The Growing Threat of Business Email Compromise to Public and Private Construction Projects


All companies are under increasing threat of cybercrime, especially as it relates to making payments to others. In particular, business email compromise, in which a malicious party targets a business performing a transfer of funds in order to defraud the company, is an ever-growing threat to organizations of all sizes and across all industries. Several forms of business email compromise exist, but such schemes typically involve the use of email – whether a spoofed email or an email from a hacked legitimate business email account – to send fraudulent payment instructions directing payment to an account held by the fraudsters.

Companies in the construction industry are particularly susceptible to hackers because large sums of money change hands frequently throughout the course of a single project. Construction contractors also rely heavily on email communication, making the construction industry vulnerable to business email compromises and phishing attacks. In a recent matter, a contractor and property tenant fell victim to a hacker, resulting in payments diverted from the tenant to the hacker, instead of to the contractor. The contractor sued the tenant for breach of contract due to lack of payment on two projects, the tenant having made payments to a hacker upon receiving fraudulent wire instructions via email. The tenant's defense was that it had already made payment in full for the projects, and it argued it was not obligated to pay twice. Neither party agreed to bear any responsibility for the loss.

Liability for payments intercepted by a hacker is a developing area of the law. Most courts that have addressed the issue in written opinions to date hold that when a payment is intercepted via fraudulent payment instructions by a third-party hacker, the party that was in the best position to avoid the loss bears the responsibility for the loss. This is most often the party that made the fraudulent payment, particularly if that party failed to take reasonable measures to confirm the fraudulent payment instructions. That is so even where the payee was the hacked party, as long as the payee had reasonable measures in place to prevent a hack.

In the matter we handled, our client, the contractor, had taken reasonable steps to secure its email and information technology systems against hackers, including conducting regular employee trainings on how to avoid business email compromises and phishing attacks, employing a dedicated IT systems administrator, and retaining a third-party IT firm to monitor its systems. The tenant, on the other hand, did not take reasonable measures to verify the new payment instructions, even though all payments had previously been made by check – nor did it cease making payments to the hacker even after repeated inquiries from the contractor as to non-payment. We argued on behalf of the contractor that the tenant was in the best position to avoid the loss because it had received the fraudulent payment instructions, but failed to take any measures to verify those instructions. The parties ultimately agreed to settle the matter on undisclosed terms.

Contractors that suspect they have become the victim of a business email compromise attack should immediately report the cybercrime to the FBI using www.ic3.gov. They should also immediately contact their bank, legal counsel, and insurers to provide notice of the issue and formulate a plan of action to attempt to minimize the damage and recover any stolen funds. Time is of the essence. The quicker a business email compromise scheme is reported, the more likely a victim will be able to recover any fraudulently diverted funds.

The volume of these cases will continue to rise as business email compromise sweeps through susceptible companies and hackers become more sophisticated. In most cases, but especially in cybercrime, the best offense is a good defense. When it comes to the construction industry, that means maintaining excellent IT systems and cybersecurity protocols, drafting explicit and enforceable contracts, and having experienced legal counsel on your team.