The New Jersey borough of Palisades Park and its bank, Mariner's Bank, had a long-standing procedure for handling transfer orders:
Before a transfer could occur, the borough would fax a wire request to the bank on borough letterhead with the tax collector's stamp and signature. The fax would identify the account to be debited, the beneficiary's information, the dollar amount and a description of the transfer.
The bank would then return an "outgoing wire transfer request" form to the borough for completion, according to the suit, and the borough would fax the completed form back to the bank. The bank would then confirm the wire transfer through a phone call, and after completion the bank would return a transfer confirmation to the borough.
(Palisades Park, Mariner's Bank settle over breach that drained $500K from borough accounts, NorthJersey.com, 2 Dec 2021)
Evidently, this procedure was secure enough to work for a decade:
"Throughout its decade-long relationship with the Bank, the Borough does not recall ever initiating an outgoing bank-to-bank transfer that did not follow this procedure," the lawsuit says.
The article does not explain how this procedure was circumvented or abused, but the end result was that:
Between Jan. 19 and Jan. 24, 2019, four unauthorized automated clearinghouse payment orders [totaling $498,000] were made from the borough's account through the bank's online banking system and went undetected for nearly a week.
The article concludes that the borough, the bank, and the insurance company have now reached a settlement, the details of which are undisclosed.