Businesses beware: Business email compromise liability
While ransomware attacks usually grab the headlines, one of the more troubling trends in the ever-evolving e-commerce world is the rise in business email compromise (BEC) attacks, which continue to cause massive financial losses for businesses. BEC is an exploit in which an attacker obtains access to a business email account and imitates the owner’s identity in order to defraud the company and its employees, customers or partners. Often, an attacker will create an account with an email address almost identical to one on the corporate network, relying on the assumed trust between the victim and their email account.
Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms.
BECs typically involve social engineering techniques, such as domain spoofing, in order to obtain credentials for a corporate email account. Once inside the email account, attackers typically search for correspondence regarding financial transactions and trick victims into transferring funds to an attacker-controlled bank account instead of the account of the legitimate recipient. A common type of BEC involves an attacker posing as a company’s vendor and emailing “updated” bank account details for electronic wire payment of the vendor’s invoices.
Data from the FBI Internet Crime Complaint Center indicates that reported BEC scam losses are up nearly 58% since 2020. In 2023, total BEC losses by victims amounted to a staggering $2,946,830,270 (up from a mere $1,866,642,107 in 2020).
After a BEC event occurs, the question of liability inevitably presents itself: who is responsible for replacing unrecoverable funds that were fraudulently directed to an account used by an attacker? Is it the company whose systems were hacked, allowing the attacker to pose as a legitimate vendor? Or is it the company that was misled and initiated the payment to the attacker-controlled account? What about the financial institution that allowed the transaction to occur?
Overall, case precedent evaluating BEC liability remains sparse and relatively unsettled. Some courts have found the sender liable if it was negligent in maintaining its email accounts or knew about “red flags” alerting it to fraud and failed to notify the other party to the transaction. Other courts have found that the recipient of the fraudulent wire instructions is liable for failing to verify the instruction’s validity, especially in situations where conflicting emails were sent over a short period of time or where the nature of the wire information and/or emails should have raised suspicion. Other courts still have found the financial institution at fault for accepting the incoming funds when it “knew” that the intended payee was different from the designated accountholder.
In evaluating BEC liability, courts typically apply one of three general frameworks: (1) the Uniform Commercial Code “Imposter Rule” (exercising ordinary care); (2) agency principles; or (3) breach of contract principles.
The majority of courts apply what is known as the “imposter rule,” which stems from Uniform Commercial Code principles governing negotiable instruments. (UCC §3-404). The presumption is that the party who was in the best position to prevent the fraud should bear the responsibility. Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, 759 Fed. Appx. 348 (6th Cir. 2018). Courts have also asked which party had the “last clear chance” to prevent the loss. Determining which party was in the best position to prevent the fraud is a fact-intensive inquiry, in which courts consider the following:
- Whether each party exercised “ordinary care” given the circumstances is a critical factor. Whether a party ignored red flags strongly influences case outcomes. Red flags may include odd syntax or wording in the fraudulent email, a request by an unknown or unexpected individual, a request that is out of context for the transaction, or a failed transfer to a new bank. It is also relevant whether a party followed its own protocols for certifying transfers;
- Whether there were protocols in place to protect against breach;
- Whether there had been a breach in the past and, if so, whether notice was provided to the recipient of these prior instances;
- The fact that a party’s email system was compromised is relevant to, but not dispositive of, the responsibility determination. The duty to ensure that one’s email system is not hacked is not a duty commercial parties owe to one another, and the courts recognize that sophisticated hackers are sometimes successful despite ordinary care. Compare Deutsche Bank Nat’l Trust Co. v. Buck, 2019 U.S. Dist. LEXIS 54774, 2019 WL 1440280 (E.D. Va. March 29, 2019) (no general common law duty to protect an individual's private information from an electronic data breach) and 2 Hail, Inc. v. Beaver Builders, LLC, 2017 Colo. Dist. LEXIS 1294 (D. Colo. November 29, 2017) (finding no legal theory applicable to allocate responsibility based on relative fault and imposing liability on the party whose payment was misdirected). However, if a party’s email system was compromised because it did not have in place or follow reasonable security measures, it likely will be found not to have exercised ordinary care;
- Once a party has notice from an odd email or other anomaly that a hacker may be targeting a transaction, it likely has a duty to investigate and to warn all counterparties to any prospective transfers. Bile v. RREMC, LLC, No. 3:15cv051, 2016 WL 4487864 (E.D. Va. Aug. 24, 2016);
- Whether the recipient did anything to try to authenticate the changed wiring instructions;
- Whether the recipient received conflicting emails with varying wiring instructions over a relatively short period of time;
- The nature of the fraudulent wiring instructions; courts are more inclined to conclude that instructions to wire money to a foreign bank account and/or to an unknown beneficiary should have raised the recipient’s skepticism; and
- The nature of the fraudulent email(s) (i.e., was the email address identical to the sender’s authentic email, or did the fraudster use a similar, but not identical, email address with minor changes that could have been detected? Did the email(s) use the true sender’s typical grammar, phrasing, and jargon, or were there changes and inaccuracies that should have raised suspicion?);
- Some courts have concluded that whichever party was in the best position to prevent the fraud bears 100% of the loss. Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915, 920 (D. Nev. 2020). Other courts have suggested that a jury may apportion a percentage of liability to both parties based on their respective degrees of fault. Beau Townsend, 759 F. App’x at 357; Peeples v. Carolina Container, LLC, 4:19-CV-21-MLB, 2021 WL 4224009, *4–*8 (N.D. Ga. Sept. 16, 2021).
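Several of the factors above (a similar-but-not-identical sender address, changed bank details, a foreign or unknown beneficiary, and conflicting instructions arriving within a short period) are mechanically checkable before a payment is released. The following Python script is an added example, not code from the article or from any of the parties it discusses; it assumes a hypothetical vendor master record (vendor domain `acme-supply.example`, its known contacts, its bank country and the last four digits of its account) and represents inbound payment-instruction emails as simple dicts. The sample traffic at the bottom is constructed: a genuine invoice followed two days later by an "updated bank details" message from a lookalike domain.

```python
from datetime import datetime, timedelta

# Constructed vendor master record (hypothetical vendor, domain and account).
VENDOR_MASTER = {
    "acme-supply.example": {
        "contacts": {"ap@acme-supply.example", "j.doe@acme-supply.example"},
        "bank_country": "US",
        "account_last4": "1234",
    },
}

# Two emails about the same vendor within this window that carry different
# account details count as "conflicting instructions" (chosen threshold).
CONFLICT_WINDOW = timedelta(days=14)
MAX_LOOKALIKE_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str):
    """Return the genuine vendor domain this domain imitates, if any."""
    for known in VENDOR_MASTER:
        d = edit_distance(domain, known)
        if 0 < d <= MAX_LOOKALIKE_DISTANCE:
            return known
    return None


def score_email(email: dict, history: list) -> list:
    """Return the red flags raised by one inbound payment-instruction email.

    email: {"from", "received" (datetime), "vendor" (claimed vendor domain),
            "account_last4", "bank_country"}; history holds earlier emails.
    """
    flags = []
    sender = email["from"].lower()
    sender_domain = domain_of(sender)
    vendor = email["vendor"]
    master = VENDOR_MASTER.get(vendor)
    if master is None:
        return ["unknown_vendor"]

    # Sender checks: exact vendor domain but unknown mailbox, a lookalike
    # domain (one or two character edits away), or an unrelated domain.
    if sender_domain != vendor and lookalike_domain(sender_domain) == vendor:
        flags.append("lookalike_sender_domain")
    elif sender_domain == vendor and sender not in master["contacts"]:
        flags.append("unknown_sender_at_vendor")
    elif sender_domain != vendor:
        flags.append("sender_domain_mismatch")

    # Beneficiary checks against the vendor master record.
    if email["account_last4"] != master["account_last4"]:
        flags.append("changed_bank_details")
    if email["bank_country"] != master["bank_country"]:
        flags.append("foreign_bank")

    # Conflicting instructions for the same vendor inside the window.
    for earlier in history:
        if (earlier["vendor"] == vendor
                and earlier["account_last4"] != email["account_last4"]
                and abs(email["received"] - earlier["received"]) <= CONFLICT_WINDOW):
            flags.append("conflicting_instructions")
            break
    return flags


def triage(emails: list) -> list:
    """Score each email against the emails received before it."""
    return [score_email(email, emails[:i]) for i, email in enumerate(emails)]


# Constructed sample traffic: a genuine invoice, then an "updated bank
# details" message from a lookalike domain (capital I for lowercase l).
SAMPLE_EMAILS = [
    {"from": "j.doe@acme-supply.example", "received": datetime(2024, 3, 1, 9, 0),
     "vendor": "acme-supply.example", "account_last4": "1234", "bank_country": "US"},
    {"from": "j.doe@acme-suppIy.example", "received": datetime(2024, 3, 3, 16, 30),
     "vendor": "acme-supply.example", "account_last4": "9876", "bank_country": "HU"},
]

if __name__ == "__main__":
    for email, flags in zip(SAMPLE_EMAILS, triage(SAMPLE_EMAILS)):
        verdict = "HOLD; confirm by phone on a known number" if flags else "no flags"
        print(f"{email['from']}: {verdict} {flags}")
```

Any non-empty flag list is a hold, not a verdict on the sender: the point of the check is to force the out-of-band verification step (a call to a number already on file) that the courts in the cases above faulted the paying party for skipping.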
In Arrow Truck Sales Inc. v. Top Quality Truck & Equipment Inc., (M.D. Fla. 2015), Arrow unknowingly paid a hacker after receiving one invoice from the hacker and one from its actual counterparty, Top Quality. Arrow did not inquire before paying the hacker. Arrow sued, claiming it was not obligated to pay again because the loss stemmed from Top Quality’s lack of reasonable security. Top Quality brought a breach of contract counterclaim against Arrow for failure to pay.
The judge in the Arrow case cited the UCC’s “imposter rule” (§3-404), which provides that a party whose failure to exercise ordinary care substantially contributes to a loss may be held responsible for that loss. Rejecting Arrow’s contention that it “was not [its] business to question the information” in the invoice, the court held that “[the payor] should have exercised reasonable care after receiving conflicting e-mails containing conflicting wire instructions by calling [the payee] to confirm or verify the correct wire instructions.”
The U.S. Court of Appeals for the Sixth Circuit took a similar approach in Beau Townsend Ford Lincoln Inc. v. Don Hinds Ford Inc. (6th Cir. 2018). The trial court, finding that a contract existed between the parties and that the defendant-buyer’s payment had gone to the hacker, granted summary judgment on a breach of contract claim against the defendant. However, the Sixth Circuit reversed and remanded, holding that the determining factor is “whether either [party’s] failure to exercise ordinary care contributed to the hacker’s success,” which may result in apportioning the loss by comparative fault. The parties ultimately settled.
In the most recent case, Studco Building Systems US LLC v. 1st Advantage Federal Credit Union, No. 2:20-cv-00417 (E.D. Va. Jan. 12, 2023) (slip op.), as the result of a business email compromise, funds intended for one of Studco’s vendors were fraudulently transferred to an attacker-controlled account held at 1st Advantage, a credit union, through a series of transactions. Studco argued that under UCC Article 4A, as enacted in Virginia and 48 other states, 1st Advantage was not permitted to accept the incoming funds because it “knew” that the intended payee was different from the designated accountholder. The court agreed and on January 12, 2023, after a bench trial, awarded Studco damages in the full amount of the diverted payments (approximately $559,000) along with attorney’s fees and costs.
When a BEC event occurs, McDonald Hopkins Litigation and Data Privacy attorneys, who have extensive experience responding to BEC and other cybersecurity threats, can assist clients in minimizing the harm and, if necessary, litigating the resulting disputes. McDonald Hopkins attorneys have also had success tracing and recovering misdirected funds through quick reporting and investigative and law enforcement contacts.