The Class Action Litigation Consequences of Business Email Compromise Attacks


Sunil Shenoi, Seth Traxler and Gianni Cutri are partners at Kirkland & Ellis LLP and advise clients on a variety of data security issues, including responding to data security incidents, representing clients in data security litigation, and counseling clients on data security diligence.

They just wrote a very good summary about BEC, aka CEO Fraud. Here is an excerpt and a link. I suggest you send this to the legal team in your organization:

"A look inside the likelihood of class action litigation from BEC attacks, the judicial results of such litigation, and potential costs associated with settling such litigation.

In the past couple years, business email compromise (BEC) attacks have dramatically increased. As a result, corporate victims of BEC attacks have been increasingly subject to class action litigation on behalf of their employees or customers whose information may have been accessed or disclosed in the BEC attack. This article examines the likelihood of class action litigation from BEC attacks, the judicial results of such litigation, and potential costs associated with settling such litigation.

Likelihood and Success of Litigation

BEC attacks can take many forms, but one of the most prevalent forms involves an email scam designed to obtain employee tax return information. These attacks, known as W-2 phishing attacks, have triggered the majority of the class action litigation relating to BEC attacks and therefore provide a useful basis for analyzing potential litigation from all forms of BEC attacks.

In a W-2 attack, a third party typically sends company employees an email that appears to be from a company executive. The email will likely ask the employee to reply with the Form W-2 of every company employee, and the employee often complies with the request. Attackers seek employee W-2 forms because information such as the employee’s Social Security number and tax withholding can be used to perpetrate fraud against company employees, including identity theft, the filing of fraudulent tax returns, and the opening of fake bank accounts or credit cards. Since 2016, over 375 companies have disclosed that they were the victims of successful W-2 attacks.


Successful BEC attacks, such as W-2 attacks, are more likely than ever to trigger class action litigation. Such litigation is likely to be filed in federal court and companies have not experienced much success in dismissing such suits in their early stages. Settlements typically include high costs per class member, but such costs might be mitigated by a low rate of participation in the settlement by class members.

Even though several other W-2 class actions are currently pending, these trends appear unlikely to reverse themselves in the near term. Consequently, companies should consider enhancing employee [security awareness] training and technological tools to detect and prevent successful BEC attacks. In addition, companies should consider obtaining cybersecurity insurance to cover the investigation, remediation, litigation, and/or settlement costs from a successful BEC attack."

Here is the full article (there is a paywall):


CEO Fraud Prevention Manual Download

CEO fraud has ruined the careers of many executives and loyal employees. Don’t be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
