In 2024, for instance, Colorado lawyer and political figure Randy Corporon was sued by his client, Anne O’Riordan, as a result of a $375,000 wire transfer that was fraudulently misdirected to an account in Hong Kong. O’Riordan accused Corporon of failing to exercise “reasonable caution” before wiring the $375,000 divorce settlement to the Hong Kong account. O’Riordan alleged that a fraudster hacked Corporon’s email account and intercepted communications about the settlement, then tricked Corporon into wiring the funds to what he erroneously believed was O’Riordan’s investment account in Hong Kong.
Transactional lawyers are often viewed as being particularly susceptible to these scams because of their participation in deals requiring adherence to sometimes tight closing deadlines and involving the electronic transmission of significant sums of money to complete transactions. Take, for example, wire fraud in the context of a real estate transaction, as outlined by a lawyers professional liability insurer:
The scammer assumes the identity of a party to the transaction and uses an email address that appears to be from the legitimate sender. It could be an email from the “purported” real estate agent, mortgage broker, seller’s attorney, etc. The scammer may even have control over the person’s real email address or the email may use a similar, but slightly altered domain name . . . . With control over a person’s real email address, the scammer can obtain knowledge specific to the transaction, information about all the parties to the transaction, various timetables, etc.
The scammer has usually already had enough access to previously exchanged emails in the transaction to seem convincing to the attorney receiving the email . . . . The scammer will typically provide wire instructions or make some change to a previous wire transfer request. Sometimes, the scammer may even change the transaction details, such as account numbers or changing the original plan of having payment made by check to requiring payment via a wire transfer.
To circumvent normal channels that might uncover a fraud, the scammer will emphasize that “time is of the essence,” and that this matter is “urgent.” Typically, the scammer will use common business phrases . . . .
The attorney will then wire out the money for the closing . . . to the scammer’s account. The money is quickly transferred by the scammer to an overseas bank before the scam can be uncovered and stopped.
Litigators are equally susceptible to these schemes. Wired settlement funds are an appealing target for cybercriminals; an emergence of reported cases and disciplinary proceedings dealing with these incidents suggests that these frauds are on the rise. Consider the following scenario.
You defended a client in litigation that settled for $250,000. Payment was to be accomplished by a wire transfer from your client to the plaintiff’s lawyer’s bank account. Unbeknownst to everyone, a hacker penetrated the plaintiff’s lawyer’s systems. In short, the hacker perpetrated a “man in the middle” scheme in which the hacker intercepted email communications from the plaintiff’s lawyer to you and vice versa. Ultimately, posing as the plaintiff’s lawyer, the hacker emailed you wire transfer instructions for the settlement funds. You conveyed those instructions to the client, who wired the funds accordingly. Of course, the funds were wired to the hacker’s account rather than to the plaintiff’s lawyer’s account. Late the next day, the plaintiff’s lawyer called to complain about the delay in payment. Your follow-up quickly exposed the fraudulent scheme. Unfortunately, the client could not claw back the wired funds. The plaintiff’s lawyer now insists that your client send a check to accomplish the settlement. The client refuses to do so. The client further suggests that if anyone other than the plaintiff or its lawyer must bear the loss, it should be your firm for conveying the fraudulent wire transfer instructions. Does the maxim “the client is always right” apply here?
Instead, assume that the plaintiff’s lawyer had earlier learned that their firm’s email system was potentially compromised but did not tell you before the settlement. Alternatively, assume that before the email message containing the fraudulent wire transfer instructions was sent, the plaintiff’s lawyer sent you proper wire transfer instructions that differed from those sent by the hacker. You neither compared the two sets of instructions nor called the plaintiff’s lawyer to confirm the new instructions. Do the altered facts of either alternative scenario change the analysis of which party should bear the cost of the fraud?
The Impostor Rule
In answering these hypothetical questions, judicial guidance is scant. One court noted that there is a “dearth of authority” as to which party bears the loss where wired funds were fraudulently diverted by a hacker. The few courts that have addressed the allocation of responsibility for wire transfer frauds generally adhere to the “impostor rule” in some form. The impostor rule provides that “losses attributable to fraud should be borne by the party in the best position to prevent the fraud.” Which party was best positioned to prevent the fraud generally is a question of fact.
The impostor rule traces in part to sections 3-404 and 3-406 of the Uniform Commercial Code (UCC), which allocate liability for check forgery. Section 3-404 provides in relevant part:
(a) If an impostor, by use of the mails or otherwise, induces the issuer of an instrument to issue the instrument to the impostor, or to a person acting in concert with the impostor, by impersonating the payee of the instrument or a person authorized to act for the payee, an indorsement of the instrument by any person in the name of the payee is effective as the indorsement of the payee in favor of a person who, in good faith, pays the instrument or takes it for value or for collection.
. . . .
(d) With respect to an instrument to which subsection (a) or (b) applies, if a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.
Section 3-406 states:
(a) A person whose failure to exercise ordinary care substantially contributes to an alteration of an instrument or to the making of a forged signature on an instrument is precluded from asserting the alteration or the forgery against a person who, in good faith, pays the instrument or takes it for value or for collection.
(b) Under subsection (a), if the person asserting the preclusion fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss, the loss is allocated between the person precluded and the person asserting the preclusion according to the extent to which the failure of each to exercise ordinary care contributed to the loss.
(c) Under subsection (a), the burden of proving failure to exercise ordinary care is on the person asserting the preclusion. Under subsection (b), the burden of proving failure to exercise ordinary care is on the person precluded.
Of the courts applying the impostor rule, most rely on Article 3 of the UCC, with some courts also borrowing and incorporating other principles, such as common law contract and agency concepts. Some courts, however, decline to apply the impostor rule as set forth in sections 3-404 and 3-406 because Article 3 of the UCC governs only negotiable instruments, not contract disputes or wire transfers. Nonetheless, most courts tend to reason or find that liability should still rest with the party best positioned to prevent the fraud. At bottom, the outcome is most often the same regardless of whether the court applies the UCC’s impostor rule or general contract law principles. In fact, courts referring to sections 3-404 and 3-406 in allocating responsibility for fraudulent wire transfers are not actually applying the UCC; rather, they are analogizing check forgeries to email compromises in fashioning a remedy for the fraud at issue.
Disappearing Settlement Funds—Prior Knowledge of Compromised Email
A leading case on allocating liability for a fraudulent wire transfer, Bile v. RREMC, LLC, involved two law firms. A settlement payment was the target of the fraud.
Background and facts. Plaintiff Amangoua Bile sued defendants RREMC, LLC, and Denny’s, Inc., for employment discrimination. Bile was represented by Uduak Ubom of the Ubom Law Group, and RREMC was represented by Olaolowaposi Oshinowo and Vijay Mago of LeClairRyan, P.C. The case settled on July 21, 2015, for $65,000, with $63,000 to be paid without taxes being withheld. Under the terms of the settlement agreement, Bile was to dismiss the action within 10 days and the defendants were to pay him within 15 days.
On July 27, Ubom received an email from an aoi.com account, which attempted to mimic his client Bile’s legitimate aol.com address. That message asked that the $65,000 settlement be wired to a particular Barclay’s account in Bile’s name in London. Ubom called Bile to ask if he sent the email; Bile told Ubom that he had not. Ubom and Bile thus knew that a criminal had targeted the settlement for a fraudulent wire transfer. They also knew that Ubom Law Group’s email account was potentially compromised. Ubom deleted the fraudulent email without informing the LeClairRyan lawyers of the threat.
After signing the settlement agreement on July 21, Bile began demanding immediate payment, even though the agreement gave the defendants 15 days to pay. The defendants agreed to initiate payment on July 29 to avoid Bile attempting to renege on the settlement.
On July 29, Ubom and Oshinowo talked by phone and agreed that two checks—one for $63,000 sent by LeClairRyan and one for $2,000-less-withholding sent by RREMC—would be FedExed to Bile at his home. Oshinowo also told Ubom that it might be difficult to process the $63,000 check as quickly as Ubom and Bile hoped. The lawyers then agreed that Ubom would send confirmation of Bile’s home address to Oshinowo by email. Ubom, using the [email protected] email address, confirmed Bile’s home address to Oshinowo through an email message sent at 4:33 p.m. on July 29.
At 6:40 p.m. that day, Oshinowo received another email message from [email protected], requesting that the $63,000 payment be wired to a Barclay’s account in London. Oshinowo believed that this email and a second email that arrived soon thereafter were sent by Ubom because (1) the message’s salutation (addressing Oshinowo by a shortened form of his family name, “Posi,” and Mago by Mago’s given name) tracked Ubom’s previous emails; (2) the message “was consistent with Ubom’s error-prone typography”; (3) the email reiterated Bile’s and Ubom’s demand for prompt payment; (4) the email was consistent with an earlier conversation where Ubom promised to confirm certain details via email; and (5) the lawyers had communicated by email throughout the case. An expert hired by LeClairRyan would later testify that the header information in the payment email showed that the email authentically came from Yahoo’s servers, meaning that (1) the email came from [email protected] and was sent by someone with access to Ubom’s email account; and (2) nothing about the email’s header would have alerted Oshinowo that the email was sent by an impostor.
Oshinowo, believing that the email came from Ubom, initiated LeClairRyan’s internal procedures for a $63,000 wire transfer to the specified Barclay’s account. The wire transfer went through without incident.
On July 31, Bile called Ubom to complain that while he had received the $2,000 check, he had not received the remaining $63,000. Ubom then called Oshinowo, who told him that the money had been wired as instructed by his 6:40 p.m. email on July 29. Ubom denied that he or anyone in his office sent that message. LeClairRyan immediately tried to recall the $63,000 wire transfer but was unsuccessful.
The defendants refused to make another $63,000 payment, and Bile consequently refused to dismiss his lawsuit. The parties then filed cross-motions to enforce the settlement. In connection with their motions, the parties agreed that (1) the same fraudster who sent the July 27 aoi.com email to [email protected] also sent the July 29 6:40 p.m. email from [email protected] to Oshinowo; and (2) this fraudster controlled the Barclay’s account involved in the scam and transferred or withdrew the $63,000 prior to LeClairRyan’s recall attempt.
The court’s ruling. In resolving the dispute, the court found guidance in Article 3 of the UCC. The court reasoned that UCC sections 3-404 and 3-406, which address liability for check forgeries, injected into its wire transfer fraud analysis two important principles: first, “a party whose failure to take ordinary care results in loss must be the party to bear that loss”; and, second, “a blameless party is entitled to rely on reasonable representations, even when those reasonable representations are made by fraudsters.” Expanding on those principles:
[I]f Defendants’ agent, LeClairRyan, issued the wire transfer pursuant to Defendants’ agent’s own error or Defendants’ agent’s lack of ordinary care, then Defendants remain liable on the underlying obligation. Conversely, if Bile’s agent, Ubom, caused the wire transfer to be issued pursuant to Bile’s agent’s own error or Bile’s agent’s lack of ordinary care, then Bile is not entitled to collect on the underlying obligation. Defendants remain liable on the underlying obligation if the transfer of funds can be described as Defendants’ agent’s error rather than Bile’s agent’s error.
According to the court, Ubom, as Bile’s agent, failed to use ordinary care under the circumstances. His failure substantially contributed to the $63,000 loss.
Neither the parties nor the court could locate any authority for the proposition that a lawyer must notify opposing counsel when he knows that a third party has gained access to confidential information, such as the terms of a settlement agreement, or knows that settlement funds have been the target of an attempted fraud. “However,” the court reasoned, “the principle is an eminently sensible one.” As the court explained:
Two days before the fraud was perpetrated on LeClairRyan, both Ubom and Bile were aware that an unidentified third party had targeted the settlement funds for diversion . . . . Additionally, Bile and Ubom knew that [email protected] was being used in an effort to perpetrate the fraud. Ubom failed to pass this information along to Defendants, defense counsel, or the Court. This failure substantially contributed to the loss of $63,000.00 within the meaning of U.C.C. § 3-406. The Court finds it self-evident that if Oshinowo or Mago was aware: (1) that the settlement funds were the target of a malicious third party; (2) that the terms of the confidential Settlement Agreement had been accessed by a malicious third party; or (3) that a malicious third party was angling to redirect the settlement funds to a Barclay’s account when Bile had no such account, then Oshinowo would not have initiated the wire transfer on July 29, 2015.
The Bile court concluded that because Ubom failed to observe the ordinary care argued as the standard for the practice of law, and because that failure substantially contributed to the loss of the $63,000 in settlement funds, the principles developed in the UCC and associated case law required Bile to bear the loss.
In deciding that Bile should bear the cost of the wire transfer fraud, the court did not overlook Oshinowo’s role in the debacle. In examining Oshinowo’s actions, however, the court noted that unlike Bile and Ubom, Oshinowo had no reason to suspect that the July 29, 2015, 6:40 p.m. email from [email protected] was fraudulent until he spoke with Ubom on July 31, when it was too late to prevent the fraud. Although Oshinowo might have exercised greater care when he received the email directing the settlement funds to an overseas bank account, Article 3 does not require best practices—it only requires ordinary care, and there was no proof that Oshinowo did not exercise ordinary care. According to the court, “the simple fact [was] that Bile’s agent, Ubom, could have prevented the loss . . . by notifying opposing counsel on July 27, 2015 when he had actual knowledge of an attempted fraud, the known purpose of which was to lay hands on the settlement funds.” The court then stated what it considered to be a rule going forward: “[W]here an attorney has actual knowledge that a malicious third party is targeting one of his cases with fraudulent intent, the attorney must either alert opposing counsel or must bear the losses to which his failure substantially contributed.”
In conclusion, the Bile court held that the defendants substantially performed their obligations under the parties’ settlement agreement when they completed the fraudulent wire transfer. As a result, they were entitled to enforce the settlement.
Analysis. Bile is an unusual case because of Ubom’s and Bile’s awareness of the initial fraudulent email message concerning the settlement. The Bile court’s reasoning is also debatable. For instance, Bile lived in Virginia, yet the 6:40 p.m. email instructed Oshinowo to wire the settlement funds to a bank account in London. Moreover, Ubom and Oshinowo had never discussed payment by wire transfer; rather, they agreed that the settlement would be paid through two checks. Although Oshinowo had cautioned Ubom that it might be difficult to quickly process the $63,000 check, Ubom never proposed a wire transfer as an alternative. Under those circumstances, why didn’t ordinary care require Oshinowo to call Ubom to confirm the wiring instructions? Had Oshinowo made such a call, the fraud would have been avoided.
Furthermore, Bile was decided in 2016 when most lawyers probably did not appreciate the risk of wire transfer fraud as acutely as they do today. Law firms now routinely require lawyers to confirm wire transfer instructions before initiating a wire transfer. In short, steps that were not considered the exercise of ordinary care in 2016 likely constitute ordinary care today. There is a good argument that confirming all wire transfer instructions before initiating a transfer is the current standard of care for lawyers.
Stolen Settlement Funds—Failure to Verify Wire Instructions
Ostrich International Co., Ltd. v. Michael A. Edwards Group International Inc. is more typical of email scams targeting wired settlement funds. In contrast to Bile, the fraudster in Ostrich changed the wire transfer to a different account (as opposed to changing payment from a check to a wire), and the lawyer sending the payment instruction did not have prior notice that the account was being targeted. Although the analysis was similar to Bile, the Ostrich court reached a different result.
Background and facts. On May 18, 2022, plaintiff Ostrich International Co., Ltd., and various defendants and third-party defendants entered into a settlement agreement. The settlement agreement required third-party defendants AETCO, Inc., and Deepmala Sengupta (collectively, the defendants) to make three payments to Ostrich by July 1, August 1, and November 1. All payments were to be made by wire transfer to Ostrich’s bank account in Japan. Ostrich was represented by Theodore Dokko, and the defendants were represented by Tyler Brown.
On May 17, one day before the parties executed the settlement agreement, Brown received an email from Dokko’s email account. That email asked to have the settlement funds wired to Ostrich’s “US account rather than the previous account in Japan,” and it further advised that Dokko would revise the draft settlement agreement to reflect that change. Although the email came from Dokko’s email account, it was sent by a hacker who had infiltrated the account. The change in instructions was unbeknownst to Ostrich, which did not have a U.S. bank account. Unsurprisingly, the settlement agreement was never revised to reflect the fraudulent wire instructions, leaving the original instructions in place in the final, signed agreement.
Later, on June 14, Brown received a second fraudulent email from Dokko’s account. That email contained “updated” instructions to wire the funds to a different U.S. bank account. The June 14 email attached the parties’ settlement agreement, making the email appear authentic; however, the email also bore red flags such as grammatical and punctuation errors and a duplicated signature block.
On June 24 and June 29, Brown received more fraudulent emails. This time, they were from a “spoofed” email account with an address nearly identical to Dokko’s account. Those emails requested the status on payment, and the latter email once again included instructions to wire payment to a U.S. account.
On June 30, the defendants wired $111,379 to the account specified in the fraudulent wiring instructions. On July 5, Dokko first learned that his email was compromised during an email exchange with Brown, who advised that his clients had sent the settlement funds pursuant to “updated” wiring instructions. Thereafter, before the second payment was due, Dokko and Brown spoke on the phone to confirm wiring instructions. The second payment was received without issue. The third payment, however, was withheld by the defendants due to a dispute over the first payment and liability for the stolen funds.
Dokko’s law firm did not know how or when its email was compromised. The firm admitted that at some time before June 14, 2022 (and likely before the first fraudulent email on May 17), the hacker accessed and monitored Dokko’s email, and even “set up mailbox rules to intercept, hide, and reply to case emails, posing as Mr. Dokko.” The firm acknowledged that it had a security incident a year prior, in August 2021, but it maintained that the incidents were not related.
Ultimately, Ostrich never received the first (stolen) and third (withheld) settlement payments. Ostrich then moved to enforce the settlement, which the defendants opposed.
The court’s ruling. In analyzing who bears the risk of loss for the fraud, the court first evaluated the contract. The court noted that the settlement agreement required the settlement funds to be sent to Ostrich’s account in Japan. It also noted that the agreement, by its own terms, could be modified only by written agreement signed by both parties (which, of course, did not happen). As such, the court found that the defendants violated the settlement agreement.
The court then inquired whether the third-party fraud could serve as a defense. The defendants cited no controlling legal authority to excuse their nonperformance, but argued that Ostrich was in a better position to prevent the fraud. The court construed the defendants’ argument as invoking the “doctrine of mistake”—i.e., a mistaken belief as to a material aspect of the contract, where the mistake is not caused by the neglect of a legal duty on the person making the mistake. Under California law, the doctrine of mistake may allow rescission of the contract, or if rescission is impractical or impossible, “courts may allocate the risk of loss to the party ‘best able to avoid it’ when ‘it is reasonable in the circumstances to do so.’”
The court then looked to out-of-circuit cases addressing which party bears the risk of loss caused by the interception of emails by a hacker. The court, relying on two federal district court cases, formulated two guiding principles:
First, “parties who know or should have known that their email account is at risk of being hacked [are] in the best position to prevent the fraud.” Citing Bile, the court suggested that if a party (including a law firm) knows that a hacker is targeting the settlement funds or that its email account may be compromised, it should (at the very least) “scrupulously monitor its emails” and alert the opposing party and its counsel of the scheme.
Second, “[a] party who receives conflicting wiring instructions may reasonably avoid losses due to fraud by calling the other party to confirm the correct instructions.” Red flags that should alert a recipient to potential fraud may include instructions changing the beneficiary, bank, location, or account information. The court suggested that, in such a scenario, calling to confirm instructions would be an exercise of reasonable care expected to prevent a loss.
Applying these principles, the court concluded that the defendants were in the best position to prevent the harm. Although Dokko’s firm was responsible for the security of its own email accounts, the firm was not on notice of the scheme and was reasonably unaware that it was being targeted. The court emphasized the hacker’s sophistication and persistence in intercepting and hiding incoming emails, such that Dokko “had no reason to suspect there was fraud afoot.”
Conversely, the court concluded that Brown could have more easily avoided the loss by simply calling Dokko to confirm the wire instructions. The court emphasized that the fraudulent instructions conflicted with those in the final, written settlement agreement. The court further reasoned that the multiple, conflicting instructions and minor errors in the emails should have prompted Brown to confirm the instructions before having his client wire a substantial sum of money. Moreover, if Brown had carefully evaluated the email addresses of the wire instruction emails, the fraud would have been revealed because the addresses did not match.
After weighing the facts, the Ostrich court concluded that Brown, while not negligent, nonetheless “was in the better position to prevent the fraud” and avoid the loss. Thus, the court allocated the risk of loss to the defendants, finding them in breach of the settlement agreement.
Analysis. The Ostrich result is consistent with the majority view. Unlike the court in Bile, however, the Ostrich court did not refer to or borrow reasoning from the UCC. Instead, the Ostrich court applied state law contract principles in framing the same, basic inquiry: What party was in the best position to prevent the harm? Ostrich makes clear that a party cannot bury its head in the sand. If a party knows or reasonably should know that it is a target of a scam or that its email or a correspondent’s email has been compromised, that party is best positioned to avoid a loss, such as by exercising increased vigilance and notifying other interested parties. Conversely, a recipient of payment instructions should be alert for red flags, and if detected, it should call and verify the authenticity of the instructions. Ostrich suggests that not doing so would be a failure to exercise reasonable care.
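The two principles the Ostrich court drew, together with the facts of Bile (where the message came from counsel’s real account), can be expressed as a pre-payment screen. The following Python is an added example, not part of the original article; `PaymentInstructions` and `screen` are hypothetical names, and every address, bank name and account number is constructed.

```python
"""Added example: screen a payment-instruction email before money moves.
All addresses, names and account numbers below are constructed."""
from dataclasses import dataclass, fields
from typing import Optional


@dataclass(frozen=True)
class PaymentInstructions:
    method: str                     # "check" or "wire"
    beneficiary: str
    bank: Optional[str] = None
    country: Optional[str] = None
    account: Optional[str] = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical sender addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(value) -> str:
    """Ignore case, spacing and punctuation so reformatting is not a 'change'."""
    return "" if value is None else "".join(
        ch for ch in str(value).casefold() if ch.isalnum())


def screen(sender: str, address_on_file: str,
           on_file: PaymentInstructions, received: PaymentInstructions) -> dict:
    """Compare an emailed instruction with what the signed agreement says.

    Any flag means: hold the payment and confirm by telephone, using a number
    taken from the file and not from the email under review.
    """
    flags = []
    s, known = sender.strip().lower(), address_on_file.strip().lower()
    if s != known:
        near = edit_distance(s, known) <= 2
        flags.append("lookalike sender address" if near else "sender not on file")
    # A matching sender proves little: in Bile the message came from the real,
    # compromised account, so every field is compared regardless of sender.
    for f in fields(PaymentInstructions):
        if _norm(getattr(on_file, f.name)) != _norm(getattr(received, f.name)):
            flags.append(f"{f.name} changed")
    return {"flags": flags, "hold_for_callback": bool(flags)}


# --- constructed sample data -------------------------------------------------
COUNSEL = "counsel@lawfirm.example"        # address on file
LOOKALIKE = "counsel@lawfrm.example"       # one character dropped
ON_FILE = PaymentInstructions("wire", "Plaintiff Co., Ltd.",
                              "Example Bank Tokyo", "JP", "0001-2345-678")
CHECK_ON_FILE = PaymentInstructions("check", "Plaintiff Co., Ltd.")
CHANGED = PaymentInstructions("wire", "Plaintiff Co., Ltd.",
                              "Example Bank Austin", "US", "9988776655")
SAME_REFORMATTED = PaymentInstructions("WIRE", "plaintiff co., ltd.",
                                       "Example Bank Tokyo", "jp", "0001 2345 678")

if __name__ == "__main__":
    cases = {
        "lookalike sender, new US account": (LOOKALIKE, COUNSEL, ON_FILE, CHANGED),
        "genuine account, check switched to wire": (COUNSEL, COUNSEL, CHECK_ON_FILE, CHANGED),
        "genuine account, same instructions": (COUNSEL, COUNSEL, ON_FILE, SAME_REFORMATTED),
    }
    for label, args in cases.items():
        print(label, "->", screen(*args))
```

The second case is the one header inspection cannot catch: the sender address is genuine, so only the comparison against the instructions on file triggers the hold.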
Cementing Fault by Failing to Verify Wiring Instructions
Wire fraud cases outside the settlement payment context further illustrate these schemes. A leading case, Jetcrete North America LP v. Austin Truck & Equipment, Ltd., also involved a swindle via changed wire transfer instructions. Although it reached a result similar to that in Ostrich, the Jetcrete court analyzed the UCC’s impostor rule to get there.
Background and facts. In June 2018, Jetcrete North America LP urgently needed to acquire three cement trucks. On June 11, Richard Miranda of Jetcrete called Austin Truck & Equipment to inquire about buying the trucks. He was routed to Austin salesperson James Walpole. For the next two days, Miranda and Walpole negotiated over the phone and by email and finally agreed that Austin would sell Jetcrete three new trucks for $518,124.18. Employees of Jetcrete’s parent company, Thyssen Mining Inc., were included in the email traffic because Thyssen handled purchasing for Jetcrete.
On June 13, Walpole emailed wiring instructions to Miranda concerning a $6,000 deposit. Walpole instructed Miranda to wire the deposit to Freightliner of Austin’s account at JP Morgan Chase Bank in Austin, Texas. Thyssen wired the funds that day. The next day, Walpole emailed Miranda to confirm receipt of the funds.
At some unknown time, someone hacked into Walpole’s email account. On June 15, Walpole and Judy Schwartz of Thyssen exchanged purchase orders and invoices to finalize the parties’ deal. Almost immediately thereafter, Miranda received an email, purportedly from Walpole, which said:
FYI, you have the old wiring instructions which can only accommodate deposits in smaller amounts. we only use those for purchases less than $50k, reason why i sent it for the $6,000. I will send you our other wiring instructions or the balance due first thing Monday morning. Waiting to get it from accounting.
Thanks,
James
Although the message came from Walpole’s correct email address, it was written by the hacker.
Walpole soon emailed Miranda and Schwartz to confirm the total purchase price and attached a PDF document with wiring instructions for payment of the $512,124.18 balance. Those wiring instructions were the same ones used for the $6,000 deposit. Again, Miranda and Schwartz almost immediately received another message from Walpole’s email address that was part of the same email string that said:
I’m sorry to have sent the old wiring instructions again. please ignore the wiring instructions in my previous email. we stopped using those for larger purchases as explained to Richard earlier. I will be sending the updated info shortly or first thing Monday morning. I apologize for the mix up
Thanks,
James
Unbeknownst to Miranda and Schwartz, the hacker also authored this email message.
Early on Monday, June 18, the hacker, masquerading as Walpole, sent another email to Miranda and Schwartz attaching fraudulent wiring instructions that directed Jetcrete to wire the balance of the purchase price to National Equipment & Trucking’s account at Bank of America in Austin, Texas. On June 19, Thyssen wired $512,124.18 to National’s account. That afternoon, Miranda emailed Walpole to tell him that the funds had been wired. Walpole did not receive that email because the hacker intercepted it. Once again masquerading as Walpole, the hacker emailed Miranda the next morning to say that Austin had received the funds.
On June 20, Miranda emailed Walpole to ask when the trucks would be delivered. The hacker intercepted this and other emails to Walpole over the next few days and replied in a fashion that led Miranda to believe everything was in order. Finally, on June 26, the parties realized that Walpole’s email had been hacked and that the wired funds had been stolen.
Jetcrete could not recover the wired funds. Because Jetcrete needed the trucks for the mining project, it acceded to Austin’s demand that it wire another $512,124.18 to complete the purchase. After Jetcrete did so, Austin delivered the trucks. Jetcrete then sued Austin on various theories to recover the duplicate payment, including breach of contract.
The court’s ruling. Because Austin delivered the trucks after it was fully paid, Jetcrete could not prove that Austin breached their contract. But, Jetcrete argued, the real issue was who should bear the loss of the stolen funds. Jetcrete contended that resolution of this issue was governed by the UCC because the parties’ contract involved the sale of goods. Jetcrete further contended that, under the UCC’s impostor rule, Austin was in the best position to avoid the loss by taking reasonable security measures to prevent the hack of Walpole’s email. Jetcrete argued that Miranda could not have known that some of the emails he received from Walpole’s account were fraudulent. In comparison, Walpole had received fraudulent emails that contained warning signs such as misspelled domain names that should have signaled that his email account was compromised.
Austin contended that the UCC did not apply because it governs negotiable instruments rather than wired funds. Plus, some of the emails Miranda received contained warning signs of fraud (such as poor grammar and punctuation and varying font sizes), so Miranda was as much at fault as Walpole. Austin also argued that it took reasonable security measures by employing an IT consultant, installing Symantec virus scanner software on its system, and hosting its email server at a respected provider of such services. According to Austin, “Jetcrete was in the best position to avoid the loss by simply calling Austin to verify the wiring instructions. By not doing so, Jetcrete failed to exercise reasonable care, therefore causing the loss.”
The Jetcrete court agreed with Austin. Even if Austin’s conduct was imperfect, its mistakes had to be weighed against Jetcrete’s failure to exercise reasonable care. Here, after Miranda and Schwartz received the fake email messages changing the wiring instructions, neither anyone at Jetcrete nor anyone at Thyssen verified the new instructions. A telephone call to Walpole or anyone else at Austin would have exposed the fraud and avoided the loss. “The failure to do so [was] especially disconcerting after Jetcrete received conflicting email instructions within minutes of each other.”
Although the hack of Walpole’s email account laid the foundation for the loss, Jetcrete was best positioned to prevent the loss by calling Austin to verify the wiring instructions. The court thus concluded that Jetcrete should bear the loss.
Analysis. The Jetcrete court reached the right result. The multiple emails ostensibly sent by Walpole changing the wiring instructions for the purchase funds were red flags. Miranda or Schwartz easily could have called Walpole to verify the new instructions. Had they done so, they would have exposed the hacker’s scheme and avoided the loss. In short, and as the court concluded, Jetcrete was in the best position to avoid the loss.
Professional Liability and Responsibility Implications for Lawyers
Wire fraud schemes pose serious professional liability and responsibility risks for lawyers and law firms.
Professional liability. First, and most apparent, is financial liability. If a client is victimized by a fraudulent wire transfer, that liability may be attributable to some fault of the client’s lawyer or law firm, whether due to a security breach or other failure by the lawyer. If so, the client will likely look to the lawyer and firm to recoup that loss. Depending on the amount of the wire, the lawyer’s or firm’s exposure could be substantial. Additional damages may be claimed as a result of a failed transaction or settlement, as well as potential claims for attorney fees and costs by aggrieved parties trying to rectify the situation.
Professional responsibility. Beyond potential financial loss, wire fraud and hacking schemes also implicate ethical concerns and, in turn, potential professional discipline. Chief among the applicable considerations are lawyers’ ethical duties of competence and confidentiality.
Lawyers’ duty of competence extends to technological competence. Under Rule 1.1 of the ABA Model Rules of Professional Conduct, lawyers must provide competent representation to a client, which requires appropriate legal knowledge, skill, thoroughness, and preparation necessary for the representation. This includes an obligation to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Under Model Rule 1.1, not only are lawyers required to understand technologies that are being used to deliver legal services to their clients, but they must also “use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.”
Lawyers’ duty of confidentiality complements the duty of technological competence. Model Rule 1.6(a) broadly mandates that “[a] lawyer shall not reveal information relating to the representation of a client” absent certain exceptions. Further, under Model Rule 1.6(c), a lawyer must “make reasonable efforts” to safeguard client information to prevent unauthorized access by third parties or inadvertent or unauthorized disclosure. Those obligations extend to the use of technology; lawyers must exercise reasonable efforts to protect client information when using electronic communications and other technological tools. What actions or decisions constitute “reasonable efforts” depends on the facts. As it relates to cybersecurity, general standards for “reasonable efforts” are emerging that focus on processes—namely, processes to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated for new developments.
Recommendations for Lawyers and Law Firms
Wire transfer fraud poses a serious threat to lawyers and law firms. Accordingly, law firms should require lawyers and staff members to authenticate all wire transfer requests. No one should ever initiate a wire transfer based solely on an email request. Changed wire transfer instructions raise particular red flags. Regardless, a lawyer or staff member should always call the requesting party to verify the legitimacy and accuracy of the request before initiating the transfer. Even wire transfer requests from colleagues within the firm should be confirmed by telephone or in person.
When calling to authenticate a wire transfer request sent by email, a lawyer or staff member should independently verify the correct telephone number for the requesting party. The telephone number in the sender’s email message or signature block should not be used, as a hacker could change it. Rather, the person responsible for confirming the legitimacy of the request should use the telephone number on file for the requesting party or look up the party’s number from an independent, reliable source.
If a wire transfer request seems suspicious even after calling the requesting party to confirm its legitimacy and accuracy, the lawyer or staff member should verbally confirm the wire transfer request with a second person at the requesting party’s company or firm. In the alternative, the lawyer or staff member should insist that the requesting party make the request in writing on its letterhead and fax the request to the firm. A scammer is unlikely to have a copy of the requesting party’s letterhead, and the fax number is also subject to independent verification.
Finally, avoid serving as an escrow agent or otherwise holding clients’ funds in escrow whenever possible. Holding funds in escrow invariably leads to the need to transfer those funds to another party by wire, which in turn creates opportunities for fraud.
Conclusion
Many law firms have implemented the recommended safeguards outlined in this article. Today, lawyers are much more sensitive to the risks posed by fraudulent wire transfers than they were just a few years ago. Unfortunately, though, email scams continue to multiply, and not all lawyers are as alert to potential frauds as they should be. Vigilance and verification are necessary to protect lawyers against potentially significant liability to their clients and third parties, and to ensure that lawyers are satisfying their ethical obligations. When in doubt, lawyers should pick up the phone.