Who Is Liable for Lost Money in a Cyber Scam?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Business Review
February 29, 2024

Disaster has struck. One of your employees was tricked into changing the account for payments to your biggest vendor, sending a series of payments to a fraudulent account, and now the vendor has cut you off until you pay the outstanding balance of hundreds of thousands of dollars. Or, perhaps your largest customer was duped in the same way and now is refusing to pay you, claiming that you caused the loss because your email system was hacked.

And the scams get worse. For example, maybe you (or your real estate agent or law firm) were tricked into sending the funds intended to purchase property or a business to a fraudulent account, and now the sellers are refusing to proceed without payment. Worse yet, your elderly parent may have lost his or her retirement savings in a romance scheme, or sent tens of thousands of dollars via a Bitcoin ATM in a phone scam.

These and many other types of electronic funds transfer (EFT) fraud are prolific. Yet, most people think this could not happen to them – until it does. Businesses need to adopt safeguards to avoid EFT fraud, but that is a topic for another article. The purpose of this article is to explain how to potentially recover lost funds and, when that is not possible, who bears liability.

Speed is critical. Funds often can be recovered in whole or in part if proper actions are taken within 24 to 72 hours. Notifying the transferor and recipient banks is sometimes enough to freeze the funds there before the thieves can extract them or transfer them to other banks. Notifying federal law enforcement also may be necessary, both to freeze funds that have already been transferred to other banks and to ensure that seized funds are returned to the payor.

Cyber crime insurance is the next step to recover funds not returned through the financial system. But that insurance (i.e., coverage for lost money) is not the same as, or as common as, cyber liability insurance, which covers the costs associated with compromised information, such as in a network intrusion or ransom incident. Many businesses have not purchased cyber crime insurance and are unaware that they should have it. Moreover, if a business does have such insurance, the policy limit is often low (e.g., from $25,000 to $100,000), and a policy with a higher limit in the range of $250,000 or more can be costly.

So, if funds cannot be recovered from the banks and if there is no (or insufficient) cyber crime insurance to cover the loss, who bears liability? You might think that the banks are culpable. For example, if the payor instructs that the EFT be made to a particular payee using a particular account number, and that account is not in the name of that payee, then the banks might have prevented the fraud. But allocating liability to banks would impair the EFT system, since the name on an account often does not match the name of the payee, which would result in many false positives. As a result, most states have adopted a provision of the Uniform Commercial Code that absolves a bank of liability unless it knows that the account holder is not the intended payee. Moreover, even if a bank does bear some responsibility for EFT fraud, it is cost prohibitive for many businesses to pursue litigation to recover from a bank.

You also might think that, if one party’s email system was hacked, that party should bear the liability. For example, a thief gains access to an accounts receivable (A/R) employee’s email, monitors communications with customers to identify significant upcoming payments, then sends an email to the customer from the A/R employee’s email altering the payment instructions and directing the customer to pay the thief’s bank account. Make no mistake – hackers perpetrating this type of EFT fraud are often highly sophisticated, subtle, and convincing.

While allocating liability to the hacked party would be an easy bright line rule, it is not the rule that has developed, primarily for two reasons. First, while the hacked party may (or may not) have failed to implement proper safeguards to prevent an email intrusion, the party that complied with the fraudulent payment instruction may be equally or more culpable. For example, communications from the thief may have red flags (such as linguistic errors, email format inconsistencies, etc.), the bank account may bear indicia of fraud (such as a bank that is distant from the payee’s location or an account with a name that bears no relationship to the payee), and there may be a multitude of other facts that should lead the payor to question the situation.

Second, in some types of EFT fraud, neither party was hacked, such as when thieves engage in spoofing by using an email domain that differs almost unnoticeably from the email domain of the intended payee, or disguise their email account so that it appears to be the real email of the intended payee. Similarly, in some EFT fraud, both the payor and the payee were hacked.

As a result, the prevailing rule is that the party who was in the best position to avoid the fraud bears liability. This heavily fact-based approach could allocate liability to the payor, the payee, or potentially other involved parties, such as real estate and title agents, legal and accounting firms, payroll and accounts payable services, information technology providers, etc.

While the prevailing rule fosters fairness, it also creates inefficiencies. For example, it is often unclear which party was best able to avoid the fraud because both bear some responsibility, and the cost to litigate these disputes can be disproportionate to or even exceed the amount of the loss. Thus, unless liability for EFT fraud has been allocated by contract, the most common result is that the parties negotiate a division of the liability and move on. Also, opportunities exist to defray the impact of the loss if the parties continue to engage in ongoing business.

At the risk of stating the obvious, the intractability of these situations should move businesses to adopt measures to reduce the risk of EFT fraud and invest in cyber crime insurance to cover such a loss. Otherwise, a business may find itself in an uncomfortable dispute with a valued customer or vendor over how much financial loss each can bear to cover.