BEC Losses: Who’s Cheatin’ Who, Who’s Being True, and Who Will End Up Paying In the End?[1]
Business Email Compromise (BEC) and Email Account Compromise (EAC) cases continue to rack up large losses for businesses around the globe. The FBI estimates that there were $1.7B in losses due to BEC fraud in 2019. And the losses have been climbing steadily over the last several years.
BEC fraud most commonly results from the compromise of an email account. The fraudster tricks the user into providing the username and password for the account. Once the account is compromised, the fraudster uses it to send further spoofed emails in an effort to eventually compromise the account of someone responsible for either sending or receiving wire transfers. Once such an account is compromised, the fraudster uses it to trick email recipients into sending money to a different account and absconds with the money.
The fraud leaves the two parties with a claim against each other – the payor has paid for services or goods rendered, but the payment went to the fraudster; while the payee has provided services or goods but has not received a payment. The question becomes, who is responsible for the loss?
In Arrow Truck Sales Inc. v. Top Quality Truck & Equipment Inc.[2], Arrow paid money for the purchase of 12 trucks. The salesman for Top Quality and the buyer for Arrow negotiated a price of $570,000. Unbeknownst to either, both of their email accounts had been compromised. The fraudster then sent an email to Arrow asking to have the wire payment sent to a different bank account, one controlled by the fraudster. Both parties admitted that the new bank account was different from the bank account in the prior emails. The court, while holding for Top Quality, stated:
“Simply put, [Arrow] should have exercised reasonable care after receiving conflicting e-mails containing conflicting wire instructions by calling [Top Quality] to confirm or verify the correct wire instructions prior to sending the $570,000. As such, Arrow should suffer the loss associated with the fraud.”[3]
Although the judge noted that both parties had their email accounts compromised, the court held that neither party was negligent in their manner of maintaining their email accounts. The court then discussed their relative due diligence and duty of ordinary care in terms of the “imposter rule” under the UCC. The imposter rule allows the court to determine liability based on which party is in the best position to prevent the forgery by exercising reasonable care.[4]
The Arrow case was discussed at length by the court in Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc.[5] In Townsend, Don Hinds Ford had agreed to purchase approximately $736,225 worth of Ford Explorers. Beau Townsend Ford Lincoln’s email had been hacked, however, and the request for the wire transfer of the money was changed by the hacker to an alternate bank account.
In the Townsend case, the court discussed the issue of fault based on the trial court’s finding for the plaintiff. The trial court stated that “[i]t was not Beau Townsend that instructed Don Hinds to send funds to ‘K.B. KEY LOGISTICS, L.L.C.’ in Missouri City, Texas.”[6] But the appellate court opined that in order to determine who was in the best position to prevent the fraud, the trial court must conduct a trial to determine the facts based on the case and determine to what degree, if any, each party is responsible. The appellate court stated:
“[I]f principles taken from UCC Article 3 are applied, the court would have to determine whether either Beau Townsend’s or Don Hinds’ failure to exercise ordinary care contributed to the hacker’s success, and would then have to apportion the loss according to their comparative fault.”[7]
A trial on the negligence of both parties as to the loss would allow the court to determine if a company with a hacked email account is primarily at fault, or whether the payor who paid the money based on an email without further confirmation or due diligence would be primarily at fault.
A number of other courts have considered the imposter rule in non-BEC-related cases. Based on the reasoning in those cases and the types of issues in BEC cases, the following types of circumstances may be considered by the courts in determining fault:
- The normal course of business for the companies or the industry;
- Prior dealings between the companies, e.g., had the companies only dealt in written checks prior to the incident;
- Whose accounts were hacked;
- Contributory actions, e.g., forwarding a hacked email or deleting an email known to be fraudulent without notifying the other party;
- Common cybersecurity techniques, e.g., multi-factor authentication;
- Company IT and security policies, e.g., whether the actions were in breach of the company’s own IT and security policies;
- Prior red flags of suspicious activity; and
- Whether a contract or an agreement had actually been reached.
While there is no clear-cut rule for apportioning liability based on current case law, businesses should continue to exercise care and implement proper processes and procedures for initiating and confirming wire transfers to reduce the risk of bearing the liability for a fraud.
[1] With all due respect to Alan Jackson
[2] Case No. 8:14-cv-2052-T-30TGW, 2015 WL 4936272 (M.D. Fla. Aug. 18, 2015)
[3] Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., Case No. 8:14-cv-2052-T-30TGW, at 13 (M.D. Fla. Aug. 18, 2015)
[4] See, e.g., Nebraska Uniform Commercial Code § 3-404(d), comment #3: “The drawer is in the best position to avoid the fraud and thus should take the loss.”; see also State Sec. Check Cashing, Inc. v. Am. Gen. Fin. Servs., 972 A.2d 882 (Md. App. 2009).
[5] Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., Case No. 17-4177 (6th Cir. Nov. 27, 2018)
[6] Id. at 18.
[7] Id. at 15.