Account Takeover and Business Email Compromise Fraud: Legally Puzzling Payments Problems

In a series of three articles, we will address the ascendency of account takeover (“ATO”) and business email compromise (“BEC”) fraud — the unfortunate occurrence where a payor or intended payee’s account is compromised, leading to the misdirection of payments to a threat actor.

Although variations are plentiful, there are two common fact patterns in which such fraudulent conduct occurs.

In the first, the threat actor gains access to or otherwise manipulates a payments platform associated with the payor (e.g., a payroll or accounts payable tool). The threat actor then causes payments or refunds to be redirected to an account to which he or she has access. Once the funds arrive, they are quickly withdrawn or sent elsewhere, allowing the threat actor to abscond with the proceeds before the payor or the platform can effectively claw back the funds.

In the second fact pattern, a payee’s business email account is compromised or impersonated. The threat actor, now posing as the payee or its representative (e.g., the head of the accounts payable department), sends alternate wire or ACH instructions — causing the payor to direct an otherwise planned payment to an account unassociated with the intended payee. By the time the intended payee inquires about its nonreceipt of funds, the threat actor has already redirected funds from the recipient account, leaving the payor “out” the payment and the intended payee without compensation.

In the next two installments of this series, we’ll explore each of the foregoing fact patterns and discuss how tribunals and lawmakers have attempted to allocate responsibility among the parties involved. Before engaging in that deep dive, however, we pause to acknowledge four attributes of ATO and BEC fraud that make the litigation and resolution of these disputes uniquely challenging.

First, in almost every instance, the “bad actor” who orchestrated the fraud is not before the decisionmaker. Their identities are concealed, and, even if known, they are frequently beyond the jurisdictional reach of the decision-making body. Thus, the parties coming before the court or arbitrator are the common victims of the same fraudulent scheme. Whether it is the intended payee that never received its funds, the payor who had funds misdirected based on faulty instructions, or the platform used to effect the transfers, no litigant can credibly be cast as the villain. Everyone before the tribunal is the victim. The court or arbitrator simply has the unenviable task of allocating the loss among parties wronged by a non-party criminal actor.

Second, the precise means used to effect the account takeover are often shrouded in mystery. How the threat actor managed to misappropriate email or account credentials is frequently unknown, even with the benefit of a forensic review. Whether through the use of sophisticated malware or more pedestrian efforts to cover their tracks, threat actors are skilled at obscuring the tactics they used to gain dominion over a party’s account. Thus, each party to the proceeding (and, if cyber coverage is involved, its insurer) reflexively presumes it was the other who had a security failing. Absent extensive discovery and forensic analysis, which can be extremely costly and often inconclusive, there will frequently be unresolved (and perhaps unresolvable) question marks around how the threat actor accomplished the fraud.

Third, with the benefit of 20/20 hindsight, virtually every party involved in the dispute could be said to bear some blame for failing to prevent the fraud. The intended payee could be accused of allowing its email systems to be compromised or of not contacting the payor more promptly about the non-receipt of an anticipated payment. The payor could be faulted for not reaching out by phone or videoconference to confirm the accuracy of payment credentials. (The rise of real-time “deep fakes” that call into question the effectiveness of even those efforts is beyond the scope of this series.) Alternatively, the payor could be accused of not taking more rigorous steps to monitor its account activity, such as by identifying anomalous transactions appearing on a dashboard or statement. Finally, a payments platform (again, with the benefit of hindsight) could be faulted for not spotting “red flags” that made the transactions at issue suspicious. Users who previously wanted the ability to make payments from anywhere, on any device, and with as few hurdles as possible, now decry the lack of friction, oversight, and roadblocks that they had once perceived as a feature (not a bug).

Fourth, and likely as a consequence of the foregoing, the outcomes of legal disputes involving ATO and BEC fraud have run the gamut. Courts do not always agree regarding what legal standard to apply. And even when ostensibly adopting the same “test,” courts faced with highly similar fact patterns have reached polar opposite conclusions regarding which party should bear the loss.

In our next installment, we will address the first of the two fact patterns referenced above — ATO fraud, where the threat actor gains improper access to a payments platform and engages in unauthorized transactions. After that, we will turn to the second scenario, in which the threat actor instead impersonates the payee and provides alternate (and fraudulent) payment instructions.