Business email compromise (also called payment fraud, funds transfer fraud, social engineering fraud, and misdirected invoice fraud) is one of the most financially devastating cybersecurity incidents facing businesses today. At its core, it’s simple: a threat actor deceives someone (the “payor”) into sending money to the wrong bank account.
Imagine you are a business lawyer assisting your client in the sale of their business. During the closing process, you ask the purchaser’s counsel to send the purchase funds to be held in your trust account.
Further imagine the following:
- A threat actor has been inside your email for months.
- They have quietly created a rule in your mailbox system that replaces your trust account instructions with their own banking information.
- When the purchaser’s counsel requests your trust instructions, the email they receive contains the threat actor’s banking information.
- Lastly, the purchaser’s counsel wires the funds to the threat actor.
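One defensive check that follows from this scenario, added here as an example and not part of the original article: a script that reviews exported mailbox rules for the pattern described above (payment-related keywords, redirection to an outside address, hiding mail in a rarely viewed folder, a blank rule name). The field names are modelled on Exchange Online's Get-InboxRule output (an assumption); the rules, addresses and domains are constructed for illustration.

```python
"""Flag mailbox rules that match the redirect-and-hide pattern used in BEC.

Constructed sample data: field names follow Exchange Online's Get-InboxRule
output (assumption); the rules themselves are invented for illustration.
"""
import re

# Keywords a threat actor filters on to intercept payment traffic.
FINANCE_TERMS = re.compile(r"\b(wire|invoice|payment|bank|trust|remit|transfer|account)\b", re.I)
INTERNAL_DOMAIN = "examplelaw.test"  # placeholder for the firm's own mail domain
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email"}

SAMPLE_RULES = [  # constructed export of three inbox rules
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["digest"],
     "MoveToFolder": "Inbox\\Reading", "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["wire", "trust instructions"],
     "MoveToFolder": "RSS Subscriptions", "ForwardTo": [],
     "RedirectTo": ["closing@attacker.test"], "DeleteMessage": False, "MarkAsRead": True},
    {"Name": "Archive old", "Enabled": False, "SubjectContainsWords": [],
     "MoveToFolder": "Archive", "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False},
]


def rule_findings(rule):
    """Return the indicators a single rule shows (empty list if none)."""
    findings = []
    if not rule.get("Enabled", False):
        return findings  # a disabled rule does nothing; review it separately
    words = rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])
    if any(FINANCE_TERMS.search(w) for w in words):
        findings.append("filters on payment-related keywords")
    for addr in rule.get("ForwardTo", []) + rule.get("RedirectTo", []):
        if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(f"forwards/redirects to external address {addr}")
    if rule.get("DeleteMessage") or rule.get("MarkAsRead"):
        findings.append("hides messages (deletes or marks as read)")
    folder = rule.get("MoveToFolder") or ""
    if folder.split("\\")[-1] in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{folder}'")
    if not rule.get("Name", "").strip(" .,-_"):
        findings.append("non-descriptive rule name")
    return findings


def suspicious_rules(rules):
    """Map rule name -> findings for every rule showing at least two indicators."""
    flagged = {}
    for rule in rules:
        findings = rule_findings(rule)
        if len(findings) >= 2:
            flagged[rule["Name"]] = findings
    return flagged
```

Requiring two indicators keeps a single keyword filter or a single move-to-folder rule from generating noise, while the rule in the scenario above trips every check.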
Who Bears the Loss?
Let’s say neither you nor the purchaser’s counsel catches the fraud in time, and the money is gone. Who is responsible? Several actors may be implicated:
- Did the payor (the one sending payment) follow appropriate, commercially reasonable measures (e.g., call-back verification, dual approval workflows, segregation of duties) to ensure the bank account information was accurate?
- Was the payee (the one receiving payment) negligent in establishing and maintaining appropriate security controls?
- Was the bank that processed the payment negligent in vetting the transaction—or in verifying where the payment was being sent?
- What about the employees of the payor or the payee?
Depending on the jurisdiction and the specific facts, the payor is often responsible as a practical and/or legal matter for the misdirected funds.
If You’re the Payor: How Can You Protect Yourself?
It may feel unfair that the payor is generally responsible because, after all, it is often the payee’s email systems that were infiltrated. But rather than focus on fairness, let’s focus on what you can do to protect your business:
- Payment Verification Clauses: Include a clause in your contract stating that payment instructions may not be changed unless confirmed through a secure, multi-factor method. You could also require verbal confirmation using a pre-existing, independently verified phone number (and not a phone number included in the email request).
- Allocation of Liability for Email-Based Instructions: Include a clause that specifies who is liable for bank-change instructions that originate from a specified email account.
- Warranties Around Secure Communications: Require the other party to implement and maintain reasonable cybersecurity practices, and conduct appropriate cybersecurity due diligence.
- Insurance Obligations: Speak with your insurance broker about cyber insurance and misdirected funds coverage. If both parties are adequately insured, then the risk for litigation often decreases because the likelihood of one party ultimately being unpaid (or having to pay twice) is lower.
- Employee Training: Train employees who process bank account changes on appropriate verification measures and escalation procedures.
- Tabletop Exercises: Run quarterly or annual simulations involving fake payment requests or bank-account change requests to test how employees respond.
Defense in Depth—Beyond IT Controls
At the end of the day, as with any cybersecurity incident, defense in depth is key. Layering additional IT security controls is not enough. People need training, contracts need to be robust, insurance should be reviewed, and processes should be tested.
My question for you: When was the last time you reviewed your business’s policies and procedures as they relate to bank account change requests?
Davis, Burch & Abrams is a business law firm that helps companies develop practical, compliant AI, privacy, and cybersecurity programs tailored to evolving technology laws. If you have any questions about this article—or if your business needs guidance to stay current with AI, privacy, and cybersecurity laws in the United States or Canada—please reach out to the author, Savvas Daginis, at [email protected].
This article is for informational purposes only and should not be seen as legal advice. You should consult with a lawyer before you rely on this information.