Insurance agency sues Citibank over alleged $1.5 million social engineering theft

A single call from Citibank's own number allegedly set off unauthorized transfers

By Tez Romero

A New York insurance agency is suing Citibank over $1.5 million allegedly stolen through a social engineering scheme.

Inter-Insurance Agency Services Ltd., a property and casualty agency with offices in Manhattan and Jericho, New York, filed suit against Citibank, N.A. on April 15, 2026, in the US District Court for the Southern District of New York. The agency, founded in 1992, alleges the bank failed to stop - and later failed to make good on - five unauthorized ACH withdrawals totaling $1,540,000.

The lawsuit paints a troubling picture of how quickly things unraveled. On April 17, 2025, the agency's chairman, Timothy Derham, received a call from someone claiming to be a Citibank representative named "Thomas Grant." According to the filing, the call came from Citibank's publicly listed customer service number. The caller allegedly knew internal account details - including the names of account signatories and that the agency's HR manager, Cornelia Senti, held "Level 6 Administrator" status. He convinced Senti to fill out a form sent via text message, which she submitted twice while still on the phone.

That evening, according to the lawsuit, Senti checked the accounts and found five large ACH withdrawals she had not authorized - three totaling $430,000 submitted at 6:10 p.m. Eastern and two more totaling $1,110,000 submitted at 8:50 p.m., after Citibank's own stated processing cutoff of 8:15 p.m.

What followed, according to the filing, was a frantic effort to reach the bank. Agency staff placed multiple calls to Citibank that night, only to be told the fraud department was closed and to try again at 7:00 a.m. the next morning. The bank processed all five transactions on April 18 regardless.

Citibank initially reversed the debits that same day. But the lawsuit alleges the bank then changed course. On April 24, it allegedly pulled $740,000 from an agency account that had not even been touched by the fraud, and another $1,005,000 from one of the compromised accounts - 27 separate withdrawals in all, none of which the agency had approved. By May 20, Citibank informed the agency its fraud investigation was closed, stating "there are no further funds to recover."

The agency is seeking damages under New York's Uniform Commercial Code, arguing the transactions were never authorized and that the bank's security procedures fell short of what the law requires. A separate claim accuses Citibank of improperly taking the agency's funds when it reversed its own provisional credits without permission.

For insurance agency owners and operations teams, the case is a pointed reminder that operating accounts remain a soft target. The lawsuit describes a fraudster who appeared to have detailed knowledge of the agency's banking setup - enough to spoof a phone number, reference internal credentials, and walk an employee through a security token reset in real time.

No determination has been made on the merits. The case is in its earliest stages.
