BUSINESS EMAIL COMPROMISE SCAMS: WHEN THE FRAUDSTER HAS FLED, WHO’S STUCK HOLDING THE BAG?

In the technological world we live in today, fraudsters have developed new ways to effectuate scams. The Federal Bureau of Investigation defines a business email compromise scam, also known as a “BEC scam,” as a sophisticated email fraud scheme through which a fraudster contacts businesses and individuals to unlawfully obtain money. Although this is still a developing area of law, more and more courts have been tasked with analyzing the issues that arise from BEC scams and have begun to develop frameworks to assign and allocate liability. Understanding these frameworks is crucial to best protect yourself and your business from liability should you fall victim to one of these increasingly common BEC scams.

The typical overarching fact pattern is this: A purchaser of a good or service sends a wire transfer to the wrong bank account based on fraudulent wiring instructions sent via email from a fraudster pretending to be the seller. By the time the parties discover what happened, the fraudster is long gone with the money. The real seller, whose email system was hacked, demands to be paid. The purchaser, who was duped by the fraudster, refuses to pay a second time. Who prevails?

The Hacked vs. The Defrauded

Although a growing area of law, the case law evaluating BEC scam liability remains sparse. Courts that have analyzed this issue have typically applied one of three general frameworks:  (1) the Uniform Commercial Code “imposter rule,” (2) breach of contract principles, or (3) agency principles.

Imposter Rule. The majority of courts that have analyzed this issue have applied what is known as the “imposter rule,” which stems from Uniform Commercial Code principles governing negotiable instruments.[1] Under this rule, the party that was in the best position to prevent the fraud bears the loss. Determining which party was in the best position to prevent the fraud is a fact-intensive inquiry. Although each case is different, there are common factors that can tip the scale one way or the other:

  • Whether the seller had any protocols in place to protect their email system from being susceptible to hacking;
  • Whether the seller’s email system had ever been hacked in the past and, if so, whether the seller notified the buyer of these prior instances;
  • Whether the buyer did anything to try to authenticate the changed wiring instructions;
  • Whether the buyer received conflicting emails with varying wiring instructions over a relatively short period of time;
  • The nature of the fraudulent wiring instructions: Courts are more inclined to conclude that instructions to wire money to a foreign bank account and/or to an unknown beneficiary should have raised the buyer’s skepticism; and
  • The nature of the fraudulent email(s): Was the email address identical to the seller’s authentic email, or did the fraudster use a similar, but not identical, email address with minor changes that could have been detected? Did the email(s) use the true seller’s typical grammar, phrasing, and jargon, or were there changes and inaccuracies that should have raised suspicion? 

Some courts have concluded that, whichever party was in the best position to prevent the fraud bears 100% of the loss.[2] Whereas other courts have suggested that a jury may apportion a percentage of liability to both parties based on their respective degrees of fault.[3]

Breach of Contract Principles.  A few courts have declined to apply the imposter rule and have, instead, relied on basic breach of contract principles to assign liability to the party who failed to comply with their contractual obligations (typically, the party who unknowingly wired money to the fraudster).[4] Unlike the imposter rule, contract law is not concerned with who acted reasonably. All that matters is that the buyer agreed to pay the seller for a good or service and must comply with that obligation even if it inadvertently paid a fraudster first. Although strict in application, thus far, this appears to be the minority rule.

Agency Principles.  Courts have also analyzed BEC scam liability under traditional agency principles; specifically, a concept known as apparent or ostensible authority.[5] Apparent authority exists when a principal (in this case, the hacked seller) has intentionally or inadvertently induced a third party (here, the defrauded buyer) to believe that someone was its agent even though the principal did not actually give that person authority to act on its behalf.[6] Importantly, under this analysis, the fraudster’s conduct is irrelevant.[7] The critical factor is whether the true seller’s actions or omissions led the buyer to reasonably believe that the fraudster was the seller’s agent.[8] Most courts have declined to hold a seller liable based on agency principles.[9]

Takeaways

In sum, some courts have found that a seller is liable if it was negligent in maintaining its email accounts or knew about “red flags” alerting it to fraud and failed to notify the other party to the transaction. Other courts have found that the recipient of the fraudulent wire instructions is liable for failing to verify the instruction’s validity, especially in situations where conflicting emails were sent over a short period of time or where the nature of the wire information and/or emails should have raised suspicion. However, not all courts apply the same tort-based analysis, and for the courts that do, the cases are fact-intensive. Understanding the common fact patterns, the red flags to be wary of, and the various frameworks courts have applied will help you position your business to avoid BEC scam liability.


[1] See Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed. Appx. 348, 357 (6th Cir. 2018); Parmer v. United Bank, Inc., 20-0013, 2020 WL 7232025, at *3 (W. Va. Dec. 7, 2020); Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915, 920 (D. Nev. 2020); Bile v. RREMC, LLC, 3:15CV051, 2016 WL 4487864, at *7–*13 (E.D. Va. Aug. 24, 2016); J.F. Nut Co., S.A. de C.V. v. San Saba Pecan, LP, A-17-CV-00405-SS, 2018 WL 7286493, at *3 (W.D. Tex. July 23, 2018); Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., 8:14-CV-2052-T-30TGW, 2015 WL 4936272, at *5–*6 (M.D. Fla. Aug. 18, 2015).

[2] See, e.g., Jetcrete, 484 F. Supp. 3d at 920.

[3] See, e.g., Beau Townsend, 759 F. App’x at 357; see also Peeples, 2021 WL 4224009, at *8 (analyzing the two apportionment of liability rules).

[4] See Peeples v. Carolina Container, LLC, 4:19-CV-21-MLB, 2021 WL 4224009, *4–*8 (N.D. Ga. Sept. 16, 2021); 2 Hail, Inc. v. Beaver Builders, LLC., 2017 WL 7086784, *2 (Nov. 29, 2017, Colo. Dist. Ct.).

[5] J.F. Nut, 2018 WL 7286493, at *3; Jetcrete N. Am. LP, 484 F. Supp. 3d  at 920; Beau Townsend, 759 Fed. Appx. at 358.

[6] See, e.g., Ruesga v. Kindred Nursing Centers, L.L.C., 215 Ariz. 589, 597, ¶ 29 (App. 2007); Reed v. Gershweir, 160 Ariz. 203, 205 (App. 1989).

[7] Reed, 160 Ariz. at 205.

[8] Id.

[9] J.F. Nut, 2018 WL 7286493, at *3; Jetcrete N. Am. LP, 484 F. Supp. 3d  at 920; Beau Townsend, 759 Fed. Appx. at 358.


Get MORE. Insights

Stay ahead in the legal world – subscribe now to receive the latest insights and news from Fennemore Law Directly in your inbox!