Wire Fraud or “Business Email Compromise” – is the Bank liable?

Many businesses and individuals rely on wire transfers for various payments and transactions. A wire transfer is an electronic transfer of funds between parties or, more accurately, between the parties’ banks. These types of transfers are susceptible to wire fraud, which occurs when a hacker impersonates one of the parties and deceives the other party into sending a payment to the hacker’s account. Hackers accomplish this by tracking the parties’ communications before a final monetary transaction ever occurs and then inserting themselves into the communication, typically via email. Most people do not regard being defrauded in this way as a high concern, and that is precisely why businesses and individuals fall prey to wire fraud: hackers take advantage of this lack of caution by adopting the writing style and voice of the impersonated party and using an email address that is almost identical to that party’s address. The hackers will often change a single letter in an email address, or add a character to it, and hope the difference goes unnoticed. Too often, they succeed in their endeavor. Money is wired into the hacker’s account rather than into the account of the legitimate payee. The hacker’s receiving bank usually has no idea that the account is associated with criminal activity.

Many wire frauds originate in other countries, and tracking the hacker is nearly impossible. Once the wire is complete, the hacker disappears with the money while the payee and payor are left short-handed. The average amount stolen in a single transaction is $65,000.

In a wire fraud situation, no one—with the exception of the hacker—did anything wrong. The most that can be said about the parties to the transaction and the sending and receiving banks is that they acted negligently in failing to spot the fraudulent activity. However, banks are heavily protected under U.S. law, and the chances of recovering against them are extremely slim. In order to legally establish negligence, a person must show the existence and breach of a duty on the part of the allegedly negligent party. In the case of wire fraud, if a Bank does not owe a duty to the payee (or payor), then the Bank cannot be found negligent, and typically, the Bank only owes a duty to its customer—the hacker.

Otherwise, Section 4A of the Uniform Commercial Code (“UCC”) governs fund transfers and defines the rights, liabilities, and duties of the parties involved. The UCC protects Banks in various situations. For example, if wire transfer instructions identify a beneficiary by name and account number but the name and number identify different persons, a Bank will not be held liable for a fraudulent transfer if the Bank did not know the name and number refer to different persons or if the transfer was processed in a fully automated manner.

Let’s break this down in an example. Cheese Co. owes Good Goats Inc. $50,000 for fresh milk. Cheese Co. has been communicating with a Good Goats employee at his email address, john.christopoulos@goodgoatsinc.com. Cheese Co. then receives an email from john.christapoulos@goodgoatsinc.com directing payment to a Wells Fargo bank account. Cheese Co. sends the payment, but Good Goats never receives it. The transfer was intended for Good Goats, but the account actually belonged to Bad Hacker. Wells Fargo’s fully automated system conducted the transfer. In this situation, the UCC allows Wells Fargo to rely on the account number when processing the transfer, thereby protecting it against liability for the lost money.

Under the UCC, a Bank may be liable for failing to comply with the originator’s instructions for the wire transfer. However, in the case of wire fraud, the Bank does comply with the instructions—the originator simply had the wrong instructions.

Because Banks are well protected against liability for losses associated with wire fraud, it is incumbent upon businesses and individuals to remain watchful for hackers trying to pry their way into financial transactions. An email from a vendor claiming a new bank account should be a red flag. An easy way of preventing wire fraud is to pick up the phone and confirm the new account number with a trusted source or to check the email address for additional characters, missed letters, extra periods, or any other concerning nuances.
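
The address check described above can be automated before a payment request reaches a person. The following is an added example, not part of the original article: it compares a sender address against a list of known contacts and flags near matches such as the one in the Good Goats scenario. The function names, the second contact address and the two-edit threshold are assumptions made for illustration.

```python
# Added example: flag sender addresses that nearly match a known contact.
# KNOWN_CONTACTS and max_distance are assumptions, not values from the article.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # change a character
        prev = cur
    return prev[-1]


def normalize(address: str) -> str:
    # Email addresses are compared case-insensitively in practice.
    return address.strip().lower()


def classify_sender(sender, known_contacts, max_distance=2):
    """Return (verdict, contact): verdict is 'known', 'lookalike' or 'unknown'."""
    s = normalize(sender)
    contacts = [normalize(c) for c in known_contacts]
    if s in contacts:
        return ("known", s)
    # Closest known contact; a small non-zero distance means a changed
    # letter, an added character or an extra period.
    closest = min(contacts, key=lambda c: edit_distance(s, c), default=None)
    if closest is not None and edit_distance(s, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


# Constructed contact list: the first address is the one used in the article's
# example, the second is made up.
KNOWN_CONTACTS = [
    "john.christopoulos@goodgoatsinc.com",
    "accounts@goodgoatsinc.com",
]

if __name__ == "__main__":
    for addr in ("john.christopoulos@goodgoatsinc.com",
                 "john.christapoulos@goodgoatsinc.com",
                 "john.christopoulos@goodgoatsincs.com"):
        print(addr, "->", classify_sender(addr, KNOWN_CONTACTS))
```

A "lookalike" verdict on a message that changes bank details is the point at which to stop and confirm the account number by phone with a trusted source.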