Understanding the Intricacies of Wire Fraud Liability

Our practice has seen a surge of claims involving wire fraud - an increasingly prevalent crime and subject of business disputes. Liability for losses stemming from fund misdirection often hinges on either the terms of contracts between the parties, or a deceptively simple rule: the party best positioned to prevent the fraud should bear the loss. [i]

Yet, this seemingly straightforward principle is not always easy to apply. Modern fraud schemes—clever, intricate, and facilitated by technological vulnerabilities—more often result in scenarios where liability is not merely assigned to a single party but apportioned, reflecting the realities of shared responsibility.

At its core, the rule for wire fraud liability is designed for both efficiency and fairness. If liability were indiscriminately assigned to the victim or to the most accessible “deep pocket” (read: party with insurance), the system would incentivize negligence rather than diligence. By placing liability on the party in the best position to thwart the fraud, the rule aims to foster greater vigilance and tighter security practices among all potentially at-risk parties.

Liability is not so easily pinned to a single party. In many instances, facts support shared fault. Courts and our insurance clients alike increasingly recognize the need for a more nuanced approach: apportioning liability based on each party’s respective role in either preventing—or failing to prevent—the fraud.

The classic fact pattern of BEC

Consider a scenario all too familiar to commercial insurers and their policyholders involving a business email compromise (BEC). Party A’s email system is breached, granting a third-party threat actor access to sensitive information. The threat actor, posing as Party A, socially engineers Party B into misdirecting a payment to the threat actor’s account instead of Party A’s rightful account. Party B’s funds are gone, and Party A remains unpaid. The question arises: who is liable?

Under the aforementioned rule, liability depends on the parties’ relative abilities to prevent the fraud. Did Party A fail to implement basic cybersecurity measures like multi-factor authentication? Did Party B ignore glaring red flags in the fraudulent payment request? The answers to these questions guide the allocation of liability. Party A may bear responsibility for allowing the unauthorized access to email to occur in the first instance, while Party B may share blame for failing to verify the payment instructions.

The hard work of apportionment

Apportionment of liability is not just a pragmatic solution but also an equitable one. The factual circumstances—Party A’s cybersecurity negligence versus Party B’s lapses in due diligence—dictate the balance. Courts have increasingly relied on comparative fault principles to allocate liability, recognizing that neither party operates in a vacuum.

This approach avoids the heavy hand of assigning total liability to one party, which could unjustly enrich the other. By allocating responsibility, the legal system acknowledges the shared risks inherent in modern commerce and incentivizes all participants to bolster their defenses against fraud.

Allocation considers the actions and omissions of all parties involved. There are many factors that may be considered to determine how liability should be apportioned in these cases including, but not limited to:

  • Security measures: The adequacy and effectiveness of each party’s security measures are critical. This includes evaluating whether the compromised party had viable, industry-standard cybersecurity protocols to prevent unauthorized access.

In one recent matter, a real estate closing agency found itself partially responsible for a wire fraud loss when it failed to implement MFA on its email account, which a hacker then leveraged to send fraudulent wiring instructions to the buyer. The buyer argued that the closing agent’s substandard email security was the proximate cause of the loss and that the loss could have been prevented had the agency deployed MFA, a widely adopted security measure.

  • Third-party involvement: The role of any third parties, such as intermediaries or service providers, is also considered. Their actions or inactions often impact the overall apportionment of liability.

IT Managed Services Providers (MSPs) providing technology services to business clients should be especially mindful of exposure in wire fraud liability disputes. Clients that experience business email compromises and attendant wire fraud losses often attempt to hold MSPs accountable, alleging negligence, breach of contract, consumer fraud and other theories of liability.

In a recent matter, an MSP was named a third-party defendant after its law firm customer’s client experienced a wire fraud loss. The law firm, sued for legal malpractice, claimed the MSP failed to secure the email system and detect the breach, which proximately led to its client’s wire fraud loss. In doing so, it sought to pass liability onto the MSP.

  • Due diligence / reasonable care: The extent to which each party exercised due diligence and reasonable care in their actions is scrutinized. This includes a party’s efforts to verify the legitimacy of the payment instructions received from the compromised email account.

Parties naturally assert that the other was negligent, on account of, among other things, inadequate security measures, lack of appropriate verification procedures such as confirming payment details through a secondary communication channel, ignoring obvious “red flags” or warning signs that could have indicated fraudulent activity, failures to provide basic training and awareness programs for employees, non-compliance with industry standards, history of prior incidents and poor record keeping.

  • Control over the transaction: The degree of control each party had over the transaction or communication is considered. The party with greater control and the ability to implement preventive measures may bear more liability.

Consider a situation where the misdirection arises from a business email compromise, which involves hidden “rules” within the compromised account, designed to conceal the threat actor’s communications and attempts to misdirect. Courts may view the compromised party as having no control over the transaction, thus potentially reducing that organization’s liability.

  • Previous incidents: The history of previous incidents or warnings about potential fraud risks can influence liability. If a party had prior knowledge of similar threats and failed to take corrective action, its liability may be increased. One recent client’s vendor experienced multiple phishing attacks over an extended period of time prior to a successful fund misdirection. Despite alerts by vigilant employees, the vendor failed to address the attacks or implement stronger security measures. This history of unaddressed phishing attacks may impact the vendor’s liability in any dispute over the lost funds.

  • Industry standards: Compliance with industry standards and best practices is evaluated. Parties that fail to adhere to established guidelines for cybersecurity and fraud prevention may be deemed more liable. Regulated industries such as the financial services, healthcare, education, energy and utilities, and government and defense industries are subject to more stringent cybersecurity regulations due to the sensitive nature of the data they work with and the potential impact of data breaches and security incidents. Being able to demonstrate compliance and commitment to applicable industry standards puts a party in a better position to defend itself against liability claims and protect its reputation in the process.

Piggybacking claims: Stretching potential liability

Wire fraud claims often do not stand alone. Instead, they spawn a host of ancillary allegations, potentially broadening the scope of liability. Businesses may also face consumer fraud claims, including accusations of misleading customers about cybersecurity, allegations of deceptive practices, misrepresentation, and failure to protect consumer information. Licensed professionals—lawyers, accountants, brokers, etc.—who fail to detect fraudulent schemes may find themselves ensnared in malpractice claims where the allegations are that the failure to adhere to professional standards contributed to the fraud loss.

Even directors and officers are not immune. Plaintiffs increasingly pursue claims against corporate leadership, arguing that lax oversight or inadequate investment in cybersecurity measures constitute breaches of fiduciary duty. Such claims underscore the cascading risks of wire fraud, extending liability beyond the immediate parties to those in positions of trust and authority.

What about the banks?

A common question from our clients is about the bank’s liability in wire fraud cases. Courts may hold banks accountable for inadequate security measures, or for ignoring clear evidence of mishandled funds. However, this liability arises very rarely, and only when there is evidence of “actual knowledge” of the fraud or when banks do not adhere to industry standards for cybersecurity or payment authorization. The Uniform Commercial Code (UCC), which governs commercial transactions in the United States, only holds banks liable if they do not take reasonable steps to prevent the transfer, while also requiring account holders to review their transactions promptly.

Under the Electronic Fund Transfer Act, banks must reimburse consumers for unauthorized transfers of their funds. Yet, this obligation does not extend to situations where the funds have already been delivered to unknown fraudsters, leaving many wire fraud victims without recourse. Banks are primarily obligated to their own account holders, and victims seeking assistance from the fraudster’s receiving bank often find themselves without any legal remedy if the receiving bank is unresponsive. Usually, a receiving bank is only liable if it has “actual knowledge” of illegal activity, such as knowingly participating in a criminal scheme to defraud a victim of funds. In the absence of such knowledge, the receiving bank is generally not held responsible for the fraudulent transaction.

As soon as a fraudulent wire transfer is detected, we recommend first contacting the bank that executed the transfer to attempt to freeze the funds. If the FBI’s Internet Crime Complaint Center (IC3) is contacted quickly, the so-called “kill chain” process can be initiated.

The “kill chain” process involves coordination among banks, law enforcement, and financial institutions to quickly intercept and potentially recover misdirected or stolen funds before they are fully withdrawn or transferred by fraudsters. The name “kill chain” comes from the idea of stopping or disrupting the fraudulent transaction at critical stages before the stolen funds are beyond reach. The first 24-48 hours are most critical for the success of the process, and we have seen successful partial and full recoveries for our clients who acted within this time frame.

Lessons for prevention and practice

For businesses, the takeaway from this discussion on wire fraud liability should be clear. Robust cybersecurity measures are no longer optional; they are a legal imperative. Companies must adopt proactive policies, such as change-in-payment verification, employee training, fraud detection protocols, and regular audits of cybersecurity practices. Equally critical is the adoption of contractual provisions that address liability allocation, giving the parties an opportunity for clarity before disputes arise.

Cyber insurance, of course, plays a tremendous role in mitigating the risk to policyholders arising from wire fraud. However, many policies either exclude coverage for wire fraud losses or materially sublimit it. Similarly, fidelity or crime insurance policies may respond to wire fraud claims depending on the policy’s language and the circumstances of the fraud. However, these policies are also often subject to lower sublimits or higher deductibles. Therefore, due diligence and vigilance are more important than ever to ensure that funds are not misdirected and to avoid the costly consequences of potential gaps in coverage.

As wire fraud continues to evolve, so too must the legal strategies employed to address it, encompassing additional risk management strategies to address the potential ancillary claims such as consumer fraud, professional malpractice, and director and officer liability. By understanding the intricacies of wire fraud liability, parties can better protect themselves and mitigate the risks associated with this pervasive crime.

“Understanding the Intricacies of Wire Fraud Liability,” Zywave Cyber Front Page News (February 3, 2025)


[i] See Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed. Appx. 348, 357 (6th Cir. 2018) and similar case law.
