Cybercriminals exploited remote work during the COVID-19 pandemic. In 2020, the FBI’s Internet Crime Complaint Center (IC3) saw a record 70% increase in the number of reported internet scams and losses exceeding $4.2 billion, due in part to the pandemic driving more commercial activities online and increasing remote work. According to the FBI, one of the most popular methods to steal money from businesses and individuals during the pandemic involved phishing scams and email account compromises.
What is the perfect way to be trapped in a wire fraud scheme? An employee receives and responds to a phishing email, allowing the fraudster to access the company email system.
Email account compromise (EAC) is a popular online crime because so many individuals and employers use email to conduct business. In an EAC scam, a fraudster gains access to the corporate email, monitors the email traffic, and sends email messages that appear to come from a known source and make a legitimate request.
In a real-world example of an EAC during the pandemic, a company vice president scheduled a six-figure wire transfer to complete a commercial vehicle sale by emailing his company’s wiring instructions for payment to a financial institution for the buyer. After the fraudster gained access to the VP’s email account through a suspected phishing scam and monitored the email traffic for potential wire transaction details, the fraudster contacted the same bank facilitating the wire transfer. The fraudster’s email included fake wire instructions and directed that the funds be sent to a different bank account controlled by the fraudster. To avoid detection by the VP, the fraudster created a fake email address that was almost identical to the email address for the real bank representative. The fraudster also stole graphics from the parties’ websites to make the fake emails and instructions look real. The fraudster then implemented a series of rules for the VP’s email account to immediately divert all emails (sent and received) involving the wire transfer to the VP’s archive folder, which the VP never checked. Despite a number of obvious red flags in the fake emails sent to both parties by the fraudster, the bank representative and the VP never called each other by phone to confirm the authenticity of the emails or wiring instructions. By the time the VP realized something was wrong days later, the bank had already wired the money to the fraudster’s account. The fraudster, along with the wired funds, was now gone. Neither the bank, the seller, nor law enforcement could recover the funds from the fraudster. The seller had no insurance coverage for a cyber loss or wire fraud scheme.
Who Bears the Loss in That Kind of Litigation?
Generally, courts say the party in the best position to discover the fraud should bear the loss. Courts that have grappled with the relevant legal scheme to determine liability amongst the parties when fraud has been committed by an unknown third party have concluded that the loss “should be borne by the party in the best position to prevent the fraud.” Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed. Appx. 348, 354 (6th Cir. 2018) (denying summary judgment to both parties where “Beau Townsend, pointing to the suspicious nature of the wire instructions, says Don Hinds could have prevented the loss[,]” and “Don Hinds, pointing to the fact that Beau Townsend’s email was hacked, says the same about Beau Townsend.”); see also Parmer v. United Bank, Inc., No. 20-0013, 2020 WL 7232025, at *6 (W. Va. Dec. 7, 2020) (adopting same rule for assigning loss); Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915, 920 (D. Nev. 2020) (same); J.F. Nut Co., S.A. de C.V. v. San Saba Pecan, LP, No. A-17-CV-00405-SS, 2018 WL 7286493, at *3 (W.D. Tex. July 23, 2018) (concluding that party in the best position to prevent the fraud should suffer the loss for a misdirected payment); Arrow Truck Sales, Inc. v. Top Quality Truck & Equipment, No. 8:14-cv-2052-T-30TGW, 2015 WL 4936272, at *4−6 (M.D. Fla. Aug. 18, 2015) (same); Meritdiam, Inc. v. Facets Fine Jewelry, LLC, No. CV1407041MWFCWX, 2015 WL 12660377, at *6 (C.D. Cal. Apr. 27, 2015) (“[T]he Court believes that liability will likely lie with the party the jury determines was most greatly at fault in causing the payment to be misdirected. Meritdiam either allowed unauthorized access to its email account or failed to prevent its system from being hacked[.] . . . JB Hudson did not pick-up on certain clues in the emails[.] These are issues for the jury.”).
How can employers and individuals prevent finding themselves in an EAC situation or suffering a loss due to wire fraud?
- Use multi-factor authentication and change passwords regularly.
- Do not use email for wire instructions, but if you must:
  - Use email encryption.
  - Call and confirm the wiring instructions are trustworthy by using a known and independently obtained phone number of the sender – do not use the contact information listed in the current instructions or in the email with the transfer request.
  - Be suspicious of any changes to the wiring instructions.
  - Carefully inspect the email address and contact information of the sender of the wire instructions – watch out for subtle changes in address (disguising a lowercase “i” with a lowercase “l” or transposing digits in phone numbers).
  - Watch for stilted or incorrect grammar, inappropriate capitalization, incorrect punctuation, and spelling errors in email communications – when in doubt, pick up the phone and call to confirm bank account and wire information.
- Consider having “Cyber” insurance coverage to cover losses from transfers made using fraudulent transfer instructions.
- Immediately contact the FBI’s Internet Crime Complaint Center (IC3) and the institution receiving the wired funds – if the fraud is detected quickly enough (within a few hours), the FBI or the bank may be able to recover the funds.
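The address inspection recommended in the list above can be partly automated. The following is an added example, not part of the original article, that flags a sender address nearly identical to a contact already verified out of band, such as an “l” swapped for an “i” or two transposed characters. The contact list, sample addresses, character map, and threshold are constructed assumptions.

```python
import unicodedata

# Assumed, non-exhaustive map of characters often swapped in look-alike addresses.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})
MAX_EDITS = 2  # assumed threshold for "almost identical"

# Constructed sample: addresses already verified out of band (e.g. by phone).
KNOWN_CONTACTS = ["william.hill@examplebank.example"]

def normalize(addr):
    return unicodedata.normalize("NFKC", addr).strip().casefold()

def skeleton(addr):
    """Collapse confusable characters so 'l'/'i'/'1' and 'rn'/'m' compare equal."""
    return normalize(addr).translate(CONFUSABLE).replace("rn", "m")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_sender(sender, known_contacts=KNOWN_CONTACTS):
    """Return ('known' | 'lookalike' | 'unknown', matched contact or None)."""
    raw = sender.strip().casefold()
    for contact in known_contacts:
        if raw == contact.casefold():
            return ("known", contact)
    for contact in known_contacts:
        if (skeleton(sender) == skeleton(contact)
                or edit_distance(normalize(sender), normalize(contact)) <= MAX_EDITS):
            return ("lookalike", contact)
    return ("unknown", None)

if __name__ == "__main__":
    for addr in ["William.Hill@ExampleBank.example",   # exact contact
                 "wiiliam.hill@examplebank.example",   # 'l' replaced by 'i'
                 "william.hill@exampelbank.example",   # transposed letters
                 "sales@othervendor.example"]:         # unrelated sender
        print(addr, "->", check_sender(addr))
```

A “known” verdict only means the address string matches; it says nothing about whether the account behind it has been compromised, so the phone confirmation in the list above still applies.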