One of the ways hackers facilitate wire fraud is by gaining access to business email accounts. Posing as the transferor in a transaction, the hacker requests the wiring instructions be changed to modify the destination of the funds to the hacker’s account.
The FBI Internet Crime Report reflects losses from business email compromise (BEC) in 2023 over $2.9 billion. Sophisticated BEC now involves funds sent to third-party payment processors, cryptocurrency platforms, or custodial accounts at a financial institution in addition to scams with real estate, vendor payments, and gift card requests.
With large sums at stake, several cases have addressed who pays when the funds are lost. Two predominant theories have emerged: liability for breach of contract and liability arising from failing to exercise reasonable care.
Peeples v Carolina Container, LLC, 2022 U.S. Dist. LEXIS 176076, involved what the Court termed, “a botched wire transfer” in an asset purchase agreement that sent the money to a crook who hacked into the email account of Peeples’ attorney. The Court granted summary judgment against Carolina Container for breach of contract, with liability for damages of $1.71 million, interest and reasonable attorney fees.
Countering breach of contract for wire fraud, some courts have extended the UCC 3-404 Imposter Rule to apply to wire transfers from fraudulent emails. UCC 3-404 states that if an imposter induces the issuer…to issue the instrument to the imposter by impersonating the payee, indorsement is effective for a payor in good faith. It also says that if a payor or payee fails to exercise ordinary care…and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care if the failure…contributed to the loss.
Although the UCC applies to negotiable instruments and not wire transfers, courts used this to find the party that could best prevent the wire fraud bears the loss, regardless of contract terms.
Arrow Truck Sales v. Top Quality Truck & Equip., Inc., 2015 U.S. Dist. LEXIS 108823, is the leading case. Following a very fact-specific analysis, the Arrow court ruled in the defendant’s favor concluding that Arrow was in the best position to prevent the wire fraud and should have exercised reasonable care after receiving conflicting wire instructions.
In an Ohio case, Hoffman v Atlas Title Solutions, Ltd., 2023-Ohio-1706, the Third Appellate District Court concluded the trial court improperly granted summary judgment in favor of the title company on plaintiff’s breach-of-contract and breach-of-fiduciary duty claims, noting genuine issues of material fact whether an implied agreement for escrow services exists.
The Court stated that the case presents a novel issue requiring the analysis of who bears the responsibility for the escrow fraud that took place in the case. The Court also found that issues remain as to whether the title company implemented “proper” security measures to prevent plaintiff’s personal information from being “phished” to facilitate the “spoofed” email or whether plaintiff should have recognized that the email was “spoofed.”
The case was remanded for further proceedings. Stay tuned for developments in this case.
Wire fraud usually starts from a change to existing wire instructions or setting up new instructions. Here are some best practices to prevent wire fraud:
- DESIGNATE certain employees to send wire transfers
ALL other employees are prohibited from wiring funds - TRAIN all employees who handle wire transfers
New employees should train immediately! - ESTABLISH a “Known and Trusted” phone number to use for verification
- USE Multifactor Authentication to access all IT systems
Change passwords regularly - SECURE EMAIL to filter our phishing emails
- ENCRYPT email or use secure fax for wire instructions
- ALWAYS VERIFY all wire transfers by calling the “Known and Trusted” phone number
This includes initial set up, modified, or changed instructions - ASSUME all changes to wiring instructions are fraudulent until verified.
Carefully examine emails for slight alterations
Look for spelling, grammar, and punctuation errors - DO NOT use contact information, email or phone number from the email requesting funds
- DON’T RUSH! Take time to check and verify
- ADOPT a Wire Fraud Reduction Policy
Have all employees who can wire funds review policy annually - CONSIDER additional cyber insurance. Basic cyber coverage may not be adequate.
Contact OSBA Insurance Agency for information to obtain a quote. - CONTACT FBI Internet Crime Complaint Center (IC3) and financial institution to report scam
- VISIT OBLIC Cyber Toolbox to access information on
Top 5 Ways to Protect against BEC
Training courses for lawyers and staff
Sample Wire Fraud Reduction Policy
Additional resources:
Ohio Court Holds Escrow Agent Potentially Liable for Unaffiliated Party’s Escrow Fraud
Ohio Appellate Court Rules Phished Homebuyer Can Sue Hacked Escrow Agent
J. Bushnell Nielsen, Closing Company Not Off the Hook for Phishing Wire Fraud Loss, Vol 31, Issue 6, The Title Insurance Law Journal, 10 (2023)
Daniel S. Strick, Wire Transactions Gone Wrong and How to Avoid an Interception by a Fraudster, Vol. 16, No.2, Professional Liability Defense Quarterly, 6 (2024)
As always, if you have any questions, please contact us here at OBLIC. We can help you prevent wire fraud.
Gretchen K. Mote, Esq. Director of Loss Prevention Ohio Bar Liability Insurance Co. Direct: 614.572.0620 [email protected] |
Merisa K. Bowers, Esq. Loss Prevention Counsel Ohio Bar Liability Insurance Co. Direct: 614.859.2978 [email protected] |
This information is made available solely for loss prevention purposes, which may include claim prevention techniques designed to minimize the likelihood of incurring a claim for legal malpractice. This information does not establish, report, or create the standard of care for attorneys. The material is not a complete analysis of the topic and should not be construed as providing legal advice. Please conduct your own appropriate legal research in this area. If you have questions about this email’s content and are an OBLIC policyholder, please contact us using the information above.