A buyer enters into a big contract. The “seller” emails wire instructions to the buyer. The buyer wires funds to the “seller’s” account. The real seller never receives the funds. What happened? The parties fell victim to a hacker’s “spoofing” scheme—the hacker emailed the buyer pretending to be the seller and provided wire instructions directing payment to the hacker’s bank account. The sophistication of this scheme can vary, but in some cases the fraudulent email appears to have been sent from another person’s email account, displaying an identical email address and e-signature.
With the increased usage and sophistication of spoofing schemes, legal disputes are on the rise to determine who should suffer the loss when a hacker successfully carries out this scheme.
Limited Recourse Against Banks
Claims against the sending and receiving banks are typically a dead end because of the preemptive effect of Article 4A of the Uniform Commercial Code (UCC), which governs wire transfers between banks and commercial entities. Deliberately drafted to balance risks and obligations between the bank and its customer, the Article limits the claim avenues against a bank in this circumstance. Usually, a bank will not be liable so long as the party who made the transfer was authorized to do so. The spoofing scam is aimed at the person or entity instructing the bank and not the bank itself; therefore, the transfer is typically made by an authorized party, but sent to the wrong place.
No Presumption of Liability Against Either the Buyer or Seller
With banks generally out of the picture, parties have looked to one another to recover their losses. Courts have grappled with how to allocate fault in these circumstances and have increasingly used UCC § 3-404 as a guide. This section governs negotiable instruments, but specifically addresses the scenario where an imposter induces a payor to issue a check by impersonating a proper payee of the instrument. It states:
If a person paying the instrument or taking it for value . . . fails to exercise ordinary care . . . and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.
In other words, there is no presumption that either the buyer or seller is liable. Rather, the party that was in the best position to prevent the fraud, through the exercise of ordinary care, will suffer the loss of the fraudulent transaction. Courts have found this framework instructive for misdirected wire transfers.
Court Decisions Inform Best Practices to Avoid the Spoofing Scam
There is no set standard to determine who was in the best position to prevent a loss. However, a review of recent court decisions is instructive on best practices to avoid falling victim to a spoofing scam:
- Verify wire instructions by phone. In Jetcrete North America LP v. Austin Truck & Equipment, Ltd.,2 the court remarked that “[a] simple phone call to [Seller] would have revealed the fraud and avoided the loss,” and held the buyer liable.
- Verify the email address which sent the instructions. In Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc.,3 the hacker used a different email address that resembled but was not identical to the authentic email of the seller contact. The buyer did not notice because the name that showed up in Microsoft Outlook was the same. The Sixth Circuit reversed summary judgment in the buyer’s favor and remanded so a jury could determine liability. Spotting a non-identical email address will stop the scheme in its tracks, although additional steps are necessary in cases where the hacker is able to identically spoof an address.
- Look for differences between the “new” and “old” wire instructions. In Arrow Truck Sales, Inc. v. Top Quality Truck & Equipment, Inc.,4 the court found that the buyer had failed to prevent the loss in part by failing to take action even though the wire instructions from the hacker named a different bank, state, and beneficiary. Beau Townsend similarly involved new wire instructions with a different bank, state, and beneficiary.
- Be wary of “new” or “updated” wire instructions. This scam frequently involves the hacker advising the victim of “new” instructions based on some pretext. For example, in Jetcrete, the hacker claimed that the “new” instructions were for larger transactions. In Arrow, the new instructions were supposedly needed due to “unsettled tax issues.”
- Notify all parties to a transaction of potential fraud. In Bile v. RREMC, LLC,5 the court held that a plaintiff’s attorney was most responsible for preventing the loss when he failed to report to defense counsel that he had received a fraudulent email purporting to be from his client directing that funds be wired to an out-of-country bank account. The same hacker that emailed the plaintiff’s attorney later sent the same instructions to the defendants’ counsel, who then sent the settlement funds to the hacker’s account.
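The address and wire-instruction comparisons from the list above, written as a Python check (an added example, not part of the original article). The contact record, the wire fields, the 0.85 similarity threshold and all function names are assumptions, and the sample data is constructed.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: what the buyer already has on file for the seller.
KNOWN_CONTACT = {"name": "Pat Seller", "address": "pat@seller-motors.example"}
ON_FILE_WIRE = {"bank": "First Example Bank", "state": "OH",
                "beneficiary": "Seller Motors Inc."}

def check_sender(from_header, known=KNOWN_CONTACT):
    """Compare a From header with the known contact and return findings."""
    name, addr = parseaddr(from_header)
    addr, expected = addr.lower(), known["address"].lower()
    if addr == expected:
        # An identical address can itself be spoofed, so no finding here
        # is not proof of authenticity; phone verification still applies.
        return []
    findings = []
    if name.strip().lower() == known["name"].lower():
        # The mail client shows the familiar name over a different address.
        findings.append("display name matches known contact but address differs")
    similarity = SequenceMatcher(None, addr, expected).ratio()
    if similarity >= 0.85:  # assumed threshold for a lookalike address
        findings.append(f"address resembles known address ({similarity:.2f})")
    else:
        findings.append("address is not the known contact address")
    return findings

def changed_wire_fields(new, on_file=ON_FILE_WIRE):
    """List the wire-instruction fields that differ from those on file."""
    return sorted(k for k in on_file
                  if new.get(k, "").strip().lower() != on_file[k].strip().lower())

def review(from_header, new_wire):
    """Run both checks; any finding means hold payment and call the seller."""
    findings = check_sender(from_header)
    changed = changed_wire_fields(new_wire)
    if changed:
        findings.append("wire instructions changed: " + ", ".join(changed))
    return {"hold_for_phone_verification": bool(findings), "findings": findings}

if __name__ == "__main__":
    # Constructed message: same display name, lookalike domain ("rn" for "m").
    result = review("Pat Seller <pat@seller-rnotors.example>",
                    {"bank": "Other Example Bank", "state": "TX",
                     "beneficiary": "S. Motors Holdings"})
    for finding in result["findings"]:
        print(finding)
```

The phone number used for verification should come from existing records, not from the email that carried the instructions.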
Watch for Additional Red Flags
More generally, parties to wire transactions should watch for the same red flags that may be contained in other types of fraudulent emails. Typos, improper grammar, and strange and overly formal language can all be signs that the email attaching the wire instructions is not authentic, even if it appears to be from the individual who would be expected to send the instructions. As with most email schemes, a combination of diligence and common sense can go a long way to protect yourself against a hacker’s intrusions.