We have written on previous occasions about the rise in frequency and severity of Business Email Compromise (BEC) cyberattacks. As explained in other posts, BEC attacks are a type of phishing scam typically targeting companies in order to fraudulently direct payments of money to accounts associated with the attackers. Attackers typically target high-level executives or employees with access to financial systems. After the BEC attack, victims have typically had difficulty recovering the fraudulently misdirected funds, which are usually moved to offshore accounts very quickly.
However, a recent court decision in Virginia may have provided a roadmap for some BEC victims to seek compensation from the financial institutions that facilitate the fraudulent transfers of money. In Studco Bldg. Sys. US, LLC v. 1st Advantage Fed. Credit Union, WL 1926747 (2023), a United States District Court Judge held that one of the financial institutions involved in facilitating a BEC payment did not act in a commercially reasonable manner in allowing the transaction to take place. Because the financial institution acted negligently, the victim of the BEC was awarded a judgment of $558,868.71.
In Studco, as a result of a BEC scam, the victim’s funds were sent – in multiple, separate transactions – to the attackers’ account at 1st Advantage Federal Credit Union. The transactions in question generated automated warnings in 1st Advantage’s internal fraud warning systems. The Court noted that, in situations involving potentially fraudulent transfers of customers’ funds, a financial institution exercises appropriate due diligence when it maintains reasonable routines for communicating significant information to the persons conducting the transactions and there is reasonable compliance with those routines. In Studco, the Court held that 1st Advantage did not appropriately monitor its internal fraud warnings and that the bank should have identified certain warning signs about the transactions, including conflicting information about the name of the intended beneficiary and the account holder of the account receiving the fraudulent funds.
While the District Court’s decision has been appealed to the U.S. Court of Appeals for the Fourth Circuit, the Studco decision serves as a cautionary tale for all parties – and particularly financial institutions – affected by BEC scams. Businesses should evaluate their fraud detection policies, as well as employee training, to ensure that BEC warning signs are detected at the earliest possible time.