Cyber theft in Udon Thani drains 2.4 million baht from firm
A significant cyber theft incident involving a mobile banking app has emerged, affecting an accountancy firm in Udon Thani. The firm found its bank accounts emptied of 2.4 million baht across three banks, and the lack of notification about these transactions has raised serious concerns.
Ornanong Boonto, managing director of a company in Moomon, Mueang district, shared her experience to alert others with bank accounts and those using mobile applications for transactions. She highlighted the risk of cybercriminals syphoning money unnoticed, as was the case with her personal and company bank accounts.
Despite the seriousness of the situation, the banks involved failed to provide robust security measures or adequate guidance, prompting Ornanong to report the issue to the Udon Thani Police Station. The police admitted this method of theft was new to them.
Ornanong explained that she and her company have active accounts with five banks, using mobile applications for various transactions. On December 22, one of the bank accounts, identified as Bank A, was locked, preventing any transactions. Following the standard unlocking procedure through the bank’s official number, normal access was restored.
However, it later transpired that funds from Bank A had been transferred out in four transactions, each worth 49,999 baht (US$1,460), totalling 199,999 baht (US$5,855). Similarly, Bank B saw an identical pattern, with four transactions of 49,999 baht each.
The most severe loss occurred with Bank C, where 40 transactions of 49,999 baht (US$1,460) each were made, reaching a staggering sum of 1,999,999 baht (US$58,545). Notably, none of these banks notified Aranong via email about the transactions, while two other banks registered no such activity.
Cyber theft
When Ornanong approached the banks, Banks A and B suggested filing a complaint using their forms, acknowledging unusual transaction patterns and stopping a fifth transfer attempt as per the Bank of Thailand’s regulations. Bank C, which witnessed the highest loss, failed to issue any email alerts and allowed continuous transfers until police intervention.
Bank C’s staff provided no guidance on the issue, refused to answer questions, or accept any documents, citing bank orders, a clear evasion of responsibility. Ornanong stated that if the bank continued refusing her documents, she would send them via post, determined to follow through the necessary procedures.
She further elaborated on the complexities involved in managing a corporate account, requiring official documents, seals, and authorised signatures for any changes or statement requests. The ease with which money was transferred every 30 seconds, totalling 40 times, contradicted the central bank’s regulations.
Following the incident, the bank was uncommunicative, failing to uphold its duty of providing secure, reliable service to its customers. Ornanong emphasised that in business, basic responsibility is owed to clients to maintain trust.
The funds in Bank C were crucial for the company’s operations, including employee salaries and client tax payments, especially with the year-end approaching. The financial strain also impacted bonuses, prompting Aranong to appeal for the bank to return the stolen funds before the new year, as the emptied accounts could not cover salaries.
Later that day, at 4pm, Ornanong and the company’s advisor met with police officer Kitipoom Akkhavitayanukul at Udon Thani Police Station to submit additional documents accusing Banks A, B, and C of failing to notify them of the transactions via email as previously agreed, reported KhaoSod.
The accusation extended to Bank C not adhering to the Bank of Thailand’s fraud management policies dated March 29, 2023, particularly the requirement for identity verification for transactions exceeding 200,000 baht (US$5,855).
