Scammers’ Delight

Attacks on companies’ email systems are common, and losses are staggering. How can a business fight back against third-party fraud—and what are the risks of choosing to go to battle?

Santosh Aravind

October 5, 2020 08:00 AM

Cybercriminals seldom rest, always looking for vulnerabilities to exploit, and they are increasingly targeting private commercial transactions in what is known as a business email compromise (BEC) attack. In such a breach, a cybercriminal gains access to a company's email system and poses as the owner of an important account, typically a specific executive. The thief then emails another business with which the first has an ongoing relationship, directing that money legitimately owed be wired to a bank account set up and controlled by the perpetrators of the scheme.

The email recipient, believing the message to be authentic, wires payment to the criminal's account. By the time the two businesses figure out they have been had, it is too late: the money the second one sent is long gone.

What happens in the wake of something like this? Can a victimized company recover the stolen funds? Can it possibly hope to recover from the criminal himself? If the perpetrator can’t be found, can the defrauded company recover the money from the one whose systems were hacked?

Hacking Businesses Is Good Business

According to the FBI’s Internet Crime Complaint Center (known as “IC3”), BEC cyberattacks on American companies have caused more than $8.2 billion in losses since 2013, with an additional $1.7 billion in adjusted losses in 2019 alone—the highest estimated out-of-pocket losses from any class of cybercrime over that period. IC3 also estimates global losses have exceeded $26 billion over the past three years. Given that many such crimes go unreported, the true figure is likely much higher.

BEC attacks increasingly occur on private business transactions because criminals, quite simply, see vulnerability. Companies engage in regular exchanges in which the buyer purchases a set amount of goods from a seller, and over time executives establish relationships with their counterparts. The nature of this friendly back-and-forth generally builds a degree of trust, which cybercriminals eagerly prey on.

In a typical scenario, a BEC attack originates with the criminal targeting an executive at a given company. Let's say Company A supplies auto parts to Company B on a set schedule, for which the latter wires payment. Knowing this, the criminal will infiltrate Company A's email system, often through a "phishing" scheme: a phony email or web link that tricks the executive into entering login credentials on a page the criminal controls. With those credentials, the account is compromised. The criminal can then monitor the account's messages and activity, becoming familiar with how the executive at Company A uses email and how exactly the transactions with Company B occur. Upon spotting a good opportunity, the criminal sends a message requesting the wire transfer, either from the compromised account itself or from a lookalike address spoofing it. Because the request arrives from the expected address, inside an existing thread, the message itself often looks entirely normal; what has changed is the bank details.
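As an added illustration (example code written for this edit, not the article's or the author's), here is a Python check of the kind an accounts-payable process could run on an incoming payment-instruction message before releasing a wire. It assumes a hypothetical vendor record (routing and account numbers, plus a callback phone number taken from the contract on file) and uses constructed sample messages with .example domains. It flags a lookalike sender domain, a Reply-To that points somewhere else, and, most importantly, bank details that differ from the record on file, which is the only signal left when the request comes from the vendor's genuine but compromised mailbox.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed vendor master record (hypothetical names and numbers), as a payer's
# accounting system might hold it. The callback number comes from the contract on
# file, never from the email that carries the payment request.
VENDOR_MASTER = {
    "company-a.example": {
        "routing": "021000021",
        "account": "123456789",
        "callback_phone": "+1-555-0100",
    },
}

ROUTING_RE = re.compile(r"routing(?:\s+number)?\s*[:#]?\s*(\d{9})", re.I)
ACCOUNT_RE = re.compile(r"account(?:\s+number)?\s*[:#]?\s*(\d{6,17})", re.I)

def extract_instructions(body):
    """Pull the first routing and account numbers out of a plain-text body."""
    routing = ROUTING_RE.search(body)
    account = ACCOUNT_RE.search(body)
    return (routing.group(1) if routing else None,
            account.group(1) if account else None)

def closest_known_domain(domain, known_domains):
    """Return (vendor_domain, similarity) for the most similar known domain."""
    best, score = None, 0.0
    for known in known_domains:
        ratio = SequenceMatcher(None, domain, known).ratio()
        if ratio > score:
            best, score = known, ratio
    return best, score

def assess_wire_request(raw_message, vendor_master=VENDOR_MASTER):
    """Return {"status": "OK"|"HOLD", "findings": [...], "callback": phone}.
    HOLD means: pay nothing until the details are confirmed by calling the
    vendor at the number already on file (not a number taken from the email)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    findings = []

    # 1. Is the sender a known vendor, or a lookalike of one?
    vendor = vendor_master.get(from_domain)
    if vendor is None:
        known, score = closest_known_domain(from_domain, vendor_master)
        if known and score >= 0.8:
            findings.append(f"sender domain {from_domain} resembles vendor domain {known}")
            vendor = vendor_master[known]
        else:
            findings.append(f"sender domain {from_domain} is not a known vendor")

    # 2. Replies quietly redirected to a mailbox the criminal controls.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The check that still works when the vendor's real mailbox is compromised
    #    and every header looks normal: compare the details with the record on file.
    routing, account = extract_instructions(msg.get_content())
    if vendor is not None and (routing, account) != (vendor["routing"], vendor["account"]):
        findings.append("wire instructions differ from the vendor record on file")

    if findings:
        return {"status": "HOLD", "findings": findings,
                "callback": vendor["callback_phone"] if vendor else None}
    return {"status": "OK", "findings": [], "callback": None}

# Constructed sample messages (not real correspondence).
LEGIT = """\
From: Dana Lee <dana.lee@company-a.example>
Subject: Invoice 4471 wire details

Please remit to routing number 021000021, account number 123456789.
"""

# Sent from the real, compromised mailbox: only the bank details have changed.
COMPROMISED = """\
From: Dana Lee <dana.lee@company-a.example>
Subject: RE: Invoice 4471 - updated wire details

We changed banks this quarter. Please use routing number 091000019,
account number 998877665 for this and all future payments.
"""

# Lookalike domain ("rn" in place of "m") with replies redirected elsewhere.
LOOKALIKE = """\
From: Dana Lee <dana.lee@cornpany-a.example>
Reply-To: dana.lee@cornpany-a-mail.example
Subject: RE: Invoice 4471 - updated wire details

New remittance details: routing number 091000019, account number 55443322.
"""

if __name__ == "__main__":
    for label, raw in [("legitimate", LEGIT), ("compromised account", COMPROMISED),
                       ("lookalike domain", LOOKALIKE)]:
        print(label, assess_wire_request(raw))
```

The result is a hold, not an automatic rejection: the money moves only after someone calls the vendor at the number already on file and confirms the new details, which is exactly the step the Arrow Truck court faulted the buyer for skipping.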

In this scenario, Company A is harmed because it has made the usual delivery to Company B but hasn’t been paid. Company B is harmed, too, though, because it has issued payment intended for Company A but now in the criminal’s coffers. Usually, Company A will demand legitimate payment from Company B, or demand that it send the merchandise back. Where to go from here?

Recovering Cyberattack Assets From the Criminal

In the aftermath of a BEC attack, it is possible for victimized companies to recover lost assets. The FBI's IC3 reported that in 2019 its Recovery Asset Team clawed back roughly 79 percent of the potential losses in the claims referred to it, totaling $304.9 million. To have any hope of recovering from the criminal, though, a victimized company must report the fraud to the FBI or other law enforcement, and there are a number of reasons a business might be reluctant to do so. According to the Department of Justice, as of 2016 just 15 percent of corporate fraud victims nationwide report the crime.

Why are companies so wary? First, a business might view the pursuit of a cybercriminal as a waste of time and resources, especially when the hacker is determined to be operating overseas. Indeed, because so many cybercriminals ply their trade outside the United States, it’s often extremely difficult to hold them to account.

Second, apprehending the perpetrator might not be the company’s highest priority. It will focus instead on shoring up internal controls to ensure that it doesn’t fall victim again, as well as on fulfilling its legal obligations to notify regulators and the affected parties. It might be concerned about negative publicity or harm to its reputation. These worries are probably overblown, but they might lead a business to try to resolve related disputes with its partners informally or in the civil courts.

Recovering Assets from the Business Partner

When a company can't recover money stolen by a cybercriminal, it might decide to seek recovery from the business partner. When such disputes can't be resolved informally, they lead to litigation focusing on which party was more negligent in enabling the scheme: Was it Company A, whose email system was initially hacked, or Company B, which sent the payment to a fraudulent account?

Recent years have seen a handful of court decisions involving BEC-scheme victims who have sued each other. Which company should bear the risk of loss? Courts so far have taken a similar approach to these cases.

The first relevant case was a 2015 dispute, Arrow Truck Sales v. Top Quality Truck & Equipment, Inc., in which one company, Top Quality, negotiated to sell a group of trucks to the other for $570,000. Both the seller's and the purchaser's email systems were hacked by third-party fraudsters, who sent "updated" wiring instructions to the buyer, Arrow Truck, which believed them to be real; the criminals got away with the full $570,000 purchase price.

The district court noted that there was no applicable case law on the issue of which party bore the loss stemming from third-party fraud that resulted in nonperformance of the contract. It took guidance instead from the Uniform Commercial Code, which provides—under the “imposter rule”—that the party that suffers the loss is the one in the best position to prevent a forgery by exercising reasonable care. After a bench trial, the court determined on those grounds that the purchaser of the trucks should bear the loss. “The [wire] instructions involved completely different information from all of the previous instructions,” the court observed. “Simply put, [Arrow Truck] should have exercised reasonable care after receiving conflicting emails containing conflicting wire instructions by calling [Top Quality] to confirm or verify the correct wire instructions prior to sending the $570,000. As such, Arrow should suffer the loss associated with the fraud.”

In a 2016 case, Bile v. RREMC, a lawyer named Uduak Ubom had his email hacked. Ubom represented Amangoua Bile, a client who had just reached a $63,000 settlement with his former employer on an employment discrimination claim. The third-party fraudster used Ubom’s email to send updated wiring instructions to the law firm representing the employer. When the firm followed those directions, the criminal stole the money. Bile and his former employer, RREMC, then brought competing motions to enforce the settlement agreement. The court held an evidentiary hearing and determined that Ubom had failed to observe ordinary care, which contributed to the theft—and consequently Bile bore the loss. Notably, the court found that Ubom had knowledge of an attempted fraud days before the transfer took place but did not notify opposing counsel. The court thus adopted a rule that “where an attorney has actual knowledge that a malicious third party is targeting one of these cases with fraudulent intent, the attorney must either alert opposing counsel or must bear the losses to which his failure substantially contributed.”

Two years later, in Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., the latter car dealership agreed to purchase 20 SUVs from the former. As the deal came to a close, a criminal infiltrated Townsend’s email account and sent a message requesting that Hinds pay for the vehicles via wire transfer to an out-of-state bank. Hinds, believing the note was authentic, inadvertently wired the money to the criminal and picked up the SUVs. When Townsend later asked Hinds to return them, Hinds refused, and Townsend sued for breach of contract, among other causes of action.

The district court granted summary judgment for Townsend. Both parties were negligent: Townsend “should have maintained a more secure email system and taken quicker action upon learning that it might have been compromised,” it observed, whereas Hinds “should have ascertained that an actual agent of Beau Townsend was requesting that it send money by wire transfer.” Nonetheless, the court held that Hinds breached the agreement because Townsend had “not received any funds from Don Hinds[.]”

The Sixth Circuit, on appeal, reversed, finding the district court’s approach too simplistic. The Sixth Circuit reasoned that the case should be evaluated in two ways: under both contract law and agency law. Under contract law, the circuit court found that the case turned on the principle of mutual error: “[B]oth parties held the mistaken belief that they had agreed on a method of payment.” Because rescission of the contract—a common remedy for a mutual mistake—was not an option (Hinds couldn’t return the SUVs without being out the $730,000 purchase price), the Sixth Circuit turned to another provision of the Restatement (Second) of Contracts, which provides that the court may allocate the risk of loss to a party when “it is reasonable in the circumstances to do so.” The court then discussed both Arrow Truck and Bile, concluding that the district court, on remand, should determine “whether either Beau Townsend’s or Don Hinds’ failure to exercise ordinary care contributed to the hacker’s success, and would then have to apportion the loss according to their comparative fault.”

The Sixth Circuit also applied agency principles to support its view that the risk of loss could be apportioned between the two parties. Applying the Restatement and Ohio law, the court found that if “Beau Townsend had failed to exercise ordinary care in maintaining its email server, thus allowing the hacker to pose as [an employee], then Beau Townsend could be liable for Don Hinds’ reasonable reliance on the hacker’s emails. In addition, any potential liability would be reduced if Don Hinds also failed to exercise reasonable care.” Finally, the circuit court directed the trial court to “hold a trial to decide whether and to what degree each party is responsible for the $730,000 loss in this case.” To do so, the trial court must decide which party “was in the best position to prevent the fraud.”

In essence, Beau Townsend stands for the proposition that when a third-party criminal steals money from a contractual transaction between two others, a district court must conduct a factual inquiry to determine which party should bear the loss: whichever was more negligent because it was in the best position to prevent the fraud. If both parties are negligent, the loss may be apportioned between them.

Caution: Hazards Ahead

Recovering money from a business email compromise attack is difficult. The only way to recover from the criminal who launched the attack is to get law enforcement involved. A company might be reluctant to do that to begin with, and if the criminal is operating out of the country, recovery is likely impossible.

A business that has been victimized by a BEC attack might decide to proceed against a business partner, claiming it was that party’s negligence that enabled the attack to succeed. Filing such a suit, of course, can come at some cost: The litigation will end up assessing which company could best have prevented the scheme, and whose internal-security practices are better. Companies should proceed cautiously when filing suit unless they’re confident that their security protocols will withstand scrutiny. Otherwise, they might find themselves victimized a second time.

Santosh Aravind, partner at Scott, Douglass & McConnico, is an experienced trial lawyer representing individuals and companies in white-collar criminal investigations, regulatory enforcement proceedings, cyber-security matters, and complex commercial litigation. Santosh has represented clients in proceedings brought by the Securities and Exchange Commission, the United States Department of Justice, the Office of Attorney General in Texas, the Massachusetts Attorney General's Office, and various state agencies in Texas.

Headline Image: ISTOCK / DEPO881, MILAN_JOVIC
