Beware Of Business E-mail Compromise (“BEC”) Schemes – Criminal Law

Popular media tends to depict cybercriminals as skillful hackers
who infiltrate a target’s computer system to steal sensitive
data and money from the target’s bank accounts. The reality is
that cybercriminals are increasingly relying on simple deception to
steal money and data from targets, in so-called BEC schemes. The
Federal Bureau of Investigation Internet Crime Complaint Center
(“IC3”) stated in its 2020 Internet Crime Report
that in 2020 alone, the IC3 received 19,369 complaints of BEC
fraud, with $1.8 billion of adjusted losses attributed to BEC
fraud. In comparison, the IC3’s report stated that ransomware
attacks in 2020 accounted for only $29 million in
losses.   

BEC schemes typically involve two parties who conduct business
primarily over e-mail, and a fraudulent third party who, usually
through a phishing e-mail sent to a company employee or other
fraudulent means, gains access to one party’s e-mail account
and is able to surreptitiously monitor the e-mail traffic between
the two business parties. When the e-mail traffic indicates that
the time has come for payment to be made on an invoice or a
settlement payment, usually via wire transfer or ACH, the
fraudulent third party inserts itself into the conversation by
impersonating the payee party’s personnel with an e-mail
account from a fake domain made to resemble the payee’s
legitimate e-mail address. The third party sends an e-mail to the
payor claiming that its bank information has changed, and then
provides payment instructions to a new bank account controlled by
the third party. The payor, seeing that the new bank information
appears to come from the person with whom it has been communicating
all along, usually does not think twice about sending the money to
the new bank account. By the time the parties discover that the
payment was sent to the wrong bank, the third party has likely
disappeared with the money and it is often too late for the sending
or receiving banks to freeze or recover the funds.

When the innocent parties in a BEC scheme resort to litigation
over the unpaid obligation, courts have turned to traditional UCC
negotiable instrument principles under UCC Sections 3-404(d) and
3-406 discussing “imposters” and forged instruments to
determine who bears the loss. In Arrow Truck Sales, Inc.
v. Top Quality Truck & Equip., Inc., Case No.
8:14-cv-2052-T-30TGW (M.D. Fla. Aug. 18, 2015), a Middle District
of Florida case involving a BEC scheme that diverted the payor
plaintiff’s payments totaling $570,000 for trucks purchased
from the payee defendant to a fraudulent third-party’s account,
the court applied the “imposter” rule from UCC Section
3-404(d), which provides that the party that was in the best
position to prevent the fraud by using reasonable care and that
fails to exercise such care bears the loss. The court in Arrow
Truck Sales determined that the payee did not negligently
handle its e-mail account to allow the third party access to commit
the fraud, and found that in fact both parties’ e-mail accounts
were hacked and it was not possible to tell which party had been
compromised first or how it occurred. The court then found that the
plaintiff, upon receiving conflicting payment instructions, should
have exercised reasonable care by calling the defendant to confirm
the correct instructions before sending payment. Because the
plaintiff failed to call the defendant first before sending payment
to the fraudulent third party, the court held the plaintiff
responsible for the loss associated with the fraud. Similarly, in
Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc.,
759 F. App’x 348 (6th Cir. 2018), a BEC case in which the
payor’s payment meant for the payee was redirected to a
fraudulent third party, the Sixth Circuit adopted the approach
taken in Arrow Truck Sales and ruled that a trial was
necessary to determine which party was in the best position to
prevent the fraud, with the trial court apportioning the loss based
on comparative fault principles. More recent cases in other
jurisdictions have applied the “imposter” rule in similar
BEC situations. See Jetcrete N. Am. LP v. Austin Truck &
Equip., Ltd., 484 F. Supp. 3d 915 (D. Nev. 2020) (rejecting
the argument that the payee whose e-mail account was hacked in BEC
scheme was liable for resulting losses, and holding that the payor
was in the best position to avoid the loss by verifying conflicting
payment instructions with the payee by phone and should therefore
bear the loss); Parmer v. United Bank, No. 20-0013 (W. Va.
Dec. 7, 2020) (holding that the payor of misdirected funds in a BEC
scheme did not exercise reasonable care by failing to verify
payment information with the payee before sending funds, and
therefore must bear the loss).  

In light of the recent caselaw involving BEC schemes, it is
apparent that courts, recognizing that even well-implemented IT
security measures cannot completely eliminate the risk of e-mail
compromise, are placing less emphasis on which party was initially
compromised and are instead placing responsibility on the party in
the best position to avoid the loss. In most cases, the party in
the best position to avoid the loss is the payor that has received
conflicting payment instructions from the fraudulent third party
and can resolve the issue by making a simple phone call to the
payee to confirm the correct information before sending funds.
Accordingly, businesses are strongly urged to implement protocols
and educate their customers to protect themselves by emphasizing
that any apparent changes in payment information must first be
confirmed by a phone call using a trusted phone number before any
payments are made. This low-tech method of phone verification is
the best line of defense against what has become an inescapable
risk of doing business in today’s high-tech environment. If you
have questions about BEC schemes or would like further information
on how to protect your business against such schemes, please
contact your Masuda Funai relationship attorney for a consultation.
 

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.