Inside a $1.5M Social Engineering Heist

Jun 2, 2026

A New York insurance agency says one phone call that looked like it came from Citibank’s real customer service number ended with more than $1.5 million gone in five unauthorized ACH withdrawals. The caller claimed to be from Citi and allegedly walked the agency through each step, turning what should have been routine security checks into a social engineering script. 

The agency is now suing Citibank, arguing the bank’s security procedures weren’t “commercially reasonable” and that these transfers were never truly authorized. The lawsuit also claims Citi reversed provisional credits and closed its investigation, leaving the business to eat the loss. It all comes as big banks face growing pressure over how they prevent fraud and handle reimbursement when customers are scammed. The bank’s position is that this was “voluntary parting” by the business: because the agency voluntarily provided its access token, this is a case of social engineering and not theft without knowledge or consent.

For finance and insurance firms, the takeaway is simple: you cannot rely on caller ID, a familiar brand name, or your bank’s fraud team to protect every transaction. When a criminal controls the conversation, they can often bend your controls to their will. That is why independent verification (using known-good contacts, separate channels, and clear approval workflows) must sit right next to the payment itself, not as an afterthought. 

Conduit is designed to eliminate that vulnerability. It provides a structured way for your team to verify counterparties, approvals, and account changes outside of email, phone, and chat, removing the need to rely on instinct for high-stakes decisions. In an environment where a single convincing interaction can empty an account within hours, you need controls that establish trust before funds are moved.