An Ounce of Prevention is Worth a Pound of Cure
Wire transfer fraud is an ever-increasing threat to businesses and consumers. Fraudsters use a number of deceptive techniques to perpetrate their fraudulent activity, and their victims are too often left without any realistic means of recouping their losses directly from the criminals. In addition to the initial losses resulting from the fraud itself, parties are often forced to navigate the nebulous legal landscape to determine the apportionment of liability among the innocent parties to the fraudulent transaction.
Business Email Compromise
Business email compromise (BEC) is one of the most financially damaging online crimes. It exploits the fact that most people today conduct both personal and professional business via email, often as their almost exclusive form of communication. In a BEC scam, also known as email account compromise (EAC), criminals send an email message that (a) appears to come from a known source and (b) makes what appears to be a legitimate request.
Examples:
- A company regularly works with a vendor; the vendor sends an invoice with an updated mailing address.
- A company CEO emails an assistant, directing them to purchase dozens of gift cards to send out as employee rewards. The CEO asks for the card serial numbers in order to email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Learn more at the FBI webpage on scams and frauds.
This article presents a concise summary of the prevalence of wire transfer fraud resulting from Business Email Compromise, a brief overview of relevant case law involving legal liability attendant to such transactions, and some tips to prevent falling victim to this type of fraud.
Typical Steps in a BEC Attack
Federal Trade Commission statistics reveal that reported losses from fraud rose to a record high of $12.5 billion in 2024.[1] While investment scams represented the highest category of fraud losses in 2024 ($5.7 billion), wire transfer fraud resulting from BEC exceeded $2.7 billion in 2024.[2] A BEC or EAC scam involves criminals sending an email message that appears to come from a known source for an apparently legitimate financial transaction request, often related to anticipated vendor payments or upcoming real estate closings.[3] Fraudsters use various techniques to perpetrate BEC scams, including spoofing an email account or website (using fake/fraudulent emails or websites mimicking legitimate emails or domains containing fraudulent wire transfer information), spear phishing emails (targeted emails appearing to be from a trusted source tricking victims into revealing confidential information), and use of malware (malicious software contained in apparently legitimate email threads used to infiltrate networks and gain access to legitimate email threads about billing, invoices and pending transactions).[4] Regardless of the method used by the fraudster, the goal is the same: trick the victim into wiring funds into a fraudulent account controlled by the criminal rather than the legitimate account of the intended payee.
The innocent parties of BEC fraud scams are forced into the unfortunate position of not only losing money to the fraudster but also having to determine legally which party (the payor or the intended, legitimate payee) should bear the loss of that fraud. The payor, as the party who transferred (and lost) funds to the fraudulent account, may sue the intended payee seeking to recoup the lost funds under one or more theories of liability, including negligence (failure to warn or protect from fraud, failure to secure network/email systems, and/or failure to train employees to detect, report, and delete phishing emails), violation of section 3.406 of the Uniform Commercial Code (UCC) (apportioning liability to parties involved in forgery of negotiable instrument (i.e. the "imposter rule")), breach of contract, and/or conversion.[5] Conversely, an intended payee who failed to receive funds for a specified transaction because of a fraudulent email misdirecting payment to another account (typically a vendor who supplied goods and who is entitled to payment for those goods) may sue the payor seeking to obtain its rightful payment for the transaction, typically under a breach of contract claim or a claim for payment under UCC section 2.709.[6] Unfortunately for parties involved in a fraudulent wire transfer arising from BEC, there is a lack of case law clearly outlining the apportionment of liability among the parties, so various courts and jurisdictions apply different analyses to these situations.
BEC Liability Determinations Differ Among Courts
Prosper Fla. Inc. v. Spicy World of USA, Inc., a Texas state court suit, involved a series of fraudulent emails purporting to be from the seller directing a purchaser to wire funds to an account other than the seller's account for payment of goods admittedly received and accepted by the purchaser. The seller sued the purchaser for breach of contract, seeking to recover payment for the goods delivered to and accepted by the purchaser. Following an appeal from the trial court ruling in favor of the purchaser, the appellate court applied the Texas common law rule that when allocating a loss between two parties resulting from another's fraud, the loss should fall on the one who enabled the fraud to happen, namely the party who was "most at fault" for the misdirection of funds.[7] The appellate court ultimately deferred to the trial court's determination of fault among the purchaser and seller in regard to the fraudulent transaction to determine who was "most at fault," given the evidence introduced at trial. In other words, the court held that the determination of liability among parties to a fraudulent transaction involving BEC is a fact issue for the jury.
Conversely, Benchellal v. Okonite Co., a Texas federal court decision, involved a buyer's suit against a seller for negligence and breach of contract after the buyer wired funds to a fraudulent account based upon a spoofed email appearing to be sent by the seller. The seller moved for summary judgment, requesting the court dismiss the negligence and breach of contract claims as a matter of law. The court granted the seller's motion and dismissed the buyer's claims. The court refused to create a separate and distinct duty of care on the part of a seller under either Texas common law or the UCC to support the buyer's negligence claim.[8] In addition, the court held that the parties never had a valid contract, but even if they did, the buyer failed to perform as it was undisputed that the fraudulently directed wire transfer never reached the seller's account.[9] The court further refused to extend the doctrine of apparent authority to the fraudulent email hacker who "appeared" to be emailing on the part of the seller.[10] In other words, the court ruled as a matter of law that neither the buyer's negligence claim nor its breach of contract claim was legally supportable and thus neither claim would go to the jury for consideration.
Thus, it remains unclear whether, and to what extent, a party owes a duty to protect another party in a transaction from falling victim to fraud through BEC. Prosper would signal that both parties have a duty to act reasonably to prevent the fraud and thus the determination of liability for losses resulting from BEC fraud is for a jury to determine under the facts of the particular situation, taking into account the parties' knowledge and involvement in the transaction, including any indicia of fraud in the email(s) involved. This comports with Texas common law regarding apportionment of losses from fraud to the party/parties most responsible for "causing" or "failing to prevent" the fraud. In either case, this would suggest that there is an implied duty to avoid negligent behavior in BEC situations, such as failing to notice a misspelled email, failing to call to confirm wire instructions, or failing to suspect fraud from last-minute changes to prior wiring instructions.
Conversely, Benchellal would signal that for parties who are victims of BEC fraud, Texas law does not impose a duty to prevent the fraud (and thus the parties cannot be liable for any losses resulting from the fraud) unless the parties had a special or long-standing relationship that created a duty between them (i.e. long-standing vendor and customer relationships that have consistently used one form of payment or long-standing wire transfer directives to facilitate payments among the parties). The differing analyses and conclusions in the above cases reflect the general uncertainty among courts across the country in how best to navigate liability among parties who fall victim to BEC fraud.
Tips for Safeguarding Against BEC
While the law may be evolving and somewhat murky in this area, one thing is clear: consistent with the old adage that "an ounce of prevention is worth a pound of cure," parties should proactively protect themselves and their businesses from falling victim to wire transfer fraud through BEC. These steps can include:
- maintaining network and email security software,
- employing internal and/or external cyber security personnel to detect potential fraud or threats,
- educating and training employees on best practices for email usage, detecting potential fraud and designing strategies to avoid potential fraud,
- employing multi-factor authentication for any proposed wire transfer transaction, and
- using good old common sense – if an email is misspelled, contains a strange/unknown domain, seems suspect, shady or "off" in any way, don't trust it.
Any email asking to "change" wiring instructions, especially at the last minute, should immediately be regarded as suspicious and carefully scrutinized and verified with the other party via means other than email. Emails containing wiring instructions for non-US banks or accounts should be scrutinized and authenticated via means other than email. Be highly suspicious of any changes to long-standing payment instructions among trusted vendors or customers and verify any requests for changes to wiring instructions with a trusted contact via non-email communication. Businesses can also consider commercial crime or cyber liability insurance policies to protect their business from BEC or similar types of cyber fraud.[11]
If you or your company do experience a BEC fraud incident, regardless of whether it results in fraud losses or not, report it to your IT department, local law enforcement, the FBI's Crime Complaint Center (IC3),[12] and any related bank or financial institution.
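The warning signs listed above (a misspelled or unknown sender domain, a request to change wiring instructions, last-minute pressure, a non-US account) can be checked mechanically before a payment request reaches the person who approves it. The following is an added example, not part of the original article; the function names, the known-domain list and the sample messages are constructed assumptions.

```python
import re

# Assumption: counterparties' real domains on file (constructed sample values).
KNOWN_DOMAINS = ("acme-supply.example", "firsttitle.example")

CHANGE_RE = re.compile(r"\b(new|updated?|changed?|revised)\b.{0,40}?"
                       r"\b(wir(e|ing)|bank|account|remit)", re.I | re.S)
URGENT_RE = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)
# An IBAN starts with a country code; US banks do not issue IBANs.
IBAN_RE = re.compile(r"\b([A-Z]{2})\d{2}[A-Z0-9]{11,30}\b")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(sender, body):
    """Return the article's warning signs found in one email."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_DOMAINS:
        near = [k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2]
        flags.append(f"lookalike-domain:{near[0]}" if near else "unknown-domain")
    if CHANGE_RE.search(body):
        flags.append("payment-instruction-change")
    if URGENT_RE.search(body):
        flags.append("urgency")
    m = IBAN_RE.search(body)
    if m:
        flags.append(f"non-us-account:{m.group(1)}")
    return flags


def needs_out_of_band_check(flags):
    """Any flag other than urgency alone means: verify by non-email means."""
    return any(f != "urgency" for f in flags)


# Constructed sample: misspelled vendor domain plus changed wiring details.
SPOOFED = ("billing@acme-suply.example",
           "Please note our updated wiring instructions. "
           "Send today to IBAN GB29NWBK60161331926819.")
```

A flagged message is not proof of fraud; it only marks the payment request for confirmation with a trusted contact by phone or another non-email channel.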
If you or your company is involved in a BEC fraud incident, feel free to contact our office to assist you in assessing the legal implications of your situation and how you should protect your rights.
1. https://www.ftc.gov/news-events/news/press-releases/2025/03/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024
2. Id.; see also https://www.ic3.gov/AnnualReport/Reports (FBI Internet Crime Center (IC3) Annual Reports).
3. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
4. Id.
5. See, e.g., Benchellal v. Okonite Co., No. 4:22-CV-4435, 2024 U.S. Dist. LEXIS 41878, at *6, 16-17 (S.D. Tex. Mar. 11, 2024) (granting summary judgment to defendant, intended payee, on plaintiff's claims of common law negligence, violation of Texas UCC § 3.406, and breach of contract).
6. See, e.g., Prosper Fla., Inc. v. Spicy World of USA, Inc., 649 S.W.3d 661 (Tex. App.—Houston [1st Dist.] 2022, no pet.) (involving vendor's claim of breach of contract against customer to obtain payment following customer's transfer of funds to fraudulent account as a result of alleged business email compromise); see also TEX. BUS. & COMM. CODE § 2.709(a)(1) (a seller may recover the price of goods accepted, together with any incidental damages, if the buyer fails to pay the price when due).
7. Prosper, 649 S.W.3d at 672-73 ("We likewise are persuaded that the correct rule is that any loss resulting from fraudulently misdirected payments should be placed on whichever party to the contract the factfinder finds to be most at fault for the misdirection. This rule comports with Texas common law, which generally holds that when allocating a loss between two parties resulting from another's fraud, the loss should fall on the one who enabled the fraud to happen.") (citing Morgan v. Harper, 236 S.W. 71, 73 (Tex. Comm'n App. 1922, holding approved) (when one of two innocent parties must suffer due to fraud of another, loss should fall on person whose negligence enabled wrongdoer), Luse v. Crispin Co., 344 S.W.2d 926, 932 (Tex. App.—Houston [1st Dist.] 1961, writ ref'd n.r.e.) (when one of two people entitled to equal consideration must suffer due to third-party's misconduct, loss should fall on person who had knowledge and means to protect himself but failed to do so)); also citing J.F. Nut Co. v. San Saba Pecan, No. A-17-CV-00405-SS, 2018 U.S. Dist. LEXIS 226743, 2018 WL 7286493, at *3 (W.D. Tex. July 23, 2018) (liability for the misdirected payment should turn on the respective fault of the parties for the same) (citing Arrow Truck Sales v. Top Quality Truck & Equip., No. 8:14-CV-2052-T-30TGW, 2015 U.S. Dist. LEXIS 108823, 2015 WL 4936272, at *5-6 (M.D. Fla. Aug. 18, 2015), Meritdiam, Inc. v. Facets Fine Jewelry, No. CV-14-07041-MWF, 2015 U.S. Dist. LEXIS 199763, 2015 WL 12660377, at *6 (C.D. Cal. Apr. 27, 2015)).
8. Benchellal, 2024 U.S. Dist. LEXIS 41878, at *14-15 (recognizing Texas common law generally does not impose a duty on one party to prevent harm to others, absent "discrete, special relationships earmarked by specific characteristics including: long standing relations, an imbalance of bargaining power, and significant trust and confidence shared by the parties", none of which existed in the present case), *21 ("Neither the imposter rule [under TEX. BUS. & COMM. CODE § 3.406], nor any of the cases cited by Plaintiffs, converts § 3.406 into a general-purpose negligence statute that applies in the absence of a negotiable instrument and imposes a duty of care to prevent scammers from hacking email.").
9. Id. at *22-23.
10. Id. at *23-24.
11. Commercial crime and/or cyber liability insurance can potentially hedge against these types of losses; however, it is important to consult with your insurance professional regarding the specific types of insurance required and the limitations and exclusions related to such policies. See generally https://www.certifid.com/article/does-insurance-cover-wire-fraud
12. https://www.ic3.gov/