Insight

Scammers’ Delight

Attacks on companies’ email systems are common, and losses are staggering. How can a business fight back against third-party fraud—and what are the risks of choosing to go to battle?

Hands typing on blue, light u keyboard
SA

Santosh Aravind

October 5, 2020 08:00 AM

Cybercriminals seldom rest, always looking for vulnerabilities to exploit—and now they’re increasingly targeting private commercial transactions in what’s known as a business email compromise attack (BEC). In such a breach, a cybercriminal infiltrates a company’s email system and poses as an owner of an important company email account. Pretending to be a specific executive, the thief then emails another business with which the first has an ongoing relationship, sending wire instructions for money legitimately owed to a bank account set up and controlled by the perpetrators of the scheme.

The email recipient, believing the message to be authentic, wires payment to the criminal’s account. By the time the two businesses figure out they’ve been had, it’s too late, and the money the second one sent to the first is long gone.

What happens in the wake of something like this? Can a victimized company recover the stolen funds? Can it possibly hope to recover from the criminal himself? If the perpetrator can’t be found, can the defrauded company recover the money from the one whose systems were hacked?

Hacking Businesses Is Good Business

According to the FBI’s Internet Crime Complaint Center (known as “IC3”), BEC cyberattacks on American companies have caused more than $8.2 billion in losses since 2013, with an additional $1.7 billion in adjusted losses in 2019 alone—the highest estimated out-of-pocket losses from any class of cybercrime over that period. IC3 also estimates global losses have exceeded $26 billion over the past three years. Given that many such crimes go unreported, the true figure is likely much higher.

BEC attacks increasingly occur on private business transactions because criminals, quite simply, see vulnerability. Companies engage in regular exchanges in which the buyer purchases a set amount of goods from a seller, and over time executives establish relationships with their counterparts. The nature of this friendly back-and-forth generally builds a degree of trust, which cybercriminals eagerly prey on.

In a typical scenario, a BEC attack originates with the criminal targeting an executive at a given company. Let’s say Company A supplies auto parts to Company B on a set schedule, for which the latter wires payment. Knowing this, the criminal will infiltrate Company A’s email system, often through a “phishing” scheme—sending a phony email or web link. Once clicked on, the targeted account has been compromised. The criminal can then monitor the account’s messages and activity, becoming familiar with how the executive at Company A uses email and how exactly the transactions with Company B occur. Upon spotting a good opportunity, the criminal sends out a spoofed or otherwise compromised message requesting the wire transfer.

In this scenario, Company A is harmed because it has made the usual delivery to Company B but hasn’t been paid. Company B is harmed, too, though, because it has issued payment intended for Company A but now in the criminal’s coffers. Usually, Company A will demand legitimate payment from Company B, or demand that it send the merchandise back. Where to go from here?

Recovering Cyberattack Assets From the Criminal

In the aftermath of a BEC attack, it is possible for victimized companies to recover lost assets. The FBI’s IC3 reported that in 2019, its Recovery Asset Team was able to claw back roughly 79 percent of potential losses for claims that were referred to the Recovery Asset Team, totaling $304.9 million. To have any hope of obtaining recovery from the criminal, though, a victimized company must report the fraud to the FBI or other law enforcement—and there are a number of reasons a business might be reluctant to do so. According to the Department of Justice, as of 2016, just 15 percent of corporate fraud victims nationwide report the crime.

Why are companies so wary? First, a business might view the pursuit of a cybercriminal as a waste of time and resources, especially when the hacker is determined to be operating overseas. Indeed, because so many cybercriminals ply their trade outside the United States, it’s often extremely difficult to hold them to account.

Second, apprehending the perpetrator might not be the company’s highest priority. It will focus instead on shoring up internal controls to ensure that it doesn’t fall victim again, as well as on fulfilling its legal obligations to notify regulators and the affected parties. It might be concerned about negative publicity or harm to its reputation. These worries are probably overblown, but they might lead a business to try to resolve related disputes with its partners informally or in the civil courts.

Recovering Assets from the Business Partner

When a company can’t recover money stolen by a cybercriminal, it might decide to seek recovery from the business partner. When such disputes can’t be resolved informally, they lead to litigation, focusing on which party was more negligent in enabling the scheme: Was it Company A, whose email system was initially hacked, or Company B, who sent the payment to a fraudulent account?

Recent years have seen a handful of court decisions involving BEC-scheme victims who have sued each other. Which company should bear the risk of loss? Courts so far have taken a similar approach to these cases.

The first relevant case was a 2015 dispute, Arrow Truck Sales v. Top Quality Truck & Equipment, Inc., in which one company, Top Quality, negotiated to sell a group of trucks to the other for $570,000. Both the seller and purchaser’s email systems were hacked by third-party fraudsters who sent “updated” wiring instructions to the buyer, Arrow Truck, which believed them to be real; the criminals got away with the full $570,000 purchase price.

The district court noted that there was no applicable case law on the issue of which party bore the loss stemming from third-party fraud that resulted in nonperformance of the contract. It took guidance instead from the Uniform Commercial Code, which provides—under the “imposter rule”—that the party that suffers the loss is the one in the best position to prevent a forgery by exercising reasonable care. After a bench trial, the court determined on those grounds that the purchaser of the trucks should bear the loss. “The [wire] instructions involved completely different information from all of the previous instructions,” the court observed. “Simply put, [Arrow Truck] should have exercised reasonable care after receiving conflicting emails containing conflicting wire instructions by calling [Top Quality] to confirm or verify the correct wire instructions prior to sending the $570,000. As such, Arrow should suffer the loss associated with the fraud.”

In a 2016 case, Bile v. RREMC, a lawyer named Uduak Ubom had his email hacked. Ubom represented Amangoua Bile, a client who had just reached a $63,000 settlement with his former employer on an employment discrimination claim. The third-party fraudster used Ubom’s email to send updated wiring instructions to the law firm representing the employer. When the firm followed those directions, the criminal stole the money. Bile and his former employer, RREMC, then brought competing motions to enforce the settlement agreement. The court held an evidentiary hearing and determined that Ubom had failed to observe ordinary care, which contributed to the theft—and consequently Bile bore the loss. Notably, the court found that Ubom had knowledge of an attempted fraud days before the transfer took place but did not notify opposing counsel. The court thus adopted a rule that “where an attorney has actual knowledge that a malicious third party is targeting one of these cases with fraudulent intent, the attorney must either alert opposing counsel or must bear the losses to which his failure substantially contributed.”

Two years later, in Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., the latter car dealership agreed to purchase 20 SUVs from the former. As the deal came to a close, a criminal infiltrated Townsend’s email account and sent a message requesting that Hinds pay for the vehicles via wire transfer to an out-of-state bank. Hinds, believing the note was authentic, inadvertently wired the money to the criminal and picked up the SUVs. When Townsend later asked Hinds to return them, Hinds refused, and Townsend sued for breach of contract, among other causes of action.

The district court granted summary judgment for Townsend. Both parties were negligent: Townsend “should have maintained a more secure email system and taken quicker action upon learning that it might have been compromised,” it observed, whereas Hinds “should have ascertained that an actual agent of Beau Townsend was requesting that it send money by wire transfer.” Nonetheless, the court held that Hinds breached the agreement because Townsend had “not received any funds from Don Hinds[.]”

The Sixth Circuit, on appeal, reversed, finding the district court’s approach too simplistic. The Sixth Circuit reasoned that the case should be evaluated in two ways: under both contract law and agency law. Under contract law, the circuit court found that the case turned on the principle of mutual error: “[B]oth parties held the mistaken belief that they had agreed on a method of payment.” Because rescission of the contract—a common remedy for a mutual mistake—was not an option (Hinds couldn’t return the SUVs without being out the $730,000 purchase price), the Sixth Circuit turned to another provision of the Restatement (Second) of Contracts, which provides that the court may allocate the risk of loss to a party when “it is reasonable in the circumstances to do so.” The court then discussed both Arrow Truck and Bile, concluding that the district court, on remand, should determine “whether either Beau Townsend’s or Don Hinds’ failure to exercise ordinary care contributed to the hacker’s success, and would then have to apportion the loss according to their comparative fault.”

The Sixth Circuit also applied agency principles to support its view that the risk of loss could be apportioned between the two parties. Applying the Restatement and Ohio law, the court found that if “Beau Townsend had failed to exercise ordinary care in maintaining its email server, thus allowing the hacker to pose as [an employee], then Beau Townsend could be liable for Don Hinds’ reasonable reliance on the hacker’s emails. In addition, any potential liability would be reduced if Don Hinds also failed to exercise reasonable care.” Finally, the circuit court directed the trial court to “hold a trial to decide whether and to what degree each party is responsible for the $730,000 loss in this case.” To do so, the trial court must decide which party “was in the best position to prevent the fraud.”

In essence, Beau Townsend stands for the proposition that when a third-party criminal steals money from a contractual transaction between two others, a district court must conduct a factual inquiry to determine which party should bear the loss: whichever was more negligent because it was in the best position to prevent the fraud. If both parties are negligent, the loss may be apportioned between them.

Caution: Hazards Ahead

Recovering money from a business email compromise attack is difficult. The only way to recover from the criminal who launched the attack is to get law enforcement involved. A company might be reluctant to do that to begin with, and if the criminal is operating out of the country, recovery is likely impossible.

A business that has been victimized by a BEC attack might decide to proceed against a business partner, claiming it was that party’s negligence that enabled the attack to succeed. Filing such a suit, of course, can come at some cost: The litigation will end up assessing which company could best have prevented the scheme, and whose internal-security practices are better. Companies should proceed cautiously when filing suit unless they’re confident that their security protocols will withstand scrutiny. Otherwise, they might find themselves victimized a second time.

Santosh Aravind, partner at Scott, Douglass & McConnico., is an experienced trial lawyer representing individuals and companies in white-collar criminal investigations, regulatory enforcement proceedings, cyber-security matters, and complex commercial litigation. Santosh has represented clients in proceedings brought by the Securities and Exchange Commission, the United States Department of Justice, the Office of Attorney General in Texas, Massachusetts Attorney General’s Office, and various state agencies in Texas.

Headline Image: ISTOCK / DEPO881, MILAN_JOVIC

Related Articles

Announcing the 2020 Global Business Edition


by Best Lawyers

Featuring Best Lawyers and Law Firm of the Year honorees from around the globe.

	Fall Business Edition "The Global Issue"

Treacherous Waters, Uncharted Territory


by Bryan Driscoll

Political shifts around the globe this year are forcing international law and business to navigate a more intricate compliance landscape

Man in suit with telescope stands on deserted boat

The Human Cost


by Justin Smulison

2 new EU laws aim to reshape global business by enforcing ethical supply chains, focusing on human rights and sustainability

Worker wearing hat stands in field carrying equipemtn

Critical Period


by Armelle Royer and Maryne Gouhier

How the green-energy raw materials chase is rewriting geopolitics

Overhead shot of mineral extraction plant

Misinformation Age


by Gregory Sirico

As AI weaponizes lies, can global law, corporate business practices and legal associates adapt to the growing threat?

Animated hands shifting sides of a message cube

Clash Across the Channel


by Clément Fouchard and Peter Rosher

The diametric opposition of decisions reached by French and English courts in a recent arbitration case shows how profound cultural differences between international jurisdictions can lead to maddening legal uncertainty.

French and English flag

Without Delay


by Ashish Mahendru and Darren Braun

Remote testimony? Virtual evidence presentation? Been there, done that: Why even international arbitration proceedings have, for the most part, weathered the pandemic just fine.

People talking in a conference room

Targeted Cyber Attacks Are Rapidly Increasing in 2019


by James L. Pray

Targeted cyber attacks, spear-phishing attacks, and ransomware attacks are increasing and could put your business's security on the line.

Cyber Attacks Are Increasing

Motion Sustained


by Elise Scott, Madalyn Brown, and Bob DeMott

Corporate social responsibility isn’t just good for the planet—increasingly, it’s good for business, too.

How Corporate Sustainability Works

Trending Articles

2025 Best Lawyers Awards Announced: Honoring Outstanding Legal Professionals Across the U.S.


by Jennifer Verta

Introducing the 31st edition of The Best Lawyers in America and the fifth edition of Best Lawyers: Ones to Watch in America.

Digital map of the United States illuminated by numerous bright lights

Unveiling the 2025 Best Lawyers Awards Canada: Celebrating Legal Excellence


by Jennifer Verta

Presenting the 19th edition of The Best Lawyers in Canada and the 4th edition of Best Lawyers: Ones to Watch in Canada.

Digital map of Canadathis on illuminated by numerous bright lights

Legal Distinction on Display: 15th Edition of The Best Lawyers in France™


by Best Lawyers

The industry’s best lawyers and firms working in France are revealed in the newly released, comprehensive the 15th Edition of The Best Lawyers in France™.

French flag in front of country's outline

Presenting the 2025 Best Lawyers Editions in Chile, Colombia, Peru and Puerto Rico


by Jennifer Verta

Celebrating top legal professionals in South America and the Caribbean.

Flags of Puerto Rico, Chile, Colombia, and Peru, representing countries featured in the Best Lawyers

Announcing the 13th Edition of Best Lawyers Rankings in the United Kingdom


by Best Lawyers

Best Lawyers is proud to announce the newest edition of legal rankings in the United Kingdom, marking the 13th consecutive edition of awards in the country.

British flag in front of country's outline

Unveiling the 2025 Best Lawyers Editions in Brazil, Mexico, Portugal and South Africa


by Jennifer Verta

Best Lawyers celebrates the finest in law, reaffirming its commitment to the global legal community.

Flags of Brazil, Mexico, Portugal and South Africa, representing Best Lawyers countries

Prop 36 California 2024: California’s Path to Stricter Sentencing and Criminal Justice Reform


by Jennifer Verta

Explore how Prop 36 could shape California's sentencing laws and justice reform.

Illustrated Hands Breaking Chains Against a Bright Red Background

Announcing the 16th Edition of the Best Lawyers in Germany Rankings


by Best Lawyers

Best Lawyers announces the 16th edition of The Best Lawyers in Germany™, featuring a unique set of rankings that highlights Germany's top legal talent.

German flag in front of country's outline

Celebrating Excellence in Law: 11th Edition of Best Lawyers in Italy™


by Best Lawyers

Best Lawyers announces the 11th edition of The Best Lawyers in Italy™, which features an elite list of awards showcasing Italy's current legal talent.

Italian flag in front of country's outline

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

Find the Best Lawyers for Your Needs


by Jennifer Verta

Discover how Best Lawyers simplifies the attorney search process.

A focused woman with dark hair wearing a green top and beige blazer, working on a tablet in a dimly

Key Developments and Trends in U.S. Commercial Litigation


by Justin Smulison

Whether it's multibillion-dollar water cleanliness verdicts or college athletes vying for the right to compensation, the state of litigation remains strong.

Basketball sits in front of stacks of money

Woman on a Mission


by Rebecca Blackwell

Baker Botts partner and intellectual property chair Christa Brown-Sanford discusses how she juggles work, personal life, being a mentor and leadership duties.

Woman in green dress crossing her arms and posing for headshot

Best Lawyers Celebrates Women in the Law: Ninth Edition


by Alliccia Odeyemi

Released in both print and digital form, Best Lawyers Ninth Edition of Women in the Law features stories of inspiring leadership and timely legal issues.

Lawyer in green dress stands with hands on table and cityscape in background

The Human Cost


by Justin Smulison

2 new EU laws aim to reshape global business by enforcing ethical supply chains, focusing on human rights and sustainability

Worker wearing hat stands in field carrying equipemtn

Beyond the Billables


by Michele M. Jochner

In a recently conducted, comprehensive study, data reveals a plethora of hidden realities that parents working full-time in the legal industry face every day.

Women in business attire pushing stroller takes a phone call