Most of the disputed claims we see at Blue Book Services involve allegations of warm temperatures, late delivery, deteriorating product, poor returns—things of this nature. But occasionally we see disputes that don’t involve temperature tapes, bills of lading, or inspection certificates.
Recently we received two claims in which a seller’s email system was compromised by a third party who, it appears, monitored the correspondence for a time and then sent a well-timed email with fraudulent wire transfer instructions to the seller’s customers.
Although the facts in each instance vary (and are subject to some dispute), in both cases a customer (the payor) wired money to a third-party account and was unable to reverse the payment.
Also, in both cases the payors have essentially said, “Too bad, but you got hacked and we aren’t in the business of paying bills twice.”
In this article we’ll discuss these scams, known as business email compromise (BEC) scams, and identify best practices to help you and your business partners avoid similar misadventures.
Don’t Blame the Bank
First, as a general matter, Michael Erdman of the Chicago-area law firm of Teeple, Leonard, and Erdman, explains, “If a bank had commercially reasonable security measures, followed them, and executed the wire in good faith, it is probably untouchable.”
What’s more, Erdman explains that the bad actor’s bank typically has no duty to the victims, even though in some instances the bank may be able to reverse the payment or help criminal justice authorities investigate.
In most cases, the hard reality is that buyers and sellers are left to remedy the situation between one another—testing the still developing law in this area, and perhaps testing the strength of the business relationship as well.
“Courts that have addressed the issue focus on which party was in the best position to have prevented the loss,” states Erdman.
“Questions would include whether the payor’s reliance on the compromised email was reasonable given the circumstances, and whether the intended payee took reasonable steps (e.g., utilized standard security measures) to avoid the compromised email in the first place,” he adds.
The first of the two BEC claims filed with Blue Book provides a good example of the claimant-payee (the intended payee) taking reasonable steps after discovering its email system had been compromised.
Once the problem was discovered, the claimant-payee immediately informed its customers of the problem and asked them to disregard emails from an email domain name that was deceptively similar to its own.
Unfortunately, despite this notice, the buyer sent payment to the fraudulent account which, to date, has not been recovered.
The second claim filed with Blue Book, however, would have been more difficult to prevent.
This claimant-payee was not aware of the compromise at the time, and the fraudulent wire instructions were sent from the claimant-payee’s proper email address.
The buyer in this case appears to have accepted the new wire transfer instructions without a second thought and sent payment to the hacker’s account, never to be seen again.
So, in these situations, which party was in the best position to have prevented the loss?
Although the details of every case must be considered separately, we think it’s safe to expect that a payor that wires money to a new or different account without confirming the validity of the new information will be accused of (1) being in the best position to prevent the loss, and (2) failing to take reasonable steps to prevent it.
Meanwhile, payees that fail to implement standard security procedures, or fail to notify business partners of a known security breach, can expect their claim to be challenged by the payor on this basis.
Best Practices
Erdman shares the following nonexclusive list of safeguards to be considered in consultation with your bank, network professionals, attorney, insurer, customers, and suppliers.
For payors
First, have a contact individual at your intended payee who you know to be “real” and authorized to provide payors with wire transfer instructions. Second, as a rule, only act on wire transfer instructions provided by this authorized individual.
Third, when receiving wire transfer instructions from the payee’s authorized individual by email for the first time, or when instructions received by email differ in any way from the authenticated wire instructions previously provided by the authorized individual, pick up the phone and call the authorized individual (via a known business phone number) before acting on the instructions.
Confirm you’re speaking with the authorized individual, and validate the authenticity and accuracy of the recently received wire transfer instructions.
Fourth, in situations where telephone confirmation is impossible or impractical, consider whether the wire must be sent immediately. A payor is assuming legal risk when sending a wire transfer without validating new or different instructions.
Fifth, if you opt to proceed without telephone confirmation, carefully examine emails that contain new or different wire instructions.
Specifically, scrutinize the “from” name and email address (not just the display name, but the underlying address, character by character, since a look-alike domain may differ from the real one by a single letter). Also examine the email body and sender’s email signature block for anything inaccurate or unusual (typos, awkward grammar, or unusual language). Compare the previously authenticated and “new” wire transfer instructions field by field. Bear in mind that none of these checks would have caught the second claim above, where the fraudulent instructions came from the payee’s genuine address; only the phone call would have. If in any doubt, do not send the wire!
Sixth, educate employees regarding appropriate security measures and the importance of adhering to them at all times.
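The following is an added example, not tooling from Blue Book Services or from Erdman’s firm, of how a payor’s accounts-payable desk could apply the third and fifth safeguards above as a gate before any wire goes out on emailed instructions. It scrutinizes the “from” address character by character (look-alike domains, a familiar display name over an unfamiliar address) and diffs the emailed instructions against the record previously authenticated by phone. Every vendor name, domain, contact, and bank detail in it is constructed for illustration; the rule that any finding means “hold and call the known number” is the article’s, the code is not.

```python
"""
Pre-wire checks for a payor (added example; constructed data throughout).
Any finding means: hold the wire and call the authorized individual on the
known business number before acting.
"""
from __future__ import annotations

import email.utils
import unicodedata
from dataclasses import dataclass, fields
from typing import Optional

# Character substitutions that pass a quick read of the From: line.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


@dataclass(frozen=True)
class WireInstructions:
    payee_name: str
    bank_name: str
    routing_number: str
    account_number: str


@dataclass(frozen=True)
class TrustedPayee:
    """What the payor should already hold for a vendor before wiring anything."""
    name: str
    domain: str                               # the vendor's real email domain
    contact_name: str                         # the authorized individual (assumed field)
    contact_address: str                      # that person's known address
    instructions: Optional[WireInstructions]  # authenticated by phone earlier, or None


def normalize_domain(domain: str) -> str:
    """Lower-case, Unicode-normalize, and undo common homoglyph swaps."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a domain one or two edits from the real one is suspect."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted: TrustedPayee) -> list[str]:
    """Scrutinize the From: address itself, not just the display name."""
    display_name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    if addr == trusted.contact_address.lower():
        # Exact match. A compromised genuine mailbox passes this check,
        # which is why check_instructions() always runs as well.
        return []
    findings = [f"sender {addr} is not the authorized contact {trusted.contact_address}"]
    domain = addr.rsplit("@", 1)[-1]
    real = trusted.domain.lower()
    if domain != real and (
        normalize_domain(domain) == normalize_domain(real) or levenshtein(domain, real) <= 2
    ):
        findings.append(f"domain {domain} is a look-alike of {real}")
    if display_name.strip().lower() == trusted.contact_name.lower():
        findings.append(f"display name '{display_name}' matches the authorized contact but the address does not")
    return findings


def check_instructions(new: WireInstructions, trusted: TrustedPayee) -> list[str]:
    """Diff the emailed instructions against the authenticated record, field by field."""
    if trusted.instructions is None:
        return ["no authenticated instructions on file: first-time instructions received by email"]
    findings = []
    for f in fields(WireInstructions):
        old, cur = getattr(trusted.instructions, f.name), getattr(new, f.name)
        if old.strip().lower() != cur.strip().lower():
            findings.append(f"{f.name} changed: {old} -> {cur}")
    return findings


def decide(from_header: str, new: WireInstructions, trusted: TrustedPayee) -> tuple[str, list[str]]:
    """Return ("WIRE", []) or ("HOLD", findings)."""
    findings = check_sender(from_header, trusted) + check_instructions(new, trusted)
    return ("HOLD", findings) if findings else ("WIRE", [])


# Constructed vendor record; no real company, domain, person, or account.
TRUSTED = TrustedPayee(
    name="Acme Produce Co.",
    domain="acmeproduce.example",
    contact_name="Jane Doe",
    contact_address="jane.doe@acmeproduce.example",
    instructions=WireInstructions("Acme Produce Co.", "First Example Bank", "011000015", "123456789"),
)

if __name__ == "__main__":
    # First-claim pattern: look-alike domain ("rn" for "m") under the familiar name.
    print(decide("Jane Doe <jane.doe@acrneproduce.example>", TRUSTED.instructions, TRUSTED))
    # Second-claim pattern: the genuine address, but new bank details.
    changed = WireInstructions("Acme Produce Co.", "Second Example Bank", "021000021", "987654321")
    print(decide("Jane Doe <jane.doe@acmeproduce.example>", changed, TRUSTED))
```

Note the division of labour: the sender checks catch the first claim’s look-alike domain, but the second claim, sent from the payee’s real address, is caught only because the bank details differ from the record on file. Neither check replaces the phone call; they decide when the call is mandatory.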
For payees
First, have a contact individual at the payor who is authorized to receive and process wire transfer instructions.
Second, only send wire transfer instructions to this authorized individual. Consider making a contemporaneous phone call to the individual to confirm receipt of the instructions, and to authenticate them.
Let the authorized individual/payor know this will be your practice when sending new instructions (email accompanied by phone call) and be sure to always adhere to the practice.
Third, more generally, but just as important, ensure that your business security measures, both online and offline, are appropriate.
How difficult would it be for a third party to log in to your network and gain access to an existing email account? Create a new email account using the company’s domain? Identify employees responsible for receivables? Obtain “useful” information from your trash or discarded devices?
Fourth, avoid the use of free consumer email domains (@gmail.com, @yahoo.com, @outlook.com) for business purposes, since anyone can register a similar-looking address there. Consider not publishing the names of employees responsible for receivables on a public-facing website.
Fifth, consider encrypting wire transfer instructions and/or sharing them using a communications medium more secure than email.
And to think you just wanted to sell produce! Unfortunately, these threats are real and have been increasing in recent years.
Concluding Thoughts
The bad guys are going to win sometimes. Victims include high-profile New York City law firms, a Premier League soccer club, and even banks to the tune of millions of dollars.
But with thoughtful preparation and the discipline to follow procedures, the good guys can put the odds in their favor.
For a revealing look into the life of one of the most successful BEC scammers, go here.