Business Email Compromise Fraud: Should the Party Best Positioned to Avoid the Fraud Bear the Loss?

Footnotes for this article are available at the end of this page.

Business email compromise (“BEC”) occurs when a payee’s business email account is compromised or impersonated. The threat actor, posing as the payee or its representative (e.g., the head of the accounting department), sends alternate wire or ACH instructions, causing the payor to direct an otherwise planned payment to an account unassociated with the intended payee. By the time the intended payee inquires about its nonreceipt of funds, the threat actor has already redirected funds from the recipient account, leaving the payor “out” the payment but the intended payee without compensation.

Although there is a relative dearth of case law addressing which party should bear the loss under this fact pattern, two divergent approaches have emerged.

The Imposter Rule

The first approach, adopted by most of the courts that have examined this issue, is to apply the “Imposter Rule” from Article 3 of the Uniform Commercial Code (“UCC”).[1] Although Article 3 addresses third-party fraud in negotiable instruments, courts have increasingly used the Imposter Rule in the BEC context by analogy. Under the Imposter Rule, the party who was in the best position to prevent the fraud by exercising reasonable care bears the fault for the resulting loss.[2]

Courts have reached different conclusions about whether the payor or the payee was in the best position to prevent the fraud in BEC cases, even on similar fact patterns. Some courts have held that a party who negligently secured its email systems, allowing threat actors to gain access, is ultimately responsible for the fraud. In Bile v. RREMC, LLC, No. 3:15-CV-051, 2016 WL 4487864, at *11 (E.D. Va. Aug. 24, 2016), for example, the court held that the defendant payor “substantially performed” its obligations under a settlement agreement to transmit settlement funds to the payee, finding that the payee’s attorney failed to exercise reasonable care when his email was compromised and the hacker sent fraudulent payment instructions to the payor.

In other instances, courts have imposed liability where a party should have been put on notice of potentially fraudulent activity based on the surrounding circumstances. For instance, in Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., No. 8:14-CV-2052-T-30TGW, 2015 WL 4936272 (M.D. Fla. Aug. 18, 2015), the court found that the payor received wiring instructions with numerous red flags, including a beneficiary that was not the payee. Accordingly, it held that the payor was ultimately responsible for the loss because it was in the best position to recognize the fraud and resolve the conflicting instructions.[3]

At least one federal appellate court has endorsed using the Imposter Rule to resolve BEC cases. In Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed. Appx. 348 (6th Cir. 2018), the plaintiff car dealer sold and delivered a fleet of vehicles to the defendant purchasing dealer. A hacker infiltrated the plaintiff’s email server and sent fraudulent wiring instructions to the defendant. Both parties claimed that the other was in the best position to avoid the fraud, but after determining that the Imposter Rule should apply to resolve the dispute, the United States Court of Appeals for the Sixth Circuit ruled that each could support their respective arguments with record evidence that the other was at fault. Accordingly, it reversed the trial court’s grant of summary judgment to the plaintiff, holding that the question of which party was in the best position to prevent the fraud was for the factfinder to decide.

Alternatives to the Imposter Rule

At least one court has expressly considered and rejected the Imposter Rule in the BEC context.

In Peeples v. Carolina Container, LLC, No. 4:19-CV-21-MLB, 2021 WL 4224009, at *4 (N.D. Ga. Sept. 16, 2021), the plaintiff sued for money owed under an asset purchase agreement after the defendant inadvertently sent the funds to a hacker pursuant to fraudulent wiring instructions. The court determined that the outcome was “relatively straightforward” based on the express terms of the agreement, which required the defendant to indemnify the plaintiff for any losses arising out of any breach or non-fulfillment of the agreement. Pointing out that “[c]ontract liability is strict liability,” the court held that the defendant was liable to the plaintiff for the loss he sustained when the plaintiff did not receive the payment owed to him under the asset purchase agreement.

Although the parties did not ask the court in Peeples to apply the Imposter Rule, it nevertheless indicated a disinclination to follow the rule because a “hacked email transmitting a fraudulent [payment instruction] is not a negotiable instrument.” Accordingly, the court opined that applying Article 3 of the UCC in this context would arguably “[stray] into the realm of judicial law-making.”[4] While this arguably constitutes nonbinding dicta, it could prove instructive for other courts that are considering whether to adopt the Imposter Rule for BEC disputes in their jurisdiction.

In any event, the court’s ultimate ruling provides an alternative framework for resolving BEC disputes where the parties’ contract contains language, such as an indemnification provision, allocating loss without regard to which party was in the best position to prevent the fraud.

Conclusion

As the Peeples court acknowledged, the lack of directly applicable authority on which party bears the loss when funds have been fraudulently diverted leaves space for “creative lawyering” and a host of potential conceptual frameworks for resolving such disputes.[5] At present, though, using the Imposter Rule appears to be the preferred approach by courts that have had the unenviable task of allocating the loss among parties wronged by a third-party criminal actor in a BEC scheme.

 

[1] E.g., Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., No. 8:14-CV-2052-T-30TGW, 2015 WL 4936272, at *5 (M.D. Fla. Aug. 18, 2015).

[2] “[I]f a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.” U.C.C. § 3–404(d), codified in Georgia at O.C.G.A. § 11-3-404.

[3] Arrow, 2015 WL 4936272 at *6.

[4] Peeples, 2021 WL 4224009 at *7.

[5] Id. at *6.
