The FBI’s Internet Crime Complaint Center has released its 2018 annual report, which includes statistics that internet-enabled theft, wire fraud and exploitation were responsible for a staggering $2.7 billion in financial losses in 2018. If you are involved in transactional work, this can happen to you.
Reports detail an increasingly common story of wire fraud accompanying large sum transactions. The story line often includes a spoofed email invoice in connection with closing, which instructs one party to wire closing related expenses to a fraudulent account. As a result of the detailed and convincing invoice, one party loses their funds forever when they wire a large sum to the hacker’s offshore account.
What are the courts saying?
Recent news reported on a story about a hack that took place during a real estate closing. A law firm forwarded money to Deutsche Bank in accordance with instructions from a mortgage company. Through “mimicking” the e-mail address that the lender used, the hacker provided fraudulent wiring instructions to the law firm.
In rejecting the law firm’s complaint against the lender, the U.S. District Court for the Eastern District of Virginia ruled that state law does not allow companies to bring negligence claims against organizations that are hit with a data breach based on “a duty to safeguard the private information of another individual.” The court observed that its decision rests on a developing area of law: “whether or how to impose liability on a party whose potentially negligent conduct flows from a data breach.” Courts have come down on both sides of the issue, giving companies little clarity on who is liable for negligence after a data breach.
Red flags to watch for:
Above all, verifying the wire instructions verbally with the creditor/vendor can easily prevent loss in such scenarios. Through quick communication, parties can discover incorrect bank account information and avoid wire fraud. There are many indicia that point to suspicious e-mailed (or faxed) instructions. Here are a few red flags to keep in mind:
- A message from a Gmail or Hotmail account, especially late in a transaction
- A slight misspelling of words in the sender’s address or message
- Instructions that direct a wire to a foreign account, an account without the payee’s proper name, or an unknown bank
- Changing wire instructions
- Any “rush” transaction
These cases demonstrate the importance of maintaining adequate cyber insurance and the necessity of independently verifying all wire instructions transmitted through non-secure servers. Finally, calling a known telephone number is typically the safest way to verify information with any party to a matter.