The collection letter sent to Cadenza Music in St. Paul resembled what shows up in your mailbox when you forget to pay a phone or electric bill. Except for the amount.

“Dear Nancy Vernon. This is final notice and demand for payment of your $40,091.92 debt to Intuit.”

Vernon owns Cadenza Music with her husband, Eugene Monnig. The store supplies school bands and retail customers, repairs instruments and offers lessons at its 149 N. Snelling Av. storefront location.

“$40,000 is a lot of money,” Vernon said. “That’s a lot of piano lessons.”

Cadenza Music’s tussle with Intuit holds many lessons of its own — mostly about the perils of phishing scams and the hard question of who pays when fraudsters steal.

Phishing is the effort to trick individuals and businesses into giving up personal and financial information. Phishing e-mails arrive in inboxes by the millions, often with alarming subject lines saying your bank account has been hacked. Most estimates put the annual losses from phishing scams in the billions.

Cadenza Music was hit by an especially insidious attack called “spear phishing,” in which these scammers gather some information about their targets to make their deceptions more convincing.

It all started with an e-mail Vernon received Oct. 20. It purported to be from Intuit, the company Cadenza Music used to handle online payments. It claimed there had been a “payment processing error” and directed Vernon to enter in her Intuit account credentials.

She followed those directions, but a short time after she entered the last four digits of her Social Security number, she realized she had made a mistake. Too late.

Within an hour, she was talking to Intuit about freezing the account. “While I was on the phone with Intuit, I received a phone call from a man in New York,” she said. He wanted to know: “Who are you and why did you charge my credit card for $19,000?”

A woman, also on the East Coast, called with the same question.

These were big charges for a store whose typical charges are about a hundred bucks. Intuit secured the account, but not before those fraudulent charges directed the $40,000 into the thief’s temporary bank account, Vernon said.

Vernon said she was told for weeks not to worry about the charges, though she never received anything in writing from Intuit saying that. Instead, in January, the bills began to arrive.

Vernon acknowledged that the store’s contract with the company gives Cadenza the responsibility for paying up if someone gets ahold of their credentials. But she argues Intuit dropped the ball by failing to stop the scammers sooner: Cadenza’s account with Intuit is supposed to have a monthly transactions limit of $10,000.

“If Intuit had enforced the contractual limits, these fraudulent transactions would have been prevented, and you would not be demanding $40,000 from me and my company,” she wrote in a Feb. 2 letter to Intuit.

Intuit described a somewhat different sequence of events, but did not address Vernon’s specific complaints.

“In October 2015, Intuit proactively reached out to the impacted customer after identifying potentially suspicious account activity,” Steve Sharpe, Senior Public Relations Manager at Intuit, said in a statement. “Intuit continues to work with the customer to resolve this issue.”

“At Intuit, safeguarding the privacy and security of our customers’ data is job one.”

With 2015 revenue of more than $4 billion, Intuit is best known for its QuickBooks and TurboTax software. Based in Mountain View, Calif., the software behemoth is a constant target of these kinds of attacks. It issues multiple security alerts about phishing e-mails every day.

Vernon has reported the fraud to the St. Paul police, but she does not expect its investigators to track down the thieves. A $40,000 payout would not sink Cadenza Music, but she and Monnig think it would not be right.

“I still dream of not having to write that check,” Monnig said.

 

Contact James Eli Shiffer at james.shiffer@startribune.com or 612-673-4116.