The case of Arrow Truck Sales Inc. v. Top Quality Truck & Equipment tells a familiar tale, but provides insight into how the law interprets cases and who’s at fault.
On the coattails of the FBI warning U.S. companies about Business Email Compromise (BEC) scams , I came across an interesting angle on the BEC topic – what happens when two companies falling victim to a BEC scam sue. The recent court case of Arrow Truck Sales Inc. v. Top Quality Truck & Equipment revolves around BEC that resulted in wire transfer fraud. The simple version is the two companies were engaged in negotiating a $500K purchase of twelve trucks.
A cybercriminal hacked both the seller’s and buyer’s email accounts, created spoofed accounts, and sent the buyer fraudulent wire instructions that were different from prior transactions the two companies had used. What makes this case interesting is that the seller had actually sent the buyer legitimate wire instructions as well.
The court found that neither party was negligent, but that the buyer had better opportunity to discover the fraudulent behavior due to the banking details being different from those previously used. And because the buyer received two sets of conflicting instructions, the court concluded the buyer bore the responsibility for the loss.
I’ve recommended time and time again that in cases where any change of banking instructions are communicated via email, it should be verified using either phone or an in person meeting. And if via phone, the number should not be determined from the email providing the change instructions, but from a previously known source to ensure the actual person is being called.