The finance chief at Fortelus Capital Management LLP got an alarming phone call just as he was getting ready to leave work on a Friday.
The caller said he was from Coutts, the London-based hedge fund’s bank, and warned there may have been fraudulent activity on the account. Fortelus Chief Financial Officer Thomas Meston was reluctant, but agreed to use the bank’s smart card security system to generate codes for the caller to cancel 15 suspicious payments. He hung up just after 6 p.m., according to court filings.
When Meston logged on to the firm’s online bank account the following Monday, he saw that 742,668 pounds ($1.2 million) was gone. Coutts, a unit of Royal Bank of Scotland Group Plc, had no record of the Friday phone call. Meston had been conned.
Meston was terminated by Fortelus and is now being sued by the fund, which says he breached his duty to protect its assets. Details of the phone conversation, which took place in December 2013, were described in documents from the firm’s London lawsuit. Meston denies he was negligent and says he acted honestly, according to his court documents in the case.
The incident shows how even the most sophisticated online security systems can fail because of human error. Firms too often see cyber security as a technical issue and don’t recognize the risk of employees being targeted, the Bank of England said in a report last week that called cyber crime a growing threat to financial stability.
“People are always the weakest link,” said Jason Ferdinand, a director at Coventry University who runs the U.K.’s first cyber security MBA course. Employees “often assume that they do not have to think about security because a machine or software is doing it for them.”
Fortelus lawyer Daniel Astaire said no client funds were affected by the breach, and the firm reported it to the police, who are investigating. Fortelus has “strong internal policies against fraud prevention” and this was “an isolated incident,” he said in an e-mail.
Fortelus Capital Management in June 2014 switched its registration to the U.S and no longer has any investment activities in the U.K., Astaire said.
Simon Goldring, a lawyer for Meston, declined to immediately comment.