News

Who is Legally Responsible for a Wire Transfer When A Hacker Sent the Instructions?

June 13, 2023
CMcDowell Article Graphic

In the ever-evolving cat-and-mouse game of computer scams, the latest iteration may be the most sophisticated and nefarious. According to the FBI, Americans lost $10.3 billion to internet fraud in 2022. An increasing percentage of that loss arises from what law enforcement calls business email compromise (BEC) or email account compromise (EAC) fraud. In these schemes, a third-party hacker sends an email message that appears to come from a known source making a legitimate request, tricking the target into sending money by wire transfer to the hacker’s bank account.

Often, this is done because a vendor or subcontractor’s email and computer systems have been compromised. A hacker gains entry into the company’s email and patiently monitors communications until a legitimate invoice goes out. The hacker then follows up the authentic billing request with an email of his own informing the payor that the company has changed banks and that the invoice needs to be paid via new wire instructions. The request appears authentic because the false wire instructions come from the victim’s actual email, which the hacker has hijacked.

If the payor confirms the instructions to the company’s email, the hacker intercepts the confirmation email from the compromised account and confirms the bogus instructions. BEC schemes have several variations, including one where a transactional attorney’s email is compromised, and the hacker sends false wire instructions from the lawyer’s email to one of the parties in a real estate or business transaction. The result can be the same in all of these cases: a large sum of money is erroneously wired to a fake bank account, the hackers quickly remove and convert it into bitcoin, and the money vanishes. The question then becomes: who is left holding the proverbial bag and out the money—the business that wired the funds or the company that was hacked? The answer may be surprising.

At first blush, it may seem that the company or individual whose email was compromised should be responsible. After all, that person must have done something wrong that enabled the hacker to slip past security and gain control of their email. Interestingly, however, courts are deciding in favor of the business that never received its money and against the entity that wired the money—this is not to say that the person or entity that was hacked can never be held responsible, just that most courts are siding in their favor. Cases holding the payor responsible are based on either basic contract law or a new judicially created concept known as the “Imposter Rule.”

Examples

Under fundamental contract law, the entity that sent the money to the wrong account may be in breach of contract. The case of Peeples v. Carolina Container, LLC, No. 4:19-CV-21-MLB, 2021 U.S. Dist. LEXIS 176076, at *1 (N.D. Ga. Sept. 16, 2021), illustrates how contract law applies to this situation. The Peeples case arose from a botched wire transfer. Carolina Container was supposed to wire $1.71 million to Peeples but ended up wiring that money to a crook who hacked into the email account of Peeples’s attorney and used his account to send fraudulent payment instructions to Carolina. After Carolina refused to pay the money to the appropriate party, Peeples sued. Peeples argued that Carolina breached the contract because it did not pay per the contract terms. Carolina asserted that it was not in breach because “it ‘performed its obligation to wire the [money] according to written instructions it received from [Peeples’s lawyer’s] email account.’” Id. at *7. Applying basic contract law, the court determined that Carolina breached the contract and was responsible for paying Peeples the money, plus interest, costs, and fees.

Some courts are reluctant to apply contract law to BEC situations because of the harsh result. These courts apply the “Imposter Rule” embodied in UCC 3-404, which by its terms, applies only to negotiable instruments, not wire payments. Nonetheless, it is increasingly being applied to wrongfully sent wire transfers from fraudulent emails. The new rule generally provides that if an imposter “induces the issuer of an instrument to issue the instrument to the imposter by impersonating the payee, endorsement of the instrument discharges a payor in good faith of its obligation.” This may sound good for the payor; however, the rule further provides that if the payor or payee “fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to the loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.”

Following this doctrine, courts have held that the party most responsible for causing the payment to be misdirected must bear the loss irrespective of the contract’s terms. While the Imposter Rule provides the payor an opportunity to escape liability under the written agreement, the result is often the same.

Determining which party was in the best position to prevent the misdirection of the funds and is liable involves a thorough, fact-specific analysis. The leading case in this area is Arrow Truck Sales v. Top Quality Truck & Equip., Inc., No. 8:14-cv-2052-T-30TGW, 2015 U.S. Dist. LEXIS 108823, at *1 (M.D. Fla. Aug. 18, 2015,). In Arrow, the parties exchanged numerous emails negotiating the purchase of twelve trucks for $570,000. One of those emails contained wiring instructions used in previous transactions between the parties.

During the parties’ negotiations, a third party hacked into the email accounts of both buyer and seller, creating new email accounts that were almost identical to the actual accounts. Eventually, the third-party hacker used the seller’s email account to email the buyer new wiring instructions. The updated instructions specified an out-of-state bank and a different beneficiary, though the seller was listed somewhere on the instructions. The buyer followed the “updated” instructions and unknowingly wired the $570,000 to the hacker. The seller never received the money and refused to deliver the trucks to the buyer. The buyer filed suit against the seller for breach of contract.

Applying the UCC’s Imposter Rule analysis, the Arrow court determined that the buyer had “more opportunity and was in the better position to discover the fraudulent behavior based on the timing of the emails and the fact that the fraudulent wiring instructions involved a different beneficiary, different bank, different location, and different account information from the previous wiring instructions.” 2015 U.S. Dist. LEXIS 108823, at *11.

Furthermore, given that the buyer had received conflicting emails containing two sets of wiring instructions—one legitimate and one fraudulent—he should have confirmed the information with the seller before wiring any funds. Therefore, the court concluded that the buyer was responsible for the loss because he was in the best position to prevent the loss. A similar holding can be found in Parmer v. United Bank, Inc., No. 20-0013, 2020 W. Va. LEXIS 828, at *17 (Dec. 7, 2020) (“[H]ad Ms. Parmer or her counsel exercised reasonable care and verified the wire transfer instructions . . . , the loss could have been averted . . . Ms. Parmer must bear this loss”).

When applying the Imposter Rule, there are several factors that courts frequently focus on 1) was the bogus wire instruction contrary to previous instructions; 2) was the new wire instruction sending the money to an account in a third party’s name; 3) was the new account out of the state or country; and, most importantly, 4) did the payor contact the customer via telephone to verify the new wire instructions. Because the company whose computers have been hacked has no way of knowing it is under attack from a wrong-doer, courts feel that the entity wiring the funds is in the best position to prevent fraud by exercising ordinary care to avoid fraud.

The best way to avoid liability in a false wire transfer scheme is to avoid being a victim in the first place. Fortunately, there are several simple things businesses can do to prevent a BEC wire transfer scheme:

  1. A BEC scheme almost always starts with an employee (or lawyer) clicking on a phishing email that allowed the hacker access to the business’s email systems. Proper training of everyone who has access to the company’s email system is essential to preventing fraud of all types;
  2. Along the same lines, companies should use multi-factor authentication and change passwords regularly;
  3. Do not use email for wire instructions, but if you must:
    • Use email encryption or fax the instructions;
    • Always call and confirm the wiring instructions are trustworthy by using a known and independently obtained phone number of the sender–do not use the contact information listed in the current instructions or in the email with the transfer request, and do not confirm only via email;
    • Be suspicious of all changes to wiring instructions. This is doubly true if it routes payment through a different bank or a bank in a state or country different than where the vendor is located;
    • Carefully inspect the email address and contact information of the sender of the wire instructions–watch out for subtle changes in address (disguising a lowercase “i” with a lower case “l” or transposing digits in phone numbers);
  4. Pay attention to stilted or incorrect grammar, inappropriate capitalizations, incorrect punctuation, and spelling errors in email communications;
  5. Consider having “Cyber” insurance coverage to cover losses from transfers made using fraudulent transfer instructions;
  6. Immediately contact the FBI’s Internet Crime Complaint Center (IC3) and the institution receiving the wired funds if you believe you have been the victim of a BEC or similar scam. If the fraud is detected quickly enough (within a few hours), the FBI or the bank may be able to recover the funds.

If you have questions about internet fraud or cybersecurity, contact Christopher McDowell at 513.629.9489 or crmcdowell@strausstroy.com.