In part 1 of this series, we looked at the rise of business email compromise (BEC) schemes and how they work. Next, we will explore who is liable and how to protect your business from such scams.
Who is liable for the loss?
The question now becomes who is liable for the loss. In the above scenario, you made the payment to your supplier. However, the supplier never received the payment and is still owed money. The supplier expects to be paid. But, on the other hand, the imposter hacked the supplier’s computer system and imitated the supplier’s communications.
One could argue that the supplier is at fault for the lost funds, since it did not secure its systems well enough to prevent the intrusion, and its misplaced confidence in those systems enabled another to commit fraud. Yet both you and the supplier are victims of the imposter. Who is at fault? Who is liable?
Courts that have faced the question of who is liable for losses that occur due to a BEC scam have consistently held that losses attributable to fraud should be borne by the party in the best position to prevent the fraud.
Questions the court may ask
The court is required to do a fact-specific analysis. Specifically, the court must ask who was in the best position to prevent the fraud and subsequent loss. The analysis is not about whether one party or another was negligent, but rather who was in the better position to prevent the fraud.
Some possible inquiries include:
- Did the supplier fail to properly educate its employees not to click on an attachment or a link? Did this failure result in the release of malware that provided access by the imposter to the employee’s email correspondence and business transaction information?
- Did the supplier have sufficient security to protect its systems from being hacked? If not, did that misplaced confidence enable another to commit fraud?
- Did the supplier allow third-party hackers to infiltrate its systems, enabling the imposters to review the supplier’s invoicing procedures and receive emails from its customers?
- Did the supplier enable an imposter to misappropriate funds by giving the imposter unlimited access to its systems?
- Did the supplier have knowledge that third-party hackers infiltrated its systems?
- Did the supplier have the opportunity to take reasonable steps to ensure its customers received notice of the BEC scam? If so, did the supplier adequately and timely warn its customers of the false ACH wiring instructions?
- Did the buyer have a reason to suspect an imposter? If so, what measures did the buyer take to determine whether the individual was the trusted entity’s representative or an imposter?
- Did the buyer receive conflicting information regarding the payment method, such as two different wiring instructions? If so, did the buyer exercise reasonable care after receiving conflicting emails to confirm or verify the correct wire instructions prior to sending payment?
Can I seek recourse from my bank?
Victims of BEC scams have found little success in seeking recourse against their financial institutions. For example, in Peter E. Shapiro, P.A., v. Wells Fargo Bank, 795 F. App’x 741, 743 (11th Cir. 2019), the Eleventh Circuit held that the bank was not liable, reasoning that the bank “maintained and complied with reasonable routines” by processing the payment through its automated system based on a valid account number alone, without regard to a mismatch between the name of the account holder and the intended beneficiary. The mismatch was noted in the system’s audit trail but did not halt the transaction.
What can I do to protect myself?
Today’s cyber landscape provides ample opportunities for criminals to facilitate large-scale fraud schemes. Cyberattacks come in many forms and are clearly on the rise. No organization is immune. The FBI states in its 2022 report that “cyber risk is a business risk.” As these threats of cyber-enabled fraud increase, companies must protect not only themselves but also their customers from these scams.
Accordingly, you should consider not “if” your business will experience a cyber attack but what you will do “when” it does, and what you can do now to minimize liability risks. A cyber security plan must include preventive controls, cyber insurance, and a strong incident response plan.
Email remains the most common vector for gaining access to corporate networks. A fraudulent email is harder to detect when it comes from someone at a company you already do business with, and especially when it appears to come from the correct address, whether because the sender’s mailbox was compromised or because the address is a close lookalike of the real one.
Businesses must prioritize regular training. The aim is to teach employees to resist phishing attempts and to recognize the warning signs of a cyber scam. Remember that a BEC scam, even when it begins with a compromised mailbox, ultimately depends not on a software flaw but on an employee accepting a fraudulent email as genuine. Businesses can also limit what may be communicated by email and adopt policies that prohibit sensitive information, such as wiring instructions and bank account details, from being transmitted by email. Any change to payment instructions should be treated as unverified until confirmed by calling the supplier at a number already on file, never at a number supplied in the email itself.
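As an added example that is not part of the original article, the script below shows what a simple accounts-payable triage check for the indicators discussed above can look like: a sender domain that is a lookalike of a known supplier domain, a Reply-To that diverts answers elsewhere, and a body that asks to change where payments go. The supplier domains, addresses and message bodies are constructed for the example, and the thresholds (two edits, a short homoglyph table) are illustrative assumptions rather than any vendor’s rule set.

```python
"""Triage an inbound supplier email for common BEC indicators.

Added example, not code from the original article. Supplier domains,
addresses and message bodies are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

# Domains of suppliers you actually pay (assumed for the example).
KNOWN_SUPPLIER_DOMAINS = {"acme-parts.example", "northwind.example"}

# The lure: a request to send money somewhere new.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}?\b(bank|wire|ach|account|routing)\b",
    re.IGNORECASE | re.DOTALL,
)

# Character sequences attackers swap in because they render alike.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_domain(domain: str) -> str:
    """Lowercase and fold common homoglyph substitutions so that
    'acrne-parts.example' compares equal to 'acme-parts.example'."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: set) -> Optional[str]:
    """Return the supplier domain that `domain` imitates, or None if it is
    either a genuine supplier domain or not close to any of them."""
    if domain in known:
        return None
    for real in known:
        if normalize_domain(domain) == normalize_domain(real) or levenshtein(domain, real) <= 2:
            return real
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def assess(raw: str, known: set = KNOWN_SUPPLIER_DOMAINS) -> list:
    """Return human-readable reasons the message needs out-of-band verification;
    an empty list means no indicator fired (which is not proof it is genuine)."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr) if reply_addr else from_dom
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    reasons = []
    target = lookalike_of(from_dom, known)
    if target:
        reasons.append(f"sender domain {from_dom!r} is a lookalike of supplier domain {target!r}")
    if reply_dom != from_dom:
        reasons.append(f"replies are diverted to {reply_dom!r} instead of {from_dom!r}")
    if PAYMENT_CHANGE_RE.search(text):
        reasons.append("message asks to change where payments are sent")
    return reasons


def raw_message(from_hdr: str, subject: str, body: str, reply_to: Optional[str] = None) -> str:
    """Build a minimal RFC 5322 text message (constructed sample input)."""
    headers = [f"From: {from_hdr}", "To: payables@buyer.example", f"Subject: {subject}"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    headers += ["MIME-Version: 1.0", "Content-Type: text/plain; charset=utf-8"]
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed samples: a routine invoice, a lookalike-domain fraud, and a
# payment-change request from the genuine (possibly compromised) supplier mailbox.
ROUTINE = raw_message(
    "Dana Lee <ap@acme-parts.example>", "Invoice 4471",
    "Hello, invoice 4471 for the March order is attached. Terms are net 30 as usual.",
)
LOOKALIKE = raw_message(
    "Dana Lee <ap@acrne-parts.example>", "Invoice 4471 - payment",
    "Hello, please note we have changed our bank. Our new wire details are "
    "attached; kindly use them for invoice 4471.",
    reply_to="ap.acmeparts@webmail.example",
)
COMPROMISED = raw_message(
    "Dana Lee <ap@acme-parts.example>", "Updated remittance details",
    "Following an audit we have an updated bank account. Please send all "
    "open invoices to the account below from now on.",
)

if __name__ == "__main__":
    for label, sample in (("routine", ROUTINE), ("lookalike", LOOKALIKE), ("compromised", COMPROMISED)):
        print(label, assess(sample) or ["no indicators"])
```

The third sample is the important one: it comes from the real supplier domain with no Reply-To trick, so only the payment-change indicator fires. That is exactly the case where a policy of confirming new bank details by phone at a number already on file, rather than any filter, is what stops the loss.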
Businesses can implement additional security measures such as VPNs, multi-factor authentication, and endpoint/mobile device security solutions. To safeguard their data from ransomware attacks, businesses of all sizes should have backup and disaster recovery solutions and incident response procedures.
Insurance coverage may also be key
Including your employees in the solutions, staying vigilant, and understanding the risk are key to managing it. However, even if a business completes the most robust employee training and purchases the most sophisticated technology to protect its systems, there is no guarantee that it will not suffer a future cyber attack.
Properly insuring your business to cover yourself and your customers against the threat of a cyber attack is imperative. General insurance policies typically do not cover cyber risk, and some specifically exclude it. Despite the high frequency of cyber incidents experienced by businesses, research reveals a significant gap in cyber insurance coverage, most notably among small businesses. It is likely that a portion of these businesses are not even aware that cyber insurance exists. It does, and it is well worth exploring.