(Bloomberg) — The finance chief at Fortelus Capital Management LLP got an alarming phone call just as he was getting ready to leave work on a Friday.
The caller said he was from Coutts, the London-based hedge fund’s bank, and warned there may have been fraudulent activity on the account. Fortelus Chief Financial Officer Thomas Meston was reluctant, but agreed to use the bank’s smart card security system to generate codes for the caller to cancel 15 suspicious payments. He hung up just after 6 p.m., according to court filings.
When Meston logged on to the firm’s online bank account the following Monday, he saw that 742,668 pounds ($1.2 million) was gone. Coutts, a unit of Royal Bank of Scotland Group Plc, had no record of the Friday phone call. Meston had been conned.
Meston was terminated by Fortelus and is now being sued by the fund, which says he breached his duty to protect its assets. Details of the phone conversation, which took place in December 2013, were described in documents from the firm’s London lawsuit. Meston denies he was negligent and says he acted honestly, according to his court documents in the case.
The incident shows how even the most sophisticated online security systems can fail because of human error. Firms too often see cyber security as a technical issue and don’t recognize the risk of employees being targeted, the Bank of England said in a report last week that called cyber crime a growing threat to financial stability.
“People are always the weakest link,” said Jason Ferdinand, a director at Coventry University who runs the U.K.’s first cyber security MBA course. Employees “often assume that they do not have to think about security because a machine or software is doing it for them.”
Fortelus lawyer Daniel Astaire said no client funds were affected by the breach, and the firm reported it to the police, who are investigating. Fortelus has “strong internal policies against fraud prevention” and this was “an isolated incident,” he said in an email.
Fortelus Capital Management in June 2014 switched its registration to the U.S. and no longer has any investment activities in the U.K., Astaire said.
Simon Goldring, a lawyer for Meston, declined to immediately comment.
Meston “believed that he was preventing a fraud from being carried out against the claimants, and this belief was reasonable,” his lawyers said in court filings. They said he’s not personally responsible for the firm’s assets and that Coutts should have to repay Fortelus.
Friday afternoon scam
Hedge funds are not the only victims of a “Friday afternoon scam.” Zurich Insurance Group AG warned in May that law firms were targeted by fraudsters impersonating bank staff who asked for access to accounts, often late on a Friday.
The frauds cost firms and their insurers an estimated 5 million pounds over three months this year, Zurich said.
The theft was carried out by an “unknown third party,” Fortelus said in court documents. The caller identified himself as “Simon Hughes” from the Coutts Online Fraud Response team and transfers were made to accounts under names including EE Traders, AA Ltd., MK Trader, P Plumbers and LLM Client Account, according to court filings.
Meston says that as part of his termination agreement with the fund, he has already agreed to give up salary and bonus payments worth 136,600 pounds. That includes three months he worked without pay, or about 25,000 pounds, as well as 95,000 pounds in cash and deferred bonuses that he surrendered.
Jo Thorne, a spokeswoman for Coutts, declined to comment.
“This story is sad because it may well have been an honest mistake, but because of the technological advances made in finance, where the majority of their business is digital, significant losses can happen very quickly,” said Ferdinand.
The case is Fortelus Capital Management LLP & Anr v. Mr. Thomas Meston, High Court of Justice, Queen’s Bench Division, HQ15P02169
–With assistance from Jeremy Hodges and Will Wainewright in London.