Scamming, phishing, pharming, vishing — people in the business world are well aware that hackers and other fraudsters have developed a myriad of schemes designed to obtain sensitive personal information and money.  Every year, these schemes cause businesses to suffer significant financial losses.  The FBI estimates that in 2020 business email compromise (“BEC”) and email account compromise (“EAC”) schemes caused losses of $1.86 billion.  To combat these schemes, companies spend thousands of dollars to secure their computer systems and train their employees to recognize and prevent fraudulent schemes from succeeding.  But no matter the preventative steps taken by businesses, hackers and fraudsters manage to stay one step ahead with new, creative schemes.
A recent fraud that businesses have unfortunately experienced is EAC, where hackers gain access to and use legitimate business email accounts of vendors and service providers to direct customers to send money to unauthorized accounts.  EAC affects businesses ranging from small to large and can occur in any industry, including financial institutions, real estate, contractors and law firms.  In a typical EAC scenario, hackers gain access to a person’s actual email account and are able to monitor the incoming and outgoing correspondence in order to learn business practices, customer information and payment terms.  At an appropriate time, the hackers use the email account to send payment instructions to a customer who legitimately owes money to the purported author’s company.  The customer receiving the email has likely communicated with the company and its employees previously and, having no reason to suspect the hacking, follows the directions and sends payment (ranging from thousands to millions) to a fraudulent account.  By the time everyone realizes what has happened, the hackers and the money are long gone.
Because EAC is a relatively new fraud phenomenon, very few courts have had the chance to consider and decide the issue of who amongst the affected parties will ultimately bear the loss.  Published legal decisions suggest that courts are tending to place liability on the party who was, in a given factual scenario, better able to prevent the fraud.
As governing legal doctrines are established, however, businesses are left to figure out how best to protect themselves from EAC and the resulting losses.  Thankfully, numerous means of protection from EAC schemes are available.  Three of the easiest are: (1) documentation, (2) communication and (3) insurance.
Prior to doing business with each other, vendors and their customers should memorialize the terms of their relationship in written contracts.  In addition to the typical terms one expects to see in contracts (e.g., scope of work, agreed upon price and timelines, etc.), authorized payment methods and allocation of risk should be included.  By agreeing up front as to how and where payments are to be made, the parties can ensure that any potential future EAC communications regarding payment will be immediately flagged and investigated.  Moreover, by delineating who bears the risk of loss, should computer systems be compromised and payments be diverted, the parties will understand the duties and obligations they owe to one another and will hopefully take the steps necessary to protect their systems.
When payments are owed and transfer of money between businesses is necessary, any emails received that contain directions for payments to be made to specific accounts or by certain methods should be verified prior to release of funds.  The employee responsible for initiating the transfer of funds should not simply trust the email, even when it appears to have been sent from a legitimate and verified email account.  Instead, they should personally reach out to the person who supposedly sent the email, either in person or via a telephone call, to confirm the directions are legitimate and the accounts actually belong to the company that is ultimately entitled to receive the payment.  Only after successfully verifying authenticity of the payment instructions should the person initiate the fund transfer.
Businesses can and should obtain cyber-security insurance riders (which are not automatically part of standard business insurance policies) that provide coverage for losses caused by EAC and other information security breaches.  Such policies provide an added layer of protection for companies when fraud is not timely discovered or prevented.  All businesses should ask their insurance agents to confirm what cyber-security insurance options are available to them.
Although EAC and other information security fraud will unfortunately continue to plague the business world, companies can, by implementing these recommended practices, often prevent and/or protect against the significant consequences they might otherwise face.
About this Author
For more than 20 years, Heather has focused her practice on commercial litigation. She has represented individuals, as well as businesses in a broad spectrum of industries, including contractors and manufacturers, financial institutions, luxury good retailers, real estate developers, closely held corporations, partnerships and publicly traded companies. Her clients have ranged in size from small start-ups to large global conglomerates and everything in between.
She has extensive litigation experience in a wide variety of legal disputes, including trademark and copyright infringement…
 

You are responsible for reading, understanding and agreeing to the National Law Review’s (NLR’s) and the National Law Forum LLC’s  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  
Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 
Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.
The National Law Review – National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Trending

Most Common QR Activation Code 001-$wag$-sfap49glta4b7hwyl5fsq-3802622129

source