In an era where digital transactions are the norm, businesses and organizations have become increasingly vulnerable to cybercrime. A growing concern in this realm involves the fraudulent misdirection of payment. In one example, a third-party bad actor begins by targeting an individual within an organization who is responsible for payment transactions. The third-party bad actor then uses various wrongful methods to gain control of the individual’s email account, such as phishing scams to obtain authentic account credentials. After gaining access to the individual’s account, the third-party bad actor may monitor the situation while lying dormant and waiting for an opportune moment to interpose itself into otherwise legitimate email communications concerning upcoming payments.
Once an upcoming payment is identified, such as a payment for an invoice received through email, the third-party bad actor impersonates the individual, utilizing the authentic credentials, and provides fraudulent and, in many cases, conflicting wiring instructions. It is important to keep in mind that the individual within the organization is usually unaware that their credentials are being misappropriated because these bad actors will cover their tracks by deleting emails and even going so far as to fabricate communications or responses from the paying party. Remaining undetected, the third-party bad actor continues to impersonate the individual until payment using the fraudulent wiring instructions is completed, at which point they may relinquish control of the individual’s account.
While this scenario frequently occurs, third-party bad actors have developed other common schemes to fraudulently misdirect payments, including manipulating phone calls and using contact information nearly identical to that of the individual they are trying to impersonate, typically email addresses and telephone numbers that differ by one or two letters or numbers. As a reflection of the gravity of this issue, business email compromise (BEC) was identified as the second most financially damaging type of crime, with $2.9 billion in reported losses in 2023.[1]
Thus, a critical question arises: in situations where payments are fraudulently misdirected to a third-party bad actor, which party bears the financial loss? While the fraudulent misdirection of payments may not be a new issue, the increasing frequency of these events and the use of digital communication, sometimes in combination with other digital tools, to accomplish these nefarious ends are a relatively recent phenomenon. Businesses and organizations trying to navigate this issue are facing great uncertainty from both a legal perspective, as most jurisdictions have little to no common law developed in this area, and a business perspective, due to the strain on business relationships in working to identify which party should bear the financial loss. Therefore, this article reviews the approaches of the few jurisdictions that have addressed the critical question of which party bears the risk of financial loss when a payment is fraudulently misdirected, along with some proactive measures for businesses and organizations to implement.
Texas favors the application of a fault-based rule, rooted in English common law and Texas common law, which places the loss on the party who is most at fault for the misdirection of payment. For example, in Morgan v. Harper, the court noted, “[w]here one of two equally innocent parties must suffer by reason of the fraud of another, the loss should fall upon him whose negligent act or omission has enabled the wrongdoer to commit the fraud.”[2] By applying this logic, in Prosper Fla., Inc. v. Spicy World of USA, Inc., the court held that the seller of a bulk shipment of black pepper had the burden of loss because the buyer called to verify the instructions and in doing so acted reasonably to prevent the loss.[3]
In one Florida case which dealt with the fraudulent misdirection of payment, the court decided liability by determining which party was in the best position to prevent the fraud. In Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., the court determined the buyer was in the best position to prevent the fraud because the buyer received conflicting wire instructions and failed to confirm or verify the wire instructions.[4]
On the other hand, a Nevada court chose to apply the Uniform Commercial Code, as the payment was intended to cover goods, for determining which party would bear the risk of loss.[5] Using the Nevada court’s approach, if a payment is made in good faith, then it is effective and the party who failed to receive the payment will suffer the loss. However, if either party fails to exercise ordinary care and that failure substantially contributes to the resulting loss, then the party who failed to exercise ordinary care will bear the loss. In Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., the buyer of ready-mix trucks had the burden of loss because they received conflicting emails about wire instructions within minutes and failed to use reasonable care by confirming the validity of the new instructions.[6]
Unlike the earlier approaches in Texas and Nevada, Delaware appears to look to the contract between the parties and places the burden of loss on the party who failed to carry out their duty to pay, regardless of their good faith. In Peeples v. Carolina Container, LLC, as part of an asset purchase agreement, a company wired $1.7 million to a third-party bad actor using fraudulent payment instructions.[7] There, the court found that the company’s contractual obligation under the contract was to provide payment, and in mistakenly paying a third-party bad actor, they had failed to satisfy this obligation.
Beyond Texas, Florida, Nevada, and Delaware, many states have not analyzed this issue, and given all the different factual scenarios underlying the fraudulent misdirection of payment, businesses and organizations are left with little to no guidance as to how liability will be determined. However, there appears to be one commonality among the jurisdictions that have analyzed this issue: courts generally favor the party that took steps to prevent the loss. For example, in Prosper, the buyer avoided liability by calling the seller to verify payment instructions, while in Jetcrete, the buyer was held liable for the loss because they failed to call and verify the correct payment instructions after receiving conflicting instructions minutes apart.
With this in mind, below are a few proactive measures to take within a business or organization for any payment transactions:
[1] Federal Bureau of Investigation, Internet Crime Report 2023 (AHA).
[2] 236 S.W. 71 (Tex. Comm’n App. 1992, holding approved).
[3] 649 S.W.3d 661 (Tex. App.—Houston [1st Dist.] 2022, no pet.).
[4] No. 8:14-cv-2052-T-30TGW, 2015 U.S. Dist. LEXIS 108823 (M.D. Fla. 2015).
[5] Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915 (D. Nev. 2020).
[6] 484 F. Supp. 3d 915 (D. Nev. 2020).
[7] 4:19-cv-21-MLB, 2021 WL 4224009 (N.D. Ga. Sept. 16, 2021).