Over the last three years, cyber-thefts have been on the rise. Among others, two realms where cybercriminals have been most active are phishing for wire transfers from homebuyers and in business email compromises (BEC) of companies that frequently make payments via wire transfer. This article illustrates those problems and offers solutions on how to minimize your client’s susceptibility.
Phishing for Homebuyers
Cybercriminals have regularly targeted homebuyers through phishing scams. Typically, the cybercriminal obtains access to the email account of the title company and/or Realtor and gathers information regarding anticipated payments to the title company, who is usually acting as the escrow agent in the transaction. An email is sent to the homebuyer purporting to be an agent of the title company. Many of these cybercriminals actually gain control of employee’s email accounts, making a fraudulent email nearly indistinguishable from one that is authentic. They are often able to create messages that fit the tone and context of the previous correspondences between the parties.
Business Email Compromise
Many businesses require a high frequency of wire transfers to be sent online. These can vary from hundreds to millions of dollars. Businesses that rely on frequent wire transfers with international partners tend to be the most vulnerable.
Similar to the phishing scheme described above, these cybercriminals will gain access to the email accounts of a business and look for payment patterns as well as the personnel who conduct these payments. Once patterns have been established, an email that appears to be authentic is sent to the employee or agent responsible for sending outward wire transfers. In most cases, the format of the email will perfectly replicate that of an authentic message. Typically, it contains an instruction stating that the recipient’s account number has changed, and all new payments should be directed to the new account. In my experience, once one wire has been sent, more solicitations will follow, and they will be larger and more brazen.
How to Recover Losses from Cybertheft
There are two primary ways to facilitate a recovery for your client in the above-referenced situations. First, many insurance providers now offer cyber policies, which typically cover losses incurred from cybertheft. However, this option is only practical for businesses as many consumers such as a first-time homebuyer will not be afforded this type of coverage. The second route to recovery is traditional tort and contract remedies.
While the world around us has changed and continues to evolve, often demanding our presence online in order to conduct day-to-day activities, the law is lagging well behind. Recovery in cyber cases demands a creative response vis-à-vis your claim’s application to tort and contract law. Negligence, negligent misrepresentation, breach of contract, and breach of implied covenant of good faith and fair dealing are the most common Obviously, establishing negligence requires demonstrating that a duty existed, which can be difficult to establish, However, with regards to title companies and their relationship to homebuyers as an escrow agent, a duty exists to safeguard their client’s funds; that duty requires protective measures to be taken that are commensurate with the nature of the risks involved. These measures should begin with the use of digital signatures, which is in essence a digital “fingerprint” that can almost definitively link the email to the proper sender.
Most crucially, multi-factor authentication is needed to establish the legitimacy of a wire-transfer request. Thus, in addition to an email request, the consumer should be provided with additional steps to verify the authenticity of the request, as hackers will often continue to control the email account after the request has been made, thereby allowing them to provide a false confirmation to the consumer. Usually, these steps include the following: a phone call to the escrow agent; a confirmation code provided prior to any email solicitation; and providing the buyer with the proper account number prior to payment.
Given the now well-known risk of BECs and phishing scams, the above-mentioned preventative measures are undeniably necessary in order to safeguard a client’s funds. The landscape of business and consumer transactions is changing, and the law must change as well in a way that is commensurate with a potential plaintiff’s exposure to cybercrime. While in most cases attorneys are limited to traditional tort and contract remedies, the burden rests with lawyers to ensure that the law adapts and properly reflects the burgeoning threat to American businesses and consumers. Tom Moran