A vast array of cybersecurity threats costs businesses billions of dollars each year. In early 2016, the FBI issued a warning to American businesses about “business email compromise” (BEC) scams, also known as “CEO fraud.” It stated that the number of incidents involving this type of scam, along with the amount of associated losses, has quickly increased in the past few years. New York and New Jersey business owners should be aware of what this type of scam involves, and their potential liability should they be the victims of such a scam.
A typical BEC scam involves the use of a company’s own email network, or an email address made to look like an internal company email, to pose as the CEO or another high-level executive. The scammer, commonly known as the “imposter,” contacts a lower-level executive or employee and directs them to take certain actions, such as wiring money to an account that the imposter controls. By the time the company becomes aware of the scam, the imposter has usually withdrawn the money and closed the account. The BEC scam is similar to scams known as “phishing,” in which a scammer solicits personal information from people through emails made to look like they come from a bank or another legitimate entity.
A business could face various types of liability if it is the victim of a BEC scam, depending on the nature of the scam and the resulting loss. If the scam somehow compromises secure business information, such as customers’ payment information, the business could be liable to those customers for their damages from the identity theft and other misuse of that information. Guarding against BEC scams should be part of every company’s cybersecurity strategy.
A currently pending lawsuit offers a useful example of how a BEC scam might happen. The plaintiff lost about $480,000 to a BEC scam and then sued its insurer when it refused to cover the loss. Ameriforge Group, Inc. v. Fed. Ins. Co., et al., No. 4:16-cv-00377, am. complaint (S.D. Tex., Mar. 10, 2016). The legal issues presented in the case are not as important for our purposes here as the factual allegations.
According to the plaintiff’s amended complaint, the Director of Accounting (DA) began receiving fraudulent emails in May 2014 from an imposter purporting to be the company’s CEO. In the initial email, the “CEO” told the DA that he was putting him in charge of a high-priority “confidential financial operation” and instructed him not to discuss the matter with anyone else. Ameriforge, am. complaint at 3. It also asked the DA if a particular individual, identified as an attorney, had contacted him yet. About 30 minutes later, a person using the name provided in the email contacted the DA by phone, told him that $480,000 in “due diligence” fees were required for an investment in China, and gave him wiring instructions. Id.
The DA sent the wire transfer, believing that the CEO had directed him to do so. Several days later, he received another email from the imposter, instructing him to send $18 million. This made the DA suspicious, and the scam was discovered after he reported the email to his supervisor. The complaint notes that the imposter “seemed to know the normal procedures of the company” and that the CEO and the DA “had a long-standing, very personal, and familiar relationship,” such that the DA “would not question” an email bearing the CEO’s name. Id. at 4.
Business operations attorney Samuel C. Berger practices in the New York City and Northern New Jersey areas. We offer numerous fixed-fee legal-service packages, which address a wide range of legal matters for businesses, small business owners, and entrepreneurs. To schedule a confidential consultation with a knowledgeable and skilled business advocate, contact us today online, at (201) 587-1500, or at (212) 380-8117.
More Blog Posts:
Federal Government Addresses Cybersecurity Risks for Businesses, New York & New Jersey Business Lawyer Blog, January 7, 2016
Cybersecurity Breaches May Result in Liability for “Unfair or Deceptive Acts or Practices” Under the FTC Act, New York & New Jersey Business Lawyer Blog, September 17, 2015
Protecting Your New York or New Jersey Business from Data Breaches, and the Liability Associated with Data Breaches, New York & New Jersey Business Lawyer Blog, June 4, 2015