake, the victims clicked on it and entered their login credentials. The fraudsters recorded their information, then transferred the victims to the actual Sunova website to complete their banking, without the victims knowing it had happened.
Rand and Mitchell say Sunova knew about the phishing scam as early as July 28 but didn't post a warning on the main page of their website until Aug. 19 — a week after they lost $2,950.
The credit union told her the ad was up from July 24 to 28, Rand said.
"We accept responsibility for clicking on the wrong site. We can't hold that against Sunova at all," said Mitchell. "But do some due diligence and just try and let your members know so that we don't all go through this."
Sunova thought threat was contained
Leanna Beasant, Sunova's vice president and chief financial officer, said the credit union learned of the fake ad in July and immediately contacted Google to remove it.
"We acted as soon as we could. We did our best," she said.
At that point, Beasant said, no money had been stolen, so Sunova thought the threat had been contained, not realizing the fraudsters had already collected dozens of usernames and passwords.
"We weren't really aware of what was going on until we started to hear from members.… That's when you kind of start to put the pieces together," said Beasant.
She says calls started coming in around Aug. 4, as customers discovered thousands had been drained from their bank accounts. Beasant says Sunova's security systems were not compromised and there were many unknowns at the time.
"My heart goes out to people that have been scammed in this way. Of course it does," said Beasant.
"But at the end of the day, we do our due diligence. We did our best under the circumstances."
Sunova says the fraudsters logged into 48 accounts. The credit union was able to get back about 30 per cent of the stolen money before it was gone for good.
Beasant says that's because some of the victims had text alerts set up on their accounts to notify them of certain activity. That enabled those victims to contact Sunova right away, she said, and the credit union was able to intercept the e-transfer before the fraudsters got it.
"They saw it straight away and it's in those opportunities that we're able to stop things," she said.
RCMP are investigating reports from more than 25 victims in Lac du Bonnet, Beausejour, Pinawa, and Oakbank.
Victims asked to sign release, pay deductible
Nelson says she contacted Sunova the day she learned about the e-transfer. She was told to change her passwords, clear the history off her devices and wait for further information.
She was eventually told to come into the Oakbank office, where she was informed she would be getting her money back — if she signed a release and paid a $1,000 deductible.
"And I said, 'Per person? You mean every single member who's had money taken has to pay $1,000?' And [the representative] said yes," Nelson said. "I started to cry at that point, and then I said, 'I just don't understand.… I caught it the day it happened.'
"They said it was not their fault, their system was not compromised."
Rand and Mitchell say the branch manager in Lac du Bonnet told them the same thing.
"They just don't care. They want their $1,000 deductible, and that's it," said Rand.
Beasant says while Sunova is not to blame for its customers' financial losses, it's working with its insurance company to reimburse some of the stolen money.
"If we're not successful in getting the money from the other FI (financial institution), then we're taking the insurance route, recognizing it wasn't our systems that were hacked in any way," she said.
"So they'll refund us back, less the deductible, and it is the deductible that we're passing along to the members. So it's not a fee."
Sunova post doesn't mention victims
Beasant says the credit union is constantly trying to educate members about online dangers, because if not this scam, they could fall victim to another.
"If you just be too specific, sometimes people can only be looking for that, and then they'll say, 'Well, why didn't you tell us about this?'" she said.
She says Sunova will look at the process it used to handle the scam.
"I'm sure we could do better. We will strive to," said Beasant.
However, if members want to recoup some of their losses, Sunova says they will have to pay the deductible.
That doesn't sit well with Nelson, Rand or Mitchell.
"They have a slogan it says on their building, 'Where relationships matter most,'" Rand said. "And I don't feel our relationship matters at all to them right now."