In today’s world, electronic funds transfer (EFT) and wire transfers are common. But when internet scammers intercept wire transfers, who pays the cost of the theft, the payor, or the payee? Up until, California had no persuasive legal authority on the issue.
This subject has been finally addressed by the California Courts. In an issue of first impression in our State, the Fourth District Court of Appeal has tackled an important topic: which party bears the risk of loss when an imposter causes one party to a settlement to wire settlement proceeds to the imposter instead of the other settling party?
In Thomas v. Corbyn Restaurant Development, Corp., the Appeals Court addressed the issue of a fraudulent wire transfer paid as part of the settlement of an underlying personal injury lawsuit. The Plaintiff, Thomas, sued Defendant Corbyn Restaurant group for personal injuries he sustained because of an alleged altercation he had with Corbyn restaurant employees.
The parties settled the lawsuit at mediation in exchange for payment to Thomas in the amount of $475,000. The settlement payment was to be paid via check to the Plaintiff’s attorney/client trust account within 30 days.
The two law firms exchanged emails regarding the specifics of the settlement payment. That is where the trouble began. Included in that email correspondence was a spoofed email from Defendant’s attorney. The email address contained a few altered letters. A subtle, but important alteration as it allowed a third-party imposter to begin communicating with Defendant’s counsel. The change was not detected by Plaintiff’s counsel.
Thereafter, the imposter, using the spoofed email address, sent over wire instructions to transmit the settlement payment, instead of a check. Defendant’s counsel transmitted the settlement payment to the imposter. The imposter was able to abscond with the settlement funds and the parties did not detect the fraud until Plaintiff contacted counsel inquiring about payment.
Because Plaintiff did not receive the settlement funds as outlined in the settlement agreement, he sought a court order to enforce the terms of the agreement. The Court granted the order and Defendants appealed.
The Appeals Court was faced with a dearth of California authority on fraudulent wire transfers. The Court was forced to rely on out of State authority, including the Uniform Commercial Code’s “Imposter Rule”, which holds that the risk of loss should be borne by the party that failed to exercise ordinary care if that lack of ordinary care contributed to the loss.
When looking at the party who failed to exercise due care in the transaction, non-California courts have looked to various “red flags”, including: (1) the extent to which each party secured its computer system or whether the system had been breached before; (2) whether a party was aware that its transaction was being targeted, and, if so, whether that party disclosed the targeting to the other party in the transaction, or to the court; (3) whether either party failed to scrutinize spoofed email addresses or overlooked typographical errors or duplicative information; (4) and whether the payor called to confirm wire instructions, particularly when they conflicted with prior payment arrangements or new payment instructions changed material information like names and addresses.
The Appeals Court adopted this framework and analyzed legal culpability based on the various “red flags” in the underlying transaction.
There were various “red flags” that went undetected by Defendant’s counsel. First, the fraudulent wiring instructions contradicted the settlement agreement terms, which called for a settlement check. Likewise, the fraudulent wire instructions conflicted with the named payee information outlined in the settlement agreement.
The Court also pointed out abnormalities in the email string that should have raised red flags with Defendant’s counsel. While counsel did attempt to phone verify the wire transfer initially, the number was inoperable. A later phone number provided for verification was fraudulent. That should have caused Defendant’s counsel to inquire deeper before issuing the wire transfer. Together, these numerous “red flags” were enough for the Appeals Court to determine that Defendant failed to exercise due care in the transaction and therefore should bear the risk of loss for the fraud.
The Court likewise dismissed the notion that Plaintiff bear some responsibility for fraud under a comparative fault argument, because no such evidence of Plaintiff’s culpability existed.
The result of the case is that Defendant is now forced to pay the settlement twice—once to the imposter and once to the Plaintiff. A harsh result, but one which is reached based on analyzing the relative conduct of each party in the underlying transaction.
So how can parties best avoid being in this situation. First, for large payments (including legal settlements) consider utilizing overnight delivery services, such as UPS of FedEx, with tracking and signature requirements. If you must issue wire transfers, have a written protocol set in place and honor it. Do not deviate from original wire information provided and phone verify all wires with a human being at the business’ listed phone number before issuing. In email correspondence regarding wire transfers, double-check the email domain addresses and include multiple parties in the email string to better identify potential imposters. Lastly, we recommend that all businesses carry cyber insurance to protect themselves in the event of a cyber loss.
