Most of the disputed claims we see at Blue Book Services involve allegations of hot weather, late deliveries, damaged products, poor returns, things of that nature. But sometimes we see disputes that don’t involve temperature tapes, bills of lading or inspection certificates.
Recently we received two complaints in which a seller’s email system was compromised by a third party who appears to have hacked into the email system, monitored communications, and then sent well-timed emails to the seller’s customers containing fraudulent wire transfer instructions.
Although the facts in each case vary (and are subject to some dispute), in both cases a customer (the payer) transferred money to a third-party account and was unable to cancel the payment.
Plus, in both cases, the payers basically said, “Too bad, but you’ve been hacked and we’re not here to pay the bills twice.”
In this article, we’ll discuss these scams, called business email compromise or BEC scams, and identify best practices to help you and your business partners avoid similar mishaps.
Don’t blame the bank
First, generally speaking, Michael Erdman of the Chicago-area law firm Teeple, Leonard and Erdman explains, “If a bank had commercially reasonable security measures, followed them and performed the transfer in good faith, it’s probably untouchable.”
Additionally, Erdman explains that the bad actor’s bank generally has no obligation to victims, although in some cases the bank may be able to reverse the payment or help criminal justice authorities investigate.
In most cases, the harsh reality is that buyers and sellers must work things out between themselves, testing the still-developing law in this area, and perhaps testing the strength of the business relationship as well.
“Courts that have considered the matter have focused on the party best placed to prevent the loss,” Erdman says.
“Questions would include whether the payer’s reliance on the compromised email was reasonable given the circumstances, and whether the intended recipient took reasonable steps (e.g., used standard security measures) to avoid the compromised email in the first place,” he adds.
The first of two BEC claims filed with Blue Book provides a good example of the plaintiff-beneficiary (the intended beneficiary) taking reasonable action after discovering that their email system had been compromised.
Once the problem was discovered, the plaintiff-beneficiary immediately informed his customers of the problem and asked them to disregard emails from an email domain name that deceptively resembled his own.
Unfortunately, despite this notice, the buyer sent a payment to the fraudulent account which, to date, has not been recovered.
The second claim filed with Blue Book, however, would have been more difficult to prevent.
This plaintiff-beneficiary was unaware of the compromise at the time, and the fraudulent instructions were sent from the plaintiff-beneficiary’s own, legitimate email address.
In this case, the buyer appears to have accepted the new wire transfer instructions without a second thought and sent the payment to the hacker’s account, never to be seen again.
So in these situations, which party was best placed to prevent the loss?
Although the details of each case should be reviewed separately, we believe it is reasonable to expect that a payer who transfers money to a new or different account without confirming the validity of the new information will be found to have been (1) in the best position to prevent the loss, and (2) to have failed to take reasonable steps to prevent it.
Meanwhile, payees who fail to implement standard security procedures, or who fail to notify business partners of a known security breach, can expect their claim to be disputed by the payer on that basis.
Erdman shares the following non-exclusive list of safeguards to consider in consultation with your bank, network professionals, attorney, insurer, customers and vendors.
For payers (the party sending the money): First, have a contact person at your intended payee who you know is “real” and authorized to provide payers with wire transfer instructions. Second, as a general rule, only act on wire transfer instructions provided by that authorized person.
Third, when you first receive bank transfer instructions from the beneficiary’s authorized person, or when the instructions received by email differ in any way from the authenticated transfer instructions previously provided by the person authorized, pick up the phone and call the authorized person (using a known business phone number) before acting on the instructions.
Confirm that you are speaking with the authorized person and validate the authenticity and accuracy of recently received wire transfer instructions.
Fourth, in situations where telephone confirmation is impossible or impractical, consider whether the transfer should be sent immediately. A payer assumes legal risk when sending a wire transfer without validating new or different instructions.
Fifth, if you choose to continue without confirmation by phone, carefully review emails with new or different transfer instructions.
Specifically, examine the “from” name and email address (not just what is shown, but character by character). Also examine the body of the email and the sender’s signature block for anything inaccurate or unusual (typing errors, clumsy grammar, or unusual language). Compare previously received wire transfer instructions and “new” ones – if in doubt, don’t send the wire transfer!
Sixth, inform employees of the appropriate security measures and the importance of respecting them at all times.
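The payer-side steps above (check the sender address character by character, compare new instructions against the ones already authenticated, and stop to phone the authorized contact when anything differs) can be partly automated so that accounts-payable staff get a consistent verdict before a wire goes out. The following is an added example written for this page, not Blue Book’s or Erdman’s tooling; the vendor record, email headers, bank details and the small look-alike character table are all constructed for illustration. It distinguishes the two claims described earlier: a look-alike domain (hold the wire) and a genuine but compromised mailbox, where only a phone call to a known number would catch the changed account.

```python
"""Payer-side screening of emailed wire transfer instructions.

Added example for this page; all vendor, header and bank data below are
constructed samples, not real companies or accounts.
"""
import unicodedata

# Free-mail providers the article says should not carry commercial wire details.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Deliberately small look-alike table (assumption: enough to show the idea,
# not a substitute for a full Unicode confusables list).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0456": "i",  # Cyrillic і
})


def skeleton(domain: str) -> str:
    """Comparison form of a domain: lowercase, accents stripped, look-alike
    characters folded, and the 'rn' / 'vv' tricks collapsed to 'm' / 'w'."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 between two different domains is the
    typo-squat case (dropped hyphen, swapped or doubled letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender_domain: str, expected_domain: str) -> str:
    """Return 'exact', 'free-mail', 'lookalike' or 'unknown' for the sender's domain."""
    sender, expected = sender_domain.lower(), expected_domain.lower()
    if sender == expected:
        return "exact"
    if sender in FREE_MAIL_DOMAINS:
        return "free-mail"
    if skeleton(sender) == skeleton(expected) or edit_distance(sender, expected) <= 2:
        return "lookalike"
    return "unknown"


def sender_address(from_header: str) -> str:
    """Extract the addr-spec from a From: header, ignoring the display name
    (which the attacker chooses and which is what most readers look at)."""
    if "<" in from_header and from_header.endswith(">"):
        return from_header[from_header.rfind("<") + 1:-1].strip().lower()
    return from_header.strip().lower()


def review_wire_instructions(message: dict, vendor: dict) -> tuple[str, list[str]]:
    """Apply the payer-side rules to one email carrying wire instructions.
    Returns (decision, reasons): 'HOLD' = treat as fraud until confirmed,
    'CALL' = phone the authorized contact on the number on file before
    sending, 'OK' = sender and details match what was already authenticated."""
    reasons = []
    local, _, domain = sender_address(message["from"]).rpartition("@")
    verdict = classify_domain(domain, vendor["domain"])
    if verdict != "exact":
        reasons.append(f"sender domain {domain!r} is {verdict}; expected {vendor['domain']!r}")
    if local != vendor["authorized_contact"].lower():
        reasons.append(f"sender {local!r} is not the authorized contact {vendor['authorized_contact']!r}")
    known, new = vendor.get("authenticated_instructions"), message["instructions"]
    if known is None:
        reasons.append("first instructions from this payee; nothing authenticated on file")
    else:
        changed = [k for k in sorted(set(known) | set(new)) if known.get(k) != new.get(k)]
        if changed:
            reasons.append("instructions differ from authenticated details: " + ", ".join(changed))
    if verdict != "exact":
        return "HOLD", reasons
    return ("CALL" if reasons else "OK"), reasons


# Constructed sample data (hypothetical vendor, contact, bank and account numbers).
AUTHENTICATED = {"bank": "Sample Produce Bank", "routing": "123456789", "account": "000111222"}
VENDOR = {"domain": "fresh-harvest.example", "authorized_contact": "ar",
          "authenticated_instructions": AUTHENTICATED}
MESSAGES = {
    "routine": {"from": "Accounts Receivable <ar@fresh-harvest.example>",
                "instructions": dict(AUTHENTICATED)},
    "compromised_mailbox": {"from": "Accounts Receivable <ar@fresh-harvest.example>",
                            "instructions": {**AUTHENTICATED, "account": "999888777"}},
    "lookalike_domain": {"from": "Accounts Receivable <ar@fresh-harv\u0435st.example>",  # Cyrillic е
                         "instructions": {**AUTHENTICATED, "bank": "Other Bank", "account": "999888777"}},
    "free_mail": {"from": "ar.freshharvest@gmail.com",
                  "instructions": {**AUTHENTICATED, "account": "999888777"}},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        decision, why = review_wire_instructions(msg, VENDOR)
        print(f"{name:20} -> {decision}" + (": " + "; ".join(why) if why else ""))
```

The "compromised_mailbox" case comes back as CALL rather than HOLD on purpose: the address is genuinely the payee's, so no header check can catch it, and the only control left is the one the article stresses, a phone call to a number you already had on file, never one taken from the email itself.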
For payees (the party providing the wire transfer instructions), the safeguards run in parallel. First, designate a contact person at the payer who is authorized to receive and process wire transfer instructions.
Second, only send wire transfer instructions to this authorized person. Consider simultaneously phoning the person to confirm receipt of instructions and authenticate them.
Let the authorized person at the payer know that this will be your practice whenever you send instructions (email followed by a phone call), and make sure you always follow it.
Third, more generally, but equally important, ensure that your company’s security measures, both online and offline, are appropriate.
Would it be difficult for a third party to connect to your network and access an existing email account? Create a new email account using the company domain? Identify employees responsible for customer accounts? Get “useful” information from your trash or discarded devices?
Fourth, avoid using common email domains (@gmail.com, @yahoo.com, @outlook.com) for commercial purposes. Consider not posting the names of employees responsible for customer accounts on a public website.
Fifth, consider encrypting wire transfer instructions and/or sharing them using a more secure means of communication than email.
And to think that you just wanted to sell products! Unfortunately, these threats are real and have multiplied in recent years.
For more information and steps to take after sending money to a fraudulent account, go here.
The bad guys will sometimes win. Victims include renowned New York law firms, a Premier League football club and even banks worth millions of dollars.
But with thoughtful preparation and the discipline to follow procedures, good guys can stack the odds in their favor.
For a revealing glimpse into the life of one of BEC’s most successful scam artists, head here.