The prevalence of COVID-19 is causing more businesses and employees to choose to work from home more often, which effectively decreases their exposure to the virus but increases their exposure to "BEC" threats.
Business Email Compromise (BEC) is a sophisticated type of cybercrime where attackers impersonate a trusted entity, such as a company's executive or business partner, to trick individuals into transferring money or sensitive information. BEC typically involves social engineering tactics to deceive targets and exploit vulnerabilities in email systems.
When remote working becomes a new trend, and people have fewer chances to meet in person and check the authenticity of information sent by email, BEC is more likely to succeed than not.
Typical Forms of BEC
- The scammer might send an email from a disguised address like the address of a vendor's contact person and ask the recipient to pay to the spoofer's designated bank account.
- The scammer might send an email from a disguised address like the recipient's supervisor and ask for confidential and sensitive information from them for further scamming conduct.
How to Protect Yourself from BEC Spoofing
It is wise for companies to make efforts to train employees, adopt cyber securities measures, implement financial controls, and establish report-audit compliance mechanisms to protect them from BEC.
If you fall victim to BEC spoofing, be sure to first collect all relevant communications, financial records, and other evidence showing the spoofing attack and resulting damages. Then, you should report the incident to law enforcement and regulatory bodies, such as the FBI's Internet Crime Complaint Center (IC3).
- Hover your mouse pointer over url and sender name to see if the name of the receiving company matches exactly.
- Whenever feasible and especially when something feels unusual, request phone verification or even video call verification prior to wiring money.
- Be suspicious of a feeling of urgency while sending wires, take extra time and slow down wiring transactions – the scams depend on haste to work
Legal Protections for BEC Victims
A BEC victim can raise several legal claims against the individual or group responsible for the spoofing attack, including wire fraud, identity theft, conversion, Computer Fraud and Abuse Act (CFAA) claims, and state-specific cybercrime laws claims.
By pursuing these claims, BEC victims can seek to hold spoofers accountable for their actions and potentially recover lost funds or receive compensation for damages suffered. It is important to seek advice from an attorney specializing in cybersecurity and fraud to understand the best legal strategy.
Avoid Legal Responsibilities of Leaking Information to the BEC Spoofers
New York State Information Security Breach and Notification Act requires businesses and other entities to notify consumers in the event of a data security breach so that affected consumers can take appropriate action to protect themselves against the threat of identity theft.
Other jurisdictions have begun looking at Article 3 of the UCC (governing negotiable instruments). Known as the "Imposter Rule" embodied in UCC 3-404, it applies by its terms only to negotiable instruments, not wire payments. However, it is increasingly being applied to wrongfully sent wire transfers from fraudulent emails.
BEC Victims' Potential Legal Liabilities of Negligence
It should be noted that in transactions where a BEC victim acted as an agent of his employer, client, etc., he or she could be liable for negligently transferring money to the wrong bank account under the BEC spoofing.
In USCHAG Corp. v. Flagstar Bank, FSB, 220 A.D.3d 823 (2nd Dept. 2023), the client sued its insurance broker for negligently transferring money to the bank account provided by the BEC spoofer. Defendant moved to dismiss the complaint, claiming that plaintiff failed to state a negligence claim. However, both the trial court and the appellate court held that the complaint survived the defendant's motion to dismiss and stated a cause of action for negligence and gross negligence.
In Tillage Commodities Fund, L.P. v. SS&C Techs., Inc., 151 A.D.3d 607, 58 N.Y.S.3d 28 (2017), the client sued its service provider for sending millions out of the client's accounts based on fraudulent BEC instructions. The client brought a breach of contract claim based on a gross negligence standard and claims that defendant breached the implied covenant of good faith and fair dealing by failing to take reasonable precautions to prevent the fraud and by frustrating plaintiff's recovery efforts. The Court held that "plaintiff has sufficiently alleged that defendant...failed to comply with basic cybersecurity precautions and actively disregarded its own policies as well as obvious red flags. This is especially true in light of defendant's awareness that the transfers...would result in near depletion of plaintiff's account."
Conclusion
If you believe you have been injured by BEC spoofing or need to establish a legal mechanism against prospective BEC frauds, it is important to act quickly to protect your rights. Contact a member of our team to learn more about your options and whether filing a lawsuit makes sense under your specific circumstances.
Contributions to this blog by Yiran Wang and Lily Harrison.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.