Burgoon: Next steps for victims of business email compromise scams
Posted
Taylor Burgoon
Photo courtesy of Fennemore
By Taylor Burgoon | Fennemore Business Litigation Practice Group
Recently, more companies have fallen victim to what is known as “business email compromise” (BEC) scams. The Federal Bureau of Investigation defines a business email compromise scam as a sophisticated email fraud scheme through which a fraudster contacts businesses and individuals to unlawfully obtain money.
The common fact pattern is this: A fraudster hacks into an entity’s email system and sends new wiring instructions to a payor. The payor, thinking the payee sent the new instructions, complies with them and unknowingly wires its payment to the fraudster. Eventually, the parties realize what happened. The payee, of course, wants its payment. The payor, however, obviously does not want to pay a second time.
What can be done, if anything, to recover the stolen funds? And, if the funds are not recovered, who will be left to bear the loss?
Although this continues to be a developing area of law, most courts that have encountered this issue have applied the “imposter rule,” which imposes liability on the party that was in the best position to prevent the fraud. Although each case is different, below are some of the factors the courts will weigh to determine the party in the best position to have prevented the fraud and thus, bear the responsibility.
• Whose system was hacked? Did that entity have adequate firewalls, employee training and other protocols in place to protect their system from hackers? Had this entity been hacked in the past? If so, did they notify the other party of this?
• Did the payor take steps to try to authenticate the changed wiring instructions?
• Did the payor receive conflicting emails with different payment instructions over a relatively short period of time?
• Did the new wiring instructions include unusual information that should have raised suspicion, such as instructing the payor to wire the funds to a foreign bank account where the entities do not operate or listing the account beneficiary as someone other than the payee?
• Was the email address identical to the seller’s authentic email, or did the fraudster use a similar, but not identical, email address with minor changes that could have been detected?
• Did the email(s) use the true seller’s typical grammar, phrasing and jargon, or were there changes and inaccuracies that should have raised suspicion?
A minority of courts have declined to apply the imposter rule and have, instead, relied on basic breach of contract principles. These courts have held that the payor must bear the loss because it failed to remit the payment to the proper party and, thus, owes that money to the payee regardless of the fraudulent third-party hacker.
As can be seen, this is a fact-intensive inquiry and, as such it is important to consult with an attorney knowledgeable in this area of the law.
There are other avenues to look to if your company unfortunately falls victim to one of these advanced scams.
Step 1: Notify the appropriate authorities
Report the fraud to the local police in the city and/or county where the receiving (fraudster’s) bank is located. In addition, if the amount stolen is $1,000,000 or more, you should report it to the FBI through its Internet Crime Complaint Center: https://www.ic3.gov/.
Step 2: Check for insurance coverage
Both the payor and payee should review their insurance policy to determine whether there is coverage for this type of loss. Courts, including the Ninth Circuit, have construed policies covering computer fraud, funds transfer fraud, and other similar provisions as providing coverage for BEC scam losses. It is recommended to have a lawyer review your policy for potential coverage and not solely rely on your insurance adjuster’s position about whether there is coverage.
Step 3: Reach out to the receiving bank
Consult with an attorney about going after the bank that received the unauthorized wire transfers or wire transfers sent in response to fraudulent instructions. However, absent special duties imposed by statute (such as U.C.C. §3-404), courts have generally held that banks do not owe a duty of care to non-customers. As such, it is unlikely you will have a successful claim against the receiving bank unless you can establish that the bank had actual knowledge of and participated in the fraudulent scheme.
Although it is a high bar to be able to hold the receiving bank liable, the parties should certainly reach out to the bank to try to get as much information as possible about the fraudulent account. Some jurisdictions have held that banks have an obligation to assist in the investigation after fraud has been detected.
Ultimately, this is a truly unfortunate situation that no company should ever have to deal with. Understanding the common fact patterns, the red flags to be wary of, and the various frameworks courts have applied will help position your business to avoid BEC scam liability.
Editor’s note: Taylor Burgoon works in the Business Litigation Practice Group at Fennemore, where she handles various complex litigation matters. She has previously written about business email scam liability here. Reader reactions, pro or con, are welcomed at AzOpinions@iniusa.org.