Beware of Business Email Compromise

December 16, 2025

by Eric D. Morton

Business Email Compromise (BEC) is a form of cyber fraud where attackers hack or spoof email accounts of companies that are doing business with each other. Fraudsters intercept invoice communications and trick a party owing money into sending funds to fraudulent accounts. The result? Payments are sent to the fraudsters (and then their overseas money launderers). The owed money is not paid. The underlying debt is now in legal limbo.

BEC is widespread

  • Global losses from BEC totaled approximately $55.5 billion between October 2013 and December 2023, with around 305,000 reported incidents worldwide.
  • In the U.S. alone, the FBI’s Internet Crime Complaint Center (IC3) counted 158,436 victims and $20 billion in exposed losses.
  • In 2024 alone, IC3 logged 21,442 BEC complaints, second only to investment fraud in terms of dollar loss, accounting for $2.8 billion.
  • Between 2022 and 2024, nearly $8.5 billion in losses were attributed to BEC schemes.
  • And the trend is accelerating: global BEC attacks rose nearly 9% from December 2022 to December 2023.

Who Is Liable?

The courts have not developed a standard for who is liable when a party to a contract is fraudulently induced to pay a third party. Consider the following scenario:

Party A regularly buys goods from Party B, and Party A pays Party B by ACH to Party B’s bank account. Fraudsters hack into Party B’s email and IT systems. In monitoring those systems, the fraudsters find an invoice for goods sold to Party A. The fraudsters also discover the payment method that Party A was using to pay Party B.

The fraudsters impersonate an employee of Party B and induce Party A to wire the money for the invoice to a new account. Despite a few oddities in the email and instructions, Party A wires the money.  The money goes to an account controlled by the fraudsters and disappears.  In a few hours it is overseas in the hands of money launderers.  Money stolen like this is never recovered.

Who has to pay?  The courts take different approaches to BEC:

  1. Contractual Obligation

Party A’s debt to Party B remains. Some courts have found that payments made to fraudsters do not fulfill contractual duties.  Party A has Party B’s goods and still owes the money.

  2. Fault and Negligence

Liability may shift if the hacked party failed to implement reasonable cybersecurity measures, such as multi-factor authentication or employee phishing training. A court might find that Party B was negligent, but proving foreseeability and causation can be complex and fact-specific. Or a court might find that Party A was negligent because it didn’t verify the payment instructions and ignored red flags, and apply a comparative negligence standard between the parties.

The problem now is that there is no clear legal standard to rely on. Businesses must look out for themselves.  

Risk Mitigation Strategies

  • Strong passwords.  Have unique, long passwords for all accounts.  Change them every six months.
  • Dual-channel verification: Add a secondary confirmation step (like a phone call to a known number) when payment instructions change.
  • Rigorous cybersecurity hygiene: Implement MFA, enforce strong password policies, and train staff to detect phishing. Ensure that all software, computers and servers are updated regularly.
  • Contract clauses: Specify secure communication protocols and require confirmation steps for wiring funds and changing payment methods. Personally confirm any changes to payment methods, addresses, etc.
  • Train personnel to recognize phishing attacks, cyber scams, unauthorized requests for information, etc. Anything suspicious should be reported to management immediately.
  • Buy Cyber Insurance and carefully go over the coverage with an agent.
  • Ensure that customers know that your business will not change payment methods without personal notification from a named employee, and never by email.

BEC is part of the increasing world of cyber-crime. With vigilance, layered security, and clear understandings between parties, businesses can significantly reduce their exposure to BEC.

Eric D. Morton is the principal attorney at Clear Sky Law Group, P.C.  He can be reached at 760-722-6582, 510-556-0367, and emorton@clearskylaw.com

 

Get the personal attention you deserve

CARLSBAD

760.722.6582
2173 Salk Avenue, Suite 250
Carlsbad, CA 92008

OAKLAND

510.556.0367
1300 Clay Street, Suite 600
Oakland, CA 94612

Copyright ©2025 Clear Sky Law Group. All Rights Reserved.

Copyright 2019 Clear Sky Law Group, P.C.