Fraudulent wire transfer instructions sent – and acted upon – by email cost US companies billions of dollars a year. So-called “business email compromise” matters usually involve a hacker penetrating either a supplier or a customer email system and sending email to the customer that purports to be a change of payment wiring instructions from the supplier. Some hackers pretend to be a company executive directing an employee to wire money to a business partner. Many companies either do not verify the new instructions, or they attempt to confirm them via reply email (which only puts them in touch with the bad guys!). The defrauded recipient wires the money to the fraudulent account, the bad guys take it, and both companies lose the total amount of the payment. It’s a bad deal all around and, unless caught almost immediately after the transfer, nearly impossible to recoup. These are not confined to small transfers, either: payments in the high six or seven figures are regularly diverted by fraudsters.
The law in the US has not yet caught up with this extremely common occurrence. Courts may engage in a balancing of the facts to determine whether which party was in a better position to avoid the fraud. Or they may look at the contract language about how payment is triggered, or at the overall fairness of the matter. Of course, where an email purports to be purely internal there is no possibility working out the loss with the counter-party: the defrauded company has to absorb the loss unless it is insured.
However, insurance coverage is similarly fact-dependent, and may center on both the facts surrounding the transfer and the language of the policy. Just last month, the federal appeals court for the Ninth Circuit overturned a lower court ruling that would have denied coverage for a business email compromise claim, holding that the policy language could be read to include losses caused by a fraudulent email to an employee. At stake was a $200,000 loss caused when an employee sent payment to a fraudster.
Why It Matters
All companies that communicate about payments and wire transfers via email should institute and train employees on an internal policy that prohibits responding to payment instructions via email alone. If an employee received an executive request to send money or a “change of bank account” type email from a supplier, best practice dictates that the employee should verify the email via a non-email means: call a known number (not any contact numbers given in the email) or seek assistance from a supervisor. The potential for loss is too great otherwise, and there is no certainty of being made whole. Be sure to review your coverage annually to understand whether you are covered against business email compromise as well. And take the opportunity of renewal to talk with your insurer and your lawyer about the best practices for securing your network against a fraudulent penetration in the first case.