Wire Transfer Scam: Who Should Bear the Loss of the Funds Stolen by the Hacker?

In 2023, businesses and individuals suffered massive losses of over $2.9 billion due to a scam called business email compromise (BEC).1Internet Crime Report 2023, Federal Bureau of Investigation, https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf. This scheme typically unfolds when hackers compromise legitimate business email accounts through social engineering or computer intrusion techniques. Once inside, they meticulously identify who the business works with and send fake emails requesting a change in payment type (frequently from check to wire transfer) or a change from one bank account to a different bank account under their control.

Imagine the scenario where a buyer and seller have cultivated a long-term business relationship, facilitated primarily through email correspondence. This relationship sees the exchange of invoices, wire transfer instructions, and payment confirmations via email as the norm. In one of their transactions, the seller sends wire transfer instructions to the buyer through email, as they typically do. However, before the buyer executes the payment, a follow-up email arrives from the seller, stating, “Please disregard the wire transfer instructions in my previous email; we have stopped using that bank account for the transactions exceeding $50,000. Attached please find the updated wire transfer instructions. Kindly ensure that the payment is processed in accordance with these updated instructions.” The buyer initiates payment to the newly provided bank account.

Several weeks later, the buyer receives another email from the seller: “This serves as a kind reminder to settle the outstanding balance for March’s invoice. The goods have already been delivered, but we have not received any payment from you.” The buyer promptly responds to the seller, asserting that the payment has already been made and attaching a copy of the wire transfer confirmation. “This is not our bank account,” the seller responds. This is when the parties realize that the seller’s email account had been hacked and that the wired funds had been stolen.

The seller wants to recover the contractual price from the buyer. The seller may see this case as a simple one—it delivered the goods, but never received payment from the buyer. This case, however, is complicated by the fact that a hacker fraudulently misdirected the buyer’s payment to an unauthorized party. Under these circumstances, either the seller or the buyer will suffer a loss. If the court holds that the buyer must pay the seller, the buyer will have to pay twice for the same goods. If the court holds that the buyer does not have to pay the seller, the seller will go unpaid for the goods it sold and delivered. How should this issue be resolved? In this article, we will analyze the development of case law on which party bears the loss when wired funds have been fraudulently diverted by a hacker.

I. The Imposter Rule.

As one of the courts noted, there is a “dearth of authority” regarding the legal consequences of sending a wire transfer to the wrong bank account based upon fraudulent payment information sent via email.2See Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 F. App’x 348 (6th Cir. 2018). When dealing with email scam cases, courts have used creative legal maneuvers to find a proper solution. One of the most interesting but also controversial approaches is applying the “imposter rule” set forth in Section 3-404 of the Uniform Commercial Code (hereinafter the “UCC”) by analogy.

Section 3-404(d) of the UCC provides that “if a person paying the instrument [i.e., the payer] or taking it for value or for collection [i.e., the payee] fails to exercise ordinary care in paying or taking the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.”

In the context of BEC scams, courts have construed the “imposter rule” to mean that the loss attributable to fraud should be borne by the party in the best position to prevent the fraud. While some courts have favored apportioning the loss based on the comparative fault of the parties involved,3See, e.g., Beau Townsend, 759 F. App’x at 357. others have insisted on assigning 100% of the loss to the party who was in the best position to prevent the loss, regardless of any negligence on the part of the other party.4See, e.g., Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915, 919 (D. Nev. 2020).

1. Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc.5Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., No. 8:14-CV-2052-T-30TGW, 2015 WL 4936272, at *1 (M.D. Fla. Aug. 18, 2015).

One of the first cases that applied the “imposter rule” in the context of BEC scams is Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc. In Arrow, the buyer contracted to purchase twelve trucks from the seller for $570,000. The parties negotiated the transaction via email. The seller emailed invoices containing correct wire transfer instructions, identical to wiring instructions the seller provided to the buyer for past truck sales. Unbeknownst to either party at the time, fraudsters hacked into both of their email accounts and sent “updated” wiring instructions to the buyer on behalf of the seller to divert the $570,000 payment. The buyer wired the funds to the fraudulent account. The seller did not receive the payment and refused to deliver the trucks to the buyer. The buyer filed a suit against the seller.

The Middle District of Florida conducted a bench trial in which it found that neither party was negligent in the manner they maintained their email accounts and that the buyer “had more opportunity and was in the better position to discover the fraudulent behavior based on the timing of the emails and the fact that the fraudulent wiring instructions involved a different beneficiary, different bank, different location, and different account information from all of the previous wiring instructions.”6Arrow, 2015 WL 4936272 at *4. “[T]he change in the wiring instructions and conflicting emails should have prompted [the buyer] to confirm the information with [the seller] prior to wiring any funds,” the court states.7Id. Unable to find a factually similar case discussing the issue of which party to a contract bears the loss stemming from fraud committed by an outsider, i.e., a third-party fraudster, the court looked to UCC § 3-404(d) and held that the buyer should suffer the loss associated with the fraud as the buyer was in the best position to prevent the fraud.8Id. at *6.

One may argue that this decision is controversial because Article 3 of the UCC governs only negotiable instruments, not wire transfers, and because the federal court did not perform its Erie-mandated duty to apply the law of the state in which it sits.9“When a district court’s jurisdiction is predicated on diversity of citizenship, it must apply the law of the state in which it sits, including that state’s choice of law rules.” Green Plains Trade Grp., LLC v. Archer Daniels Midland Co., 90 F.4th 919, 927–28 (7th Cir. 2024) (citing Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 495, 61 S. Ct. 1020, 1021, 85 L. Ed. 1477 (1941); Erie R. Co. v. Tompkins, 304 U.S. 64, 78, 58 S. Ct. 817, 822, 82 L. Ed. 1188 (1938)). The court “did not find a factually similar case” and therefore applied UCC § 3-404(d) by analogy.10Arrow, 2015 WL 4936272, at *5. However, is there truly an absence of governing state law? Why did the court refrain from applying the well-established rules of contractual liability? Are tort concepts like due diligence relevant in contract analysis? These controversies are still not settled in the context of BEC scams.

Several courts adopted the Arrow analysis, and the following are illustrative instances of such rulings.

2. Bile v. RREMC, LLC.11Bile v. RREMC, LLC, No. 3:15CV051, 2016 WL 4487864, at *10 (E.D. Va. Aug. 24, 2016).

In Bile, an employee (the plaintiff) won a $65,000 settlement in an employment discrimination suit. A few days after reaching the settlement, the plaintiff’s counsel received an email, purportedly from the plaintiff, requesting that the $65,000 settlement be wired to a particular Barclay’s account in the plaintiff’s name in London. The plaintiff’s counsel called the plaintiff to ask if the latter had sent that email; the plaintiff informed his counsel that he did not. The plaintiff’s counsel deleted the email without notifying the defendants, their counsel, or the court.

Two days later, the plaintiff’s counsel and the defendants’ counsel agreed over the phone that two checks—one for $2,000-less-withholding sent by one of the defendants and one for $63,000 sent by the defendants’ counsel—would be sent to the plaintiff at his residence by FedEx. Following this conversation, the plaintiff’s counsel emailed the plaintiff’s home address to the defendants’ counsel. Later that day, however, the defendants’ counsel received another email, purportedly from the plaintiff’s counsel, requesting that the funds be wired to a particular Barclay’s account. The defendants’ counsel followed the wire instructions and transferred $63,000 to the Barclay’s account. Eventually, the parties discovered that the wire instructions were sent by a hacker who had infiltrated the email account of the plaintiff’s counsel. The plaintiff did not receive the money. The defendants’ counsel refused to make another $63,000 payment, and this litigation followed.

The Eastern District of Virginia ruled in the defendants’ favor. Though there was “no case law precisely on point,” the court looked to “common law contract principles and principles from Article 3 of the UCC” and held that “the participant who fails to exercise ordinary care is liable for any losses to which his lack of ordinary care substantially contributes.”12Bile, 2016 WL 4487864, at *6, *10. The court found that the plaintiff’s counsel, acting as the plaintiff’s agent, “failed to use ordinary care under the circumstances” and “[t]hat failure substantially contributed to the $63,000 loss.”13Id. at *11. “Two days before the fraud was perpetrated on [the defendants’ counsel], both [the plaintiff’s counsel] and [the plaintiff] were aware that an unidentified third party had targeted the settlement funds for diversion to a Barclay’s bank account that had nothing to do with [the plaintiff].”14Id. The plaintiff and his counsel failed to pass this information along to the defendants, their counsel, or the court.15Id. The court found that if the defendants’ counsel had been aware of this suspicious activity, it would have been “self-evident” the firm would not have initiated the wire transfer.16Id. In contrast, the court found the defendants’ counsel “acted with ordinary care” in carrying out its end of the transaction.17Id. at *13. The court held the defendants were entitled to enforce the settlement agreement without paying out another $63,000 because the plaintiff’s counsel’s failure to alert the opposing counsel to the fraud “substantially contributed to the loss of $63,000 within the meaning of UCC § 3-406.”18Id. at *11, *13.

3. Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc.19Beau Townsend, 759 F. App’x.

In Beau Townsend, the buyer agreed to purchase twenty Ford Explorers from the seller for about $736,225. When it came time to close the deal, the buyer received an email, purportedly from the seller’s commercial sales manager, instructing the buyer to wire the money to an out-of-state bank. The buyer agreed, wired the money, and picked up the Explorers.

Later, it became known to the parties that a hacker had infiltrated the email account of the seller’s manager and sent fraudulent wiring instructions to the buyer. Although the buyer thought it had paid the seller for the Explorers, it had actually wired $736,225 to the hacker, who quickly emptied the bank account and vanished.

It would be useful to detail the methods employed by the hacker in perpetrating this fraud. In both the current trade deal and previous ones, the parties’ managers communicated via their business email accounts: (1) jcolumbro@btford.com for Jeff Columbro, the seller’s commercial sales manager, and (2) jcolglazier@donhindsford.com for John Colglazier, the buyer’s commercial account manager. The seller used a third-party email service called FuseMail. FuseMail allows users to set up “rules” for how certain messages will be handled. Those rules can, for example, automatically forward emails from a specified sender to a different email address. They can also automatically send emails affected by the rule to a different folder, such as the deleted items folder. After gaining access to Columbro’s email, the hacker set up rules for how emails from certain senders, including Colglazier, would be handled in Columbro’s FuseMail account. Here is the progression of events:

August 3: The hacker infiltrated Columbro’s business email account. Having this access, the hacker could send emails to Colglazier from Columbro’s business email address (jcolumbro@btford.com). Those emails appeared to Colglazier as if Columbro had sent them.

September 25: Colglazier received an email from Columbro (jcolumbro@btford.com) asking if the buyer would be interested in purchasing some of the Explorers. Colglazier (jcolglazier@donhindsford.com) responded that same day, and after a flurry of emails, the buyer agreed to buy twenty Explorers. (It was communication between real persons.)

September 28: The hacker created a fraudulent Gmail account to impersonate Colglazier (donhindsford@gmail.com). The hacker also set up rules for how emails ending with @donhindsford.com (i.e., emails from Colglazier and other representatives of the buyer) would be handled in Columbro’s FuseMail account. From September 28 onward, any emails from Colglazier and other representatives of the buyer to Columbro were automatically diverted to Columbro’s deleted items folder, where Columbro was unlikely to see them. The buyer’s emails were also forwarded to the Gmail account the hacker had created. The hacker then had the ability to forward the buyer’s messages back to Columbro, where they would appear in his inbox. Although those messages arrived from a different email address than the first messages Columbro received from Colglazier—jcolglazier.donhindsford@gmail.com rather than jcolglazier@donhindsford.com—Columbro never noticed this switch because the messages still appeared as if they were sent by “John Colglazier” in Columbro’s Microsoft Outlook email system. Thus, the hacker could filter the messages from Colglazier and other representatives of the buyer to Columbro, allowing Columbro to see only the messages the hacker wanted him to see.

September 29: After Columbro sent half of the invoices, Colglazier replied stating that the buyer intended to pay for the vehicles with a check. (Because of the abovementioned settings in Columbro’s FuseMail account, this email appeared in Columbro’s deleted items folder. As a result, Columbro did not see it.) Colglazier received several emails in reply, purportedly from Columbro, rejecting the buyer’s offer to pay by check and instructing the buyer to wire the money to an out-of-state bank. (These emails were sent by the hacker on behalf of Columbro.)

September 30: Columbro sent Colglazier the remaining invoices. This allowed the parties to calculate the final sales price of $736,225.40.

October 2: Colglazier emailed Columbro, asking him to review Colglazier’s paperwork to see if everything was in order. (Because of the abovementioned settings in Columbro’s FuseMail account, this email appeared in Columbro’s deleted items folder. As a result, Columbro did not see it.) Colglazier received a reply email, purportedly from Columbro, stating that Colglazier’s paperwork was in order and containing another copy of the wiring instructions. (This email was sent by the hacker on behalf of Columbro.)

October 5-7: The buyer picked up the Explorers and wired over $736,000 to the fraudulent bank account. Each time the buyer’s representative sent a wire transfer confirmation to Columbro—which again appeared in Columbro’s deleted items folder—she received emails purportedly from Columbro that the seller had received the money. (These emails were sent by the hacker on behalf of Columbro.)

October 13: Columbro called Colglazier to ask when the seller could expect a check for the twenty Explorers. Colglazier told Columbro that the buyer had already wired the funds, in line with the instructions received via email. The seller requested that the buyer return the Explorers. The buyer refused, and this litigation followed.
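The two mechanisms in this timeline, a mailbox rule that hides and forwards a business partner's mail and a look-alike sender shown under a familiar display name, can both be checked for mechanically. The following is an added example, not part of the article or the court record; the rule schema and field names are hypothetical (FuseMail's export format is not described here), and the sample data is constructed from the addresses quoted above.

```python
from email.utils import parseaddr

# Constructed sample data. The rule schema below is hypothetical; adapt the
# field names to whatever your mail platform actually exports.
OWN_DOMAINS = {"btford.com"}
KNOWN_CONTACTS = {"john colglazier": "jcolglazier@donhindsford.com"}
HIDING_FOLDERS = {"deleted items", "trash", "junk", "rss feeds", "archive"}

RULES = [
    {"name": "newsletters", "sender_contains": "news@example.org",
     "actions": [{"type": "move", "folder": "Newsletters"}]},
    {"name": "unnamed-rule", "sender_contains": "@donhindsford.com",
     "actions": [{"type": "move", "folder": "Deleted Items"},
                 {"type": "forward", "to": "donhindsford@gmail.com"}]},
]

INBOUND_FROM_HEADERS = [
    '"John Colglazier" <jcolglazier@donhindsford.com>',
    '"John Colglazier" <jcolglazier.donhindsford@gmail.com>',
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rule(rule, own_domains):
    """List the suspicious behaviours of one mailbox rule."""
    findings = []
    for action in rule.get("actions", []):
        kind = action.get("type", "").lower()
        if kind in ("forward", "redirect"):
            target = action.get("to", "")
            if domain_of(target) not in own_domains:
                findings.append("forwards matching mail outside the organisation: " + target)
        elif kind == "delete":
            findings.append("deletes matching mail")
        elif kind == "move":
            folder = action.get("folder", "")
            if folder.lower() in HIDING_FOLDERS:
                findings.append("hides matching mail in folder: " + folder)
    return findings


def audit_rules(rules, own_domains):
    """Audit every rule; hide-plus-forward is the pattern in the timeline above."""
    report = []
    for rule in rules:
        findings = audit_rule(rule, own_domains)
        if not findings:
            continue
        hides = any(f.startswith(("hides", "deletes")) for f in findings)
        forwards = any(f.startswith("forwards") for f in findings)
        report.append({
            "rule": rule.get("name", ""),
            "matches": rule.get("sender_contains", ""),
            "severity": "high" if hides and forwards else "medium",
            "findings": findings,
        })
    return report


def display_name_mismatch(from_header, known_contacts):
    """Flag a From header whose display name belongs to a known contact but
    whose address is not the one on file for that contact."""
    name, address = parseaddr(from_header)
    key = " ".join(name.lower().split())
    expected = known_contacts.get(key)
    if expected and address.lower() != expected.lower():
        return (name, address.lower(), expected)
    return None


if __name__ == "__main__":
    for item in audit_rules(RULES, OWN_DOMAINS):
        print(item["severity"].upper(), item["rule"], item["matches"], item["findings"])
    for header in INBOUND_FROM_HEADERS:
        hit = display_name_mismatch(header, KNOWN_CONTACTS)
        if hit:
            print("display name %r arrived from %s, expected %s" % hit)
```

Run periodically against exported rules and inbound headers, a check of this kind surfaces the rule and the substituted sender address that the mail client's display name concealed.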

The Southern District of Ohio ruled in the seller’s favor because “[the seller] has not received any funds from [the buyer]” and awarded the seller the $736,225.40 it requested.20Beau Townsend Ford Lincoln Inc. v. Don Hinds Ford, Inc., No. 3:15-CV-400, 2017 WL 4237028, at *6 (S.D. Ohio Sept. 25, 2017), rev’d and remanded, 759 F. App’x 348 (6th Cir. 2018). The Sixth Circuit, however, reversed this decision and held that “losses attributable to fraud should be borne by the party in the best position to prevent the fraud,” thus adopting the approach taken by the courts in Arrow and Bile.21Beau Townsend, 759 F. App’x at 357, 359. The Sixth Circuit remanded the case to the district court “to decide whether and to what degree each party is responsible for the $730,000 loss in this case.”22Id. at 359 (“To decide this case, the factfinder must determine which party ‘was in the best position to prevent the fraud.’ … To answer that question, there must necessarily be findings of fact. And to make findings of fact, the district court must hold a trial.”).

Besides the imposter rule, the court used the doctrines of mutual mistake and agency by estoppel as rationale for its ruling.23Id. at 353-55, 357-58.

(a) Mutual Mistake.

As for the doctrine of mutual mistake, the court found that this doctrine could be applied in this case because “both parties held the mistaken belief that they had agreed on a method of payment.”24Id. at 353-54 (“Colglazier had emailed Columbro saying [the buyer] intended to pay with a check, as they had in the past. Due to the hacker’s deception, Columbro never saw any emails that would have caused him to second-guess Colglazier’s assertion, and on October 13, he asked Colglazier when [the seller] could expect a check. Likewise, after the hacker posing as Columbro told Colglazier that [the seller] would prefer a wire transfer and sent instructions, Colglazier complied. Each party thought its own belief regarding payment was correct, and neither party knew the other was mistaken.”). The court held that “in the case of a mutual mistake, the Restatement permits the court to allocate the risk of loss to a party when ‘it is reasonable in the circumstances to do so.’”25Id. at 354 (citing Restatement (Second) of Contracts § 154(c)).

It is controversial whether the doctrine of mutual mistake is applicable in this case. Pursuant to the Restatement (Second) of Contracts § 152(1), this doctrine applies only if both parties make a mistake “at the time a contract was made as to a basic assumption on which the contract was made.” Where, as here, the parties develop a mistaken impression about something after the contract was made, the Restatement’s rule appears to be inapplicable on its face.

(b) Agency by Estoppel.

As for the doctrine of agency by estoppel, the court found guidance in the Restatement (Third) of Agency § 2.05, stating that if a person “carelessly caused [the] belief” that “an actor has authority as an agent,” the person “is subject to liability to a third party who justifiably is induced to make a detrimental change in position because the transaction is believed to be on the person’s account.” The court also found guidance in an Ohio Court of Appeals case, Luken v. Buckeye Parking Corp., holding that the owner of a public parking lot is liable to a customer for the value of an automobile destroyed in a collision when driven by an imposter who masqueraded as a lot attendant and gave the customer a ticket for the car, and that the customer could only be justified if he believed in good faith, after exercising reasonable care and prudence, that the person who was assuming to act as an agent was in truth an agent and was acting within his authority.26Luken v. Buckeye Parking Corp., 77 Ohio App. 451, 451, 68 N.E.2d 217 (1945).

Based on the Restatement and Luken, the Sixth Circuit held that “if [the seller] had failed to exercise ordinary care in maintaining its email server, thus allowing the hacker to pose as Columbro, then [the seller] could be liable for [the buyer’s] reasonable reliance on the hacker’s emails” and that “any potential liability would be reduced if [the buyer] also failed to exercise reasonable care.”27Beau Townsend, 759 F. App’x at 358.

There was disagreement among courts regarding the application of the “agency by estoppel” theory in the context of BEC scams. In Jetcrete, for example, the District of Nevada declined to apply this doctrine because “no Nevada court in the last 99 years recognized this theory and none has ever applied it.”28Jetcrete, 484 F. Supp. 3d at 920. Even if Nevada recognized this theory, the court stated that it would reject it since there was no evidence that the seller carelessly caused the buyer to believe the hacker was acting on behalf of the seller.29Id. at 920-21.

(c) Comparative Fault Approach.

Beau Townsend was the first case where the Sixth Circuit expressly formulated and introduced the “comparative fault” approach in the context of BEC scams, holding that the loss must be apportioned according to the parties’ comparative fault.30Beau Townsend, 759 F. App’x at 357. This approach was not universally accepted by all courts. In Jetcrete, for example, the District of Nevada assigned 100% of the loss to the party who “was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone” (i.e., the buyer)—“[e]ven if [the seller] failed to use reasonable care” to prevent its email platform from being hacked.31Jetcrete, 484 F. Supp. 3d at 920.

Thus, besides the debated issue of whether the “imposter rule” applies in the context of wire transfer scams,32As noted above, Article 3 of the UCC governs only negotiable instruments, not wire transfers. “Wire transfers are explicitly governed by Article 4 of the UCC, not Article 3’s rules for negotiable instruments.” Bile, 2016 WL 4487864, at *7 n.17. The Northern District of Georgia states that “[i]t would be odd to borrow a provision that explicitly does not apply where that provision is part of a larger code containing other provisions that do apply.” Peeples v. Carolina Container, LLC, No. 4:19-CV-21-MLB, 2021 WL 4224009, at *1 (N.D. Ga. Sept. 16, 2021). another issue emerges regarding its interpretation: should the loss be apportioned based on the comparative fault of the parties involved, or should 100% of the loss be assigned to the party who was in the best position to prevent the loss? In the absence of appellate authority or legislative action, it remains uncertain which interpretation a particular court will adopt.

II. Strict Liability for Breach of Contract.

Despite the pattern set by Arrow and similar cases,33See, e.g., Bile, 2016 WL 4487864; Beau Townsend, 759 F. App’x; Prosper Fla., Inc. v. Spicy World of USA, Inc., 649 S.W.3d 661, 671–72 (Tex. App. 2022) (“We likewise are persuaded that the correct rule is that any loss resulting from fraudulently misdirected payments should be placed on whichever party to the contract the factfinder finds to be most at fault for the misdirection.”); Forde v. Krantz, No. 21-CV-80603-RKA, 2023 WL 7109745, at *1 (S.D. Fla. Oct. 27, 2023), motion for relief from judgment denied, No. 21-CV-80603, 2024 WL 1174123 (S.D. Fla. Mar. 18, 2024) (holding that the buyer should suffer the loss associated with the fraud because the buyer “was in the best position to prevent it”). several courts have resisted adopting this approach.34See, e.g., 2 Hail, Inc. v. Beaver Builders, LLC, No. 2016CV32847, 2017 WL 7086784, at *1 (Colo.Dist.Ct. Nov. 29, 2017) (declining to adopt the legal analysis from Bile because the court was “troubled by an attempt to combine the common law of contracts with the statutory law governing negotiable instruments as set forth in Article 3 of the Uniform Commercial Code” and because there was “the lack of developed legal authority addressing the issue of whether parties to a business transaction have a duty to each other to take reasonable steps to protect themselves and others from hacking attacks by unscrupulous third-party criminals; and whether a breach of any such duty may relieve a party of its contractual obligations, or perhaps, expose the breaching party to liability in tort, or perhaps through a legislative extension of the Colorado Uniform Commercial Code to cover such conduct”); Peeples, 2021 WL 4224009.

In Peeples v. Carolina Container, LLC, the buyer was supposed to wire $1.71 million to the plaintiff under an Asset Purchase Agreement (hereinafter the “Agreement”).35Peeples, 2021 WL 4224009, at *1. However, it ended up wiring that money to the hacker who gained access to the email account of the plaintiff’s attorney and used that account to send fraudulent wiring instructions to the buyer. Notably, the wiring instructions were for an account in the name of JAE Holding Limited at CTBC Bank Co., Ltd. in Hong Kong. “No one at [the buyer’s company] knew whether [the plaintiff] had any connection to JAE Holding Limited. No one tried to find out before completing the wire. And no one did anything more generally to confirm the accuracy or authenticity of the new wire instructions (beyond noting they were sent from … email account [of the plaintiff’s attorney]).”36Peeples, 2021 WL 4224009, at *2. When the hacker vanished with the money, the plaintiff sued his attorney and the buyer to recover the money.

The Northern District of Georgia ruled in favor of the plaintiff, explaining that:

[The buyer] breached that obligation [to pay the Holdback Amount to the plaintiff] because it paid the Holdback Amount to JAE Holding Limited, not Plaintiff. [The buyer] may have tried to pay Plaintiff. It may have acted in good faith. It may have intended to fulfil its obligation under the Agreement. But, as a general rule, none of that matters. The Agreement says “[t]he Holdback Amount … shall be paid by Buyer to Seller.” [The buyer] did not do that. So, “[u]nder elemental precepts of contract law,” [the buyer] is “liable … for breach of contract even if [it] is without fault.” CITGO Asphalt Ref. Co. v. Frescati Shipping Co., Ltd., 140 S. Ct. 1081, 1089, 206 L. Ed. 2d 391 (2020). “[A] party’s good faith will not prevent his failure to perform a duty from amounting to a breach.” Scott v. Clarke, 355 F. Supp. 3d 472, 505 (W.D. Va. 2019) (collecting authorities). That has been the rule “from time immemorial.” U.S. Fire Ins. Co. v. Cavanaugh, 732 F.2d 832, 840 (11th Cir. 1984) (Hill, J. dissenting). “Contract liability is strict liability.” CITGO, 140 S. Ct. at 1089; see Jones v. Porter, 438 F. Supp. 3d 101, 104 n.1 (D. Me. 2020) (“[C]ontract law generally operates on a strict liability system—i.e., if a party breaches, that party pays damages, regardless of the party’s reason for breach.”); Bell v. Bd. of Educ. of Albuquerque Pub. Sch., 652 F. Supp. 2d 1211, 1219 (D.N.M. 2008) (“[C]ontract law is essentially a law of strict liability, with an accompanying system of remedies that operates without regard to fault.”).37Peeples, 2021 WL 4224009, at *4.

Among the defenses used by the buyer was reference to the notice provision of the Agreement, telling the parties where to address their communications with one another if they want those communications to count under the Agreement.38Id. at *5. The buyer pointed out that the email account listed for the plaintiff’s attorney was the same email account from which the fraudulent wire instructions were sent.39Id. It follows, says the buyer, that “it was contractually entitled to rely upon those instructions without further inquiry.”40Id.

The court rejected the buyer’s argument:

The provision simply identifies the addresses that “communications must be sent to”; it says nothing about the addresses those communications must be sent from. … As a textual matter, [the buyer] cannot use a clause about the proper recipient to excuse its reliance on an improper sender. Second, to the extent [the notice provision of the Agreement] does control whether the hacker’s emails are operative under the Agreement, it suggests those emails were invalid rather than valid. [The notice provision of the Agreement] requires communications intended for [the buyer] to be sent to Mr. Cobery and Ronald T. Sessions. … There is no evidence the hacker sent his fraudulent wire instructions to Mr. Sessions. So, under [the notice provision of the Agreement], those instructions are not “deemed to have been given.” Finally, even if the hacker’s emails did count as valid communications under [the notice provision of the Agreement], [the buyer] has not shown they override [the buyer’s] explicit and material obligation under the Agreement to pay Plaintiff the Holdback Amount. The Agreement is clear that [the buyer] must pay Plaintiff. But the hacker’s emails asked [the buyer] to pay someone else. Faced with these conflicting instructions about a material obligation, [the buyer] was required to follow the Agreement. That is so because the Agreement “may be amended, modified or supplemented only by an agreement in writing signed by each Party.” (Id. § 10.09.) And any waiver of the Agreement’s terms must be “explicitly set forth in writing and signed by the Party so waiving.” (Id.) The hacker’s emails complied with neither requirement.41Id. at *5-6 (emphasis added).

The Northern District of Georgia hesitated to apply the imposter rule, noting that it has not been invoked before in Delaware courts and has been rarely applied by other courts.42Id. at *7. Notably, other courts “essentially created the rule by borrowing—and sometimes synthesizing—principles from elsewhere.”43Id. (“See, e.g., Beau Townsend, 759 F. App’x at 353-59 (combining Article 3 of the Uniform Commercial Code with the doctrine of mutual mistake while flirting with an agency theory); Bile v. RREMC, LLC, 2016 WL 4487864, at *10 (E.D. Va. Aug. 24, 2016) (‘aggregat[ing]’ the ‘common law contracts approach and the Article 3 approach’ by ‘nesting Article 3 principles within Restatement § 237’).”). “That approach is in tension with the concept of judicial restraint,” the Northern District of Georgia states.44Id. For instance, Article 3 of the UCC, commonly relied upon for the imposter rule, applies to negotiable instruments, not wire transfers, making its application inappropriate here.45Id. Additionally, the sophistication of the parties suggests that they should be bound by the Agreement, which does not mention the imposter rule and unambiguously says that “[t]he Holdback Amount … shall be paid by Buyer to Seller.”46Id. at *8. Even if the imposter rule were to apply, it would not alter the outcome, as the buyer was best positioned to prevent the fraud and thus, according to the imposter rule, should bear the loss resulting from the fraud.47Id.

III. The Imposter Rule or Strict Liability for Breach of Contract: Which Approach Stands Out as the Better Choice?

In the Arrow line of cases, the courts relied on tort concepts in their rulings. In Beau Townsend, for example, the Sixth Circuit held that the loss must be apportioned according to the parties’ comparative fault.48Beau Townsend, 759 F. App’x at 357. However, can the courts rely on tort concepts in breach-of-contract claims? This is exactly the claim that was examined in Beau Townsend.49Beau Townsend, 759 F. App’x at 352 n.2 (“Only the contract claim is at issue in this appeal.”). The Sixth Circuit listed the elements of the breach-of-contract claim under Ohio law: “(1) a binding contract or agreement was formed; (2) the nonbreaching party performed its contractual obligations; (3) the other party failed to fulfill its contractual obligations without legal excuse; and (4) the nonbreaching party suffered damages as a result of the breach.”50Id. at 353 (citing Carbone v. Nueva Constr. Grp., L.L.C., 83 N.E.3d 375, 380 (Ohio Ct. App. 2017)).

In Beau Townsend, all elements of the breach-of-contract claim were present. The Sixth Circuit did not dispute the existence of the contract between the seller and the buyer, nor did it doubt that the seller had fulfilled its contractual obligations. While the Sixth Circuit did not explicitly state that the buyer was in breach, it relied on the factually similar case, Arrow, in which the court concluded that the buyer’s non-payment breached the contract.51See Arrow, 2015 WL 4936272, at *5 (“[T]he Court concludes that [the buyer], not [the seller], breached the contract for the Trucks because, after the contract was executed, [the buyer] never provided payment for the Trucks to [the seller].”). In Beau Townsend, the situation was analogous: the buyer did not pay the seller. Therefore, it is reasonable to conclude that the buyer breached the contract.52See also Forde, 2023 WL 7109745, at *9 (“By not paying [the seller] or his agents, [the buyer] breached a material term of the Mortgage and Promissory Note.”). The Sixth Circuit did not qualify the hacker’s attack as a “legal excuse” justifying the buyer’s non-performance. As for the last element of the breach-of-contract claim—the nonbreaching party suffered damages as a result of the breach—the Sixth Circuit qualified the $736,225 as the seller’s “loss.”53Beau Townsend, 759 F. App’x at 353, 357 (“The ultimate question here is which party should bear the $736,225 loss attributable to the scheme perpetrated by an unidentified third-party fraudster.”; “[R]ecord evidence suggest[s] [the seller] was at least partially responsible for its own losses.”).

Even though all elements of the breach-of-contract claim were present, the Sixth Circuit deviated from this straightforward analysis, choosing instead to base its decision on the tort concept of comparative fault. In 2020, the U.S. Supreme Court held that “[u]nder basic precepts of contract law, an obligor is strictly liable for a breach of contract, without regard to fault or diligence.”54CITGO Asphalt Ref. Co., 140 S. Ct. at 1089 (“[A]s a general rule, due diligence and fault-based concepts of tort liability have no place in the contract analysis required here. Under elemental precepts of contract law, an obligor is ‘liable in damages for breach of contract even if he is without fault.’ Restatement (Second) of Contracts, p. 309 (1979) (Restatement (Second)). To put that default contract-law principle in tort-law terms, ‘Contract liability is strict liability.’ Ibid. (emphasis added); see also 23 Williston § 63:8, at 499 (2018) (‘Liability for a breach of contract is, prima facie, strict liability’).”). This holding challenges the pattern established by Arrow, Bile, Beau Townsend, and other similar cases.

At the same time, there were cases, such as Peeples, that adopted the strict liability approach and held the breaching party liable under the contract. This approach appears to be more compatible with contemporary jurisprudence and its long-entrenched rules of contractual liability. Applying this approach would require the courts to determine whether all elements of the breach-of-contract claim are met, including whether the BEC scam constitutes a valid excuse for non-performance in the particular circumstances of each case. As of today, this approach has not been consistently applied in the context of BEC scams. A definitive solution regarding the parties’ liability in this context has yet to be formulated.

IV. Conclusion.

The cases analyzed in this article emphasize the need for the payer to exercise utmost vigilance when initiating wire transfers based on information conveyed through email. In the absence of established law, it remains uncertain which approach the court will adopt: the “imposter rule,” strict liability for breach of contract, or any other approach.55As of the date of this article, Prosper Fla., Inc. v. Spicy World of USA, Inc., 649 S.W.3d 661, 672 (Tex. App. 2022), is the only published appellate decision addressing the issue of which party bears the loss when wired funds have been fraudulently diverted by a hacker. However, this decision is binding only on lower courts in Texas. In any scenario, the payer may face adverse consequences. If the court is unwilling to apply the “imposter rule” and follows a traditional breach-of-contract claim analysis, then the payer will have to pay the contractual price twice. Even if the court decides to apply the “imposter rule,” the payer may still be held liable as the party who was in the best position to prevent the loss by exercising reasonable care. Moreover, the court may decide not to follow the “comparative fault” interpretation introduced in Beau Townsend and assign 100% of the loss resulting from the fraud to the payer, as was ruled in Jetcrete.

What can be done to protect yourself and your money? As the age-old saying suggests, “an ounce of prevention is worth a pound of cure.” Reflecting on the cases mentioned earlier, a simple preventive action such as confirming wiring instructions over the phone could have averted extensive litigation. Recognizing this, the FBI promotes the implementation of procedures “to verify payments and purchase requests outside of email communication.”56Internet Crime Report 2023, supra note 1, at 11. These procedures “can include direct phone calls but to a known verified number and not relying on information or phone numbers included in the email communication.”57Id. Other best practices include carefully examining the email address, URL, and spelling used in any correspondence and not clicking on anything in an unsolicited email or text message asking you to update or verify account information.58Id. Additionally, it can be useful to include warnings within the emails, such as the following:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

BECAUSE OF THE INCREASE IN WIRE FRAUD ACTIVITY, DO NOT SEND A WIRE TRANSFER TO OUR FIRM OR TO ANY OTHER PERSON WITHOUT VERBAL RE-CONFIRMATION WITH AN ATTORNEY AT OUR OFFICE OF THE WIRE TRANSFER BANK ACCOUNT INFORMATION.59This is the warning that the payee’s attorney and his law firm began including in their email correspondence after the BEC incident described in Forde, 2023 WL 7109745, at *4.

When it comes to making payments, rushing due to urgency is frequently counterproductive. It is far preferable to prioritize caution over urgency, as it is always better to be safe than to face the consequences of a hasty decision later on.

The information provided in this article is intended for informational purposes only and does not constitute legal advice. It should not be relied upon or applied without consulting an attorney to address your specific circumstances. Please note that this article was published on the date indicated and may not reflect subsequent changes in the law.

Natallia Bulko

Natallia Bulko is the Founder of The Maritime Law Blog. Natallia provides representation in the areas of international trade law and transportation law, with a specialized focus on commercial maritime law. Natallia holds an LL.M. from Louisiana State University Paul M. Hebert Law Center.
