In today’s digital landscape, spoofed email fraud poses a significant threat to businesses. This occurs when cybercriminals hack into email accounts, intercept information about upcoming payments, and impersonate trusted contacts to manipulate companies into diverting the payments to fraudulent accounts.

As a business owner or professional, it’s crucial to understand the legal implications of such fraud and how to prevent it. Below are five essential steps to protect your business from spoofed email fraud.

Who Bears the Loss?

Recent court cases have grappled with the question of liability: Should the loss fall on the payee whose email account was compromised, the payor who unknowingly paid the cybercriminals, or be split based on each party’s fault? The answer often hinges on the “imposter rule,” which places the loss on the party best positioned to have prevented the fraud through reasonable care.

The three cases discussed below shed light on how courts resolve the question of liability.

Case Law

United States For the Use and Benefit of Jay Worch Electric LLC v. Atlantic Specialty Insurance Company

This case, in the U.S. District Court for the District of Maryland in May, arose out of a construction project at a naval air station.

Cybercriminals hacked into a subcontractor’s email account and learned of an impending payment from a prime contractor. The cybercriminals used a spoofed email address to fool the prime contractor and intercept the payment intended for the subcontractor.

The prime contractor did not notice subtle differences in the sender’s spoofed email address — an email address ending in “.net” rather than “.com.” The subcontractor was not aware that its email system had been hacked before the payment was diverted. The court decided that the prime contractor remained obligated to pay for the subcontractor’s work.

The key takeaway is that payors must exercise due diligence to verify changed payment instructions.

Bile v. RREMC LLC

This August 2016 case, in the U.S. District Court for the Eastern District of Virginia, arose out of a settlement. The payee — a plaintiff’s lawyer who just negotiated the settlement — became aware that his email account had been compromised, but he did not notify the defendant’s lawyer, who would be sending him the settlement payment, or the court of that fact.

The cybercriminals sent the defendant’s lawyer fraudulent payment instructions from what appeared to be the plaintiff’s lawyer’s email address. Since the plaintiff’s lawyer was in the best position to avoid the loss, the court decided that the defendant did not have to pay the settlement amount.

The key takeaway is that payees must promptly notify payors of email account security breaches.

Mile High LLC v. Flying M Aviation Inc.

This January case in the Alabama Court of Civil Appeals also arose out of a settlement. The email account of the payee, a plaintiff’s lawyer who just negotiated the settlement, had been hacked.

Cybercriminals sent the defendant’s lawyer fraudulent payment instructions from the same email address as the plaintiff’s lawyer. The court determined that the defendant’s lawyer was in the best position to avoid the loss because he “should have verified the wiring instructions before executing the wire transfer, which [he] easily could have done.”

The court also noted that the defendant failed to produce any evidence that the plaintiff’s lawyer knew that her email account had been compromised before the payment was made, and it would be improper for the court to infer as much.

The key takeaway is to always verify payment details, especially for large transactions.

Protecting Your Business

Here are five steps your business can take to best protect itself from spoofed email fraud.

1. Specify Payment Instructions
   • Include detailed payment instructions in your contracts that identify the payee’s bank by name, bank routing number, and account number. A payor who follows the documented payment instructions will be presumed to have acted reasonably, while deviations may result in the payor bearing the loss.
   • Have a clear, written policy for changing payment instructions that require notice to key personnel and prior written consent from both parties.
2. Implement Verification Protocols
   • Establish a secure channel of communication for payment-related matters that require multi-factor authentication.
   • Establish a standing policy that requires at least two people to review, verify, and approve any changes to the payee’s bank account information.
   • Contact the payee by videoconference, like Zoom or FaceTime, or call a trusted source at the payee’s place of business, like the chief financial officer, using a known, preexisting telephone number to verify the payee requested the change.
   • Limit the number of employees who can approve changes to how payments are made, and provide them training on the verification procedures to ensure compliance.
   • Avoid common pitfalls. Presume an email asking to change the payee’s bank account is fraudulent until proven otherwise. Do not rely on email replies or telephone calls to the numbers listed in the email for verification. We often hear that the victim of a spoofed email questioned whether the request was real, and replied to the cybercriminals or called them only to be told that the instructions were legitimate. Be especially cautious of urgent requests for changes and take the time needed to verify the change thoroughly.
3. Prioritize Prompt Notification
   • Create an incident response plan specifically for email compromise situations that include the contact information for key personnel at your bank to recall wire transfers and to report the fraud to the FBI’s Internet Crime Complaint Center.
   • Conduct regular security audits to ensure compliance with your procedures and to detect potential compromises early.
   • Immediately inform your business partners if you suspect email compromise to confirm that your wire payment instructions remain the same.
4. Document Shared Fault
   • Maintain detailed logs of all communications and actions related to payments. These may be useful to prove whether one party or both bear some responsibility for the diverted payment.
   • In cases where both parties bear some fault for the diverted payment, courts may exercise their equitable powers and allocate the loss based on each party’s proportionate failure to exercise ordinary care. Some courts have looked to Article 3 of the Uniform Commercial Code to assess the propriety of each party’s conduct. While Article 3 applies only to negotiable instruments and not contracts or wire transfers, courts still find the provisions useful in its assessment of fault.
   • Documenting shared fault is important because many of these disputes between payees and payors are resolved through negotiations, especially where the parties are interested in maintaining a continuing business relationship.
5. Obtain Cyber Insurance
   • Specifically, request coverage for spoofed email fraud in writing, and document your reliance on your insurance agent or insurer offering that coverage.
   • Invest in comprehensive cyber insurance that covers losses resulting from “funds transfer fraud” and “computer fraud.” The case law on cyber insurance claims is nuanced, and these coverage forms are the two that are most likely to provide coverage for spoofed email fraud.
   • Consult with a cyber insurance specialist to ensure you have the necessary coverage. While a policy may have a broad insurance agreement, it is important to review the definitions, limitations, and exclusions that can severely restrict the coverage.
   • Regularly review and update your cyber insurance policies to make sure your needs are covered as cybercriminals continue to implement new methods to steal funds.

Conclusion

Protecting your business from spoofed email fraud requires a multifaceted approach. By specifying clear payment instructions, implementing robust verification protocols, promptly notifying business partners of suspected compromises, documenting shared faults, and investing in comprehensive cyber insurance, you can significantly reduce the risk of falling victim to email fraud.

The key is to stay vigilant.

This article was published in Law360 on July 22, 2024.