Internet-based frauds, schemes, scams, and all sorts of mean, nasty, ugly things are risks organizations must prepare for. One scheme that has been the subject of litigation recently is commonly known as a “business email compromise scheme.” In a typical scheme, some malefactor gains access to the email account of an employee or officer at a target organization. The fraudster then uses the account to send payment instructions to a customer or other person that owes the target money, who then directs payment to the fraudster’s account instead of the target’s. Sometimes the fraudster gains access to email accounts linked to the payor, in addition to the payee, making the legerdemain even more convincing or delaying the victims’ realization that something’s wrong. Once in possession of the funds, the fraudster removes the money to a foreign jurisdiction where U.S. law enforcement has little chance of clawing it back.
Unless completely covered by insurance, the victims have to decide who bears the cost. Finger pointing ensues. Most victims, through some combination of insurance, negotiation, settlement, or just eating the loss, have avoided going to court to decide who’s responsible for the purloined funds. However, there have been several cases over the past few years that shed light on how courts are likely to allocate responsibility in the event the parties cannot come to an amicable agreement.
Principles
A loss attributable to fraud will generally be borne by the party in the best position to have prevented it. If wire instructions are suspicious, courts may hold the party who followed them responsible. Alternatively, the party whose email was hacked may be in the best position to prevent the fraud, especially if their email was hacked by virtue of some internal negligence. A court in this situation must determine whose “failure to exercise ordinary care contributed to the hacker’s success,” and apportion the loss accordingly.
In the event a party receives conflicting information about where to direct payment, it is incumbent upon that party to verify, preferably verbally, which set of instructions is accurate. This is especially true where the instructions are in close proximity, such as related to the same transaction. It is also especially true where the conflicting instructions are dramatically different, such as directing funds to a different state, different bank, or to an account in the name of a different person.
It has also been found that failure to notify business counterparts of an attempted fraud, even one that appears to have been thwarted, may constitute lack of ordinary care. By not alerting the other party to the first hack attempt, you may be depriving them of an opportunity to guard against subsequent attempts to penetrate the same system or to target the same transaction. If your organization is subject to an attempted hack, you should consider notifying other participants in any subject transaction.
Finally, courts consider whether a business email compromise scheme victim followed “basic cybersecurity precautions.” This means, at the very least, following any written or otherwise established cybersecurity protocols your organization has in place. If your organization has such policies (and it should), it is important to make sure your employees adhere to them, lest a judge come to hold it against you.
Factors
In sum, the issue of liability for the loss will likely be determined based on whose “failure to exercise ordinary care” most contributed to the hacker’s success. Courts will apportion the loss according to each party’s comparative fault. The factors courts are using to make this allocation appear to be:
- Whose email was hacked;
- Whether anyone knew of the attempted fraud while there was time to stop it;
- Whether anyone disregarded internal procedures in a way that enabled the fraud;
- Whether the payment redirection was inherently suspicious, for an unusual amount, or to an unusual destination; and
- Whether the payor received conflicting information that would have caused a reasonable actor to verify.
Conclusion
Having a contract in place with counterparts that addresses the situation can help protect a business in the event it or a counterpart falls victim to a business email compromise scheme. Even more fundamentally, organizations should review their internal payment policies and those of partners to ensure everyone is following all reasonable security best practices. Please feel free to reach out to attorneys Justin Furry or Christopher Baiamonte at the Wladis Law Firm at (315) 445-1700 if your organization has been the victim of a business email compromise scheme or if you have questions regarding anything in this article.
Christopher J. Baiamonte
Mr. Baiamonte concentrates his practice primarily on civil litigation. He counsels individual, corporate, and municipal clients on resolving disputes ranging from environmental liability to shareholders’ rights to creditor–debtor suits. He also works with clients to navigate various state and federal regulations relating to areas such as environmental protection, employment, and civil rights.