Business Email Compromise and Wire Transfer Fraud – is the bank liable?

Epps & Coulson Logo

Business Email Compromise and Wire Transfer Fraud – is the bank liable?

If anyone in your organization handles financial transactions, invoice, or payroll changes over email, these types of transfers are at risk to wire fraud, which occurs when a hacker impersonates one of the parties and deceives the other party into sending a payment to the hacker’s account.  The Dark Web criminals target sophisticated social engineering attacks by tracking anyone who can authorize or redirect payments or financial transactions before a final monetary transaction ever occurs and then inserting themselves into the communication, typically via email.

Business Email Compromise (“BEC”) in simple words can either be domestic or international and tracking the hacker is nearly impossible.  Once a wire is complete, the hacker disappears with the money while the payee and payor are left short-handed.  According to the FBI’s internet crime complaint center these types of crimes have seen a rapid increase and the BEC schemes continue to be the costliest, with losses exceeding $1.8 Billion in 2021 alone.

Businesses should be on high alert and assume that some despicable third party is in your email server waiting to pounce.  When your leadership, HR staff, salespeople and executives receive an email coming from “within” your company directing a financial transaction, it is a mistake to automatically assume it is legitimate, especially if an email is claiming a new bank account number.  Businesses can take steps to assure these are valid requests and implement multi-factor authentication (“MFA”) policies to eliminate the possibility that your business will be the victim of a financial crime.  Some of these policies may include your business:

  •      •Implement a cybersecurity policy and check of email filters to help block malicious messages with common fraud-related keywords from untrusted sources and newly registered domains, which serve as a first line of defense;
  •      •Train and enforce users in the business of all company policies;
  •      •Require verbal confirmation from the party sending the email and make a phone call prior to executing any transaction to assure the party sending the email did in fact request it;
  •      •Require a wet signature on a document including a double check of the bank routing and account number;
  •      •Require the bank to contact you prior to executing any transaction above a certain amount in order to confirm its legitimacy, as well as the account number(s) the transaction is where the funds are to be sent.


Unfortunately, in this environment, it is incumbent upon businesses to be vigilant when dealing with bank wire transfers.  Banks are heavily protected under U.S. law and the chance to recover against the bank is extremely slim.  Section 4A of the Uniform Commercial Code (UCC) governs fund transfers and defines the rights, liabilities, and duties of the parties involved.  Under the UCC, banks are not liable for unauthorized transfers from non-consumer accounts unless the bank and depositor agree to use a commercially reasonable security procedure to verify wire transfer requests before they are sent.  In order to legally establish a claim against the bank, a company would have to show the existence and breach of a duty on the part of the bank.  In the case of wire fraud, if a bank does not owe a duty to the payee (or payor), then the bank cannot be found negligent and typically, without some other written agreement with the bank, the bank only owes a duty to its receiving party – the hacker.

Businesses should review business insurance policies to determine whether financial losses due to cybersecurity fraud are covered.

Here at Epps & Coulson, LLP we understand that these business email policies may be part of the front line of defense.  We are available to advise – Dawn:

Information contained in this Memo is intended for informational and educational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.  It is considered advertising under laws of some states.  Epps & Coulson, LLP encourages you to call to discuss these matters as they apply to you or your business.

Attorneys admitted to practice in
California, New York, Colorado, Texas, and Oregon