Business email compromise fraud, known to law enforcement as “BEC” fraud, is a relatively new scam that is increasingly costly to American business—and it’s getting worse. It usually begins with a fake email from a boss or client and ends with an employee being duped into wiring thousands of dollars to a scammer. Increased email usage by the millions of Americans working from home for the first time, on unprotected personal computers, only amplifies this threat.
In 2019 alone, the Federal Bureau of Investigation received almost 24,000 complaints reporting close to $1.8 billion in losses from BEC fraud. Worldwide estimated losses approach $26 billion between 2016 and 2019. These numbers, as high as they are, probably underestimate true losses because victims do not always report the fraud.
The steady increase in losses can be attributed, at least in part, to the increasing savviness of scammers. No longer are fraudulent emails fraught with broken English, improper syntax, or fanciful tales of Nigerian princes. Fraudsters today are adept at deceiving their targets. They research them on social media, infiltrate business and personal email accounts, and monitor communications for months. When the time is right, they send fake emails that can be virtually indistinguishable from the real thing.
A typical tactic involves creating a false sense of urgency. All employees want to be effective at their job and usually feel obligated to comply with a boss’s request—particularly if it is urgent. Scammers rely on this mentality by targeting mid- or lower-level employees with fake emails from the CEO, or another business leader, requesting immediate transfers of money. Targeted employees, fearing the boss’s wrath, comply with the request without taking the time to verify it. Money is wired to the scammer’s bank account and, from there, diverted to banks in Hong Kong, mainland China, or other countries where it is unreachable by U.S. authorities. Law enforcement and banks have made strides in recent years in their efforts to halt these transfers, but the chances of recovering the money are still slim even if the victim acts quickly.
Not only do they make off with the money, but scammers can also leave years of civil litigation in their wake. One of the first reported cases in the country to address BEC fraud is from Florida. In Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., 2015 WL 4936272 (M.D. Fla. Aug. 18, 2015), two semi-truck dealers were negotiating the sale of twelve used trucks when, unbeknownst to either, their email accounts were hacked. Fraudsters monitored their communications and eventually sent an email from the seller’s email account containing “updated” wiring instructions. The buyer followed the fake instructions and unknowingly wired $570,000 to the hacker. The money was never recovered, and, having never received payment, the seller refused to deliver the trucks.
In the litigation that followed, the court found that although both parties were hacked, the buyer should bear the entirety of the loss because it “had more opportunity and was in the better position to discover the fraudulent behavior based on the timing of the e-mails and the fact that the fraudulent wiring instructions involved . . . different account information from all of the previous wiring instructions. . . . [A]t the very least,” the court said, “the change in wiring instructions and conflicting e-mails should have prompted [the buyer] to confirm the information . . . prior to wiring any funds.” Subsequent courts have followed that rationale and distilled the following rule: “the party who was in the best position to prevent the fraud by exercising reasonable care suffers the loss.”
The practical effect of this rule is significant. First, it means that, regardless of the time, money, and effort a business devotes to cyber-security, the single act of a careless employee can expose it to tremendous losses—even if internal systems were not compromised. Second, absent a specific contractual provision or other duty that allocates the risk, a jury must determine who is at fault. Civil cases today rarely result in jury trials because the cost is high and juries can be unpredictable. That will be particularly true for BEC cases because it can be difficult to determine who is most at fault. In the case discussed above, for example, the email accounts of both businesses were compromised, but neither knew when or how that breach occurred. Moreover, both parties received fraudulent emails and both ignored warning signs that might have prevented the fraud.
There are a few potential solutions. The first step to preventing BEC fraud is awareness. In addition to traditional cyber-security, many large businesses use training and transaction policies to educate employees about the dangers of fraud or provide a step-by-step checklist that must be completed before a wire can be sent. Successful policies should require multiple people to review the transaction before it is finalized, along with several levels of confirmation with the intended recipient. Risk can also be managed on the front end by using specific contractual provisions that shift the risk of loss, for example, to the party whose system was hacked. When money is unintentionally diverted, employees should immediately inform the sending bank. The sooner the bank is aware of the mistake, the more likely it will be able to recall the wire.
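As an added example that is not from the article or from any of the parties it discusses, the following Python sketch shows how the controls described in the preceding paragraph (a pre-wire checklist, review by more than one person, and confirmation with the intended recipient) can be enforced mechanically rather than left to an employee's judgment. It also codifies the warning sign the Arrow Truck court relied on: beneficiary details that differ from every prior set of wiring instructions. The vendor record, names, and amounts are constructed for illustration; a real system would draw them from the accounts-payable vendor master.

```python
from dataclasses import dataclass, field

# Constructed vendor master: account details verified when the vendor was
# onboarded, plus a phone number obtained then (never one taken from an email).
VENDOR_MASTER = {
    "V-1001": {"account": "123456789", "bank": "First Bank", "phone_on_file": "+1-555-0100"},
}

REQUIRED_APPROVERS = 2  # reviewers other than the person who entered the wire


@dataclass
class WireRequest:
    vendor_id: str
    amount: float
    beneficiary_account: str
    beneficiary_bank: str
    requested_by: str
    approvals: set = field(default_factory=set)
    # Set True only after someone phoned the vendor at the number on file and
    # the vendor confirmed the new details by voice. An email reply does not count.
    callback_verified: bool = False


def instructions_changed(req: WireRequest, master: dict) -> bool:
    """True if the beneficiary differs from the record verified at onboarding."""
    rec = master.get(req.vendor_id)
    if rec is None:
        return True  # unknown vendor: treat as changed instructions
    return rec["account"] != req.beneficiary_account or rec["bank"] != req.beneficiary_bank


def check_wire_release(req: WireRequest, master: dict,
                       required_approvers: int = REQUIRED_APPROVERS):
    """Return (ok, reasons). The wire may be released only when reasons is empty."""
    reasons = []

    # Control 1: dual review. The requester cannot count as one of the approvers.
    approvers = req.approvals - {req.requested_by}
    if len(approvers) < required_approvers:
        reasons.append(
            f"needs {required_approvers} approvers other than the requester, has {len(approvers)}"
        )

    # Control 2: any change in wiring instructions is the signal the Arrow Truck
    # court said should have prompted confirmation. Require out-of-band callback.
    if instructions_changed(req, master) and not req.callback_verified:
        reasons.append(
            "beneficiary differs from the vendor record and was not confirmed "
            "by callback to the phone number on file"
        )

    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    # Constructed scenario modelled on the case: "updated" instructions arrive by
    # email, one colleague approves, nobody phones the vendor.
    suspicious = WireRequest("V-1001", 570000.0, "987654321", "Offshore Bank",
                             requested_by="alice", approvals={"alice", "bob"})
    ok, why = check_wire_release(suspicious, VENDOR_MASTER)
    print("release:", ok)
    for r in why:
        print(" -", r)
```

Running the block refuses the constructed wire on two grounds: only one independent approver, and changed beneficiary details with no callback. The same request passes once a second reviewer approves and the change has been confirmed by phone at the number already on file, which is the order of operations the paragraph above recommends.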
Businesses today cannot afford to overlook this threat. As an increasing number of Americans begin to work from home, no business, no matter how small, is safe from attack and no business, no matter how robust its cyber-security, is immune from loss.