- A state appellate court fault to an escrow agent handling transaction proceeds that were diverted through a phishing scam.
- The jury was permitted to refuse to assign any liability to the fraudster.
- Evolving technology risks warrant new and better protective measures.
A state appellate court upheld a jury’s apportionment of 100 percent fault to an escrow agent handling transaction proceeds that were fraudulently diverted through an email phishing scam. The court held that the jury was permitted to refuse to assign any liability to the fraudster, even though state law required the jury to “consider” the fault of all persons who contributed to the injury. ABA Litigation Section leaders recognize the growing risks of cyber fraud and suggest measures to mitigate liability for losses from such scams.
Anatomy of a Phishing Scam
In Mago v. Arizona Escrow & Fin. Corp., the defendant acted as the escrow agent for the purchase and sale of a business. After the escrow account was opened and the buyer deposited the purchase price, an imposter hacked the buyer’s email account. After the hack, the imposter created an email address that matched the sellers’ email address except for an inconspicuous two-letter typo.
The imposter subsequently discussed the purchase with the buyer by email, but without including the escrow agent in the email chain. Shortly thereafter, the imposter emailed wiring instructions to the escrow agent, copying the buyer on the email. Neither the buyer nor the escrow agent noticed the slightly different email address used by the imposter. The escrow agent questioned the wiring instructions because the name on the bank account provided in the imposter’s email was different than the sellers’ name or any other entity related to the transaction. Upon being requested by the escrow agent for authority for the wire transfer, the buyer instructed the escrow agent to release the funds to the seller.
Without further verifying the wiring information, the escrow agent released the funds and emailed confirmation of the wire transfer to the buyer and the imposter later that day. Ultimately, the sale did not go through, and the funds were never recovered.
Pursuing Scammer May Not Be an Option
The buyer subsequently sued the escrow agent alleging, among other things, negligence and breach of fiduciary duty. Notably, the imposter was not a party to the litigation. The negligence and breach of fiduciary duty claims were tried to a jury which rendered a verdict in the buyer’s favor, finding the escrow agent 100 percent liable for the loss. The escrow agent appealed the jury’s failure to apportion any fault to the imposter.
Arizona law requires juries to “consider the fault of all persons who contributed to [an] alleged injury . . . regardless of whether the person was, or could have been, named as a party to the suit.” On appeal, the escrow agent argued that the statute required the jury to assess some fault against the imposter. However, the Arizona Court of Appeals stated that “the statute requires only that a jury consider fault; it does not obligate a jury to assign a percentage of fault to every person it considers.”
A key aspect of Mago is the absence of the primary bad actor—the person perpetrating the phishing scam. “Almost any reasonable person would assume that a person who committed a fraud should be responsible for loss associated with the fraud. But fraudsters are not always easy to find, and not always easy to hold financially responsible,” observes Elisabeth Feeney, Los Angeles, CA, cochair of the Payment Systems Litigation Subcommittee of the Litigation Section’s Commercial & Business Litigation Committee.
Proactive Measures to Reduce Cyber Fraud Risks
“The FBI’s Annual Internet Crime Report indicates that email compromise crimes resulted in losses exceeding $2.4 billion in 2022,” notes Nelida Lara, White Plains, NY, cochair of the Data Security Subcommittee of Section's Commercial & Business Litigation Committee. “The legal profession is increasingly acknowledging that a basic understanding of cybersecurity, privacy, and data protection issues is essential in the practice of law, leading to such measures as requiring continuing legal education in technology,” Lara asserts.
Evolving technology risks warrant new and better protective measures. “As bad actors increasingly exploit potential weaknesses in the distribution and settlement of funds, intermediaries should consider security enhancements to their own policies and the inclusion of contractual terms addressing their rights and obligations in the face of these account-compromise events,” suggests Edward A. Marshall, Atlanta, GA, cochair of the Payment Systems Litigation Subcommittee.
“To stay on top of fraud prevention, parties should prioritize comprehensive training regarding fraud risks and preventive measures, verify wire instructions carefully, and stay informed about cyberattacks as scammers have expanded beyond email scams, such as exploiting virtual meeting platforms,” recommends Lara. “Encourage all transactions to be supported by proper due diligence and maintain data security standards,” cautions Feeney.
- Gregory Szewczyk and Sarah Dannecker, “Reasonable Security Measures: The Next Focus in Data Breach Litigation,” Consumer Litig. (Aug. 25, 2022).
- Leonard Wills, “A Brief Guide to Handling a Cyber Incident,” Minority Trial Lawyer (Feb. 27, 2019).
- John Pitblado, “Phishing for Fidelity Coverage,” Ins. Coverage (Feb. 2, 2018).