A new and growing risk for businesspeople is a phenomenon called “BEC” – business email compromise. Here is how it works.
A bad actor, usually overseas, hacks into the email account for Ashley at AAA Accounting. The hacker sits quietly, watching and waiting as Ashley exchanges emails with Brendan at B&B Bricklayers. From the email traffic, he learns that Ashley and Brendan are arranging for AAA to provide accounting services to B&B. This means that B&B will soon owe AAA some money.
Just as B&B is about to send a check or wire transfer to AAA, the hacker pounces. In a spoofed email to Brendan, which looks like it’s coming from Ashley, Brendan is provided “new” wire instructions. But of course, the bank account identified in those instructions isn’t owned by AAA. It is a financial conduit to the bad actor and his associates – most likely, far beyond the jurisdiction of the United States.
So now, AAA has suffered a loss because it never got paid for its work, and B&B has suffered a loss because its money is gone. Whichever way that loss ultimately gets divided up, one or both parties are in for a lot of pain.
The courts are still wrestling with how to approach this new kind of case. Most of them analogize these cases to forged-check cases under Article 3 of the Uniform Commercial Code. Under section 3-404 of the UCC, the burden of the loss is placed on “the person who failed to exercise ordinary care [which] contributed to the loss.” But in many of these situations, there is at least arguably some lack of care on both sides, and it is hard to predict how a court would ultimately rule.
As usual, an ounce of prevention is worth a pound of cure. Businesses need to alert their people to scams of this type. Employees should be trained to require multi-factor authentication whenever they receive payment instructions by email. Most commonly, a simple phone call to a familiar voice will do.